Blog

Hundreds of GoDaddy Accounts Used for “Miracle” Product Scams

Posted by Dave Cahill on Apr 26, 2019 in Security News, Web & Graphic Design News | 0 comments

Hundreds of GoDaddy Accounts Used for “Miracle” Product Scams

Written by Ionut Ilascu / Courtesy of Bleeping Computer

Scammers pushing snake oil products compromised hundreds of GoDaddy accounts and used 15,000 subdomains to redirect to spam pages, some of which tried to impersonate popular websites.

The campaigns changed patterns over time but remained sufficiently consistent in some respects to allow automatic identification.

From short link to scam page

Using compromised GoDaddy accounts, the scammers created subdomains with redirection scripts that took the victim to a landing page where they saw a fake celebrity endorsement for the “miracle” product and then to the sale page.

The initial lure would typically come via email and the URL is converted into a short link, to keep the potential victim in the dark about the initial destination.

Jeff White, Palo Alto Networks Unit 42 researcher, spent two years monitoring campaigns that have “scam” written all over them, yet fool a large number of individuals. The products promoted this way range from diet pills to brain boosters and CBD oil.

Getting to know them

Using tools for pattern identification in images and RiskIQ’s PassiveTotal service, White was able to discover multiple redirection styles used in the illegal activity. In many cases, several redirects would occur before the victim reached the final result.

One Palo Alto Networks customer received hundreds of emails that led to these campaigns. Studying some of the messages to find the origin of the initial URL, White determined there was “similar structure of one simple English word used as a subdomain to an unrelated second level domain.”

From more than 4,000 sites enumerated from PassiveTotal where this naming pattern was visible and were linked to known landing pages, there were 3,000 unique second-level domains and most of them resolved to GoDaddy’s link shortening service.

While similar to other shortening services like Bit.ly, GoDaddy’s allows pointing a DNS A Record to an IP address and define where to forward the user.

Looking at the scale of the campaigns, White reasoned that the scammers automated the creation of subdomains that pointed to their redirector and generated them using a dictionary of simple English words.

Shady affiliate marketing business

Looking at the large collection, White realized that the activity is part of affiliate marketing business, where advertisers pay affiliates to promote products. Basically, an advertiser pays for traffic to head to their sale page.

“Technically, there is nothing wrong with affiliate marketing, but when affiliates use less than scrupulous methods for traffic generation, it puts the onus on the marketing company (merchant and/or affiliate network) to filter out the bad apples,” says White.

Merchants have the capability to track the affiliates engaged in this type of illegal activity but both parties are in on the scheme. Oftentimes, vendors are the ones providing the fake celebrity endorsement templates the affiliates display to potential victims, trying to elicit a click anywhere on the page that takes them to the sale page.

Re-billing clause in the small print

These operations are fueled by a low prosecution rate and large profits, leaving victims to deal with financial losses.

After ensnaring the victim with the fake endorsements, the scammers will try to convince them to try a sample of the product, asking in return only the shipping costs.

Hidden in fine print, though, is a line informing that it’s a subscription-based deal that is renewed automatically until the victim cancels it. 

Multiple billing cycles can pass this way and if the victim tries to cancel the subscription they are stonewalled. With no one answering their calls, the victim takes the issue to the bank to cancel the charges.

Based on the large dataset, White was able to identify recurring patterns for these campaigns and contacted GoDaddy’s Threat Intelligence team to stop the illegal activity.

“After writing some new scripts to automate and collect shadow domains for these campaigns and working with GoDaddy’s abuse teams, we were able to successfully identify and shut down over 15,000 subdomains being used across these campaigns,” White writes in a detailed report of his research.

Read the original article courtesy of BleepingComputer.com.

Over 500% Increase in Ransomware Attacks Against Businesses

Posted by Dave Cahill on Apr 25, 2019 in Security News | 0 comments

Over 500% Increase in Ransomware Attacks Against Businesses

Written by Sergiu Gatlan / Courtesy of Bleeping Computer

Cybercriminals have started focusing their efforts on businesses during Q1 2019, with consumer threat detections decreasing by roughly 24% year over year while businesses have seen a 235% increase in the number of cyber attacks against their computing systems.

For consumers, the number of detections for Trojans and RiskwareTool malware families has kept going down since Q1 2018 and backdoors, spyware, and MachineLearning/Anomalous malware have seen increases of 85%, 95%, and 221% respectively.

