Wednesday 17 September 2014

Beware overdue invoice malware attack, wrapped in an .ARJ file!

If you’ve been messing around with technology for a while, you may remember the good old days of acoustic couplers, ZModem, and Bulletin Board Systems (BBSes).
These were the days before the worldwide web had taken off, when even the slowest broadband speeds would have been sheer fantasy.
And because getting an online connection was slow and sometimes flakey, it wasn’t at all uncommon for techies to compress their programs and downloadable files into tight little packages, to make the download as painless as possible for users. The most famous compression tool of all was PKZip, created by the late Phil Katz, and versions of the .ZIP file format are still widely used today in some circles.
But there were other data compression tools which competed for .ZIP’s crown, each with their own loyal bands of followers. And one of the most famous was .ARJ.
And, to be honest, ARJ was pretty cool.
So you can imagine my delight when I discovered today that .ARJ wasn’t entirely forgotten and consigned to the dusty annals of history. Instead, it is still being used – albeit by malware authors…
Here is an example of a typical malicious email, spammed out by online criminals:
Example of overdue invoice malware
Subject: Overdue invoice #14588516
Attached file: invc_2014-09-15_7689099765.arj
Morning,
I was hoping to hear from you by now. May I have payment on invoice #45322407834 today please, or would you like a further extension?
Best regards,
Mauro Reddin
Of course, the social engineering might have been a little better thought out. For instance, the invoice numbers quoted in the email don’t match each other.
But it’s easy to imagine how many users might be alarmed to hear that it is being suggested that they are being accused of a late payment, and would click on the attached .ARJ file without thinking of the possible consequences.
At that point the .ARJ file will decompress, spilling out its contents.
As Conrad Longmoore explains on the Dynamoo blog, inside the .ARJ archive file is an executable program – designed to infect your Windows computer.
Before you know it, your Windows PC could have been hijacked by a hacker and recruited into a botnet. Whereupon the remote attacker could command it to send spam on their behalf, launch denial-of-service attacks or steal your personal information.
That’s why you should always be wary of opening unsolicited files sent to you out of the blue via email.
The good news for users of ESET anti-virus products is that it is detected as a variant of Win32/Injector.BLWX. But if you are using a different vendor’s security product you may wish to double-check that it has been updated to protect against the threat.

Free ebooks warning: Pirates ‘can hack into Amazon accounts’

Pirating ebooks is not just bad for the publishing industry: free ebooks available online can also be used to hack into Amazon accounts via the retail giant’s ‘Manage Your Kindle’ page, used to deliver ebook files to Kindle Readers, according to researcher Benjamin Daniel Mussler.
Mussler writes that simply changing the title of the free ebooks allows attackers to execute code when a victim opens the ‘Kindle Library’ page in a web browser, The Digital Reader reports
“As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised,” Mussler writes.
Engadget reports that Mussler discovered the security issue last October, and the company rapidly patched it. It was reintroduced, however, when the company launched a new version of the “Manage Your Kindle” web page.

Free ebooks: a threat?

Mussler writes that the threat affects, “Everyone who uses Amazon’s Kindle Library,” but stresses that the flaw affects those who pirate free ebooks in particular.
The attack takes place, he writes, “Once an attacker manages to have an e-book (file, document, …) with a title like <script src=”https://www.example.org/script.js”></script> added to the victim’s library.”
Mussler says, “Users most likely to fall victim to this vulnerability are those who obtain e-books from untrustworthy sources (read: pirated e-books) and then use Amazon’s “Send to Kindle” service to have them delivered to their Kindle. From the supplier’s point of view, vulnerabilities like this present an opportunity to gain access to active Amazon accounts.”

Kindle users beware

The reappearance of the flaw was highlighted by the German ebook blog Alles Book. The site also produced a proof-of-concept ebook download to demonstrate that it worked. As of the time of writing, the flaw is still active, Mussler reports.
Mussler says, “Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed.”

GTA V hacks warning as gamers ‘lose millions’ in online games

Gamers have reported losing millions of dollars to hackers running customized software which allows them to steal weapons, loot money, and even make people blow up in their own apartments, according to prominent Grand Theft Auto V YouTube reporter DomIsLive, who devoted an issue of his daily show to GTA V hacks this month.
Yahoo News reports that multiple players have been affected by glitches in online games, described variously as “unfairly modded”, ie using in-game tools, or simply as “hacked”.
DomIsLive, who has nearly half a million subscribers on YouTube, says that several of his subscribers reported losing “millions” in online games which had seemingly been hacked.
On Rockstar’s forums, various gamers complain about having lost large sums of in-game currency to similar GTA V hacks. DomIsLive claims to have seen multiple threads on the forums relating to the same or similar hacks.

