Phishing attacks target mobile browsers with dash-padded URLs

Researchers at PhishLabs recently spotted a trend emerging in malicious web sites presented to customers: mobile-focused phishing attacks that try to conceal the true domain they are served from by padding the subdomain with enough hyphens to push the real host name past the edge of the address bar on mobile browsers.

"The tactic we're seeing is a tactic for phishing specifically mobile devices," said Crane Hassold, a senior security threat researcher at PhishLabs’ Research, Analysis, and Intelligence Division (RAID).

Hassold called the tactic "URL padding": front-loading the web address of a malicious page with the address of a legitimate website. The tactic, he said, is part of a broad credential-stealing campaign that targets sites that use an e-mail address and password for authentication; PhishLabs reports a 20 percent increase overall in phishing attacks during the first quarter of 2017 over the last three months of 2016. The credentials are likely being used in other attacks based on password reuse.
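The padding trick is mechanical enough to check for at a mail gateway or proxy. The following is an added example (not PhishLabs' tooling) that splits a hostname into subdomain and registered domain, measures the longest hyphen run, and reports which watch-listed brand is being borrowed; the brand list, the hyphen threshold, the tiny suffix table and the sample URLs are all constructed assumptions.

```python
"""Flag hyphen-padded hostnames and surface the registered domain that a
mobile address bar would have pushed out of view."""
import re
from urllib.parse import urlsplit

BRANDS = {"facebook", "apple", "icloud", "paypal", "google", "amazon"}  # constructed watch list
MIN_HYPHEN_RUN = 6  # assumption: no legitimate label needs a run this long

# Stand-in for the Public Suffix List; a real deployment should use the PSL.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(host):
    """Return the registrable part of a host name (last label plus suffix)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(url):
    """Classify one URL: 'ok', 'padded' (long hyphen run only) or
    'suspicious' (long hyphen run plus a brand name in the subdomain)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    reg = registered_domain(host)
    subdomain = host[:-len(reg)].rstrip(".") if reg and host.endswith(reg) else ""
    longest_run = max((len(m) for m in re.findall(r"-+", subdomain)), default=0)
    brand_hits = sorted(b for b in BRANDS if b in subdomain and b not in reg)
    padded = longest_run >= MIN_HYPHEN_RUN
    verdict = "suspicious" if padded and brand_hits else ("padded" if padded else "ok")
    return {"host": host, "registered_domain": reg, "subdomain": subdomain,
            "longest_hyphen_run": longest_run, "impersonated": brand_hits,
            "verdict": verdict}


# Constructed sample URLs; none of these are live indicators.
SAMPLES = [
    "http://m.facebook.com------------------------------validate-step1.example-phish.test/login",
    "https://accounts.google.com/signin",
    "https://my-long-but-honest-hostname.co.uk/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyse(sample))
```

The registered domain comes out of the right-hand end of the host, which is exactly the part the padding is designed to hide, so logging that field next to the verdict is what makes the alert readable to an analyst.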


In surveillance era, clever trick enhances secrecy of iPhone text messages

A security researcher has developed a technique that could significantly improve the secrecy of text messages sent in near real time on iPhones. The technique, which will debut in September in an iOS app called TextSecure, will also be folded into a currently available Android app by the same name.

The cryptographic property known as perfect forward secrecy has always been considered important by privacy advocates, but it has taken on new urgency following the recent revelations of widespread surveillance of Americans by the National Security Agency. Rather than use the same key to encrypt multiple messages—the way, say, PGP- and S/MIME-protected e-mail programs do—applications that offer perfect forward secrecy generate ephemeral keys on the fly. In the case of some apps, including the OTR protocol for encrypting instant messages, each individual message within a session is encrypted with a different key.

The use of multiple keys makes eavesdropping much harder. Even if the snoop manages to collect years' worth of someone's encrypted messages, he would have to crack hundreds or possibly hundreds of thousands of keys to transform the data into the "plaintext" that a human could make sense of. What's more, even if the attacker obtains or otherwise compromises the computer that his target used to send the encrypted messages, it won't be of much help if the target has deleted the messages. Since the keys used in perfect forward secrecy are ephemeral, they aren't stored on the device.
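The two properties the paragraphs above describe, one key per message and no stored secret that could unlock past traffic, can be shown with plain Diffie-Hellman. This is an added, dependency-free example and not TextSecure's or OTR's actual protocol; it assumes the RFC 3526 group 14 modulus transcribed below and uses an HMAC counter-mode keystream in place of a real AEAD.

```python
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14 (2048-bit prime), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def ephemeral_keypair():
    """Fresh exponent for one message; it never touches persistent storage."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def message_key(own_priv, peer_pub):
    """Hash the shared DH value into a 32-byte per-message key."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def keystream(key, n):
    # HMAC-SHA256 in counter mode keeps the demo stdlib-only; a real app
    # would use an AEAD such as AES-GCM or ChaCha20-Poly1305 instead.
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def exchange(plaintexts):
    """Alice sends each message under a new key pair and Bob answers with his
    own. Returns (what a wiretap records, what Bob decrypts, the per-message
    keys, returned only so a caller can confirm they all differ)."""
    wire, received, keys = [], [], []
    for pt in plaintexts:
        a_priv, a_pub = ephemeral_keypair()
        b_priv, b_pub = ephemeral_keypair()
        k = message_key(a_priv, b_pub)
        ct = xor(pt, keystream(k, len(pt)))
        received.append(xor(ct, keystream(message_key(b_priv, a_pub), len(ct))))
        wire.append((a_pub, b_pub, ct))   # public values and ciphertext only
        keys.append(k)
        del a_priv, b_priv                # the only secrets that could unlock ct
    return wire, received, keys
```

Everything left on the wire after the loop is two public values and a ciphertext per message; recovering the key from those alone is the Diffie-Hellman problem, which is why seizing a device afterwards yields nothing the device itself did not keep.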

Android Fake AV Hosted in Google Code Targets South Koreans

During the last two years we have observed the accelerated discovery of Android malware by the security industry. Malware authors today often create and distribute fake “antimalware” apps that simulate the scan of files on a device. These fake apps report fake threats (and sometimes make the device unusable). The goal is to get victims to pay for the “full version” of the software to eliminate the nonexistent infections.

However, not all “fake AV” threats pursue monetary gain directly by scaring users with fake threats or denying access to the infected devices. Sometimes malware authors use the good reputation of legitimate security software to trick users into installing malware that executes commands sent by a remote control server to perform tasks in the background–such as stealing sensitive information from infected devices and sending SMS messages without the users’ consent.

Recently the McAfee Mobile Research team has received a new type of Android fake AV that targets South Korean users. The malware pretends to be the security software V3 Mobile Plus:


Icon used by the malware.

When the application executes for the first time, a fake system scan shows fake information such as the current file being scanned–basically a string in the code–the number of files scanned at that moment (13,887 in the following screenshot) and a simulated progress bar:


Fake system scan.

After a few seconds the fake scan finishes and the following summary is presented to the user: One malware found (already removed) and 19,266 files (always the same number) were analyzed.


Fake system scan summary.

After the user clicks the button “확인,” the app closes itself and the icon that was present when the app was installed disappears from the main menu, making the user believe that the app was uninstalled. In fact, the icon is merely hidden and a service starts in the background. The service registers the infected device with the control server by sending encoded sensitive information about the device, such as the phone number and network operator:


Malware registering the infected device.

After that the malware constantly checks for new tasks to be executed remotely. These include sending SMS messages with parameters (number and content) from the remote server; this feature can be abused to send premium-rate messages. In addition to this functionality, the malware will silently intercept all incoming SMS messages to send the sender’s encoded phone number and content to a remote server:


SMS leaked.

This Android malware was found in a Google Code project, and it’s not the first time we’ve seen that. However, in this particular Google Code project (which has already been removed) the Android malware was accompanied by Windows malware:


Android and Windows malware in a Google Code project.

McAfee Mobile Security detects the Android threat as Android/FakeAhnAV.A and the Windows threats are detected by McAfee VirusScan/Total Protection as BackDoor-DKA, Generic BackDoor.u, Generic Dropper.i, and Generic BackDoor.abf.