On the other hand, when it comes to the malware families detected in corporate environments, Malwarebytes’ “Cybercrime Tactics and Techniques Q1 2019” report shows skyrocketing detection rate all across the board since Q1 2018, while hijackers were the only malware that continued to show up less and less during the last year.

Out of all malware families impacting commercial entities, ransomware has seen huge comeback with increases of 189% since Q4 2018 and a massive 508% uptick since Q1 2018, while on the consumer side ransomware was “knocked out of the top 10 from its previous steady ranking for several years running.”

As detailed by Malwarebytes, this huge increase in corporate ransomware detections happened “thanks in large part to a massive attack by the Troldesh ransomware against US organizations in early Q1.”

This trend is also backed by FBI’s Internet Crime Complaint Center (IC3) annual Internet Crime Reports (2013, 2014, 2015, 2016, 2017, 2018) which show that while ransomware has definitely seen a decrease in the number of incidents since 2016, the total losses have increased despite a decreasing number of complaints.

Even though it might not be immediately obvious, this happened because cybercriminals have switched their targets from home users to commercial organizations which can afford to pay larger ransoms to have their computing systems unlocked and files decrypted.

The 2018 edition of IC3’s Internet Crime Report also underlined that not all ransomware victims report the incident, thus leading to an “artificially low ransomware loss rate.”

The Malwarebytes report conclusions are the result of combining statistics and intel collected between January 1 and March 31, 2019.

They rely on data from the company’s “Intelligence, Research, and Data Science teams” with telemetry added to the mix from both the “consumer and business products on the PC, Mac, and mobile devices.”

More details on the evolution of other threats targeting consumers and businesses are available in Malwarebytes’ full Cybercrime Tactics and Techniques (CTNT) Report.

Read the original article over at BleepingComputer.com.

McAfee joins Sophos, Avira, Avast—the latest Windows update breaks them all

Posted by Dave Cahill on Apr 19, 2019 in Virus Alert Information, Windows | 0 comments

McAfee joins Sophos, Avira, Avast—the latest Windows update breaks them all

A range of fixes and workarounds have been published.

Written by Peter Bright / Courtesy of ArsTechnica

The most recent Windows patch, released April 9, seems to have done something (still to be determined) that’s causing problems with anti-malware software. Over the last few days, Microsoft has been adding more and more antivirus scanners to its list of known issues. As of publication time, client-side antivirus software from Sophos, Avira, ArcaBit, Avast, and most recently McAfee are all showing problems with the patch.

Affected machines seem to be fine until an attempt is made to log in, at which point the system grinds to a halt. It’s not immediately clear if systems are freezing altogether or just going extraordinarily slowly. Some users have reported that they can log in, but the process takes ten or more hours. Logging in to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 are all affected.

Booting into safe mode is unaffected, and the current advice is to use this method to disable the antivirus applications and allow the machines to boot normally. Sophos additionally reports that adding the antivirus software’s own directory to the list of excluded locations also serves as a fix, which is a little strange.

Microsoft is currently blocking the update for Sophos, Avira, and ArcaBit users, with McAfee still under investigation. ArcaBit and Avast have published updates that address the problem. Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background.

Avast and McAfee also provide a hint at the root cause: it appears that Microsoft has made a change to CSRSS (“client/server runtime subsystem”), a core component of Windows that coordinates and manages Win32 applications. This is reportedly making the antivirus software deadlock. The antivirus applications are trying to get access to some resource, but they’re blocked from doing so because they have already taken exclusive access to the resource.

Given that patches have appeared from antivirus vendors rather than an update from Microsoft, it suggests (though does not guarantee) that whatever change Microsoft made to CSRSS is revealing latent bugs in the antivirus software. On the other hand, it’s possible that CSRSS is now doing something that Microsoft previously promised wouldn’t happen.

Read the original article over at ArsTechnica.com.

The ‘Sea Turtle’ wave of domain hijackings besetting the Internet is worse than we thought

Posted by Dave Cahill on Apr 18, 2019 in Security News, Web & Graphic Design News | 0 comments

The ‘Sea Turtle’ wave of domain hijackings besetting the Internet is worse than we thought

Despite widespread attention since January, DNS campaign shows no signs of abating.

