Bitcoins Still a Hot Security Topic

Interest in Bitcoin—the decentralized digital currency—is definitely growing. But as with anything established, it also sparks the interest of scammers. We have seen a few Trojans stealing Bitcoin wallets over the last few years. Also, Trojans installing Bitcoin miners are not that exotic anymore. A case from last week shows how far interest has grown on the criminal side. Reports have emerged about phishing websites impersonating Mt.Gox, the largest Bitcoin exchange site. Mt.Gox has already fought battles in the past—for example when it was on the receiving end of a distributed denial-of-service (DDoS) attack and also when US authorities temporarily seized part of their money.

Of course, as with the nature of phishing websites, the real site has nothing to do with the fake scam site. The scammers just used the same second-level domain (SLD) name, "mtgox", but with a different top-level domain (TLD)—for example, using .org, .net, .de, or domains. The scam site tried to trick users into downloading and installing malware with the convincing MTGOX_Wallet.exe file name, which Symantec detects as Downloader.Ponik.

z z.png

Figure 1. Phishing website uses alternate TLD


Figure 2. Phishing website

The phishing websites were even advertised using more than one major online advertising service, for example Microsoft’s advertisement network, in order to reach as many victims as possible. This resulted in the scam ad being displayed on many prominent websites.

The ad enticed users by stating "New Century Gold: BITCOIN Protect your money - Buy Bitcoin"—a clever turn-about since the ad links to a scam site that has everything else in mind except protecting your money.

The fact that the phishing site does not use the common Secure Sockets Layer (SSL) security protocol should have been a clear giveaway for any visitor. As with any financial service, regardless of the currency behind it, people should pay due diligence to ensure they are on a real website when entering information. In this case, the scammers left an additional clue inside the HTML of the phishing website for the curious type: they hide the original site's guidance to change passwords.


Figure 3. Phisher-altered HTML

Symantec recommends all Mt.Gox users change their passwords and verify accounts. Mt.Gox has started to intensify the verification process of its members, allowing deposits or withdrawals only from verified accounts. They appear to be doing as much as possible to comply with anti-money laundry laws in order avoid the same fate as Liberty Reserve, which was shut down by federal prosecutors in May. Despite Bitcoin being substantially different to Liberty Reserve due to its decentralized peer-to-peer structure, and hence much harder to shut down, it is still good business practice to do as much as possible to ensure secure service.

Symantec has recently launched cloud-based Symantec AdVantage to help prevent ads that lead to malware from ever reaching customers. Website owners that include advertising on their websites should also check out the anti-malvertisement guidelines recommended by the Online Trust Alliance (OTA). The OTA is a non-profit organization with the mission to enhance online trust while promoting innovation and the vitality of the Internet. Symantec is a founding member of the OTA.

Apple blocks ad-injecting Mac trojan, Yontoo

A day after Russian anti-virus firm Doctor Web highlighted an adware Mac trojan called "Yontoo," Apple has moved to block it. Confirmed by Intego, Apple has updated the definitions included in OS X's Xprotect.plist in order to detect the adware, meaning users don't need to run anything special in order to be protected.

"In testing, it appears this detection is very specific and potentially location-dependent," wrote Intego. "This extra specificity is likely there so as to catch only the surreptitious installations of this file."

As we wrote on Thursday, the Yontoo adware socially engineers users into installing it as a browser plugin. Once it's installed into Safari, Firefox, and Chrome, the plugin injects advertising into the websites you're visiting—including those that don't even normally show ads.

Read 1 remaining paragraphs | Comments

Ad-injecting trojan targets Mac users on Safari, Firefox, and Chrome

Have you begun noticing unexpected ads appearing on unlikely websites while browsing on your Mac? If so, it's possible you've been infected with Trojan.Yontoo.1, which has been identified by Russian anti-virus firm Doctor Web as a malware variant affecting OS X users. No infection numbers were provided and Doctor Web is currently the only company reporting the threat, indicating that it has been fairly limited thus far. Still, its existence shows how Mac users continue to be targeted by malware writers and how easy it is to trick some users into installing it.

Here's how Trojan.Yontoo.1 works. An installer is presented to users as a browser plugin—usually on specially crafted webpages claiming to show movie trailers—but may also present itself as a media player, download accelerator, or "a video quality enhancement program." The installer asks the user if he or she wants to install an app called Free Twit Tube; at that point, the installer downloads the trojan from the Internet, which installs a plugin for all available browsers, including Safari, Firefox, and Chrome.

From there, the Yontoo trojan monitors your Web browsing and, according to Doctor Web, transmits information about what pages you visit to a remote server. It then injects ads into those pages using third-party code, allowing the attackers to collect unauthorized ad views on nearly any website they please. And yes, that includes Apple's own website.

Read 1 remaining paragraphs | Comments