2014/06/30

A clever fix for Android L passwords issue | foodonia

One of the more painful moments in modern life (for the security conscious, at least) could be a thing of the past thanks to a new feature unveiled in Google’s upcoming ‘L’ update for its Android mobile operating system.


Android L passwords


Android L will allow users to hand over their Wi-Fi passwords unseen, encoded on an NFC tag (sticker-type ‘tags’ with an NFC chip embedded), to any guests with an NFC-enabled phone, according to Android Police’s report.


This should save security conscious homeowners from having to tell guests a private password – as the password can be handed over without the guest ever seeing it. The ‘tags’ can be encoded by any phone running Android L with its own NFC chip.


So far, NFC (Near Field Communication) chips have shipped inside Android devices from manufacturers such as HTC, Samsung and Sony – and allow enabled handsets to read codes from other phones, or from stickers, posters and pamphlets with NFC tags built in.


Secure Wi-Fi sharing


The upcoming Android L update (released to developers this week, and available to the public this coming fall) will allow home users to encode their password directly to an NFC chip, which can then be read by guests by tapping a mobile phone on them. Take a look at this full video preview of Android L by Droid Life.


Android Police says, “You know the scenario: friends come over, want to use your Wi-Fi, and expect you to just hand over the password. In L, there’s an option to [write the code to an NFC tag] directly from the Wi-Fi settings menu. Just long-press on the network, select the “write to NFC tag” option, fill in the password, and write away. Now all your visitors with NFC-capable phones can simply tap the tag to join the Wi-Fi network. Easy peasy.”


Google’s upcoming Android L update will also help users do away with passwords, at least for dedicated Google fans: in the new update, Google devices such as Android Wear watches can be used to authenticate users instead of PIN codes or passwords.


The post A clever fix for Android L passwords issue appeared first on We Live Security.






Brought by: http://foodonia.com

2014/06/24

F1 star Michael Schumacher dead? It’s the latest sick Facebook scam | foodonia

Scammers and fraudsters think nothing of scraping the barrel of bad taste, if they believe it will help them earn a few dollars.


Take the latest scam spreading on Facebook, for instance, which claims that Formula 1 racing driving star Michael Schumacher has died.


Scam Facebook post



{R.I.P } F1 Star Michael Schumacher dead after come out from COMA few seconds ago


miss you champ!



In case you’re not aware, almost six months ago the motor racing legend suffered a severe head injury in a skiing accident, which saw him – until very recently – placed in a medically induced coma.


Now, scammers are saying he has died.


And, sadly, ghoulish Facebook users are helping the scam to spread – by clicking on the link.


If you are one of those people who clicks on the link, you will be taken to a third-party webpage like this.


Bogus Facebook page


You might think that it’s just a case of clicking on the video thumbnail to watch a news report of Michael Schumacher’s death, but you would be wrong.


Because if you do click onwards, you are told that you need to share the link with your Facebook friends to watch the video.


Share this scam...


At this point alarm bells should be ringing left, right and centre. Why would you have to share a link to a video *before* you see it? If this was a genuine news report, wouldn’t you simply be able to watch it?


And how come there is no word of Schumacher’s alleged death on any legitimate news outlets?


The truth is that cold-hearted scammers are trying to drive traffic to the webpage, because if you do share it with your friends you are helping them generate traffic to their site. And the more people who attempt to watch the video, the more money they will make.


Oh, and by the way, as Schumacher hasn’t died – you’re not going to see a news report claiming that he has. Instead, you will be taken to a webpage which pays a small amount of affiliate cash to the scammers, helping to fill their coffers.


If you made the mistake of clicking on a link like this, make sure that you did not share it with your friends and delete any strange posts from your Facebook newsfeed. Remember to warn your online friends to be wary of similar scams, and to always think twice before sharing links.


The latest genuine news about Michael Schumacher is that some low-life has offered his private medical records for sale.


You would imagine that Schumacher’s friends and family have suffered enough, without scammers, fraudsters and thieves attempting to profit from his critical condition.


The post F1 star Michael Schumacher dead? It’s the latest sick Facebook scam appeared first on We Live Security.







2014/06/23

Free Wi-Fi offered by smartphone networks poses “serious threat” new report warns | foodonia

Over-eager hotspots could be leaving thousands of smartphone users vulnerable to attack on free wi-fi services provided by AT&T and Xfinity, according to a joint report by NPR and Ars Technica.


The report found that the two services allowed smartphones to reconnect to public Wi-Fi hotspots automatically, which could leave users vulnerable to fake hotspots with the right name, able to redirect users to bogus websites to harvest usernames and passwords.


Ars Technica’s IT editor Sean Gallagher writes that the services open both Android and iPhone to a serious security threat, saying, “There’s a much bigger threat to your security than somebody randomly fishing for you to connect to them — the networks you’ve already connected to and trusted, like AT&T and Xfinity.”


The NPR report, part of their Project Eavesdrop podcast, describes how easily smartphones automatically reconnect to hotspots called “attwifi” by default – i.e., users have to instruct the phones not to connect to such hotspots, or disable Wi-Fi altogether, to be sure that they will not connect to a bogus hotspot.


Ars Technica’s more detailed report describes how such “fake hotspots” can be created with apps and tools on devices as small as Android phones, and deployed to disrupt internet users’ connection to a real hotspot and then pick up the connection afterwards.


“These free Wi-Fi connections are popular, for good reason – they help reduce the amount of broadband cellular data you consume, and they often provide better network speeds than what you can manage over a 4G connection,” Gallagher writes.


“But they also offer a really easy way for someone to surreptitiously tap into your Internet traffic and capture your account information for less-than-friendly purposes.”


Earlier this year, the head of Europe’s Europol Cyber Crime division warned that free hotspots were increasingly used to steal private information from consumers in Europe, as reported by We Live Security here. Troels Oerting said, “We have seen an increase in the misuse of Wi-Fi in order to steal information, identity or passwords and money from the users who use public or insecure wi-fi connections.”


Up to 10% of workers admit to using public hotspots with work machines, according to a recent survey by phone insurer ProtectYourBubble.


ESET Distinguished Researcher Aryeh Goretsky writes that any free Wi-Fi service carries risks in a We Live Security how-to here, “Just because it is free does not necessarily mean you should take advantage of it. It is possible that someone might be monitoring and capturing network traffic going through the “free” Wi-Fi connection, for reasons ranging from questionable to illegal, such as injecting targeted advertising into web pages to the outright malevolent, such as stealing credentials for email, financial institutions and so forth.”


“If you must use the free Wi-Fi service, do not log in to any sites for which you need a password, such as your email, bank or online shops. It is more secure to tether your tablet or laptop to your smartphone and make use of its data connection, or use a portable hotspot. While such connections may not be free, they do have the advantage of being far less likely to be intercepted.”


The post Free Wi-Fi offered by smartphone networks poses “serious threat” new report warns appeared first on We Live Security.







2014/06/21

Internet firm goes out of business after DDoS extortion attack | foodonia

In the last few weeks there have been numerous stories of online criminals launching attacks against businesses with the aim of extorting money from their victims.


For instance, some 650,000 Domino’s Pizza customers in France and Belgium were put at risk after hackers made off with a customer database, and demanded the restaurant paid up a hefty ransom or face having the stolen data made public.


It has also been revealed that mobile phone giant Nokia had, a few years back, found itself in the uncomfortable position of handing over millions of dollars to blackmailing hackers who had stolen encryption codes for the Symbian operating system, and were threatening to post them online.


Unfortunately, a police sting designed to catch Nokia’s blackmailers is said to have failed after officers lost track of both the criminals and the cash.


More recently, RSS aggregator Feedly admitted it had been hit by a distributed denial-of-service (DDoS) attack which took its service offline, and announced that it was refusing to pay the ransom demanded by the blackmailing hackers. At the same time it was being reported that Evernote and music service Deezer were also suffering from DDoS attacks against their systems.


Of course, all of these companies have recovered and will – hopefully – be able to parry any future attacks more successfully without disruption or inconvenience to their users.


The same, sadly, can not be said of the latest DDoS extortion victim: Code Spaces.


Code Spaces, a company which provided a similar service to GitHub and describes itself as offering “Rock Solid, Secure and Affordable Svn Hosting, Git Hosting and Project Management” has closed down for ever, after saying it fell victim to DDoS blackmailers this week.


Here is part of the message you will find on the Code Spaces website right now:


Code Spaces webpage



On Tuesday the 17th of June 2014 we received a well orchestrated DDOS against our servers, this happens quite often and we normally overcome them in a way that is transparent to the Code Spaces community. On this occasion however the DDOS was just the start.


An unauthorised person who at this point is still unknown (all we can say is that we have no reason to think it’s anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a hotmail address.


Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.


Upon realisation that somebody had access to our control panel we started to investigate how access had been gained and what access that person had to the data in our systems, it became clear that so far no machine access had been achieved due to the intruder not having our Private Keys.


At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI’s, some EBS instances and several machine instances.


In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.



Although Code Spaces had made bold claims about its resilience and disaster recovery plans, this was clearly one problem that they were unable to recover from.


All of this, of course, is pretty bad news for Code Spaces’ customers.



Code Spaces will not be able to operate beyond this point; the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.


As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.


All that we can say at this point is how sorry we are to both our customers and to the people who make a living at Code Spaces for the chain of events that led us here.



It’s certainly bad news for Code Spaces to go out of business, and one hopes that the authorities have been involved so they can investigate who might have been behind this malicious hack that forced the company to go kaput.


But it should also not be forgotten that there are plenty of Code Spaces’ customers who have also been inconvenienced, and might now find themselves in troubled waters because of the disappearance of this service and their code.


Code Spaces customers who wish to recover data they stored with the company are advised to email support@codespaces.com with their account URL. Code Spaces makes no promises, but it says that if it can recover any of your data it will.


The adage that the “cloud is just a different word for somebody else’s computer” has never seemed more apt.


There are lots of benefits, of course, to using internet-based services but for goodness sake if you are trusting them with your sensitive or important data make sure that you ask the right questions, get the right assurances and – if necessary – have your own disaster recovery plan in place should things go pear-shaped.


The post Internet firm goes out of business after DDoS extortion attack appeared first on We Live Security.







2014/06/20

California company sues bank over cybercrime, wins $350,000 settlement | foodonia

A California oil company that lost thousands after being attacked by hackers has won $350,000 in a legal settlement after suing its bank.


TRC Operating Co. Inc, an oil production company from Taft, California, sued the Fresno-based United Security Bank, claiming that the bank had failed to adequately secure its accounts.


In November 2011, TRC was the victim of a hack that lasted five days, and saw hackers seize control of its bank accounts, stealing nearly $3.5 million. The money was transferred out of the company’s accounts in twelve separate wire transfers, all to accounts in Ukraine.


United Security was able to block or recall eleven of the twelve wires, leaving one transfer worth $299,000 that got through. TRC still sued the bank, arguing that the simple “username and password” security offered by the bank was insubstantial.


United Security hit back, claiming that as the hack took place on one of TRC’s computers, it was their responsibility. It emerged that a TRC employee was victim to a phishing scam, and had malware on his computer that allowed ‘web inject’ code to be inserted into his browser.


Web inject malware is designed to target online banking sites, and manifests in the form of pop-up windows prompting for extra user information and personal details. These are stolen, and used by the hackers to change access to bank accounts, contact email addresses and authorized users.


Before the case could come to trial, United Security’s insurance company agreed to settle out of court with TRC, neither firm admitting fault. The $350,000 settlement is the maximum permitted under California law – the original amount stolen plus interest.


Julie Rogers, the San Jose attorney representing TRC, said that “Under the California Commercial Code, that’s all we’re entitled to. The law is written to the advantage of financial institutions…[we can’t claim] punitive damages or attorney fees.”


Dennis Woods, United Security CEO, said that TRC had a duty to keep its data private. “If you don’t give away your confidential info and identity, you don’t get hacked… None of our other customers were hacked. They never hacked the bank – he gave away his ID to a third party.”


TRC is not the first California cybercrime victim to successfully pursue legal action to recover its losses. In 2012, Village View Escrow Inc. was awarded $400,000 from Professional Business Bank in a case run on similar lines. The same law firm – Dincel Law Group – has represented the claimants in both cases, arguing both times that the banks’ security was lacking.


The post California company sues bank over cybercrime, wins $350,000 settlement appeared first on We Live Security.







World Cup Phishing Scam hits FIFA 14 players through Instagram, Twitter | foodonia

As the World Cup heads into its third week, there’s a new World Cup phishing scam to be aware of. EA Games’ FIFA 14 Ultimate Team has been targeted – not for the first time – by scammers offering new downloadable players.


The scam has been circulated via Instagram, Twitter and Facebook. Numerous fake accounts, purporting to be support accounts for EA Sports, have posted messages offering free downloadable content – such as the ability to play as Brazilian star striker Neymar in FIFA 14 Ultimate Team – to the first players to respond.


The posts encourage people to follow a link and enter their password for Origin (EA Games’ online service) or Xbox Live. Fake Origin and Xbox Live sites are being used by the scammers – users are advised to check closely the last section of the domain name; i.e. the web address should always end “…origin.com” or “…origin.co.uk” if it is legitimate.


User details including email addresses, passwords and security questions for Origin or Xbox Live are all being gathered by the scammers. On Instagram, the phishing account has been identified as using the name ‘easportsut2014’, and has picked up 9,000 followers.


FIFA’s Ultimate Team is a game mode that launched three years ago in FIFA 12, and has been present within EA’s FIFA titles since. It allows players to create a fantasy team by buying and swapping virtual trading cards. Polygon.com reports that hackers have a history of targeting Ultimate Team players and using their account details to run up huge bills.


This year, for the World Cup, EA is offering special upgraded versions of particular cards, based on the players who stand out at the tournament – lending credibility to the phishing scams.


Earlier this year, several fake Twitter accounts appeared, pretending to be EA Sports help and support contacts. Like the current scams, the accounts attempted to direct people to fake Origin websites to steal their user details. EA has not offered any comment on the recent scams.


The post World Cup Phishing Scam hits FIFA 14 players through Instagram, Twitter appeared first on We Live Security.







2014/06/19

Nokia paid millions to blackmailing hackers | foodonia

Nokia paid several million euros to criminals who threatened to reveal the source code for part of its smartphone operating system seven years ago, a Finnish TV station has revealed.


Finnish police have confirmed that they are investigating an open case of alleged blackmail. Speaking to Reuters, Detective Chief Inspector Tero Haapala said “We are investigating felony blackmail, with Nokia the injured party.”


Nokia has not come forward with any comment on the case. Finnish TV station MTV (no relation to the music channel) is reporting that hackers acquired encryption codes for Nokia’s Symbian operating system, and had threatened to post them online.


If access to the Symbian source code had been made public, hackers could have injected potentially millions of smartphones with malware without fear of detection. The encryption key was used to prevent phones running unauthorized applications.


It has been reported by MTV that Nokia paid a multi-million euro ransom to the hackers, agreeing to deliver cash to a parking lot in Tampere in Finland. A police sting operation to catch the blackmailers picking up the money reportedly failed, as officers lost track of the criminals after they picked up the money.


At the time of the crime, Nokia had approximately 50% market share of mobile phones worldwide, with Symbian also used by other manufacturers. By 2006, 100m Symbian devices had been shipped. Since 2011, however, Nokia has shifted to Windows Mobile, and last year Microsoft purchased Nokia’s mobile phone division for a total of 5.4 billion euros.


Hackers have more and more often been demanding ransom from their targets. The malware Cryptolocker, which locks users out of their own files, has reportedly generated $1.1 million in Bitcoin payments by victims. Recently the news syndication app Feedly was hit by a denial-of-service attack in which the hackers responsible attempted to extort payment to restore access to the site.


The post Nokia paid millions to blackmailing hackers appeared first on We Live Security.







2014/06/18

Hacker amasses $620,000 in cryptocurrency using infected computers | foodonia

A hacker has reportedly harvested over $600,000 in digital currency, using a network of hijacked machines, in what is believed to be the largest fraud of its kind.


The crime was discovered by tracing malware-infected network attached storage (NAS) drives back to a single hacker. Researchers at Dell say the hoard, which took just two months to accumulate, may represent the largest operation of its type to date.


The hack isn’t technically a theft, as the money was created rather than stolen. Cryptocurrencies like Bitcoin are ‘mined’ by solving complex algorithms, a process that gets harder as it goes on, requiring more and more computing power to generate new currency. The hacker used malware to infect the NAS drives, harnessing their collective power to generate Dogecoin, a Bitcoin derivative named after a popular internet meme.


The NAS drives in question were made by Taiwanese company Synology. In February this year, users started to notice sluggish performance from their drives. One user posted on Facebook that he had found a folder entitled ‘PWNED’ on his drive that was responsible for the drop in performance.


It had already been noted last September that the drives contained flaws in their operating system that would allow remote attackers to install malware. Researchers David Shear and Pat Litke examined several users’ ‘PWNED’ folders and discovered a program called CPUminer, designed to mine Bitcoins or similar.


Checking the public record of transactions in Dogecoin – all cryptocurrency transactions are publicly logged – they were able to track the operations back to the same hacker. A total of more than 500 million coins were mined – at today’s exchange rate, worth $200,000. However, exchange rates were higher earlier in the year, and Litke and Shear worked out the hacker would have made $620,496.


The hacker is believed to be German, and to have hacked other devices as part of accumulating his ill-gotten fortune. Fraudulent mining operations have been discovered on a wide range of devices including smartphones and CCTV cameras, as hackers look to use devices with weaker security than PCs.


The post Hacker amasses $620,000 in cryptocurrency using infected computers appeared first on We Live Security.







New banking malware ‘Dyre’ targets Bank of America, CitiGroup accounts | foodonia

A dangerous new strain of malware has been discovered, able to steal banking credentials without alerting users to the interception.


Named Dyre, or Dyreza, the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to, but sufficiently distinct from, the Zeus malware.


Dyre has been designed to target certain banks in particular – Bank of America, CitiGroup, NatWest, RBS and Ulsterbank. It is thought to be an example of ‘crime-as-a-service’ – malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.


The phishing campaign intended to spread the malware has been asking users to download a zip file that claims to contain invoices or federal tax information. Dropbox has been quick to remove the links from its system, but the hackers have switched to Cubby, a similar service, to continue their campaign. Using such sites, the malware is able to evade URL-scanning software that detects files coming from suspicious domains.


According to SC Magazine, the malware is ‘a small code change away from being able to steal Facebook, Gmail’ account details – or any other information sent through HTTPS-protected websites.


Dyre’s danger lies in its ability to dupe users into believing they have a secure SSL connection to a bank, while in fact it is performing a ‘man-in-the-middle’ attack, intercepting data without disrupting what appears to be a legitimate secure connection.


Dyre injects malicious code into web browsers, ready to steal information when victims visit their banking site. It works across Chrome, Firefox and Internet Explorer, and may sometimes masquerade as a Flash Player download.


Some relatively good news comes in the fact that currently, Dyre is not as advanced as other Trojans, in some respects at least. Dark Reading reports that Dyre currently has no encryption capabilities, so communication between computers in a botnet running Dyre is ‘straightforward’ to intercept.


The post New banking malware ‘Dyre’ targets Bank of America, CitiGroup accounts appeared first on We Live Security.







2014/06/16

Domino’s Pizza refuses to pay ransom after customer database hacked | foodonia

A group of hackers claim to have stolen the personal details of some 650,000 pizza lovers, and have threatened to release them to the world if Domino’s Pizza doesn’t cough up a hefty ransom.


The hacking group, which is calling itself Rex Mundi, claims to have breached the network of Domino’s Pizza in France and Belgium, grabbing customers’ full names and addresses, phone numbers, email addresses and the passwords.


Domino's pizza blackmailed via Twitter


Via their Twitter account (now suspended) the hackers posted a link to a statement about the breach:



Dear friends and foes,


Earlier this week, we hacked our way into the servers of Domino’s Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones. That’s over six hundred thousand records, which include the customers’ full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).



Fortunately, there is no indication that payment information has fallen into the hands of the hackers – but there’s clearly still plenty to be concerned about for those Domino’s customers who have had their personal information exposed.


Domino’s France responded to the security breach with a series of tweets, claiming that although it used “cryptage” (encryption), the company believed the hackers to be experienced criminals, and it was deemed likely that passwords would be cracked:



Domino’s Pizza uses an encryption system for commercial data. However, the hackers we fell victim to are seasoned professionals and it is probable that they were able to decode the encryption system covering the passwords. That is why we recommend that you change your password, as a security measure. We strongly regret this situation and take this illegitimate access very seriously.



Sadly, there’s no mention of whether the sensitive information was salted and hashed.
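As an added illustration of the distinction drawn here (example code, not from the original post or from Domino’s): a reversible, site-wide “cryptage” of stored passwords beside per-user salted PBKDF2 hashing, run over a constructed two-customer table. The sample users, the site key and the record format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample records: two customers who happen to share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.invalid": "margherita2014",
    "bob@example.invalid": "margherita2014",
}

# Hypothetical site-wide key for the weak scheme (constructed for this example).
SITE_KEY = b"constructed-site-wide-key"


def weak_encode(password: str) -> str:
    """Reversible 'cryptage': XOR the password with a keystream derived from SITE_KEY.

    Because the keystream never changes, anyone holding SITE_KEY (or one known
    plaintext/ciphertext pair) can recover every password in the dumped table,
    and identical passwords produce identical stored values.
    """
    keystream = hashlib.sha256(SITE_KEY).digest()
    raw = password.encode("utf-8")
    out = bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(raw))
    return base64.b64encode(out).decode("ascii")


def weak_decode(stored: str) -> str:
    """The weak scheme is symmetric: decoding is the same XOR applied again."""
    keystream = hashlib.sha256(SITE_KEY).digest()
    raw = base64.b64decode(stored)
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(raw)).decode("utf-8")


def store_weak(users: Dict[str, str]) -> Dict[str, str]:
    return {email: weak_encode(pw) for email, pw in users.items()}


def recover_from_weak_dump(dump: Dict[str, str]) -> Dict[str, str]:
    """What a thief holding the dump plus the site key gets back: every plaintext."""
    return {email: weak_decode(enc) for email, enc in dump.items()}


# Recommended alternative: a fresh random salt per user plus a slow hash (PBKDF2-HMAC-SHA256).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (salt and digest base64)."""
    if salt is None:
        salt = os.urandom(16)  # distinct per user, so equal passwords never share a digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def store_hashed(users: Dict[str, str]) -> Dict[str, str]:
    return {email: hash_password(pw) for email, pw in users.items()}


if __name__ == "__main__":
    weak = store_weak(SAMPLE_USERS)
    print("weak dump yields every plaintext:", recover_from_weak_dump(weak) == SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    # Same password, different salts: the records differ and nothing in the dump decodes them.
    print("salted records differ:", hashed["alice@example.invalid"] != hashed["bob@example.invalid"])
    print("login still works:", verify_password("margherita2014", hashed["alice@example.invalid"]))
```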


André ten Wolde, who heads up Domino’s Pizza in the Netherlands, told De Standaard that there were clearly security problems with the firm’s server.


At the same time he confirmed that the company would not be paying any ransom to the hackers.


Good for him, and good for Domino’s Pizza.


Clearly any hack is very bad news – both for the thousands of potential innocent victims, and for the corporation which has been hit by a criminal hack.


It’s easy to point the finger of blame at the corporation for not protecting its customers’ data properly, and there are no doubt a lot of angry people in France and Belgium right now ordering an Indian takeaway as a form of protest.


But we have to make a stand against criminals who attempt to blackmail and extort money out of the corporations they are attacking via the internet. We saw a fine stand made by Feedly the other day when hackers attempted to extort money, and I’m pleased to see Domino’s Pizza not bowing to the hackers’ demands either.


If companies cave in and pay ransoms to internet attackers the only thing that is certain is that there will be more internet attacks.


I asked ESET security expert David Harley whether he felt the Feedly and Domino’s attacks were the sign of a new era of cyber-extortion.


Here’s what he had to say:



The Feedly story appears to have been just a DDoS attack, not a credentials breach. There’s nothing new at all about that: even in the early 2000s, UK agencies were quietly cooperating with private companies to deal with extortion attacks based on “pay up or we’ll keep on DDoS-ing you”.


Historically, online casinos and similar sites have been persistently targeted, but there’s no reason why an attacker wouldn’t consider any site dependent on keeping its online services available a likely target for extortion.


Extortion based on the threat of data release is a little more unusual, but not unknown.


Since stolen data can’t usually be ‘given back’ in such a way that you know the attacker can’t make further use of it, it makes sense to look at other means of mitigation rather than relying on the attacker’s ‘good faith’. I.e., alerting customers, advising them to change passwords, improving database security.


Similarly, it’s almost a given that paying up under threat of DDoS is unlikely to be a permanent solution.



So, the message is clear.


If you’re the victim of cyber-extortionists, don’t give in to the blackmailer’s demands.


Even though you might be at risk of personal or commercial embarrassment, or potential financial loss, it’s always better to contact the crime-fighting authorities than get into bed with the criminals. Of course, you should also put some serious resources into exploring what security holes might exist in your company’s operations – and making sure you are better defended in the future.


And, if you’re a customer of Domino’s and fear that your details may have been exposed by this attack, make sure that you are not using your pizza-ordering password anywhere else on the net.


After all, if the hackers manage to extract your password from Domino’s database they might attempt to use it to unlock your other online accounts too.


It’s good practice to always use different passwords that are hard-to-crack for different websites. Reusing passwords is a recipe for disaster. Anything less than proper password practices could end up with hackers getting their hands on your hard-earned dough.


The post Domino’s Pizza refuses to pay ransom after customer database hacked appeared first on We Live Security.

Would you allow cybercriminals onto your computer for money? | foodonia

Cybercriminals could buy their way into your computer for less than a dollar, a new academic study has found.


The study, led by Nicolas Christin at Carnegie Mellon University, Pittsburgh, examined how much money they would have to offer home users to unquestioningly install software onto their computers or other devices.


“We asked users at home to download and run an executable [program] we wrote without being told what it did and without any way of knowing it was harmless,” explained Christin. “Our goal was to examine whether users would ignore common security advice… if there was a direct incentive.”


The software offered by the researchers was harmless, but if they had been genuine cybercriminals, it would have been malware designed to turn home users’ computers into ‘bots’ – computers under some degree of remote control, used to distribute more malware and participate in fraud. Christin and his team used Amazon’s Mechanical Turk software marketplace to promote their ‘Distributed Computing Client’.


The advert posted with the software claimed users would “get paid to do nothing” and required them simply to run the software for one hour, after which it displayed a code to enable them to claim payment. Payments offered ranged from $0.01 to $1.


Access was restricted to users with Microsoft Windows XP or later; in Windows Vista or later, users would have to acknowledge a warning notice that the software could be dangerous.


The results showed that 22% of people who saw the offer downloaded and ran the software for just $0.01. When the reward offered was increased to $0.50, that figure rose to 36%, and for a dollar, 43% of people would run the mystery software.


Malware bundled with the software could have included Cryptolocker software, a type of malware which locks users out of their own systems and holds them to ransom. The average ransom cost in the US is $300.


Only 17 out of 965 people who downloaded the software did so in a ‘virtual environment’, a setup designed to minimize the potential damage that malware could cause. Only one person directly expected the software to be potentially harmful, according to surveys conducted after the downloads.


Engadget points out that users of the Mechanical Turk site are ‘already eager for money’ and notes that it ‘may be tougher to pay for control of a PC when the offer comes out of the blue’, but concludes that the research is a ‘reminder to always treat unfamiliar code with caution, no matter how much profit you’ll make by installing it.’


The post Would you allow cybercriminals onto your computer for money? appeared first on We Live Security.

Pinterest hit by weight loss spam | foodonia

Picture-sharing social media site Pinterest appears to have been hacked, as multiple users reported weight-loss spam messages both on Pinterest itself and on Twitter.


The Pinterest spam had a health and fitness theme, promising an ‘asian fruit that burns fat for you’, and boasts from users claiming ‘I’m 12 pounds lighter as of today!!’. The messages carry links which conceal malware, redirecting to a fake women’s health site as well as spreading the spam, according to ProgrammableWeb.


User preferences were also altered by the attack, with several users revealing that the options to mirror Pins to Twitter and Facebook had been ‘mysteriously enabled’ following the attack. It was not clear whether user preferences were changed manually or automatically.


Pinterest responded to the spam attack, telling TheNextWeb: “The security of Pinners is a top priority. We were alerted to some instances of spam and responded by immediately placing impacted accounts in safe mode, and reaching out to Pinners as we solved the issue. We’re constantly working on ways to keep Pinners safe through reactive and proactive steps, as well as educating them on the importance of using complex and unique passwords.”


Together with the importance of strong passwords, security researchers familiar with the hack are advising users to be careful which plugins or add-ons they enable in Pinterest, as well as highlighting a potential vulnerability around social authentication logins – the practice of using Twitter or Facebook login details to access Pinterest.


This is not the first time Pinterest has been the victim of hackers. In March this year, a large number of accounts were hacked and posted pictures of women in lingerie or swimwear, along with comments that also had a weight loss theme.


Pinterest has grown enormously since its launch in 2010 – according to Comscore, it is the 39th most popular site in the US. A recent bout of fundraising from investors (which raised $200m) valued the company at $5bn.


The post Pinterest hit by weight loss spam appeared first on We Live Security.

2014/06/13

P F Chang’s chain suffers breach – thousands of cards for sale online | foodonia

Newly stolen credit and debit card details, from cards used in P F Chang’s China Bistro, a nationwide American chain of restaurants, went on sale on an underground website this week at a site best-known for selling off the details of victims of the Target data breach. The new breach was again reported by cybersecurity journalist Brian Krebs.


The Verge reports that the scale of the breach is still unknown, but that banks contacted by Krebs said that the details all appeared to come from cards used in-store between, “March 2014 and May 19, 2014.”


The Register reports that the chain has confirmed that data has been leaked from multiple branches – and has resorted to using carbon paper card machines as a defensive mechanism. The move hints that, as with the Target breach, the card data could have leaked due to malware in point-of-sale terminals.


In a statement, Chang’s said, “On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.”


The restaurant has established a dedicated site for diners worried that their details may have leaked in the attack. ESET security researcher Lysa Myers offers tips for diners worried that they may have used their cards in a location leaking data to cybercriminals here.


The chain has 211 locations in America, as well as sites in Mexico, Canada and the Middle East, and a subsidiary chain, Pei Wei Asian Diner, with 192 locations, the Verge reports.


Krebs says that, according to banks his site has contacted so far, the cards appear to have been used at American branches of the restaurant.


The cards – which are being sold as sequences of numbers from the magnetic stripes on the reverse of cards – are advertised as “100% valid” and described as a “super fresh dump” – and being sold at prices ranging from $18 to $140 depending on credit limit and other factors. The advertisement suggests that the cards come from a fresh hack where users are unaware their details may have been compromised, Krebs says – hence the claim “100% valid”.


The Verge reports that if all branches of Chang’s and Pei Wei’s Asian diner have been affected, the numbers involved could be up to two million.


The story of Krebs’ exclusive revelations of data breaches at Target and other major stores has been optioned as a feature film by Sony, as reported by We Live Security here. The studio has bought the rights to the New York Times article, “Reporting From the Web’s Underbelly,” which told Krebs’ story in the wake of his exclusive revelations about the data breach at Target.


The post P F Chang’s chain suffers breach – thousands of cards for sale online appeared first on We Live Security.

2014/06/10

Encryption essential for cyber security: A million reasons to encrypt sensitive data | foodonia

Why should all the sensitive data on your computers be encrypted? You can find the answer to that question by Googling these three words: data breach unencrypted. Even a cursory glance at the long list of search results will show you how much trouble organizations can get into when they don’t encrypt sensitive information, particularly personally identifiable information (PII).


What kind of trouble does a lack of encryption bring? Well, apart from bad publicity and lost business from customers who decide you can’t be trusted with their data, you could also be looking at a million dollars in fines, possibly more. We’re talking budget-busting costs that could have been avoided by spending just a fraction of that on a basic program of encryption for all company computers.


The cost of inadequate encryption


Consider Concentra, a company you had probably never heard of before, at least not until April, when it reached a $1,725,220 settlement with the OCR. Never heard of the OCR? That’s the Office for Civil Rights within the U.S. Department of Health & Human Services, the branch of government that enforces the Health Insurance Portability and Accountability Act, better known as HIPAA. The privacy and security rules that came with HIPAA require just about any organization that handles health-related personal information to protect said data to certain standards. (On top of that, many states also require companies to notify persons whose PII may have been exposed, as will be discussed in a moment.)


Fail to meet applicable HIPAA standards and you could be in trouble, particularly if any incident occurs which exposes data that should be protected (Protected Health Information or PHI). Incidents involving more than 500 unencrypted PHI records must be reported. The OCR maintains a wall of shame, a searchable database of incidents in which protected PHI was breached, and a list of case examples and settlements, like the one with Concentra.


So what did Concentra–in common with so many other organizations inside and outside of the healthcare industry–do wrong? According to the OCR settlement, the company:



“did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level…”



In other words, the company not only failed to do enough encryption, but it also lacked a suitable business process (risk management) for determining the necessary extent of encryption. As this PDF of the case shows, the company knew in October of 2008 that only 434 out of 597 laptops were encrypted but did not move to encrypt all laptops until June of 2012, after an inventory of IT assets was completed.


Concentra is far from alone in this “failure to adequately encrypt” category of data breach. Other examples of fines for failure to encrypt in the healthcare space include $1.5 million paid by both Blue Cross Blue Shield of Tennessee (BCBST) and Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. And that Google search on data breach unencrypted that I mentioned earlier? It just turned up this May 27 headline: Humana members notified of Atlanta data breach. Apparently, an Atlanta Humana employee’s car was broken into and thieves took the employee’s encrypted laptop. Sadly, they also took a USB drive on which were stored unencrypted files containing names, medical record information and some Social Security Numbers of almost 3,000 Humana enrollees.


Of course, this problem of failure to encrypt extends well beyond the healthcare sector into all areas of data usage, including government, education, and yes, big business. Brand names don’t get much bigger than Coca-Cola, and in January we learned that “Due to a theft of unencrypted laptops at Coca-Cola, around 74,000 current and former employees at the company may be at risk of identity theft or fraud,” as SC Magazine reported.


So, Coca-Cola was in the unhappy position of notifying tens of thousands of people that some combination of their identity data was “out there” and could be used for identity theft, including name, address, Social Security Number, compensation, ethnicity, and driver’s license number. It’s a safe bet that some of those current or former Coca-Cola employees were California residents, and California has one of the strongest data security breach reporting requirements. The law requires timely disclosure to “any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”


Note that, as with HIPAA, California also provides “Safe Harbor” in the case of encrypted records. In other words, if you’ve encrypted files or folders containing PII on a drive that goes missing, you don’t have to report the breach. Accidentally emailed a spreadsheet of employee data to the wrong person? No need to worry if the attachment is encrypted.


Encryption standards


Encryption of files, whether stored on a drive or emailed via Outlook, not only gets you Safe Harbor when something does go astray, it also buys you considerable peace of mind. However, don’t expect to get Safe Harbor for data breach notification by using any old encryption program. The trend is for data protection laws to keep raising the bar and California looks set to pass legislation that sets a baseline standard for encryption. As Phil Lee, a partner at Fieldfisher told DataGuidance:



“The ‘safe harbor’ breach notification provisions in AB 1710 really make clear that there’s encryption, and then there’s encryption. In a nutshell, AB 1710 says that businesses will have to notify consumers about breaches even where the data lost was encrypted, unless the data was encrypted to the strict levels of NIST’s Advanced Encryption Standard [AES]. Simply seeking exemption from notification on the basis that the data was encrypted to some vague, loosely-defined standard will no longer suffice.”



One reason regulators come down so hard on those who fail to implement proper encryption is that this ability to encrypt data to high standards, making it inaccessible to everyone except holders of the decryption key, has been around for a long time. That makes failure to use strong encryption an increasingly egregious oversight in the eyes of those charged with protecting and policing the handling of personal information.
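To illustrate the “there’s encryption, and then there’s encryption” point above, here is an added example written for this page (not code from the article or from any product it mentions). It encrypts a constructed employee record twice with the same AES key: once block by block in raw ECB mode, which lets anyone holding the drive see which rows share a field, and once with AES-GCM, which hides that structure and rejects a tampered blob. The key, the record contents and the “employees.csv” label are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ecbEncrypt runs the raw AES block cipher over each 16-byte block on its
// own (ECB mode). Go's standard library deliberately offers no ECB helper;
// it is built here only to show why "we used AES" says too little.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("ecb: plaintext must be a multiple of 16 bytes")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// countRepeatedBlocks reports how many 16-byte blocks of ct are exact copies of
// an earlier block. Under ECB, equal plaintext rows give equal ciphertext blocks.
func countRepeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-GCM (a 32-byte key selects AES-256): a fresh random
// nonce per message plus an authentication tag that also covers the label in
// aad, so a swapped or edited blob fails to open. Layout: nonce || ciphertext || tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any mismatch in key, label or data is an error.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("gcm: sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// sampleRecords is a constructed stand-in for a small employee spreadsheet:
// four 16-byte rows, three of which carry the same (fake) SSN field.
func sampleRecords() []byte {
	same := bytes.Repeat([]byte("SSN:000-00-0001 "), 3)
	return append(same, []byte("SSN:000-00-0002 ")...)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // demo key only; real keys live in a key store
	pt, label := sampleRecords(), []byte("employees.csv")
	ecb, _ := ecbEncrypt(key, pt)
	sealed, _ := gcmSeal(key, pt, label)
	fmt.Println("ECB repeated blocks visible without the key:", countRepeatedBlocks(ecb))
	fmt.Println("GCM repeated blocks:", countRepeatedBlocks(sealed))
	sealed[len(sealed)-1] ^= 0x01 // one flipped bit in storage ...
	_, err := gcmOpen(key, sealed, label)
	fmt.Println("GCM open after tampering:", err) // ... is detected and rejected
}
```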


And regulators are not the only ones getting steamed up about a lack of encryption. The public today is a lot better informed about encryption than it was even a year ago. Take 12 months of news headlines about mass electronic surveillance and attacks on encryption by certain government agencies (NSA and GCHQ), season with a large data breach at a brand name company that everyone has heard of (Target) and you produce a big batch of consumers that are far more familiar with the word ‘encrypted’ than folks used to be. That means your company’s failure to encrypt sensitive information like PII will be judged harshly, not only in the courts of compliance and law, but also in the courts of press and public opinion.


Fortunately, encryption is no longer the IT pain it used to be. There are encryption products available today that are easy to implement and use across small or large enterprises, with all functionality and settings conveniently managed from a central server. You can start out with basic file and folder encryption. Add Outlook integration to enable secure transmission of protected files. Later you can add automatic encryption of removable media and full disk encryption. What you don’t want to do is ignore the need for a well documented and properly implemented encryption policy, one that is applied to all of the sensitive data that your organization handles, wherever it resides and however it is transmitted. Otherwise, if you do experience a breach, you will quickly learn there are no excuses left.


The post Encryption essential for cyber security: A million reasons to encrypt sensitive data appeared first on We Live Security.

2014/06/09

‘Major’ Smart TV vulnerability could allow mass wireless attacks | foodonia

A vulnerability in the way interactive apps work on many so-called Smart TVs could allow teams of relatively unskilled hackers to attack thousands of devices at once, a team of Columbia University researchers claims in a new paper.


“The technical complexity and required budget are low, making this attack practical and realistic,” the researchers write. “In a dense urban area, an attacker with a budget of about $450 can target more than 20,000 devices in a single attack.”


In a detailed analysis of the threat, Forbes magazine claims that the “rogue” broadcast could steal logins for sites such as Facebook and Yelp, hijack devices such as printers, and even sniff for weakly protected Wi-Fi networks.


“The only way for law enforcement to find a rogue broadcast is to send out multiple vehicle-mounted antennas to triangulate the signal. A hacker could be long gone before those trucks ever hit the streets,” Forbes writes.


Slashgear reports that the vulnerability relies on the HbbTV standard, used by advertisers to target users. Slashgear says that the standard is already widespread in Europe, but has recently been added to the NTSC standard for Smart TVs in America. “HbbTV notably allows advertisers to target users for advertising purposes (like watching a food show and getting coupons for a grocery store),” the site writes.


“Our analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely,” the researchers write.


The paper refers specifically to so-called “Red Button” content, where applications are launched on a smart TV during a programme by pressing a red button on the remote, typically displayed on screen as an invitation to press said button. But the researchers write that applications can also run invisibly in the background.


The researchers say that they presented the results of their research to the HbbTV Technical Group in January, but that their research was dismissed as insignificant.


They claim that the attack they describe is both possible and practical, with attackers intercepting and rebroadcasting a popular channel, after embedding malicious script into the channel.


“The best way to do so is to carry out a form of man-in-the-middle attack, in which the attacker transparently modifies a popular TV channel to include a malicious payload,” they write. The researchers say that there are ways for Smart TV manufacturers to block such attacks.

Slashgear writes, “The issue is that a Smart TV app is basically left without a point of origin when used, left “twisting in the wind” if you will. When used, it accesses both our network and the content we want, compromising both points.”


The post ‘Major’ Smart TV vulnerability could allow mass wireless attacks appeared first on We Live Security.

Ransomware 101: FAQ for computer users and smartphone owners | foodonia

What is ransomware?

Ransomware is the generic term for any malicious software that, as its name suggests, demands a ransom be paid by the computer’s user.


Why would you want to pay a ransom?

Because the ransomware has done something unpleasant to your computer, and potentially to your data.


For instance, it might have encrypted your documents and demanded that you pay a ransom to unlock access to them. This type of ransomware is known as a filecoder.


The most notorious filecoder is Cryptolocker. (Numerous versions of this are detected by ESET antivirus products as Win32/Filecoder).


How would my computer get infected by ransomware like Cryptolocker?

A typical method of infection would be to open an unsolicited email attachment or click on a link claiming to come from your bank or a delivery company.


There have also been versions of Cryptolocker seen which have been distributed via peer-to-peer file-sharing networks, posing as activation keys for popular software like Adobe Photoshop and Microsoft Office.


If your computer becomes infected, Cryptolocker hunts for a wide range of file types to encrypt – and once its dirty work has been done, displays a message demanding you electronically transfer the cash to have the files decrypted.


Cryptolocker


In some cases, the lockscreen may even include a live feed of what your computer’s webcam is currently looking at.


webcam


It is unnerving to unexpectedly see yourself sitting in front of your computer, and might help to trick less technical users into believing that they really are being observed by the authorities.


I’ve also heard of scareware. What’s that?

Scareware is software that tries to scare you into taking a particular course of action.


Most commonly, scareware will pretend to be an anti-virus product that displays a warning of security issues on your computer or smartphone in an attempt to trick you into paying the scammers or downloading further dangerous code from the net.


In some cases the fake anti-virus might actually present itself with the name of a genuine security firm, in an attempt to increase the number of people who are duped into making a bad decision.


Scareware for the Mac


Like ransomware, scareware can be written for any operating system. Ironically, some instances of fake anti-virus scareware have had more impressive user interfaces than the legitimate products they are attempting to ape!


In a sinister development, some scareware – if unsuccessful frightening you into making an unwise purchase – might resort to ransomware tactics to demand money with more obvious menace.


What happens if, after my computer gets hit by ransomware, I don’t pay up?

In the case of many ransomware attacks there is a deadline for payment – and if you don’t pay up in time you could permanently lose access to your files.


Is file-encrypting ransomware the only kind of ransomware?

No, there is also lockscreen ransomware. That’s a type of ransomware that locks your computer, preventing you from doing anything with it until a ransom has been paid.


Lockscreen malware might use underhand psychological tricks to hurry you into paying.


For instance, sometimes the lockscreen message might pretend to come from your country’s police force, and claim that the authorities are demanding you pay a fine because images of child abuse, zoophilia, or evidence of visiting illegal websites and pirated software has been found on your computer.


Reveton ransomware


One of the most commonly encountered families of ransomware that locks users’ computers while posing as a message from the authorities is Reveton.


And do people actually pay the ransom?

Yes, in many cases they do.


Imagine if you didn’t have a verified backup from which you can restore your sensitive or company files. You might very well think it is worth spending a few hundred dollars to regain access to your data.


Corporate users may not care as much about lockscreen malware (after all, they hopefully have backups and access to other hardware), but it’s easy to imagine how home users could be scared by the fake police threats or the mention of child abuse images into paying the ransom rather than taking their computer to their local computer repair shop.


So does paying the ransom decrypt your data?

Yes, generally it does restore access to your data. If you think about it, that’s good business sense by the criminals. If word got around that the attackers don’t keep their side of the bargain, nobody would ever pay the ransom.


However, paying the ransom doesn’t mean that you’re safe and out of the woods. The criminals might leave malware on your computer, and now know that you are the kind of person who is prepared to pay hard cash to regain access to their computer or data. In short, you could be targeted again in the future.


So if I am a victim of ransomware, should I pay the ransom?

We wouldn’t recommend it. Remember, there is nothing to stop the criminals behind the attack from demanding more money from you. If you pay the ransom you are helping create a new market for online criminals, which might lead to more ransomware and other cybercriminal attacks in future.


Instead, learn from the lesson by putting better protection in place and ensure that you have a proper backup regime to recover your essential files should you be unlucky enough to be hit again.


Can’t my antivirus simply remove a ransomware infection?

Yes, in most cases good security software should be able to remove ransomware from your computer. But that isn’t the end of your problems.


Because, if the ransomware which infected your computer was a filecoder, your files are still encrypted. Security software might be able to decrypt your sensitive information if a simple filecoder was used in the attack, but files hit by a more sophisticated example of ransomware like Cryptolocker are impossible to decrypt without the right key.


Prevention is the best medicine.


So, filecoders which encrypt your sensitive files are worse than Lockscreen malware?

Yes, in most situations file-encrypting ransomware is probably harder to recover from than other forms of ransomware. However, if you have a backup that wasn’t impacted by the attack it shouldn’t be too difficult to be up and running again quickly.


Frankly, the worst malware is the one that has infected *your* computer!


Is filecoder ransomware on the rise?

You have probably guessed the answer to this one.


Yes, ESET researchers are seeing more and more file-encrypting malware all the time – and there has been a steady rise over the last year.


Growth in Filecoder prevalence since July 2013



What operating systems have been hit by ransomware attacks?

Android ransomware


In theory, there’s nothing stopping online criminals from writing ransomware for any operating system – but the majority of the attacks have targeted Windows users. Cryptolocker, for instance, has only been seen for the Windows platform.


However, ESET researchers recently detected Android/Simplocker, the first file-encrypting Trojan to demand a ransom from Android users via a control centre hidden on the anonymized Tor Network.


Clearly things are getting more sophisticated in the world of ransomware, even on smartphones.


So smartphones could be at risk too?

Correct. Of course, the malware threat is much smaller on even jailbroken iOS devices than it is on Android.


We Live Security’s Rob Waugh has put together a great guide about how to keep your Android device safe from ransomware.


Where can I learn more about ransomware?

Further reading:



Podcasts:



  • Listen to this five minute podcast by ESET expert Aryeh Goretsky, where he even sheds light on the AIDS Information Trojan seen in 1989, probably the very earliest example of ransomware.


The post Ransomware 101: FAQ for computer users and smartphone owners appeared first on We Live Security.

2014/06/05

England footballers have their passport details leaked on Twitter | foodonia

In an embarrassing breach of security, the passport numbers of members of the England Football squad have been accidentally tweeted out by the team’s official sponsor.


The information was included on an official FIFA team sheet, shared with members of the press one hour before the English team played a friendly match against Ecuador at the Sun Life Stadium in Miami.


Unfortunately England’s corporate sponsor Vauxhall clearly didn’t realise that the passport numbers might be sensitive, and excitedly tweeted out a smartphone photo of the line-up to ardent soccer fans.


The photograph showed the names, dates of birth, and passport numbers of England’s starting line-up of eleven players and the seven substitutes. Oops. Something of an own goal, there.


The picture included the players’ dates of birth and passport numbers (redacted above)



The players’ dates of birth are easy for anybody to find with a little help from Wikipedia, but it doesn’t feel right reproducing them here – so I have redacted them in the image above, as well as the passport numbers, which clearly shouldn’t be in the public domain.


Vauxhall quickly realised its blunder, and deleted its tweet.


But, of course, the internet doesn’t work like that. Once you publish anything on the internet there is no guarantee that you will be able to remove every trace of it – especially if you directly tweeted it to thousands of avid football fans.


We all have to learn to be more careful about what we share on the internet – and think before we tweet.


At least former England football captain Gary Lineker had something amusing to say on the subject.




(There’s always a first time, Gary)


I’m sure none of us would like our passport details to become public knowledge, as there is always a chance that an identity fraudster might take advantage of the information for their own malicious purposes.


Bad enough for you or me – but imagine how much more tempting it might be for criminals to exploit the information when it relates to somebody who earns £125,000 per week.


No doubt, however, most of those handsomely-paid players (on the English side at least, I have no idea what kind of salaries footballers command in Ecuador) will have a minion who can organise a new passport for them should it be felt to be required.


The English Football Association (FA) says the data leak is nothing to do with them, and pointed the finger of blame at the match’s organisers:



“It is a matter for the match organisers, the publication and distribution of the team sheets are their responsibility.”



This isn’t, of course, the first time that FIFA has been connected with an alleged security breach involving passport information.


In August 2010, the Norwegian newspaper Dagbladet claimed that the details of 250,000 fans who had attended the 2006 FIFA World Cup in Germany had been sold on to ticket touts, including the passport details of 35,689 UK ticket purchasers.


According to reports at the time, the alleged data leak was blamed on a rogue employee at FIFA’s official ticketing agency, although investigators from the UK’s Information Commissioner’s Office (ICO) later asserted that there was no evidence that British passport holders had been exposed.


For those who care about such things, the England-Ecuador match ended as a 2-2 draw.


But there were definitely losers: the players who had their personal information needlessly shared with the world via Twitter.


The post England footballers have their passport details leaked on Twitter appeared first on We Live Security.

2014/06/04

ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware | foodonia

Last weekend saw the (somewhat anticipated) discovery of an interesting mobile trojan – the first spotting of a file-encrypting ransomware for Android by our detection engineers.


Let’s put this all into perspective, so we know what we’re dealing with here…


Almost exactly one year ago, a hybrid comprising characteristics of a rogue AV and ransomware (the lockscreen type, not a file-encryptor) was discovered, calling itself Android Defender, as reported by Symantec. It had all the typical traits of a fake AV and all the typical traits of a lockscreen ransomware: it was not actually that trivial to get rid of, and a user not protected by a mobile antivirus had to disable it by booting their device into Safe mode. ESET detects it as Android/FakeAV. A less aggressive Android Defender without the lockscreen functionality was analyzed by Sophos in May 2013.


Last month the blog Malware don’t need Coffee reported on a police ransomware for Android by the Reveton team. Again, this was an evolutionary migration to the Android platform of a malware type that has been very prevalent on Windows in recent years. Although Kaspersky suggested some connection to Cryptolocker (one of many file-encrypting trojans, which ESET detects as the Win32/Filecoder family, that received an overwhelming amount of media attention and that I have written about here and here), the malware, detected by ESET as Android/Koler, was neither Cryptolocker, nor did it encrypt any files on the infected device.


That, however, changed with the most recent discovery last weekend. This Android trojan, detected by ESET as Android/Simplocker, scans the SD card for certain file types after it lands on an Android device, encrypts them, and demands a ransom in order to decrypt the files. Let’s look at the malware in greater detail.


After launch, the trojan will display the following ransom message and encrypt files in a separate thread in the background.


Figure 1 – Android/Simplocker.A ransom message



The ransom message is written in Russian and the payment demanded in Ukrainian hryvnias, so it’s fair to assume that the threat is targeted against this region. This is not surprising: the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from Russia and Ukraine. The message roughly translates to:


“WARNING your phone is locked!

The device is locked for viewing and distribution child pornography, zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter {REDACTED}.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”


The malware directs the victim to pay using the MoneXy service for obvious reasons: it is not as easily traceable as a regular credit card payment. 260 UAH is roughly 16 EUR.


Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypt them using AES.
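For an incident responder, the useful counterpart to the extension list above is a quick inventory of which files on a recovered SD card image still look like what their name says and which look like ciphertext. The following Python script is an added example written for this post; it is not ESET’s tooling or code from the malware. It assumes that affected files keep their original name and extension (the post does not say whether Simplocker renames them), uses a table of well-known file signatures (magic bytes) that is reference knowledge rather than anything from the post, and falls back to a Shannon-entropy threshold for extensions such as txt that have no signature. The sample directory tree it builds is constructed for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# File extensions the post reports Android/Simplocker.A searches the SD card for.
TARGET_EXTENSIONS = {
    "jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx",
    "txt", "avi", "mkv", "3gp", "mp4",
}

# Leading bytes each format normally carries, as (offset, signature).
# Reference knowledge used as an assumption here; not taken from the post.
MAGIC = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "jpg": [(0, b"\xff\xd8\xff")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "bmp": [(0, b"BM")],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "pdf": [(0, b"%PDF")],
    "doc": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],
    "docx": [(0, b"PK\x03\x04")],
    "avi": [(0, b"RIFF")],
    "mkv": [(0, b"\x1a\x45\xdf\xa3")],
    "3gp": [(4, b"ftyp")],
    "mp4": [(4, b"ftyp")],
    # "txt" has no signature; it is judged by entropy alone.
}

# Bits per byte above which a file header is treated as ciphertext-like.
# AES output is close to 8.0; text and most media headers are well below.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path) -> str:
    """Return 'intact', 'suspect' or 'ignored' for one file on disk."""
    ext = path.suffix.lower().lstrip(".")
    if ext not in TARGET_EXTENSIONS:
        return "ignored"          # not a type the post lists; left for other tooling
    with path.open("rb") as fh:
        head = fh.read(4096)      # the header is enough for both checks
    for offset, sig in MAGIC.get(ext, []):
        if head[offset:offset + len(sig)] == sig:
            return "intact"
    if MAGIC.get(ext):
        return "suspect"          # expected signature missing: content overwritten
    return "suspect" if shannon_entropy(head) > ENTROPY_THRESHOLD else "intact"


def triage(root: Path) -> dict:
    """Walk a directory tree and bucket every file by classification."""
    result = {"intact": [], "suspect": [], "ignored": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[classify_file(p)].append(p.relative_to(root).as_posix())
    for bucket in result.values():
        bucket.sort()
    return result


def build_demo_tree(root: Path) -> None:
    """Constructed sample files: two healthy ones, two overwritten with random bytes."""
    (root / "DCIM").mkdir()
    (root / "DCIM" / "photo1.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 2048)
    (root / "DCIM" / "photo2.jpg").write_bytes(os.urandom(2048))   # ciphertext-like
    (root / "notes.txt").write_bytes(b"shopping list: milk, eggs\n" * 40)
    (root / "secret.txt").write_bytes(os.urandom(2048))            # ciphertext-like
    (root / "app.apk").write_bytes(os.urandom(512))                # not a listed type


def demo() -> dict:
    """Build the constructed tree in a temp dir and return its triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return triage(root)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Run against a mounted copy of the SD card (never the only copy) by calling triage() on its root. The "suspect" list tells you what to restore from backup; the magic-byte check is deliberately preferred over entropy for formats that have a signature, because a damaged-but-plaintext header is still a recovery clue and entropy alone would miss it.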


Figure 2 – Files encrypted by Android/Simplocker.A



It will also contact its Command & Control server and send identifiable information from the device (like IMEI, et cetera). Interestingly, the C&C server is hosted on a TOR .onion domain for purposes of protection and anonymity.


Figure 3 – Part of the Android/Simplocker.A source code for connecting to the TOR anonymity network



As you may notice on the nag-screen above, there is no input field for a payment-confirming code of any kind, as we’ve seen in earlier examples of Windows ransomware. Instead, the malware listens to its C&C server for a command – probably issued after payment is received – to decrypt the files.


The sample we’ve analyzed is in the form of an application called ‘Sex xionix’. It was not found on the official Google Play and we estimate that its prevalence is very low at this time.


Our analysis of the Android/Simplocker.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to “the infamous Cryptolocker” on Windows.


Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.


Instead we encourage users to protect themselves against these threats by prevention (by using our ESET Mobile Security for Android, for example, and adhering to best security practices, such as keeping away from untrustworthy apps and app sources) and, if they are unfortunate enough to already be infected, to recover the files from a backup. Because when you have a backup, any Filecoder trojan – be it on Android, Windows, or any other operating system – is nothing more than a nuisance.


Analysed Sample SHA1: 808df267f38e095492ebd8aeb4b56671061b2f72


Kudos to Marek Luptak for his analysis of this Android trojan.


The post ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware appeared first on We Live Security.