Written by Dan Goodin / Courtesy of ArsTechnica

The wave of domain hijacking attacks besetting the Internet over the past few months is worse than previously thought, according to a new report that says state-sponsored actors have continued to brazenly target key infrastructure despite growing awareness of the operation.

The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the highjacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.

Reverse DNS records show that in late March nsd.cafax.com resolved to a malicious IP address controlled by the attackers. NSD is often used to abbreviate name server demon, an open-source app for managing DNS servers. It looks unlikely that the attackers succeeded in actually compromising Cafax, although it wasn’t possible to rule out the possibility.

“I’ve also seen attributions to this name,” Liman told Ars, referring to nsd.cafax.com. “The strange thing is that that name doesn’t exist. There is, and, as far as I can remember, has never been, such a name in the legitimate cafax.se domain.” He said the techniques involved in the March attack are consistent with the Netnod hijacking. Asked how the March attack affected Cafax customers, Liman wrote: “I don’t know. I was not in a position to observe things as they happened, so I don’t know what the black hats did.”

The hackers—whom Talos claims are sponsored by the government of an unnamed country—carry out sophisticated attacks that typically start by exploiting known vulnerabilities in targets’ networks (in one known case they used spear phishing emails). The attackers use this initial access to obtain credentials that allow them to alter the DNS settings of the targets.

Persistent access

Short for “domain name system,” DNS is one of the Internet’s most fundamental services. It translates human-readable domain names into the IP addresses one computer needs to locate other computers over the global network. DNS hijacking works by falsifying the DNS records to cause a domain to point to an IP address controlled by a hacker rather than the domain’s rightful owner. The ultimate objective of the campaign reported by Talos is to use the hijacked domains to steal login credentials that give persistent access to networks and systems of interest.

To do that, the attackers first alter DNS settings for targeted DNS registrars, telecom companies, and ISPs—companies like Cafax and Netnod. The attackers then use their control of these services to attack primary targets that use the services. The primary targets include national security organizations, ministries of foreign affairs, and prominent energy organizations, almost all of which are in the Middle East and North Africa. In all, Cisco has identified 40 organizations in 13 countries that have had their domains hijacked since as early as January 2017.

Despite widespread attention since the beginning of the year, the hijackings show no signs of abating (which is the usual course of action once a state-sponsored hacking operation becomes well-known). Reverse lookups of 27 IP addresses Cisco identified as belonging to the hackers (some of which were previously published by security firm Crowdstrike) show that besides Cafax, domains for the following organizations have all been hijacked in the past six weeks:

• mofa.gov.sy, belonging to Syria’s Ministry of Foreign Affairs
• syriatel.sy, belonging to Syrian mobile telecommunications provider Syriatel
• owa.gov.cy, a Microsoft Outlook Web access portal for the government of Cyprus (also previously hijacked by the same attackers)
• syriamoi.gov.sy, Syria’s Ministry of Interior

Attacking the foundation

In Wednesday’s report, Talos researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney, and Paul Rascagneres wrote:

While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the Internet. That trust, and the stability of the DNS system as a whole, drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

Talos is calling the campaign “Sea Turtle,” which it says is distinctly different and independent from the DNSpionage mass DNS hijacking campaign Talos reported as targeting Middle East organizations last November. Since the beginning of the year, most researchers and reporters believed Sea Turtle was a continuation of DNSpionage.

In an email, Talos’ outreach director, Craig Williams, explained:

DNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, a distinct difference is their level of maturity and capability. In DNSpionage we observed some failings, i.e. one of their malware samples was leaving a debug log. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims. Overlapping [techniques, tactics and procedures] are rife due to the very closely related nature of the attacks. Without additional intelligence it would be a fair assumption to see these attacks as one of the same. Our visibility, on the other hand, makes it very clear these are two different groups.

Talos was able to determine this distinction due to additional insights which other organizations may not have had access to. We assess, as mentioned, with high confidence that we believe DNSpionage and Sea Turtle are not related directly.

