Viruses and Worms

Tor pedo's torpedo torpedoed: FBI spyware crossed the line but was in good faith, say judges

The Register - Anti-Virus - 24 February, 2018 - 04:56
Playpen pervert fails to convince appeals court

Analysis  US judges have shut down an appeal from a convicted pedophile who claimed the FBI hacking of his computer was an illegal and unreasonable search.…

Category: Viruses and Worms

Drupal Patches Critical Bug That Leaves Platform Open to XSS Attack - 23 February, 2018 - 23:13
Drupal has patched several vulnerabilities – both moderately critical and critical – in two versions of its content management system platform.
Category: Viruses and Worms

NPM update changes critical Linux filesystem permissions, breaks everything

Sophos Naked Security - 23 February, 2018 - 22:00
A recent update to the Node Package Manager introduced a bug that caused it to interfere with the operating system, by locking the system itself out of numerous mission-critical files.

FBI Warns of Spike in W-2 Phishing Campaigns - 23 February, 2018 - 18:14
A recent FBI public service advisory warned of an increase in reports of compromised or spoofed emails involving W-2 forms.
Category: Viruses and Worms

Bitcoin exchange founder charged with covering up hack

Sophos Naked Security - 23 February, 2018 - 14:56
Prosecutors charged Jon Montroll, chief of the belly-up BitFunder, with trying to cover up a hack that gutted it of 6,000 Bitcoins.

Supporters of Net Neutrality Vow to Fight Rule Changes - 23 February, 2018 - 14:31
The FCC’s rollback of network neutrality regulations is set to be complete in April, but it won't happen without a fight.
Category: Viruses and Worms

Rancher sues Feds for sneaking a spy camera on to his land

Sophos Naked Security - 23 February, 2018 - 14:22
Just like that camera and the agents who stuck it in that tree, the federal lawsuit is treading on contentious territory

5 signs you may be talking to a bot

Sophos Naked Security - 23 February, 2018 - 14:09
If you're on social media - be it Twitter, Facebook or Instagram - it's worth asking yourself: Can you tell when you're talking to a bot?

Hacker claims spyware maker Retina-X has been breached, again

Sophos Naked Security - 23 February, 2018 - 13:25
Retina-X denies that the vigilante hacker got in

Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it

The Register - Anti-Virus - 23 February, 2018 - 09:30
Letters to Congress detail the plan to keep CPU flaws secret

Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn't inform the wider world about the dangerous chip design flaws.…

Category: Viruses and Worms

OpenBSD releases Meltdown patch

The Register - Anti-Virus - 23 February, 2018 - 06:30
And now to see if it's an unwelcome imposition or a mere inconvenience

OpenBSD's Meltdown patch has landed, in the form of a Version 11 code update that separates user memory pages from the kernel's – pretty much the same approach as was taken in the Linux kernel.…

Category: Viruses and Worms

That microchipped e-passport you've got? US border cops still can't verify the data in it

The Register - Anti-Virus - 22 February, 2018 - 22:54
Despite demanding world+dog gets one, Uncle Sam lacks tools to check crypto-signatures

Two Democratic US senators have formally asked Uncle Sam's Customs and Border Protection (CBP) agency to get its act together on electronic passports.…

Category: Viruses and Worms

Cryptojacking Attack Found on Los Angeles Times Website - 22 February, 2018 - 21:11
A security researcher found Coinhive code hidden on a Los Angeles Times’ webpage that was secretly using visitors’ devices to mine cryptocurrency.
Category: Viruses and Worms

Tax refund, or How to lose your remaining cash

Kaspersky Securelist - 22 February, 2018 - 11:00

Every year, vast numbers of people around the globe relish the delightful prospect of filling out tax returns, applying for tax refunds, etc. Given that tax authorities and their taxpayers are moving online, it’s no surprise to find cybercriminals hard on their heels. By spoofing trusted government agency websites and luring users onto them, phishers try to collect enough information to steal both money from victims’ accounts and their digital identity.

Attackers employ standard methods that basically center on creating phishing sites and web pages. Such resources can prompt for passwords to My Account areas on the websites of local tax services, answers to security questions, names and dates of birth of relatives, information about bank cards, and much more besides. In addition to information that users themselves unwittingly hand over, scammers often get hold of extra tidbits such as the victim’s IP address and location, browser name and version, and operating system. In other words, anything that increases the chances of successfully bypassing the protections on the victim’s accounts.

Phishing pages can also spread malware under various guises. Fraudsters don’t shy away from direct extortion under the cloak of tax agents — such attacks have occurred in the US, France, Canada, Ireland, and elsewhere. Let’s examine the most common tax-phishing schemes in more detail.

