Point-of-sale malware infecting Target found hiding in plain sight

Independent security journalist Brian Krebs has uncovered important new details about the hack that compromised as many as 110 million Target customers, including the malware that appears to have infected point-of-sale systems and the way attackers first broke in.

According to a post published Wednesday to KrebsOnSecurity, point-of-sale (POS) malware was uploaded to Symantec-owned ThreatExpert.com on December 18, the same day that Krebs broke the news of the massive Target breach. An unidentified source told Krebs that the Windows share point name "ttcopscli3acs" matches the sample analyzed by the malware scanning website. The thieves used the user name "Best1_user" to log in and download stolen card data. Their password was "BackupU$r".


The class of malware identified by Krebs is often referred to as a memory scraper, because it monitors the computer memory of POS terminals used by retailers. The malware searches for credit card data before it has been encrypted and sent to remote payment processors. The malware then "scrapes" the plain-text entries and dumps them into a database. Krebs continued:
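As an added illustration (not part of Krebs's or Ars Technica's reporting), the following Python audit tool shows the defensive side of the memory-scraper problem: given a process memory capture of a POS application, it finds runs of digits that pass the Luhn check, which is how a security team can verify whether card data really is exposed in cleartext between the swipe and encryption. The sample "memory" bytes and the card numbers in them are constructed test values, not real accounts; findings are reported masked so the audit does not itself re-leak PANs.

```python
import re

# Constructed sample memory capture: what a POS process might hold just
# after a swipe, mixed with unrelated bytes. Card numbers are standard
# Luhn-valid test numbers, not real accounts.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07 ready\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"  # track-1 style, cleartext
    b"\x00\x00\x00order=1234 total=19.99\x00"
    b"5500000000000004=2512101"                            # track-2 style, cleartext
    b"\x00\x00encrypted=ZGVtbw==\x00"
    b"1234567890123456"                                    # 16 digits, fails Luhn
)

# A PAN is 13-19 digits not adjacent to other digits (longer runs, such as
# the expiry/service-code field in track 1, are deliberately not matched).
PAN_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (BIN + last four), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(blob: bytes):
    """Scan a memory capture for Luhn-valid PANs; return (offset, masked)."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = m.group(1).decode("ascii")
        if luhn_valid(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def masked_pans(blob: bytes):
    """Convenience: just the masked PANs found, in order of appearance."""
    return [masked for _, masked in find_cleartext_pans(blob)]


if __name__ == "__main__":
    for offset, masked in find_cleartext_pans(SAMPLE_MEMORY):
        print(f"cleartext PAN at offset {offset:#06x}: {masked}")
```

Run against a real capture, any hit means card data sits unencrypted in memory at that point in the transaction, which is exactly the window a scraper needs; the mitigation is to shorten that window (encrypt at the reader or immediately after capture) and to alert on unexpected processes reading the POS application's memory.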


2014 Threats Predictions: HTML5, Exploit Kits, ‘Free’ Software Require Web Safeguards

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Christoph Alme, Paula Greve, and François Paget.

In spite of advanced attacks of various types, malware, and other concerns, the web remains the primary threat vector. Whether we browse via Android, iOS, Windows, Mac, or other means, free open-source analytic tools can allow almost anyone to learn too much about us and use that information to entice us to “click that link.” We have learned to avoid many of these temptations, but two things remain true in security: as features evolve, new threats are quick to arise; and as we adapt detection and takedown capabilities, the bad guys are just as agile in adapting their methods. We anticipate an increase in threats next year in three main areas: HTML5, exploit kits, and “free” software.

The biggest story in feature evolution is HTML5, which allows websites to come alive with interaction, personalization, and rich capabilities for programmers. But HTML5 also allows a significant number of new ways to snoop on users and exploit the system. Using HTML5, researchers have already shown how one could identify a user’s browser history to better target ads. Once the HTML5 adoption is complete, we expect to see similar abuses of HTML5 to enable access to the device—breaching the browser sandbox. With the spread of “app friendly” devices—and HTML5 embedded not just in web pages but within the apps as well—hackers will gain as much access to a user’s world as they could desire. We expect HTML5 abuses to become as commonplace as any of the exploit kits will allow.

Speaking of exploit kits, this past year showed us that they are the best tool for infecting users’ machines. We expect that the bad guys will continue to invest in the development and sharing of kits such as Blackhole. As the security industry continues to better detect and respond to newly registered domains set up for a malicious purpose, the criminals will focus efforts on evolving exploit kits to successfully insert malicious code and redirection components into legitimate web sites. Given the dynamic nature of content hosting, short URLs, and dynamic page content, these infected pages may have a longer time to live and become more valuable to attackers. Thus we will see continued evolution of attacking not only the browsers, but the servers as well.

In 2014, users and administrators will face a greater challenge from “free” products. Some say if you don’t pay for a product, you are the product. We have become accustomed to getting awesome apps—for free—with excellent features that make our lives easier—for free—and even security services—for free. But all of these services and apps cost money, and their developers must pay for them by selling ads, selling our information, or making us buy other things. This need has led to significant shades of gray between “information-stealing malware” and “making-our-lives-easier utilities.” In the security industry, we already see increased pressure from developers to reclassify their potentially unwanted programs and adware as legitimate software. During the course of 2014, an event (a data breach, a data leak, a company using customer information just a little too broadly) will occur that will make the public fully aware of how much of their data is exposed and could be inferred. This event and its fallout will challenge some of the freemium models that society has come to expect, and will wake the general public up to how much of a “right” they have to fully understand and control their “big data footprint” and what conveniences they would be willing to give up to make it smaller.

Our desire for more and better features exposes us to greater risks, more open-source options help not just developers and researchers but also cybercriminals, and convenience and cost battle with privacy and security. In 2014 we will see the full impact of these tradeoffs.



Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

A few weeks after our blog post about porn and secret admirer spam targeting Snapchat users, a new spam campaign using sexually suggestive photos and compromised custom URLs is circulating on the photo messaging app.


Figure 1. Snapchat spam

Each of these spam messages includes a request to “Add my kik”, along with a specially crafted user name on the Kik instant messaging application for mobile devices.


Figure 2. Snapchat with a digital camera? It’s a trap!

Engaging these spam bots on Kik Messenger shows that the campaign uses the same type of spam chat bot script we discovered on Tinder last summer.


Figure 3. Spam bot using a familiar chat script on Kik

An interesting discovery from this campaign is the use of compromised custom URLs belonging to small websites and popular brands. Spammers have found a way to create their own links using branded short domains in order to entice users into a false sense of security.


Figure 4. Well-known branded short domain directs users to spam

The following are some of the compromised branded short domains we identified:

  • usat.ly (USA Today)
  • cbsloc.al (CBS Local)
  • on.natgeo.com (National Geographic)
  • nyp.st (New York Post)
  • on.mktw.net (Marketwatch)
  • mirr.im (Daily Mirror)
  • red.ht (Red Hat)
  • invstplc.com (Investorplace)
  • mitne.ws (MIT News)


Figure 5. Stats page for compromised short URL

Hidden behind the branded customized URLs are affiliate marketing links directing users to sign up for adult webcam sites.

Symantec has been working closely with Bitly to investigate and shut down any spammer use of branded short URLs. Bitly has confirmed that some spammers obtained Bitly API keys belonging to various brands. Some of the brands affected used the AddThis social bookmarking service, which recently stopped requiring users to reveal their API key in plain text as part of the AddThis website embed code.


Figure 6. Note from AddThis support page regarding API key safety

Public exposure of API keys gives anybody the ability to compromise accounts and, in this case, create short URLs using other people's domains.

Users of the AddThis service should refer to this support article on how to secure API keys. Bitly users should follow Bitly API best practices to ensure the security of API keys.

The recent spam campaign targeting Snapchat users should not be surprising. Scammers and spammers will always target new and popular apps—like Snapchat—as soon as they gain a large enough user base. To prevent spam snaps from appearing in your Snapchat feed, Symantec recommends users change their Snapchat privacy settings to receive snaps from “My Friends” only and use caution when receiving unsolicited messages or friend requests.

Security Essentials for Windows XP gets a 15-month reprieve

Earlier this month, we reported that Microsoft would stop providing updates for Microsoft Security Essentials on Windows XP on April 8, the same day that it will cease providing security fixes for Windows XP. The company has now altered its stance and will produce signature updates for Security Essentials until July 14, 2015.

This change, it says, is to help organizations complete their migrations. Of course, using that rationale, the company should extend Windows XP's support until the heat death of the universe.

While it will provide updated signature definitions, the company warns that its research "shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited." In other words, it's hard to provide a robust anti-malware system when hostile code can penetrate processes and the kernel willy-nilly just through attacking the browser.
