Ancient Japanese Click Fraud Still Healthy and Alive

In 2013, scammers published thousands of apps on Google Play that led to fraudulent sites. This form of scam is typically called "one-click fraud" in Japan. The very first variant appeared in January, and although each of these fraudulent apps survives on the market for a few days at most, we confirmed that, in total, more than 3,000 such apps were published in 2013. By October, the scammers had for the most part stopped publishing new variants on Google Play, for unknown reasons.

Figure 1.
Total number of apps leading to one-click fraud sites published on Google Play throughout 2013

While apps that lure victims to fraudulent sites may no longer be available on Google Play, there are currently other vehicles leading victims to these sites, such as spam. 

This scam typically begins with spam sent to a mobile phone, ideally (from the scammer's point of view) a smartphone. The spam message contains a link to an adult video website, which claims that its videos can be viewed free of charge.

Figure 2.
Example of the spam message sent as part of this scam

Figure 3.
The adult video site linked in the spam message

To view a video, the visitor is instructed to make a phone call in order to register for the site. Once the user calls the number provided on the site, an automated system answers the call and records the phone number of the victim's mobile device. The visitor is then prompted to enter that telephone number in order to access the site.

Figure 4.
The site instructs the user to register to access the videos

When the user clicks on a video after they’ve registered for the site, another Web page opens. If you read the page carefully, you will notice that the term “free” has completely disappeared and a tiny note about a subscription fee has been added.

Figure 5.
The adult video site with details of a subscription fee

If the visitor fails to notice this detail and clicks the download button, they end up registered for the paid service and are charged a hefty fee of about US$1,000. If you compare the URLs of the two adult video pages, you will notice that they sit on different domains. The original site redirects the visitor to a different service: it claims that free videos can be viewed only on its own site, yet no videos are actually hosted there. The second site does have videos, but they are not available for free.

Figure 6.
Registration page for the site that charges a subscription fee

The end-user agreement on the original site states that all content on the site can be accessed free of charge, however, other services linked to the site may not be free.

Interestingly, the site's Q&A page warns visitors that they may receive phone calls from scammers asking them to pay for video services, and instructs users to be careful about making payments. The scammers themselves do follow up by calling the visitors if the fee is not paid by the deadline.

Figure 7.
The Q&A page with a warning about scammers

These scams occur on a daily basis and affect smartphone users regardless of operating system, since the scheme relies only on a browser and a phone call rather than on a platform-specific app. Users should remain vigilant about one-click fraud and should avoid clicking on links received through unsolicited spam messages.

OPC Calls for Greater Oversight of Canadian Intelligence Community

On January 28, 2014, the Office of the Privacy Commissioner of Canada (OPC) tabled a special report to Parliament on privacy oversight for Canada’s intelligence-gathering agencies. Titled “Canadian Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance,” the special report contains a mature and measured analysis of the governance issues in balancing privacy and intelligence gathering for national security.

The OPC makes recommendations in three areas:

1. Greater Transparency. Augment existing review and reporting mechanisms through:

  • Reporting statistics annually on instances in which the Communications Security Establishment Canada (CSEC) assists other Canadian federal agencies when it receives requests for interception, as well as tabling annual reports by CSEC to Parliament.
  • Extending existing reporting requirements on use of surveillance in Public Safety Canada’s annual reports, separating domestic and foreign mandates, and those activities that are authorized by warrant and those that are warrantless.
  • Updating public disclosure to provide an overview of Canada’s intelligence community, and engaging in a dialogue regarding mandates and how Canada’s intelligence community cooperates with global partners.
  • Reporting on consideration, rejection or implementation of recommendations from previous commissions of inquiry and policy reviews of Canada’s Intelligence Community.

2. Privacy Law Modernization. Modernize Canada’s privacy protections by:

  • Reforming existing privacy legislation to require privacy impact assessments prior to implementing new programs.
  • Strengthening provisions relating to exchange of information with foreign authorities to ensure that there is an investigative foundation for information and to ensure clear rules for cooperation.
  • Expanding grounds for recourse to the Federal Court.
  • Permitting the OPC to cooperate with other oversight bodies governing Canadian intelligence agencies.
  • Regulating use of and access to online sources and social networking sites by government agencies.

3. Accountability. Strengthen accountability by:

  • Bolstering the powers of oversight bodies, particularly with respect to joint reviews.
  • Clarifying legislative authority for certain intelligence gathering activities.
  • Increasing the role of Parliament in oversight.

The full report can be found here.

Java-based malware driving DDoS botnet infects Windows, Mac, Linux devices

Researchers have uncovered a piece of botnet malware that is capable of infecting computers running Windows, Mac OS X, or Linux that have Oracle's Java runtime installed.

The cross-platform HEUR:Backdoor.Java.Agent.a, as reported in a blog post published Tuesday by Kaspersky Lab, takes hold of computers by exploiting CVE-2013-2465, a critical Java vulnerability that Oracle patched in June 2013. The bug affects Java 7 Update 21 and earlier. Once the bot has infected a computer, it copies itself to the autostart directory of its respective platform so that it runs whenever the machine is booted. Compromised computers then report to an Internet Relay Chat (IRC) channel that acts as the command-and-control server.

The botnet is designed to conduct distributed denial-of-service attacks on targets of the attackers' choice. Commands issued in the IRC channel let the attackers specify the IP address, port number, intensity, and duration of each attack. The malware is written entirely in Java, allowing it to run on Windows, OS X, and Linux machines. For added flexibility, the bot incorporates PircBot, a Java library for writing IRC clients and bots.
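The two facts a defender can act on here are the vulnerable version range and the persistence location. The following Python script is an added example written for this page, not code from Kaspersky or from the bot; it parses the banner that `java -version` prints to decide whether a host falls in the "Java 7 Update 21 and earlier" range named above, and then lists autostart entries that look like Java artefacts. The per-platform autostart paths and the `classify_autostart_entry` heuristic are this example's assumptions; the article does not name the directories the bot uses.

```python
import os
import re
import subprocess
import sys
from pathlib import Path

# Affected range named in the article: Java 7 Update 21 and earlier (fixed June 2013).
LAST_AFFECTED = (7, 21)

# Matches the legacy "1.<major>.0_<update>" form printed by Java 5-8. The "9.0.1"-style
# banner of later releases deliberately fails to parse: those builds are not in range.
_VERSION_RE = re.compile(r'"1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (major, update) from `java -version` output, e.g. (7, 21); None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(version) -> bool:
    """True when the runtime is inside the range the bot's exploit targets.
    Tuple comparison also flags any Java 6 or 5 install as 'earlier' than 7u21."""
    return version <= LAST_AFFECTED


# User-level autostart locations per platform. These paths are this example's
# assumption about where such a bot would copy itself; the article only says
# "the autostart directory of its respective platform".
AUTOSTART_DIRS = {
    "win32": [Path.home() / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"],
    "darwin": [Path.home() / "Library/LaunchAgents"],
    "linux": [Path.home() / ".config/autostart"],
}


def classify_autostart_entry(name: str, content: bytes) -> bool:
    """Heuristic (assumption): flag a Java artefact dropped directly (.jar/.class) or a
    launcher such as a .desktop, .plist or .bat file whose body references java."""
    if os.path.splitext(name)[1].lower() in {".jar", ".class"}:
        return True
    return b"java" in content[:65536].lower()


def find_autostart_entries(dirs):
    """Scan the given directories and return the paths that classify_autostart_entry flags."""
    hits = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if not p.is_file():
                continue
            try:
                content = p.read_bytes()
            except OSError:
                continue
            if classify_autostart_entry(p.name, content):
                hits.append(p)
    return hits


def main() -> None:
    try:
        # java prints its version banner on stderr, not stdout
        banner = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        banner = ""
    version = parse_java_version(banner)
    if version is None:
        print("no Java runtime found (or unrecognised version string)")
    else:
        state = "AFFECTED by CVE-2013-2465" if is_affected(version) else "outside the affected range"
        print(f"Java {version[0]}u{version[1]}: {state}")
    for hit in find_autostart_entries(AUTOSTART_DIRS.get(sys.platform, AUTOSTART_DIRS["linux"])):
        print(f"review autostart entry: {hit}")


if __name__ == "__main__":
    main()
```

Run it as an ordinary script on each platform; an affected runtime plus any flagged autostart entry is the combination worth pulling for closer analysis. The version check is the reliable part; the directory heuristic is only a starting point, since a bot can register persistence elsewhere.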



Neverquest Banking Trojan Uses VNC, SOCKS in New Threat

A new banking Trojan in the news, known as Neverquest, is active and being used to attack a number of popular banking websites. The Trojan identifies target sites by searching for specific keywords on the web pages that victims browse. After infecting a system, the malware gives an attacker control of the machine through a Virtual Network Computing (VNC) server for remote access and a SOCKS proxy server. It targets several banking sites and steals sensitive information, such as the login credentials customers enter on those sites. It also steals login information for social networking sites listed in its configuration file, such as Twitter, and sends this information to its control server.

Once it infects a system, the Trojan drops a DLL with a random name and a .dat extension (for example, cjekvxk.dat) in the %APPDATA% folder. It then establishes persistence by adding a value under “Software\Microsoft\Windows\CurrentVersion\Run\” that loads the DLL with regsvr32.exe /s [DLL PATH]. The Trojan injects its malicious code into running processes and waits for browser processes such as iexplore.exe or firefox.exe. Once the victim opens any site in one of these browsers, the Trojan requests the encrypted configuration file from its control server, as we see in this screenshot:
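The persistence mechanism just described is a usable indicator: a Run value that invokes regsvr32.exe /s on a .dat file under %APPDATA%. The script below is an added example written for this page, not McAfee's tooling; it parses the "name type data" lines that `reg query` prints for a Run key and flags values matching that pattern. The sample registry lines are constructed for the example, the HKCU hive is assumed (the write-up names only the subkey, and %APPDATA% is per-user), and the value names other than cjekvxk are invented.

```python
import re
import sys

# Constructed sample in the layout printed by
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# The entries are invented; only the "regsvr32.exe /s <random>.dat in %APPDATA%"
# pattern comes from the write-up.
SAMPLE_RUN_VALUES = r"""
    OneDrive    REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    cjekvxk     REG_SZ           regsvr32.exe /s C:\Users\alice\AppData\Roaming\cjekvxk.dat
    Updater     REG_SZ           regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"
    Helper      REG_EXPAND_SZ    regsvr32 /s %APPDATA%\qzmtrx.dat
"""

# name, REG_SZ / REG_EXPAND_SZ, data
_VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*\S)\s*$")
# regsvr32[.exe] [/s] <path>, with or without quotes, optionally with a directory prefix
_REGSVR_RE = re.compile(
    r'^\s*"?(?:.*\\)?regsvr32(?:\.exe)?"?\s+(?:/s\s+)?"?(?P<path>[^"]+?)"?\s*$', re.I)
# the roaming profile, either as the unexpanded variable or as a literal path
_APPDATA_RE = re.compile(r"(%APPDATA%|\\AppData\\Roaming)\\", re.I)


def parse_run_values(text: str):
    """Return [(value_name, command)] for every REG_SZ/REG_EXPAND_SZ line in reg query output."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def looks_like_neverquest_persistence(command: str) -> bool:
    """True for 'regsvr32 [/s] <file>.dat' where the file lives under %APPDATA%.
    Legitimate regsvr32 entries register .dll/.ocx files from Program Files or System32."""
    m = _REGSVR_RE.match(command)
    if not m:
        return False
    path = m.group("path")
    return path.lower().endswith(".dat") and bool(_APPDATA_RE.search(path))


def find_suspicious(text: str):
    """Names of Run values whose command matches the Neverquest persistence pattern."""
    return [name for name, cmd in parse_run_values(text) if looks_like_neverquest_persistence(cmd)]


if __name__ == "__main__":
    # Pipe real output in:  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | python this.py
    # With no stdin data, fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RUN_VALUES
    for name in find_suspicious(data):
        print(f"suspicious Run value: {name}")
```

The .dat extension and %APPDATA% location are what separate this from the many legitimate regsvr32 entries; check the HKLM Run key and the RunOnce keys the same way, since the write-up does not say which hive the sample used.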


The Trojan generates a unique ID number that it reuses in subsequent requests. The reply is packed with aPLib compression: the payload is prefixed with the “AP32” signature and passed through a decompression routine before it is parsed, as shown:
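To recover the configuration from a captured reply, an analyst needs exactly the routine the screenshot refers to. The Python below is an added example, not McAfee's or the malware's code: a port of the public aPLib decompression algorithm (the bit-tagged LZ scheme from the reference depack.c) plus a parser for the 24-byte "AP32" container, which holds the header size, packed size and CRC, and original size and CRC as little-endian 32-bit values. The six-byte packed stream is hand-assembled for the example and expands to ABABAB; it is not taken from a real Neverquest sample.

```python
import struct
import zlib

AP32_MAGIC = b"AP32"


def aplib_decompress(src: bytes) -> bytes:
    """Decompress a raw aPLib stream (container header already stripped)."""
    out = bytearray()
    pos = 0
    tag = 0
    bitcount = 0

    def getbit() -> int:
        # Tag bytes are interleaved with literal/offset bytes; MSB first.
        nonlocal pos, tag, bitcount
        if bitcount == 0:
            tag = src[pos]
            pos += 1
            bitcount = 8
        bit = (tag >> 7) & 1
        tag = (tag << 1) & 0xFF
        bitcount -= 1
        return bit

    def getgamma() -> int:
        # Gamma code: each value bit is followed by a "more bits follow" flag.
        result = 1
        while True:
            result = (result << 1) + getbit()
            if not getbit():
                return result

    def copy(offs: int, length: int) -> None:
        for _ in range(length):  # byte by byte so overlapping matches work
            out.append(out[-offs])

    out.append(src[pos])  # the first byte is always a literal
    pos += 1
    r0 = -1   # last match offset, reusable by the "10" code
    lwm = 0   # 1 right after a match, 0 after a literal
    while True:
        if not getbit():                      # 0   : literal byte
            out.append(src[pos])
            pos += 1
            lwm = 0
        elif not getbit():                    # 10  : gamma offset + gamma length
            offs = getgamma()
            if lwm == 0 and offs == 2:        # repeat previous offset
                copy(r0, getgamma())
            else:
                offs -= 3 if lwm == 0 else 2
                offs = (offs << 8) + src[pos]
                pos += 1
                length = getgamma()
                if offs >= 32000:
                    length += 1
                if offs >= 1280:
                    length += 1
                if offs < 128:
                    length += 2
                copy(offs, length)
                r0 = offs
            lwm = 1
        elif not getbit():                    # 110 : short match, or end marker
            b = src[pos]
            pos += 1
            length = 2 + (b & 1)
            offs = b >> 1
            if offs == 0:
                break                         # offset 0 marks end of stream
            copy(offs, length)
            r0 = offs
            lwm = 1
        else:                                 # 111 : 4-bit offset, one byte (0 = literal NUL)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + getbit()
            out.append(out[-offs] if offs else 0)
            lwm = 0
    return bytes(out)


def unpack_ap32(blob: bytes) -> bytes:
    """Validate the AP32 container (standard CRC-32, same as zlib.crc32) and decompress."""
    if blob[:4] != AP32_MAGIC:
        raise ValueError("missing AP32 signature")
    hdr_size, packed_size, packed_crc, orig_size, orig_crc = struct.unpack_from("<5I", blob, 4)
    packed = blob[hdr_size:hdr_size + packed_size]
    if len(packed) != packed_size or zlib.crc32(packed) != packed_crc:
        raise ValueError("packed data truncated or CRC mismatch")
    data = aplib_decompress(packed)
    if len(data) != orig_size or zlib.crc32(data) != orig_crc:
        raise ValueError("decompressed data does not match header")
    return data


def build_ap32(packed: bytes, original: bytes) -> bytes:
    """Wrap a packed stream in the 24-byte AP32 header (used here only to build the sample)."""
    return AP32_MAGIC + struct.pack("<5I", 24, len(packed), zlib.crc32(packed),
                                    len(original), zlib.crc32(original))


# Constructed sample: 'A' literal, 'B' literal, a 4-byte match at offset 2, end marker.
SAMPLE_PACKED = bytes([0x41, 0x51, 0x42, 0x02, 0x80, 0x00])
SAMPLE_BLOB = build_ap32(SAMPLE_PACKED, b"ABABAB") + SAMPLE_PACKED

if __name__ == "__main__":
    print(unpack_ap32(SAMPLE_BLOB))
```

Point `unpack_ap32` at the bytes after any outer encryption layer has been removed; the CRC check catches a truncated capture before the decompressor walks off the end of the buffer.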


The configuration file contains a large amount of JavaScript code, a list of bank websites, a list of social networking websites, and a list of financial keywords. The JavaScript code in the configuration file is used to modify the contents of a bank’s pages in order to steal sensitive information. Let’s look at the configuration file:


The Trojan targets financial institutions including Bank of America, CitiBank, and many others. Here is a list of target sites found in the decrypted configuration file:


The Trojan asks for sensitive information by modifying the contents of the pages a victim visits. The configuration file also contains a list of social networking sites and a list of banking-related keywords:


If the Trojan finds any of these keywords on a web page, it steals the full URL and all user-entered information and sends this data to the attacker:


The Trojan sends a unique ID number followed by the full URL containing username and password. (We’ve entered fake information to capture the logs.) The Trojan also sends all web page contents compressed with aPLib to the attacker in the following format:


The Trojan steals information entered on social networking sites listed in the configuration file and can use that data to further spread the malicious code:


The Trojan keeps stealing new data and updating its configuration file. The attacker uses the SOCKS proxy and VNC server to carry out malicious activity from the infected machine. Here is a snapshot of strings we found:


The Trojan can steal SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients. It can also steal FTP login credentials from various programs, which can then be used to distribute the malicious code:


We have also found an updated configuration file that contains code to request additional JavaScript files, targeting financial sites such as BMO (Bank of Montreal), PayPal, RBC (Royal Bank of Canada), and others, from a different malicious server. That server hosts several web panels for collecting sensitive information from different financial sites, which shows the attackers are learning and creating new fake pages for new sites. The JavaScript code:


The preceding JavaScript code is injected into the pages shown in victims’ browsers when they visit these sites. There are many banking Trojans, but Neverquest has more capabilities than most. Attackers can hide their tracks behind the proxy and remote-control channel and carry out transactions directly from the infected machines. The Trojan can discover new banking sites using the financial keywords listed in its configuration file, and it can steal new banking URLs and their page contents, which are eventually folded into its configuration file. In this way Neverquest can grow its target database for future attacks.

I would like to thank my colleague Vikas Taneja for assistance with this research.

The post Neverquest Banking Trojan Uses VNC, SOCKS in New Threat appeared first on McAfee.