Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts in English
Laura O'Brien | 24 Feb 2014 01:22:26 GMT


Mobile World Congress is set to take place this year between February 24 and 27. The event promises to showcase smartphone and tablet innovations that will become a reality over the next 12 months. However, as mobile manufacturers and app developers have upped their game each year, so too have malware authors. Symantec discovered an average of 272 new malware variants and five new malware families per month targeting the Android mobile operating system in 2013. These threats have taken aim at mobile devices in several ways, such as by attempting to steal personal and financial information, track users, send premium rate SMS messages, and display intrusive adware. We have seen some notable threats that could pave the way for what’s next in mobile malware:

More aggressive financial Android threats
Consumers have been increasingly turning to their...

Symantec Security Response | 21 Feb 2014 23:01:00 GMT

Watering hole attacks using zero-day vulnerabilities are becoming more common. Last week we announced an Internet Explorer 10 zero-day being used in a watering hole attack and today, just one week later we have an Adobe Flash zero-day, Adobe Flash Player and AIR CVE-2014-0502 Remote Code Execution Vulnerability (CVE-2014-0502), also being used in a watering hole attack. This new attack has been dubbed “Operation GreedyWonk” in various media and is reported to be targeting the websites of three non-profit institutions. Symantec telemetry shows even more sites being targeted in this watering hole attack using this new zero-day.


Figure 1....

Eric Park | 18 Feb 2014 18:34:22 GMT

In this blog detailing how spammers continue to change their messages in order to increase their success rate, we looked at the evolution of the same spam campaign from missed voicemail messages to spoofing various retailers, and then spoofing utility statements. Clicking on the link led the users to a download for a .zip file containing Trojan.Fakeavlock. Attackers may have realized that those attack vectors no longer entice recipients, so spammers have introduced two new schemes for this campaign that appear to be random and unrelated at first, but they do share a common goal.

The first scheme spoofs various courts around the country:


Symantec Security Response | 14 Feb 2014 23:58:13 GMT

In an earlier blog, Symantec highlighted that we were investigating reports of a zero-day exploit affecting Internet Explorer 10 in the wild. Now we have further details on the attack leveraging this new zero-day, Microsoft Internet Explorer CVE-2014-0322 Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322).

IE 0 day edit.png

Figure. Watering hole attack using IE 10 0-day

Anatomy of the attack

The target of this watering hole attack was the (Veterans of Foreign Wars) website. While this attack was active, visitors to the site would encounter an IFrame which was inserted by the attackers in order to...

Symantec Security Response | 14 Feb 2014 00:30:09 GMT

Symantec is currently investigating reports of a potential zero-day exploit affecting Internet Explorer 10 in the wild. This appears to be a watering hole attack that was hosted on a compromised website in the United States. The watering hole attack website redirected unsuspecting users to another compromised website that hosted the zero-day attack.

We continue to analyze the attack vector and associated samples for this potential zero-day. Our initial analysis reveals that the Adobe Flash malicious SWF file contains shell code that appears to be targeting 32-bit versions of Windows 7 and Internet Explorer 10. We have identified a back door being used in this attack that takes screenshots of the victim’s desktop and allows the attacker to take control of the victim’s computer. We identify and detect this file as Backdoor.Trojan.

Symantec also has the following IPS...

Satnam Narang | 12 Feb 2014 18:59:14 GMT

In the latest Snapchat spam developments, an increasing number of the photo-sharing app’s users have been sending out spam pictures of fruits or fruit-based drinks to their contacts, which directs them to websites called “Frootsnap” and “Snapfroot”.

Snapchat Fruit 1 edit.png

Figure 1. Fruit spam on Snapchat

While Symantec has been tracking Snapchat spam for months, this is the first case in which the spam does not originate from fake accounts, but those belonging to real users. These accounts have been compromised to push diet spam.

Instagram users might recall similar...

Dinesh Theerthagiri | 11 Feb 2014 19:49:38 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of thirty-one vulnerabilities. Twenty-five of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the February releases can be found here:

The following is a breakdown of the issues being...

Eric Park | 11 Feb 2014 17:55:34 GMT

One of the most popular methods of spamming is snowshoe spam, also known as hit and run spam. This involves spam that comes from many IP addresses and many domains, in order to minimize the effect of antispam filtering. The spammer typically sends a burst of such spam and moves to new IP addresses with new domains. Previously used domains and IP addresses are rarely used again, if ever.

Some spammers like to use a similar pattern across their spam campaigns. This blog discusses a particular snowshoe spam operation that I have labeled “From-Name snowshoe”. While there are other features in the message that allow the campaigns to be grouped into the same bucket, the messages’ most distinct feature is that all of the email addresses that appear in the “from” line use real names as their usernames. 

  • From: [REMOVED] <Leila.Day@[REMOVED]>
  • From: [REMOVED] <CharlotteTate@[REMOVED]>
  • From: [REMOVED] <Diana.Pope@[REMOVED]>
  • ...
Stephen Doherty | 10 Feb 2014 18:50:53 GMT


The Mask 1.png

Modern cyberespionage campaigns are regularly defined by their level of sophistication and professionalism. “The Mask”, a cyberespionage group unveiled by Kaspersky earlier today, is no exception. Symantec’s research into this group shows that The Mask has been in operation since 2007, using highly-sophisticated tools and techniques to compromise, monitor, and exfiltrate data from infected targets. The group uses high-end exploits and carefully crafted emails to lure unsuspecting victims. The Mask has payloads available for all major operating systems including Windows, Linux, and Macintosh.

An interesting aspect of The Mask is the fact that they are targeting the Spanish-speaking world and their tools have...

Christian Tripputi | 07 Feb 2014 13:13:29 GMT

The biggest bank robbery of all time was identified in Brazil in 2005. In this case, a gang broke into a bank by tunneling through 1.1 meters of steel and reinforced concrete and then removed 3.5 tons of containers holding bank notes. This heist resulted in the loss of about 160 million Brazilian dollars (US$380 million).

Robbers today, however, don’t have to bother with drilling through walls to steal money. They can rob a bank while sitting comfortably at home behind a computer. Thanks to cybercrime, organizations have suffered financial losses in the order of millions. The Symantec State of Financial Trojans 2013 whitepaper shows that banking Trojans are becoming more prevalent. Apart...