by titanadmin | Jan 23, 2018 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Tax season is open season for cybercriminals and phishers, who increase their efforts to obtain personal information and Social Security numbers in the run up to – and during – tax season. Until April, we can expect many W2 phishing attacks. Make sure you are prepared and do not fall for a scam.
Anatomy of a W2 Phishing Attack
The most common method of stealing the information needed to file fraudulent tax returns is phishing. Phishing emails are sent in the millions to individuals in an effort to obtain their sensitive information. Individuals must be on high alert for malicious emails during tax season, but it is businesses that are most likely to be targeted.
Payroll employees have access to the W2 forms of the entire workforce. If a single worker can be convinced to email the data, the attacker can file thousands of fraudulent tax returns in the names of employees.
The way cybercriminals get payroll staff to part with sensitive data is by impersonating the CEO or CFO in what is referred to as a Business Email Compromise Scam – otherwise known as a BEC attack or CEO fraud.
The most successful attacks require access to the CEO or CFO’s email account to be gained. That means the CEO or CFO must first be targeted with a spear phishing email and lured into parting with his/her login credentials. Once access to the email account is gained, the impostor can craft an email and send it to a select group of individuals in the company: Payroll and accounts department employees.
The company is researched, individuals likely to have access to W2 forms are identified, and emails are sent. A request is made to attach the W2 forms of all employees who worked for the company in the past year, or for a specific group of employees. A series of emails may be sent, rather than asking for the information straight away.
Since the attacker has access to the CEO’s or CFO’s email account, they can delete sent emails and replies before they are seen by the account holder.
An alternative way of conducting BEC attacks is to spoof an email address. The CFO or CEO is identified from social media sites or LinkedIn, the email address is obtained or guessed based on the format used by the company, and the email is made to appear as if it has come from that email account. An alternative is for the attacker to purchase a similar domain to that used by the company, with two transposed letters for instance. Enough to fool an inattentive worker.
Oftentimes, W2 phishing attacks are not detected until days or weeks after the W2 forms have been sent, by which times IRS tax refund checks have been received and cashed.
How to Defend Against W2 Phishing Attacks
There are several methods that can be used to block W2 phishing attacks. A software or cloud-based anti-spam service should be used to block attacks that come from outside the company. Configured correctly, the spam filter should block spoofed emails and emails sent from similar domains to that used by the company. However, a spam filter will not block emails that come from the CFO or CEOs account.
Multi-factor authentication should be set up on all email accounts to help prevent the first phish that gives the attacker access to a C-suite email address. W2 phishing attacks using spoofed email addresses are much easier to identify and block.
It is therefore important to raise awareness of the threat of W2 phishing attacks with accounts and payroll staff, and anyone else with access to W2 forms. Training can greatly reduce susceptibility to W2 phishing attacks. Training should also be provided to the C-suite, not just employees.
The number of staff who have access to W2 forms should be restricted as far as is possible. Policies should also be introduced that require any request for W2 data to be verified. At a minimum, a request for the data should be checked by a supervisor. Ideally, the request should be confirmed face to face with the sender of the email, or with a quick phone call. The scammers rely on this check not taking place.
by titanadmin | Jan 20, 2018 | Email Scams, Phishing & Email Spam, Spam News, Spam Software |
The insurance, telecoms, and financial service sectors are being targeted by malicious actors spreading Zyklon malware. A large-scale spam email campaign has been detected that leverages three separate Microsoft Office vulnerabilities to download the malicious payload.
Zyklon malware is not a new threat. The malware variant was first detected at the start of 2016, but it stopped being detected soon after and was not extensively used until the start of 2017.
Zyklon malware is a backdoor with a wide range of malicious functions. The malware acts as a password harvester, keylogger, and data scraper, obtaining sensitive information and stealing credentials for further attacks. The malware can also be used to conduct DoS attacks and mine cryptocurrency.
The latest variant of Zyklon malware can download and run various plugins and additional malware variants. It can identify, decrypt, and steal serial keys and license numbers from more than 200 software packages and can also hijack Bitcoin addresses. All told, this is a powerful and particularly nasty and damaging malware variant that is best avoided.
While the latest campaign uses spam email, the malware is not included as an attachment. A zip file is attached to the email that contains a Word document. If the document is extracted, opened, and the embedded OLE object executed, it will trigger the download of a PowerShell script, using one of three Microsoft Office vulnerabilities.
The first vulnerability is CVE-2017-8759: A Microsoft NET vulnerability that was patched by Microsoft in October.