One of the things that makes Sea Turtle more mature is its use of a constellation of exploits that collectively allow its operators to gain initial access or to move laterally within the network of a targeted organization. Cisco is aware of seven now-patched vulnerabilities Sea Turtle targets:

• CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin
• CVE-2014-6271: remote code execution vulnerability in the GNU bash system, specifically SMTP (this was part of the vulnerabilities related to Shellshock)
• CVE-2017-3881: remote code execution vulnerability by unauthenticated user with elevated privileges in Cisco switches
• CVE-2017-6736: remote code exploit vulnerability in Cisco 2811 Integrated Services Routers
• CVE-2017-12617: remote code execution vulnerability in Apache Web servers running Tomcat
• CVE-2018-0296: directory traversal vulnerability allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls
• CVE-2018-7600: the so-called Drupalgeddon2 vulnerability in the Drupal content management system that allows remote code execution

Talos researchers said Sea Turtle used spear phishing in a previously reported compromise of Packet Clearing House, a Northern California non-profit that manages significant amounts of the world’s DNS infrastructure. In that case, as KrebsOnSecurity previously reported, attackers used the email to phish credentials that PCH’s registrar used to send the Extensible Provisioning Protocol messages that act as a back-end for the global DNS system.

Once Sea Turtle hackers gain initial access to a target, they work to move laterally through its network until they acquire the credentials required to modify DNS records for domains of interest. Once the domains resolve to Sea Turtle-controlled IP addresses, the actors perform man-in-the-middle attacks that capture credentials of legitimate users logging in.

Sea Turtle uses legitimate, browser-trusted TLS certificates for the hijacked domains to hide the attacks. The certificates are obtained by using attackers’ control of the domain to purchase a valid TLS certificate from a certificate authority. (Most CAs require only that a buyer prove it has control of the domain by, for instance, displaying a CA-provided code at a specific URL.) With increased control of the domain over time, attackers often go on to steal the TLS certificate originally issued to the domain owner.

VPNs? No problem

The hackers also use legitimate certificates to impersonate virtual private network applications or devices, including Cisco’s Adaptive Security Appliance products. This impersonation then is used to facilitate man-in-the-middle attacks.

“By gaining access to the SSLVPN certificate used to provide the VPN portal, an individual user will be easily tricked into believing it is a legitimate service of their organization,” Williams told Ars. “Sea Turtle would then be able to easily harvest valid VPN credentials and with that they would be able to gain further access to their target infrastructure.”

The hijackings last anywhere from minutes to days. In many cases, the intervals were so short that the malicious domain resolutions aren’t reflected in passive DNS lookups. Below are diagrams outlining the methodology:

Another way that Sea Turtle stands out is its use of attacker-controlled name servers. DNSpionage, by contrast, made use of compromised name servers that belonged to other entities. Sea Turtle was able to do this by compromising DNS registrars and other service providers, and then forcing them to the hacker-controlled name servers.

Secrets to success

Talos said Sea Turtle has continued to be highly successful for several reasons. For one, intrusion detection and intrusion prevention systems aren’t designed to log DNS requests. That leaves a major blind spot for people who are trying to detect attacks on their networks.

Another reason is that DNS was designed in a much earlier era of the Internet, when parties trusted each other to act benignly. It was only much later that engineers devised security measures such as DNSSEC—a protection designed to defeat domain hijackings by requiring DNS records to be digitally signed. Many registries still don’t use DNSSEC, but even when it is used, it’s not a guarantee it will stop Sea Turtle. In one of the attacks on Netnod, the hackers used their control of Netnod’s registrar to disable DNSSEC for long enough to generate valid TLS certificates for two Netnod email servers.

The previously overlooked technique allowing browser-trusted certificate impersonation has also contributed greatly to Sea Turtle’s success.

Wednesday’s report is the latest reminder of the importance of locking down DNS networks. Measures include:

• Using DNSSEC for both signing zones and validating responses
• Using Registry Lock or similar services to help protect domain name records from being changed
• Using access control lists for applications, Internet traffic, and monitoring
• Mandating multi-factor authentication for all users, including subcontractors
• Using strong passwords, with the help of password managers if necessary
• Regularly reviewing accounts with registrars and other providers to check for signs of compromise
• Monitoring for the issuance of unauthorized TLS certificates for domains

The report also details indicators of compromise that network administrators can use to determine if their networks have been targeted by Sea Turtle. For networks that have been compromised, undoing the damage goes well beyond restoring the rightful DNS settings.

“There has been this huge resistance to believing how bad these compromises are,” Bill Woodcock, executive director of Packet Clearing House, told Ars. “The very first thing [attackers] do when they get in is start trying to put in a bunch more backdoors, so you really have to turn things upside down to have any reasonable assurance of security going forward. There are a lot of people who think of these things as brief incidents rather than thinking of them as ongoing campaigns.”

