Category Archives: Spam and scams

April security roundup

People who store Slack credentials in Github code repositories learned that this a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESet researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as does Chrome.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Security roundup for March 2016

Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.

Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.

Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.

A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.

The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.

Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.

Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.

Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to GMail.

Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.

Opera announced that their web browser will now include ad-blocking features that are enabled by default.

July security roundup

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that vulnerabilities are too difficult to exploit for them to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.

Avoid Hola’s free VPN service

In the wake of Snowden’s revelations, many people have started using VPN services to encrypt their online activities. Until recently, one popular choice was Hola’s free VPN.

Researchers have discovered that Hola is selling access to the resources of its users, creating what has been described as a botnet, which may have been used for malicious activities.

Hola has been scrambling to deal with the public backlash over this news, but so far all they’ve done is retroactively update their FAQ, adding statements about what Hola can do with your computer if you’ve installed their software.

Recommendation: avoid Hola completely. This kind of deceptive behaviour should not be encouraged. If you’ve been using Hola, check your level of exposure using this handy tool.

Test your skill: spot the phishing email

A short quiz, provided by anti-malware software maker McAfee, allows you to test your skill at identifying phishing email.

In the quiz, you are presented with ten email samples, and asked to decide whether they are phishing email.

What is phishing? From Wikipedia: “Phishing is the illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Hint: look for links in each of the sample messages. Hover your mouse over each link, and compare the address with the supposed sender. If a link points to a site that’s unrelated to the supposed sender, the email is probably not legitimate.

Hat tip to reader tap tap.

Google’s efforts to clean up ad injection on the web

A recent post on the Chrome blog discusses Google’s recent efforts to clean up the growing problem of ad injection on the web.

From the post: “Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web.” If you’re seeing a lot of advertising on all the sites you visit, and much of it seems unrelated to the site, your computer may be running one or more ad injectors.

Ad injectors are unwanted software that is surreptitiously installed on victims’ computers through a variety of tricks, including “marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns.”

The ad injection ‘ecosystem’ is complex, and at any given time there are thousands of injection campaigns affecting web surfers.

To combat this problem, Google has identified and removed 192 apps – identified as contributing to ad injection systems – from the Chrome Web Store. Improvements in the Chrome Web Store and Chrome itself help to protect against ad injection software. And Google is reaching out to advertising networks, to assist them in eliminating ad injection. Most importantly, Google’s AdWords network policies have been tweaked, to make it more difficult for the perpetrators of ad injection schemes to promote malicious software.

Recent surge in spam likely due to Mumblehard botnet

If you noticed more spam than usual in your inbox in recent months, you’re not alone. You may also have noticed that using your email client to block the sender is typically ineffective. That’s because the spam is coming from thousands of different domains, each corresponding to a different compromised web server.

This is the work of the Mumblehard botnet, which was observed sending mass spam starting about seven months ago by ESet researchers. The Mumblehard code has existed on the web for at least five years, but seems to have started its spamming activities on a large scale only in the last year or so.

Computers infected with Mumblehard are typically Linux web servers. It remains unclear exactly how servers become infected, but researchers suspect that unpatched WordPress and Joomla vulnerabilities provide the key.

CRTC follows through on its efforts to curb spam

The Canadian Radio-television and Telecommunications Commission (CRTC) has handed out steep penalties to three organizations for failing to comply with Canada’s new anti-spam regulations.

Up to this point, there has been some doubt as to whether the CRTC and the Competition Bureau would follow through on the promise of the new law. Doubt no more: the worst offender was a Quebec company called Compu-Finder, which received a whopping 1.1 million dollar fine.

It’s not often that I find a reason to praise the CRTC, but this is one of those times. Nice work, folks! Keep it up.

WordPress sites targeted by pro-ISIL hacks

An active campaign pushing the agenda of ISIL is being perpetrated mainly via hacked WordPress sites. The FBI has issued a related warning.

Anyone who runs a WordPress site should immediately ensure that it is up to date with all WordPress and plugin updates. Of course this won’t help if your site has already been hacked, so if you have any doubt, please scan your site with one (or preferably all) of the following web-based site scanners:

Meanwhile, yet another popular WordPress plugin has been found to contain a serious vulnerability. The site caching plugin WP-Super-Cache has a nasty cross-site scripting bug. Anyone using this plugin on a WordPress site needs to update it to the fixed version (1.4.4) immediately.