Viruses and Worms

PHP Bug Allows Remote Code-Execution on NGINX Servers - 28 October 2019 - 17:18
CVE-2019-11043 is trivial to exploit -- and a proof of concept is available.
Category: Viruses and Worms

Magecart Gang Targets Skin Care Site Visitors For 5+ Months - 28 October 2019 - 15:17
A Magecart skimmer, discovered on the site of First Aid Beauty, was only just removed after being in place for five months.
Category: Viruses and Worms

Ransomware with a difference as hackers threaten to release city data

Sophos Naked Security - 28 October 2019 - 14:34
Johannesburg spent the weekend struggling to recover from its second malware attack this year as it took key services systems offline.

TikTok says no, senators, we’re not under China’s thumb

Sophos Naked Security - 28 October 2019 - 14:20
US lawmakers asked intelligence to look into whether the app and others like it could pose a security threat or be used to influence opinion.

New BBC ‘dark web’ Tor mirror site aims to beat censorship

Sophos Naked Security - 28 October 2019 - 14:08
A mirror copy of the BBC’s international news website is now available to users on the so-called dark web.

Cybercriminals Impersonate Russian APT ‘Fancy Bear’ to Launch DDoS Attacks - 28 October 2019 - 13:58
Attacks are targeting international companies in the financial sector, demanding that victims pay ransom in Bitcoin.
Category: Viruses and Worms

Crypto Capital boss arrested over money laundering

Sophos Naked Security - 28 October 2019 - 13:53
Bitfinex says the payment processor has $880M of the cryptocurrency exchange's “lost” funds. Polish authorities seized $390m of it.

VB2019 paper: Inside Magecart: the history behind the covert card-skimming assault on the e-commerce industry

Virus Bulletin News - 28 October 2019 - 11:28
Today we publish the VB2019 paper by RiskIQ researcher Yonathan Klijnsma, who looked at the Magecart web-skimming attacks.

Category: Viruses and Worms

Steam-powered scammers

Kaspersky Securelist - 28 October 2019 - 11:00

Digital game distribution services have not only simplified the sale of games themselves, but provided developers with additional monetization levers. For example, in-game items, such as skins, equipment, and other character-enhancing elements, as well as those that help a player stand out, can be sold for real money. Users themselves can also sell items to each other, with the rarest fetching several thousand dollars. And where there’s money, there’s fraud. Scammers try to get hold of login details to “strip” the victim’s characters and sell off their hard-earned items for a juicy sum.

One of the most popular platforms among users (and hence cybercriminals) is Steam, and we’ve been observing money-making schemes to defraud its users for quite some time. Since June, however, such attacks have become more frequent and, compared to previous attempts, far more sophisticated.

[Chart: Steam phishing attacks, January 2019 – September 2019]

It all starts with an online store

Like many others, the scam we uncovered is phishing-based. Attackers lure users to websites that mimic or copy online stores — in this case, the ones linked to Steam — that sell in-game items. The fake resources are high-quality and it is really hard, sometimes even impossible, to distinguish them from the real thing. Such phishing sites:

  • Are very well implemented, no matter if copied or made from scratch
  • Have a security certificate and support HTTPS
  • Issue a warning about the use of cookies
  • Provide some links to the original website (that go nowhere when clicked)

The longer a user spends on the site, the more likely they are to spot something odd. Therefore the scammers do not want users to stay long, and phishing sites get down to business very quickly: on clicking any link, the user immediately sees a window asking for their Steam login and password. By itself, this might not raise a red flag. The practice of logging into a service through another account (Facebook, Google, etc.) is quite common, and Steam accounts can likewise be used to log into third-party resources. All the more so since the supposed trading platform requires access to the user’s account to obtain data on what items they have.

The fake login/password window is very similar to the real one: the address bar contains the correct URL of the Steam portal, the page has an adaptive layout, and if the user opens the link in another browser with a different interface language, the content and title of the fake page change in accordance with the new “locale.”

However, right-clicking on the title of this window (or control elements) displays the standard context menu for web pages, and selecting “view code” exposes the window as a fake, implemented using HTML and CSS:

In one example, the username and password are transferred using the POST method through an API on another domain that also belongs to scammers.

