Video Screencast Help
Security Response
Showing posts in English
Symantec Security Response | 30 May 2014 15:15:55 GMT

Info_theft_concept.png

Earlier this year, Symantec blogged about Infostealer.Bankeiya, a Trojan that was specifically targeting  users in Japan through the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322). Bankeiya monitors and steals confidential information specific to Japanese online banking sites.

A few months after our first blog, Symantec noticed that Infostealer.Bankeiya had resurfaced and was infecting more online banking customers in Japan. While it is unclear exactly how much money was stolen by Bankeiya, there is no doubt that its previous...

Satnam Narang | 29 May 2014 17:12:10 GMT

Following reports of Apple IDs being compromised and devices being held for ransom in Australia and New Zealand, Apple issued a statement to ZDNet proclaiming that their iCloud infrastructure had not been breached. They went on to warn users to “change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.” Symantec would like to advise owners of Apple devices to keep an eye out for emails attempting to phish for Apple ID login credentials.

Going phishing for Apple IDs

While there have been no confirmed reports as to how these Apple IDs were compromised, one possible explanation is phishing scams. Due to all the media attention this event has received, Symantec is cautioning...

Joji Hamada | 29 May 2014 13:26:22 GMT

In mid-May, Symantec observed a gradual uptick in attacks exploiting the Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515), and we continued to monitor this trend. Symantec’s research now indicates that the attacks are being performed on a massive scale and that majority of them are focused on Japan.

Back in April, CVE-2014-0515 was originally being exploited in watering-hole attacks against specific organizations or industries. Later in the same month, Adobe released a patch for the vulnerability. However, just a few weeks later Symantec telemetry indicated that instead of the initial targets, the exploit was now being used to target a wider range of Internet users.

Figure1_12.png
Figure 1....

Satnam Narang | 27 May 2014 21:06:05 GMT

Many users in Australia and New Zealand have had their Apple IDs compromised. We are seeing reports on Apple’s support community and social networks that their Apple devices are being remotely locked and held for ransom by someone claiming to be Oleg Pliss, a software engineer at Oracle, who the attackers randomly chose to pin this attack on.

Apple ID 1 edit.png

Figure 1. Locked iPhone ransom message

What happened to my Apple device?

Based on initial feedback, a number of Apple IDs have been compromised and used to lock iPhones, iPads, and Macs. It remains unclear exactly how the Apple IDs were compromised, but possible explanations include phishing attempts, weak passwords, or password reuse. A separate breach involving emails and passwords used to login to Apple and iCloud could have...

Joseph Graziano | 27 May 2014 18:38:53 GMT

At the beginning of April, a vulnerability in the OpenSSL cryptography library, also known as the Heartbleed bug, made headlines around the world. If you haven’t heard of the Heartbleed Bug, Symantec has published a security advisory and a blog detailing how the Heartbleed bug works.

As with any major news, it is only a matter of time before cybercriminals take advantage of the public’s interest in the story. Symantec recently uncovered a spam campaign using Heartbleed as a way to scare users into installing malware onto their computers. The email warns users that while they may have done what they can by changing their passwords on the websites they use, their computer may still be “infected” with the Heartbleed bug. The spam requests that the user run the...

Satnam Narang | 27 May 2014 16:21:34 GMT

image1_24.png

Symantec has discovered a paid retweet service targeting aspiring artists, managers and bands on Twitter with the promise of retweets from real users. These scammers are charging victims 50 cents for every "person" they hire to retweet every tweet for 30 days. Despite claiming that each account is operated by a real person, the service consists of little more than automated accounts, also known as Twitter spam bots.
 

image2_14.png

Figure 1. Retweet service offering pitched to managers of artists
 

As you would expect, numbers define popularity on social media—from the number of Facebook "likes" to the number of Twitter followers and Twitter retweets....

Nick Johnston | 21 May 2014 18:02:27 GMT

Google Docs and Google Drive were the focus of a sophisticated phishing scam that we looked at two months ago and this technique is being used again. This scam is more effective than the millions of phishing messages we see every day because the Google Drive phishing page is actually served over SSL from the legitimate Google Drive service itself.

Most phishing mitigation focuses on visually inspecting the URL to make sure the connection is secure. And this is good advice, but this does not help prevent against this specific attack.

As in the past, the attacker's phishing message uses the simple subject of "Documents" and contains a URL pointing to a phishing page hosted on the Google Drive file storage and synchronization service:
 

...

Symantec Security Response | 20 May 2014 15:58:24 GMT

3509155_-_mobile_device_iBanking.png

Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model. 

Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to US$5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits. 

iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent...

Symantec Security Response | 19 May 2014 15:04:19 GMT

The FBI, Europol, and several other law enforcement agencies have arrested dozens of individuals suspected of cybercriminal activity centered around the creepware known as Blackshades (a.k.a. W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, sharing information that allowed the agency to track down those suspected of involvement. As a result of this operation, the website selling Blackshades has been taken down and we expect a significant reduction in activity involving this malware. 

Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry level hackers right up to sophisticated cybercriminal groups. Blackshades was sold on a dedicated website, bshades.eu for...

Binny Kuriakose | 16 May 2014 15:02:41 GMT

May 13, 2014 witnessed the release of another posthumous compilation album of Michael Jackson recordings, named Xscape. This reworked collection of Jackson tracks was highly anticipated by music lovers, ever since its announcement in March, 2014. News of the album release has once again made Michael Jackson a hot topic and, unsurprisingly, spammers have been quick to exploit this.

This spam campaign uses a very simple email which is crafted to appear like personal mail. It uses Michael Jackson’s name and some of his song titles to create intriguing subject lines. The body of the email contains a link along with a generic comment. A name is used to sign the email message, as seen in Figure 1, in an effort to give the impression that an acquaintance has sent you an email with a link to the new Jackson album. The URL in the body of the email redirects to a fake pharmacy domain which promises cheap medicines without prescription.

The following are subject lines seen in...