Viry a Červi

Parents say creep hacked their baby monitor to tell toddler they ‘love’ her

Sophos Naked Security - 26 Listopad, 2019 - 13:02
The Taococo FREDI baby monitor has repeatedly been criticized for being easy to hack.

Court says suspect can’t be forced to reveal 64-character password

Sophos Naked Security - 26 Listopad, 2019 - 12:30
We have to protect the constitutional rights of the innocent, and that can mean shielding guilty-as-hell child abusers, the court said.

National Veterinary Associates catches dose of ransomware

Sophos Naked Security - 26 Listopad, 2019 - 12:16
Ransomware attacks don't discriminate - and are just as happy targeting those with four legs as those with two.

Black Friday Shoppers Targeted By Scams and Fake Domains - 26 Listopad, 2019 - 12:00
Cybercriminals are tapping in on Black Friday and Cyber Monday shoppers with an array of scams and malware - including domain impersonation, social media giveaway scams, and a malicious Chrome extension.
Kategorie: Viry a Červi

Sir Tim Berners-Lee publishes plan to save the web from ‘digital dystopia’

Sophos Naked Security - 26 Listopad, 2019 - 11:27
Web inventor Sir Tim Berners-Lee has proposed a 'Contract for the Web' to rescue it from a headlong plunge into a moral abyss.

Spam and phishing in Q3 2019

Kaspersky Securelist - 26 Listopad, 2019 - 11:00

Quarterly highlights Amazon Prime

In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September’s Prime Day sale, such messages were plausible.

Scammers also used another fraudulent scheme: An email informed victims that their request to cancel Amazon Prime had been accepted, but if they had changed their mind, they should call the number in the message. Fearing their accounts may have been hacked, victims phoned the number — this was either premium-rate and expensive, or, worse, during the call the scammers tricked them into revealing confidential data.

Scammers collect photos of documents and selfies

This quarter we detected a surge in fraud related to stealing photos of documents and selfies with them (often required for registration or identification purposes). In phishing emails seemingly from payment systems and banks, users were asked under various pretexts to confirm their identity by going to a special page and uploading a selfie with an ID document. The fake sites looked quite believable, and provided a list of necessary documents with format requirements, links to privacy policy, user agreement, etc.

Some scammers even managed without a fake website. For instance, in summer Italian users were hit by a spam attack involving emails about a smartphone giveaway. To receive the prize, hopefuls had to send a photograph of an ID document and a selfie to the specified email address. To encourage victims to respond, the scammers stated that the offer would soon expire.

To obtain copies of documents, scammers also sent fake Facebook messages in which recipients were informed that access to their accounts had been restricted due to complaints about the content of some posts. To prevent their account from being deleted, they were instructed to send a photo or scan of a driving license and other ID documents with a selfie, plus medical insurance details.

YouTube and Instagram

Scammers continue to exploit traditional schemes on new platforms, and Q3 was a bumper quarter in this regard. For instance, YouTube ads appeared offering the viewer the chance to earn a lot of quick and easy money. The video explained to users that they had to take a survey and provide personal details, after which they would receive a payout or a gift from a large company, etc. To add credibility, fake reviews from supposedly “satisfied customers” were posted under the video. What’s more, the enthusiastic bot-generated comments did not appear all in one go, but were added gradually to look like a live stream.

All the user had to do was follow the link under the video and then follow the steps in the video instructions. Sure, to receive the handout, a small “commission fee” or payment to “confirm the account” was required.

Similar schemes did the rounds on Instagram. Advertising posts in the name of various celebrities (fake accounts are easily distinguished from real ones by the absence of a blue tick) were often used to lure fans with prize draws or rewards for completing a paid survey. As with the YouTube videos, there were plenty of fake glowing comments under such posts. Given that such giveaways by stars are not uncommon, inattentive users could swallow the bait.

Back to school

In Q3, we registered a series of attacks related in one way or another to education. Phishers harvested usernames and passwords from the personal accounts of students and lecturers using fake pages mimicking university login pages.

The scammers were looking not for financial data, but for university research papers, as well as any personal information that might be kept on the servers. Data of this kind is in high demand on the darknet market. Even data that seems useless at first can be used by cybercriminals to prepare a targeted attack.