Canada (CRA)

In Canada, the body responsible for tax collection and administration is the Canadian Revenue Agency (CRA). The deadline for filing tax returns for the past financial year is April 30. The figure below shows phishing activity in 2016 spiking in the days leading up to this deadline, and only abating in May.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2016

A slightly different picture is observed on the 2017 graph:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2017

A surge came when many Canadians were expecting a tax refund of some sort. We registered a huge number of phishing pages informing people that they were entitled to receive a certain amount of money. It was mostly these messages that distributed links to fake CRA pages where victims were asked to fill out a web form.

Example of a phishing letter allegedly from the CRA with a fake notification about a potential refund.

Typically, such pages are almost a carbon copy of the official CRA site and request a large amount of personal information. If the user doesn’t doubt the site’s authenticity, he or she will have no qualms about filling in the many fields. As a result, the attackers get hold of valuable information, while users are notified of a two-day wait while their data is “processed.” For added plausibility, the victim can be redirected to the original CRA site.

Among the information that the fraudsters collect are bank card details (including PIN code), social security number, driver’s license number, address, telephone number, date of birth, mother’s maiden name, and employer. The attackers also retrieve the IP address and system information.

Example of a phishing page masquerading as a CRA site. When all personal information is entered and the form is submitted, the script generates an email with all the data input (as well as the victim’s IP address and data received from the User Agent) and sends it to the specified address

Criminals do not focus solely on tax declarations and refunds. They make repeated attempts throughout the year to extract data under the guise of the CRA. For example, one of the emails we found invited the recipient to view information about a “tax incident,” prompting them to enter a login and password for a Dropbox account, or provide email credentials. After that, the victim clicked a button to download a public PDF document with information about alleged changes to the tax legislation. The data entered was forwarded to the scammers.

Example of tax and CRA-themed phishing to get Dropbox and mail credentials

Scammers do not restrict themselves to fake sites and emails. They also send out SMS messages and even call victims pretending to be from the CRA, demanding urgent payment of debts by wiring money to a certain account. Such calls are often accompanied by intimidation (threats of penalties, fines, and even imprisonment are used).

Taxpayers in Canada should remember that the CRA never sends emails containing links or requests for personal data, except when an email is sent directly during a telephone conversation with a CRA agent.

CRA recommendations on how to avoid scams are available on its official site under Security.

United States (IRS)

In the US, the tax body is the Internal Revenue Service (IRS), and the tax return deadline is usually April 18 (the date may vary slightly from year to year). In 2016, as in Canada, a major fraud outbreak occurred in the run-up to the deadline:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2016

However, we observed bursts of scamming activity throughout the year. That made it difficult to single out a specific moment in 2017, save for a notable pre-New Year spike:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2017

Scammers use a range of topics to bait US taxpayers: tax refund, personal information update, account confirmation, etc.

Examples of fake IRS emails

Tax refund forms are a very popular tool for phishers in the US, and scam sites that exploit this method typically appear at the start of the tax return period. The amount of data they steal is staggering: anything they can and more besides. They exploit users’ very strong urge to claw back some of their hard-earned cash.

Fake IRS pages prompting users to fill out a tax refund form

An information leak on this scale might not only empty the victim’s bank accounts, but lead to a host of other problems, including targeted attacks and attempts to access other accounts. Whereas a compromised bank card is easily blocked and reissued, one’s address, social security number, date of birth, and mother’s maiden name are rather less flexible.

Another way to dupe victims is to send a fake tax service message containing a link to confirm their account, update personal information, or restore their password:

Examples of phishing pages using the IRS brand

After the data is forwarded to the scammers, the victim is usually redirected to the original site so as not to arouse suspicion:

Example of a phishing script sending user data to a fraudulent email address. If the information is successfully forwarded, the victim is redirected to the original tax service website

Besides the IRS brand, scammers use the name of Intuit, the developer of the TurboTax program, which helps fill out tax returns.

Example of a phishing email using the Intuit brand

Scammers try to get user credentials for the Intuit site, as well as email logins and passwords:

Examples of phishing pages using the Intuit brand

Links to phishing pages in the US are distributed not only by email, but by SMS and social media. Remember that the IRS doesn’t initiate contact with taxpayers through these channels to request personal information.

Official IRS anti-phishing recommendations are available on the department’s website.

United Kingdom (HMRC)

The UK tax (fiscal) year runs from April 6 through April 5 the following year. The PAYE (Pay As You Earn) system means that most taxpayers are not required to fill out any forms by a certain deadline (HMRC receives monthly data from the employer). However, if a taxpayer’s income changes, he/she must update their tax code in accordance with the new income level. And in the event that the taxpayer owes money or is due a reimbursement, HMRC (Her Majesty’s Revenue and Customs) will make contact to arrange payment. That’s where scammers set traps informing potential victims about a potential refund or (less often) monies owed.

In 2016, phishing activity in this segment in the UK was very high, rising toward the end of the calendar year:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2016

In 2017, phishers cast their nets in May (this month saw two major outbreaks of activity) and remained active pretty much until the end of the calendar year.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2017

Scam messages supposedly from HMRC are sent to UK residents via SMS, social media, and email, and contain links to phishing pages that strongly resemble the official website. To claim their “refund,” users are usually asked to enter bank card details and other important information.

