Are malware authors targeting people via marketing services?

We spotted an interesting case of a person complaining about e-mail malware with social engineering content which hits home almost too well, and decided to investigate a bit.

The person had been talking to his friend about possibly booking tickets to San Francisco in near future. And 6 hours after the phone call he got an e-mail about an electronic plane ticket to San Francisco with an attachment. The person was cautious enough not to touch the attachment, which was a good decision, as in our analysis it was identified as a variant of Trojan.Krypt.AU.

This may be just a case of mass spammed malware and with social engineering text which hit this particular user at just exactly the right moment. But when we checked our sample collection, there was only 1250 instances of related malware, which would indicate that this particular malware is not being spammed to large audiences. And thus possibilities of getting exactly the right hit are very small.

Over the last year providers of targeted advertising have become a lot better at profiling users. For example, when I have been browsing for flight or hotel information. I have started to receive e-mail about flight and hotel offers in that particular destination from Trip advisor and other companies. Of course in order to experience this one has to have Freedome disabled, so that I can be tracked, but that is the price of wanting to experience the net like a regular user.

So this case looks very much like some targeted advertising services were misused for victim discovery by malware authors. We have seen advertising misused a lot with search engines, but this is the first case where we have indications that e-mail advertising services would be used in similar manner.

So far there is no proof the victim selection was done by abusing targeting profiling, and if profiling was used, was it based on phone call analysis. Perhaps the person searched for something which provided a match for profilers. But this is an interesting case and we will be keeping an eye out for future developments.

Fake Delta e-mail

Post by — Jarno

On 26/09/14 At 11:38 AM

More here

Posted in Uncategorized | Leave a comment

Medical Records Theft and Fraud

There’s a Reuters article on new types of fraud using stolen medical records. I don’t know how much of this is real and how much is hype, but I’m certain that criminals are looking for new ways to monetize stolen data.

More here

Posted in Uncategorized | Leave a comment

BlackEnergy 3: An Intermediate Persistent Threat

We have a new white paper available.

BlackEnergy & Quedagh: The convergence of crimeware and APT attacks

The convergence of crimeware and APT attacks

The paper’s author, Broderick Aquilino, first wrote about BlackEnergy in June:

  •  BlackEnergy Rootkit, Sort Of
  •  Beware BlackEnergy If Involved In Europe/Ukraine Diplomacy

BlackEnergy is a kit with a long history and this new analysis is quite timely. In fact, malware researchers Robert Lipovsky and Anton Cherepanov from ESET will present a BlackEnergy paper at Virus Bulletin today.

Broderick’s latest concurrent analysis focuses on a variant he has dubbed “BlackEnergy 3″. Among BE3′s new features is support for proxy servers when connecting to C&Cs. In this case, the proxies are based in Ukraine and there is compelling evidence the Quedagh gang is targeting Ukrainian government organizations.

Who is behind BlackEnergy 3? Here are some theories:

1) The Kremlin is directly responsible and using a crimeware kit provides plausible deniability.
2) Useful idiots (as in purely political patriotic hacktivists).
3) Current or former cyber-criminals (aka privateers). BE3 is evolving to reflect “market” interests.
4) All of the above.
5) Perhaps all of this is wrong and it’s the Dutch (it’s not the Dutch).

Whomever is behind Quedagh’s campaign, they’re using what is (or at least was) generally considered to be a “commodity threat” to achieve “advanced persistent threat” goals. This appears to be a trend.

Why Quedagh?

Quedagh Merchant

Quedagh Merchant is the name of a ship which was captured by Captain William Kidd, an infamous 17th-century Scottish privateer.

Privateering was a way of mobilizing armed ships and sailors without having to spend treasury resources or commit naval officers.

Our working theory is that the emergence of “intermediate persistent threats” such as BlackEnergy 3 is being driven by market forces and that cyber-criminals are expanding their capabilities into espionage and commoditized information warfare.

On 25/09/14 At 04:50 PM

More here

Posted in Uncategorized | Leave a comment

Notice: Freedome v2.0.1 Issue on iOS 8

If you (like me) have an Apple device running iOS 8 and use F-Secure Freedome, please avoid updating to version 2.0.1.


If you (like me) have already updated, you may see this after opening the app:

Freedome 2.0.1 on iOS 8

Do not “Remove Old VPN configurations”— just close the app. Version 2.0.1 should work with its existing configurations.

If you need to toggle Freedome on/off…

Use: Settings, General, VPN. Click the info button for your configuration and toggle “Connect On Demand”.

iOS 8 VPN settings

You’ll be limited to only the locations that you currently have installed. But the ones that you have should work based on my testing.

The developers have already submitted a fixed version (v2.0.2) to Apple earlier this morning which is pending Apple’s review. More details are available from our community forum. Also, Freedome’s Twitter account.

We are very sorry for the inconvenience.

Post by — Sean

On 23/09/14 At 01:45 PM

More here

Posted in Uncategorized | Leave a comment

CosmicDuke and the latest political news

After we had published the CosmicDuke report in July 2014, we continued to actively follow the malware. Today, we discovered two new samples that both leverage timely, political topics to deceive the recipient into opening the malicious document.

The first one discusses the Ukraine crisis and EU sanctions over Russia and the original document was published here less than a week ago

The topic of the second document is definitely focusing on current affairs: Scotland votes on independence today. The original article was published early this week. Here is the decoy document:

It is obvious that the attackers are keeping abreast of the latest political news, and they are very agile: they have the capability and capacity to rapidly utilize the information to increase the odds of social engineering.