Read the original article over at ArsTechnica.com.

Julian Assange Charged by U.S. With Conspiracy to Hack a Government Computer

Posted by Dave Cahill on Apr 11, 2019 in Security News | 0 comments

Julian Assange Charged by U.S. With Conspiracy to Hack a Government Computer

Julian Assange, the founder of WikiLeaks, was arrested Thursday at the Ecuadorean Embassy in London, where he had sheltered since 2012.

Written by Eileen Sullivan and Richard Pérez-Peña / Courtesy of The New York Times

The United States has charged WikiLeaks founder Julian Assange with one count of conspiracy to hack a computer related to his role in the 2010 release of reams of secret American documents, according to an indictment unsealed Thursday just hours after British authorities arrested him in London.

Julian Assange Indictment

The indictment of Julian Assange, the founder of WikiLeaks, filed in federal District Court in Virginia. (PDF, 7 pages, 0.22 MB)

The single charge, conspiracy to commit computer intrusion, stems from what prosecutors said was his agreement to break a password to a classified United States government computer. It is not an espionage charge, a significant detail that will come as a relief to press freedom advocates. The United States government had considered until at least last year charging him with an espionage-related offense.

Mr. Assange, 47, has been living at the Ecuadorean Embassy in London since 2012. British authorities arrested him after he was evicted by the Ecuadoreans. The Metropolitan Police said that Mr. Assange had been detained partly in connection with an extradition warrant filed by the authorities in the United States.

Mr. Assange, born in Australia, has long been in the sights of the United States government since his 2010 release of American documents and videos about the wars in Afghanistan and in Iraq, and confidential cables sent among diplomats.

Mr. Assange has most recently been under attack for his organization’s release during the 2016 presidential campaign of thousands of emails stolen from the computer systems of the Democratic National Committee, leading to a series of revelations that embarrassed the party and Hillary Clinton’s campaign. United States investigators have said that the systems were hacked by Russian agents.

Mr. Assange will have the right to contest the United States extradition request in British courts. Most people who fight extradition requests argue that the case is politically motivated rather than driven by legitimate legal concerns.

Read the original article over at NYTimes.com.

The robocall crisis will never totally be fixed

Posted by Dave Cahill on Apr 9, 2019 in Technology | 0 comments

The robocall crisis will never totally be fixed

Like spam, we’ll be able to manage it but not eliminate it.

Written by Lily Hay Newman / Courtesy of ArsTechnica

Years into the robocalling frenzy, your phone probably still rings off the hook with “important information about your account,” updates from the “Chinese embassy,” and every bogus sweepstakes offer imaginable. That’s despite promises from the telecom industry and the US government that solutions would be coming. Much like the firehose of spam that made email almost unusable in the late 1990s, robocalls have made people in the US wary of picking up their cell phones and landlines. In fact, email spam offers a useful analogy: a scourge that probably can’t be eliminated but can be effectively managed.

Finding the right tools for that job remains a challenge. The Federal Trade Commission has had a strong track record in its 140 robocall-related suits, including a recent victory at the end of March that targeted four massive operations. Bipartisan anti-robocalling legislation is gaining traction in Congress. Apps that flag or block unwanted calls have matured and are solidly effective. And wireless carriers—in part facing pressure from the Federal Communications Commission—have increasingly offered their own anti-robocalling apps and tools for free.

Yet the number of robocalls continues to hit new highs. The anti-robocalling company YouMail estimates that March 2019 saw 5.23 billion robocalls, the highest volume ever. And other firms recorded similar highs. But those numbers don’t take into account calls that were successfully blocked. A more useful measure might be the number of complaints filed per month to the FCC and FTC, which remained mostly static in 2018 and the beginning of 2019.

“Even though we’re at an all-time high, there’s some good news,” says YouMail CEO Alex Quilici. “The numbers may be creeping up a little bit, but the situation seems to be mostly stable at this point. We have not turned the corner, but maybe the corner is in sight.”