One way to create phishing pages is to hack into legitimate resources and post fraudulent content on them. In Q3, phishers hacked school websites and created fake pages on them to mimic login forms for commonly used resources.

Scammers also tried to steal usernames and passwords for the mail servers of educational service providers. To do so, they mailed out phishing messages disguised as support service notifications asking recipients to confirm that the mail account belonged to them.

Apple product launch

In September, Apple unveiled its latest round of products, and as usual the launch was followed by fans and scammers alike — we detected phishing emails in mail traffic aimed at stealing Apple ID authentication data.

Scammers also harvested users’ personal data by sending spam messages offering free testing of new releases.

The number of attempts to open fake websites mentioning the Apple brand rose in the runup to the unveiling of the new product line and peaked on the actual day itself:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of attempts to open Apple-related phishing pages, September 2019 (download)

Attacks on pay TV users

To watch TV or record live broadcasts in the UK, a license fee is payable. This was exploited by spammers who sent out masses of fake license expiry/renewal messages. What’s more, they often used standard templates saying that the license could not be renewed because the bank had declined the payment.

The recipient was then asked to verify (or update) their personal and/or payment details by clicking on a link pointing to a fake data entry and payment form.

Spam through website feedback forms

The website of any large company generally has one or even several feedback forms. These can be used to ask questions, express wishes, sign up for company events, or subscribe to newsletters. But messages sent via such forms often come not only from clients or interested visitors, but from scammers too.

There is nothing new about this phenomenon per se, but it is interesting to observe how the mechanism for sending spam through forms has evolved. If previously spammers targeted company mailboxes linked to feedback forms, now fraudsters use them to send spam to people on the outside.

This is possible because some companies do not pay due attention to website security, allowing attackers to bypass simple CAPTCHA tests with the aid of scripts and to register users en masse using feedback forms. Another oversight is that the username field, for example, accepts any text or link. As a result, the victim whose mailing address was used receives a legitimate confirmation of registration email, but containing a message from the scammers. The company itself does not receive any message.

Such spam started to surge several years ago, and has recently become even more popular — in Q3 services for delivering advertising messages through feedback forms began to be advertised in spam mailings.

Attacks on corporate email

Last quarter, we observed a major spam campaign in which scammers sent emails pretending to be voicemail notifications. To listen to the supposed message, the recipient was invited to click or tap the (phishing) link that pointed to a website mimicking the login page of a popular Microsoft service. It was a page for signing either into Outlook or directly into a Microsoft account.

The attack was aimed specifically at corporate mail users, since various business software products allow the exchange of voice messages and inform users of new ones via email.

It is worth noting that the number of spam attacks aimed specifically at the corporate sector has increased significantly of late. Cybercriminals are after access to employees’ email.

Another common trick is to report that incoming emails are stuck in the delivery queue. To receive these supposedly undeliverable messages, the victim is prompted to follow a link and enter their corporate account credentials on another fake login page, from where they go directly to the cybercriminals. Last quarter, our products blocked many large-scale spam campaigns under the guise of such notifications.

Statistics: spam Proportion of spam in mail traffic

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Share of spam in global mail traffic, Q2 and Q3 2019 (download)

In Q3 2019, the largest share of spam was recorded in August (57.78%). The average percentage of spam in global mail traffic was 56.26%, down 1.38 p.p. against the previous reporting period.

Sources of spam by country

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Sources of spam by country, Q3 2019 (download)

The TOP 5 spam-source countries remain the same as last quarter, only their percentage shares are slightly different. China is in first place (20.43%), followed by the US (13.37%) and Russia (5.60%). Fourth position goes to Brazil (5.14%) and fifth to France (3.35%). Germany took sixth place (2.95%), followed — with a gap of less than 0.5 p.p. — by India (2.65%), Turkey (2.42%), Singapore (2.24%), and Vietnam (2.15%).

Spam email size

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Spam email size, Q2 and Q3 2019 (download)

In Q3 2019, the share of very small emails (up to 2 KB) in spam decreased by 4.38 p.p. to 82.93%. The proportion of emails sized 5-10 KB grew slightly (by 1.52 p.p.) against the previous quarter to 3.79%.

Meanwhile, the share of 10-20 KB emails climbed by 0.26 p.p. to 2.24%. As for the number of 20-50 KB emails, their share changed more significantly, increasing by 2.64 p.p. (up to 4.74%) compared with the previous reporting period.

