Security News

Malware with more might and other weekly security news

Avast Security News Team, 22 March 2019

An infamous cybergang, a notorious botnet, and new phishing scams continue to do their best to ruin your day.

Over 200 million Facebook passwords exposed internally

In a statement released today, Facebook divulged that some user passwords were being stored in readable format on certain internal data storage systems within the company. While the statement does not provide details on how or why the passwords were being stored in plain text, it does assure users that the issue has since been fixed and that potentially compromised accounts would be alerted.

An anonymous source at Facebook tells security researchers that the security failure is due to employee-built applications intended to log and store data such as passwords for Facebook users. The problem is that proper security measures call for the data to be encrypted while stored on internal servers, but in this case, everything was stored in plain text and therefore viewable to 20,000 Facebook employees. The anonymous insider claims that between 200 million and 600 million Facebook users were exposed on the internal database, dating back to 2012. Both the anonymous source and the Facebook official statement emphasize that only Facebook employees had access to the plain text passwords, and there is no evidence that the information has been used for any malicious purposes.

“It is really a shame what we’ve been learning about Facebook over the last few years,” notes Avast Security Expert Luis Corrons. “This is just the icing on the cake. Even though it looks like Facebook is improving its security practices, it might be too late for many users who are losing confidence in Facebook and deciding to leave it in order to keep their private data safe.”

Today’s catch: Netflix and AMEX phishing

Two widespread phishing campaigns are currently making the rounds, one targeting Netflix viewers and one targeting AMEX cardholders. The Netflix scam begins with an email informing the user that his or her account is on hold. The user is then directed to fill out a Netflix-branded form that asks for sensitive data including credit card info, bank name, and PIN.

The AMEX scam uses a similar technique, informing the user that there is a problem with the account and that certain details could not be confirmed. The email tells the user that access to the cardmember profile has been blocked and can only be accessed after downloading and filling out the attached form. The form then requests personal info such as first elementary school and mother’s maiden name. If you receive either of these scams, delete the email immediately and don’t fall for it.

Fin7 strikes with more strength

The global threat group responsible for identity theft, bank fraud, and malicious hacking into thousands of point-of-sale terminals around the world continues to terrorize the internet. The group is suspected of stealing the credit card numbers of at least 15 million US citizens, and other countries are targeted as well. Despite the arrest of three of its high-ranking members last August, the group remains active, and researchers have discovered some new tools in the Fin7 arsenal.

The criminal gang’s main M.O. continues to be phishing emails — psychological tricks to pressure the user into opening an attachment or clicking a link — and one of the new malicious payloads they’re using has been dubbed SQLRat. Experts are calling the malware “ingenious” because of its ability to cover its tracks and keep from being detected. Another new trick of theirs is being called DNSbot. It’s malware that creates a backdoor to exchange commands over DNS traffic including secure channels like HTTPS and SSL. Researchers continue to monitor the actions of Fin7, who are still up to their old tricks, but with new tools.

“There is an interesting lesson for all of us here,” notes Security Evangelist Luis Corrons. “No matter how sophisticated an attack is — and the malware and techniques used by this group are really sophisticated — at the end of the day, the starter is the same for most attacks: using social engineering tricks to get the help of the victim to become a victim in the first place. We users have to be especially alert when it comes to emails, and try not to click on any link or attachment unless we are reasonably sure that it is a legit message.”

Mirai is back with more boom

The infamous botnet Mirai introduced itself to the world back in 2016 with its DDoS attack on DNS provider Dyn, resulting in a host of sites like Twitter, CNN, and Spotify temporarily being knocked offline. The malware creators were eventually arrested, but not before they released the code online for all would-be cybercriminals to use. Last October, we reported how many would-be cybercriminals were doing just that, and this week we have some new Mirai news.

Security researchers found a new variant of Mirai that equips itself with more power and a greater attack surface. Instead of hijacking only consumer products for its botnet, the new variant also targets enterprise-grade devices with higher bandwidth. The addition of these “super soldiers” to the botnet gives it more firepower, leading experts to suspect these greater weapons are being developed to attack larger enterprises. This new variant is not known to have been used in attacks as of yet.

Google Photos revealed too much

In a flaw that has since been patched, Google Photos was vulnerable to a side-channel attack. Researchers revealed the news this week that while it required a bit of effort on the criminal’s part, exposing a photo’s metadata (e.g. including things like where a photo was taken, who was in the photo, and when it was taken) on Google Photos through browser-based timing attacks was a possibility. In order to execute the browser-based timing attacks, the criminal would first have to lure the victim to a malicious website while at the same time having their Google Photos app opened. While this vulnerability never posed too great of a risk, researchers note that side-channel attacks are often overlooked and need to be kept in mind when running security due diligence.


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.