FacebookTwitterLinkedIn

News Archive April 2014

Table of contents:

Smartphone Botnets Becoming Mainstream

02.04.14

The popular Android mobile operating system has fallen victim to numerous malware variations in recent months, but now Android hackers have “graduated” to using botnets powered completely by Android smartphones. The new threat actually targets smartphone users banking at Middle Eastern financial institutions. Disguised as a banking app, this botnet has already infected at least 2,700 smartphones and has intercepted over 28,000 text messages. Officially, this botnet does not have a name, but security experts are calling it “Sandroid” for now. Victims unintentionally install the malware because it comes bundled with apps designed to mimic the standard two-factor authentication modules used by mobile banking applications.

Currently, Sandroid is targeting customers of SAAB, Riyad, AlAhliOnline, AlRajhi Bank and Arab National Bank. This threat is significant for a couple of reasons. First, most of these customers were first infected with a mobile version of a password-stealing banking Trojan. Also, most banks send customers text messages with one-time codes as an additional security measure to supplement normal username and password combinations.

By intercepting text messages sent from financial institutions to victims, hackers are able to take control of bank accounts and transfer funds before the victim – or the bank – realizes what happened.

Believe it or not, this version of malware is not new. It has been used to target Facebook in the past as well as multiple banks around the world. Despite both Symantec and Trend Micro documenting this threat in the past, the banking botnet continues to spread because people usually do not install antivirus products on their mobile devices. Hackers are beginning to realize that most people conduct at least some personal business via Android smartphones. The difference, of course, is that these devices are not protected to the same extent as most personal computers. This makes Android-powered smartphones a perfect target for hackers looking for a new revenue stream.

Sandroid

The fake app responsible for Sandroid shows up as a browser pop-up spoofing popular banks that asks the user to download a “security application” on their smartphone. Rather than being a legitimate mobile application, the “security application” is actually a program designed to intercept text messages sent from the bank to the user’s phone. These text messages are then relayed to the botnet master who uses the code in conjunction with the victim’s user name and password to log into the bank account and drain funds. Interestingly enough, the cell phone number the intercepted texts are being sent to is listed as belonging to an individual in Russia.

While this scam is currently not affecting customer in the United States, Russian cybercrime syndicates have always displayed a propensity for targeting US victims and many security experts believe that the attacks on banks in the Middle East are only a trial for a massive attack on US citizens in the near future.

The same rules for keeping your information safe while web browsing at home should also apply to your smartphone. Never download unsolicited applications and research any applications prior to downloading them. Also, smartphone users should consider installing an antivirus suite specifically designed for the Android operating system (many are available) to further protect themselves from known mobile malware threats.

Back to Top

An In-Depth Look at the Heartbleed Bug

07.04.14

Millions of websites rely on OpenSSL technology to encrypt communications between web servers and visitors. Usually, OpenSSL is employed when sensitive information is being transmitted via a user’s web browser. Both personal and financial data (i.e. paying for online goods and services) are protected by OpenSSL – a technology that has been trusted for years by websites large and small. Researchers recently uncovered a critical vulnerability in OpenSSL and the release of a simple exploit known as the Heartbleed bug. Heartbleed can be used to steal the usernames and passwords from affected websites.

It can also steal the private keys used to encrypt and decrypt sensitive data. This means that hackers can read the memory of servers running vulnerable versions of OpenSSL software. When memory locations are compromised in this manner, the secret keys used to identify service providers and to encrypt traffic to and from these services are also compromised.

Ultimately, hackers can directly access the usernames and passwords of website visitors. In real time, hackers are able to view content (which should be encrypted), eavesdrop on communications, steal data directly from affected servers and even impersonate legitimate services and users.

According to security experts at Carnegie Mellon University, the vulnerability affects websites running versions 1.0.1 through 1.0.1f. At the time of this writing, there are approximately 500,000 sites vulnerable to an attack by the Heartbleed bug. Notable sites affected include Yahoo! and the OpenSSL site itself in addition to thousands of other extremely popular websites. While many common exploits are difficult to use without experience in the IT field, Heartbleed is extremely easy to use and is currently being traded online through a variety of outlets. Lists of vulnerable sites are also appearing online everyday as hackers test for the vulnerability across the Internet. The Heartbleed bug works by allowing hackers to retrieve the private memory of an application using a vulnerable version of OpenSSL “libsll” library.