In fact, some consensus has emerged about where that corner is. Industry groups led by the Alliance for Telecommunications Industry Solutions have been working since 2016 on a pair of standards, dubbed “STIR” and “SHAKEN,” that will be used across landline, mobile, and VoIP carriers to cryptographically authenticate the source of calls. Basically, this means that the “spoofed” phone numbers robocallers rely on to ramp up their call volume—also the reason so many robocalls appear to come from your area code—will be easily flagged as untrustworthy.

A spoofed call is really just one that displays inaccurate caller ID information, using one of the numerous Web portals and apps that enable obfuscation. VoIP software also allows robocallers to bounce their calls around the telephony network a few times before connecting, making it more difficult for law enforcement and service providers to trace robocalls back to their origins. In addition to authenticating that calls are really coming from the numbers they claim, STIR and SHAKEN will also append an “Origin ID” to every call, making it much easier to track robocalls to the source.

ATIS and the newly formed governing bodies of STIR and SHAKEN are still figuring out what exactly consumers will see on their phones when a number pops up—maybe a green check mark or red alert, depending on the source. They’re also coordinating how to share their findings with third-party robocall-blocking apps. ATIS hopes that STIR and SHAKEN will begin to reach consumers by the end of 2019 or beginning of 2020, but the process of setting up the platform’s cryptographic checks and deploying the protocols across every telephony provider in the US is, as you might guess, complicated.

Still, it’s doable. Comcast and AT&T demonstrated the first cross-carrier call with the authentication check in March, and other carriers like Verizon have announced that they’ll implement the protocols. An FCC official told Wired, though, that it will take time for the process to trickle down to every small and medium-sized provider. The agency has recently pressured large carriers to make the initial investment. FCC Chairman Ajit Pai specifically threatened “regulatory intervention” in February if carriers don’t adopt STIR and SHAKEN.

Both the private sector and government are also managing expectations about what the protocols will actually achieve. “I think that some people are hoping that, ‘poof,’ robocalls will just be gone, and that’s the wrong mindset,” says Jim McEachern, a senior technology consultant at the communication industry standards body ATIS. “It’s more like email spam. It’s still there, but it’s more manageable now. We have the tools in place that the curve will peak and begin to go down to a manageable level.”

And while STIR and SHAKEN will make it harder for robocallers to rely on spoofed numbers, they’ll still be able to use legitimate phone numbers for their scams. The protocols will also make it easier to track the reputation of a given phone number, but both the FCC and industry developers emphasize that the change will also inevitably spur criminal innovation in robocalling to evade or manipulate the new cryptographic baseline.

This cat-and-mouse game has been playing out all along. For example, in response to apps and carriers getting better at flagging suspicious calls, robocallers upped their volumes and embraced tricks like same-area code spoofing and aping real organizations’ phone numbers to make calls look legitimate.

“What I think caused the big jump last year was the fact that a lot of the carriers started labeling suspicious calls,” YouMail’s Quilici says. “If you don’t answer the phone the robocaller has to work harder, so they generate more calls. It’s a death spiral.”

In December, the FCC started a reassigned number database so you’ll get fewer calls meant for the person who owned a number before you.

The FTC offers basic recommendations for consumers looking to protect themselves from the threat of robocall scams. The first is to register for the Do Not Call Registry, which, perhaps surprisingly, still exists and collects data on abusive phone numbers and call content. Adding your number to this list only cuts down on telemarketing calls, not illegal robocalls, but it’s a start. You can report abusive calls you receive to the FTC here. Always hang up immediately if you answer a call that you don’t recognize. And finally, consider a call blocking app, like the popular services RoboKiller and Nomorobo, both of which came out of FTC anti-robocalling incubators. Apps and services from wireless carriers or phone makers like Google can also help.

Though it’s frustrating that existing efforts haven’t made much of a dent in robocalling yet, Ian Barlow, who oversees the FTC’s Do Not Call Registry, says that things would be even more dire without the measures that are already in place. “Like any law enforcement agency we’re never going to stamp out every crime,” he says. “But without that enforcement the problem would be much worse.”

As with email spam, the most important step you can take is staying vigilant.

“There’s no silver bullet. You build tools and protective capabilities and mitigation techniques,” ATIS’s McEachern says. “This is not a problem that you solve.”

Read the original article over at ArsTechnica.com.

Serious Apache server bug gives root to baddies in shared host environments

Posted by Dave Cahill on Apr 4, 2019 in Security News, Web & Graphic Design News | 0 comments

Serious Apache server bug gives root to baddies in shared host environments

Privilege-escalation flaw could also make minor flaws much more severe.