GTA V hacks: Losing millions?

ESET Distinguished Researcher Aryeh Goretsky looks in detail at the blurred lines between cheating and crime in an extended blog post on We Live Security, saying, “Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem.”
It appears GTA V’s online game system is not exempt.
In one screenshot posted on DomisLive’s channel, a gamer complains, “Dear Rockstar, I have just been robbed of my weapons by an unfair modder. He stole my weapons, causing me to pay around 1,000,000 and I earned it fair and square, and I wondered if I could get my money back because I’m extremely frustrated.”

‘Rockstar may not reimburse money’

A Rockstar games representative replies, saying that the team will investigate, but warning that, “Rockstar will definitely look into this, however they may not be able to reimburse you with weapons and/or GTA dollars.”
It’s unclear whether one specific GTA V hack is responsible, or a multitude of methods. DomisLive advises his subscribers, “Losing their money in public sessions, I advise you to stay out of public sessions and stick to private sessions with this friend. If you see something strange happening, and if you see someone dropping their money, leave that lobby now.”
Responses from his subscribers seem to indicate that the problem is worse on Xbox 360 than on PlayStation 3. One poster says, “On Xbox it seems like every 20 sessions you join, you find one [a hacker]. On the PS3 I haven’t found that many, and from what people have told me, it’s because there aren’t that many.”

Cyber-theft prompts search for Nigerian bank IT worker

EFCC wanted notice 
 Mr Uyoyou is named in the wanted poster issued by Nigeria's financial police force
A Nigerian IT worker is being sought by police for his alleged role in co-ordinating a £25m ($40m) cyber-theft at a bank in Abuja where he worked.
Godswill Oyegwa Uyoyou is being sought by Nigeria's Economic and Financial Crimes Commission (EFCC).
A wanted notice claims he helped conspirators dressed as maintenance staff get into the bank so they could use computers to transfer cash.
Local reports suggest the theft was spotted when stolen cash was withdrawn.
Although no members of the gang have been caught, several are being "tracked", Wilson Uwujaren, a spokesman for the EFCC, told News Nigeria.
Details of the robbery are scant but it is thought that Mr Uyoyou and conspirators entered the bank on a Saturday when it was closed and no other staff were working.
The IT staffer was key to the robbery, said the EFCC, because of the access he enjoyed to the computer systems at the bank. This was used to siphon 6.28bn Nigerian Naira into accounts of the conspirators, said the EFCC. So far, the bank at the centre of the theft has not been named.
The EFCC has issued a warrant for Mr Uyoyou's arrest and he is being actively sought in Nigeria.
John Hawes, a computer security researcher at Sophos, said the amount of cash stolen was "unusually large" but the method the gang chose was "all too common".
"Insider risk is a major problem for banks," he wrote on the firm's security blog, "they still have to rely on trusted employees to behave themselves, resist temptation and keep their hands off the huge amounts of funds they may find themselves dealing with every day."

