The holiday season is coming up and we expect that many will opt to shop online to avoid the big crowds in city centers, malls and stores.
In America, Cyber Monday, the cyber version of shopping day Black Friday, was born in the mid 2000s. Cyber Monday sales have steadily increased since its inception and according to IBM Digital Analytics, sales grew 8.5% in 2014. According to ComScore, purchases are now also being made from smartphones with overall spending from mobile devices in the millions.
Americans aren’t the only ones who have embraced Cyber Monday, many other retailers around the world have come together to offer deals on the Monday after U.S. Thanksgiving and in China, Singles’ Day (November 11th) has become a major ecommerce day with 27,000 online merchants participating in 2014.
This is not only an exciting time for online retailers and online shoppers but also for cyber criminals. I spoke with our senior malware analyst, Jaromír Hořejší about how cybercriminals are preparing for Cyber Monday:
There’s more than one RAT: Avast discovers that OmniRat is currently being used and spread by criminals to gain full remote control of devices.
On Friday, I discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote spying and recently made news when European law enforcement agencies made arrests and raided the homes of suspects as part of an international malware investigation.
OmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative control of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device. Remote administrative control means that once the software is installed on the target device, you have full remote control of the device.
On their website, OmniRat lists all of the things you can do once you have control of an Android, which include: retrieving detailed information about services and processes running on the device, viewing and deleting browsing history, making calls or sending SMS to any number, recording audio, executing commands on the device and more.
Elliot, Mr. Robot’s anti-hero cyber-security engineer by day and vigilante hacker by night, has been having a life-style crisis. In episode 3, Elliot longs to live what he calls a bug-free life, otherwise known as a regular person.
However, he is quickly pulled back into F Society’s hold when emails exposed during the threatened data dump revealed that E Corp executives had knowledge about the circumstances which led to his father’s death. We will leave the intrigues and plot theories, especially if Mr. Robot is real or a figment of Elliot’s imagination, to the internet. Right now, let’s look at the hacks highlighted in this episode.
At minute 7:40, you see Elliot in the hospital after Mr. Robot had pushed him off the high wall they were sitting on in the previous episode. His psychiatrist, Krista, is in the hospital and explains that the police wanted to do a drug panel, but Elliot refused. Elliot admits he has been taking morphine. Krista says the only way she can approve his release from the hospital would be if he commits to a bi-monthly drug test. Elliot starts thinking about how he will get around this problem by hacking the hospital’s IT. The IT department is lead by one single person, William Highsmith, with a budget of just $7,000 a year. According to Elliot, he uses useless virus scans, dated servers and security software that runs on Windows 98. It’s one of the reasons why Elliot made that particular hospital his primary care facility, since he can easily modify his records to look average and innocent.
Stefanie: Wow, wouldn’t it be an unusual that a hospital would actually use old infrastructure and have little budget for their IT? I also found it a bit odd that they have just one IT guy, I mean healthcare data is REALLY sensitive and definitely one of the last things I would want to have accessed by hackers!
When it comes to cybercrime, it’s always better to be in the know. Here are a few ways that web attacks can find their way onto your device. Don’t be fooled — most cybercrooks design attacks to take place where you’d least expect it.
Social engineering preys on human weakness
“A lot of attacks are still using social engineering techniques; phishing emails – ways of convincing the user to give up valuable information,” said Avast CEO Vince Steckler.
In a phishing or spearphishing attack, hackers use email messages to trick people into providing sensitive information, click on links, or download malware. The emails are seemingly sent from organizations or individuals the potential victims would normally get emails from, making them even more deceptive. Last July, Avast took a look at the Tinba Trojan, banking malware that used spearphishing to target its victims.
An example of an injected form from Tinba Trojan targeting U.S. Bank customers.
Web attacks also take place through SMS Text Phishing, also known as SMSishing. This method has become one of the most popular ways in which malicious threats are transmitted on Android devices. These text messages include links that contain malware, and upon clicking them, the malicious program is downloaded to the user’s device. These programs often operate as SMS worms capable of sending messages, removing apps and files, and stealing confidential information from the user.
Malicious apps attempt to fool you
Malicious programs can disguise themselves as real programs by hiding within popular apps or games. In February, we examined malicious apps posing as games on Google Play that infected millions of users with adware. In the case of malicious apps, cybercrooks tamper with the app’s code, inserting additional features and malicious programs that infect devices. As a result, the malware can attempt to use SMSishing in order to collect additional data.
The Durak card game app was the most widespread of the malicious apps with 5 – 10 million installations according to Google Play.
Ransomware uses scare tactics that really work
Another name that made headlines was a group of malware dubbed ransomware, such as CryptoLocker, and its variants Cryptowall, Prison Locker, PowerLocker, and Zerolocker. The most widespread is Cryptolocker, which encrypts data on a computer and demands money from the victim in order to provide the decryption key. Avast detects and protects its users from CryptoLocker and GameoverZeus.
