Wednesday, April 29, 2015

Romanian police arrest cybergang who stole over $15 million from banks

Police have their work cut out for them as they crack down on cybercriminals. Romanian authorities have arrested 25 individuals who are suspected of being part of an international cybergang of thieves that hacked into banks by cloning credit cards and using them to steal over $15 million. The gang is suspected to have over 52 members in total, composed of Romanians and people of several other nationalities.


According to PC World, the hackers used unauthorized access to steal credit card information associated with various accounts from large corporations in Puerto Rico, the US, Muscat, and Oman. They then used the information to create fake copies of the cards, which were distributed to other members of the group, who used them to withdraw money from ATMs in several different locations.


Cybercriminals are banding together to commit costly bank heists


According to the Romanian prosecutors, the withdrawals were performed in batches over short periods of time on non-business days. Romanian authorities executed a search warrant for 42 homes in six cities on Sunday. Laptops and mobile devices of the suspected felons were seized. Gold bars valued at $163,000 weighing two kilograms were also taken.


Various cybergang leaders invested some of the stolen money in real estate and movable goods that are now being placed under restrictions pending an investigation. According to the New York Times, it was discovered that this specific case may also be linked to an even larger $45 million cybercrime campaign first reported by US authorities in 2013.


Members of this cybergang have struck more than once


US prosecutors also described two other cyber heists committed by the gang at one time. The first involved bank cards issued by the National Bank of Ras Al-Khaiman PSC in the United Arab Emirates; the second involved bank cards issued by the Bank of Muscat in Oman. This could be just the beginning, as it is almost guaranteed that various members of this notorious gang are still at large. In the coming months, more arrests are sure to be made.


What do you think about the rise in cybercriminal activity involving large sums of money being stolen from banks?


Have a safe (hacker-free) day!




US hospitals to use AC power probes to treat malware on medical devices

Photo by Sonarpulse, Wikipedia




Recent advances in the security world are truly astounding. According to The Register, two US hospitals will begin using a system that can detect malware on medical equipment by monitoring the AC power consumption. The two unnamed hospitals will be the first to test the new WattsUpDoc add-on monitoring system.


WattsUpDoc can check for potentially life-threatening malware running on crucial medical devices. The developers, Benjamin Ransford and Dennis Foo Kune, created the platform to use a “traditionally undesirable” power consumption side channel to detect malware threats with accuracy similar to that of desktop anti-virus software, without the need to modify the hardware or software.


Multiple medical devices can be vulnerable to malware


Hospital devices such as pregnancy monitors, compounders, and picture-storage systems for MRI machines are vulnerable to infection because they are typically connected to an internal network that is, in turn, connected to the Internet. Prototype developer Shane Clark states that even though many medical devices run Windows, they often use custom versions of the operating system that are incompatible with conventional antivirus software.


WattsUpDoc will help secure medical technology from malware


WattsUpDoc was first introduced in a 2013 paper titled WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices. The developers stated that the need to secure embedded systems without modification is critical for healthcare sectors due to the risk involved as “zombie machinery” is not so easily patched.


Ransford and Kune stated that:


“What you may be able to determine through AC power consumption are things like the computer that is plugged into an outlet, or more interestingly what is that computer doing? We are thinking about those machines that are really hard to patch, really hard to upgrade, and really hard to get inside.”



WattsUpDoc works with classifiers trained under supervised learning: the platform is taught, from labelled examples, to identify malware, websites, or other computer activity that leaves a recognizable signature in the AC power draw. In testing, the platform detected known and unknown malware with at least 94% and 85% accuracy respectively across different embedded devices.


In a live RSA demonstration, the platform was also able to generate unique power frequency footprints when visiting different websites such as YouTube or Twitter.


On the downside, the two developers also stated:


“A fast and brazen hacker can use their system to spy on machines if they are able to quickly switch a power socket with one that bears the WattsUpDoc monitoring kit”.



Hopefully, the hospitals that trial WattsUpDoc will benefit from it, which would be an important step toward developing a tool that can be useful for hospitals worldwide.


Have a safe medical (malware-free) day!




How to recognize the difference between a safe email and a scam

Over one billion consumers send and receive email on a daily basis. Of those, eighty thousand are victimized by scams every day and a total of four million people fall prey to scams annually. It is essential for everyone to learn to differentiate a safe email from a potential scam, because carelessly opening attachments and messages may leave you facing the aftermath of financial loss and identity theft.


45% of users are fooled by email scams and face financial loss or identity theft


According to Scamdex, these are the top five types of email scams that you need to watch out for:


#1) Employment scams – fake job offers (work from home)


These types of scams typically target people looking for or changing jobs. The majority of the employment opportunities on the internet are work from home jobs that promise a large income for a small amount of work. Many such employment offers are a form of check fraud, in which scammers illegally use a victim’s checks to draw on funds that do not exist in the account. You can often recognize these types of scams by the use of pictures with money or cars, testimonials, payment fees, and loud text.



Photo by Andrew Toskin, Flickr



Keep in mind that many work from home job offerings are too good to be true. Use common sense and be on the lookout for job email scams that promise you a high wage for easy or little work. Never give out your personal details to crooks sending you unsolicited work from home career opportunities by email. Do not reply to the message; just discard it before scammers even have a chance to confirm your email address is live.


#2) Auction scams – fake messages from online shopping sites such as eBay and Amazon


Everyone loves shopping online. Unfortunately, scammers use the opportunity to rip off shoppers who may be unaware they are being scammed. Be wary of products advertised at a very low price, poor ratings on an auction, requests to complete a transaction outside of the auction, and a seller insisting on immediate payment.


Scammers pretend to sell a product at a very cheap price in order to steal your credit card and bank account details. Another trick scammers use in online auctions is entering a low bid followed by a very high bid using a different name on a product you are selling. Also beware of “miracle” products for sale online that seemingly provide unbelievable cures and weight loss capabilities.



Photo by Jett, Bet You Didn’t Know Blogspot



Always find out exactly who and what you are dealing with in online auctions, and ensure payment pages are secure by checking for an https:// web address. Also, take a look at the auction’s privacy policy and refund/returns policy to be sure everything seems fair.


#3) Phishing scams – fake messages from PayPal, the Social Security Administration, and banks


Of the 1% of users that lost money through phishing scams, 53% were not compensated by their bank and 11% say they are still waiting for compensation. According to research conducted by Google involving phishing attacks:


“Most of us think we’re too smart to fall for phishing, but our research found some fake websites worked a whopping 45% of the time.”




Photo by Quintana Hanson, Tax Refund



Phishing email scams often resemble official-looking messages from retailers, Facebook, banks, PayPal, and eBay. The messages typically warn you to take immediate action involving your account, such as confirming your bank account details. Most phishing emails contain links that route you to spoofed websites built to look like the genuine ones. Do not fall for the massive number of shipping label and package tracking scams that claim you have a package on its way via a popular shipping service such as FedEx or UPS.




Photo by Saidul A Shaari, Flickr



In order to prevent yourself from being a victim, you should never send money or give personal details to strangers. Keep a periodic check on your credit card and bank statements and shred all important documents containing personal information. Always log in to a website directly and don’t click on suspicious links within an email message.


Google also discovered that users may not have much time to recover or change their login information before hackers access their account.


“Around 20% of hijacked accounts are accessed within 30 minutes of a hacker obtaining the login info.”



#4) Lottery and giveaway scams – the foreign lottery, competitions, and free vacation giveaways


Lottery and competition scams promise the recipient a big prize or some other winnings. These types of scams are delivered in a variety of ways, including over the phone, in person, by email, or by conventional mail. The scammer claims that you have won a substantial amount of money and that all you have to do to claim the prize is send money to pay fees such as taxes, customs duty, shipping, etc. Typically, victims ask for the fees to be taken out of the winnings, but they always receive the same response from the criminals: “we cannot do that”.



Photo by Jamil Velji, Wikipedia



Be wary of vacation scams that promise you a free vacation which requires you to pay a supposed service charge or purchase a membership to a travel club. Always seek the advice of a financial or legal expert before sending money.


#5) Advance fee fraud scams – promises of sending money, products, services, and special deals


Advance fee fraud is a popular email scam that is also known as upfront fee fraud. It is any scam that charges you a fee and in exchange promises to send you money, products, services, or special deals. You may also be asked to assist in removing funds from a country in turmoil or to help law enforcement catch thieves.


The most prevalent type of scam, which hits a massive number of users, is referred to as the 419 Nigerian Scam. A scammer typically contacts someone by letter or email and offers a share in a large sum of money which they want to export from their country. The recipient is then asked to pay money or give bank details to help with the money transfer. The victim must pay fees, charges and taxes to help release the money from the country or bank account, and the scammers continue to make up further fees that must be paid before the money can be received.



Image by Morburre, Wikipedia



Of course, you will never be sent the promised funds. According to the Nigerian Fraud Watch website, victims have lost a shocking 12.7 billion dollars to this scam.


Users perceive emails by what they see with the naked eye


Human eye. Photo by Petr Novák, Wikipedia



Four popular universities – University of Buffalo, Brock University, Ball State University, and University of Texas in Arlington – conducted a study and launched a phishing attack against a group of users. The purpose of this was to discover the psychological reason behind why people fall victim to phishing spam emails. They state:


“Our results indicate that people process most phishing emails peripherally and make decisions based on simple cues embedded in the email. Interestingly, urgency cues, i.e., threats and warnings, in the email stimulated increased information processing, short-circuiting the resources available for attending to other cues that could potentially help detect the deception.”



The study reached a few conclusions:


  1. Users only process what they see with their eyes and do not consciously evaluate the email for a potential scam.

  2. Users decide to open and read an email based on captivating titles, graphics, testimonials, and matters of urgency such as “your bank account will be deactivated if you don’t respond now”. Fear also plays a part: a user is often scared by the title or content of an email without asking how this is possible or why it is happening.

  3. Urgency cues in an email cause information overload. Too much is happening within the email at once, and the brain cannot process all of it. Catchy titles and influential content or graphics cause users to miss an alert from their security product or a warning from an email filter that could have flagged the scam they are about to fall victim to.

“The findings suggest that habitual patterns of media use combined with high levels of email load have a strong and significant influence on individuals’ likelihood to be phished.”



How to avoid being victimized by email scams


  • Be wary of unsolicited email attachments and of suspicious sender addresses. Never click on a suspicious-looking link. Hover over a link with your mouse to reveal the destination address and confirm that it is legitimate.

  • Don’t click on URLs in emails that request a login with a password. Instead, visit the website manually, log in there, and look for the information that was promoted in the email.

  • Don’t fall for the top five email subject bait lines that scammers use: invitation to connect on LinkedIn, Mail delivery failed: returning message to sender, Dear (name) customer, Comunicazione importante, and undelivered mail returned to sender.

  • Use a spam/junk mail filter. Learn how to filter your email messages in order to separate the good from the bad. According to Kaspersky, over 70% of emails are spam. Another option is to use dedicated software to filter and block potentially unsafe messages, such as MailWasher.

Recognize fake e-mails. Photo and content by Microsoft



  • If an email message is seemingly suspicious, make contact through other means to verify the source and authenticity of the email. If a message is legitimate, finding a contact number to the source should be an easy task.
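The first two tips above (check where a link really goes, and never log in through a link in an email) can be automated. The script below is an added example written for this post, not code from the original article or from Emsisoft: it extracts every link from an HTML email body, compares the domain the link displays with the domain it actually points to, flags plain-http login links, and looks for the urgency phrasing the universities’ study describes. The sample message and the domains in it are constructed placeholders, not real phishing infrastructure.

```python
"""Added example: apply the link-hover and login-link tips to an email body.
The sample message and all domains below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Urgency cues of the kind the post describes (threats and deadlines).
# Constructed list; extend it with phrases seen in your own mail flow.
URGENCY_PATTERNS = [
    r"will be (deactivated|suspended|closed)",
    r"respond (now|immediately|within \d+ hours?)",
    r"immediate action",
]


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (href, text) pairs
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain: www.example-bank.com -> example-bank.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(text):
    """Domain of a URL, or of bare text that looks like one; None otherwise."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    host = parsed.hostname or ""
    return registered_domain(host) if "." in host else None


def analyze_email(html):
    """Return one finding string per suspicious feature of the message."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = domain_of(href)
        shown = domain_of(text)
        if target is None:
            continue
        # Tip 1: what you would see on hover differs from what the link shows.
        if shown is not None and shown != target:
            findings.append(f"link shows {shown} but points to {target}")
        # Tip 2: a login link that is not served over HTTPS.
        if urlparse(href).scheme == "http" and "login" in href.lower():
            findings.append(f"login link without https: {href}")
    # Strip tags and scan the remaining text for urgency cues.
    plain = re.sub(r"<[^>]+>", " ", html)
    for pat in URGENCY_PATTERNS:
        if re.search(pat, plain, re.IGNORECASE):
            findings.append(f"urgency cue: /{pat}/")
    return findings


# Constructed sample: a fake 'bank' notice. Placeholder domains only.
SAMPLE_EMAIL = """
<p>Dear valued customer,</p>
<p>Your account will be deactivated if you don't respond now.</p>
<p>Please verify at
<a href="http://login.example-lookalike.test/verify">www.example-bank.com</a>
</p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding)
```

On the constructed sample this reports the display/destination mismatch on the first link, the plain-http login link, and two urgency cues, while the genuine help-centre link produces nothing. The domain comparison is deliberately simple (last two labels), so multi-part suffixes such as .co.uk would need a public-suffix list in real use.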

Have you seen these types of email scams going around? What other ones are you aware of? Have a great (scam-free) day!




Tuesday, April 28, 2015

University student jailed for using a keylogger to up his exam scores

Photo by Alberto G., Flickr




Cheating is considered a serious offense by school officials. Birmingham University student Imran Uddin is facing severe consequences as a result of cheating: he has been jailed for four months because he used a keyboard spying device to steal staff passwords in order to raise his exam scores by five points.


According to The Telegraph, Uddin is believed to be the first British student ever jailed for cheating. He raised one exam mark from 57% to 73%. Uddin was in the final year of a bioscience course and was expected to achieve a lower second class degree. He was jailed at Birmingham Crown Court after admitting to six charges under the Computer Misuse Act.


Scholars will be prosecuted for illegal hacking


Uddin attached a “shadowing” keyboard device to the back of several university computers in order to steal passwords. The device could ultimately record the keystrokes of anyone using the keyboard as stated by prosecutor Madhu Rai.


Presiding Judge James Burbidge QC stated:


“For reasons not entirely clear to me, whether it was monetary, or pride or a desire to out-perform others, you decided to cheat and you formed a settled intention to do that. I consider your actions were planned and persistent.”



Among other checked university computers, three other devices were also found to have a similar keylogging/spying device attached. Miss Rai said one of the devices had been attached to a “staff only” computer in order to gain access to the exam grading software. The defense claimed that Uddin was under so much pressure that he could not see clearly.


A spokeswoman from Birmingham University in response to this stated:


“The University cannot comment on individual cases, however, we take any criminal activity extremely seriously and work closely with West Midlands Police.”



The university’s ruling on the case has yet to be decided. The situation looks rather grim for Uddin, because students convicted of serious crimes face a student misconduct investigation and permanent expulsion.


Do you think it’s fair that this student is facing charges for his cheating? Let us know what you think!


Have a safe (malware-free) day!




IRC botnets have evolved to steal passwords and avoid detection

A recent analysis of some of the most common and widespread IRC based botnets performed by researchers at Zscaler revealed that such threats continue to thrive as they keep improving by adding new features. An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, and so appears to other IRC users as another user.


Dorkbot and other common IRC botnets


Botnet malware has evolved into a multipurpose tool that compromises the security of the infected system in several different ways while building up an army of bots for large scale attacks. The worm Dorkbot is one of the most prevalent IRC based malware families. This threat, also known as Nrgbot, is capable of stealing passwords, stopping security updates, downloading more malware, and even launching DDoS attacks using infected systems. Dorkbot is mostly spread via instant messaging services and social networking websites. The malware can also copy itself to thumb drives, creating another source of infection.


Once on the system, Dorkbot creates a registry entry to persist across reboots while injecting malicious code into Microsoft Windows executables such as svchost.exe, mspaint.exe and calc.exe. The code injected into each Windows process performs a specific malicious task; for example, the code injected into calc.exe downloads additional malware from 20 custom-encrypted URLs. Dorkbot is also armed with a rootkit component.


Some other ambitious IRC botnet malware like RageBot, Phorpiex, and IRCBot.HI can even check for sandboxed environments and honeypots, and enter systems selectively, thus avoiding analysis and detection. To make the analysis process even more difficult, all of these threats have different propagation mechanisms.


According to Security Week:


“RageBot spreads by copying itself into RAR archive files, and folders associated with instant messaging and peer-to-peer (P2P) applications. Phorpiex spreads through removable drives, while the IRCBot.HI sample analyzed by Zscaler was designed to leverage Skype in order to spread.”



IRC botnets are alive, effective and evolving


Research shows that in the current cyber security environment, IRC botnets continue to evolve and thrive. Hackers have been using the combined power of thousands of infected computers as a weapon to launch massive DDoS attacks against various organizations for quite a while, but now they are looking to do even more.


As stated by Zscaler in their blog post:


“In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based botnet families continue to evolve in terms of sophisticated features incorporated in the bots.”



The good news is that several botnets have been targeted and taken down by joint international police operations this year, like this one. Although such combined efforts of government and private organizations have been quite successful, it is important to remember that any massive botnet is still made up of individual bots (infected computers). Cyber criminals can only use the power they harvest from their victims, so by protecting your own computer and keeping it clean, you help prevent the growth of botnets too. Make sure you have an up-to-date anti-malware application.


Have a nice (malware-free) day!




How to stay safe on Facebook and avoid the top 5 scams

The immensely popular social networking site Facebook has a user base of over 1.19 billion, which also makes it a popular medium for scammers. It is important to be able to identify a threat before it hits you because the consequences that follow one “quick click” may leave your bank account empty and your identity stolen.


53% of scams target social media users


Bitdefender conducted a survey on Facebook and Twitter by befriending 1,900 people. They then sent the users three links leading to malware. Based on the results, they discovered:


“97 percent of respondents on Facebook and Twitter blindly click on links without checking for malware.”



It’s therefore not surprising that scam makers are successful in tricking Facebook users. In fact, a two year Bitdefender study of 850,000 different Facebook scams identified the five most prevalent scam types and the share of victims that fall for each. Here are the top 5 scams you need to keep an eye out for:


#5) Atrocity videos: animal cruelty, suffering people and other dark videos (0.93%)


Atrocity video scams prey on a user’s darker side. Cybercriminals use horrendous images involving maimed animals, murder, suffering children, and tortured women to draw a user in. Although still relatively small compared to other scams (less than 1%), this type of scam is growing at a steady rate, with thousands of victims from every new campaign. According to the report:


“Children and teenagers are the most exposed to atrocity video scams, and we expect their number to intensify in the future.”



Woman Shark Attack (Google Images)




Cybercriminals use atrocity videos as a way to serve users with links to fraudulent web sites that prompt you to complete surveys and offers before watching the video. Cybercriminals hope to earn a commission for every survey completed. Malware is also distributed in this way.


In order to combat this type of scam, you must avoid falling victim to your own curiosity and fight the urge to click “play”. Stay vigilant and use common sense. Check the domain name of any suspicious link to a video or image before clicking on it. Cyber criminals have no shame and even use tragic events such as airline disasters to lure people into clicking. Steer clear of atrocious content on Facebook and get your news from major news websites instead.


#4) Celebrity scams: celebrity scandals and death hoaxes (7.5%)


The fourth most popular type of Facebook scam preys on a user’s desire to keep up with the latest news and gossip about favorite celebrities such as Rihanna or Justin Bieber. The videos often promise shocking news, such as the death of a celebrity, or adult content. The primary goal of this scam is to trick you into clicking a link that then asks you to update your video player or redirects you to an external site prompting you to download something in order to watch the video.


This scam appeals to a user’s sense of curiosity and amplifies it by using enticing trigger words and popular celebrities. While some videos lead to Potentially Unwanted Programs (PUPs) such as adware, others are more serious and lead to data-stealing malware that can turn your computer into a zombie as part of a botnet.


In order to combat this scam, users must use caution and common sense. In order to stay up to date on your favorite celebrities, use a legitimate and verified news and video source. Think before you act, remember if something seems so shocking that it is unreal, it probably is. Avoid watching adult content based videos on social media sites.


#3) Freebies and giveaways: Free -enter any company name- gift card!  (16.5%)


Giveaway scams are the third most popular Facebook scam and prey on the human instinct of greed. A few examples of this scam are winning free trips to Disneyland, receiving free gift cards or vouchers, and free electronic items such as an iPad. A well known saying is “nothing in life is free”, especially if something sounds too good to be true. If somebody on Facebook tells you a company is giving away vouchers or gift cards if only you invite your friends to the offer or click on a link, don’t believe it. If you do, you’ll end up spamming all your contacts with bogus messages about the fake offer.


If a user falls for a “free giveaway” or “freebie” scam, they are at risk of downloading malware. Before qualifying for the free promotion, you must complete several “special” or “reward” bonus offers, which are provided at the user’s expense and cost real money. Cybercriminals receive a commission off each survey and a treasure chest full of confidential information such as your username, e-mail address, and phone number.


In order to combat this scam, users must keep in mind that almost all of the free offers encountered online are bogus. Always think before you click, and if an offer seems suspicious, contact the company to verify the promotion’s authenticity or check the company’s Facebook page. Never enter your most sensitive credentials on free surveys and promotional offers that seem too good to be true.


#2) Facebook functionality enhancements (29.5%)


The second most popular Facebook scam is one that supposedly extends Facebook functionality. Users are presented with options to add a dislike button or embellish their profile with different colors or features, such as this one. This scam centers around a user’s desire to improve their overall social networking experience. Once a user decides to take advantage of the supposed enhanced Facebook features, cybercriminals can access and steal the user’s most sensitive data and spread malware by means of fake online survey pages. Never enter your data in suspicious forms or surveys on social media sites.


In order to combat this scam, Facebook users need to help raise user awareness. Also, never click on links leading to pages that offer the ability to change your background and profile color as Facebook does not offer such an option.


#1) Who viewed my profile? (45.5%)


By far the most popular and widespread Facebook scam that users will encounter (almost 46%) preys on human curiosity. Users want to see exactly who, what, and how many views their page is getting. The “profile viewer” message is customized to each person, touching users on a personal level. A lot of users want to see whether they are still being searched for by a person they may still have feelings for, such as an ex.


The scam involves installing a malicious Facebook application that supposedly provides this very functionality. After accepting the terms of use for the “who viewed my profile” application, users may begin to notice strange occurrences such as postings on their Facebook timeline and unauthorized access to pictures and personal information. Unknown to the user, their sensitive information and pictures are being used in phishing, fraud, and targeted spam or malware attacks.


In order to combat this type of attack, users must be made aware that a legitimate application which reveals details such as how many views or how many viewers you have is highly unlikely to exist. Don’t click on suspicious links to pages when you don’t know where they are taking you, and don’t add applications to your Facebook account that have not been checked and confirmed to be safe by Facebook’s developers.


General human dispositions cause users to fall for these tricks


The report delves into psychological explanations as to why users fall for the traps. The conclusion:


“The biggest vulnerabilities appear because of general human dispositions that may hit any user at one point in his life,” Bitdefender Behavior Analyst Nansi Lungu said. “It’s hard for us to acknowledge our irrational behaviors, or that we’re blindly indulging in impulses we typically attribute to the less educated.”



  1. Vulnerabilities appear because of general human dispositions – The way people act, think, and react give rise to threats and vulnerabilities.

  2. Scams may hit any user at one point in his life – No matter how tech savvy or educated a user may be, no one is immune to falling victim to a scam at least once in a lifetime because cybercriminals always use the right psychological triggers.

  3. We all behave irrationally sometimes, online and offline – Everyone at some point will say or do something crazy or careless without first thinking about the consequences that follow.

  4. Scam victims are often less informed – Most scam victims are not aware of what something is or how it happens until it’s too late.

People are seemingly their own worst enemies. We don’t think before we act, and react before we think. This irrationality gives cybercriminals a motive to steal sensitive data and distribute malware as a means to make money. Cybercriminals take advantage of the fact that many users are not aware of online dangers and therefore aim to target this vulnerability. User awareness and caution are the key.


Tips to stay safe on Facebook


  • Stay informed and up to date on the latest malware outbreaks and security news via blogs and newsletters. It is important to stay up to date on the latest security news when fighting online threats. Read security blogs from Emsisoft and Sophos. Also, subscribe to receive security newsletters from security news sources. There are also good sites and Facebook pages to inform users about Facebook scams, such as this one.

  • Use a reputable, up-to-date antivirus application to block malicious sites and malware infections. Antivirus applications are essential tools for detecting, blocking, and preventing malware infections. It is critical to keep your antivirus enabled and up-to-date with the latest virus definitions to ensure maximum protection.

  • Keep your operating system and applications up to date to minimize potential vulnerabilities. Always perform Windows updates and keep your software applications up to date. Cybercriminals on social networks will exploit vulnerable operating systems and software as a means to spread malware.

  • Use caution and think twice before using the “quick click” method. Do not carelessly act and react without thinking. Use common sense and caution in order to avoid installing a potentially malicious application or visiting a suspicious web page. A lot of scams spread through Facebook friend recommendations, so don’t simply click on something a friend shared with you.

  • Beware of the personal information you share on social media sites. The top five essential “TMI” Facebook items to keep private and never share are your social security number, birth date, home address, home phone number, passwords and bank and credit card information.

  • Customize various privacy options. Facebook gives a user control over their own privacy settings. Do not assume that you have to use the default settings. Check out the other configuration and learn how to adjust your security settings. Make yourself aware of how to limit what others can see and how to block unwanted guests from viewing your profile.

  • Avoid social media sites altogether to combat malware and scams. The last ditch effort to stop scams on Facebook is to avoid the social media site altogether. This may not be an option best suited for everyone. If you are consistently being infected or scammed on Facebook, it may be a good time to consider backing out of the social media game while you still have your identity and money.

  • Use secure web browsers and security-based add-ons to combat malicious web pages. Use a reputable, up-to-date web browser such as Google Chrome as a first line of defense. Chrome has the ability to block phishing and malware sites. Chrome allows for the use of a massive variety of different add-ons. Use ones such as Adblock Plus to block malicious ads and pop-ups and WOT to also help block phishing and malware sites, which should further improve your overall security online.

  • Use strong passwords. Probably the most critical part of staying safe on social media sites everywhere is to use strong passwords. Never give out your username or password to anyone. Cybercriminals are getting smarter and therefore cracking a weak password is a relatively easy task for them to accomplish. Learn how to make strong passwords here.

Have a great (scam-free) day!



How to stay safe on Facebook and avoid the top 5 scams

Saturday, April 25, 2015

Hackers can potentially hack WIFI systems on aircraft to commandeer the plane

Flying thousands of feet in the air can be a scary event for most people, but now it seems that air travel may be more dangerous than it has ever been. Potential flaws have been discovered in several new-model airplanes that could allow hackers to commandeer the plane by hacking into a single WIFI system using their laptop computer. It is a scary thought that a hacker may be sitting next to you on a plane.


According to news giant CNN, hundreds of the planes flying commercially today could potentially be vulnerable to having their on-board computers hacked and taken over by a passenger or even someone on the ground. One of the authors of the report told CNN that the Boeing 787 Dreamliner, the Airbus A350, and the A380 aircraft all have cockpits that are wired into the same WIFI system that passengers use.


According to cyber security and aviation experts:


“Modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems.”



Hackers could potentially make airline travel unsafe


According to the report by government investigators, it is theoretically possible for a hacker with a laptop to commandeer the aircraft, inject a virus into flight control computers, take control of the computers, and take over the warning and navigation systems. Hackers can also gain access to a flight computer system whenever there is physical linkage, such as the USB port in a passenger seat. If the wires are linked to the airplane’s avionics, the linkage creates a vulnerability.


Washington officials are already on the case as Keith Washington, assistant secretary for the administration with the FAA said:


“The agency recognizes that cyber based threats to federal information systems are becoming a more significant risk and are rapidly evolving and increasingly difficult to detect and defend against. We take this risk very seriously.”



The FAA has already initiated a comprehensive program to improve cyber security defenses of the National Airspace System infrastructure.


Have a safe (air-travel) day!




Nigerian man accused of hacking a bank computer to steal $340 million

Photo by trustieee, 123rf.com




Most people tend to believe that their money is safe when they put it in the bank, but this may not be the case anymore. According to authorities, a Nigerian man named Stephen Omaidu has been arraigned for allegedly hacking into the server of a second generation bank. Omaidu is believed to have transferred a large sum of sixty-eight billion and twenty-eight million naira (Nigerian currency) into his personal accounts.


Stephen Omaidu is facing a two-count charge bordering on theft to the degree of N68,028,000,000.00 before a High Court in Jabi, Abuja. This type of offense is punishable under section 287 of the Penal Code Act. Stephen has pleaded “not guilty”. A specific date for the trial to commence is currently being decided.


Will Stephen Omaidu be found guilty?


The dirty money game of hacking banks is nothing new. Similar cases have occurred, such as the one in 2014 where a Nigerian IT worker was on the run after a forty-million-dollar heist.


Following Stephen’s not guilty plea, the defense counsel Gabriel O. Sanifu urged the court to set bail. The court objected to this on the premise that the accused had failed to honor the administrative bail terms granted to him earlier by the Commission. The court stated that the accused could, if released, do the same act again if not reprimanded in court. Justice Nasir has ordered Stephen to be held in custody and has adjourned the case to April 28, 2015 to rule on the bail application.


Have a safe (hack-free) day!




Friday, April 24, 2015

A Samsung Galaxy S5 flaw allows hackers to clone your fingerprints

Photo by Kārlis Dambrāns, Flickr




Researchers from the security firm FireEye discovered a potential flaw on the popular Samsung Galaxy S5 smartphone that could allow hackers to clone your fingerprints and steal biometric data. Samsung has several steps in place to ensure fingerprints are secure by encrypting the ones stored on a phone. Unfortunately, it is still possible for hackers to hijack your prints before they even reach the encryption stage. A reliable source states that Samsung faced a similar incident last year involving a fake fingerprint hack.


According to Forbes, this form of attack is straightforward. An attacker could focus on collecting data coming from Android’s fingerprint sensors instead of breaking into the trusted zone. If a hacker can acquire user-level access and run a program as root, they can easily collect biometric data. In the case of the Samsung Galaxy S5, hackers do not need to go deep into the Android OS because the malware only needs system-level access. FireEye employees Tao Wei and Yulong Zhang are presenting their findings at an RSA conference tomorrow.


Biometric devices aren’t foolproof


Biometric devices are becoming more common in homes and the workplace. Samsung is not the first to face security issues with biometric devices: in 2013, Apple had its TouchID fingerprint reader hacked. Biometric vulnerabilities can lead to identity theft and loss of sensitive information. Consumers using older versions of the Android operating system are most at risk. It is advised to update to the latest Android OS version 5.0 (Lollipop).


Researcher Yulong Zhang stated:


“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint”.



You can protect yourself from biometric vulnerabilities by keeping your Android operating system up-to-date and patched with the latest security updates. Ideally, it would be best to avoid fingerprint scanners altogether and find a more secure phone authentication method. Since mobile malware and fraud is becoming more common, it’s smart to install a mobile security program on your Android, such as Emsisoft Mobile Security.


Have a safe (hack-free) day!




CozyDuke malware is being used to spy on high profile US organizations

Photo by PBCrichton, openclipart



An advanced threat dubbed CozyDuke is being used to spy on high profile US government organizations. This type of attack is not new as it dates back as far as 2011. According to credible sources, it is believed that the White House and US Department of State were victims in a recent incident involving CozyDuke. It is no surprise the hackers are targeting important organizations since several million dollars or more is there for the taking.


CozyDuke uses spear phishing to target individuals with an infected link that redirects to a hacked website. The e-mails often link to seemingly legitimate sites such as “diplomacy.pl” that host an infected zip archive containing a RAR SFX file that installs the malware. The hackers also send e-mails with .zip Flash video attachments (an “office monkey” video) that drop a CozyDuke malware executable on your system.


CozyDuke is a unique, sophisticated threat


CozyDuke exhibits several unique characteristics and is sophisticated in its malicious operation. The key elements of this threat are that:


  • It targets high profile victims.

  • It has evolving crypto and anti-detection capabilities.

  • It represents a multi-stage malware attack.

Monkeys.exe and player.exe are the two executables dropped by the malicious payload into the %temp% directory after initial infection. Monkeys.exe is launched first, followed by the CozyDuke dropper, which uses anti-detection tactics. Afterwards, the malware queries a WMI instance in the root\security center namespace to discover which security product is currently installed. Several notable security products are on this list, such as Kaspersky, Dr.Web, and Avira.


Several malware files falsely signed with an AMD digital signature are dropped into a directory the malware creates. These files are encrypted with an XOR cipher and stored on disk. Once the command and control server starts sending commands to the victim’s machine, the system is fully compromised. CozyDuke aims to steal sensitive information and banking details by capturing keystrokes and taking screenshots.


According to the researchers:


“CozyDuke’s custom backdoor components appear to slightly evolve over time, with modifications to anti-detection, cryptography, and trojan functionality changing per operation. This rapid development and deployment reminds us of the APT28/Sofacy toolset”.



How do I avoid being infected by CozyDuke?


  • Never open e-mail attachments from an unknown source.

  • Beware of zip archives with SFX files inside.

  • Keep your operating system and software up-to-date.

  • Run regular antivirus scans on your PC.

Have a safe (malware-free) day!


Saturday, April 18, 2015

Arkansas Police send malware-laden hard drive to lawyer representing whistleblowers

An Arkansas lawyer, Matt Campbell, who is representing some ex-cop whistleblowers, received his hard drive back with three well-known pieces of malware on it after he sent it to the police department. Mr. Campbell had handed his external hard drive to the Fort Smith Police Department for them to load it with e-mail and other data responding to his discovery request. The police returned it with the requested files, but inspection revealed they had added something extra as well.


A folder filled with malware found on the portable hard drive


There was a subfolder on the drive named “Bales Court Order” containing multiple threats. A computer security consultant helped Campbell identify three well known trojans.


The following malicious files were placed in the folder:


  • Win32:Zbot-AVH[Trj]: a keylogger and backdoor

  • NSIS:Downloader-CC[Trj]: a program that connects to attacker-controlled servers and downloads and installs additional programs

  • Two instances of Win32Cycbot-NF[Trj]: another backdoor
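The consultant’s first step in a case like this is an inventory of the returned drive before any file on it is opened: a hash of every file plus its Authenticode status, so that later antivirus detections can be tied to specific files and so that executables whose signature does not verify stand out. The script below is an added example, not code from the Emsisoft post or from the consultant in the case; it assumes the drive is mounted (ideally read-only) at the placeholder path `E:\` and that PowerShell 4 or later is available for `Get-FileHash`. The same check catches the pattern described in the CozyDuke post above, executables carrying a signature that does not verify.

```powershell
# Added example (not from the Emsisoft post): inventory a drive received from a
# third party before opening anything on it. Every file is hashed and its
# Authenticode signature checked; executables that are unsigned or whose
# signature fails verification are listed for a second look.
# Assumptions: drive mounted at $Root (placeholder), PowerShell 4+ (Get-FileHash).
param([string]$Root = 'E:\')   # placeholder drive letter, change to the real mount point

# Extensions we treat as executable content worth flagging when unsigned.
$exeExt = '.exe', '.dll', '.scr', '.com', '.pif', '.cpl', '.sys'

$inventory = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Bytes     = $_.Length
            Modified  = $_.LastWriteTimeUtc
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status              # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }

# Keep the full listing as evidence, then show only what needs attention.
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'drive-inventory.csv') -NoTypeInformation

$suspect = $inventory | Where-Object {
    ($exeExt -contains [IO.Path]::GetExtension($_.Path).ToLower()) -and ($_.SigStatus -ne 'Valid')
}
$suspect | Select-Object Path, SigStatus, Signer, SHA256 | Format-Table -AutoSize
```

Run it from an elevated prompt on an isolated analysis machine, and hand the CSV (not the drive) to whoever reviews the findings; the SHA256 column is what an antivirus vendor or a malware database needs to identify a sample without anyone executing it.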

Act or Accident?


Since these trojans are well known and easily detected by antivirus/anti-malware software, it is unlikely that they ended up on the hard drive by accident, especially since the Fort Smith Police Department claimed that their systems ran real-time AV protection. The placement of the files, all of them in a particular folder and not in the root directory, further suggests that they were put there intentionally, probably with the intention of spying on Mr. Campbell’s computer and gaining unauthorized access to his accounts in order to steal information.


This would allow the department to have an unfair advantage over their legal opponents.


According to ArsTechnica:


In last week’s court filings, Campbell asked the judge hearing the suit to hold the plaintiffs in criminal contempt and impose other court sanctions. The request is under submission, and it’s not clear when the judge will rule on the motion.



So far, the police have refused to comment on the matter. This incident, however, highlights the fact that malware is now being widely used by authorities for spying purposes. It is disappointing that the tools of cybercriminals are being used by the very authority that is supposed to prevent their use, the police department.


Have a nice (spyware-free) day!


NY hacker sentenced to 3 years in prison for cyber attacks on DirecTV, Farmers Insurance and L.A. public works

Staten Island hacker Mario Patrick Chuisano was sentenced to 3 years of imprisonment this Thursday for his involvement in a series of cyber attacks against DirecTV, Farmers Insurance and the Los Angeles Department of Public Works. After his sentencing at the U.S. District Court in Los Angeles, Chuisano was also ordered to pay US$ 2,662,438.80 in restitution to the three victims. The 32-year-old self-taught hacker, an alleged member of the hacking syndicate Swagg Security or SwaggSec, was known online by the aliases “fame” and “infam0us”. Chuisano had pleaded guilty to the charges of conspiracy to intentionally cause damage to a protected computer as well as possession of an unregistered sawed-off shotgun earlier in June 2014.


Cybercrime is to be taken seriously


Chuisano had installed a Remote Access Trojan (RAT) on an insurance agent’s computer in order to steal reports, e-mails and passwords from Farmers Insurance. During the investigation, FBI agents had also uncovered an unregistered handgun and brass knuckles at the culprit’s residence, along with equipment capable of making counterfeit credit and debit cards. Between 2012 and 2013, Chuisano’s hacker group SwaggSec had made several posts on social media boasting about their attacks by releasing the stolen data.


In the sentencing memo, prosecutors wrote:


“The theft and release of passwords is particularly disturbing because many people use the same passwords for activities of daily Internet life, such as banking and device access”



In the attack against the Los Angeles Department of Public Works, Chuisano and his hacker group had stolen sensitive identification and health related information relating to over 3,000 individuals.


In defense, Chuisano’s lawyer, Joseph Sorrentino, argued that his client was “quite simply a very good man who made a terrible mistake,” and should receive a probationary sentence because “sending Mr. Chuisano to jail for any amount of time does more harm than good.”


This sentence clearly shows that cybercrime, just like any other crime, warrants punishment, and it sends a strong message to all cybercriminals, warning them of serious consequences if their crimes are discovered and brought to court.


Have a nice (hacking-free) day!




Friday, April 17, 2015

Urgent! Update your Windows to patch several critical vulnerabilities‏

Updating Windows



Microsoft published a security bulletin this April after patching several vulnerabilities in their operating systems and applications. Updates for Microsoft Office, Internet Explorer and several other Microsoft applications are included. This is an important release as many of the vulnerabilities fixed were massive in scale and severity.


Microsoft usually releases security patches on the 2nd or 4th Tuesday of each month (in North America). This has led to the day being referred to as “Patch Tuesday” or “Update Tuesday”. Microsoft also has a tendency to release more updates in even-numbered months like February, April and so on, as compared to odd-numbered months. In any case, releasing security fixes regularly is definitely a good practice.


We strongly recommend all users to update Windows installations.


Several unpleasant situations avoided


Some of the major fixes are:


Cumulative Security Update for Internet Explorer (3038314): This fixes a remote code execution vulnerability in IE. The flaw made it possible to execute malicious code remotely by designing a suitable website, with the code running under the same rights and privileges as the current user. This was a massive vulnerability and could have allowed cybercriminals to literally take over your computer!


Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019): Similar vulnerabilities in Microsoft Office were also patched. Due to this vulnerability, a special MS Office file (like a malicious word document) could also allow attackers to execute their code on the victim’s system.


Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553): Attackers could also execute code remotely by sending a specially crafted HTTP request to a vulnerable Windows system. This is probably the most severe of these threats since it allows hackers to take over a system by simply sending an HTTP request. After generating the malicious request, cybercriminals could target every reachable web server until they find one that is vulnerable. The issue can be mitigated temporarily by disabling IIS kernel caching, but that may affect the performance of the system.


According to Wolfgang Kandek, CTO at Qualys:


“An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account. The attacker would then use an exploit for a second local vulnerability to escalate privilege, become administrator and install permanent exploit code. The attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows based web servers on the Internet.”



It is expected that we will see several attempts by cybercriminals to break into Windows web servers using this vulnerability. Surprisingly, Windows Server 2003 IIS is not vulnerable, meaning the issue was introduced in later releases.


Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576): This vulnerability allows attackers to run their code with elevated privileges by designing a suitable application.


Vulnerability in .NET Framework Could Allow Information Disclosure (3048010): This vulnerability in .NET could be exploited by sending a specially crafted request to an affected server that has custom error messages disabled. This would allow the attacker to retrieve sensitive information by viewing parts of the web configuration file. This is a major concern since there are plenty of Windows servers deployed in corporate environments holding financial and sensitive data.


Any server administrators using Microsoft webserver must update their systems as soon as possible in order to eliminate the above vulnerabilities.
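For an administrator who runs IIS, the two actions the HTTP.sys paragraph above calls for are: confirm the 3042553 update is actually installed, and, until it is, apply the temporary workaround of disabling kernel caching. The script below is an added example, not from the Emsisoft post or from Microsoft; it assumes an elevated prompt on a Windows Server with IIS and the WebAdministration module, and that the installed package reports itself under the bulletin number quoted above (KB3042553). For the Office and .NET bulletins the installed package KB numbers differ from the bulletin numbers, so this check is written only for the HTTP.sys fix.

```powershell
# Added example (not from the Emsisoft post): check for the HTTP.sys update and,
# if it is missing, disable IIS kernel-mode caching as a stopgap.
# Assumptions: elevated PowerShell on Windows Server with IIS + WebAdministration;
# the installed hotfix is listed under the bulletin's KB number, KB3042553.
Import-Module WebAdministration

$kb = 'KB3042553'   # HTTP.sys bulletin number quoted in the post
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

if ($installed) {
    Write-Host "$kb is installed (on $($installed.InstalledOn)); no workaround needed."
}
else {
    Write-Warning "$kb is NOT installed. Disabling IIS kernel caching until the patch is applied."

    # The workaround lives in the server-wide caching section; expect a
    # throughput drop on sites that rely on kernel-mode output caching.
    $section = 'system.webServer/caching'
    $root    = 'MACHINE/WEBROOT/APPHOST'
    Set-WebConfigurationProperty -PSPath $root -Filter $section -Name 'enableKernelCache' -Value $false

    # Read the value back so the change is visible in the console log.
    $now = Get-WebConfigurationProperty -PSPath $root -Filter $section -Name 'enableKernelCache'
    if ($now.PSObject.Properties['Value']) { $now = $now.Value }
    Write-Host "enableKernelCache is now: $now"
}
```

Re-run the script after Windows Update has installed the fix: once `Get-HotFix` reports the KB, kernel caching can be switched back on with the same property set to `$true`.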
Microsoft has released the patches, but to ensure that the above scenarios do not take place, users must install the security updates. Windows automatically installs all important updates unless the feature has been turned off by the user. We strongly recommend keeping your Windows installation up to date to avoid many such threats.


Have a nice (patched-up) day!




Wednesday, April 15, 2015

Large scale Windows SMB vulnerability puts user login credentials at risk

An important vulnerability labeled “Redirect to SMB” has been uncovered by Cylance. This vulnerability allows attackers to steal sensitive login information using a new technique. All devices running Windows (even the preview of the latest Windows 10) are affected, and the list of vulnerable software packages is huge as well. The vulnerability was recently disclosed to the public by Carnegie Mellon University CERT, who have been working with the affected software vendors for the last few weeks to help resolve the issue.


From Server Message-Block to Unauthorized Access-Allow


Server Message Block (SMB) is an application-layer network protocol mainly used to enable shared access to files, printers and miscellaneous communications between nodes on a network. In this case, the communication between the victim’s computer and a legitimate web server could be hijacked using a man-in-the-middle attack and the traffic redirected to a malicious SMB server. Such a server would allow the attackers to retrieve the victim’s username, domain and hashed password. Thus, this is another technique cybercriminals can use to steal important login data. The following illustration describes the scenario:


Illustration of the Redirect to SMB vulnerability (source http://blog.cylance.com)



The Redirect to SMB vulnerability is not the first of its kind. According to Brian Wallace of Cylance:


The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser.



Microsoft ignored the previous vulnerability and left it unpatched; hopefully that will not be the case here.


A large scale vulnerability that even affects antivirus programs


So far 31 vulnerable applications have been discovered including popular applications like Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Excel 2010 and Github for Windows.


The list even includes antivirus/anti-malware programs! The following security applications are affected:


  • Symantec’s Norton Security Scan

  • AVG Free

  • BitDefender Free

  • Comodo Antivirus

Due to the complicated nature of the vulnerability, it is expected that it will mostly be used for targeted attacks. However, cyber criminals rarely lack imagination so there could be several different scenarios.


The following types of attacks could make use of this vulnerability:


  • Targeted attacks with sophisticated planning

  • Attacks using Malvertising (malicious advertising)

  • Attacks through shared Wi-Fi access points in locations like hotels and coffee shops

While we wait for a patch, the simplest solution is to completely block outbound traffic from the ports TCP 139 and TCP 445 using a firewall. Hopefully Microsoft will take this major security issue seriously and release a fix soon.
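The interim mitigation described above, blocking outbound TCP 139 and 445, can be applied and audited with the Windows Firewall cmdlets. The script below is an added example, not from the Emsisoft post or from Cylance; it assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated prompt, and the rule name is my own choice. The post recommends blocking the ports completely; the example scopes the rule to the Public profile by default because that is where a laptop meets the hotel and coffee-shop networks the post lists, and blocking SMB on the Domain profile also breaks legitimate file-share access. Set `$fwProfile` to `Any` for the full block the post describes.

```powershell
# Added example (not from the Emsisoft post): block outbound SMB (TCP 139/445)
# at the Windows Firewall as a Redirect-to-SMB stopgap, then print the rule
# with its port filter so the change can be audited.
# Assumptions: Windows 8 / Server 2012+ (NetSecurity module), elevated prompt.
$ruleName  = 'Block outbound SMB (Redirect-to-SMB mitigation)'   # name is my choice
$fwProfile = 'Public'   # 'Any' = every profile, i.e. the complete block the post suggests

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 139, 445 `
        -Profile $fwProfile -Enabled True | Out-Null
    Write-Host "Created firewall rule '$ruleName' for profile(s): $fwProfile"
}
else {
    Write-Host "Firewall rule '$ruleName' already exists; leaving it unchanged."
}

# Audit view: the rule object does not carry the ports, the port filter does.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $ports = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Direction  = $_.Direction
        Action     = $_.Action
        Profile    = $_.Profile
        Protocol   = $ports.Protocol
        RemotePort = ($ports.RemotePort -join ',')
    }
} | Format-List
```

Once the vendor patches arrive, remove the rule with `Remove-NetFirewallRule -DisplayName $ruleName` rather than leaving a forgotten block in place that will later be blamed for broken file shares.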


Have a nice (vulnerability-free) day!




Tuesday, April 14, 2015

LG Split Screen software disables UAC

LG is one of the leading manufacturers of televisions and monitors. In a company this big you would expect high standards when it comes to security. LG Split Screen, software designed for their ultra-wide monitors, seems to have a major security issue. The software disables UAC during installation, making the computer vulnerable to a wide variety of threats that could have been at least partially blocked by this Microsoft security feature.


Security glitch gives administrator privileges to all applications


User Account Control or UAC is a Microsoft security feature which only allows certain user approved applications to have administrator privileges on the system. By default, all applications have limited privileges but when an application requires elevated privileges to execute, Windows asks the user to authorize the action. However, with UAC disabled, all applications get full administrator privileges. These permissions when acquired by a malicious application can lead to a lot of damage.


As reported at Developer’s couch, Split Screen automatically disables UAC. The user is greeted by the following message after installing the software:


UAC automatically disabled after restart



Before installing Split Screen:




Default run window



All applications are granted admin privileges after installing Split Screen:




Run window after UAC has been disabled



A bad idea or just laziness?


Microsoft strongly recommends having UAC enabled at all times. No legitimate application should disable UAC automatically, as it greatly reduces the security of the system. It seems that a bit of laziness and poor planning is what created the issue in this case. The Split Screen software probably requires administrator privileges to run, but instead of going through the usual workarounds, like using Task Scheduler to start the application in admin mode at logon, LG decided to just disable UAC altogether to make their task easier. It is surprising that the developers of the software decided it was okay to turn off one of the major security features of Windows just to avoid a bit of effort.


While we wait for a fix from LG, the only solution seems to be re-enabling UAC and uninstalling the Split Screen application. This issue is a clear example of why all kinds of software vendors need to take the matter of security much more seriously.
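Whether UAC is on is recorded in the registry, so the "re-enable UAC" step above can be checked and applied from a script rather than by clicking through the Control Panel; that also makes it easy to audit a fleet of machines for installers that quietly turned it off. The script below is an added example, not from the Emsisoft post, Microsoft or LG; it assumes an elevated PowerShell on Windows Vista or later, and restores the Windows defaults (prompt for consent on the secure desktop), which take effect after a restart.

```powershell
# Added example (not from the Emsisoft post): report the UAC state and restore
# the Windows default if an installer has switched it off.
# Assumptions: elevated PowerShell, Windows Vista or later; changes need a reboot.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # EnableLUA = 1 means UAC is on; ConsentPromptBehaviorAdmin controls the prompt.
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        UacEnabled                 = ($p.EnableLUA -eq 1)
    }
}

$before = Get-UacState
$before | Format-List

if (-not $before.UacEnabled) {
    Write-Warning 'UAC is disabled; restoring the Windows default (prompt for consent on the secure desktop).'
    Set-ItemProperty -Path $key -Name EnableLUA -Value 1 -Type DWord
    # 5 = prompt for consent for non-Windows binaries (the default since Windows 7).
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1 -Type DWord
    Write-Host 'Registry updated; restart the machine for UAC to become active again.'
}
else {
    Write-Host 'UAC is enabled; nothing to do.'
}
```

Run the read-only part (`Get-UacState`) across your machines first: any host reporting `EnableLUA = 0` without a documented reason has either had an installer like this one run on it or has been tampered with, and both deserve a look before the value is flipped back.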


Have a nice (secure) day!




Saturday, April 11, 2015

Joint international police operation targets Beebone botnet

Several government and private agencies joined forces to take down the Beebone botnet, which has plagued over 12,000 computers. Beebone, also known as AAEH, uses a polymorphic downloader bot that installs various kinds of malware on the victim’s computer. Although the botnet looks like a minor threat, its reach is massive. As reported by Europol, there are over 5 million unique w32/Worm-AAEH samples, with more than 205,000 samples collected from 23,000 systems in 2013-2014.


A joint effort against cybercrime


The government agencies involved in this effort include Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Taskforce (J-CAT), the Dutch authorities, the FBI, and US-based representatives at the National Cyber Investigative Joint Task Force – International Cyber Crime Coordination Cell (IC4). They were also assisted by representatives from Intel Security, Kaspersky and Shadowserver.


According to Europol’s Deputy Director of Operations, Wil van Gemert:


“This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime. We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities.”



Beebone is a worldwide threat affecting over 195 countries with the most infected countries being:


  • United States

  • Japan

  • India

  • Taiwan

This joint effort aims to clamp down on the botnet and prevent further infections. As stated by Europol:


“The botnet was ‘sinkholed’ by registering, suspending or seizing all domain names with which the malware could communicate and traffic was then redirected.”



Europol has also promised to distribute data to ISPs (Internet Service Providers) and CERTs (Computer Emergency Response Teams) around the world in order to inform the victims.


A month ago, we also covered an incident where Europol, with the help of Microsoft and Anubis Networks, successfully took down the massive Ramnit botnet. Hopefully we will continue to see such well-coordinated efforts by government and private agencies to fight cybercrime.


Have a nice (zombie-free) day!




Friday, April 10, 2015

Popular Chrome extension turns out to be Spyware!



If an extension is listed for Chrome and has a decent rating, it is surely safe to install, right? Maybe not. In today’s world spying has become a common activity. That does not make it any more acceptable. A Chrome extension known as Webpage Screenshot collects private information about its users and shamelessly sells it to a third party. What is astonishing is that the extension has an excellent rating of 4.5 stars and has been downloaded by 1.2 million users worldwide. This highlights the lack of awareness among users as to what such programs actually do behind the scenes.


Extension turns into Spyware after one week


According to the founder of the CSIS Security Group, Peter Kruse:


“To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.”



Google’s security check usually filters malicious extensions out of the Chrome extension library, which is probably why the original software does not act like spyware at all. After a week, however, it downloads additional components and code and commences the spying program. This way, the spyware part of the code evades the scanners. Once activated, the spyware component collects sensitive information about the user and transmits it to the IP address 64.34.175.88, located in New York, USA.


Heimdal Security has analysed this extension in detail and confirmed that the transmitted information could be used to identify an individual, which definitely makes this a privacy threat.


The greater concern, though, is that several other extensions may be using the same method to avoid Google’s security measures. This is a serious weakness in the review process and could allow cyber criminals to use Chrome apps and extensions for their malicious activities: they simply have to add the malicious part a day, a week or a month later.


Luckily, in this case, Google acted quickly to take down this spyware extension from their store, but there is certainly a bigger problem that needs to be addressed with the current app/extension verification system.


Have a nice (spyware-free) day!

Trojan downloader Waski steals login credentials

Banking malware Waski is on the rise. This trojan is not really a new threat, it was discovered more than a year ago, at the end of 2013, but what is troubling is that it is becoming more and more widespread and claiming victims all around the world. As reported by welivesecurity, the malware initially targeted Switzerland and Germany, but is now beginning to appear in English-speaking regions like Australia, New Zealand, Ireland, the United Kingdom, Canada, and the United States. Instead of doing the job itself, Waski downloads another trojan known as Battdil, which steals login data by intercepting it or by redirecting users to a phishing website.


Fake emails used to spread Trojan


Waski is a trojan downloader spread through fake emails like the one shown below. The malware writers attempt to trick users into thinking that the attachment is a PDF file by giving it a matching icon. Unwary users may mistake it for a document from their workplace, but on closer examination it is clear that the file is an executable. When the file is run, Waski loads into memory, contacts its command and control servers and downloads the additional malware components. Waski also creates a unique identification number for the infected computer and reports a successful compromise. The real threat here, though, is the downloaded trojan, Battdil.



Banking Trojan steals login data


The downloaded banking trojan Battdil consists of two main components, an injector and a payload. The method of infection used is DLL injection into a Windows process. After successfully infiltrating the system, Battdil intercepts bank login credentials from popular browsers like IE and Chrome. It also redirects users to modified versions of bank websites which look similar to the real ones but are traps designed to make the user give up private data. Such a trojan, in conjunction with phishing websites, can be a powerful tool for gaining unauthorized access to bank accounts. After stealing the data, the trojan sends the information home anonymously using I2P (the Invisible Internet Project).


It is always best to avoid threats like these in the first place. A careful inspection of email attachments can easily prevent such infections, and the golden rule also applies here: do not open attachments from unknown sources.


Since Waski is a trojan downloader, a good antivirus and firewall are also enough to keep you safe.
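The icon trick described above can be checked for mechanically. This is an added example, not code from the original post or from any vendor: a PowerShell function that reads the first two bytes of a saved attachment and flags files that carry the PE "MZ" header while presenting themselves as a document, either through a document extension or a double extension such as "invoice.pdf.exe". The downloads folder path is a placeholder.

```powershell
# Added example, not part of the original post. Flags executables disguised as
# documents, the trick Waski uses to get its attachment opened.
function Test-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Path)

    $documentExtensions = '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt'
    $name = [System.IO.Path]::GetFileName($Path)

    # Read only the first two bytes: a Windows executable starts with 'MZ' (0x4D 0x5A).
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $magic = New-Object byte[] 2
        $read  = $stream.Read($magic, 0, 2)
    } finally {
        $stream.Dispose()
    }
    $isPe = ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)

    # Extension the user sees vs. the one hidden behind it (e.g. "report.pdf.exe").
    $finalExt = [System.IO.Path]::GetExtension($name).ToLower()
    $innerExt = [System.IO.Path]::GetExtension(
                    [System.IO.Path]::GetFileNameWithoutExtension($name)).ToLower()
    $claimsToBeDocument = ($documentExtensions -contains $finalExt) -or
                          ($documentExtensions -contains $innerExt)

    [pscustomobject]@{
        File         = $name
        IsExecutable = $isPe
        Suspicious   = ($isPe -and $claimsToBeDocument)
    }
}

# Usage: inspect every file in the downloads folder (placeholder path) and list the suspicious ones.
Get-ChildItem "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Test-DisguisedExecutable -Path $_.FullName } |
    Where-Object Suspicious
```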


Have a nice (trojan-free) day!

New Cryptolocker copycat PClock2 discovered that targets over 2,500 file extensions

One of the biggest ransomware threats of the last few years, Cryptolocker, was discovered in late 2013. It has been reported that the makers of Cryptolocker made approximately USD$30 million in the first 100 days of operation, so it is no surprise that many variants and copycats emerge that try to capitalize on Cryptolocker’s reputation. Earlier this year, we discovered a Cryptolocker copycat named PClock, for which we developed a decrypter to help victims get their files back without paying the ransom. Now a new variant of PClock, and another copycat of Cryptolocker, has emerged: PClock2.


PClock2 demands 0.5 bitcoin ransom to decrypt files


Like other types of ransomware, the main goal of PClock2 is to encrypt important files on the victim’s system in order to compel them to pay a ransom in return for their files. PClock2 encrypts files using a randomly generated key and the RC4 algorithm. Like most other variants, it demands payment in bitcoin and gives the user a limited time window to produce it. The malware also falsely proclaims that 0.5 bitcoin (the demanded ransom) is approximately equal to US$ 0, while the accurate conversion amounts to almost US$128.


Similar to its predecessor PClock, this variant closely resembles Cryptolocker visually as well:




The malware also tells users to turn off their antivirus programs, to protect itself from deletion. The application window is clearly meant to threaten and mislead users.


PClock2 behavior and infection methods


PClock2 usually enters the user’s system via infected torrent downloads. Once on a victim’s computer, PClock2 establishes persistence on the system using the following Registry entry:


  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]

    “wincl” = “%APPDATA%\WinDsk\windsk.exe”

PClock2 saves additional details about the infection, like the Bitcoin payment address, here:


  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\CLOCK

What’s interesting is that PClock2 targets 2583 file extensions, far more than earlier types of ransomware we have come across. Since so many different file extensions are targeted, the list is too lengthy to include in this post. The command and control servers for this malware are located at the following domains:



The extracted malware files are stored locally in the following locations:


  • %APPDATA%\WinDsk\windsk.exe – the malware executable

  • %APPDATA%\WinDsk\windskwp.jpg – the wallpaper generated by the malware

  • %DESKTOP%\CryptoLocker.lnk – a shortcut to the malware executable

  • %USERPROFILE%\enc_files.txt – the list of encrypted files
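The persistence entry and file locations listed above are enough to triage a suspected infection. This is an added example, not Emsisoft’s decrypter or any code from the post: a PowerShell function that checks the current user’s profile for the Run value, the settings key and the four files named above and returns whatever it finds.

```powershell
# Added example, not part of the original post. Reports PClock2 indicators on the
# current user's profile; it does not remove anything.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$clockKey = 'HKCU:\Software\VB and VBA Program Settings\CLOCK'
$desktop  = [Environment]::GetFolderPath('Desktop')

# The four file locations from the post, expanded for the current user.
$expectedFiles = @(
    (Join-Path $env:APPDATA     'WinDsk\windsk.exe'),    # malware executable
    (Join-Path $env:APPDATA     'WinDsk\windskwp.jpg'),  # generated wallpaper
    (Join-Path $desktop         'CryptoLocker.lnk'),     # shortcut to the executable
    (Join-Path $env:USERPROFILE 'enc_files.txt')         # list of encrypted files
)

function Get-PClock2Indicators {
    $hits = @()

    # Persistence: a "wincl" value under the Run key pointing at %APPDATA%\WinDsk\windsk.exe
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['wincl']) {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\wincl"; Detail = $run.wincl }
    }

    # Infection details (such as the Bitcoin payment address) live under this key.
    if (Test-Path -LiteralPath $clockKey) {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = $clockKey; Detail = 'key present' }
    }

    foreach ($file in $expectedFiles) {
        if (Test-Path -LiteralPath $file) {
            $size = (Get-Item -LiteralPath $file).Length
            $hits += [pscustomobject]@{ Type = 'File'; Location = $file; Detail = "$size bytes" }
        }
    }
    return $hits
}

$found = @(Get-PClock2Indicators)
if ($found.Count -eq 0) {
    Write-Host 'No PClock2 indicators found.'
} else {
    $found | Format-Table -AutoSize
    # enc_files.txt records which files were encrypted; keep it for recovery.
    # Removing the "wincl" Run value stops the malware from restarting at the next logon.
}
```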



After encrypting all the files it can find, the ransomware changes the user’s desktop background to this image:




How to recover your files without paying the ransom


Luckily, PClock2 is nowhere near as powerful as it claims to be, and none of your files have actually been damaged. Our malware research team has designed a decrypter that will allow you to easily restore your locked files without paying the ransom. You can download the decrypter here.


The decryption process is fairly easy as illustrated by these screenshots:




If you don’t feel comfortable performing the decryption process on your own, feel free to create a support request in our support forum or send us an email. We’d appreciate it if you share this post so that more victims of PClock2 can be helped to recover their files.


Prevention is always better than cure, which is why we always recommend regular backups and a strong antivirus program that protects you from getting infected in the first place.


Have a nice (ransomware-free) day!




Wednesday, April 8, 2015

Criminals try to steal cash by smashing their way into an ATM



While cyber criminals use advanced hacking tools and malware to get their loot, some desperate ones still do it the old-fashioned way, resorting to the physical destruction of ATMs to plunder cash. Although the success rate is low, such attacks usually end up costing banks a lot of money. ATMs are expensive, and even unsuccessful attacks leave them in a state that can only be described with the help of a picture like the one accompanying this post.


As reported by Brian Krebs, a recent attack on an ATM by a few robbers armed with hammers and crowbars resulted in a lot of expensive equipment (worth almost US$ 20,000) being destroyed.


This is a lose-lose situation, as no one benefits from a broken ATM. Not only does it cost the bank a ton of money, it is also a major inconvenience for users in that area.


Brute Force Attack


In hacking, a brute force attack tries all possible combinations of a given set of characters in order to crack a password. Here, though, the literal meaning applies.




According to the technician on the scene:


“The burglars ruined a $13,000 cash acceptor, a $5,000 check scanner, a $900 monitor, and a $700 card reader, among many other pricey items. Hardly any part of the machine escaped damage.”



Physical attacks on ATMs have increased significantly since 2014. These mostly involve explosive gas attacks and the use of thermal tools to cut through the metal casing. In this case, though, the criminals didn’t have the right tools for the job and got no reward for their endeavour. They did, however, remind us of the days when theft just meant smashing into things with sticks and stones.


Have a nice (theft-free) day!




Saturday, April 4, 2015

Massive YouTube vulnerability allows deleting any video on the site

Even software giants like YouTube and Google get their fair share of security problems. A few days ago, security researcher Kamil Hismatullin found a critical vulnerability in YouTube which allowed him to delete any video belonging to any user simply by sending a request.


A lucky escape for all hated YouTube videos


Kamil stumbled across this massive security bug while looking for Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) issues.


The request used was:


POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1

event_id: ANY_VIDEO_ID
session_token: YOUR_TOKEN


On sending the above request, the bug hunter received a success response and the target video was deleted. It was that simple: the endpoint never checked that the video identified by event_id belonged to the user whose session token was supplied. As Kamil put it:


“In general I spent 6-7 hours to research, considering that couple of hours I’ve fought the urge to clean up Bieber’s channel haha.”



The issue was handled responsibly, however: it was reported to YouTube and fixed within a few hours. It was a close call. Kamil received a sizeable reward from Google, as this bug in the wrong hands could have wreaked havoc on the world’s largest video sharing website.


Have a nice (video-full) day!


