Information Security Digest, 20.01 – 20.02


Game of Expectations

Kaspersky Lab’s experts detected phishing newsletters that were supposedly advertising the messenger service, WhatsApp, being released for PC.

WhatsApp is an extremely popular messenger for mobile platforms, and its versions seem to embrace all current mobile operating systems including Android, iOS, BlackBerry 10 and Windows Phone. However, there is no app for personal computers.

Attackers therefore tried to exploit the popularity of the messenger to make their campaign a success. Fortunately, they did a poor job of executing it: the message was written in broken Portuguese, too broken for attentive users to be enticed.

A similar campaign may now pay its organizers big dividends, though, after Facebook’s recent announcement that it is buying WhatsApp for $19 billion. Nobody knows whether this will lead to a PC version of the messenger, but sophisticated phishers do not limit themselves to real news; they also exploit anticipated events, so both ordinary and corporate users should beware of new malicious attempts to abuse popular products.



The case of cashiers

Neiman Marcus, which owns an extensive network of department stores, acknowledged that hackers had managed to steal the credit and debit card data of more than 1.1 million customers. According to a publication by Neiman Marcus, the attackers “phished” for data on payment terminals during a three-month period, roughly from mid-July until the end of October 2013. At least 2,400 of the compromised Visa, MasterCard and Discover cards have since been used in fraudulent transactions.

Although the company made no official statement about exactly how the hackers stole the card information, the methodology resembles the hacking of Target’s network in late 2013. Apparently, in both cases POS malware was used to intercept card data while the payment terminals were processing it, before it was encrypted.

Attackers increasingly adopt sophisticated tools (and BlackPOS seems to be a very tricky one) and constantly look for, and find, new flaws in the IT systems of potential victims.

The main question is how the attackers found a way to infiltrate payment terminals, given that they are usually very well protected. The protection methods proved insufficient: even detection of the attack was not immediate, and the blow was delivered from an unexpected direction.



Chronicles of vain victories

The Syrian Electronic Army often makes the news in relation to information security. In late January, this group successfully hacked CNN’s social network accounts including seven Twitter accounts and two Facebook accounts.

Microsoft also made a similar admission by acknowledging that some of its employees’ social media and email accounts had recently been hit by phishers. Several official blogs were compromised, too. On the day of the hack, Microsoft had presented a new design of its official blogs. There was no better chance to embarrass the company and the hackers took advantage of it.

In early February, the Syrian Electronic Army announced an attack on Facebook. They altered the domain’s nameserver records and the email address of the domain’s owner (the values of both fields are visible via whois). Changing the nameservers makes it possible to redirect users to any other resource (which the Syrian Electronic Army does regularly). The social network’s operations were not interrupted, and the domain record was restored almost immediately after Facebook’s administrators learned of the incident.

The only question that remains is how exactly the SEA managed to accomplish what they did.

Details: [1], [2]


Yahoo! fails again

Yahoo! has once again suffered a hacker attack leading to a data leak. Through “a coordinated effort”, unknown attackers managed to gain unauthorized access to Yahoo! Mail accounts, including logins and passwords. The attack was aimed at a third-party database, i.e. the data was not stolen from Yahoo!’s own servers.

The company chose to say nothing about the scale of the attack and the size of the loot.

This was not the first time Yahoo! fell victim to hackers and suffered a data leak. In 2012 and 2013 the company’s mail service was attacked twice; in May the Yahoo! Japan subdivision endured a break-in attempt that gave hackers 22 million user IDs (without passwords). Finally, during the Christmas holidays it became clear that some banners in its advertising network were infected with malicious scripts hidden in an iframe. Users were redirected to a site furnished with Magnitude, an exploit kit targeting Java vulnerabilities. As with the latest attack, a third party was involved, but the ultimate responsibility still fell on Yahoo!.



The Mask revealed

Kaspersky Lab uncovered an extremely sophisticated APT campaign organized by a group of hackers to attack high-level nation-state government agencies, embassies and diplomatic offices as well as energy companies. The criminal group behind the campaign was engaged in stealing sensitive data such as encryption keys and SSH keys, along with other data from the attacked machines.

Researchers said the attackers behind the Mask are Spanish-speaking and have gone after targets in more than 30 countries around the world. Many, but not all, of the victims were in Spanish-speaking countries, and the attackers had at least one zero-day in their arsenal, along with versions of the Mask malware for Mac OS X, Linux, and perhaps even iOS and Android. Most malicious programs are now written for Windows and (in the case of mobile malware) Android, and there is still a common belief that malware for Mac OS X, Linux and iOS simply does not exist. Unfortunately, it does.

The hackers attacked victims with spear-phishing emails that lured users to a malicious website containing exploits, some of which were reachable only via direct links sent to the attack victims.

Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation, which had been running since 2007, was shut down last week within a few hours of a short blog post in which the researchers published details of the Mask campaign. This does not mean that the attackers cannot resurrect the operation within a few hours, though.



The Moon circulating

A self-replicating worm is spreading among a number of different Linksys home and small-business routers. SANS released an early list of routers that could be vulnerable, depending on the firmware version they are running: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. It is not yet clear whether there is a malicious payload or whether the worm connects to a command and control server. At the moment, the worm appears to be doing little more than scanning for other vulnerable routers and seeding itself.

It is worth mentioning that malicious programs attacking routers are still rare, but they are being reported more often now. A router is at once the most important and the most overlooked component of a wireless network: it processes all the traffic, yet users often retain the default settings and do not even bother to change the password.

We recently wrote about a botnet that consisted largely not of computers but of routers and home appliances with integrated smart modules. Whether you like it or not, the Moon worm makes you reconsider ignoring the security of such devices.



Do not reuse passwords

Kickstarter officials reported their site was broken into by unknown intruders. The hackers managed to steal a variety of user data, including usernames, addresses, email addresses, phone numbers and encrypted passwords.

The service’s users received recommendations to immediately change their passwords to Kickstarter as well as to other resources where the same passwords might have been used. The attackers were not able to get credit card numbers.

Kickstarter is a popular crowdfunding platform. It handles financial transactions, so hackers have a definite interest in breaking into it. It is important to note that the service’s administrators managed to keep credit card numbers away from the thieves. But personal data can still be used against users, for example in phishing attacks, and modern computing power allows short and simple passwords to be cracked in a fairly short time. So this leak cannot be considered harmless.



Thief in a decent suit

On several popular sites, researchers detected a malicious application designed to steal Bitcoin wallet credentials and keys. The price ticker apps for Bitcoin and Litecoin, Bitcoin Ticker TTM (To The Moon) for Mac and Litecoin Ticker, were hosted on popular download sites and turned out to be fronts for the OSX/CoinThief Trojan (which, as the name suggests, was designed for Mac OS X). At least a few dozen people downloaded these applications and evidently lost some Bitcoins.

It should be noted that the Trojan was also discovered on another perfectly legitimate resource, GitHub, which hosts the source code of a great deal of software. Researchers found StealthBit, which posed as an app for sending and receiving payments via Bitcoin Stealth Addresses. The attackers hosted both the source code and a pre-compiled build of StealthBit in the repository, and the two did not match: the pre-compiled app contained the CoinThief malware, which was absent from the source code.



Pictures with payload

A newly discovered variant of the Zeus banking Trojan retrieves a crucial piece of its configuration by downloading a picture, a JPG file. As it turned out, the authors of the new ZeusVM took an arbitrary image from the Web and added hidden data to it. The data added by the cybercriminals had been encoded with Base64 and then encrypted with the RC4 and XOR algorithms. When decrypted, the file reveals the banks targeted, including Deutsche Bank, Wells Fargo and Barclays. Using this list, ZeusVM monitors victims’ visits to online banking systems, intercepts their data and uses it to conduct fraudulent transactions.

Steganography as a way to disguise malicious code is not new, but it is still an effective trick for bypassing defenses. Pictures rarely come under suspicion, but companies are now going to have to pay greater attention to JPG files.
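The following is an added triage example, not code from the original digest or from the malware: it walks a JPEG’s marker segments to the real End-Of-Image marker, flags any bytes appended after it, and peels off the layering described above (XOR, then RC4, then Base64) to recover the embedded configuration. The keys, the config string and the minimal JPEG are constructed placeholders, not values from ZeusVM.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one function both encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def trailing_data(jpeg: bytes):
    """Walk the marker segments to the genuine EOI and return the bytes after it (None if
    the file ends cleanly). Walking, rather than searching for FF D9, avoids stopping at an
    EXIF thumbnail's own EOI. Bytes past EOI are the first thing to flag in image triage."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                                      # genuine EOI
            return jpeg[pos + 2:] or None
        pos += 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")  # skip segment payload
        if marker == 0xDA:                                      # SOS: entropy-coded data
            while pos + 1 < len(jpeg):                          # advance to the next real marker,
                if jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break                                       # ignoring stuffed FF00 / RSTn
                pos += 1
    raise ValueError("no EOI marker found")

def decode_config(extra: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Undo the layering in reverse order: XOR, then RC4, then Base64."""
    return base64.b64decode(rc4(rc4_key, xor(extra, xor_key)))

RC4_KEY, XOR_KEY = b"placeholder-rc4-key", b"\x5a"   # constructed placeholders, not real keys
FAKE_CONFIG = b"targets=deutschebank.example;wellsfargo.example;barclays.example"  # constructed
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"     # minimal SOS header
              b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")        # fake scan data, then EOI

def build_sample() -> bytes:
    """Constructed carrier image: clean JPEG plus the layered config appended after EOI."""
    return CLEAN_JPEG + xor(rc4(RC4_KEY, base64.b64encode(FAKE_CONFIG)), XOR_KEY)
```

Run `decode_config(trailing_data(build_sample()), RC4_KEY, XOR_KEY)` to recover the constructed config; on a real sample the keys have to come from analysis of the Trojan itself.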


The past four weeks provide a lot of food for thought. The first thing that catches the eye is the growing number of exotic, previously atypical malware distribution methods and new attack techniques. It is also clear that attackers have become increasingly interested in businesses and in the biggest trophies. Data leaks affecting a million victims have started happening too often to be considered particularly outstanding. Financial information and banking access codes are no longer the only data leaking; hackers gladly steal ordinary user data, too.

It is also evident that more malicious programs are emerging for platforms previously considered safe, primarily those developed by Apple. With cybercriminal intentions shifting toward earnings, we should expect an increasing amount of malware for operating systems less popular than Windows.