eBay redirect attack puts its buyers' credentials at risk

eBay  
A listing for an iPhone 5S contained code that resulted in users being sent to a scam site
EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials.
The spoof site had been designed to look like the online marketplace's welcome page.
The US firm was alerted to the hack on Wednesday night, but only removed the listings after a follow-up call from the BBC more than 12 hours later.
One security expert said he was surprised by the length of time taken.
"EBay is a large company and it should have a 24/7 response team to deal with this - and this case is unambiguously bad," said Dr Steven Murdoch from University College London's Information Security Research Group.
The security researcher was able to analyse the listing involved before eBay removed it.
He said that the technique used was known as a cross-site scripting (XSS) attack.
It involved the attackers placing malicious Javascript code within product listing pages. This code in turn automatically redirected affected users through a series of other websites, so that they ended up at the page asking for their eBay log-in and password.
Users only had to click the original listing to have their browser hijacked.
"The websites the user is being redirected to are almost certainly compromised by the attacker to hide his or her traces," Dr Murdoch explained.
Fake eBay site Users who clicked on the affected listings were sent to a fake eBay welcome screen
He added that the fake page the users were ultimately delivered to contained code that had the potential to carry out further malicious actions.
"EBay is pretty competent, but obviously it has been caught out here," he said.
"Cross-site scripting is well within the top 10 vulnerabilities that web site owners should be concerned about."
A spokesman for eBay played down the scope of the attack.
"This report relates only to a 'single item listing' on eBay.co.uk whereby the user has included a link which redirects users away from the listing page", he said.
"We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links."
However, the BBC identified a total of three listings had been posted by the same account involved.
At least two of them produced the same redirect behaviour. The third was removed by eBay, along with the other two, before it could be checked.
Delayed reaction The issue was originally identified by Paul Kerr, an IT worker from Alloa, Scotland, who is also an "eBay PowerSeller".
He called the firm shortly after he had clicked on a listing for an iPhone and been redirected.
eBay The eBay site has experienced several glitches over recent weeks
"The advert had been up for 35 minutes," he told the BBC.
"When I spoke to the lassie on the phone, she said: 'I'm going to report that to the highest level of security to get it looked into.' And she did emphasise that."
"They should have nailed that straight away, and they didn't."
Mr Kerr identified the problem because the web address of the page he was sent to was unusual. He screen-grabbed a video of the attack, which he uploaded to YouTube as evidence.
He added that other less tech-aware users might not have realised the danger they were in.
"It's guaranteed - you can bet your bottom dollar that somebody's going to click on that and be redirected to a third-party site and they're going to enter their details and be compromised," he said.
"You don't know how many of the hundreds of thousands of people who use eBay will have done that."
This is not the first technical setback eBay has suffered in recent months.
The site has experienced several periods of time when members have been unable to sign into their accounts and have received incorrect password alerts.
In May, the firm made users change their passwords after revealing that a database containing encrypted passwords and other non-financial data had been compromised.
In addition, it announced in July that 1,600 accounts on its StubHub ticket resale site had been broken into resulting in a scam that defrauded the service of about $1m (£612,000).

Tasty Spam: Phishing Isn't Just About Your Money

Via Flickr user Jerry Pank When we talk about phishing, we tend to focus on financial fraud, such as the fake bank websites and ecommerce portals. The attackers are looking for ways to steal our credit card numbers and online banking credentials. Cloudmark reminds us in this month's Tasty Spam that phishing can target non-financial accounts, as well.
Phishing for financial details is highly lucrative but also high risk. "Bank fraud gets more attention from law enforcement and carries higher penalties than, say, selling worthless diet pills," said Cloudmark's spam expert, Andrew Conway. Less sensitive accounts are still valuable, since they can be used to send more spam over email, SMS, or even social networks.
The theft of celebrity photos from iCloud is a perfect example of attackers going after non-essential accounts and the kind of damage that could be inflicted. Cloudmark shared some types of phishing attempts against non-financial accounts which may be landing in your inbox right now. Check out some below:
Any Email Will Do
Tasty Spam: Email
This all-purpose email landing page doesn't bother trying to guess which email service you may use and just displays all the logos. It's up to you to decide which account credentials you want to hand over.
Criminals Like Apple, Too
Tasty Spam: Apple
Apple IDs are also popular phishing targets, Cloudmark said. Once stolen, these accounts may be used to send iMessage spam, or to remotely take control of iPhone and iPads. The attacker may use the "Find my iPhone" feature to remotely lock the device, and then demand the victim pay a ransom to regain control.
Users Beware
Tasty Spam: WoW
If you play games, keep an eye on your video game accounts. Criminals may be reselling in-game items to other players who are willing to spend real money to get these objects. Even though most modern games launch with two-factor authentication features, gaming accounts are still getting compromised. The above email tricks users into thinking they need to take attention.
Tasty Spam: Craigslist

"Even Craigslist is not immune to phishing attacks," Conway said. This particular scam also tries to steal login credentials for email accounts. Word Salad
Tasty Spam: Bank
Note the white text at the bottom of this sample message phishing for bank account information (you may have to squint a bit). This random text, called "word salad," is intended to confuse spam filters, and may not even be visible if the message is displayed against a white background.
PayPal, An Old Favorite
Tasty Spam: PayPal
PayPal is an old favorite among scammers, but the attacks are fewer than they used to be, Cloudmark said. It may be because PayPal's fraud detection algorithms have gotten better, more mail servers are checking for DKIM signatures (if a message doesn't have a valid PayPal DKIM signature, then it is flagged as a forgery), or PayPal's users are just savvier about these messages.
Keep AlertDon't make the mistake of thinking that phishing is just about email or bank accounts. As you can see, the attackers will go after whatever you have. Keep an eye out for suspicious messages that demand you take action right away. Most phishing attacks have errors in spelling, grammar, capitalization, punctuation, or spacing. Keep a cool head and don't click.