Written by Dan Goodin / Courtesy of ArsTechnica

The Apache HTTP Server, the Internet’s most widely used Web server, just fixed a serious vulnerability that makes it possible for untrusted users or software to gain unfettered control of the machine the software runs on.

CVE-2019-0211, as the vulnerability is indexed, is a local privilege escalation, meaning it allows a person or software that already has limited access to the Web server to elevate privileges to root. From there, the attacker could do just about anything. The vulnerability makes it possible for unprivileged scripts to overwrite sensitive parts of a server’s memory, Charles Fol, the independent researcher who discovered the bug, wrote in a blog post. A malicious script could exploit the vulnerability to gain root.

The vulnerability poses the most risk inside Web-hosting facilities that offer shared instances, in which a single physical machine serves content for more than one website. Typically, such servers prevent an administrator of one site from accessing other sites or from accessing sensitive settings of the machine itself.

“If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the Web hoster,” Fol told Ars. “This implies read/write/delete any file/database of the other clients.”

The other likely scenario for exploit is in the event an attacker using a different attack gains only limited privileges on a server running Apache. If the server is vulnerable to CVE-2019-0211, the attacker could then exploit the flaw to elevate those limited privileges to root.

The vulnerability affects only Apache versions 2.4.17 to 2.4.38 when running on UNIX-like systems. According to security firm Rapid7, an estimated 2 million distinct systems were vulnerable to CVE-2019-0211, although most have likely updated since that number was published. Half of the vulnerable systems resided in what Rapid 7 called the “usual suspects,” or big cloud-hosting providers.

Here’s an image from the security firm of providers that were vulnerable at the time:

People who rely on Apache—particularly customers of hosts that provide shared instances—should ensure they’re running version 2.4.39.

Read the original article over at ArsTechnica.com.

Facebook caught asking for new users’ email passwords

Posted by Dave Cahill on Apr 3, 2019 in Privacy | 0 comments

‘Beyond Sketchy’: Facebook Demanding Some New Users’ Email Passwords

Mark Zuckerberg admitted recently that Facebook doesn’t have a ‘strong reputation’ for privacy. An odd new request for private data probably won’t help with that rep.

Written by Kevin Poulsen / Courtesy of The Daily Beast

Just two weeks after admitting it stored hundreds of millions of its users’ own passwords insecurely, Facebook is demanding some users fork over the password for their outside email account as the price of admission to the social network.

Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”

A form below the message asked for the users’ “email password.”

“That’s beyond sketchy,” security consultant Jake Williams told the Daily Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”

In a statement emailed to The Daily Beast after this story published, Facebook reiterated its claim it doesn’t store the email passwords. But the company also announced it will end the practice altogether.  

“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” Facebook wrote.

It’s not clear how widely the new measure was deployed, but in its statement Facebook said users retain the option of bypassing the password demand and activating their account through more conventional means, such as “a code sent to their phone or a link sent to their email.” Those options are presented to users who click on the words “Need help?” in one corner of the page.

The additional login step was noticed over the weekend by a cybersecurity watcher on Twitter called “e-sushi.” The Daily Beast tested the claim by establishing a new Facebook account under circumstances the company’s system might flag as suspicious, using a disposable webmail address and connecting through a VPN in Romania. A reporter was taken to the same screen demanding the email password.

“By going down that road, you’re practically fishing for passwords you are not supposed to know!,” e-sushi wrote in a tweet.

Small print below the password field promises, “Facebook won’t store your password.” But the company has recently been criticized for repurposing information it originally acquired for “security” reasons.

Last year Facebook was caught allowing advertisers to target its users using phone numbers users provided for two-factor authentication; users handed over their numbers so Facebook could send a text message with a secret code when they log in. More recently the company drew the ire of privacy advocates when it began making those phone numbers searchable, so anyone can locate the matching user “in defiance of user expectations and security best practices,” wrote the Electronic Frontier Foundation, a civil liberties group.

Facebook also has a checkered history when it comes to securely handling passwords. Last month the company acknowledged that unencrypted passwords for hundreds of millions of its users had been stored for years in company logs accessible to 2,000 employees.

Last month, amid a steady drum beat of fresh privacy scandals, Facebook founder Mark Zuckerberg unleashed a thousand-word manifesto describing  a new “privacy-focused vision” for the company built on strong encryption and cutting-edge security tools.

