Google Glass Still Vulnerable to WiFi Hijacking Despite QR Photobombing Patch

Malicious quick response (QR) codes are not a new idea. Some readers might remember last year, when it was found that a popular Android smartphone could be wiped by a malicious USSD code embedded within a QR code. QR codes have been in use for many years now, but when scanning one with a mobile phone the user cannot tell in advance where it will take them.

To protect against automated redirection to malicious sites with QR codes, Symantec created the Norton Snap application which scans any URL before the user is redirected to the destination address. Currently, we get a few thousand URL lookup requests each day from our users. During the last month, only 0.03 percent of those URLs were malicious. That is not a huge risk but we have, for example, seen cases where QR codes used to make purchases at snack vending machines were replaced, causing snacks purchased through the code to be released at a different location.
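The pre-scan check described above, as an added example that is not part of the original post and not Norton Snap's own logic: a small gate that classifies the decoded text of a QR code before the phone acts on it. The block list standing in for a URL reputation service, the USSD/MMI pattern, and the ZXing-style `WIFI:` configuration payload format are assumptions made for this illustration; the sample payloads are constructed.

```python
"""Added example: classify a decoded QR payload before acting on it.

Verdicts: 'allow' (safe to open), 'confirm' (show the user what would
happen and ask), 'block' (never act). Nothing here touches the network.
"""
import re
from urllib.parse import urlparse

# Constructed block list standing in for a URL reputation lookup service.
KNOWN_BAD_HOSTS = {"malware.example"}

# USSD/MMI codes look like *#06#, *123#, **21*number# and so on. Dialing one
# from a tel: URI can trigger a handset action, so the gate never auto-dials
# them (the article mentions a device-wipe code of this kind).
USSD_RE = re.compile(r"^[*#]+[0-9*#]*#$")

# ZXing-style Wi-Fi configuration payload, e.g. WIFI:T:WPA;S:ssid;P:pass;;
# (assumed format; Glass used its own QR payloads for WiFi setup).
WIFI_RE = re.compile(r"^WIFI:(?P<body>.*);;$", re.IGNORECASE)


def classify_qr(text):
    """Return (verdict, detail) for the decoded text of a QR code."""
    text = text.strip()

    # Network reconfiguration is never silent: the user must see the SSID.
    m = WIFI_RE.match(text)
    if m:
        parts = (p.split(":", 1) for p in m.group("body").split(";") if ":" in p)
        fields = dict(parts)
        return "confirm", f"wifi ssid={fields.get('S', '?')}"

    # Phone dialer payloads: block MMI codes outright, confirm ordinary numbers.
    if text.lower().startswith("tel:"):
        number = text[4:]
        if USSD_RE.match(number):
            return "block", "USSD/MMI code in tel: URI"
        return "confirm", f"dial {number}"

    # Web links: reputation check first, then insist on TLS for silent opens.
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            return "block", f"host {host} is on the block list"
        if parsed.scheme == "http":
            return "confirm", f"plain http to {host}"
        return "allow", f"https to {host}"

    # Custom schemes and raw text are displayed, never executed.
    return "confirm", f"unrecognised payload: {text[:40]}"


if __name__ == "__main__":
    # Constructed sample payloads.
    for sample in ("https://example.com/", "http://malware.example/x",
                   "tel:*#06#", "WIFI:T:WPA;S:myPrivateWiFi;P:secret;;",
                   "just some text"):
        print(sample, "->", classify_qr(sample))
```

The point of the gate is that the scanner decides what a payload *is* before any component acts on it; a QR reader that hands `tel:` and configuration payloads straight to the OS is the behaviour that made the USSD and photobombing cases possible.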


Figure. Google Glass and QR codes

Don’t look now

Google Glass is one of the hottest pieces of technology out at the moment and we’ve got our hands on a number of them for research purposes in our labs. As far as the relationship between Glass and QR codes goes, the codes provide an easy way to configure the device; after all, it would be quite difficult to input text using your eyes. Our colleagues at Lookout analyzed how Google Glass can be manipulated using malicious QR codes. Wearable devices by their nature can open up new attack vectors because the user interacts with them differently. Lookout stated that taking a photo of a QR code could cause Glass to silently connect to a potentially malicious WiFi access point. This gives the word photobombing a whole new meaning. Glass doesn't support all general QR codes, but does use them for reconfiguring the device's preferred WiFi access point.

Once the Google Glass device connects to an attacker's access point, the attacker can sniff all of its traffic or even redirect the device's user to a malicious website. Fortunately, Google is aware of this issue and has already fixed it, so you don’t have to keep looking away from QR codes while taking pictures.

QR code is not the only way to PWN a device…

So, while Glass’ ability to get QR photobombed was interesting, there are far easier ways to get a mobile device connected to a rogue WiFi access point. Many people have WiFi enabled all the time on their smartphones (or on Google Glass). This means the device constantly probes its surroundings to see if there is a known access point to connect to. Similar behavior is expected in new wearable devices to make it easier for them to connect to the Internet. However, there is software available that will impersonate any network that a device searches for, and this software is quite easy to use. You can even buy a small device called the WiFi Pineapple that will do all the work for you. For example, suppose your smartphone is configured to always connect to your home WiFi network with the SSID “myPrivateWiFi”. Now, imagine you take this smartphone to your local coffee shop where an attacker has installed a malicious WiFi Pineapple. When your device searches for “myPrivateWiFi”, the attacker’s WiFi Pineapple will simply answer the probe request and pretend to be that specific network. From that point on, classic man-in-the-middle (MITM) attacks, such as session hijacking or sniffing, can be performed. Such attacks can be executed without the device having to recognize any QR code. So even with Google's patch against QR photobombing, Glass remains vulnerable to WiFi hijacking.

Unfortunately the WiFi hijacking issue is not trivial to solve. Users want a smooth experience that works seamlessly, without the hassle of pairing the devices each time they use a WiFi hotspot. Remembering the MAC addresses of the regularly-used access points together with the SSID could help in some instances, but it reduces the seamless experience users desire when roaming. In addition, MAC addresses can be easily spoofed by the WiFi Pineapple.

The more practicable solution to WiFi hijacking is to treat every network as hostile and ensure that all the applications use encrypted communications like SSL or tunnel through a VPN. That way you don’t have to worry about where you are or what you are looking at, but instead can relax and enjoy the sunshine.
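The two behaviours described in the previous paragraphs, an access point that answers probe requests for any SSID a device asks for, and a known SSID turning up on a MAC address the device has never associated it with, are both visible to a station monitoring the air. As an added example that is not part of the original post, the following code runs those two checks over a constructed log of probe responses. The log line format, the saved-profile table and the SSID threshold are assumptions made for this illustration; a real wireless IDS would take the same fields from a monitor-mode capture.

```python
"""Added example: spot a probe-answering rogue access point in a log of
802.11 probe responses.

Heuristic 1: one BSSID answering for many unrelated SSIDs (the
'impersonate any network that a device searches for' behaviour).
Heuristic 2: a saved SSID answered by a BSSID we have never seen it on
(the SSID+MAC pairing the article mentions; spoofable, so only a hint).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one line per probe response the monitoring station saw.
SAMPLE_LOG = """\
12:00:01 bssid=aa:bb:cc:11:22:33 ssid=coffeeshop-guest ch=6
12:00:02 bssid=aa:bb:cc:11:22:33 ssid=myPrivateWiFi ch=6
12:00:02 bssid=aa:bb:cc:11:22:33 ssid=OfficeNet ch=6
12:00:03 bssid=aa:bb:cc:11:22:33 ssid=AirportFree ch=6
12:00:05 bssid=de:ad:be:ef:00:01 ssid=coffeeshop-guest ch=11
"""

# Constructed saved profiles: SSID -> the BSSID the device last joined it on.
SAVED_PROFILES = {"myPrivateWiFi": "00:11:22:33:44:55"}


@dataclass(frozen=True)
class ProbeResponse:
    time: str
    bssid: str
    ssid: str
    channel: int


def parse_line(line):
    """Parse 'HH:MM:SS bssid=.. ssid=.. ch=..' (assumed format) into a record."""
    time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ProbeResponse(time, kv["bssid"].lower(), kv["ssid"], int(kv["ch"]))


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_multi_ssid_bssids(responses, threshold=3):
    """Return {bssid: [ssids]} for radios answering >= threshold distinct SSIDs."""
    ssids_by_bssid = defaultdict(set)
    for r in responses:
        ssids_by_bssid[r.bssid].add(r.ssid)
    return {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= threshold}


def find_profile_mismatches(responses, profiles):
    """Return responses where a saved SSID comes from an unexpected BSSID."""
    return [r for r in responses
            if r.ssid in profiles and profiles[r.ssid] != r.bssid]


def analyse(text, profiles=SAVED_PROFILES):
    """Run both heuristics over a log and return the findings."""
    responses = parse_log(text)
    return {
        "multi_ssid": find_multi_ssid_bssids(responses),
        "mismatches": find_profile_mismatches(responses, profiles),
    }


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for bssid, ssids in findings["multi_ssid"].items():
        print(f"{bssid} answers for {len(ssids)} SSIDs: {', '.join(ssids)}")
    for r in findings["mismatches"]:
        print(f"{r.time} saved network {r.ssid!r} seen on unknown BSSID {r.bssid}")
```

The first heuristic is the more reliable one: a legitimate access point has no reason to claim four unrelated network names on one radio. The second, as the paragraph above notes, can be defeated by spoofing the MAC address, so it should raise a prompt rather than block on its own, and neither replaces the advice to treat every network as hostile and keep application traffic inside TLS or a VPN.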

BET VIP Concert Ticket Scam Spreading on Twitter

This weekend one of my favorite bands won free concert tickets on Twitter. They tweeted about the message they received from another Twitter user.


Figure 1. Sarcastic tweet about free concert tickets

This type of scam looked familiar from a security standpoint. Upon further investigation, we at Symantec Security Response confirmed these suspicions.


Figure 2. Spam account replies to specific tweet

About a year ago, I wrote a blog about free stuff on social networks and how it was not free. These fake accounts were offering free devices and free gift cards to users tweeting specific keywords. In this case, the band wrote about their albums of the year (AOTY) picks, which mentioned Kanye West in the tweet. His name was used as a keyword that a random fake account was monitoring, which led to a reply offering free concert tickets. If a Twitter user tweets the name of an artist (e.g., Kanye, J. Cole, Jay-Z, Beyoncé), they are likely to receive one of these tweets.

106 & Park is a music video countdown show that airs weekdays on BET (Black Entertainment Television). The show has an official Twitter account that has over 5 million followers and over 13,000 tweets. The fake Twitter accounts are using the official logo and background image to try to convince users that they are legitimate. However, these fake Twitter accounts typically have no followers and only a couple of tweets, making it obvious that this is a scam.


Figure 3. Official 106 & Park Twitter account


Figure 4. Fake 106 & Park Twitter account

One thing to note here is that unlike before, these scam accounts are not providing a direct link to users in their reply. Instead, they are asking users to visit their profile page in order to click on a link in their profile bio.

Users that click on this link will be directed to a page that contains more BET branding, featuring images of some of today’s most well-known artists.


Figure 5. Free ticket scam landing page

Clicking on the “CLAIM MY VIP TICKETS” button on a computer leads users to a page that requests personal information from the user. However, it does not appear that this information is captured by the scammers. Rather, this is for cosmetic purposes, to make it appear as though this free ticket offer is legitimate.


Figure 6. V.I.P. Giveaway page requests personal information

If users visit the same page from a mobile phone, they are asked to install one out of a choice of several applications instead. This is one way to make money from a scam like this, through affiliate programs, and scammers have just recently started using these mobile affiliate programs. One of the most recent examples targeted users of Twitter's video sharing service, Vine.


Figure 7. Mobile affiliate program for app installation


Figure 8. Fake page offering free tickets to One Direction and Justin Bieber concerts

Similar scam tweets

In recent months, fans tweeting about pop stars One Direction, Justin Bieber, and Rihanna or their respective tours received the same type of scam tweets. In these cases, the landing pages for the scams asked them to fill out surveys, another common method scammers use to monetize these campaigns.


Figure 9. Fake page offering free tickets to Rihanna’s Diamonds tour

Right now, there are hundreds of fake accounts on Twitter spreading these types of scams. The most prominent one is the concert ticket scam. However, we are also seeing this exact type of scam with other lures, including:

  • Free exercise equipment for users tweeting about the gym or working out
  • Entry in a prize sweepstakes for $5,000 for users tweeting about being bored
  • Access to an exclusive jobs database for users tweeting about work or jobs

If you’re a Twitter user and you receive a message claiming that you’re the winner of one of these prizes, you should immediately question it, be wary about clicking on any links, and report these fake accounts to Twitter.

When it comes to being a modern fan, if you’re offered free concert tickets, be very skeptical. Check the official social media accounts for the brands or artists to verify and if you’re still not sure, recognize that it is likely a scam.

Ransomware Abusing Norton Logo

There are reports in the media of a particular ransomware, a type of malware, using the official Symantec Norton logo to dupe victims into believing the ransomware is verified by Symantec. This is a common social engineering technique used by malware authors to deceive victims. It is not the first time that a security company’s logo has been abused by ransomware.

Symantec detects this ransomware as Trojan.Ransomlock.Q, and our IPS signature, System Infected: Trojan.Ransomlock.Q, will also detect its network activity.


Figure 1. Trojan.Ransomlock.Q as seen by German users, note the Norton logo (image courtesy of Heise Online)

As always, for those affected by these scams—DO NOT PAY THE RANSOM. Instead, follow our removal steps and watch our removal instruction video.

The functionality and modus operandi of ransomware have not changed much over the years. While we’ve seen countless new designs from one variant to another, they keep to a certain design convention and usually impersonate official institutions and legitimate security companies to obtain an air of authenticity.

When it comes to Trojan.Ransomlock.Q (a.k.a. Urausy), the authors are known to be very active and constantly update their designs to match the political landscape of whichever country is being targeted. They are indeed very crafty and keep up to date with the news. Interestingly, they haven’t used the Symantec Norton logo in the Irish version.


Figure 2. Trojan.Ransomlock.Q as seen by Irish users

Oracle Releases July 2013 Security Advisory

Original release date: July 18, 2013

Oracle has released its Critical Patch Update for July 2013 to address 89 vulnerabilities across multiple products. This update contains the following security fixes:

  •   6 for Oracle Database Server
  • 21 for Oracle Fusion Middleware
  •   1 for Oracle Hyperion
  •   2 for Oracle Enterprise Manager Grid Control
  •   7 for Oracle E-Business Suite
  •   4 for Oracle Supply Chain Products Suite
  • 10 for Oracle PeopleSoft Products
  •   1 for Oracle iLearning
  •   1 for Oracle Industry Applications
  • 16 for Oracle and Sun Systems Products Suite
  •   2 for Oracle Virtualization
  • 18 for Oracle MySQL

US-CERT encourages users and administrators to review the July 2013 Critical Patch Update and follow best practice security policies to determine which updates should be applied.
