
Closing the cybercrime superstore and more news of the week

Avast Security News Team, 17 May 2019

Europol busts an international cyber syndicate; spyware infects WhatsApp; Forbes online subscribers get hacked; and Zombieload rises.

Europol takes down cybercrime supermarket

In a joint effort by six countries, Europol led a complicated international operation to take down the GozNym malware cybercriminal network. The network preyed on over 40,000 victims from whom it attempted to steal a collective $100M. A federal grand jury in Pittsburgh indicted ten members of the criminal network on charges of conspiring to infect victims’ computers with GozNym malware designed to capture banking credentials, use the stolen credentials to gain fraudulent access to the victims’ accounts, and steal and launder money from those accounts. The bust entailed cooperation from Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States.

The GozNym network is an example of “cybercrime as a service,” where bad actors with specific criminal skill sets team up to form a full “assembly line” of crime. This consists of the leader of the network, the developer of the malware, “crypters” who encrypt the malware so it can’t be detected, spammers who distribute the malware, bulletproof hosting servers to house the malicious domains, account takeover specialists who do the actual transferring of funds from victims’ accounts, and “cash-outs” (also called “drop masters”) who launder the money. Five of the indicted men have evaded capture and remain on the run, while the others await prosecution.

Quote of the week

“The GozNym network exemplified the concept of ‘cybercrime as a service,’ with different criminal services such as bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support.”
– Europol explaining GozNym malware crime ring

WhatsApp flaw lets in spyware

Commercial-grade spyware believed to come from the Israeli cyber-offense program called Pegasus has been detected in certain cyberattacks using the WhatsApp app. The malware could install itself onto the mobile device just by making a call, and the victim didn’t even have to answer. WhatsApp parent company Facebook believes specific people were targeted in the attack, namely human rights activists and lawyers. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”

The attackers took advantage of a buffer overflow flaw, but WhatsApp claims it immediately blocked that attack vector in an update once the attacks were detected and users have been protected against it since last week. It’s unclear how many victims were targeted in the attack, but WhatsApp has briefed a number of human rights organizations on the details over the past few days.

Avast Security Researcher Luis Corrons notes, “Although we are not used to seeing attacks through WhatsApp, we are talking about a platform with several hundreds of millions of people using it. A security hole in this platform that allows the targeting of specific people can be a powerful weapon in the hands of criminals.”

Fact of the week

Zero: The number of publicly reported “hacktivism” cybersecurity attacks so far this year. The activist, politically themed hacks reached a peak of 35 in 2015, according to IBM.

Magecart card skimming malware infects Forbes

Cybersecurity researchers have found that hackers have infected the Forbes subscription site with Magecart malware, an oft-used card skimming program that has been terrorizing businesses around the globe. We’ve reported on the Magecart attack on British Airways, the Magecart attack on Magento extensions, another Magecart attack on British Airways, and the evolution of the term Magecart from a specific cybercrime group to the type of malware for which they’ve become infamous.

The malware collects customer credit card info including name, number, expiration date, and security code, as well as phone number, home address, and email address. Authorities took down the domain that the cybercriminals were using to collect the stolen data as soon as the malware was detected. In addition to Forbes and British Airways, Magecart malware has been used in attacks against Ticketmaster, Newegg, OXO, Amerisleep, and MyPillow. One security expert comments, “For every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms.”

Attack of the Zombieload

Researchers have identified a new class of vulnerabilities in Intel processing chips that can be maliciously exploited. Intel microchips have been riddled by newfound flaws over the past year — Spectre, Meltdown, and Foreshadow — and now there’s a new type of threat joining the ranks, the colorfully named Zombieload.

Like the other three vulnerabilities, Zombieload takes advantage of speculative execution, the processor’s practice of working ahead on operations it predicts will be needed next, which adds to the speed and smoothness of Intel chip performance. Zombieload is a side-channel attack, specifically a Microarchitectural Data Sampling (MDS) attack. A hacker can use such an attack to pull data from other apps running on the same CPU, hence the idea of a “side door.”

Intel is already on top of patching this flaw, reporting to ZDNet that “MDS is already addressed at the hardware level in our recent 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable Processor Family. For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today.”
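To confirm that both halves of that fix (microcode and operating system) are in place on a Linux machine, the kernel's one-line MDS status report can be read and interpreted. The script below is an added example, not code from Avast or Intel; it assumes a Linux kernel recent enough to expose the `mds` file under sysfs, and the function names and sample lines are constructed for illustration.

```python
from pathlib import Path

# Linux reports each CPU vulnerability as one line of text in this directory.
MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample lines in the format the kernel uses for this file.
SAMPLES = [
    "Not affected",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Vulnerable; SMT vulnerable",
]

def classify_mds(line):
    """Return (state, smt, advice) for a status line; line=None means the file is missing."""
    if line is None:
        return ("unknown", None, "kernel does not report MDS: install OS updates")
    head, _, smt = line.strip().partition(";")
    head, smt = head.strip(), smt.strip() or None
    if head == "Not affected":
        return ("not_affected", smt, "no action needed")
    if head.startswith("Mitigation:"):
        # Buffer clearing works, but sibling hyperthreads can still observe each other.
        if smt == "SMT vulnerable":
            return ("mitigated", smt, "consider disabling SMT for untrusted workloads")
        return ("mitigated", smt, "no action needed")
    if "no microcode" in head:
        # The OS half is present; the CPU microcode half is not.
        return ("needs_microcode", smt, "install the CPU microcode update")
    return ("vulnerable", smt, "no mitigation enabled: check kernel boot options")

def read_local_status(path=MDS_SYSFS):
    """Read this host's status line, or None when the kernel predates MDS reporting."""
    try:
        return path.read_text()
    except OSError:
        return None

if __name__ == "__main__":
    for sample in SAMPLES:
        state, smt, advice = classify_mds(sample)
        print(f"{sample!r}\n    -> {state}; {advice}")
    print("this host:", classify_mds(read_local_status()))
```
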

This week’s “must-read” from the Avast blog

Sindhura Gade, a cybersecurity engineer at Avast, gives specific, tactical advice to young women looking to get started on a cybersecurity career.