Malicious attachments in email

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of Mail Anti-Virus triggerings, Q2 2019 – Q3 2019 (download)

In Q3 2019, our security solutions detected a total of 48,089,352 malicious email attachments, which is almost five million more than in Q2. July was the most active month with 17 million Mail Anti-Virus triggerings, while August was the “calmest” — with two million fewer.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

TOP 10 malicious attachments in mail traffic, Q3 2019 (download)

In Q3, first place by prevalence in mail traffic went to the Office malware Exploit.MSOffice.CVE-2017-11882.gen (7.13%); in second place was the Worm.Win32.WBVB.vam worm (4.13%), and in third was another malware aimed at Microsoft Office users, Trojan.MSOffice.SAgent.gen (2.24%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

TOP 10 malware families, Q3 2019 (download) (download)

As for malware families, the Backdoor.Win32.Androm family (7.49%) claimed first place.

In second place are Microsoft Office exploits from the Exploit.MSOffice.CVE-2017-11882.gen family (7.20%). And in third is Worm.Win32.WBVB.vam (4.60%).

Countries targeted by malicious mailings

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of Mail Anti-Virus triggerings by country, Q3 2019 (download)

First place by number of Mail Anti-Virus triggerings in Q3 2019 was retained by Germany. Its score increased by 0.31 p.p. to 10.36%. Vietnam also remained in the TOP 3, rising to second position (5.92%), and Brazil came in third just a tiny fraction behind.

Statistics: phishing

In Q3 2019, the Anti-Phishing system prevented 105,220,094 attempts to direct users to scam websites. The percentage of unique attacked users was 11.28% of the total number of users of Kaspersky products worldwide.

Attack geography

The country with the largest share of users attacked by phishers in Q3 2019 was Venezuela (30.96%), which took second place in the previous quarter and has since added 5.29 p.p.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of phishing attacks, Q3 2019 (download)

Having lost 3.53 p.p., Greece ranked second (22.67%). Third place, as in the last quarter, went to Brazil (19.70%).

Country %* Venezuela 30.96 Greece 22.67 Brazil 19.70 Honduras 17.58 Guatemala 16.80 Panama 16.70 Australia 16.18 Chile 15.98 Ecuador 15.64 Portugal 15.61

* Share of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country

Organizations under attack

The rating of categories of organizations attacked by phishers is based on triggers of the Anti-Phishing component on user computers. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

For the first time this year, the share of attacks on organizations in the Global Internet Portals category (23.81%) exceeded the share of attacks on credit organizations (22.46%). Social networks (20.48%) took third place, adding 11.40 p.p. to its share.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of organizations subjected to phishing attacks by category, Q3 2019. (download)

In addition, the TOP 10 said goodbye to the Government and Taxes category.

Its place was taken by the Financial Services category, which unites companies providing services in the field of finance that are not included in the Banks or Payment Systems categories, which cover providers of insurance, leasing, brokerage, and other services.


The average share of spam in global mail traffic (56.26%) this quarter decreased by 1.38 p.p. against the previous reporting period, while the number of attempted redirects to phishing pages compared to Q2 2019 fell by 25 million to just over 105 million.

Top in this quarter’s list of spam-source countries is China, with a share of 20.43%. Our security solutions blocked 48,089,352 malicious mail attachments, while Backdoor.Win32.Androm became the most common mail-based malware family — its share of mail traffic amounted to 7.49%.

Stop us if you've heard this one: Facebook and Twitter profiles silently slurped by shady code

The Register - Anti-Virus - 26 Listopad, 2019 - 06:11
Rogue SDKs covertly harvested personal info, it is claimed

Twitter and Facebook on Monday claimed some third-party apps quietly collected swathes of personal information from people's accounts without permission.…

Kategorie: Viry a Červi

TrickBot Evolves to Go After SSH Keys - 25 Listopad, 2019 - 23:36
The info-stealing malware has updated its password-grabbing module.
Kategorie: Viry a Červi

NYPD Fingerprint Database Taken Offline to Thwart Ransomware - 25 Listopad, 2019 - 20:28
The malware was introduced to the police network via a contractor who was installing a digital display.
Kategorie: Viry a Červi

PoS Malware Exposes Customer Data of Catch Restaurants - 25 Listopad, 2019 - 17:35
A newly announced data breach of several popular Catch restaurants stemmed from malware on its point-of-sale (PoS) systems.
Kategorie: Viry a Červi

OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud

Sophos Naked Security - 25 Listopad, 2019 - 13:46
A lawyer who boasted of making "50 by 50" - as in, $50m by the age of 50 - is now facing a potential 50+ years behind bars.

