Showing posts with label trojan. Show all posts

Tuesday, May 20, 2014

Do you know how to avoid Android ransomware malware?


Ransomware is malware that infects a computer and then restricts access to it. A ransom is demanded, payable to the malware’s operators, in exchange for removing the restriction.

Ransomware comes in two broad forms. One encrypts the files on the system’s hard drive; the other simply locks the system and demands payment for the lock to be lifted.

CryptoLocker is the best-known example of the encrypting kind. It leaves your computer running but scrambles your data and demands a fee for the decryption key to get it back.

The fee is usually around $300. Recently, the pay-to-unlock variety has made its way into the Android ecosystem, and it also charges $300 to unlock the device.

“Koler”

One of the most prominent ransomware families on Android is known as “Koler”. Koler is very similar to the Reveton malware for Windows, which leaves your data intact but locks you out of your computer.

It’s thought that the Reveton gang is behind Koler. Both malware families follow a criminal formula that has worked for them on Windows computers.

Once installed, the malware displays a warning screen accusing you of viewing something illegal, such as pornography.

According to reports, the crooks use the time-honored trick of telling you to install a specific “video player” app, then offering you help with downloading it.

Because Koler has not made it into the Google Play Store, you need to have “Allow installation of apps from unknown sources” enabled in your Android security settings to be at risk. With the default setting, the installation is simply refused.

Just like with Windows-based police warning ransomware, the malware can adapt the content it displays depending on your country or language settings.

The malware warnings have been coming from “U.S.A. Cyber Crime Center” and “FBI Department of Defense” (which doesn’t make sense because the FBI is not part of the DoD).


ransomware


The screen shot shows fake government seals and an assortment of ripped-off images coaxing the victims to do what they are told on the screen.

These scare tactics often work: how often do you see the President pointing his finger at you in a scolding manner?

Another message that is often seen:


ATTENTION! Your phone has been blocked up for safety reasons listed below. All the actions performed on this phone are fixed. All your files are encrypted. CONDUCTED AUDIO AND VIDEO.


Ransomware-Ad


Note. Sophos products, including Sophos Free Anti-Virus and Security for Android, detect this malware as Andr/Koler-A.

Get rid of Koler

Despite what the warning claims, Koler doesn’t scramble your data and it doesn’t record audio or video. It locks your phone with a pop-over browser window that automatically reappears if you try to dismiss it.

Because the window keeps reappearing, it is nearly impossible to get into the Settings menu to remove the malware.

Rebooting doesn’t help either: the malware starts again as soon as the device restarts.
A factory reset will get rid of it, but the reset removes all your other apps and stored data along with the malware.

A less destructive approach is to boot into Android’s “Safe Mode”, which starts the device without third-party apps so the malicious one can be uninstalled from Settings. A detailed explanation can be found in Sophos’ companion article.


Android Safe Mode
via: NakedSecurity – Sophos


Stay protected from police warning ransomware

Here are five easy tips to help you deal with Android malware of all sorts, including “police lockers”:
  • Install a reputable anti-virus program to vet all new apps automatically before they run for the first time.
  • Be cautious of apps you are offered in ads and pop-ups.
  • Stick to Android’s default setting of allowing installs from the Google Play store only.
  • Keep off-device backups of your important data.
  • Read our article about using “Safe Mode”, just in case you ever need it in a hurry.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

References:
Zorabedian, John
NakedSecurity from SOPHOS
Android “police warning” ransomware – how to avoid it, and what to do if you get caught
Published: May 19, 2014
http://nakedsecurity.sophos.com/2014/05/19/android-police-warning-ransomware-how-to-avoid-it-and-what-to-do-if-you-get-caught/

Friday, December 13, 2013

Are you being exploited?

Software exploits are techniques attackers use to install malware quietly. By triggering a vulnerability in software the victim already runs, a Trojan or backdoor can be planted on the computer without any social engineering to trick the victim into running a malicious program.

Malware installation through an exploit is invisible to the user, which gives attackers an obvious advantage.

Exploitation Targets

Here are some applications most targeted by attackers through exploitation:
  • Web browsers (Microsoft Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox and others).
  • Plug-ins for browsers (Adobe Flash Player, Oracle Java, Microsoft Silverlight).
  • The Windows operating system itself – notably the Win32 subsystem driver – win32k.sys.
  • Adobe Reader and Adobe Acrobat
The most dangerous exploits are those that allow remote code execution: an attacker runs code of their choosing on the operating system without any action on your part. Running outdated or vulnerable software increases the chance of your system becoming infected with malware.

PDF is the most common document format, but PDF files can be dangerous if obtained from an unreliable source. Adobe has extended the file format to maximize its data-exchange functionality by allowing scripting (JavaScript) and the embedding of various objects, such as other files and launch actions, in a document. An attacker can abuse exactly these features to deliver an exploit.



pdf-security



Another target is Adobe Flash Player, the plug-in used for playing back Flash content in various browsers. Flash Player is updated regularly and notifies you when it’s time to upgrade. Most of its vulnerabilities are Remote Code Execution (RCE) flaws, meaning attackers can use them to run malicious code on a victim’s computer from afar.

Java is another popular browser plug-in that is attractive to attackers: more than three billion devices run the platform. Java has been one of the most frequently exploited components on the desktop. When you use Java on Windows, its security settings can be changed through the Java control panel applet, and the latest versions let you configure the environment more precisely (for example, by setting a security level or disabling Java content in the browser altogether).

The Windows operating system itself can also be used by attackers to remotely execute code. The figure below shows the number of patches each component received during 2013.



patches
The figure shows that Internet Explorer had the greatest number of vulnerabilities fixed: more than a hundred, in the course of fourteen updates.

internet-options

Windows Operating System

Newer versions of Microsoft Windows (7, 8 and 8.1) have built-in mechanisms that help protect users from the destructive actions delivered by exploits, such as Data Execution Prevention (DEP, since Windows XP SP2) and Address Space Layout Randomization (ASLR, since Windows Vista). Both have been strengthened in the most recent versions of the operating system.


Operating-system-updates

http://www.hyphenet.com/blog/2013/12/13/are-you-being-explotied/








Attackers study every operating system and program in use for vulnerabilities, with the intent of exploiting them for financial gain. Adobe, Google and Microsoft are all taking steps to make these attacks more difficult to carry out.

To protect yourself, harden your system and application settings and keep your software up to date.


References:

Exploit Protection for Microsoft Windows – We Live Security
http://www.welivesecurity.com/2013/12/13/exploit-protection-for-microsoft-windows/

Tuesday, October 1, 2013

U.S. Bank Attack from Shylock Trojan!

The crafty banking Trojan known as Shylock has returned. It is attacking thousands of customers of 24 American banks.

The Shylock (or Caphaw) Trojan is financial malware that uses stealth tactics both on the infected machine and on the wire.

Shylock has defensive mechanisms that let it restore itself during and after a shutdown or a clean-up attempt.
ESET Security Intelligence Team Lead Aleksandr Matrosov, who published a detailed analysis of the malware earlier this year, describes it as “one of the few that can steal money while a user is accessing his bank account.”

Shylock’s autoload functionality lets it repeatedly steal money while the user is actively logged in to their bank account, and the user cannot tell that the money is being taken.

The threat uses techniques for bypassing security software and evading automated malware processing.

Zscaler stated in a blog post, “Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users’ bank accounts since 2011.  You may recognize this threat from research done by WeLiveSecurity earlier this year in regards to this threat targeting EU Banking sites.  This time would appear to be no different.  So far, we have tied this threat to monitoring its victims for login credentials to 24 financial institutions.”

Zscaler reported an increase in detections this week, with the malware targeting 24 U.S. banks including Chase Manhattan, Bank of America, Citi and Wells Fargo. When it was first detected in 2011 it targeted European customers in the United Kingdom, Italy, Denmark and Turkey.


ESET’s Virus Radar is showing an increase of infections in the North America region. This malware is difficult to detect and hard to remove, because of its ability to restore itself after an antivirus cleaning procedure has been carried out.

The infection vector is unknown, but researchers are fairly sure the malware is served by an exploit kit that abuses Java vulnerabilities to compromise the computer.

The DGA

A Domain Generation Algorithm (DGA) is a technique seen in numerous malware families: it deterministically generates a large number of quasi-random domain names, a handful of which the attacker actually registers as command-and-control servers. Because the list changes over time, blocking any single domain achieves little, and the malware and its operators can find each other without a fixed address.

The Trojan avoids detection by injecting itself into legitimate processes such as explorer.exe, and it conceals its phone-home traffic by contacting the DGA-generated addresses over SSL using self-signed certificates.

A self-signed certificate is one signed with its own key rather than by a trusted certificate authority, so it proves nothing about who is on the other end. Here its purpose is simply to encrypt the command-and-control traffic so that network security tools cannot inspect its contents.
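What a DGA gives the attacker, and what a defender can do once the algorithm has been reverse-engineered, is easier to see in code. The example below is an added illustration written for this page; it is not Shylock’s algorithm, which the page does not describe. The seed, the label length, the TLDs and the number of domains per day are all assumed values, and the DNS log it classifies is constructed.

```python
import datetime
import hashlib

# Illustrative DGA only. NOT Shylock's real algorithm; every constant here is
# an assumption made for the example.
SEED = b"example-botnet-seed"       # assumed: shared secret baked into the sample
TLDS = (".net", ".com", ".info")    # assumed
LABEL_LEN = 12                      # assumed
DOMAINS_PER_DAY = 5                 # assumed


def generate_domains(day: str, seed: bytes = SEED, count: int = DOMAINS_PER_DAY) -> list:
    """Derive the day's candidate C&C domains from a seed and an ISO date.
    Bot and operator run the same code, so they agree on the list without
    ever exchanging it."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + bytes([i])).hexdigest()
        # map hex digits onto the letters a..p so the label looks like word salad
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:LABEL_LEN])
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def precompute_blocklist(start: str, days: int, seed: bytes = SEED) -> set:
    """Defender's side: once the algorithm and seed are recovered from a sample,
    every domain the bots will try can be generated ahead of time and blocked or
    sinkholed in bulk, instead of chasing one domain at a time."""
    first = datetime.date.fromisoformat(start)
    block = set()
    for offset in range(days):
        day = (first + datetime.timedelta(days=offset)).isoformat()
        block.update(generate_domains(day, seed))
    return block


def classify_queries(queries: list, blocklist: set) -> list:
    """Return the DNS queries (as logged) that hit a precomputed DGA domain."""
    return [q for q in queries if q.lower().rstrip(".") in blocklist]


if __name__ == "__main__":
    today = "2013-09-20"  # date of the referenced Zscaler/ESET reports
    block = precompute_blocklist(today, 7)
    # constructed DNS log: one legitimate name, one of today's DGA names
    sample_queries = ["www.example.com", generate_domains(today)[2] + "."]
    print("bot would try:", generate_domains(today))
    print("flagged:", classify_queries(sample_queries, block))
```

The important property is that the list is a function of the date and a secret baked into the sample; the attacker registers only one or two of the day’s names, while the bot tries them all. Once analysts extract the seed, the defender runs the same function forward and blocks the upcoming names in bulk, which is exactly why malware authors keep changing seeds and algorithms.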

ThreatLabZ is monitoring the Internet for this threat and its spread. The lab is also dissecting the threat in order to obtain more information about its attack approach, scope and impact.
What do you think about the banks being compromised? Share you comments below!


References:
Can’t keep a bad man down: “Shylock” Trojan returns to attack U.S. banks – WeLiveSecurity
http://www.welivesecurity.com/2013/09/20/cant-keep-a-bad-man-down-shylock-trojan-returns-to-attack-u-s-banks/
September 20, 2013
New wave of Shylock Trojan targets bank customers – Net Security
http://www.net-security.org/malware_news.php?id=2592
September 19, 2013
A New Wave of WIN32/CAPHAW Attacks – A ThreatLabZ Analysis -ZScaler
http://research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html

Wednesday, September 25, 2013

Filecoder: Your data is being held at ransom

Filecoder Trojans encrypt the files on a victim’s computer and then demand a ransom in exchange for a decryptor utility. Ransomware is more commonly known in its lock-screen form, which tries to scare you into making a payment to regain access to your computer.

This is not a new problem, but ESET has noted a significant increase in Filecoder activity this summer.

ESET has detections of this malware category flagged as Win32/Filecoder, Win32/Gpcode, and other family names.

Statistics on ESET LiveGrid telemetry shows Win32/Filecoder detections have risen by 200% just in the last few months.  From January to June 2013 the detections have been at a normal level, but the spike since July is alarming.




Russia is most affected by these malware families, although these campaigns are spreading throughout the entire world.

 

Infection Trajectory

Cybercriminals who deploy Filecoder ransomware use various methods of getting the malware onto victims’ systems:
  • Drive-by downloads from malware-laden websites
  • E-mail attachments
  • Installation by a Trojan-downloader or backdoor already on the machine
  • Manual installation by an attacker who already has access (this hurts the most)
In one scenario, Win32/Filecoder.Q (or Win32/Filecoder.AA and Win32/Filecoder.W) is delivered through a backdoor such as the Poison Ivy RAT. Victims are sent the Poison Ivy backdoor by email and enticed to execute it; the backdoor then waits for commands from its C&C (command and control) server, and the attacker sends the Filecoder Trojan down to the infected machine.

In that case the Trojan is not stored as a file on the hard drive; it runs only in the computer’s memory.

In other cases the attacker installs the Filecoder ransomware by hand over Remote Desktop Protocol (RDP). Weak passwords, or credentials captured by a previously installed keylogger, give the attacker full access to the targeted machine.

Once in, the attacker disables antivirus protection before installing the malware onto the compromised desktop.
Manual installation is sometimes necessary because a number of variants require “user interaction” to set the encryption password.


 

Encryption Methods

Various encryption methods are used, including:
  • Blowfish - a keyed symmetric block cipher
  • AES - the standard for encrypting electronic data, based on the Rijndael cipher
  • RSA - a public-key algorithm whose security rests on the difficulty of factoring large integers
  • TEA - a block cipher that can be implemented in a few lines of code
The encryption key itself is handled in one of several ways:
  • Hard-coded in the binary
  • Entered manually by the attacker via the command line or a dialog box
  • Randomly generated and sent to the attacker
The first case is the weakest: a key hard-coded in the binary can sometimes be recovered by analysing the sample, which makes decryption possible without paying. It is also a good idea to password-protect any anti-malware software on your computer to prevent it from being adjusted by an attacker.
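The TEA entry above says the cipher fits in a few lines, and the key-handling list shows why a hard-coded key is the weakest option. The following added example (written for this page, not code from ESET or from any Filecoder sample) implements TEA in pure Python and shows how a key embedded in a constructed stand-in “binary” can be pulled out and used to decrypt a file the Trojan encrypted. The KEY= marker, the key bytes, the fake binary and the sample file are all made up for the demonstration; real samples don’t advertise their key this conveniently, and locating it takes reverse engineering.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32
KEY_MARKER = b"KEY="  # constructed marker for the demo binary only


def tea_encrypt_block(v0, v1, key):
    """One 64-bit TEA block (two 32-bit halves) under a 128-bit key (four 32-bit words)."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: the same rounds, run backwards."""
    k0, k1, k2, k3 = key
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def key_from_bytes(raw16: bytes) -> tuple:
    """Split 16 key bytes into the four little-endian 32-bit words TEA uses."""
    return struct.unpack("<4I", raw16)


def tea_encrypt(data: bytes, key: tuple) -> bytes:
    """ECB mode with PKCS#7-style padding: enough to show the mechanics, not a recommendation."""
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    out = []
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out.append(struct.pack("<2I", *tea_encrypt_block(v0, v1, key)))
    return b"".join(out)


def tea_decrypt(data: bytes, key: tuple) -> bytes:
    """Decrypt and strip padding; a wrong key almost always fails the padding check."""
    out = []
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out.append(struct.pack("<2I", *tea_decrypt_block(v0, v1, key)))
    plain = b"".join(out)
    pad = plain[-1]
    if not 1 <= pad <= 8 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding check failed: wrong key or corrupted data")
    return plain[:-pad]


def recover_hardcoded_key(binary: bytes):
    """Pull a hard-coded 128-bit key out of a sample. In this demo it sits right
    after a marker; in practice you locate it by disassembling the cipher routine."""
    idx = binary.find(KEY_MARKER)
    if idx < 0:
        return None
    start = idx + len(KEY_MARKER)
    return key_from_bytes(binary[start:start + 16])


# Constructed demo material: a fake "binary" with the key embedded, and a victim file.
HARDCODED_KEY_BYTES = bytes(range(16))
FAKE_BINARY = b"MZ" + b"\x00" * 40 + KEY_MARKER + HARDCODED_KEY_BYTES + b"\x00" * 20
SAMPLE_FILE = b"Quarterly report: revenue up 12%"


def demo() -> bytes:
    """Encrypt the file as a hard-coded-key Filecoder would, then recover the key
    from the binary and decrypt without paying."""
    ciphertext = tea_encrypt(SAMPLE_FILE, key_from_bytes(HARDCODED_KEY_BYTES))
    recovered = recover_hardcoded_key(FAKE_BINARY)
    return tea_decrypt(ciphertext, recovered)


if __name__ == "__main__":
    print(demo())
```

The same recovery is impossible for the third key-handling case: if the key is generated at random on the victim’s machine and only the attacker’s copy survives, nothing in the binary or on the disk will decrypt the files, which is why off-device backups are the only reliable defence.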


password-protect


It is also equally important to backup your computer regularly, make sure all your anti-virus software is up-to-date and all setting preferences are correct.

Here is a good reference for cybersecurity: How FireEye has redefined cyberdefense on USATODAY.com: http://www.usatoday.com/videos/tech/2013/09/24/2861507/


References:
Filecoder: Holding your data to ransom - We Live Security
http://www.welivesecurity.com/2013/09/23/filecoder-holding-your-data-to-ransom/
September 23, 2013

Thursday, April 18, 2013

Texas Plant Explosion Spam Leads to Malware Attack

Considering cybercriminals jumped on the opportunity to spread malware by sending spam related to Monday’s Boston Marathon bombing, it’s not all that surprising that they’re now doing the same with yesterday’s fertilizer plant explosion in West, Texas.

Here are some of the subject lines to watch out for:

  • West TX Explosion

  • Waco Explosion HD

  • Texas Plant Explosion

  • Texas Explosion Injures Dozens

  • CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

  • Raw: Texas Explosion Injures Dozens


Like the marathon-themed emails, the spam messages tied to the new fertilizer plant explosion trick users into following malicious links by promising video footage of the devastating event.

Texas Explosion Email



Image Credit: Sophos


While it’s true that the victim is presented with a series of embedded videos related to the incident, they are also being exposed to the misdeeds of the Redkit exploit kit, which will use Adobe PDF or Java vulnerabilities to silently install malware on the victim’s computer.

Avoiding these attacks should be relatively easy – don’t follow links in unsolicited emails. Aside from that, keeping your operating system (& installed software) up-to-date and running antivirus software should help your PC remain malware-free.

Have you received any suspicious emails related to the plant explosion or marathon bombing? Share your experiences below and get the word out to help protect others!

[via Sophos][via AppRiver]


Wednesday, April 17, 2013

Spammers Exploit Boston Marathon Bombing to Spread Malware

Click with caution if you receive unsolicited emails, or find yourself wanting to follow a website link, related to the deadly bombing attack at the Boston Marathon on Monday.

Antivirus firms Avira and Sophos, along with email security provider AppRiver have already intercepted emails from spammers aspiring to dupe users into following malicious links by offering links to video footage of the attacks.

There are a variety of domain names and subject lines associated with this spam campaign; some of the subject lines in use are:

  • Explosion[s] at Boston Marathon

  • Boston Explosion Caught on Video

  • Aftermath to explosion at Boston Marathon

  • Video of Explosion at the Boston Marathon 2013

  • Runner captures. Marathon Explosions

  • 2 Explosions at the Boston Marathon


The body of the email appears to contain nothing more than a link pointing to a website that has legitimate videos from the attack. However, that same site is rigged with malicious code that will attempt to exploit Java plugin vulnerabilities in order to drop a backdoor Trojan on your machine.

Avira identifies the threat as TR/Crypt.ZPACK.Gen, while Sophos identifies it as Troj/Tepfer-Q.

Upon a successful infection, TR/Crypt.ZPACk.Gen (or Troj/Tepfer-Q) will modify the system registry and connect to a remote server, granting an attacker remote access to the affected PC.

Tips to Keep Your PC Safe


Avira warns that malicious links may also be posted on Facebook, so users should also exercise caution when following links shared on social networks. Here are a few other bits of advice to help keep your computer malware-free:

  • Do not click links or download files attached to unsolicited emails.

  • Stick to the official websites of your favorite news channel to get the latest updates.

  • Keep your operating system and installed third-party software fully patched and up-to-date.

  • Always run antivirus software and keep the virus definitions current.


Did You Already Fall for It?


Both Avira and Sophos offer security products capable of detecting and removing the malware being spread by these online attacks. So if you have the sinking feeling that you may have followed a bad link, you may want to try performing a full system scan using one of their products.


Friday, April 12, 2013

American Airlines Spam Spreads Backdoor Trojan

Webroot is cautioning users not to fall for spam emails posing as a notification from American Airlines stating that their ticket is ready for download.

This spam campaign isn’t exactly new, although previous versions may have had malicious files attached directly to the email itself.

Here’s what the current variant looks like:

 American Airlines Phishing Email



American Airlines

Customer Notification

Your bought ticket is attached to the letter as a scan document.

To use your ticket you should Download It.

The embedded link prompts users to download an executable, “Electronic Ticket.exe”, which only 10 of 46 antivirus engines identified as malware at the time.

Dr. Web antivirus detects the threat as BackDoor.Kuluoz.4. Once it has infected your system, BackDoor.Kuluoz.4 will modify system files, inject itself into system processes and connect to a list of command & control servers.

Did You Get this Spam Email?


If you received a copy of this spam email, it is advised that you:

  • Do not click on any links within the email.

  • Do not download any files that may be attached or linked from this email.

  • Forward a copy of the email, including the header to webmaster@aa.com.

  • Delete the email immediately.


If You Downloaded Any Files...


If you made the mistake of clicking the link or opening any files attached to spam emails resembling the one above, you are advised to perform a full system scan using an antivirus solution offered by one of the following vendors:

Their products are capable of detecting and removing the threat associated with this attack. Be sure to be more careful in the future!


Check Your WordPress Plugins: Social Media Widget Found to be Injecting Spam into Websites

WordPress website owners are being advised to update (or remove) the Social Media Widget plugin following the discovery that it was being misused to inject spam into the websites it was installed on.

According to Sucuri Security, the malicious code that calls the URL, hxxp://i.aaur.net/i.php to inject “Pay Day Loan” spam links on the affected website was added to version 4.0 of the plugin, which was launched about 2 weeks ago.

A thread on plugin’s support forums reveals that the compromise was a result of the owner trusting the wrong developer.

The Social Media Widget plugin was removed from the WordPress Plugin repository after it was found to have been tampered with, but has since been reinstated following removal of the bad code in version 4.0.1.

However, the plugin is quite popular, and there’s no telling how many of the 900k websites it had been installed on are still running the tampered version.

If you have the Social Media Widget plugin installed on your WordPress website, it is strongly advised that you:


Friday, March 29, 2013

Trojan Poses as Flash Player 11 Update, Changes Browser Home Page

Be sure to refer to Adobe’s official website if you’re looking to update Flash Player to the latest version.

There’s a Trojan parading around as a Flash Player 11 update, waiting for the opportunity to sneak onto your computer and change your browser’s home page.

Trojan:Win32/Preflayer.A does its best to trick the unsuspecting end-user by arriving under the name ‘FlashPlayer.exe’ and displaying the following installer window when executed:

 Fake Flash Player 11 installer


While it's not entirely clear why two languages (Turkish and English) are used, the fact that the agreement is displayed without a scrollbar makes sense: there's a disclaimer at the bottom stating that your browser home page will be changed to one of the following upon installation:

  • www.anasayfada.net

  • www.heydex.com


“These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing.” Jonathan San Jose revealed on Microsoft’s TechNet Blog.

Thankfully, driving traffic to these websites appears to be the main goal. Once the user continues the installation, the fake installer downloads and executes a legitimate Flash Installer and changes the home page in Firefox, Chrome, Internet Explorer and Yandex, as promised.

Microsoft has already received over 70,000 reports of this malware in the last week, but given that it is posing as a fake Flash Update, avoiding it should be relatively easy.

  • Only download Flash Updates from adobe.com, and not some random website.

  • Pay attention when installing software, and cancel the installer if anything seems amiss (like the missing scrollbar).


Is Your Computer Infected?


To remove Trojan:Win32/Preflayer.A from your computer, perform a full system scan using antivirus provided by one of the following vendors:

  • Microsoft 

  • McAfee

  • AVG

  • Ikarus


Just keep in mind that additional steps may need to be taken to change your home page in Internet Explorer.


Thursday, March 21, 2013

Yontoo Trojan Installs Adware Browser Plugins to Inject Ads in Webpages

Russian antivirus vendor Dr. Web is warning OS X users about a new Trojan, detected as Trojan.Yontoo.1 (“Yontoo”), that installs adware browser plugins on whatever computer it manages to infect.

Users are often duped into downloading Yontoo after landing on a movie trailer page that prompts them to download & install a [missing] browser plugin, media player, video quality enhancement program or download accelerator.

When launched, Yontoo will display a dialog window  to the victim asking them to install a program called “Free Twit Tube” –

Yontoo Prompts User to Install Free Twit Tube


 

However, Yontoo proceeds to download and install adware plugins for Safari, Chrome and Firefox instead.  As users surf the web, the plugins relay browsing data to a remote server, which then returns a file that enables the Trojan to inject ads (via third-party code) into webpages loaded in the affected browser.

So, for example, when a user visits apple.com on an infected machine, they may see something like this:

Yontoo Trojan Injects Ads into Websites, like Apple.com


 

While Dr. Web’s write-up focuses on the attack targeting OS X users, it is important to note that Windows users are also subject to Yontoo infections, although Symantec classifies Yontoo as a “potentially unwanted app” rather than a Trojan (an app that claims to be one thing when it’s actually another).

Either way, the ol’ “missing plugin” bit is rather old, so don’t fall for it. Be careful what you install on your computer, and always read the installation dialogs.

Removing Yontoo from Your PC


If you’ve already been tagged by the Yontoo Trojan, you can perform a full system scan using one of the following antivirus programs to remove the infection:


Tuesday, March 19, 2013

Watch Out for Mobile Adware Posing as Candy Crush Saga Apps

Think twice before you download apps that claim to offer cheats or guidance for the popular matching game, Candy Crush Saga.

TrendMicro warns that ill-willed developers have started cashing in on the game's popularity by creating fake Candy Crush apps containing the code for the Leadbolt & AirPush ad networks.

AirPush and Leadbolt have gained a poor reputation for their “aggressive marketing practices”, which include pushing ads into the notification/status bar, placing ad-enabled search icons on your home screen, and collecting user information.

In fact, these ad networks (and a few others) have become such a nuisance that developers and mobile security vendors have released apps capable of detecting their presence, so users can determine which apps are displaying the ads on their device (and need to be removed).

TrendMicro’s mobile security app detects the AirPush & Leadbolt ad networks as ANDROIDOS_AIRPUSH.HRXV and ANDROIDOS_LEADBLT.HRY, respectively.

How to Avoid Candy Crush Saga-Themed Adware


As a fan of Candy Crush Saga, I can tell you that a large part of the game relies on luck, so those “cheats” and guides won’t be of much use since the candies aren’t laid out in a specific pattern.  You’ll have to figure it out on your own.

Aside from that, you can gauge the safety of an app by:

  • Checking the number of downloads and the app’s rating.

  • Reading user reviews – usually users will spill the beans on what’s really going on with an app.

  • Doing a little homework on the developer – i.e. Google their name and make sure there aren’t any red flags in the results.

  • Reviewing the app permissions – sometimes the permissions can be hard to gauge (as some legitimate apps require odd permissions), but other times they can throw a big red flag. Either way, look them over and listen to your gut if something seems off.



Monday, March 18, 2013

Experian Spam Used to Spread Data-Stealing Trojan

Don’t open any files attached to emails purporting to be from Experian, claiming that a “key change” has been posted to “one of your three national credit reports.”

Spammers are pumping out Experian phishing emails in an attempt to infect as many computers as possible with malware.

Below is a copy of the email to watch out for:
From: Experian
Subject: IMPORTANT – A Key Change Has Been Posted

Experian

Membership ID #932823422

A Key Change Has Been Posted to One of Your Credit Reports

A key change has been posted to one of your three national Credit Reports. Each day we monitor your Experian, Equifax, and TransUnion Credit Reports for key changes that may help you detect potential credit fraud or identity theft. Even if you know what caused your Report to change, you don’t know how it will affect your credit, so we urge you to do the following:

  • View detailed report by opening the attachment.

  • You will be prompted to open (view) the file or save (download) it to your computer.

  • For best results, save the file first, then open it in a Web browser.

  • Contact our Customer Care Center with any additional questions.


Note: The attached file contains personal data.

Your Experian.com membership gives you the confidence you need to look after your credit. We encourage you to log-in regularly to take full advantage of the benefits your membership has to offer, such as unlimited access to your Credit Report and Score Tracker. Notifications like this are an important part of your membership, and in helping you stay on top of your credit.

*If it has been less than thirty days since you joined Experian.com, your monthly credit statement includes your information for the period of time you have been enrolled.

© 2013 Consumerinfo.com, Inc.

The danger of this email lies in the attached file, Credit_Report_XXXXXXXXX.zip, which contains an .exe file with the same name and a misleading PDF icon. A VirusTotal scan of the .exe reveals that it is actually PWS:Win32/Fareit, a password-stealing Trojan, and not a credit report as the email suggests (big surprise there).
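A mail gateway, or a cautious user, can catch this attachment without an antivirus signature, because the disguise is purely cosmetic: the file is a Windows executable whatever its icon or name says. The following Python example is added for this page (it is not Experian’s, DataProtectionCenter’s or any vendor’s code). It inspects a constructed stand-in for the ZIP; the member contents, the extra “statement.pdf” member and the text file are made up, and the report-style name keeps the page’s XXXXXXXXX placeholder.

```python
import io
import zipfile

# Extensions Windows will run when double-clicked. Double extensions such as
# "report.pdf.exe" rely on Explorer hiding the last one and on an embedded
# PDF icon to complete the illusion.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def inspect_attachment(zip_bytes: bytes) -> list:
    """Look inside a ZIP attachment and report members that are executables,
    judged by extension AND by content. Returns a list of (member, reasons)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                magic = fh.read(2)  # PE files start with the "MZ" DOS header
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
            if len(parts) > 2 and ext in EXECUTABLE_EXTS:
                reasons.append("double extension disguises the file type")
            if magic == b"MZ":
                reasons.append("starts with the MZ header, so it is a Windows executable regardless of name")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_attachment(include_executables: bool = True) -> bytes:
    """Constructed stand-in for the spam attachment (not the real malware): a fake
    PE with the credit-report name, a second fake PE hiding behind a .pdf name,
    and a harmless text file. With include_executables=False only the text file
    is packed, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_executables:
            zf.writestr("Credit_Report_XXXXXXXXX.exe", b"MZ" + b"\x00" * 62)
            zf.writestr("statement.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_attachment(build_sample_attachment()):
        print(member, "->", "; ".join(why))
```

Checking the first bytes is the part that matters: an attacker can rename the file to anything, but a Windows executable still has to begin with the MZ header, and a gateway that quarantines on content rather than on extension also catches the “.pdf” that is really a program.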

Did You Receive This Email?


If this email lands in your inbox, be sure that you:

  • Do not download or open any attached files.

  • Report the email to SpamCop.

  • Delete the email immediately.


Did You Already Open the Attached File?


According to VirusTotal, 29/46 antivirus programs are capable of detecting the threat associated with this spam campaign, so double-check the VT results and make sure your antivirus can catch it. Then run a full system scan and remove any detected threats.

[via DataProtectionCenter.com]

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

Thursday, March 14, 2013

Spam: Surprise! That 40% Apple Discount Coupon is Actually ZeuS Banking Malware

If you get an email offering a coupon to get 40% off Apple products – don’t open the file attached!

Spammers have been sending out emails with bogus coupons that can allegedly be used to shave 40% off the cost of a shiny new iMac, Macbook, or whatever other Apple product the recipient chooses to use it on.

Unfortunately, the only thing enclosed in the file attached to the email, Apple coupon.zip is a copy of the ZeuS Trojan, which will cost the victim money - not help save it - since it steals banking information.

Here's the email to watch out for:

Apple Discount Coupon Spam

From: Apple Inc.
Subject: You are the one!

One out of thousand!

Only 1000 people have been chosen as winners and you turned out to be one of them!

We’d like to offer you a 40% discount coupon for any Apple production (it’s attached to this email). You can buy a MacBook, iPod, iPhone or anything else Apple products you want! All you need to do is print it out and present at the checkout.
So, next time you go to BestBuy, Circuit City or Apple Store you are able to save up to 40% of any purchase of Apple production.

The discount coupon is accepted in Circuit City, Apple Store or BestBuy

All the rules and detailed information about the lottery can also be found in the attachments to this email.

Congratulations!

Did You Get This Email?


If you get an email like the one above, it is recommended that you:

  • Do not download or open any files attached to it.

  • Report the email to SpamCop.

  • Delete the email immediately.


[via Barracuda]


Friday, March 8, 2013

"CIA 'Deleted' Hugo Chavez" Spam Leads to Malware Attacks

Do not let curiosity get the best of you (and your PC) if an email drops in your inbox suggesting that the CIA and FBI played a role in the death of Venezuelan President, Hugo Chavez.

Researchers at Kaspersky Lab intercepted a spam email using said theory to pique the interest of recipients, hoping that they will follow one of the embedded links to a malicious website hosting the BlackHole 2.0 exploit pack.

Below is an example email that Kaspersky researchers warn users not to fall for:
Subject: CIA “DELETED” Venezuela’s Hugo Chavez?

Chavez was a leader who tried to free his people from the grip of people who will do anything to keep the consumer hostage. In the fall of 1988 oil was $15 a barrel and gasoline was 89 cents a gallon. I was called a dupe of Saddam by western media. We posted a video called A War On Children.

Our latest video is What Can You Buy With 5 Trillion Dollars Anything You Want April 2012. The key information in the new video is that $500 billion per year is paid by the United States to oil producing nations. In ten years, five trillion dollars will be paid to oil producing countries for foreign oil. The movement of trillions of American dollars to other countries is a great concern for the security of the United States.

Even in November I said: CIA and FBI Had Planned to Assassinate Hugo Chavez

To no surprise, the exploit code on the malicious sites attempts to leverage a [patched] vulnerability in the Java browser plugin, CVE-2012-0507. If that vulnerability seems familiar to you, it may be because it was the same one used to infect thousands of Macs with Flashback malware in 2012. (See why it’s so important to keep your computer up-to-date?)

The payload dropped was not disclosed; however, 8/46 antivirus programs were able to detect the exploit code, including Kaspersky products.

Tips to Stay Safe


Given that this is an email-based attack, this threat shouldn’t be too difficult to avoid. However, we offer the following bits of advice to keep your PC safe:

  • Always keep your operating system and installed third-party software fully patched and up-to-date.

  • Always run antivirus software that offers real-time scanning and keep the virus definitions current.

  • Do not click hyperlinks embedded in unsolicited emails.

  • Do not download or open files attached to unsolicited emails.

  • Remove Java from your system if it is not needed, or if it is necessary, dedicate a single browser to browsing Java-based websites and disable the Java plugin in all other browsers.

  • Remain vigilant when surfing the web – dangers lurk everywhere!



Friday, March 1, 2013

Disable Java Browser Plugin, New 0-Day Vulnerability Under Attack

It’s starting to feel as if another day means another Java exploit will be found.

FireEye researchers are sounding the alarm after detecting a new Java zero-day vulnerability (CVE-2013-1493) that cybercriminals are actively exploiting in-the-wild.

The security flaw, which FireEye says was used to “attack multiple customers,” can be successfully exploited in browsers with Java 6 Update 41 and Java 7 Update 15 plugins installed.

FireEye researchers offered insight as to how the exploit works:
Unlike other popular Java vulnerabilities, in which the security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in the JVM process.

After triggering the vulnerability, the exploit looks for the memory which holds JVM internal data structures, such as whether the security manager is enabled or not, and then overwrites that chunk of memory with zeros.

Upon successful exploitation, it will download a McRAT executable (disguised as a file called svchost.jpg) from the same server hosting the JAR file and then execute it.

One relatively good thing to note is that FireEye researchers said the exploit is not very reliable, given that it tries to overwrite a big chunk of memory: although the payload is downloaded, it fails to execute and the JVM crashes.

In the event that the attack goes smoothly, McRAT malware (detected by Microsoft as Backdoor:Win32/Mdmbot.F) will be planted on the compromised system.

Keeping Your System Safe


FireEye notified Oracle of this new vulnerability, but advises customers to take one of the following courses of action until a patch is released:

  • Disable the Java plugin in your web browsers, or;

  • Set Java security settings to “High” and do not execute any untrusted Java applets.


Aside from that, it is also recommended that users always run antivirus software on their computers and keep the virus definitions current given that 27/46 antivirus programs are capable of detecting the threat associated with this attack.


Thursday, February 21, 2013

NBC Website Hacked & Dishing Out Malware to Visitors

Update: NBC Website Safe to Visit Again, Said to Have Been Infected for 24hrs

Scan your computer if you went to NBC.com today, and be sure to avoid the NBC website until the coast is clear.

Hackers managed to inject malicious iframes into the NBC website, exposing visitors to third-party websites hosting Java and PDF exploits that drop malware if successfully executed.

The exploits are actively being served and cybercriminals have been continuously swapping out the malicious URLs, according to Hitman Pro blog.
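An added example of how a site operator could sweep their own pages for the kind of injected iframe described above; it is not code from Hitman Pro or NBC, and the HTML fragment and hostnames are constructed placeholders, not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _near_zero(value: str) -> bool:
    """True for width/height values such as '0', '1' or '1px'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_suspicious_iframes(html: str, site_host: str) -> list:
    """Flag iframes that are hidden or near-invisible; record whether
    they also load content from outside site_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if _near_zero(attrs.get("width", "")) or _near_zero(attrs.get("height", "")):
            reasons.append("near-zero dimensions")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if not reasons:
            continue  # visible frames (ads, video players) are out of scope here
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src host " + host)
        findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page fragment; the hostnames are placeholders, not real indicators.
SAMPLE_HTML = """
<html><body>
<h1>Tonight's schedule</h1>
<iframe src="https://video.example-site.test/player" width="640" height="360"></iframe>
<iframe src="http://injected-host.invalid/frame.html" width="1" height="1"
        style="visibility: hidden"></iframe>
<div><iframe src="http://another-host.invalid/" style="display:none"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "example-site.test"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```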

Hitman Pro identified the malware being dropped as Citadel (which is a version of Zeus) & ZeroAccess, both of which have fairly low detection rates. Here are the MD5 hashes & VirusTotal results for the samples collected:

Being that NBC.com has been hacked and is actively serving exploits, users are strongly advised to avoid visiting the website.

Pass the word to your family & friends!



Tuesday, February 19, 2013

iPhone Developer Forum Linked to Facebook, Apple Malware Attacks

If you’re like me, you’ve probably been wondering what websites Facebook and Apple employees were surfing prior to the discovery of malware in their company machines.

How else could the rest of us do our best to avoid the same fate? [On that note, do not visit the website I am about to mention as it could still be infected. It is being disclosed as a warning.]

As it turns out, sources close to the Facebook hacking investigation revealed to AllThingsD that iPhoneDevSDK[dot]com, an iPhone developer forum frequented by iOS development teams of well-known companies, was the website likely used to conduct drive-by-download attacks against Facebook and Apple employees.

The malicious code embedded on the iPhoneDevSDK website exploited a zero-day vulnerability within Oracle’s Java browser plugin in order to plant malware on the machines of Facebook (& possibly Apple) employees.

This type of attack is commonly referred to as a “watering hole” attack. Instead of pursuing victims using poisoned emails, attackers inject malicious code into a website frequented by their targeted demographic. In this case, the targeted demographic happened to be the mobile developers for various companies, including Facebook.

That being said, if you or someone you know has recently visited iPhoneDevSDK, you may want to check if Java is installed on your system. If it is, there's a good chance your system has been compromised. Now would be a good time to check out Apple's security patch related to this attack, as they bundled a malware removal tool with it.


Wednesday, February 13, 2013

New Adobe PDF Reader & Acrobat 0-Day Exploit Spotted

FireEye is warning users not to open PDF files sent from unknown/untrusted sources following the discovery of a new zero-day vulnerability that’s actively being exploited in-the-wild.

The attack begins with a booby-trapped PDF - which may be masquerading as an application for an international travel visa - that drops 2 DLL files on the target machine should the exploit code execute successfully.

“The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks,” FireEye researchers explain in a Tuesday blog post. “The second DLL in turn drops the callback component, which talks to a remote domain.”

Zheng Bu, Senior Director of Security Research at FireEye told Threatpost that this exploit is the first to bypass the sandbox in Adobe Reader X and higher.

FireEye notified Adobe of the bug, and has agreed to avoid posting technical details of the zero-day until further notice. FireEye was able to successfully execute this attack in Adobe Reader 9.5.3, 10.1.5 and 11.0.1.

Adobe is currently investigating the bug and will release an update once they have more information.

Until then, be sure that you do not open PDF files from unknown or untrusted sources.

Update: Adobe has confirmed the vulnerabilities discovered by FireEye & promises to release a patch soon.


Friday, February 8, 2013

Adobe Updates Flash Player to Fix Vulnerabilities Used in Ongoing Attacks

It’s time to update Adobe Flash Player!

Adobe released an emergency patch for Adobe Flash Player to address two vulnerabilities (CVE-2013-0633 & CVE-2013-0634) that are actively being exploited by cybercriminals to spread malware.

Attacks using the CVE-2013-0633 vulnerability involve tricking Windows users into opening a booby-trapped Word document (.doc) containing malicious Flash (SWF) content. The malicious Word documents arrive as an email attachment.

The second vulnerability, CVE-2013-0634, is being exploited in drive-by-download attacks using malicious Flash content and poses a threat to both Windows & Mac OS X users.

Adobe recommends that Linux and Android users update their software even though Windows & OS X are the only ones that appear to be targeted in the ongoing attacks.

Affected Flash Player versions, according to Adobe’s security advisory:

  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh

  • Adobe Flash Player 11.2.202.261 and earlier versions for Linux

  • Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x

  • Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x


Not Sure What Version of Flash Player You Have?


Users that are unsure of what version they’re running can find out by:

  • Visiting the About Flash Player page on Adobe’s website.

  • Right-clicking on content running in Flash Player & selecting “About Adobe (or Macromedia) Flash Player” from the menu.


Be sure to check the version in each web browser installed on your system; just remember that Google Chrome & IE10 will be updated automatically!

How to Update Adobe Flash Player


To update their installation of Adobe Flash Player, users can:


Thursday, February 7, 2013

Malware is Everywhere [INFOGRAPHIC]

We all know that malware lurks around every corner, waiting for us to visit a booby-trapped website or open that zip file attached to an unsolicited email.

Cybercriminals across the globe have been busy creating and tweaking their malware creations, which they then unleash on unsuspecting users to do anything from steal sensitive data to demand ransom fees to partake in click fraud - and more.

What’s an internet user to do?

As they say, knowledge is power, and the folks over at Inspired eLearning have created an infographic to illustrate the dangers associated with malware along with steps that you can take to stay safe.

Malware is Everywhere INFOGRAPHIC