Examples of phishing pages using the HMRC brand.

In addition, scammers try to steal credentials for other services. In the example below, the scammers sent an email seemingly from HMRC with a PDF attachment (in fact an HTML file). On opening it, the user is shown a page in the style of an Adobe online resource, and is prompted for an email login and password to view the PDF. These credentials are, of course, sent to the attackers.

A fake PDF directing victims to a page used by cybercriminals to steal email account credentials

Anti-phishing recommendations can be viewed on the official HMRC website.

France (DGFiP)

In France, tax collection is the responsibility of the General Directorate of Public Finance (La Générale des finances publique, DGFiP); the start of the fiscal year coincides with that of the calendar year. The French have no PAYE system (one is planned for implementation in 2019), and the deadline for tax returns is set by each individual département. Tax declarations can be filed in paper form (soon to be discontinued) and online. What’s more, the paper deadline is earlier than the electronic one. Generally, the submission deadlines fall in May-June.

As we can see on the graphs, phishing activity surged during this very period:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2016

2017 saw two flashes of activity: during the filing period and at the end of the year:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2017

The most popular topic for scammers, as before, is the offer of a refund:

Example of a phishing email exploiting the subject of tax refunds

Clicking on links in such messages takes users to phishing pages where they are prompted to enter bank card details and other personal information:

Examples of fake pages masquerading as the French tax service

Official warning about scammers on the DGFiP website.

Other countries

Taxes are a common scamming topic in other countries, too. Personal information is solicited under various pretexts: tax return completion, account verification, tax refund, system registration, etc.

Example of a fake page of the Revenue Commissioners of the Republic of Ireland

Scammers not only target taxpayers’ personal data, but sometimes aim to install malware on their computers. For example, one spam mailing contained a link to a fake site of the Federal Tax Service (FTS) of the Russian Federation, where a Trojan was downloaded to the victim’s computer.

A spoof FTS site distributing malware

Not only taxes

Posing as the state, attackers have other topics than taxes up their sleeve. For example, scammers in Hungary held fake prize giveaways in the name of the government:

Smartphone giveaway by the “Hungarian government”

In Italy, fraudsters rather ingeniously extorted money under the guise of the Ministry of Defense. To conceal its real address, the site opened (if the user allowed it) in full-screen mode with the control elements and address bar hidden, and then proceeded to simulate these interface elements. Naturally, the fake address bar displayed the Ministry’s legitimate URL.

Fake Italian “Ministry of Defense” website

Scaring users into thinking they had distributed prohibited materials (pornography, pedophilia, zoophilia), the site blocked the computer and demanded a fine in the form of a €500 iTunes gift card to have it unblocked.


Trust in government websites is very high, and filing of tax returns always involves submitting large quantities of personal information. Therefore, if users are sure that they are on the official tax service website, they will not hesitate to share important details about themselves. Another important aspect is that many online tax return filers are not everyday netizens, and thus know little about online fraud and cannot recognize a scam when they see one. But even regular Internet users can be wrong-footed by a tempting (and often expected) tax refund notice. Scammers take full advantage of this. In sum, always treat monetary offers with a healthy dollop of skepticism, and bookmark the official site of your country’s tax service in your browser to help avoid getting hooked by phishers.

Security 2018 Conference

VIRY.CZ - 12 February, 2018 - 22:47

For the 26th time, cybersecurity experts from around the world will meet on Thursday, March 1, at the Clarion Congress Hotel in Prague. The independent conference is organized by AEC and will again be split into two parallel tracks this year, managerial and technical, consisting of expert talks and case studies presented directly by customers. The program begins with the conference opening at 9:00 and, with breaks, runs until 18:00.

The technical track will focus mainly on developments in security threats and in ransomware and malware. There will also be a special one-hour block in which AEC will demonstrate in detail scenarios of cyberattacks on corporate infrastructure, followed by an analysis of how they are detected.

Speakers at the conference will include, for example, Ivan Bartoš, a member of the Chamber of Deputies of the Parliament of the Czech Republic for the Czech Pirate Party, and experts Tobias Schrödl, Jornt van der Wiel, Fred Streefland, Domenico Raguseo and Jonas Pfoh. Companies such as ČEZ, IBM Security, Reiffeisen Bank, Symantec and Tatrabanka will also send representatives to speak.

The program of the whole conference is overseen by a dedicated program committee, which traditionally reviews the talks so that the conference maintains a high professional standard and independence from marketing- or product-oriented contributions.

During the event there will also be a “Capture the Flag” hacking competition, in which registered individuals can try out techniques used by hackers to gain access to modern web applications and corporate systems.

Security 2018 Conference

When: Thursday, March 1, 2018, from 9:00

Where: Clarion Congress Hotel, Freyova 33, Prague 9

More information at:

The post Konference Security 2018 appeared first on VIRY.CZ.

Category: Viruses and Worms