We have just published our Quarterly Report for Q1 2013, analyzing the IT security events and incidents from January through March 2013. If you want to be aware of the latest security trends and the latest cyber-war cases… don’t wait any longer: you can download our latest report from our Press Center.
Last Tuesday, April 23, the Twitter account of the Associated Press news agency was hacked and sent out a hoax tweet reporting that President Barack Obama had been injured by an explosion in the White House. Within seconds, Wall Street was in panic mode and US stocks plunged.
Situations like this illustrate once again the dangers of using weak passwords not only for home users but in corporate environments as well. Today, social networking sites are very often the first point of contact between users and companies, and special care should be taken to strengthen the security of social media accounts.
When a Twitter account is hacked, the public normally thinks it has been the result of some highly sophisticated attack perpetrated with complex programs and all sorts of stealth systems only accessible to some privileged minds… Well, in reality, things are usually much simpler. In most cases, the so-called “hacker” simply guesses the victim’s password. The most complex attacks are actually those where the attacker tricks users into re-entering their credentials into some system, unaware that they are in fact submitting their data to a cyber-criminal (which, by the way, is exactly what happened in the AP Twitter hack).
Two months ago, Burger King’s Twitter account was also hacked. Its background picture was changed to a McDonald’s image, and a message was posted announcing that the company had been sold to their rivals. It is not known what password Burger King used, but I would say “whopper” is one of the safest bets… The AP attack might look like an isolated incident, but unfortunately these attacks are far more common than it seems. In fact, the group behind the hack, the self-proclaimed “Syrian Electronic Army”, also hacked the Twitter accounts of watchdog organization Human Rights Watch, French news service France 24 and the BBC’s weather service.
But it is not only Twitter accounts that are at risk. Many of us still remember the theft of a series of compromising photos from Scarlett Johansson’s cell phone for example. Preliminary investigation seemed to indicate that a hacker had been able to launch a cyber-attack on the American actress’s cell phone, accessing her personal information. Later, however, it was found out that the ‘hacker’ was simply a man with a penchant for hacking into celebrities’ accounts who had been able to guess the star’s email address password.
Let me finish by offering you a series of simple tips about social media passwords that will help you protect yourselves from this type of attack:
- Size matters: The longer the password, the safer it will be.
- Do not use personal information (your name, your phone number, etc.) to create passwords.
- NEVER use the same password for multiple accounts.
- Use passwords that are a combination of numbers, letters and special characters. The more complex the password, the safer it will be.
- Change your passwords frequently.
- Do not reveal your passwords or send them via email.
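As an added example that is not from the original post, this Python function checks a candidate password against the first four tips above (length, personal information, reuse, character mix). The minimum length of 12, the leetspeak mapping and the sample inputs are my assumptions; the point it makes is the one of the AP and Burger King cases, that a password derived from public information is guessable however it is spelled.

```python
import re

# Assumed mapping of common letter-for-symbol substitutions, so that
# "Wh0pp3r" is recognised as "whopper" before the personal-info check.
LEET = str.maketrans("013457@$!", "oleastasi")


def password_problems(password, personal_info, passwords_in_use, min_length=12):
    """Return the list of tips the password violates (empty list = passes).

    personal_info: strings such as a name, phone number or company/brand name.
    passwords_in_use: passwords already used on other accounts (tip: never reuse).
    """
    problems = []
    if len(password) < min_length:                      # tip 1: size matters
        problems.append(f"shorter than {min_length} characters")

    normalized = password.lower().translate(LEET)        # tip 2: no personal info
    for item in personal_info:
        for token in re.findall(r"[a-z0-9]{3,}", item.lower()):
            # also catch the token spelled backwards, a common "trick"
            if token in normalized or token[::-1] in normalized:
                problems.append(f"contains personal information ({item!r})")
                break

    if password in passwords_in_use:                     # tip 3: no reuse
        problems.append("already used for another account")

    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]   # tip 4: mix
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, special characters")
    return problems
```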
If we had to draw up a list of the top tech companies that have been hacked in the last few weeks, we would have to include all the ones in the title of this blog post, and maybe a few more cases we are still not aware of.
The first one was Twitter. On February 1st Twitter published an article on their blog, “Keeping our users secure”. They explained they had been victims of an attack, and that information from 250,000 users had been accessed.
A couple of weeks later, Facebook published an article on their blog, titled “Protecting People On Facebook”. It looks like no customer data was compromised in this attack.
The next victim was Apple: just a few days after Facebook’s announcement, they told Reuters they had also been targeted using the same attack.
And last, but not least, Microsoft recognized they also had been victims of the same attack.
Not a bad list of companies, isn’t it? Maybe we will see some more (Google is in the same target tier, for example, or Amazon, or IBM…) but that’s not the point of this article. What can we learn? Of course there is a lot of information we don’t know yet; however, we can see some positive outcomes and one very important task to do:
- Companies are not afraid of admitting to being targets of this kind of attack.
- They have good security teams which have been able to identify the attacks as they were taking place.
Task to do: We all should stop using Java in the browser. All these attacks were successful thanks to yet another 0-day vulnerability in Java. Disable it now.
People involved in computer security know that there is no 100% safe place. You can take a number of preventive measures, and they will work well most of the time. But there is always some weak point, some new vulnerability, some human error, and out of the thousands of attacks that such big companies receive on a daily basis, one could succeed.
And being able to identify an ongoing attack is critical. Twitter, Facebook, Apple and Microsoft were able to. They are all gathering information about the attack, and all of them are working with law enforcement to find out who is behind it.
If you are responsible for a medium / small company, you may think you do not have to worry as much as those biggies, as you are not such a sexy target. That is partially true: you will probably get a small number of targeted attacks (if any); however, you will be hit constantly with the usual cybercrime attacks that infect millions of computers.
According to the PandaLabs 2012 Annual Report, 1/3 of all computers were infected at some point last year. And cybercriminals love low-hanging fruit. If you have computers without protection, without updated software, without a serious security plan, you will be next.
Most computer infections nowadays come from exploit kits, which infect the user’s computer without their knowledge through some software vulnerability. More than 90% of these cases are Java vulnerabilities exploited through the browser, so the best way to avoid these infections is simple: DISABLE JAVA IN YOUR BROWSER. NOW. WHAT ARE YOU WAITING FOR?
If for any reason you need Java in the browser to run some application, then use it in a secondary browser.
Last week I congratulated the Spanish National Police for the fantastic job they did taking down a cybercrime gang that was using the well-known “police virus”, but I already pointed out that this was not going to be the end of this threat, as most likely there were a number of different gangs using the same kind of attack.
I talked about different pieces of evidence pointing to this: techniques within the malware that had fallen out of use suddenly appearing again (encryption of files on the infected computers, for example), the same actions (such as showing the fake police warning screen) being performed in completely different ways, which shows that they were different projects, and the fact that we are still seeing new attacks performed on a daily basis.
Anyway, I decided to pull the thread and look for some figures to see if they are consistent with the evidence described above. In most cases, computers get infected via the infamous “exploit kits”, tools used by cybercriminals to install different malware just by visiting a compromised web site, without user intervention. To achieve this, exploit kits use different security holes in software installed on the computer, most of them in Java or Adobe products, as this is very popular software with hundreds of millions of users and, sadly, many security holes. To make it worse, many users do not bother updating that software, which is like having an open door in your computer with a big sign saying “please infect me”. In short: infecting computers is child’s play in many cases.
This is why some months ago we deployed a new technology in Panda Cloud Antivirus that allows it to stop infection attempts that try to use this kind of vulnerability (even when it is an unknown vulnerability) and, furthermore, sends information to our cloud with data on the malware file that was trying to infect the system.
Out of all the data, I have extracted a couple of different families that belong to the police virus to see how many infections we have stopped from December 2012 until mid-February 2013. In other words, we are talking about Panda Cloud Antivirus users who, while on the Internet, were attacked with an exploit they had no protection for (their software wasn’t updated, most of it Java related) and whose aim was to infect them with either of these two particular families of the police virus.
The Russian head of the cybercriminal gang was arrested in Dubai last December. If this was really the only gang behind these attacks, as we have seen in some media, the number should have dropped considerably. However, this is the result:
As we can see, the number of blocked infections is not going down; it has increased by 2! This proves that we will have to deal with this police virus for a long time; the war is not over yet (as usual).
These two families, as well as many others, are detected by Panda under the name Trj/Ransom.AB. If you have already been infected and need some help, our Technical Support team has the following instructions, which work really well to solve all your problems.
Finally, some advice to avoid becoming a victim of these cybercriminal gangs:
- Update. All installed software. From the operating system to any other software you have on your computer. Don’t be lazy, it is worth it.
- Uninstall any Java plugin in the browser. You don’t need it and you get rid of a HUGE risk. Not only this: unless you need Java to run some local application on your computer, remove it completely. I did this a long time ago. An ounce of prevention is worth a pound of cure.
Today, we have some important news to share with you. Our friends in the Technological Investigation Brigade of Spain’s National Police, together with Europol and Interpol, have dismantled the cyber-crime ring responsible for the “Police Virus”. According to the news release published by Spain’s Ministry of Home Affairs, the police have arrested ten members of the computer hacking group, responsible for taking in around 1 million euros per year from victims of their scams. The arrested people include six Russians, two Ukrainians and two Georgians, all of them living in Spain.
The head of the gang, a citizen of Russian origin, was also arrested in the operation. Oddly enough, and despite his origin, he was arrested in Dubai while on vacation, and awaits extradition to Spain. The operation remains open and more arrests could be forthcoming.
In any event, and before we all start celebrating, it must be said that in our opinion, based on our research of the Police Virus, there is more than one group behind the attacks. We’ve reached this conclusion after having studied multiple variants of this malware over time and having detected numerous striking differences among them.
Here on this blog we have posted several reports on the Police Virus and its evolution over time. This evolution is absolutely normal and it doesn’t necessarily mean that there are various teams behind the attacks, as it is quite normal for cyber-criminals to try different techniques to infect as many people as possible.
However, there is other evidence to the contrary: We saw how certain techniques that had apparently been abandoned (like the encryption of files on the victim’s computer) were suddenly put to use again; or how different variants used completely different techniques to achieve the same results (display a fake police warning on screen). All the evidence seems to indicate that we are dealing with different projects.
This wouldn’t be too surprising after all. If you analyze the situation from a purely commercial point of view, it would be something like this: someone comes up with a money-making idea, and others copy it quickly to get the same results. It happens all the time. In this particular case, it seems that there are different gangs ‘in the same line of business’.
Another clear piece of evidence is the fact that the attacks keep repeating, even at this very minute: there are new Police Virus infections asking for their €100 fine. Here are a couple of screenshots of two new variants we detected a couple of minutes ago, as I was typing these lines:
Anyway, this is still good news for everyone: another cyber-crime ring has been dismantled, and law enforcement agencies around the world keep making progress towards defeating the cyber threat.
I do not want to bore you to death, so just a few tips on the topic:
- Do not run attached files that come from unknown sources. Stay on alert for files that claim to be Valentine’s Day greeting cards, romantic videos, etc.
- Do not open emails or messages received on social networks from unknown senders.
- Do not click any links included in email messages, even though they may come from reliable sources. It is better to type the URL directly in the browser. This rule applies to messages received through any mail client, as well as those in Facebook, Twitter, or other social networks or messaging applications, etc. If you do click on any such links, take a close look at the page you arrive at and if you don’t recognize it, close your browser.
- Even if the page seems legitimate, but asks you to download something, you should be suspicious and don’t accept the download. If you download and install any type of executable file and you begin to see unusual messages on your computer, you have likely been infected with malware.
- If you are making any purchases online, type the address of the store in the browser, rather than going through any links that have been sent to you. Only buy online from sites that have a solid reputation and offer secure transactions, encrypting all information that is entered in the page.
- Do not use shared or public computers, or an unsecured WiFi connection, for making transactions or operations that require you to enter passwords or other personal details.
- Have an effective security solution installed, capable of detecting both known and new malware strains.
Today we are publishing the latest PandaLabs Annual Report, covering the major security news that happened during 2012, from mobile malware to cyber-war, and all major events in different areas such as social networks.
We also cover the security trends for 2013, as well as some of the main figures related to malware:
- 27 million new malware strains found in 2012, at an average of 74,000 new samples per day.
- Three out of every four malware infections were caused by Trojans.
- China, South Korea and Taiwan are the world’s most infected countries.
The full report is available here.
Unsurprisingly, the Blackhole Exploit Kit is still trying to infect users. One of the techniques commonly used is to send the victim an email purporting to come from, for example, Facebook, LinkedIn or Twitter, asking them to click on a link.
We’ll take a small peek at those tactics. We received the following email:
You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.
The Facebook Team
Obviously, Facebook didn’t disable your account at all. There are some factors that make it easy to determine this email is fake:
- The ‘From’ field says it’s from “Facebook”, however, the sender is clearly ‘firstname.lastname@example.org’.
- Have you disabled your account? If not, then there’s no reason to receive this mail.
- The subject and the content of the email do not match.
- Hovering over the links in the email reveals the real URLs, which are not Facebook URLs.
When clicking on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (aka BH EK). It tries to load a Java exploit on the machine by first detecting which plugin and Java version you are using:
The payload? Probably ransomware or a Banker Trojan.
Use the WOT add-on to check on the status of a website.
Use your common sense and ask yourself the proper questions (see below).
As usual with this kind of emails, be alerted and always ask yourself the proper questions:
- Why did this get in my Unwanted Email or Spam folder if I normally get Facebook mails in my normal Inbox?
- Why would Facebook send me this when my account isn’t disabled at all?
- Why are those links not pointing to Facebook websites?
- Why is the sender not from Facebook itself? What can I see in the headers?
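As an added example (not part of the original post), a small Python check that mechanizes two of the tells listed above and in the questions just asked: the display name in ‘From’ versus the sender’s real domain, and where each link in the body actually points. The allow-list of Facebook domains and the sample message are my assumptions, modelled on the mail quoted above.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts a genuine mail from this brand would use.
TRUSTED = {"facebook": ("facebook.com", "facebookmail.com")}

class _Links(HTMLParser):  # collects every <a href="..."> in the HTML body
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _belongs_to(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_indicators(raw_message):
    """Return the tells found: brand in From vs. foreign sender domain, foreign links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    brand = next((b for b in TRUSTED if b in display_name.lower()), None)
    found = []
    if brand is None:
        return found  # no known brand claimed; nothing to compare against
    if not _belongs_to(sender_domain, TRUSTED[brand]):
        found.append(f"From says {display_name!r} but sender domain is {sender_domain!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    links = _Links()
    links.feed(body.get_content() if body else "")
    for href in links.hrefs:  # the real target, not the link text
        host = urlparse(href).hostname
        if not _belongs_to(host, TRUSTED[brand]):
            found.append(f"link goes to {host!r}, not a {brand} host")
    return found

# Constructed sample modelled on the mail quoted above (not the real message).
SAMPLE = """\
From: Facebook <firstname.lastname@example.org>
Subject: You have disabled your Facebook account
Content-Type: text/html

<p>You can restore your account at any moment:
<a href="http://restore-login.example.invalid/fb">log in</a></p>
"""
```

Run `phishing_indicators(SAMPLE)` to see both tells reported; a genuine notification from facebookmail.com linking only to facebook.com returns an empty list.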
Use your common sense, update your third-party applications as well as Windows, and use a decent antimalware and antivirus product, like the free Panda Cloud Antivirus.
Author: Bart Parys