If you are interested in learning more about CosmicDuke, these latest samples, as well as other interesting discoveries, will be discussed in detail at T2, an information security conference during October 23-24 in Helsinki, Finland.

On 18/09/14 At 09:13 PM

More here

Posted in Uncategorized | Leave a comment

Tracking People From their Cell Phones with an SS7 Vulnerability

What’s interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.

More here

Posted in Uncategorized | Leave a comment

Why do Apple’s security questions still suck?

It’s been two weeks, so why do Apple’s security questions still suck?

Here’s an example of questions you’ll be asked when you create an Apple ID:

Apple Security Questions

And here’s the full list…

Security Question 1:

  •  What is your favorite children’s book?
  •  What is your dream job?
  •  What was your childhood nickname?
  •  What was the model of your first car?
  •  Who was your favorite singer or band in high school?
  •  Who was your favorite film star or character in school?

Security Question 2:

  •  What was the first name of your first boss?
  •  In what city did your parents meet?
  •  What was the name of your first pet?
  •  What is the first name of your best friend in high school?
  •  What was the first film you saw in the theater?
  •  What was the first thing you learned to cook?

Security Question 3:

  •  What is the last name of your favorite elementary school teacher?
  •  Where did you go the first time you flew on a plane?
  •  What is the name of the street where you grew up?
  •  What is the name of the first beach you visited?
  •  What was the first album that you purchased?
  •  What is the name of your favorite sports team?

The problem is painfully obvious — the questions are far too subjective or else are based on easily obtainable information.

What then does one do?

Whatever the question, create a nonsense answer. But then you’ll have another problem… you’ll forget the nonsense when needed.

So what next then?

Use your password manager’s note field:

Childhood nickname? SvenHjerson

Hopefully you’ll never need to use your answer — make sure nobody else can either.


For related advice, please see our article on dealing with passwords.

On 16/09/14 At 01:46 PM

More here

Posted in Uncategorized | Leave a comment

We Need More Than Penetration Testing

Last week I read an article titled  People too trusting when it comes to their cybersecurity, experts say by Roy Wenzl of The Wichita Eagle. The following caught my eye and prompted this post:

[Connor] Brewer is a 19-year-old sophomore at Butler Community College, a self-described loner and tech geek…

Today he’s what technologists call a white-hat hacker, hacking legally for companies that pay to find their own security holes. 

When Bill Young, Butler’s chief information security officer, went looking for a white-hat hacker, he hired Brewer, though Brewer has yet to complete his associate’s degree at Butler…

Butler’s security system comes under attack several times a week, Young said…

Brewer and others like him are hired by companies to deliberately attack a company’s security network. These companies pay bounties if the white hackers find security holes. “Pen testing,” they call it, for “penetration testing.”

Young has repeatedly assigned Brewer to hack into Butler’s computer system. “He finds security problems,” Young said. “And I patch them.”

On the face of it, this sounds like a win-win story. A young white hat hacker does something he enjoys, and his community college benefits from his expertise to defend itself.

My concern with this article is the final sentence:

Young has repeatedly assigned Brewer to hack into Butler’s computer system. “He finds security problems,” Young said. “And I patch them.”

This article does not mention whether Butler’s CISO spends any time looking for intruders who have already compromised his organization. Finding security problems and patching them is only one step in the security process.

I still believe that the two best words ever uttered by Bruce Schneier were “monitor first,” and I worry that organizations like those in this article are patching holes while intruders maneuver around them within the compromised network.

More here

Posted in Uncategorized | Leave a comment

Two New Snowden Stories

New Zealand is spying on its citizens. Edward Snowden weighs in personally.

The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom.

More here

Posted in Uncategorized | Leave a comment

A Twitch of Fate: Gamers Shamelessly Wiped Clean is a video gaming focused live streaming platform. It has more than 50 million viewers and was acquired by in August for nearly a billion dollars.

We recently received a report from a concerned user about malware that is being advertised via Twitch’s chat feature. A Twitch-bot account bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as “Counter-Strike: Global Offensive” items:

items (165k image)

The link provided by the Twitch-bot leads to a Java program which asks for the participant’s name, e-mail address and permission to publish winner’s name, but in reality, it doesn’t store those anywhere.

Those who have fallen victim to this fake giveaway will be shown this message after entering their details:

congrats (17k image)

After this message, the malware proceeds to dropping a Windows binary file and executing it to perform these commands:

  •  Take screenshots
  •  Add new friends in Steam
  •  Accept pending friend requests in Steam
  •  Initiate trading with new friends in Steam
  •  Buy items, if user has money
  •  Send a trade offer
  •  Accept pending trade transactions
  •  Sell items with a discount in the market

This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry. It even dumps your items for a discount in the Steam Community Market.

Previous variants were selling items with a 12% discount, but a recent sample showed that they changed it to 35% discount. Perhaps to be able to sell the items faster.

code_sell_discount (67k image)

Being able to sell uninteresting items will allow the attacker to gather enough money to buy items that he deems interesting. The interesting items are then traded to an account possibly maintained by the attacker.

Victims have reported in that their items were being traded to this Steam account without receiving anything in return:

steamaccount (113k image)

All this is done from the victim’s machine, since Steam has security checks in place for logging in or trading from a new machine. It might be helpful for the users if Steam were to add another security check for those trading several items to a newly added friend and for selling items in the market with a low price based on a certain threshold. This will lessen the damages done by this kind of threat.

On 12/09/14 At 11:29 AM

More here

Posted in Uncategorized | Leave a comment