Heartbleed

The exploit retrieves this supposedly protected memory in 64kb chunks. What makes Heartbleed especially dangerous is that an attacker can use the exploit repeatedly – allowing him or her to retrieve as much data as necessary to reveal the complete encryption keys for a given target. Once these keys have been established, hijacking a secure session is extremely easy to do.

A victim will never even know a breach has occurred despite their credit card information and other personal information being stolen from right underneath their nose in real time.

This exploit is extremely dangerous because not only do affected websites need to update OpenSSL to patch the vulnerability, but the affected providers also need to replace all private keys and certificates that may have been compromised during an attack.

Since a full list of affected providers has not been officially released yet, it is advisable to change any passwords for sites you frequent and keep an extra close eye on the integrity of your financial data until the OpenSSL patch has been installed across the Internet.

As always, report any suspicious credit card charges to your financial institution immediately to avoid the risk of serious financial losses as a direct result of the Heartbleed bug.

Back to Top

In-Flight Wi-Fi Aiding Government Spying Efforts

08.04.14

GoGo is an in-flight Wi-Fi provider that offers Internet service on more than 6,000 aircraft. Many Frequent Flyer programs offer customers free or discounted service via the GoGo service and other passengers can pay a nominal fee for access on flights throughout the country. Recently, documents have come to light that prove GoGo not only complies with federal law, but actually goes well beyond the requirements set forth by the federal government to give law enforcement even more information than previously thought. Much of this information was discovered by Christopher Soghoian of the American Civil Liberty Union in recent Federal Communications Commission filings about the company.

In a letter dated July, 20 2012, a GoGo lawyer stated that GoGo has worked closely with law enforcement to incorporate additional capabilities to accommodate law enforcement interests. These “additional capabilities” go well beyond the compliance required by the Communications Assistance for Law Enforcement Act (CALEA). In a separate publication, Aircell (a GoGo subsidiary) boasted that the company is “can give law enforcement any information they need in real time.” Not only is GoGo assisting government agencies above what is required by law, but they seem to be bragging about their extra cooperation.

Unfortunately, the customers paying for the service are the ones who are being punished as their information is being collected and monitored during business and leisure flights alike.

While GoGo has since tried to hide the claims made to the FCC, there is able evidence to suggest that Web browsing activities during a flight are closely monitored by GoGo and ultimately, the US government as well. Specifically, statements made by the Director of Business Development at Aircell suggest a “Super CALEA” arrangement with the FBI.

gogo wifi monitoring

This arrangement allows Aircell to shut off service to select individuals or the entire airplane without shutting off the service of undercover US air marshals. Similar FCC filings for eXConnect, a company providing broadband connectivity to American and United flights, also exist and suggest that Web browsing activities on the plane are scrutinized much more heavily than traditional browsing activities.

Leaked documents from Edward Snowden have already proven the government’s desire to spy on law-abiding citizens in the name of justice, but these new documents prove that despite waning media coverage, the government has no intention of stopping its practices any time soon.

The FCC has already concluded that it’s OK to extend CALEA beyond its initial parameters, meaning that it is perfectly legal for GoGo, eXConnect and other in-flight Wi-Fi providers to spy on customers at the behest of the US government; whether customers consent to such monitoring or not. Although the far-reaching implications of these tactics are still not fully understood, remember that the convenience of in-flight Internet service enjoyed by millions of people every day comes at a price.

Back to Top

Windows XP: Zero Day Forever Begins…

13.04.14

Last week marked the end of an era. As of April 8, 2014, Microsoft is no longer providing support to the still widely used Windows XP operating system that was first introduced to the world in 2001. While most people who have purchased a new computer any time in the last few years probably have a newer version of Windows already installed, approximately 30% of the computers currently connected to the Internet still rely on the XP operating system. While this news doesn’t mean that computers running Windows XP will stop working, the process of creating an unsecure OS has begun.

Microsoft has even gone so far as to dub the condition of XP as “zero day forever” because the absence of future support presents a host of security risks that are nearly unavoidable.