Make sure you back up important files on a regular basis to avoid losing them to ransomware. Ransomware made its way from desktop to Android during the year, and Avast created a Ransomware Removal app to eliminate Android ransomware and unlocks encrypted files for free.
Count on Avast apps to keep mobile malware at bay
To keep your devices protected from other ransomware, make sure to also install Avast Free Mobile Security & Antivirus from the Google Play store. It can detect and remove the malware before it is deployed.
Install Avast Ransomware Removal to find out if your Android devices are infected and to get rid of an infection. Avast Ransomware Removal will tell you if your phone has ransomware on it. If you are infected, it will eliminate the malware. Android users who are clean can use the free app to prevent an infection from happening.Once installed, you can easily launch the app to scan the device, remove the virus, and then decrypt your hijacked files.
2014 has been an active year for cybercrime. Let’s start with the most recent and then take a look at some of the other important security events of the year.
We are ending the year with the most publicized and destructive hack of a major global company by another country – now identified as North Korea. The Sony Entertainment attack, still being investigated by the FBI, resulted in the theft of 100 terabytes of confidential employee data, business documents, and unreleased films. It was an attack on privacy due to the theft of a massive amount of personal records, but also essentially blackmail; aiming to silence something that the North Korean government didn’t like – namely the release of The Interview, a movie depicting an assassination attempt on Kim Jong-Un.
Most of the blame for state-sponsored cybercrime in 2014 has been with Russian or Chinese hackers. Whether private or state-sponsored, these hackers have attempted to access secret information from the United States government, military, or large American companies. Recently, Chinese hackers sponsored by the military were indicted for economic espionage by the U.S. Department of Justice.
Along with the Sony breach, other notable companies that suffered from cybercrime include Home Depot, eBay, Michaels, Staples, Sally Beauty Supply, and others. A significant number of these breaches were begun months or years ago, but were revealed or discovered in 2014.
Nearly 110 million records were stolen from Home Depot; the largest ever breach of a U.S retailer. The cyber-heist included 56 million payment card numbers and 53 million email addresses.
JPMorgan Chase’s data breach impacted nearly 80 million households in the U.S., as well as 7 million small- and medium-sized businesses. Cybercriminals were able to gain access after stealing an employee’s password, reminiscent of the Target breach from 2013. This breach is said to be one of the largest breaches of a financial institution. The FBI is still investigating.
Financial and data stealing malware
GameOver Zeus, called the most infamous malware ever created, infected millions of Internet users around the world and has stolen millions of dollars by retrieving online banking credentials from the infected systems.
Tinba Trojan banking malware uses a social engineering technique called spearfishing to target its victims. The spam campaign targeted Bank of America, ING Direct, and HSBC customers using scare tactics to get customers to download a Trojan which gathered personal information.
Chinese hackers were at it again, and again, targeting South Korean banking customers with banking malware using a VPN connection. The customers were sent to a look-alike webpage where they were unknowingly handing cybercrooks their banking passwords and login information.
Many of the breaches that occurred in 2014 were because of unpatched security holes in software that hackers took advantage of. The names we heard most often were Adobe Flash Player/Plugin, Apple Quicktime, Oracle Java Runtime, and Adobe Acrobat Reader.
Avast’s selection of security products have a feature called Software Updater which shows you an overview of all your outdated software applications, so you can keep them up to date and eliminate any security vulnerabilities.
South Korean banks have been attacked by hackers again!
This is not the first time we reported malware which targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users and last year we published a series of blogposts, Fake Korean bank applications for Android (part 1, part 2, part 3), about malware targeting mobile platforms.
The Korean banking malware is based on the same principle previously used. The customer executes the infected binary, which modifies Windows hosts file. This file contains a list of domains with assigned IP addresses. Malware, however, may modify this file. When a customer wants to visit his online bank website, he is redirected to the IP address specified in the hosts file, not to the original bank website!
The piece of malware we will discuss in this blog post performs the above mentioned modification of system settings. However, when we looked into the modified hosts file, we noticed something unusual.
Cybercrooks target busy holiday shoppers with phishing scheme.
After all that shopping on Black Friday and Cyber Monday, consumers are reporting a bunch of phishing emails that look like authentic communications from poular stores. Malware-infected emails are reportedly coming from Walmart, Home Depot, Target, and Costco. The catch is these are not from the authentic merchants, but rather cybercrooks are using a phishing scheme to send fake emails with the intent to gather personal information from harried shoppers.
Millions of these emails are being sent each day, originating from more than 600 hacked websites that act as intermediaries, according to security analysts from Malcovery monitoring the attacks. This method prevented detection by causing the spammed links to point to websites that had been safe until the morning of the attack.
The messages have subject lines like this:
- Thank you for your order
- Order Confirmation
- Thank you for buying from Best Buy
- Acknowledgment of Order
- Order Status
If you receive one of these emails, don’t click on any links. Instead, visit the merchant’s website or call their customer service. Don’t give any personal information out unless you know for sure with whom you are speaking.
Signs of a fake email
Unfortunately, cybercrooks are becoming more professional with their scams, but here are a few things you can look for to tell a fake email from an authentic one.