Is This Free Wi-Fi Safe? Search the Map of Dangerous Networks

Skycure Last year, Skycure hacked my iPhone in just a few minutes and I was immediately convinced that network attacks were a problem. Though this was an extreme example, we've long been warning our readers about the dangers of public Wi-Fi networks and the prevalence of attacks that can silently sip your personal data without your knowledge. But yesterday, Skycure's CEO and co-founder Adi Sharabani showed me a new tool that makes those invisible attacks a little easier to see.
Just search a location on maps.skycure.com and you can see how many naughty networks are in your area. You might be surprised, or just plain horrified.
How it Works
The site is built on Google Maps, so search for any location as you would normally. Skycure then searches through its database of known malicious networks, and places pins on the map for any nasty network its users have encountered in that area within the last six months. Results are shown within a red circle.
I find that being specific yields the best results. An address in Manhattan yields far more useful data than a search for "New York, NY." For broad searches like these, Skycure's search radius is just too small and centered apparently at random.
Not surprisingly, Skycure Maps works best in urban areas where there are lots of people and lots of Wi-Fi networks. Searching my hometown in Michigan turned up two results for the entire lower peninsula, both of which were (not surprisingly) at the airport. Obviously, the big limitation of Skycure maps is the number of users the service can draw data from and where those users have been.
The data for the map is drawn anonymously from Skycure users. When a user connects to a network, Skycure tests it to see if everything is on the up and up. If it's not, a warning appears on the user's phone and the unsafe network is logged on Skycure's servers. Skycure uses this knowledge of malicious networks, the network's location, and the network's hardware configuration, to better protect its users.
Skycure says that although the map's information comes from users, it's entirely anonymized. "We do not have any visibility to any data on your device, your emails, passwords, or the ability to do so," said Sharabani. "But we prevent the attackers from having the ability to do so."
What You'll See
You can click each pin to see the name of the suspicious network, and a brief description of why it's dangerous. Sometimes, you'll see a Google Street View image, too. Sharabani says that the location of the Wi-Fi network is accurate to within a few meters, but not always. Search for the PC Mag offices and you'll see the malicious network used to test the Skycure app for my review.
You'll probably see the highest concentration of questionable Wi-Fi networks at airports. That's partly because these networks are sometimes configured without privacy in mind. More interesting is when a Boingo hotspot appears in the middle of a residential neighborhood. These networks are almost always fake. Attackers use the name of popular wireless services to trick devices into automatically connecting to a malicious network.
At a glance, most of the pins on the map aren't malicious networks per-se but many have entries that say the network could potentially leak your personal information. From my experience using Skycure on my personal device, that seems accurate. To be clear: these networks should be avoided the same as overtly malicious ones.
What Does it Mean?
Skycure Maps exists partly to promote its mobile app, but it's also to prove a point. "Attacks are happening everywhere," said Sharabani. "Don't believe me. Search for it." He recommends that everyone, especially professionals traveling to conferences, scout around to get a feel for their network environment.
Looking at the map, it's hard to disagree that the threats are real. In my quiet Queens neighborhood, Skycure found three networks that could leak my personal information, and at least one that is outright dangerous. The next time someone asks me if they should be concerned about connecting to the Starbucks Wi-Fi, I'll just point them to this map.

Do You Trust Your Antivirus?