What are the Risks?

The most important risk you need to understand about Windows XP is that Microsoft is longer producing security patches for critical vulnerabilities in the OS. Over time, additional security holes will be found by hackers and there won’t be any support from Microsoft to protect machines from these vulnerabilities and associated exploits. While large organizations may be able to pay expensive fees to receive custom Windows XP support, these updates will never become available for home and small business users. Even if large businesses opt to pay for custom XP support, it is unlikely to remain a cost-effective alternative as time progresses and the sheer number of security vulnerabilities continues to climb.

Perhaps the most dangerous risk comes from security vulnerabilities that hackers have already discovered, but are waiting to exploit until Microsoft is completely done supporting the product.

This means that new and potentially dangerous exploits could begin showing their faces as soon as this week and the vulnerabilities they prey on will never be fixed until every Windows XP machine is shut down permanently. Another risk is that third-party software developers will also stop supporting Windows XP. Although this is likely to take months or even years, software designed for this antiquated OS could pose security threats as developers stop devoting resources to patching vulnerable code.

Windows XP upgrade

What Can You Do?

The best thing you can do is upgrade the OS on your PC to a more modern version of Windows as soon as possible. With the release of Windows 8.1, previous versions of Windows have become extremely affordable. Windows 7, for instance, is an affordable choice for most people as legitimate upgrade licenses can be found through a variety of retail outlets for less than it costs to fill up the average vehicle fuel tank. If upgrading right now is not an option, there are still a few other things you can do to buy yourself some time. If you use Internet Explorer, change your web browser. Both Google Chrome and Mozilla Firefox plan to continue supporting Windows XP for at least another year. Either of these browser options provide security well beyond what Internet Explorer 8 is capable of. Most antivirus software is committed to continuing XP support until at least April of 2015 with many of them extending support well into 2016.

As long as you continue to update virus definitions, antivirus software on XP machines should continue to function reasonably well. That said, Microsoft has warned that research shows the effectiveness of antivirus solutions on operating systems that are no longer supported is limited at best.

Also, update the Microsoft Office suite to Office 2007 or newer. Office 2003 and Office XP have additional security vulnerabilities that could be even more easily exploited in the absence of further XP OS security updates. Finally, remove unnecessary and potentially insecure software from the machine whenever possible. Java, for instance, is notoriously insecure and should be uninstalled if not absolutely necessary. Browser plug-ins such as Adobe Flash and Adobe Reader are also insecure and should be disabled whenever they are not in use. Although following these recommendations isn’t a long-term fix for the Windows XP operating system, it should keep the machine reasonably safe (when combined with savvy Internet-browsing practices) until an OS upgrade can be performed properly.

As a final note, keep in mind that many hackers are trying to capitalize on the end of Windows XP by offering “free upgrades” to other popular versions of Windows. Often, these offers are scams designed to steal your money or your personal information. When upgrading your OS, make sure you purchase directly from Microsoft or from an authorized Windows reseller.

Purchasing from anywhere else could result in the installation of a non-genuine version of Windows and many popular features could be disabled until a legal license is purchased. While change can be hard for some, the new features available in modern versions of Windows make upgrading from Windows XP a good idea anyway. Combined with the security threats associated with an unsupported OS, there has never been a better time to revamp your computer with a new and improved platform.

Back to Top

In the Market for a New Home? Be Careful!

15.04.14

A new scam was recently uncovered that targets consumers in the process of purchasing a new home. Real estate and title agencies were first warned by First American Title in an alert sent out to its title agents located throughout the United States. The gist of this scam is simple – hackers intercept legitimate emails from title agencies, change some of the financial information and then re-transmit the emails to their original recipients. This targeted phishing campaign has been highly effective so far and victims have little to no chance of recovering the funds once they have been received by the attackers.

The alert issued by First American Title explains that the emails intercepted by this group of hackers include bank account and wire transfer instructions for would-be home buyers expecting to wire down payment money to the title agency during the home buying process.

The hackers are altering the bank account information in the email before sending the email to the intended recipient. Aside from the altered payment information, the email remains completely intact; including the title agency logo and contact information.

