In this blog post we will look deep into a spam campaign where, unlike other possible scenarios, the victim is infected by opening and running an email attachment. At the beginning of this year, we blogged about a spam campaign with a different spam message, a fake email from the popular WhatsApp messenger. This time we will look at a spam email which tries to convince the victim that it originates from their bank. The malicious email contains content similar to the following:
Subject: FW: Bank docs
We have received this documents from your bank, please review attached documents.
Recently, we discovered an account on GitHub, a hosting service for software development projects, with interesting contents. The account contains several projects; one of the latest is called Banks, and it has interesting source code. The account contains information like a user name, photo, and email address, but we cannot tell who the person in the picture is. He might not be related to the contents at all: it could be a fake picture or a fake name, or his account may simply have been hacked, his identity stolen, and the Banks repository created by someone else without his consent. In this blog post, we will explore the source code in detail.
When we downloaded the repository, we found several directories: GoogleService and fake applications imitating the mobile applications of five major Korean banks (NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank and Woori Bank).
We previously published two blog posts with analyses of the above-mentioned fake applications.
When we look at the GitHub statistics, the Punchcard tab tells us at what times the creators were most active. From the chart below you can see that Saturday mornings and evenings and Sunday evenings were the most active times for commits of new versions. It seems that the authors of this application do the development as a weekend job. At the time of writing this blog post, the last update of the fake bank applications was at the beginning of January 2014.
This is not the first attack against users of Korean banks. About a year ago, we published this analysis.
GitHub, the web-based hosting service for software development projects, offers a lot of interesting content which, depending on the repository settings, can later be found and accessed by virtually anyone, including Google's crawlers. We managed to find the above-mentioned repository simply by Googling strings which occurred in a malicious Android application.
In February, we looked at the first part of the fake Korean bank application analysis along with Android:Tramp (TRAck My Phone malicious Android application), which uses it. In this blog post, we will look at another two Android malware families which supposedly utilize the same set of fake Korean bank applications. At the end of this article, we will discuss the origin of the malware creators.
Analysis of Android:AgentSpy
It is interesting to search for references to the bank applications' package names: KR_HNBank, KR_KBBank, KR_NHBank, KR_SHBank, KR_WRBank. One reference leads to a malicious application called Android:AgentSpy. The infection vector of this application was described by Symantec, contagio mobile and Alyac. We will not delve into details; we will just mention that the malicious application is pushed to a connected mobile phone via ADB.EXE (Android Debug Bridge). The uploaded malicious file is called AV_cdk.apk.
Android:AgentSpy contains an activity (MainActivity), several receivers, and a service (CoreService).
The receivers monitor android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT and, if one of these is received, start CoreService. They also monitor attempts to add or remove packages (android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REMOVED).
1) Regularly calls home and reports the available connection types (wifi, net, wap), the IMSI, and the installed bank apps.
2) Regularly polls the C&C and responds to the following commands:
- sendsms – sends an SMS to a given mobile number
- issms – whether to steal received SMS or not
- iscall – whether to block outgoing calls
- contact – steals contact information and uploads it to the C&C
- apps – lists the installed bank apps
- changeapp – replaces the original bank applications with the fake bank applications
- move – changes the C&C server
Monitors new outgoing calls. If android.intent.action.NEW_OUTGOING_CALL is received, information about the outgoing call is sent to the C&C.
Contains the C&C URL, the names of the bank packages (string array bank), the names of the fake bank packages (string array apkNames), and a reference to the conf.ini configuration file.
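The receiver actions and bank package names listed above are exactly the kind of static indicators a triage script can look for before any dynamic analysis. The following is an added example written for this post, not Avast's analysis code: it parses an AndroidManifest.xml with the standard library, collects the intent actions each receiver registers, checks an extracted string set for the bank package names, and only calls the sample suspicious when several of the behaviours co-occur. The manifest, the receiver names and the string set are constructed for the example; they are not taken from AV_cdk.apk.

```python
# Added example (not Avast's analysis code): static triage of an Android
# manifest for the receiver/intent-action pattern and bank package
# references described for Android:AgentSpy. The manifest below is
# constructed for the example; it is not the manifest of AV_cdk.apk.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree attribute key for android:name

# Intent actions named in the analysis above, grouped by the behaviour
# they indicate.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}
PACKAGE_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}
CALL_ACTIONS = {"android.intent.action.NEW_OUTGOING_CALL"}

# Package names of the targeted bank apps, as listed in the post.
BANK_PACKAGES = {"KR_HNBank", "KR_KBBank", "KR_NHBank", "KR_SHBank", "KR_WRBank"}

# Constructed sample manifest (assumption: the receiver names are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".CoreService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PackageReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def receiver_actions(manifest_xml):
    """Map each <receiver> android:name to the actions its intent-filters declare."""
    root = ET.fromstring(manifest_xml)
    return {
        recv.get(NAME): {a.get(NAME) for a in recv.iter("action")}
        for recv in root.iter("receiver")
    }


def triage(manifest_xml, apk_strings=()):
    """Return {'findings': [...], 'verdict': 'suspicious' | 'clean'}.

    apk_strings is the set of string constants extracted from the APK
    (for example with apktool); it is used to spot the bank package names.
    """
    declared = set()
    for actions in receiver_actions(manifest_xml).values():
        declared |= actions

    findings = []
    if declared & PERSISTENCE_ACTIONS:
        findings.append("restarts on boot/unlock (persistence)")
    if declared & PACKAGE_ACTIONS:
        findings.append("watches package install/removal")
    if declared & CALL_ACTIONS:
        findings.append("intercepts outgoing calls")
    hits = BANK_PACKAGES & set(apk_strings)
    if hits:
        findings.append("references Korean bank packages: " + ", ".join(sorted(hits)))

    # Each item alone has benign uses; the combination is what matches the
    # AgentSpy profile, so require at least three before flagging.
    verdict = "suspicious" if len(findings) >= 3 else "clean"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, apk_strings={"KR_HNBank", "KR_KBBank", "conf.ini"})
    print(report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

The threshold matters: a single BOOT_COMPLETED receiver is common in legitimate apps, so the script reports one finding for such a manifest but still returns a clean verdict; it is the boot receiver plus the package watcher plus the outgoing-call hook plus the bank package strings together that reproduce the profile described in the analysis.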
Analysis of Android:Telman
One more Android malware family which uses the fake bank applications is called Android:Telman. Similarly to Android:Tramp and Android:AgentSpy, it checks for installed packages of the above-mentioned banks.
About a year ago, we published this analysis of a pharming attack against Korean bank customers. The banks targeted by the cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform but also on the Android platform. In this blog post we will look at the fake bank applications and analyze several malware families which supposedly utilize them.
Original bank application
We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.
I am quite surprised at how inventive people can be when it comes to thinking up weak passwords. Obviously weak combinations like '1234' or 'qwerty', along with names and phone numbers, are quite common parts of passwords.
The story begins with me fighting a familiar piece of malware, Bicololo, which is spyware designed to steal the identities of users of Russian social networks. A routine task, you might say. This time the authors were less cautious with the settings on their rogue servers, so I managed to get hundreds of freshly stolen credentials. What to do with them? The first thing I tried was contacting the support of the affected social network to get the users warned and their passwords reset. Unfortunately, my effort met no success there; they did not even bother to answer my mail! So instead of getting to warn hundreds of innocent users of the Russian social network, I used this unique opportunity to analyze the habits users have regarding their passwords and share it with our AVAST readers.
Once I cleaned up the data, I was left with about 850 unique username-password pairs. This is not enough for the results to be widely representative. The data was obtained from a rather specific group of (less experienced) users whose lack of knowledge allowed their computers to be infected. I expect the general reality to be a bit better than my results. Though my findings are not scientifically rigorous, they can give us some insight into the problem and show us examples we should avoid when choosing our passwords.
A low-tech type of identity theft is threatening Facebook users in South Africa. Facebook “cloning” has been around for years, but has had a revival this past week. We learned about it in a personal way – the brother of an Avast colleague, Richard B. from South Africa, had his profile cloned and notified Richard.
The way it works is that a cybercrook copies the victim's profile photos, then uses them to create fake accounts. Then, using the victim's details, friendship requests are sent to the victim's friends. The clue that something fishy is happening comes when you receive the request but thought you had already 'friended' that person. One Facebook user explained in an article on ENCA.com that he received a friendship request from his sister while she was sitting next to him.
Cloned accounts can be used to send spam messages, initiate scams, and possibly steal personal information that could be used for more serious identity theft. In the recent cases, there are reports that once the request has been accepted, the scammer starts soliciting money from ‘friends’.
It can also be used for social media sabotage. An experiment conducted in 2011 showed that the implications of this type of social engineering range from mere trickery to damaging reputations. You see, through the ‘trusted friends’ password recovery feature, it is possible that someone can reset your password and gain access to your account.
Check privacy settings and be cautious about who you friend and what you share. This video explains about the recent attacks and how to avoid your profile being cloned.
How’s this for a good phishing scam? Everything seems legit:
1. From email is “email@example.com”
2. No misspelled words and has decent grammar (however, some punctuation inconsistency)
3. Copyright (c) symbol next to the university name
4. Gmail did not filter it as spam, but left it in my normal inbox
Yes, if I had ever attended that particular university, I might have fallen for it.
PLEASE NOTE: University of Texas has nothing to do with this email.
It’s that time of year again for Americans. You have received your W-2 and are eager to file your tax return, especially if you anticipate a refund. Every year, the Internal Revenue Service (IRS) warns taxpayers to beware of phishing scams used by con artists to steal your identity, cash, and sense of security. This year is no different.
Phishing takes many forms, but usually involves unsolicited email or messages via social media and a fake website that poses as a legitimate site. The danger is that if you follow the link the scammers provide, you could end up with a malware infection, such as a Trojan that logs your keystrokes and allows a hacker to gain access to your bank accounts, or you could provide valuable personal and financial information that exposes you to identity theft. Here are some recent examples:
Classic phish: Last tax season, a bogus email warned recipients they would be penalized up to $10,000 for not filing their taxes by a false deadline of January 31st. They were instructed to follow a link which went to a phony site that appeared to be the official IRS website. They were asked to provide personal or financial information that could be used by scammers and identity thieves.
Don't be misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov.
Question of the Week: I’m a gamer who also banks and shops online. Am I at risk for identity theft?
Your activities online can potentially make you more vulnerable to identity theft. How many times a month do you access your bank account online? How many email addresses do you have? Do you like to try previews of new games? These questions can help you determine your exposure to identity theft.
According to the Federal Trade Commission, it takes people an average of six months and 200 hours to recover from identity theft.
StaySafeOnline, the organization behind National Cyber Security Awareness Month, of which Avast is a proud champion, has an Online Identity Risk Calculator that can help you know if you’re at risk. Players answer some questions to find their personal identity risk score and get practical tips on keeping their online identity protected. Play now!
Cybersecurity begins with STOP. THINK. CONNECT. These three simple steps are the starting point for staying safer and more secure online.
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems. An obvious step is to install antivirus protection. For the risk averse, we suggest avast! Internet Security with SafeZone, an isolated environment that keeps your sensitive transactions private.
- THINK: Take a moment to be certain the digital path ahead is clear. Watch for warning signs and consider how your online actions could impact your safety or your family’s.
- CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.
Avast Software is proud to be a champion that supports National Cyber Security Awareness Month with news and tips on how, together, we can make a safer digital society.
Recently, we've noticed too many legitimate domains popping up in our URL filters as serving malware. At first we thought we had a huge false-positive (FP) problem, but after analysis we found a pattern.
All of the referring links came from the Russian Odnoklassniki server, a quite popular Russian social network. Users of that network are getting fake messages with links to photos.