WireShark Session Shortly after publishing my review of Tiranium Premium Security 2014, I got a message from a researcher using the handle Malware1. He claimed that Tiranium abused various online malware-checking websites to bolster its detection rate. His note included links to videos showing an older version of the software connecting to VirusTotal, in particular (though he admitted there is no longer a direct connection). He also supplied what he said were a number of emails from VirusTotal to Tiranium demanding they stop abusing the service.
I checked with VirusTotal, but my contact declined to comment for publication. I had to determine for myself whether this was true, and whether it constituted a problem if so.
What Is VirusTotal
For those who aren't familiar with it, VirusTotal's public face is a website where you can upload a file to see if it's malicious. The site first generates a hash for the file—a unique mathematical fingerprint. If the hash is already in its database (and most are) it returns the stored results. If not, it checks the file with about 50 major antivirus engines, reporting which flagged the file as malicious. Google acquired VirusTotal about two years ago.
The service goes beyond simply checking files. According to its website, "VirusTotal's mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services." That same page states that "None of the services or applications publicly offered on this site should be used in commercial products, commercial services or for any business purpose. In the same way, none of the services should be used as a substitute for security products."
In other words, a product that simply used VirusTotal's results without independently verifying that the file is malicious would be violating the terms of service. And indeed, a controversial test by Kaspersky Lab several years ago showed that blindly using detection from the website is a bad idea.
Digging With WireShark
According to Malware1, Tiranium first checks a suspect file using its locally installed client. If there's no match, it checks the file's hash on VirusTotal. Only if it gets no results from VirusTotal does it invoke its own behavioral cloud scanner.
To start my investigation, I created brand-new modified versions of my current malware collection, changing the filenames, altering the file size, and tweaking some non-executable bytes. I checked the hash of each file against VirusTotal, to be sure all were absent from the database.
With the WireShark network traffic tracing utility running, I launched a Tiranium scan of the folder containing these files. Strangely, the scan ran for hours but never finished, and the count of files scanned never changed from its initial zero. I learned later that this was because the behavioral cloud server was down for several hours.
Indeed, perusing the WireShark log I could see that Tiranium tried again and again to upload files to the behavioral cloud, each attempt ending in an error. What I did not find was any evidence of a direct connection to VirusTotal, or to any of the other services that had allegedly been used in the past.
Circumstantial Evidence
I moved some of my test files to another folder and submitted them to VirusTotal for checking. In every case a majority of the antivirus engines detected them as malicious; some got near-unanimous recognition as malware.
As soon as all the files were processed by VirusTotal, I immediately scanned the folder with Tiranium. This time it recognized those files as malware right away. When I scanned the remaining files, the ones I hadn't uploaded, the scan stuck, as before. While there was still no direct connection from my computer to VirusTotal, it seems I had established a clear chain of causality.
Maybe It's OK?
I reached out to my connections in the antivirus industry to see what they thought. One researcher pointed out that antivirus companies can contract with VirusTotal to automatically receive any sample that others detected but their product missed. However, that didn't seem to describe the situation I observed.
More importantly, my Tiranium contact confirmed the use of VirusTotal. "VirusTotal has specific terms of use," he said. "They're sending samples to companies. Tiranium is one of the companies analyzing that, like all others." He went on to note that the time to analyze new samples can vary. "Sometimes this will take hours, sometime minutes, sometime days," he said.
Or Maybe Not
The VirusTotal credits page lists all vendors who have "integrated a product, tool or resource in VirusTotal, or have contributed somehow." These vendors have signed an agreement that includes a set of best practices. Tiranium is not among the companies listed. It's not receiving samples from VirusTotal, so its use is not "like all the others."
I've determined to my own satisfaction that the emails supplied by Malware1 telling Tiranium to stop misusing VirusTotal are real. I've seen evidence that at one time the application itself connected directly to VirusTotal for information, which is definitely abuse. But is its current incarnation stealing the work of other vendors, as Malware1 contends? I can't say definitively, but my trust is definitely shaken.
Potentially Unwanted?
Apparently I'm not alone. In a discussion on the well-regarded Wilders Security forum, several members express concern about the product. In fact, at the time of this discussion about eight months ago, a number of well-known antivirus products detected Tiranium as a "potentially unwanted application" that should be removed.
Even now, Kaspersky detects one of Tiranium's two main files as malware, and ESET detects them both. Fortinet identifies Tiranium's website as malicious, as does Webroot's BrightCloud service.
Shady Behaviors
I pointed out this detection to my Kaspersky contact and asked if he could explain why Tiranium was flagged as malware. He dug into the question with significantly more skill than I could muster, and came up with a lot. "They're using more than five different obfuscators to obfuscate their code and there's no digital signature," he said "It's a little crazy and looks far from legit." There's no smoking gun here, but these and other malware-like behaviors were sufficient to get the product flagged. He also found traffic from the server referencing VT (VirusTotal), Anubis, and VirScan, suggesting some kind of reliance on third-party sources.
The BrightCloud folks couldn't pinpoint the reason that Tiranium's website got flagged as risky. However, they pointed out that Tiranium's IP address is shared with quite a few phishing websites. Google's safe browsing page for the olympe.in domain used by Tiranium had some alarming news: "Of the 1341 pages we tested on the site over the past 90 days, 13 page(s) resulted in malicious software being downloaded and installed without user consent."
I said in my review that Tiranium is a good first effort, but not ready to challenge our several Editors' Choice antivirus products. I now feel that the company needs to both improve the product and regain my trust with professionalism and transparency. Fix the spelling and grammar errors, ditch the obfuscation, digitally sign the executable files, and make sure it integrates with Windows's Action Center. Refrain from any use of third-party products that isn't fully transparent. Separate Web hosting from servers that host malware. For now, I recommend that you stick with our Editors' Choice antivirus products.