‘Mouseover’ technique relies on users hovering over hyperlinked text and images in Microsoft PowerPoint files to drop a Trojan.
Researchers have found a new form of attack that abuses the action of hovering over hyperlinked text and images in a Microsoft PowerPoint presentation.
Trend Micro researchers discovered the “mouseover” technique, used by a Trojan downloader also found in a spam campaign hitting EMEA businesses in the manufacturing, education, pyrotechnics, logistics, and device fabrication industries. The downloader they analyzed delivers a version of the OTLARD banking Trojan, also known as GootKit.
“This is the first occurrence of malware using the ‘hover’ method to initiate a download that we know of,” says Mark Nunnikhoven, Trend Micro’s VP of cloud security.
“While GootKit is known malware, businesses should be more concerned about this latest technique as it shows none of the usual indicators of an infected document,” he explains. This is novel because it abuses the previously safe user practice of hovering over a link before clicking.
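A triage script that inspects a PowerPoint deck for hover-triggered actions, as an added example that is not part of the original article or Trend Micro's analysis. It assumes the hover is expressed in the slide XML as an `a:hlinkMouseOver` element whose `action` is `ppaction://program` (the OOXML action that launches an external command), with the command stored as the hyperlink's relationship target; the one-slide sample deck and its placeholder command are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def hover_actions(pptx_bytes: bytes) -> list:
    """List every mouse-over hyperlink in a deck, resolving its relationship target."""
    out = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not (name.startswith("ppt/slides/slide") and name.endswith(".xml")):
                continue
            # Hyperlink targets live in the slide's companion .rels part, keyed by r:id
            rels_name = name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter("{%s}Relationship" % PKG_NS):
                    rels[rel.get("Id")] = rel.get("Target")
            for el in ET.fromstring(z.read(name)).iter("{%s}hlinkMouseOver" % A_NS):
                rid = el.get("{%s}id" % R_NS)
                out.append({"slide": name, "action": el.get("action", ""),
                            "target": rels.get(rid)})
    return out

def is_suspicious(finding: dict) -> bool:
    """A hover that launches an external program is the behaviour to flag;
    slide jumps and ordinary URLs are normal PowerPoint features."""
    return finding["action"].startswith("ppaction://program")

def build_sample_deck() -> bytes:
    """Constructed sample: a one-slide deck whose hover action runs a program.
    The command itself is a placeholder string, not a real payload."""
    slide = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             'xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree><p:sp><p:nvSpPr>'
             '<p:cNvPr id="2" name="Link"><a:hlinkMouseOver r:id="rId2" '
             'action="ppaction://program"/></p:cNvPr></p:nvSpPr></p:sp>'
             '</p:spTree></p:cSld></p:sld>') % (A_NS, R_NS)
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId2" Type="%s/hyperlink" '
            'Target="PLACEHOLDER_COMMAND" TargetMode="External"/></Relationships>'
            % (PKG_NS, R_NS))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Running `hover_actions` over a real deck and filtering with `is_suspicious` surfaces exactly the hover-to-run construct described above, which a signature looking only at macros or embedded objects would miss.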
Even when installing from the Google Play store, caution should be used when installing apps.
A good rule to follow is to ask yourself if the app being installed is asking for more permissions than what it needs to function. When it comes to a wallpaper app, the list of permissions should be rather short.
It was recently brought to our attention that there was a wallpaper app on the Google Play store that had an extra permission that didn’t fit. It was using the permission GET_ACCOUNTS which allows access to list accounts.
This wallpaper app was doing a bit more than just displaying pictures on the device’s background.
The app goes by the name of Sexy Girls Wallpaper Gallery with the package name com.sexywallpapers.wallpaper.sexy. With the permission GET_ACCOUNTS accepted, it then uses the getAccountsByType() function to gather account information from Google, Facebook, and Twitter.
The stolen account information is then sent to a remote server. This is all triggered when the app is opened.
It uses the value email for Google/email account info, emailf for Facebook account info, and emailt for Twitter account info when sending to the remote server.
The home improvement retailer confirms its customers’ payment card data was breached in an incident that is believed to have begun in April, likely compromising millions of card accounts.
One of North America’s largest retailers has confirmed that it was successfully compromised in a months-long campaign by attackers, resulting in what is believed to be the compromise of millions of customer payment cards.
In a long-awaited statement issued late Monday, Home Depot acknowledged that its payment card-processing system was breached, affecting payment card data belonging to customers of stores in the U.S. and Canada.
The Atlanta-based home improvement retailer said its investigation is focusing on April 2014 forward, indicating that the breach event may have been months long, spanning from April through August or early September.
“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” Home Depot said in the statement. It did not reveal the number of payment card accounts that may have been compromised.
It first learned of the breach via reports from banking partners and law enforcement on the morning of Sept. 2, according to the statement, and began its investigation immediately.
The company said that following the discovery of the breach, it has taken “aggressive steps to address the malware and protect customer data,” which included hiring security vendors Symantec Corp. and FishNet Security Inc. to investigate the breach.
Investigative security journalist Brian Krebs was first to report the Home Depot breach a week ago after multiple banks informed Krebs that they had identified stolen card data purportedly originating from Home Depot retail locations for sale on a popular black market website.
Krebs reported Sunday that a source close to the Home Depot investigation revealed that the breach was at least partially caused by a new variant of the Kaptoxa or BlackPOS point-of-sale malware used in last December’s massive Target Corp. data breach, causing speculation that the same attacker or group of attackers may be behind both breaches.
While Home Depot said there is no evidence that customers’ debit card PIN numbers were compromised, Krebs reported late Monday that banks have seen a spike in debit card fraud. He wrote that digital criminals are using the data stolen from Home Depot to contact banks in an effort to reset customers’ debit card PINs and in turn withdraw cash from ATMs using fabricated debit cards.
By comparison, the Target breach that resulted in the compromise of some 40 million payment cards reportedly occurred during only a three-week period last year and affected just under 1,800 stores. That breach played a role in a string of bad financial results for the company, including $146 million in breach-related expenses outside of insurance coverage, and culminated in the ousting of Target CEO Gregg Steinhafel and other long-time executives.
Security researcher Axelle Apvrille recently published a paper about AdThief, a malware aimed at hijacking ad revenue from a reported 75,000 infected devices. First discovered in March 2014, and also known as “spat,” the malware, which comes disguised as a Cydia Substrate extension, was found to replace publishers’ publisher IDs with that of the malware creator, effectively attributing all ad revenue to him.
A publisher ID is used to identify a publisher’s account on an ad platform, which helps track revenue generated by said publisher. By being able to swap the publisher’s publisher ID with his own, the malware creator was able to hijack revenue from about 22 million ads. In effect, when clicking on an ad, an infected user would generate ad revenue for the attacker instead of the developer of the application or website.
Infected devices: ~75k
Total activate times: ~22m
Daily activate times (around 3/20/2014): ~22k
The malware was designed to target ad kits from 15 ad networks, including Google-owned AdMob and Google Mobile Ads, both representing a large share of mobile advertising at least here in the US. Other American companies targeted by AdThief are AdWhirl, MdotM, and MobClick. The remaining targeted ad networks were all from China or India.
A list of mobile adkits targeted by the malware is provided in a report: YouMi, Vpon, MobClick, Umeng, AdSage/MobiSage, MdotM, InMobi, Domob, AdWhirl, AdsMogo, Google Mobile Ads SDK, AderMob, Weibo, MIX SDK and Poly SDK. The majority of these are Chinese, four are based in the US, and two in India.
In his report, Xiao remarks that Weibo is a popular social network in China, but is unable to attribute MIX SDK and Poly SDK more precisely. In fact, Sina Weibo, introduced in 2013, is an advertisement SDK, so that solves one mystery.
MIX SDK can be attributed to GuoHeAD. It probably refers to the GuoHe MIX platform for cross-promotion of mobile games. This is also backed up by the name of a source file found in the malware: /Volumes/MacOsStore/Project/IOS/SpAd/SpAd/AD_GuoHe.xm.
Finally, Poly SDK is not a new adkit: it corresponds to AderMob. This is confirmed when downloading the AderMob iOS SDK.
Table (flattened during extraction): Implementation details of adkit hooks found in iOS/AdThief.A!tr, listing each adkit with its typical class names. Recoverable rows: AdMob and Google Mobile Ads SDK; YouMi* (delegated to Google Ads).
iOS/AdThief is a technical and malicious piece of code which hijacks revenue from 15 different adkits. It is built on top of the Cydia Substrate platform, available for jailbroken devices, which provides it with an easy way to modify advertisement SDKs. With Substrate, the malware needs only to focus on the call and implementation of each hook.
At first, the identification of every adkit the malware targets was difficult because the code mentions only class names used by each adkit SDK. However, the fact that the malware author did not strip out debugging information helped us to identify all 15 adkits. In particular, this is how support for Komli Mobile and GuoHeAD was detected.
Phishing is the act of trying to secure information from someone by impersonating someone else in an electronic communication, such as email. It is common for attackers to send out emails with links or attachments that attempt to secure information from you or even take control of your computer.
Why should I care about phishing?
By email, attackers use phishing to get access to your sensitive and confidential information. It is common practice for the attackers to impersonate a trusted person or company in an attempt to collect enough information to steal your identity or confidential information from your employer. These emails can also include attachments that can contain malware that can affect your computer when clicked on.
Attackers are very sophisticated these days and can easily set up bogus websites that steal your information without you realizing it, or you realize it too late. For example, an attacker can send you a link to a very real-looking but “fake” website that prompts you for information (i.e., name, address, telephone, bank account information, credit card information, social security number) that they can use for personal gain.
List of phishing techniques
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Phishing attempts directed at specific individuals or companies have been termed spearphishing. Attackers may gather personal information about their target to increase their probability of success.
A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original.
This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
How can I spot a phishing attempt via email?
Determine who is sending the email. Is it from a trusted source? Or is it from an address that you don’t recognize?
Is the sender asking you to click on a link? Or open an attachment? Scrutinize it before taking any action!
If links are provided, hover over them to see where they would take you. If the email is from a known entity but the link points somewhere else, do not click on it: clicking would let the sender know that they reached an active email address, and they may continue to target you in future phishing attacks.
If an attachment is included, only open it if you trust the sender. You can always scan for viruses prior to opening it, to ensure that it does not contain a virus.
Pay close attention to the body of the email. If you spot misspellings or bad grammar, be cautious.
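The link checks above, applied automatically to an HTML email body: each link is flagged when its real destination is outside the sender's domain, or when the visible link text shows one URL while the href goes somewhere else. This is an added example, not part of the original page; the sender domain, the bank names and the email body are constructed, and the two-label "registrable domain" helper is a deliberate simplification rather than a public suffix list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (simplification, not a PSL lookup)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body: str, sender_domain: str) -> list:
    """Return links that fail the 'where does this really go?' check."""
    p = _LinkCollector()
    p.feed(html_body)
    findings = []
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        if not host:          # mailto:, relative or malformed hrefs: nothing to compare
            continue
        reasons = []
        if registrable(host) != registrable(sender_domain):
            reasons.append("link host differs from sender domain")
        # Visible text that itself looks like a URL/domain must match the real host
        if " " not in text and re.search(r"[A-Za-z0-9]\.[A-Za-z]", text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and registrable(shown) != registrable(host):
                reasons.append("visible URL text does not match real destination")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample message: one deceptive link, one legitimate link
SAMPLE_EMAIL = ('<p>Your account will be closed. Please verify at '
                '<a href="http://login-examplebank.invalid/verify">'
                'https://www.examplebank.example/verify</a> or contact '
                '<a href="https://www.examplebank.example/help">our help desk</a>.</p>')
```

`suspicious_links(SAMPLE_EMAIL, "examplebank.example")` flags only the first link, with both reasons, which is the same conclusion a careful reader reaches by hovering.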
What to do?
Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate companies don’t ask for this information via email or text.
The messages may appear to be from organizations you do business with – banks, for example. They might threaten to close your account or take other action if you don’t respond.
Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
Area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a “refund.” But a local area code doesn’t guarantee that the caller is local.
If you’re concerned about your account or need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
Report Phishing Emails
Forward phishing emails to email@example.com – and to the company, bank, or organization impersonated in the email. You also may report phishing email to firstname.lastname@example.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
If you might have been tricked by a phishing email:
A widely used management software running on Target’s internal network may have given an important leg-up to attackers who compromised 40 million payment cards belonging to people who recently shopped at the retail giant, according to an article published Wednesday by KrebsonSecurity.
As journalist Brian Krebs reported, malware that infected Target’s point-of-sale terminals used the account name “Best1_user” and the password “BackupU$r” to log in to a control server inside the Target network. The malware used the privileged insider access to temporarily stash payment card data siphoned out of the terminals used in checkout lines so it could then periodically be downloaded to a different service for permanent storage. In Wednesday’s post, Krebs filled in some intriguing new details that suggest a poorly secured feature inside a widely used server management program may have played a role. Krebs explained:
A newly-discovered malware dubbed Unflod Baby Panda is stealing Apple ID credentials from jailbroken iPhones and iPads, warn security researchers.
Unflod hooks into the SSLWrite function of an infected device’s security framework, according to a blog post by German security firm SektionEins.
The malware is designed to listen for outgoing connections. Once it recognises an Apple ID and password, it sends these unencrypted IDs and passwords to the cyber criminals behind the malware.
The Unflod malware also highlights the risks of installing unknown apps on jailbroken iPhones.
Reports of the malware targeting Apple iOS emerged in posts on reddit by iOS users hit by repeated system crashes after installing iOS customisations that were not part of the official Cydia market.
A developer for the Cydia market, an alternative to the Apple App Store, has responded to the news in a reddit comment, saying that the probability of Unflod coming from a default Cydia repository is fairly low.
Independent security journalist Brian Krebs has uncovered important new details about the hack that compromised as many as 110 million Target customers, including the malware that appears to have infected point-of-sale systems and the way attackers first broke in.
According to a post published Wednesday to KrebsOnSecurity, point-of-sale (POS) malware was uploaded to Symantec-owned ThreatExpert.com on December 18, the same day that Krebs broke the news of the massive Target breach. An unidentified source told Krebs that the Windows share point name “ttcopscli3acs” matches the sample analyzed by the malware scanning website. The thieves used the user name “Best1_user” to log in and download stolen card data. Their password was “BackupU$r”.