Vast majority of malware attacks spawned from legit sites


The vast majority of sites that push malware on their visitors are legitimate online services that have been hacked as opposed to those hosted by attackers for the purposes of distributing malicious software, Google security researchers said Tuesday.

The data, included for the first time as part of the safe browsing section of Google's regular transparency report, further challenges the myth that malware attacks happen only on disreputable sites, such as those that peddle porn, illicit software ("warez"), and similar content. For instance, on June 9 only 3,891 of the sites Google blocked as part of its Safe Browsing program were dedicated malware sites, while the remaining 39,247 sites that were filtered offered legitimate services that had been compromised.

In all, Google blocks about 10,000 sites per day as part of the program, which is designed to help people using Firefox, Chrome, and other participating browsers steer clear of phishing scams and drive-by malware attacks. The program is also designed to inform webmasters of infections on their sites so they can take steps to fix the problems. Google says the Safe Browsing program helps protect about 1 billion people per day.



Mobile Malware Plays Hide and Seek

Android/Obad.A is mobile malware that has been described as very complex. Truly it is one of the most complex we’ve seen because it:

  • Uses Bluetooth to infect other Android devices
  • Accepts commands from the attacker
  • Hides from the Device Administration list

This is a good collection of malicious activities for a modern piece of malware. Is it unique, though? No, other mobile malware has propagated via Bluetooth, as early as SymbOS/Cabir. Earlier mobile botnets on Symbian, Windows Mobile, and even Android have also accepted commands from attackers’ control servers. That last item, though, disappearing from a standard listing, makes Android/Obad a bit more insidious.

Hidden apps: unwelcome guests?
If you can’t find it, you can’t remove it. Nearly every other piece of Android malware that doesn’t have root access can be found in the standard app and Device Administration lists and removed from there. Android/Obad uses a vulnerability that keeps it off the standard Device Administration list, so a user who checks that list sees nothing to deactivate. The vulnerability isn’t yet closed, so it’s very likely we’ll see other malware authors start to exploit it.

Peek-a-boo, I see you
Fortunately, we have added hidden-app detection capabilities to the latest edition of our McAfee Mobile Innovations app (MMI). The MMI app also hosts a number of our other new beta features: protecting private data (Data Vault), letting your devices warn you before you lose them (Smart Perimeter), and a tool to avoid dangerous QR codes (Safe QR Reader).


Select “Hidden Device Administrator Applications” from the McAfee Mobile Innovations menu.

The Hidden Device Administrator Detector searches for and finds all apps that have Device Admin access, even if they’re using the vulnerability to stay off the standard Device Administration list. Once you run it, it gives you a list of all hidden Device Admin apps and the option to deactivate or remove them.


A list of all detected Administrator Apps.
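To make concrete what a hidden-admin check like the one above has to do, here is an added example in Android Java. It is not McAfee’s MMI code, and the page does not say how Android/Obad hides, so the example rests on an assumption: that a “hidden” admin is one the DevicePolicyManager still reports as active while the discovery query a Settings-style list runs (receivers advertising ACTION_DEVICE_ADMIN_ENABLED with parsable admin meta-data) does not return it. The class and method names (HiddenAdminDetector, scan, hiddenAdmins, deactivateIntent) are my own.

```java
import android.app.admin.DeviceAdminInfo;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not MMI's code. Finds device admins that the policy service
 * reports as active but that a Settings-style discovery query does not see.
 * Assumption: a "hidden" admin is one whose receiver is not returned by
 * queryBroadcastReceivers() for ACTION_DEVICE_ADMIN_ENABLED, or whose admin
 * meta-data does not parse, because that query is how the visible list is built.
 */
public final class HiddenAdminDetector {

    /** One active admin plus whether a Settings-style listing would show it. */
    public static final class AdminEntry {
        public final ComponentName component;
        public final boolean listedInSettings;

        AdminEntry(ComponentName component, boolean listedInSettings) {
            this.component = component;
            this.listedInSettings = listedInSettings;
        }
    }

    private HiddenAdminDetector() {}

    /** Returns every active admin, flagging those the normal list would miss. */
    public static List<AdminEntry> scan(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();

        // Step 1: what a Settings-style listing would show. Enumerate receivers that
        // advertise the device-admin action and keep only those whose
        // <meta-data android:name="android.app.device_admin"> parses.
        Set<ComponentName> listed = new HashSet<ComponentName>();
        Intent probe = new Intent(DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED);
        for (ResolveInfo ri : pm.queryBroadcastReceivers(probe, PackageManager.GET_META_DATA)) {
            try {
                listed.add(new DeviceAdminInfo(ctx, ri).getComponent());
            } catch (Exception e) {
                // Unparsable admin meta-data: the listing skips this entry.
            }
        }

        // Step 2: the ground truth. The policy service tracks every admin that was
        // activated, whether or not the listing can display it.
        List<AdminEntry> result = new ArrayList<AdminEntry>();
        List<ComponentName> active = dpm.getActiveAdmins(); // null when there are none
        if (active == null) {
            return result;
        }
        for (ComponentName cn : active) {
            result.add(new AdminEntry(cn, listed.contains(cn)));
        }
        return result;
    }

    /** Convenience: only the admins that the listing would not show. */
    public static List<ComponentName> hiddenAdmins(Context ctx) {
        List<ComponentName> hidden = new ArrayList<ComponentName>();
        for (AdminEntry e : scan(ctx)) {
            if (!e.listedInSettings) {
                hidden.add(e.component);
            }
        }
        return hidden;
    }

    /**
     * Hand the user to the system screen for this admin. A third-party app cannot
     * call removeActiveAdmin() on another package's admin (SecurityException), so
     * deactivation has to go through the system UI. Assumption: the ADD_DEVICE_ADMIN
     * screen offers "Deactivate" when the admin is already active, as it does when
     * opened from the Settings list. Only after deactivation can the package be
     * uninstalled, because Android refuses to uninstall an active admin.
     */
    public static Intent deactivateIntent(ComponentName admin) {
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
        return i;
    }
}
```

On a clean device every entry from scan() comes back with listedInSettings set to true. An entry that is active but not listed is exactly the situation the post describes: the user cannot reach it through the normal list, so the detector has to surface it and route the deactivation through the system screen before the package can be uninstalled.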

Malware attempting to hide via vulnerabilities faces a short life. As soon as software publishers fix the bugs in their software, or antimalware apps add detection and removal, its time is up.

Phishers Claim to Ensure Security for Digital Currency Users

Contributor: Avdhoot Patil

Digital currency, a form of electronic money, is a relatively new concept to the world. Many of these currencies have arisen during the past decade and digital currency in general has always been a subject of controversy. In recent years, the world witnessed the suspension of some digital currencies due to legal issues such as money laundering. However, phishers are not concerned about the controversies; instead they are busy seeking opportunities to steal digital currency or money in any form whatsoever. In May 2013, we found a phishing site that spoofed a popular digital currency company.

The phishing site alerted users to an account security update. According to the notice, the company wanted to ensure the integrity of its transaction system by reviewing user accounts. Users were notified that their accounts might be restricted due to multiple failed login attempts. The alert message instructed users to enter their confidential information in order to avoid any restrictions. A button was placed below the message for users to initiate the bogus verification process. After the button was clicked, users were redirected to a page that asked for their account information.


Figure 1. User details requested for account security

The user information asked for included user name, password, email, and the currency of the user’s country of origin. The phishing page warned users that if the details were not submitted, the account would be temporarily closed.


Figure 2. User credential request

After the required information was entered, the phishing page redirected to an acknowledgment page confirming the account information. The page also stated that the information would be further verified by the company’s account management department within 24 hours.


Figure 3. Confirmation

The phishing site was hosted on an IP domain (for example domains like If users fall victim to the phishing site, phishers would have successfully stolen their information for financial gain.

Users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the connection is encrypted by looking for the padlock, “https,” or the green address bar before entering personal or financial information; keep in mind that HTTPS only protects the connection and does not prove the site is legitimate, so check that the domain name is the company’s own
  • Use comprehensive security software such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
  • Exercise caution when clicking on enticing links sent through email or posted on social networks