Government employees and Gmail users targeted by unexpected phishing tricks. Around 150K Magento 1 sites exposed to unpatched vulnerabilities.
Russia’s hackers have new phishing tricks
There’s no rest from Russian hacking groups. This time they’re targeting governments in the U.S., the European Union and former Soviet states with weaponized documents that deliver malware.
The newly observed malware tool gives the attackers a foothold on targeted computers, where it takes screenshots and collects system information from the infected machine. It then uses email to send the images back to the operators and to receive new instructions. Some describe it as a spy camera on the computer that phones home, allegedly to Russia.
The hackers with APT28 — sometimes known as “Sofacy” or “Fancy Bear” — are also allegedly behind the 2016 hack of the Democratic National Committee.
The malicious campaign begins with phishing emails referencing the recent Lion Air crash off the coast of Indonesia. The emails impersonate employees of the U.S. Department of State and were sent to think tanks, businesses, and government agencies with a Microsoft Word document attached.
When the Word document is opened, it prompts the user to enable macros; if the user agrees, the macro begins installing the malware. The Word document itself is the delivery system, and the malicious code only runs because the recipient was persuaded to switch it on.
The campaign delivers two kinds of malware: (1) Zebrocy, a trojan previously observed in cyber espionage operations attributed to Russia, and (2) Cannon, which works much like Zebrocy by establishing communication with a command and control server from which the malware receives its instructions.
“When we talk about Advanced Persistent Threats (APTs), Word documents have been the weapon of choice,” explains Luis Corrons, Avast security evangelist. “To most users, they look benign, and email gateways are less likely to block them. Further, they can be filled with legitimate content that is relevant to the target, which makes it more likely that they will in fact open the document.”
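Because gateways tend to wave Word documents through, one cheap check is to open the attachment as the zip container it is and look for the parts that make it a delivery vehicle. The following is an added example, not code from the original post or from Avast: it flags an OOXML attachment that carries a VBA project (the macros the lure asks the user to enable) and, going one step beyond the page, an external `attachedTemplate` relationship pointing at an HTTP(S) URL, a related trick for pulling a macro-bearing template at open time. The sample documents are constructed minimal containers, and the `template.invalid` hostname is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def inspect_office_doc(data: bytes) -> dict:
    """Look inside an OOXML attachment (docx/docm/xlsx/...) for delivery tricks.

    Returns a dict with:
      has_vba          - a vbaProject.bin part is present (the file carries macros)
      remote_templates - HTTP(S) targets of external attachedTemplate relationships
      error            - set when the bytes are not an OOXML zip container
    """
    findings = {"has_vba": False, "remote_templates": [], "error": None}
    try:
        container = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not an OOXML container"
        return findings

    names = container.namelist()
    # Macros live in a binary OLE part; its presence alone is enough to flag.
    findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)

    # Relationship parts (*.rels) can point the document at a remote template
    # that Word fetches on open, which lets an attacker ship the VBA separately.
    for name in names:
        if not name.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(container.read(name))
        except ET.ParseError:
            continue
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                target = rel.get("Target", "")
                if target.lower().startswith(("http://", "https://")):
                    findings["remote_templates"].append(target)
    return findings


def should_quarantine(findings: dict) -> bool:
    """Gateway policy: hold anything with VBA or a remote template."""
    return findings["has_vba"] or bool(findings["remote_templates"])


# --- Constructed sample documents (minimal containers, not real samples) ---
def _build_doc(extra_parts=None) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        for part, body in (extra_parts or {}).items():
            z.writestr(part, body)
    return buf.getvalue()


CLEAN_DOCX = _build_doc()
# A few OLE magic bytes stand in for a real VBA project; only the part name matters here.
MACRO_DOCM = _build_doc({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder"})
# Hypothetical remote template URL; the .invalid TLD never resolves.
REMOTE_TEMPLATE_DOCX = _build_doc({
    "word/_rels/settings.xml.rels": (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        'Target="http://template.invalid/lure.dotm" TargetMode="External"/>'
        '</Relationships>'
    ),
})

if __name__ == "__main__":
    samples = [("clean", CLEAN_DOCX), ("macro", MACRO_DOCM),
               ("remote template", REMOTE_TEMPLATE_DOCX), ("junk", b"not a zip")]
    for label, doc in samples:
        f = inspect_office_doc(doc)
        print(f"{label:16} quarantine={should_quarantine(f)} {f}")
```

The check is deliberately structural: it never executes or decompiles the macro, so it is safe to run on untrusted input, and a document that merely looks relevant to the target (as the quote above notes) is treated no differently from any other one that asks for macros.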
Gmail glitch enables anonymous messages in phishing attacks
A glitch in the UX of Gmail allows the “From” field to be empty, essentially hiding the source address of an email. This trick can be used for phishing attacks that purport to be warnings from official sources or genuine system messages.
The glitch is a derivative of a previous bug that was discovered by software developer Tim Cotten. According to his research, Gmail leaves the “from” field unpopulated which is typically where the sender’s details appear.
Cotten’s investigation, revealed in his blog, is unlikely to be duplicated by the average Gmail user. Without sender information to judge the message by, even a well-educated user’s curiosity could lead them to open the email or click its links, putting their account at risk. The risk of cybercriminals abusing this for phishing is therefore high.
This recent glitch is one of 3 UX-glitches related to Gmail within the last 2 years.
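The defensive side of this, as an added example that is not from the original post or from Cotten’s research: a gateway-side check that refuses to deliver a message whose From header is missing, empty, carries no mailbox address, or appears more than once, so the user never sees a warning-style message with a blank sender. It does not reproduce the Gmail rendering bug itself. The raw messages are constructed, and the example.com addresses are placeholders.

```python
import email
from email.utils import parseaddr


def sender_anomalies(raw: bytes) -> list:
    """Return the reasons a message's sender identity is suspect (empty if none).

    Parses with the default compat32 policy so header values come back as the
    raw strings a client would display rather than pre-validated address objects.
    """
    msg = email.message_from_bytes(raw)
    reasons = []

    from_headers = msg.get_all("From") or []
    if len(from_headers) > 1:
        # Two From lines let an attacker show one identity and route on another.
        reasons.append(f"multiple From headers ({len(from_headers)})")

    from_hdr = from_headers[0] if from_headers else None
    if from_hdr is None or not from_hdr.strip():
        # The case from the article: nothing for the user to judge the sender by.
        reasons.append("From header missing or empty")
    else:
        _display, addr = parseaddr(from_hdr)
        # parseaddr happily returns a bare word as the "address"; insist on a mailbox.
        if not addr or "@" not in addr:
            reasons.append(f"From header carries no mailbox address: {from_hdr.strip()!r}")
    return reasons


def gateway_verdict(raw: bytes) -> str:
    """Simple policy on top of the checks: hold anything with an anomaly."""
    return "quarantine" if sender_anomalies(raw) else "deliver"


# --- Constructed raw messages (not real captures; example.com is a placeholder) ---
NORMAL = (b"From: Alice <alice@example.com>\r\nTo: bob@example.com\r\n"
          b"Subject: lunch\r\n\r\nNoon?\r\n")
EMPTY_FROM = (b"From: \r\nTo: bob@example.com\r\n"
              b"Subject: Security warning\r\n\r\nClick here to verify.\r\n")
NO_FROM = (b"To: bob@example.com\r\n"
           b"Subject: Account notice\r\n\r\nVerify now.\r\n")
DISPLAY_ONLY = (b"From: Gmail Security Team\r\nTo: bob@example.com\r\n"
                b"Subject: Alert\r\n\r\nVerify now.\r\n")
DOUBLE_FROM = (b"From: Security Team <noreply@example.com>\r\nFrom: alice@example.com\r\n"
               b"To: bob@example.com\r\nSubject: Alert\r\n\r\nVerify now.\r\n")

if __name__ == "__main__":
    for label, raw in [("normal", NORMAL), ("empty From", EMPTY_FROM),
                       ("no From", NO_FROM), ("display name only", DISPLAY_ONLY),
                       ("double From", DOUBLE_FROM)]:
        print(f"{label:18} {gateway_verdict(raw):10} {sender_anomalies(raw)}")
```

The mailbox test is the important one: a header such as `From: Gmail Security Team` parses without error, but what the client renders as a sender is a display name with no address behind it, which is exactly the situation the glitch above produces.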
Tens of thousands of Magento sites at risk
Out of 170,000 Magento sites analyzed, 90% of those using Magento 1 are at heightened risk, according to researchers.
The heightened risk can be attributed to unpatched vulnerabilities, including 2.3% of all Magento websites that have yet to be patched for Magento Shoplift. This bug allowed attackers to obtain control over a store and its sensitive data, including personal customer information. It was disclosed (and patched) in early 2015.
Magento, a popular eCommerce platform, is used by nearly 74,000 websites in North America alone. And as more people cite convenience as the main reason to shop online, eCommerce entrepreneurs and retailers must invest in secure payment systems to prevent costly breaches.
But many eCommerce business owners or retailers don’t have the time or resources to implement their own payment system, opting instead to turn to a hosted payment page — a payment page that exists separately from their online web store.
A hosted payment page moves card data off the store, but it does not protect the store application itself. To dramatically reduce exposure, businesses that rely on third-party online payment systems still need to prioritize regular patching, change default admin passwords, and use strong passwords with multi-factor authentication.
Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.
Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.