A Week in the News: Apple Ransomware

May 30, 2014

It was a short week in the United States on account of the Memorial Day holiday on Monday. As is generally the case, short weeks are uneventful in the security news business. However, we’ve got a few stories for you: specifically, an Apple-device targeting ransomware and a new hybrid malware emerged, and there was a small security incident involving the Spotify Android application.


More Ransomware

As we reported yesterday, a new piece of ransomware is making the rounds targeting Apple users on both the OS X (Mac) and iOS (mobile) operating systems. There hasn’t been any real confirmation yet, but the overwhelming consensus is that the attackers have compromised their victims’ iCloud accounts and are locking users out of their devices from there.

If you want the full story, you can read about it on Threatpost or the Kaspersky Daily. Briefly put, this Apple threat is preventing users in and around Australia from accessing any of their applications and demanding a payment of between $50 and $100. It would be no surprise if this ransomware migrated to other continents in the coming days and weeks.

Because we’ve already written about it very recently and there is nothing to add to the story, I will only pass along and elaborate on some paraphrased advice from Kaspersky Lab Expert, Christian Funk:

  1. When creating an Apple ID, make sure your Apple ID username is different from your email address. This will make it harder for an attacker to guess your username, which he or she will need to do before guessing your password and ultimately compromising your account.
  2. Make sure you set up secret questions and answers to recover your account. You should also set up two-factor authentication (see video below).
  3. Be wary of phishing attacks. Never enter your password into a field on a website you have followed a link to. Always navigate directly to a site before entering a password into it. Also, make sure you use good passwords. And remember that if the email account you use to recover iCloud becomes compromised, so does your iCloud account.
  4. Never pay money to unlock a device. Use available services to whatever extent you can. Start with a password reset using iForgot. If that doesn’t work, then contact Apple support. If things get dire, you may have to wipe or restore your iPhone. You can also find out how to do that from the Apple support link above.

Hybrid Malware

Crimeware is a subcategory of malware that is developed and put up for sale on the criminal underground – basically mimicking the legitimate software business. If you were a bad guy and you wanted a piece of malware that steals online banking credentials, you could go to a hacking forum and buy a license for one of these kits. Crimeware kits are incredibly popular because, in part, they let criminals with little or no technical background launch targeted malware attacks.

Two of the most infamous crimeware kits are Zeus, which is highly customizable but predominantly used to pilfer various types of login credentials, and Carberp, which essentially does the same, though with a variety of different features. I wrote extensively about both being used as banking trojans if you’re interested in a bit of further reading.

Researchers recently discovered a hybrid Trojan combining the finer points of Zeus and Carberp. Malware writers breed their wares like dogs these days, mixing appealing qualities from one with another in order to develop particularly effective strains, so this isn’t especially uncommon. However, this is an interesting story for two reasons. One: these were two of the most popular pieces of malware out there at one point. Two: both Carberp and Zeus were once exclusively pay-to-play crimeware kits, and expensive ones at that. Each then had its source code leaked and essentially became public domain. So this new piece of malware, Zberp, is a mix of two open-source malware code bases.

Spotify Breach

This last bit is a minor incident, but in slow weeks we talk about obscure news. The popular music streaming service Spotify will soon ask users of its Android application to update to the newest version of that app. The reason for this is that someone accessed the company’s systems without authorization. Some users will be asked to change their passwords.

Beyond that, the company says it is aware of only one customer whose data was accessed. They claim to have contacted this person and that no financial data or password-related information was compromised.

You should definitely go over to the Google Play store and download the latest version of the Spotify app if you use it on your Android device. You may also want to just go ahead and change your password out of an abundance of caution.

Something to Look Out For

I’ve actually left out the most significant story of the week, because I think it goes above our pay grade a bit. That said, an open-source encryption service called TrueCrypt yesterday posted an ominous note on its website warning users that the service was not secure and it would receive no further development.

Beyond that, there has been no explanation as to what is going on. Speculation and conspiracy theories are rampant. As of now, the case of TrueCrypt remains a mystery and a story to keep an eye on.