The second ‘vulnerability’ is Dynamic Data Exchange (DDE) – a protocol part of Office that allows data to be shared through shared memory. This protocol is leveraged to deliver a dropper that will download the malware payload. This vulnerability has not been patched, although Microsoft has released guidance on how to disable the feature to prevent exploitation by hackers.
The third vulnerability is far older. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor that has been around for 17 years. The flaw was only recently identified and patched by Microsoft in November.
The second stage of infection – The PowerShell script – serves as a dropper for the Zyklon malware payload.
According to the FireEye researchers who identified the campaign, the malware can remain undetected by hiding communications with its C2 using the Tor network. “The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.”
Campaigns such as this highlight the importance of applying patches promptly. Two of the vulnerabilities were patched in the fall of 2017, yet many organizations have yet to apply the patches and remain vulnerable. If patches are not applied, it will only be a matter of time before vulnerabilities are exploited.
FireEye researchers have warned that while the campaign is currently only targeting three industry sectors, it is probable that the campaign will be widened to target other industry sectors in the near future.
The advice is to implement an advanced cloud-based anti-spam service such as SpamTitan to identify and quarantine malicious emails, and ensure that operating systems and software is kept up to date.
by titanadmin | Jan 16, 2018 | Internet Security, Phishing & Email Spam, Spam Advice |
More than 60 apps have now been removed from Google Play Store that were laced with AdultSwine Malware – A malware variant that displays pornographic adverts on users’ devices. Many of the apps that contained the malware were aimed at children, including Drawing Lessons Lego Star Wars, Mcqueen Car Racing Game, and Spinner Toy for Slither. The apps had been downloaded by between 3.5 and 7 million users before they were identified and removed.
While the malicious apps have been removed, users who have already downloaded the infected apps onto their devices must uninstall the apps to remove the malware. Simply deleting the apps from the Play Store only prevents more users from being infected. Google has said that it will display warnings on Android phones that have the malicious apps installed to alert users to the malware infection. It will be up to users to then uninstall those apps to remove the AdultSwine malware infection.
Apps Infected with AdultSwine Malware
- Addon GTA for Minecraft PE
- Addon Pixelmon for MCPE
- Addon Sponge Bob for MCPE
- AnimePictures
- Blockcraft 3D
- CoolCraft PE
- DiadelosMuertos
- Dragon Shell for Super Slither
- Draw Kawaii
- Draw X-Men
- Drawing Lessons Angry Birds
- Drawing Lessons Chibi
- Drawing Lessons Lego Chima
- Drawing Lessons Lego Ninjago
- Drawing Lessons Lego Star Wars
- Drawing Lessons Subway Surfers
- Easy Draw Octonauts
- Exploration Lite: Wintercraft
- Exploration Pro WorldCraft
- fidgetspinnerforminecraft
- Fire Skin for Slither IO app
- Five Nights Survival Craft
- Flash Skin for Slither IO app
- Flash Slither Skin IO
- Girls Exploration Lite
- Guide Clash IO
- Guide Vikings Hunters
- HalloweenMakeUp
- halloweenskinsforminecraft
- How to Draw Animal World of The Nut Job 2
- How to Draw Batman Legends in Lego Style
- How to Draw Coco and The Land of the Dead
- How to Draw Dangerous Snakes and Lizards Species
- How to Draw Real Monster Trucks and Cars
- Invisible Skin for Slither IO app
- Invisible Slither Skin IO
- Jungle Survival Craft 1.0
- Jurassic Survival Craft Game
- Mcqueen Car Racing Game
- Mine Craft Slither Skin IO
- Moviesskinsforminecraft
- Pack of Super Skins for Slither
- Paw Puppy Run Subway Surf
- Pixel Survival – Zombie Apocalypse
- Players Unknown Battle Ground
- San Andreas City Craft
- San Andreas Gangster Crime
- Shin Hero Boy Adventure Game
- skinsyoutubersmineworld
- Spinner Toy for Slither
- Stickman Fighter 2018
- Subway Banana Run Surf
- Subway Bendy Ink Machine Game
- Subway Run Surf
- Temple Bandicoot Jungle Run
- Temple Crash Jungle Bandicoot
- Temple Runner Castle Rush
- ThanksgivingDay
- ThanksgivingDay2
- Virtual Family – Baby Craft
- Woody Pecker
- youtubersskins
- Zombie Island Craft Survival
Malicious Activities of AdultSwine Malware
AdultSwine malware, and the apps that infect users, were identified and analyzed by security researchers at CheckPoint. The researchers note that once downloaded onto a device, the malware sends information about the user to its command and control server and performs three malicious activities: Displaying advertisements, signing up users to premium services, and installing scareware to fool victims into paying for security software that is not necessary. Information is also stolen from the infected device which can potentially be used for a variety of malicious purposes.