The fake login form is given extra credence by the fact that the entered data is verified using the original services. On entering the wrong login and password, the user is shown an error message:

When a valid login and password pair is entered, the system requests a two-factor authentication code that is sent by email or generated in the Steam Guard app. Obviously, the entered code is also forwarded to the scammers, who gain full control over the account as a result:

Other varieties

Besides creating “complex” login windows using HTML and CSS, cybercriminals also employ the good old trick of a fake form in a separate window, but with an empty address bar. Although the window display method is different, the operating principle is the same as above. The form verifies the entered data, and if the login and password match, it prompts the victim to enter a two-factor authentication code.

How to stay protected

The main tips for guarding against this and similar scams are essentially no different from those for identifying “ordinary” phishing sites. Look carefully at the address bar and its contents. In our example, it contained the correct URL, but less sophisticated variants are more common — for example, the website address might not match the store name, or the address bar might display the words “about:blank”.

Pay close attention to login forms on “external” resources. Right-click on the title bar of the window containing the form, or try to drag it outside the main browser window to make sure it’s not fake: a genuine pop-up can be moved outside the browser, whereas a window drawn with HTML and CSS cannot leave the page. Also, if you suspect that the login window is not real, open the Steam main page in a new browser window and log into your account from there. Then go back to the suspicious login form and refresh the page. If it’s real, a message will appear saying that you’re already logged in.

If everything seems normal, but something still arouses suspicion, check the domain using WHOIS. Genuine companies do not register domains for short periods and do not hide their contact details. Lastly, activate two-factor authentication through Steam Guard, follow Steam’s own recommendations, and use a security solution with anti-phishing technology.

Remember that competition for non-hoodie hacker pics? Here's their best entries

The Register - Anti-Virus - 28 October 2019 - 11:00
And we invite you to grab your easel and brush

A competition to produce stock pictures of infosec that does not involve hoodies or waterfalls of 0s and 1s has yielded a mixed bag of images to illustrate the industry's digital doings for the world's consumption.…

Category: Viruses and Worms

Monday review – the hot 21 stories of the week

Sophos Naked Security - 28 October 2019 - 10:39
Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

FBI extends voting security push, LA court hacker goes down, and more D-Link failures

The Register - Anti-Virus - 28 October 2019 - 08:01
Plus, Kaspersky opens doors on its intelligence portal

Here's your Reg roundup of security news beyond all the bits and bytes we've already covered.…

Category: Viruses and Worms

Is AWS Liable in Capital One Breach? - 25 October 2019 - 21:16
Senators penned a letter to the FTC urging it to investigate whether Amazon is to blame for the massive Capital One data breach disclosed earlier this year.
Category: Viruses and Worms

Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!

The Register - Anti-Virus - 25 October 2019 - 20:13
No passwords, banking details, but enough info to convincingly phish someone

Adobe has pulled offline a public-facing poorly secured Elasticsearch database containing information on 7.5 million Creative Cloud customers.…

Category: Viruses and Worms

Uncle Sam demands summary judgment on Snowden memoir: We're not saying it's true, but no one should read it

The Register - Anti-Virus - 25 October 2019 - 19:00
We really needed to take a look before you published

The US government has gone back to court in a bid to get a summary judgment against whistleblower Edward Snowden and Macmillan – the publisher of his memoir, Permanent Record.…

Category: Viruses and Worms

U.N., UNICEF, Red Cross Under Ongoing Mobile Attack - 25 October 2019 - 17:23
A smart mobile-first phishing effort uses valid certificates to sign fake Office 365 pages, and logs keystrokes in real time.
Category: Viruses and Worms

News Wrap: Hotel Robot Hacks, FTC Stalkerware Crackdown - 25 October 2019 - 16:52
From hacking hotel room robots to crackdowns on stalkerware apps, Threatpost editors break down this week's top news stories.
Category: Viruses and Worms

Firefox Privacy Protection makes website trackers visible

Sophos Naked Security - 25 October 2019 - 15:33
Mozilla has added another privacy tweak to Firefox version 70 - the ability to quickly see how often websites are tracking users.

Ransomware, Mobile Malware Attacks to Surge in 2020 - 25 October 2019 - 14:22
Targeted ransomware, mobile malware and other attacks will surge, while companies will adopt AI, better cloud security and cyber insurance to help defend and protect against them.
Category: Viruses and Worms

Keylogging data vampire pleads guilty to bleeding two companies

Sophos Naked Security - 25 October 2019 - 14:04
He drained data from firms working on hot new technology, sneaking in with a fake access badge, planting hardware and software keyloggers.