Even then, Zuckerberg acknowledged that Facebook’s putative pivot-to-privacy would meet with some skepticism. “[F]rankly we don’t currently have a strong reputation for building privacy protective services.”

Read the original article over at TheDailyBeast.com.

Game of Thrones downloads could be hiding dangerous malware

Posted by Dave Cahill on Apr 2, 2019 in Tips & Tricks | 0 comments

Game of Thrones downloads could be hiding dangerous malware

The net is dark and full of terrors

Written by Mike Moore / Courtesy of Tech Radar

Game of Thrones fans keen to get a head-start on the newest episodes have been warned to take precaution when watching and downloading online.

The  hugely-popular HBO series, which is set to start its final season soon, was named as the most popular choice for hackers to use as a shield to spread malware.

In a worldwide study by security firm Kaspersky Lab surveying 31 of the most popular TV shows worldwide over the last two years, Game of Thrones came first in a slightly less desirable struggle for top spot, ahead of The Walking Dead and Arrow.

Malware is coming

Overall, the series accounted for 17 percent of all the infected pirated content in 2018, with 33 types and 505 different families of threats hiding behind the Game of Thrones title.

In total, 20,934 users suffered a Game of Thrones-related attack, despite being the only TV show in Kaspersky Lab’s list that did not release new episodes in 2018 – with ‘Winter Is Coming’ – the very first episode of the show – was the one most actively used by cybercriminals.

In fact, the first and the last episodes of every Game of Thrones season analysed by Kaspersky Lab turned out the most dangerous, hiding the largest number of malicious files  and affecting the most users.

Trojan attacks were found to be the most common, with threats often hiding in shortcuts downloaded via a torrent or email, with adware and downloaders also found to rank highly in the list of threats.

With the new series of Game of Thrones set to launch in just a few weeks, Kaspersky Lab says it is expecting a raft of new threats to emerge, and is urging users everywhere to stay vigilant.

It advises users to pay close attention to website authenticity, check file extensions are legitimate, and exercise caution when clicking on links and downloading torrents.

Read the original article over at TechRadar.com.

Hijacked ASUS software updates installed backdoor on at least 0.5 million PCs

Posted by Dave Cahill on Mar 26, 2019 in Security News | 0 comments

Hijacked ASUS software updates installed backdoor on at least 0.5 million PCs

“ShadowHammer” used ASUS’ own digital certificate and update system to infect systems worldwide.

Written by Sean Gallagher / Courtesy of ArsTechnica

An attack on the update system for ASUS personal computers running Microsoft Windows allowed attackers to inject backdoor malware into thousands of computers, according to researchers at Kaspersky Labs. The attack, reported today on Motherboard by Kim Zetter, took place last year and dropped malicious software signed with ASUS’ own digital certificate—making the software look like a legitimate update. Kaspersky analysts told Zetter that the backdoor malware was pushed to ASUS customers for at least five months before it was discovered and shut down.

The traces of the attack were discovered by Kaspersky in January 2019, but it actually occurred between June and November 2018. Called “ShadowHammer” by Kaspersky, the attack targeted specific systems based on a range of MAC addresses. That target group, however, was substantial. According to a blog post by a Kaspersky spokesperson:

Over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time… We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.

Nearly half of the affected systems detected by Kaspersky were computers in Russia, Germany, and France—though this number may be more representative of where Kaspersky users with ASUS computers were rather than the actual geographic distribution. The domain associated with the attack, asushotfix.com, was hosted on a server with an IP address in Russia.

The backdoor malware was uncovered when Kaspersky added new code to its endpoint-protection tool. That tool is aimed at detecting supply-chain security breaches by scanning the contents of signed software updates for malware hidden within legitimate update code. A full paper on the ASUS attack will be presented in April at Kaspersky’s Security Analyst Summit in Singapore.

Supply-chain attacks—attempts to compromise the infrastructure that delivers software updates or the developers’ own software development operations—are on the rise. In October 2018, two separate supply-chain attacks were uncovered: one on the VestaCP control panel software used to manage shared hosting environments and another on a popular Python code repository. These sorts of attacks can spread malicious code widely across systems, making them easily discoverable and vulnerable to takeover by an attacker.

Read the original article over at ArsTechnica.com.