The advertisements are displayed when users are playing games or browsing the Internet, with the adverts coming from legitimate ad networks and the AdultSwine library. The AdultSwine malware library includes extreme adverts containing hardcore pornographic images. Those images appear on screen without warning.
The scareware claims the victim’s device has been infected with a virus that requires the download of an anti-malware app from the Google Play Store, although the virus removal tool is a fake app. Users are told that their phone will be rendered unusable if the app is not downloaded, with a countdown timer used to add urgency.
Registering for premium services requires the user to supply further information, which is done through pop-up phishing adverts. The user is told they have won a prize, but that they must answer four questions to claim their prize. The information they supply is used to register for premium services.
Preventing Infection of Mobile Devices
Generally, users can reduce the risk of a malware infection by only downloading apps from official app stores, although this latest malware campaign has shown that even official stores can be compromised and have malicious apps uploaded.
Google does scan all apps for malware, but new forms of malware can be sneaked into Google Play Store on occasion. Google has announced that from the end of January it will be rolling out a new service called Google Play Protect that is capable of scanning previously downloaded apps to ensure they are still safe to use.
Google recommends only downloading apps for children that have been verified by Google as being ‘Designed for Families’. Those apps may contain adverts, but they have been vetted and strict rules apply covering the advertisements that can be displayed.
It is also important to install some form of anti-malware solution – from a reputable and well-known company – that will scan downloaded content and apps for malware.
by titanadmin | Jan 5, 2018 | Industry News, Internet Security, Network Security |
It has been pretty difficult to avoid the news of Meltdown and Spectre – Two vulnerabilities recently discovered that could potentially be exploited to gain access to sensitive information on PCs, Macs, servers, and smartphones. Meltdown and Spectre affect virtually all devices that contain CPUs, which amounts to billions of devices worldwide.
What are Meltdown and Spectre?
Meltdown and Spectre are two separate vulnerabilities affecting CPUs – central processing units. The chips that power a wide range of electronic devices. The flaws make devices vulnerable to side-channel attacks, in which it is possible to extract information from instructions that have been run on CPUs, using the CPU cache as a side channel.
There are three types of attacks, two for Spectre and one for Meltdown. Spectre Variant 1 – tracked as CVE-2017-5753- is a bounds check bypass, while Spectre variant 2 – tracked as CVE-2017-5715 – is a branch target injection. Variant 3, termed Meltdown – tracked as CVE-2017-5754 – is a rogue data cache load, memory access permission check that is performed after kernel memory read.
The less technical explanation is the attacks leverage the prediction capabilities of the CPU. The CPU will predict processes, load them to an easily accessible, fast sector of the memory to save time and ensure fast performance. Spectre allows data to be read from the memory, but also for information to be loaded into the memory and read that would otherwise not be possible.
Meltdown also reads information from the memory, stealing information from memory used by the kernel that would not normally be possible.
What Devices are Affected by Meltdown and Spectre?
US-CERT has warned that the following vendors have been affected by Meltdown and Spectre: AMD, Apple, Arm, Google, Intel, Linux Kernel, Microsoft, and Mozilla. Apple has said that virtually all of its Macs, iPhones, and iPads are affected. PCs and laptops with Intel, Arm, and AMD chips are affected by Spectre, as are Android smartphones. while Meltdown affects desktops, laptops, and servers with Intel chips. Since servers are affected, that has major implications for cloud service providers.
How Serious are Meltdown and Spectre?
How serious are Meltdown and Spectre? Serious enough for the Intel chief executive officer, Brian Krzanich, to sell $25 million of his shares in the company prior to the announcement of the flaws, although he maintains there was no impropriety and the sale of the shares was unrelated to the announcement of the flaws a little over a month later.
For users of virtually all devices that contain CPUs, the flaws are certainly serious. They could potentially be exploited by malicious actors to gain access to highly sensitive data stored in the memory, which can include passwords and credit card data.
What makes these flaws especially serious is the number of devices that are affected – billions of devices. Since one of the flaws affects the hardware itself, which cannot be easily corrected without a redesign of the chips, resolving the problem will take a considerable amount of time. Some security experts have predicted it could take decades before the flaws are totally eradicated.
Fortunately, companies have been scrambling to develop patches that can at least reduce the risk of the flaws being exploited. For example, Chrome and Firefox have already released updates that will prevent attacks from occurring via browsers. Since the attacks can be performed using JavaScript, securing web browsers is essential.
