Fake Browser Update Site Installs Malware

In the first week of 2014, we came across a website using tried-and-tested social engineering techniques to coerce victims into installing malware. The domain http://newyear[REMOVED]fix.com was registered on December 30, 2013. Based on our research, 94 percent of attacks appear to target users in the United Kingdom, reached through advertising networks and free movie streaming and media sites.

The attackers attempt to trick victims using the following techniques:

  • A URL containing the words “new year” and “fix”
  • A professional-looking template imitating Google, Microsoft or Mozilla, telling the victim that a critical update is necessary for their system to function properly
  • Redirecting the user, based on their browser type, to a fake but convincing Chrome, Firefox, or Internet Explorer Web page.
  • Using a JavaScript loop to wear the victim down into staying on the site: the “Yes/No” option has to be clicked 100 times before the browser will close.

This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down.

The website, which is hosted in Ukraine, uses a hybrid Web server setup of Apache and Nginx, with Nginx identifying the victim’s browser type and performing the redirect.

The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates, shown in Figures 1 to 3, based on the type of browser they are using.

Figure 1. Page displayed to Chrome users

Figure 2. Page displayed to Firefox users

Figure 3. Page displayed to Internet Explorer users

Figure 4. JavaScript loop button which requires 100 clicks to close

At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe.
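The post gives defenders two concrete artifacts: executables named Chromeupdate.exe and Firefoxupdate.exe served from a domain that is not the browser vendor's. The following added example (written for this page, not code from the Symantec post) turns that into a proxy-log check: any download whose filename claims to be a browser update or installer, but whose host is not one of the vendor's download domains, is flagged. The log lines, the client addresses and the fake-update.example host are constructed for the example (the real domain is redacted in the post and is not reconstructed here), and the vendor domain allow-list is an illustrative assumption, not an authoritative list.

```python
"""
Added example (not from the Symantec post): flag proxy-log downloads that
look like a browser update but come from a host the browser's vendor does
not operate.  SAMPLE_LOG and fake-update.example are constructed; the
filenames Chromeupdate.exe and Firefoxupdate.exe are the ones the post
reports.
"""
import re
from urllib.parse import urlparse

# Assumption: an illustrative allow-list of vendor download domains.  A real
# deployment would build this from the vendors' published update
# infrastructure rather than hard-code it.
VENDOR_HOSTS = {
    "chrome": ("google.com", "googleapis.com"),
    "firefox": ("mozilla.org", "mozilla.net"),
    "ie": ("microsoft.com", "windowsupdate.com"),
}

# Which browser family a filename token such as "Chrome" or "Mozilla" implies.
VENDOR_FAMILY = {
    "chrome": "chrome", "google": "chrome",
    "firefox": "firefox", "mozilla": "firefox",
    "ie": "ie", "iexplore": "ie", "internetexplorer": "ie",
}

# Executable names that claim to be a browser update or installer.
UPDATE_EXE = re.compile(
    r"(?P<vendor>internet[-_ ]?explorer|iexplore|ie|chrome|google|firefox|mozilla)"
    r"[-_ ]?(update|setup|install)[^/]*\.exe$",
    re.IGNORECASE,
)

# Constructed squid-style lines: epoch client method url status bytes
SAMPLE_LOG = """\
1388966400 10.0.0.12 GET http://fake-update.example/chrome/Chromeupdate.exe 200 512000
1388966405 10.0.0.13 GET http://fake-update.example/firefox/Firefoxupdate.exe 200 498000
1388966410 10.0.0.14 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 1100000
1388966415 10.0.0.15 GET http://fake-update.example/ie/index.html 200 20000
"""


def is_vendor_host(host, family):
    """True if host is, or is a subdomain of, one of the family's vendor domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_HOSTS[family])


def flag_fake_updates(log_text):
    """Return (client, host, filename, family) for every download whose name
    claims to be a browser update but whose host is not the vendor's."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line
        _ts, client, _method, url, _status, _nbytes = fields[:6]
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        match = UPDATE_EXE.match(filename)
        if not match:
            continue
        token = re.sub(r"[-_ ]", "", match.group("vendor")).lower()
        family = VENDOR_FAMILY[token]
        host = parsed.hostname or ""
        if not is_vendor_host(host, family):
            hits.append((client, host, filename, family))
    return hits


if __name__ == "__main__":
    for hit in flag_fake_updates(SAMPLE_LOG):
        print("suspicious update download:", hit)
```

On the constructed log the two downloads from fake-update.example are flagged and the genuine ChromeSetup.exe from dl.google.com is not. The host check is a suffix match on registered domains, so a lookalike such as google.com.evil.example does not pass.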

Both of these samples are detected by Symantec as Trojan.Shylock. Symantec also has the following IPS coverage in place for this attack:

Web Attack: Fake Software Update Website

To stay protected against this type of threat, Symantec recommends that users:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Exercise caution when clicking on enticing links sent through emails, messaging services, or on social networks.
  • Only download files from trusted and legitimate sources.

2014 Threats Predictions: Cybercrime and Hacktivism Will Continue to Grow

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by François Paget.

The Bitcoin saga will continue

In May, after the Liberty Reserve shutdown, cybercriminals looked for new sources of virtual currency to finance their businesses. They turned to Perfect Money, WebMoney (for a second time), and Bitcoin. But converting these virtual currencies into electronic or conventional (state-guaranteed) money remained difficult. Cybercriminals had to spend their virtual currency mainly on the underground market, among themselves, to buy drugs, services, or equipment. That money was reinvested directly in the black market and was hard to launder; it was also hard to convert into “good money” such as dollars or euros.

But cybercriminals, and lawful users, have found some relief. Some nation-states have decided to recognize Bitcoin: in August, Germany became one of the first countries in the world to recognize Bitcoin as “private money”; in October, the world’s first Bitcoin ATM opened in Vancouver, Canada. At the same time, French boutiques began selling branded perfume and nights in luxury hotels for Bitcoin, Los Angeles restaurants accepted it for payment, and an online newspaper reported that a Norwegian citizen had bought an Oslo apartment with it.

Given this growing acceptance, and barring a crash in its value, we predict Bitcoin will remain popular and become a target for cybercriminals in 2014. As the public gains easier access to it, Bitcoin will certainly be used for money laundering. Attacks and fraud on exchange platforms, which have already occurred, will increase. Until now, virtual money has been a platform on which cybercriminals operated in a closed world; in 2014 they will be able to hunt for newcomers.

This interest in virtual and decentralized money will attract more attention from law enforcement and justice officials. Following the money (and the criminals) will become more difficult. The battle against the Dark Web will not be easy to win.

Opportunities for cybercrime

In the coming year, the frontier between cybercrime and state-sponsored attacks will grow more porous. We expect to see advanced spying as a service, “waterholing” as a service, and cracking as a service. As with past aggressive marketing proposals, the distinction between legitimate and illegal activities will be more difficult to determine. Some illicit services will hide among legitimate ones.

As a complement to ATM and point-of-sale skimming, cybercriminals will improve ways to infect ATMs directly. 3D printers are sometimes used to create skimming devices, and they will become more popular in cybercrime circles. We anticipate that ready-to-use firearms will be the next hot 3D-printed objects sold online.

Snowden boosts hacktivism movement

In November the “Million Mask March” organized by Anonymous attracted people in 450 locations around the world. This success can partially be attributed to the Edward Snowden affair, which will cause new supporters to join the movement. Fearing big brother surveillance systems, many citizens distrust their local administrations, forcing governments to delay the introduction of some legal procedures to fight cybercrime.

However, the varied motivations of Anonymous members will prevent most of their Internet operations from gaining much success. They will be numerous, as in 2013, but rarely highly damaging for their victims.

The Anonymous movement is only one face of hacktivism. Next year its signature will continue to be misappropriated by individuals or groups that range far from Anonymous’ ideals of freedom. Hacktivism in and from the Middle East will continue to grow.

Cyberwarfare a reality

Whether the result of a deliberate attack or of uncontrolled spreading, malware can not only destroy computer data but also disrupt people’s lives.

In September, malware in Israel caused the closure of a major roadway. One expert, speaking on condition of anonymity, explained that the attack was the work of unknown, sophisticated hackers, similar to the Anonymous group that led attacks on Israeli websites in April.

Politically motivated attacks will continue to increase. We’ll see more from patriots hiding behind the Anonymous brand or labeling themselves cyberarmies. Others will arrive from online spies of governments developing cyberoffensive capabilities. If cyberattacks against critical infrastructure succeed, we will have truly reached the age of cyberterrorism.

The 2014 Sochi Winter Olympics (in February) and the FIFA World Cup in Brazil (June-July) will be massive opportunities for criminals to exploit people’s curiosity and infect their systems with crimeware (for example, via booby-trapped email or compromised sites). Hacktivists will also take advantage of these events to promote their ideas. In recent years, we’ve seen destructive malware associated with some politically motivated attacks. These attacks will continue in 2014.

Rioting and racism

Criminals have understood for years that it is easier and less dangerous to steal money online rather than in the physical world. This may be the year that rioting demonstrators will learn the same lesson. Data destruction just for pleasure may become a new threat if politicians cannot mollify certain violent elements of the population.

Racism is not dead and may become a new motivation for defacement. It’s growing on social networks (Facebook, Twitter, etc.). More of the Internet may be poisoned if we are not careful. Information manipulation is another threat we expect to see next year. Massive deliberately propagated digital misinformation could lead to confusion or worse.

Malware in humans a future nightmare

At some point in the future, physical attacks through the cyberworld will move from science fiction to reality. We expect to see real attacks, or nasty proofs of concept, against human implants in the coming years. We might also see psychological attacks via virtual reality games that lead to physical consequences.

Patient medical data, political party databases, and personal data from online VIP services will be increasingly targeted. Hackers will enjoy more successes searching for sensitive information on politicians, sports figures, and celebrities. Depending on the attackers’ motivation (money or ill intent), they will carry out blackmail or damage to reputations.

DoS attacks that took down big game sites abused Web’s time-sync protocol

69 percent of all DDoS attack traffic by bit volume in the first week of January was the result of NTP reflection. (Black Lotus)

Miscreants who earlier this week took down servers for League of Legends, EA.com, and other online game services used a technique, little used until recently, that vastly amplified the volume of junk traffic directed at denial-of-service targets.

Rather than flooding the targeted services directly, an attack group calling itself DERP Trolling sent much smaller requests to time-synchronization servers running the Network Time Protocol (NTP). By spoofing the source address so the requests appeared to come from one of the gaming sites, the attackers had the servers’ much larger responses delivered to the victim, vastly amplifying the firepower at their disposal. A spoofed request of eight bytes typically produces a 468-byte response to the victim, an amplification of more than 58 times.

"Prior to December, an NTP attack was almost unheard of because if there was one it wasn't worth talking about," Shawn Marck, CEO of DoS-mitigation service Black Lotus, told Ars. "It was so tiny it never showed up in the major reports. What we're witnessing is a shift in methodology."
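The reflection mechanism described above has two observable signatures: the victim receives large volumes of traffic sourced from udp/123 without ever having sent matching queries, and the abused servers see NTP requests in a mode that ordinary time synchronisation never uses. The following added example (written for this page, not code from the article or from Black Lotus) implements both checks in Python over constructed data: a handful of made-up NetFlow-style records and hand-built packet bytes. The article does not name the NTP query involved; the comment about mode 7 is protocol background (RFC 5905 reserves mode 7 for implementation-private queries, which is where ntpd's monitoring requests travel), not a claim from the article.

```python
"""
Added example (not from the article): two defender-side checks for NTP
reflection traffic of the kind described above.

All inputs are constructed so the script runs offline:
  * FLOWS   - made-up NetFlow-style 5-tuples (src, sport, dst, dport, bytes)
  * packets - hand-built byte strings, not captured traffic
"""
from collections import defaultdict

# Constructed sample flows. 203.0.113.5 plays the game-server victim; the
# 198.51.100.x hosts are open NTP servers answering spoofed queries.
FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 80, 46800),
    ("198.51.100.11", 123, "203.0.113.5", 80, 46800),
    ("198.51.100.12", 123, "203.0.113.5", 80, 23400),
    # a legitimate client syncing its clock: 48-byte request, 48-byte reply
    ("192.0.2.7", 51000, "198.51.100.10", 123, 48),
    ("198.51.100.10", 123, "192.0.2.7", 51000, 48),
    # unrelated web traffic to the same victim
    ("192.0.2.8", 40000, "203.0.113.5", 80, 1500),
]


def amplification(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / request_bytes


def ntp_reflection_suspects(flows, min_bytes=10_000, min_ratio=10.0):
    """Flag hosts that receive far more from udp/123 sources than they ever
    sent to udp/123.  Returns {host: (bytes_in, bytes_out, ratio, n_reflectors)}.

    A reflection victim never sent the queries (the attacker spoofed its
    address), so bytes_out is typically zero and the ratio is infinite; a
    host that really is syncing its clock sits near a ratio of 1."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    reflectors = defaultdict(set)
    for src, sport, dst, dport, nbytes in flows:
        if sport == 123:
            bytes_in[dst] += nbytes
            reflectors[dst].add(src)
        if dport == 123:
            bytes_out[src] += nbytes
    suspects = {}
    for host, inbound in bytes_in.items():
        outbound = bytes_out.get(host, 0)
        ratio = inbound / outbound if outbound else float("inf")
        if inbound >= min_bytes and ratio >= min_ratio:
            suspects[host] = (inbound, outbound, ratio, len(reflectors[host]))
    return suspects


def ntp_mode(packet):
    """Mode field of an NTP packet: the low three bits of the first byte
    (RFC 5905).  Modes 1-5 carry time synchronisation, mode 6 is the
    control protocol, and mode 7 is reserved for implementation-private
    queries.  ntpd's monitoring queries travel in mode 7, so a mode-7
    request arriving from an untrusted address on a public time server is
    worth dropping or alerting on."""
    if not packet:
        raise ValueError("empty packet")
    return packet[0] & 0x07


if __name__ == "__main__":
    print("amplification, 8-byte query -> 468-byte reply:", amplification(8, 468))
    for host, stats in ntp_reflection_suspects(FLOWS).items():
        print("possible NTP reflection victim:", host, stats)
    # 0x23 = LI 0, version 4, mode 3 (client); 0x17 = version 2, mode 7 (private)
    print("mode of a client query:", ntp_mode(bytes([0x23]) + bytes(47)))
    print("mode of a private query:", ntp_mode(bytes([0x17]) + bytes(11)))
```

The flow check is deliberately port-based rather than payload-based, because a victim usually only has flow data, not captures of the reflected traffic. On the server side, the standard ntpd hardening (not something the article covers) is to refuse private and control queries from untrusted addresses with `restrict default kod nomodify notrap nopeer noquery` and to turn off the monitoring list with `disable monitor`, which removes the amplifying response altogether.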


Security Essentials for Windows XP will die when the OS does

Windows XP has three months to go. The ancient operating system leaves extended support on April 8, at which point Microsoft will no longer ship free security fixes. XP itself isn't the only thing losing support on that date: the Windows XP version of Microsoft Security Essentials, the company's anti-malware app, will stop receiving signature updates and will also be removed from download.

The message is clear: after April 8, Windows XP will be insecure, and Redmond isn't going to provide even a partial remedy for the security issues that will arise. Antivirus software is just papering over the cracks if the operating system itself isn't getting fixed.

In contrast, both Google and Mozilla will provide updates for Windows XP versions of Chrome and Firefox beyond the cessation of Microsoft's support. Google has committed to supporting Chrome until April 2015.
