A Week in Security (Nov 15 – Nov 21)

Last week, our CEO and founder Marcin Kleczynski recalled his time in the UK and Ireland. One of the main highlights of his trip was his appearance on BBC Business Live to talk about cybercrime.

Malware intelligence analyst Christopher Boyd found a phishing campaign timed for the festive season: a fake HMRC tax re-calculation spam campaign promising a tax refund and targeting UK taxpayers. You can read more about it in this post.

Senior security researcher Jérôme Segura found “one of the largest malvertising campaigns in recent months”. The targets are visitors of questionable websites offering pirated goods, such as movie torrent files, live streams, and software; they are redirected to casino sites without any interaction on their part beyond visiting the URL. In a more recent post, Segura wrote about the Blackhole exploit kit, which has been less visible these days compared to other known kits.

Finally, we took a look at a really nasty adware family that drops certificates into the Untrusted Certificates list of a system. All of the dropped certificates belong to known anti-malware companies, Malwarebytes among them, so that Windows refuses to trust the vendors’ signed code and their applications are blocked from running on the affected system. You can read more about security researcher Pieter Arntz’s take on the Vonteera adware here.
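As an added example (not Malwarebytes code and not part of the original post), the following PowerShell enumerates the Untrusted Certificates stores that this technique abuses and reports any entry whose subject matches a security-vendor name; the vendor list and the sample binary path are constructed assumptions.

```powershell
# Added example: audit the Windows "Untrusted Certificates" (Disallowed) stores
# for entries naming anti-malware vendors, the store Vonteera writes into so that
# the vendors' signed applications are blocked. Vendor list is an assumption.
$vendorPatterns = @('Malwarebytes', 'Avast', 'AVG', 'Kaspersky', 'ESET',
                    'Symantec', 'McAfee', 'Bitdefender', 'Sophos', 'Trend Micro')

function Get-SuspiciousDisallowedCerts {
    param(
        [string[]] $Patterns = $vendorPatterns,
        [string[]] $Stores   = @('Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed')
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # A legitimate vendor certificate has no business in a distrust store.
            $hit = $Patterns | Where-Object { $cert.Subject -match [regex]::Escape($_) }
            if ($hit) {
                [pscustomobject]@{
                    Store      = $store
                    Vendor     = ($hit -join ', ')
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint   # use this value when removing the entry
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

# Cross-check from the other direction: is the signer of a given executable
# present in a Disallowed store? Compares the leaf signing certificate only.
function Test-SignerDistrusted {
    param([Parameter(Mandatory)][string] $Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if (-not $sig.SignerCertificate) { return $false }   # unsigned binary
    $signerThumb = $sig.SignerCertificate.Thumbprint
    $distrusted  = Get-ChildItem 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed' `
                       -ErrorAction SilentlyContinue
    return [bool]($distrusted | Where-Object { $_.Thumbprint -eq $signerThumb })
}

Get-SuspiciousDisallowedCerts | Format-Table -AutoSize
# Placeholder path (assumption): point this at the anti-malware binary you want to check.
# Test-SignerDistrusted -Path 'C:\path\to\antimalware.exe'
```

Any match reported here is a remediation candidate: the listed thumbprint identifies the exact entry an administrator can remove from the store once the adware itself has been cleaned up.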

Notable news stories and security related happenings:

  • Android Gmail App Security Hole Lets You Pretend to be Anyone Online. “A bug which allows you to pose as anyone when sending an email through the Gmail application has been deemed a non-issue despite the risk of exploit via phishing campaigns. In order to spoof your email address and masquerade as someone else when sending an email, you need only change your display name in account settings, which hides your legitimate email address.” (Source: ZDNet)
  • Windows Update for Business Lets IT Admins Defer Damaging Patches. “New options for controlling the timing of Windows 10 upgrades and updates arrived as part of Windows 10 version 1511, the upgrade that began rolling out Thursday.” (Source: Computer World)
  • Google Play will Start Labeling Ad-supported Apps. “According to Droid Life, Mountain View has notified developers (see the full email below the fold) that they’re required to sign into their consoles and declare whether their applications have advertisements. And, if they lie about it, they could face suspension.” (Source: Engadget)
  • Android Adware can Install Itself Even When Users Explicitly Reject It. “The hijacking happens after a user has installed a Trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices.” (Source: Ars Technica)
  • Edgy Online Shoppers Face Dyre Christmas as Malware Mutates. “The banking bomb has ripped untold fortunes from victims and passed them into the hands of its authors. In at least one instance alone IBM says more than one million dollars was plundered from an organisation.” (Source: The Register)
  • Amazon Now Offers Two-factor Authentication to Make Your Account More Secure. “While two-factor authentication adds a bit of a hassle to your login process, it’s worth it, as it makes your account a lot safer from hacking attempts, even if someone manages to steal your password. If you change your mind, you’ll be able to turn off two-factor authentication later.” (Source: Mashable)
  • Yahoo is Locking Down Mail Access for Some People with Ad Blockers. “Although Yahoo is hardly the first to experiment with detecting ad-blocking software and then prompting users to disable it — many news sites, for example, have taken that action — it’s more rare that a critical service like email is put behind such a wall.” (Source: The Verge)
  • Security Flaw in Samsung Galaxy Devices Lets Attackers Record Phone Calls. “A telephone tower-like device (IMSI-catcher) can be used for recording phone calls from the latest versions of Samsung Galaxy, demonstrated by two German researchers.” (Source: HackRead)
  • Don’t Allow Your Wi-Fi to Become a Security Risk. “It is important to step back and consider the way in which Wi-Fi is used – by both staff and guests – and assess the risks. Under the current legislation an organisation needs to be able to demonstrate a robust intent to prevent people – both employees and guests – from breaking the law.” (Source: IT Security Guru)
  • Phishers are Targeting Millions of DHL Customers. “This is also the time of year when cyber crooks usually start to ramp up their phishing and malware delivery campaigns, which often take the form of emails made to look like legitimate ones coming from popular package delivery companies.” (Source: Help Net Security)
  • BadBarcode: Poisoned Barcodes can be Used to Take Over Systems. “Researchers from Tencent’s Xuanwu Lab have proved that a specially crafted barcode can be used to execute commands on a target system, saddle it with malware, or perform other malicious operations.” (Source: Help Net Security)
  • The Evolution of Ransomware: Is Cryptowall 5.0 Around the Corner? “When the original Cryptolocker infrastructure was removed last year, we projected that the next logical step for cyber criminals would be smaller, more agile attacks, which would better elude a takedown. That presumption was correct, but cyber criminals improved ransomware to achieve much more than just that.” (Source: Heimdal Security Blog)
  • Police Body Cams Found Pre-installed with Notorious Conficker Worm. “According to a blog post published last week by security firm iPower, multiple police cams manufactured by Martel Electronics came pre-installed with Win32/Conficker.B!inf. When one such camera was attached to a computer in the iPower lab, it immediately triggered the PC’s antivirus program.” (Source: Ars Technica)
  • Apple’s Siri can Leak Personal Data. “Further security and privacy risks to users of Siri, Apple’s personal assistant, have been revealed that could allow anyone to gain entry to personal data on someone else’s Siri-enabled iOS device, regardless if the device is locked.” (Source: SC Magazine)
  • Child Porn and Malware in Facebook Scam. “As reported by Cybercrime Coordination Unit Switzerland (CYCO), ever more pictures are emerging on Facebook with worrying scenes of child pornography depicted. These are the result of hacked Facebook accounts.” (Source: Check and Secure)

Safe surfing, everyone!

The Malwarebytes Labs Team