Ad-blocking companies block ‘unblockable’ tracker

Sophos Naked Security - 25 Listopad, 2019 - 13:45
Ad-blockers have figured out a way to block the unblockable - a pernicious tracker technique that hides advertising networks in plain sight.

Russia to ban sale of devices that don’t come with “Russian software”

Sophos Naked Security - 25 Listopad, 2019 - 13:31
The Russian Government’s campaign to control how its citizens use the internet seems to be gathering steam.

Hacker gets 4 years in jail for NeverQuest banking malware

Sophos Naked Security - 25 Listopad, 2019 - 13:26
The NeverQuest Trojan has been used by cybermuggers to try to weasel millions of dollars out of victims’ bank accounts.

Monday review – the hot 20 stories of the week

Sophos Naked Security - 25 Listopad, 2019 - 13:21
From a WhatsApp-attacking video file to the latest adopter of DNS-over-HTTPS, and everything in between. It's the weekly security roundup.

Unwanted notifications in browser

Kaspersky Securelist - 25 Listopad, 2019 - 11:46

When, back in 2015, push notifications were just appearing in browsers, very few people wondered how this tool would be used in the future: once a useful technology made to keep regular readers informed about updates, today it is often used to shell website visitors with unsolicited ads. To achieve that, users are hoaxed into subscribing to notifications, for example, by passing subscription consent off as some other action. The victim ends up subscribed to ad deliveries, while at the same time quite unable to get rid of the annoying messages, being unaware of their source or origin.

Examples of unsolicited push notifications

Other than ads, downright scam notifications may also be delivered, such as about lottery wins, or offers of money in exchange for completing a survey. All such proposals are usually phishing attacks seeking to coax users to part with their money. We have repeatedly anatomized such cases in our quarterly spam and phishing reports.

From January 1 through September 30, 2019, Kaspersky Lab products have blocked ad and scam notifications sign up and demonstration attempts on the devices of more than 14 million unique users all over the world. We have observed the highest share of users (of the total number of our product users) hit by unsolicited subscriptions in Algeria (27.2%), Belarus (24.1%), Nepal (23.7%), Kazakhstan (23.6%) and the Philippines (22.2%).

We have also registered an upward trend in the spread of ad and scam subscriptions. Since the turn of the year, the number of users hit by this problem has continued to grow:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,,o.src="",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of users hit by unwanted subscriptions, January – September 2019 (download)

Getting the user subscribed

To make users sign up for notifications they don’t need, scammers try to pass the confirmation window off as something else. For example, as CAPTCHA:

In other instances, clicking “Allow” button is ostensibly needed to play back a video or begin downloading a file:

Sometimes the webpage content remains blocked until the user has agreed to sign up for notifications:

Often the victim agrees to receive promotional notifications having been misled to believe that he or she is subscribing to updates on a website of interest. In the case below, a subscription like that is offered by a website ostensibly dedicated to Android devices:

Of particular note are websites touting subscriptions on behalf of popular resources: these are in fact phishing copies of popular websites – of only slightly different appearance and with domain names that look like the real ones.

This page has nothing to do with the company’s official website, it just refers to it

Another imitation

Sometimes scammers simply modify the script in such a way as to make the buttons swap their places in the subscription request dialog box; if used to clicking on “Block” in the right hand side of the box, chances are this time the user will hit “Allow”.

If you look up the earlier screenshots, you may notice that in this dialog box the buttons are placed the other way around

How do subscriptions work?

For the user to begin receiving notifications, his or her consent is required. Some requests for consent are illustrated above. These are activated using scripts that come with the webpage.

Examples of webpages featuring links to scripts activating subscription request dialog boxes (marked red)

The main purpose of these scripts is to identify the presence of the functions necessary to display notifications. Such as the ServiceWorker script, which operates as a service and allows to push notifications even when the browser is off. The sign-up scripts working with advertisement and scam subscriptions are usually strongly obfuscated. But their key elements are discernable, nevertheless.