At present, it would appear that the flaws have not been exploited in the wild, although now the news has broken, there will certainly be no shortage of individuals attempting to exploit the flaws. Whether they are able to do so remains to be seen.
What Can You do to Prevent Meltdown and Spectre Attacks?
As is the case when any vulnerability is identified, protecting against Meltdown and Spectre requires patches to be applied. All software should be updated to the latest versions, including operating systems, software packages, and browsers. Keeping your systems 100% up to date is the best protection against these and other attacks.
Some third-party antivirus software will prevent Windows patches from being installed, so before Windows can be updated, antivirus must be updated. Ensure that your AV program is kept up to date, and if you have automatic updates configured for Windows, as soon as your system is ready for the update it will be installed.
Chrome and Firefox have already been updated, Microsoft will be rolling out a patch for Windows 10 on Thursday, and over the next few days, updates will be released for Windows 7 and 8. Apple has already updated MacOS version 10.13.2, with earlier versions due to receive an update soon.
Google has already issued updates for Android phones, although only Google devices have so far been updated, with other manufactures due to roll out the updates shortly. Google has already updates its Cloud Platform, and Amazon Web Services has also reportedly been updated. Linux updates will also be issued shortly.
Fixes for Meltdown are easier to implement, while Spectre will be harder as true mitigations would require major changes to the way the chips work. It is unlikely, certainly in the short term, for Intel to attempt that. Instead, mitigations will focus on how programs interact with the CPUs. As US-CERT has warned, “[The] Underlying vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” although that advice is no longer detailed in its updated vulnerability warning.
Applying patches will help to keep computers protected, but that may come at a cost. For example, the fix for the Meltdown vulnerability changes the way the computer works, which means the processor will have to work harder as it has to repeatedly access information from the memory – tasks that would otherwise not normally need to be performed.
That will undoubtedly have an impact on the performance of the machine. How much of a dip in performance can be expected? Some experts predict the changes could slow computers down by as much as 30%, which would certainly be noticed at times when processor activity is particularly high.
by titanadmin | Jan 4, 2018 | Industry News, Internet Security, Network Security |
A recently discovered Forever 21 POS malware attack has seen customers’ credit card data compromised. While malware attacks on retail POS systems are now commonplace, in the case of the Forever 21 POS malware attack, the security breach stands out due to the length of time malware was present on its systems. Attackers first gained access to its POS system seven months before the infection was discovered.
The Forever 21 POS malware infections were first identified in October, when a third-party linked credit card fraud to customers who had previously visited Forever 21 stores. The potential malware infections were investigated and a third-party cybersecurity firm was called in to assist.
Forever 21 first made the announcement about a data breach in November, although the investigation has been ongoing and now new details about the attack have been released.
The investigation has revealed the attack was extensive and affected many POS devices used in its U.S. stores. The Forever 21 POS malware attack started on April 3, 2017, with further devices compromised over the following 7 months until action was taken to secure its systems on November 18, 2017. Forever 21 reports that some POS devices in its stores were only compromised for a few days, others for a few weeks, while some were compromised for the entire timeframe.
In response to the increased threat of cyberattacks on retailers, Forever 21 started using encryption technology on its payment processing systems in 2015; however, the investigation revealed the encryption technology was not always active.
While the encryption technology was active, the attackers would have been prevented from obtaining the credit card details of its customers, although the information could be stolen at times when the encryption technology was turned off.
Further, some devices that were compromised by the malware maintained logs of completed credit card transactions. When the encryption technology was not active, details of completed transactions were stored in the logs and could therefore be read by the attackers. Since those logs contained details of transactions prior to the malware infections, it is possible that customers who visited affected Forever 21 stores prior to April 3, 2017 may also have had their credit card details stolen.
Each store uses multiple POS devices to take payments from consumers, and in most cases only one device per store was compromised. The attackers concentrated their efforts on stores where POS devices did not have encryption enabled. Further, the attackers main aim appeared to be to find and infect devices that maintained logs of transactions.
On most POS devices, the attackers searched for track data read from payment cards, and in most cases, while the number, expiry date and CVV code was obtained, the name of the card holder was not.
The investigation into the Forever 21 POS malware attack is ongoing, and at present it is unclear exactly how many of the company’s 700+ stores have been affected, how many devices were infected, and how many customers have had their credit and debit card details stolen. However, it is fair to assume that an attack of this duration will have affected many thousands of customers.
The type of malware used in the attack is not known, and no reports have been released that indicate how the attackers gained access to its systems. It is not yet known if stores outside the US have been affected.