- Poor grammar usage
- The Sender (the “from” line) may not match the merchant name
- Links in the email do not go to the real website
- There is no order confirmation number or details about the order. A real order confirmation email contains the details of your order without clicking on any links, as well as where it is being shipped and the payment method.
How to protect yourself
Walmart acknowledged that the fraudulent emails were in circulation and suggested these steps if you receive a suspicious email.
- If you actually placed an order and are suspicious about the email you received, log onto your Walmart.com order to check your order status.
- Keep your virus software updated on all your computers.
If you were a victim of fraud via the Internet, you should file a report with your local law enforcement agency along with the Internet Crime Complaint Center (ICCC). The ICCC is a partnership between the FBI and the National White Collar Crime Center. You can make a report with the ICCC.
#GivingTuesday is a day dedicated to give from the bounty we have received.
After the shopping free-for-all of Black Friday, the local discoveries of Small Business Saturday, and the online click frenzy of Cyber Monday, people the world over have a day for giving thanks.
On Tuesday, December 2, 2014, charities, families, businesses, community centers, and students around the world will come together for one common purpose: to celebrate generosity and to give. ~www.givingtuesday.org
From supporting women’s microfranchises selling solar products in Nicaragua to supplying feed and services to a ranch in Arizona that helps save horses from abuse and neglect to constructing toilets in a school in West Bengal, there are a myriad of opportunities to spread your goodwill and your cash. It’s also an opportunity for cybercrooks to scam those with a generous heart.
What you need to know about charity scams
Charities and fundraising groups use all methods to solicit funds, so you could receive a phone call, a knock at your door, an email, a message via social networking sites, and even a text message on your mobile phone. Before giving your donation, carefully review a charity and ensure it is a trustworthy organization.
- Watch out for copycats. There may be hundreds of charities seeking support in the same category, and some may use a name that is similar to a better-known, reputable organization. Don’t fall for a case of mistaken identity.
- Avoid being pressured. Don’t succumb to high-pressure tactics that try to get you to donate immediately. Responsible organizations will welcome your gift tomorrow just as much as today.
- Give through a reputable, secure service. If a charity asks for donations in cash, by money wire, or offers to send a courier or overnight delivery service to collect the donation immediately, then beware. A genuine charity will give you time and a secure method to make your donation.
- When in doubt, check them out. The results of a Google or Yahoo search have been known to include bogus phishing sites designed to look like a legitimate charity’s website. Just look up scams around Hurricane Katrina, and you’ll see what I mean. Charity Navigator says,
- Carefully examine the web address. Most non-profit web addresses end with .org and not .com. Avoid web addresses that end in a series of numbers.
- Bogus sites often ask for detailed personal information such as your social security number, date of birth, or your bank account and pin information. Be extremely skeptical of these sites as providing this information makes it easy for them to steal your identity.
The Home Depot security breach last spring has gotten worse. In addition to the 56 million credit-card accounts that were compromised, around 53 million customer email addresses were also taken, according to a statement from Home Depot about the breach investigation. Home Depot assures its customers that no passwords, payment card information like debit card PIN numbers, or other “sensitive” information was stolen.
The breach occurred when cybercrooks stole a third-party vendor’s user name and password to enter their network in April 2014. The hackers then deployed unique, custom-built malware on Home Depot’s self-checkout registers in the United States and Canada.
The company said that as of September 18, the malware had been eliminated from the network.
Request your free identity protection
The Home Depot is notifying affected customers and still offering free identity protection services, including credit monitoring, to any customer who used a credit or debit card at one of its 2,266 retail stores beginning in April. Customers who wish to take advantage of these services should visit homedepot.allclearid.com or call 1-800-HOMEDEPOT (466-3337).
Home Depot said that customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.
- Review your credit card statements carefully and call your bank if you see any suspicious transactions.
- Be aware of phone calls or emails that appear to offer you identity theft protection but are truly phishing schemes designed to steal your information. Always go directly to The Home Depot’s website or to the AllClear ID website, or call Equifax for information rather than clicking on links in emails.
Get more information from Home Depot’s Facebook page.
Cybercrooks use popular stories in the news to deceive people into giving up confidential information.
The dreaded disease Ebola that is spreading rapidly throughout West Africa made landfall in the US recently, and since then many news agencies have sensationalized the “outbreak” with constant coverage. Panic has grown as politicians raise the public’s fears and medical experts are confusing people with contradictory information. These things all combine to create the perfect atmosphere for scammers.
It’s quite common for cybercrooks to use social engineering techniques to fool people during a big news event, and we have seen an increase in phishing attempts. The United States Computer Emergency Readiness Team (US-CERT) issued an alert today to remind users to protect against email scams and cyber campaigns using the Ebola virus disease as a theme.
“Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system, “ says the advisory.
Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software.
- Refer to the Using Caution with Email Attachments Cyber Security Tip for information on safely handling email attachments.
- Refer to the Avoiding Social Engineering and Phishing Attacks Cyber Security Tip for information on social engineering attacks.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.