Obfuscated functions of a sign-up script

A clearer portion of a sign-up script code with some obfuscation elements

If the user has consented to notifications, the script sends to the notification host server a unique user ID, which will later help to determine who exactly is to receive the news. After consent is secured, the server stores the user’s ID, while a link to the website which has signed the user up for notifications (the page on which the “Allow” button has been clicked) is saved in browser settings.

Websites authorized to deliver push notifications in browser settings. The box highlights ad subscriptions in which the content of notifications is unrelated to the original content of the website

So, the user has consented to notifications, the subscription server has stored the user’s ID, and the browser has memorized the webpage which had provided consent for subscription. Now the server can deliver a push message to the user by sending it via the subscription service in JSON format.

Example of notification message in JSON format

The message contains text, an image (if needed), a link to the destination website, and the user ID. The notification itself will feature a link to the website which had signed the user up, but not the webpage to which the user will be redirected. Very often this misleads the user, especially if the sign-up website uses a domain name made to look like the legitimate one.

Example of notification misleading the user with a link to a sign-up website

What’s the upshot

In the most harmless case, the victim will simply receive push ads. Interestingly, their content may vary depending on the user’s location. For example, if in Singapore, country-relevant content will be displayed:

By the way, the example above shows the “success story” advertisement, quite popular ad category in the last couple of years. Push notifications often deliver links to stories about how to get rich or soar to success in the context of sensitive social topics. For example, “how to get rich in a particular country” or “how to become a successful manager if you are a woman”. Most such “tips” advertise success trainings and workshops or various mascots.

Worthy of separate mention are the push messages disguised as system notifications coming from the OS or applications: the victim may be suggested to click a button to deactivate push ads or to extend the anti-virus license.

Computer virus infection alert notifications are among the most unpleasant ones. These usually redirect users to pre-designed pages made to appear like the official Microsoft website or resembling some OS Windows components, e.g., Windows Defender:

This trick is often used to distribute various “PC cleaning” utilities. And while some of them do perform the stated functions to a greater or lesser extent, others simply try to milk the user out of as much money as they can – either for the “work” done or for upgrade to a better equipped version.

Avoiding unsolicited subscriptions

To avoid receiving annoying notifications or scam ads, follow a few simple recommendations:

  • Where possible, block all subscription offers, unless they come from popular and trusted websites. Even then keep your eyes open not to be taken in by a fake website.
  • If unable to avoid an unwanted subscription, you can still block it in the browser settings.
  • Use protective solutions made to warn about scam notifications and delete the existing ones, if needed.

Kaspersky Lab’s products detect push notification attempts and existing subscriptions with the verdicts not-a-virus:AdWare.Script.Pusher and Trojan.Multi.BroSubsc.gen.

Get ahead of the cyber-criminals using training and advice from SANS Manchester in 2020

The Register - Anti-Virus - 25 Listopad, 2019 - 07:00
Keep up with the latest threats – and learn how to stop them

Promo  The IT security landscape changes by the second, as organisations move to new technologies and data thieves devise increasingly ingenious ways to penetrate systems. It’s no surprise that IT security leaders feel the constant need to shore up their defenses.…

Kategorie: Viry a Červi

T-Mobile US hacked, Monero wallet app infected, public info records on 1.2bn people leak from database...

The Register - Anti-Virus - 23 Listopad, 2019 - 11:06
...OnePlus also compromised, and much more

Roundup  Time for another roundup of all the security news that's fit to print and that we haven't covered yet.…

Kategorie: Viry a Červi

RDP loves company: Kaspersky finds 37 security holes in VNC remote desktop software

The Register - Anti-Virus - 23 Listopad, 2019 - 01:38
BlueKeep isn't the only bug in town, plenty to go round

VNC remote desktop software has no shortage of potentially serious memory-corruption vulnerabilities, you'll no doubt be shocked to hear.…

Kategorie: Viry a Červi

ID Thieves Turn to Snail Mail as Juicy Target for Financial Crimes - 22 Listopad, 2019 - 23:49
Hackers turn to old-school mail-forwarding scams to commit modern-day ID theft and financial crimes.
Kategorie: Viry a Červi
Syndikovat obsah