In other words, the email looks completely legitimate and homeowners have no idea that their funds are actually being wired to a fraudulent account instead of the title agency. What makes this scam even more dangerous is that victims are expecting the email from the title agency. Most phishing scams are designed to mimic email communications from popular companies and financial institutions. Since many of these scams are unsolicited, consumers tend to be more wary of the emails especially if they do not do business with the business represented in the phishing email).

real estate scam email

These emails, however, are completely “genuine” other than the altered payment information and victims have absolutely no idea that they are about to fall victim to a scam when performing the requested wire transfer. Unfortunately, wire transfers are not bound by the same consumer protection laws afforded to credit card customers. This means that victims are unlikely to recover funds lost in this scam and at this point it is unclear if First American Title plans to reimburse affected customers. It’s also important to realize that security experts are cautioning that this scam is probably not limited to customers using First American Title services.

A scam of this magnitude (and demonstrated success thus far) is capable of penetrating nearly any title agency and its customers in the United States or even the world. The fact that this scam is so new suggests that First American Title customers are only the tip of the iceberg and more victims should be expected in the near future.

It is difficult to protect yourself from this scam without doing a little legwork as the email appears to be perfectly legitimate. Security experts recommend contacting the title agency directly before transferring any funds related to the purchase of a home. Verify the bank account and wire transfer details with a local agent or risk losing thousands of dollars in the blink of an eye.

Back to Top

The New Threat to Your Privacy

21.04.14

According to an interview with Eugene Kaspersky (co-founder of Kaspersky Labs) recently conducted by The Telegraph, the Internet of Things is the newest threat that could affect nearly every U.S. household in the near future. For those unfamiliar with the term, the Internet of Things refers to the rapid expansion of smart household appliances. Smart TVs connected to the Internet are already extremely common and many other devices are becoming popular as well including refrigerators, home alarm systems and even automated sprinkler and irrigation systems. Just as the last couple of years have shown a dramatic increase in the number of malware attacks targeting mobile phones and tablets, the new threat is malware designed to target these smart devices in the home and it could already be affecting devices you use every day.

In the interview, Kaspersky specifically mentioned smart TVs frequently because of the popularity of the appliance and its widespread use around the world. Furthermore, smart TVs typically allow users to input username and password combinations for multiple social and multimedia sites including Netflix, Facebook, Twitter and Instagram.

By developing malware that specifically targets the hardware and software found in the average smart TV, hackers could have access to all of this information in one place. And because there are no current anti-malware solutions available for smart appliances, a single piece of malware could become an epidemic problem in no time at all.

Most modern smart TVs also include a webcam for use with Skype and other video messaging applications. It is conceivable that malware designed for smart TVs could also access the webcam remotely; adding yet another privacy concern to an era already dealing with privacy issues on a daily basis. It is estimated that by 2016, there will be upwards of 100 million TVs connected to the Internet, making the creation of malware for these devices a top priority for hackers around the world. Other smart appliances, such as the popular Nest Digital Thermostat, could also be controlled remotely by hackers.

smart household appliances privacy

While controlling the temperature of a home remotely may not seem like a very lucrative idea for most hackers, the fact that someone other than yourself could conceivably control your home without your consent is a concerning thought to say the least. Also, since these devices are connected to the home network, hackers may be able to use compromised devices as a backdoor to access other, more sensitive portions of the typical home network. Smart refrigerators are also a concern. In fact, recently 100,000 refrigerators and other smart appliances were used by hackers to send out nearly one million spam emails. Even printers, security cameras and set-top boxes are at risk. Recently, a Linux worm known as Linus.Darlloz was responsible for hacking these devices and using them to remotely mine digital currencies including Bitcoin.

Most people enjoy the additional functionality that many new smart appliances provide, but what many people do not realize is how these devices are being targeted for malware campaigns large and small.

Unfortunately, there is no anti-virus/security infrastructure in place to deal with these threats at this time meaning that there could already be serious malware threats compromising popular smart appliances undetected. Hopefully, security measures and anti-malware solutions for these devices will become more prevalent as the technology continues to grow exponentially, but until that happens, be careful when using smart devices in your home.

Back to Top

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal