Showing posts with label hacker. Show all posts

Malware Campaign Targeting Jaxx Wallet Holders Shut Down


A site spoofing the official Jaxx website was discovered packing several infections for Windows and Mac machines, and has been shut down.
A malware campaign targeted Jaxx cryptocurrency wallet holders through a website spoofed to mimic the legitimate Jaxx site, researchers at Flashpoint reported this week. The fraudulent site has since been taken down.
Jaxx was created by Ethereum cofounder and Decentral founder Anthony Di Iorio, who built the wallet in 2015 to help people manage digital assets. It has been downloaded more than 1.2 million times on desktop and mobile, the company reported in March. Its latest version, Jaxx Liberty, supports more than a dozen cryptocurrencies, including Bitcoin and Ethereum.
Earlier this month, Flashpoint notified both Jaxx and the Cloudflare content delivery network of a spoofed site designed to mimic Jaxx's, created on Aug. 19. The site had a URL similar to the legitimate Jaxx[.]io and included line-by-line copy taken from the actual site, with modifications made to the download links to redirect visitors to a server controlled by attackers.
Researchers point out this campaign is built on social engineering and not a vulnerability in the Jaxx mobile app, website, or any domains owned by Decentral. The fraudulent Jaxx site packed several custom and commodity strains of malware developed to empty users' wallets.
"It's unclear how the attackers were luring victims to the spoofed Jaxx site, whether they were relying on poisoned search engine results, phishing via email or chat applications, or other means to infect victims," researchers report in a post on their findings.
Malware Skips Mobile, Goes to Desktop
This campaign was strictly focused on desktop victims, researchers report. Mobile users who clicked "download" on the malicious site were redirected to the legitimate Jaxx site, uninfected.
Windows and Mac OS X users, however, weren't quite as lucky. Visitors to the fake website would likely believe they were on the real one, as attackers installed the legitimate software onto victims' computers while malware was simultaneously installed in the background.
Mac users who clicked bad links received a custom malicious Java Archive (JAR) file, which was programmed in PHP and compiled using DevelNext, a Russian-language IDE. It seems the malware was developed specifically for this campaign; Jaxx branding is throughout the code.
If the JAR was executed, it displayed a message in both Russian and English stating that the user was temporarily blocked from creating a new wallet. The user was then rerouted to a "Pair/Restore Wallet" option, which prompted for the Jaxx backup wallet phrase, the secret used to decrypt the wallet and therefore all the threat actors needed to pilfer digital currency from the target's account. The victim's backup phrase was sent to the attackers' server, and the victim was shown another error message.
The Windows link downloaded a custom-written .NET application, which contained both malicious behavior and two additional malware samples. This behavior included exfiltrating all the victim's desktop files to a command-and-control server, and the malware samples were KPOT Stealer and Clipper, both marketed on underground Russian-language cybercrime sites.
Victims who clicked the link downloaded a Zip archive from a Google Docs URL. The malicious .NET binary, like the JAR for OS X, was built for this campaign. The malware contacted the command-and-control server, where the target's files were uploaded, while the fake application downloaded three executables from separate URLs: the Liberty Beta installer, KPOT, and Clipper.
KPOT is designed to steal information from the local hard drive; Clipper scans the clipboard for digital wallet addresses. Once it detects an address, it swaps it out for a different address under the attackers' control. If an address is changed in the clipboard, victims may not notice the recipient has changed when they copy-and-paste addresses to send payments.
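The clipboard substitution described above is hard to catch with a format check alone, because the address a clipper swaps in is itself well-formed. The defensive signal is the mismatch between what the user copied and what the clipboard holds at paste time. The following is an added illustration, not Flashpoint's, Jaxx's or the malware's code: an in-memory stand-in for the OS clipboard (so it runs offline), a guard that records the user's own copy action and compares at paste, and a Base58Check validator to show that the swapped-in address passes a legacy Bitcoin address format check. The sample addresses are the genesis-block address and the worked-example address from the Bitcoin wiki; the `ClipboardGuard` and `simulate_clipper_attack` names are this example's own.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added illustration (not code from the article or from Jaxx): a simulated
# clipboard plus a guard that notices when a copied wallet address is silently
# replaced before it is pasted. A real guard would poll the OS clipboard.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """True if addr decodes as Base58Check (legacy Bitcoin address format):
    version byte + payload + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    # Each leading '1' stands for one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


@dataclass
class Clipboard:
    """Stand-in for the OS clipboard (constructed for this example)."""
    text: str = ""


@dataclass
class ClipboardGuard:
    """Remembers what the user actually copied and compares it at paste time."""
    clipboard: Clipboard
    last_user_copy: Optional[str] = None
    alerts: List[str] = field(default_factory=list)

    def user_copied(self, text: str) -> None:
        # Only content that arrives through the user's own copy action is trusted.
        self.clipboard.text = text
        self.last_user_copy = text

    def check_before_paste(self) -> Tuple[bool, str]:
        """Return (ok, reason); ok is False when the clipboard no longer holds
        what the user copied, i.e. something else wrote to it in between."""
        current = self.clipboard.text
        if self.last_user_copy is None:
            return False, "no trusted copy recorded"
        if current == self.last_user_copy:
            return True, "clipboard matches the copied address"
        # A clipper's replacement address is usually well-formed, so a format
        # check cannot catch it; the mismatch against the copy is the signal.
        looks_valid = base58check_valid(current)
        reason = (f"clipboard replaced: copied {self.last_user_copy!r}, now "
                  f"{current!r} ({'well-formed' if looks_valid else 'malformed'} address)")
        self.alerts.append(reason)
        return False, reason


def simulate_clipper_attack(guard: ClipboardGuard, attacker_addr: str) -> Tuple[bool, str]:
    """One copy / silent swap / paste cycle, with the swap standing in for the
    background substitution the article describes."""
    guard.user_copied("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")  # sample: genesis-block address
    guard.clipboard.text = attacker_addr                    # written without a user copy event
    return guard.check_before_paste()


if __name__ == "__main__":
    ok, why = simulate_clipper_attack(ClipboardGuard(Clipboard()),
                                      "16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM")  # sample address
    print("paste allowed:" if ok else "paste blocked:", why)
```

Note that the guard only trusts copies routed through `user_copied`; any other write to the clipboard between copy and paste produces an alert, whether or not the new content looks like a valid address. That is the same check a cautious user performs by eye: compare the pasted recipient against the source before confirming a payment.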


What Is Smishing?

Cybercriminals have created various methods to trick people into downloading viruses or malware onto their laptops, tablets, and smartphones.
The latest form is smishing, another tool used by cybercriminals to obtain personally identifiable information and steal identities by infecting your smartphone through texts or an SMS message. The software’s malicious intent comes in the form of viruses, ransomware, spyware or adware.
The term “smishing” is a mashup of SMS (short message service) and phishing, in which fraudsters send emails that mimic a trustworthy source such as a credit card company, financial institution or retailer. Unsuspecting consumers open the email and click on the links, allowing the malware to be activated.
When people click on the links, the fraudsters can trick them into sharing their password, credit card numbers or other personally identifiable information such as Social Security numbers.
Smishing is growing in popularity because too many people are unaware of this new type of fraud and trust text messages more than the emails they receive.
The fraudsters are following a similar strategy when it comes to phishing and rely on social engineering to get more people to give out their personal information. The smisher wants to obtain passwords, credit card information or your Social Security number to sell them on the darknet, a.k.a. the dark web.
If fraudsters are able to obtain your personal information, they can steal your identity and apply for credit cards and loans while pretending to be you, which can greatly affect your credit score.
Some smishers have deployed a tactic of telling people that if they fail to click on the link and provide their personal information, the company they’re pretending to be will start charging daily for the service. These fraudsters will attempt to fool you into thinking they are a legitimate source you would normally use or trust.
Ignore all messages that seem bizarre or are from companies where you did not sign up for text alerts.

How to Prevent Smishing

These two words will help you avoid smishing attacks: Delete and block.
Just like with emails, don’t reply to texts from people who are not in your address book. There are too many incidences of fraud, and the headaches of identity theft are not worth it.
When a text message or SMS comes from a number such as “8000” and does not resemble a standard phone number, skip them. Those are simply emails that are sent to a smartphone.
As more and more people share links from articles, videos or social media, it is easy to just click on a link. Skip the ones from people you do not know. If the link looks suspicious or out of character to be coming from that particular friend, ask them if they sent it.

Protecting Yourself From Identity Theft

If you communicate through your mobile device frequently or use it to watch videos or movies, consider adding a VPN to your phone. A VPN, or virtual private network, prevents fraudsters from seeing your activity on the Internet.
VPNs can be used on a person’s mobile device, laptop or computer and are useful when you are accessing the Internet from a public network at an airport, retailer or hotel.
The risk of using public WiFi is high because criminals routinely intercept people’s sensitive and personal data as they are paying bills or shopping. The public networks are being watched by hackers so they can steal passwords and identities and install malware.
Adding a VPN will shield both your activity and personally identifiable information. While some VPNs are free, others can be purchased, but people should conduct due diligence before downloading one.
Since smishing is occurring more frequently, it is good practice to check your credit report on a regular basis to see if a fraudster tried to open a new credit card or another account in your name. Consumers can obtain one free credit report from Experian, Equifax and Transunion every 12 months at AnnualCreditReport.com. You can also get a free copy of your Experian credit report and dispute anything inaccurate on it here on Experian.com.

mobile malware Daily update ⋅ March 15, 2018




NEWS
Cybercriminals pivot to cryptomining, fileless malware – McAfee
McAfee said new ransomware grew 35%, and 2017 ended with a 59% growth of ransomware attacks year over year. While new mobile malware decreased by 35%, most notably in terms of Android screenlocking ransomware, the cybersecurity firm added new Mac OS malware samples increased 24% ...
APAC security chiefs expect imminent attack on critical systems
Cyber criminals will ramp up efforts to mine cryptocurrencies, while mobile malware will rear its ugly head across the APAC region in 2018. The computer networks of two universities in Singapore were breached in April 2017 by hackers looking to steal information related to government or research.
Eight new cyber threat samples emerging per second
In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters. 97% of spam botnet traffic in Q4 was driven by Necurs — recent purveyor of 'lonely ...
Asia Pacific countries are a melting pot of cyber threats
Asia Pacific (APAC) countries remain a popular melting pot for cyber threats of all kinds, including online banking malware, ransomware, malicious mobile app downloads and exploit kit attacks. APAC accounted for almost 40% of the 1.7 billion ransomware attacks between 2016-2017, according to ...
Cyberattacks to increase in 2018 on IoT and mobile devices: SonicWall Cyber Threat Report
Malware attacks increased from 7.87 billion in 2016 to 9.32 billion in 2017, while ransomware attacks decreased from 638 million to 184 million, according to SonicWall Cyber Threat Report. SonicWall, the cybersecurity solutions provider, revealed the findings, intelligence, analysis, and research about ...
Mobile Anti-Malware Market Analysis, Overview, Growth, Demand And Forecast Research Report ...
Mobile Anti-Malware Market report provides key statistics on the market status of the Mobile Anti-MalwareManufacturers and is a valuable source of guidance and direction for companies and individuals interested in the Mobile Anti-Malware Industry. The Mobile Anti-Malware industry report firstly ...
Mining Malware was used by Hackers for 400,00 Computers
However, the antivirus program managed to recognize all these attempts. The miner was supposed to mine Electroneum, which is a less known coin that also uses mobile mining that is app based. Malware also generated traffic that was really suspicious, and the command and control server were ...

Should you uninstall Kaspersky software?



Q: Should I uninstall Kaspersky anti-virus from my computer?

A recent Wall Street Journal story about a National Security Agency contractor that had classified documents on his home computer and was allegedly targeted because of his use of Kaspersky Lab anti-virus software has once again put the Russian cybersecurity company in the spotlight.
The theory is that hackers used the file inventory process that Kaspersky anti-virus uses to discover the sensitive files and target the contractor.
Concerned? See below for suggestions on how to remove Kaspersky from your computer.

Government ban

Software from Kaspersky Lab was removed from the U.S. General Services Administration approved list in July and in September, the Department of Homeland Security ordered federal agencies to stop using any software made by Kaspersky Lab because of concerns about the company’s ties to Russian intelligence.
The founder of the company, Eugene Kaspersky, has long had a cloud of uncertainty over him because of his early ties to the KGB and its replacement, the FSB. As a teenager, he studied cryptography in school and by his mid-20s, he created an anti-virus program to protect his own computer that eventually led to Kaspersky Lab.
This most recent allegation certainly makes using the company’s software even more disconcerting.

Should you remove it?

Despite the company’s repeated denials of any connection to the Russian government, with the plethora of security programs that don’t come with the “Russian baggage,” switching to another program is the safest way to go.
To be realistic, the likelihood that you would somehow become the target of Russian government hackers just because you are using a Kaspersky program is pretty slim, but there’s no reason to take the chance.

Alternative programs

The vast majority of security programs on the market are actually from companies outside of the U.S. For example, popular programs such as AVG & Avast (Czech Republic), Bitdefender (Romania), ESET (Slovakia), F-Secure (Finland), Panda (Spain), Sophos (UK) and Trend Micro (Japan) are all controlled by companies outside the U.S.
Many in the U.S., because of ongoing concerns about the U.S. government’s overreach, have proclaimed their preference to using a program based in another country, especially allies such as Finland, the U.K. and Japan.

Removing Kaspersky Lab products

The standard way of removing programs in Windows is via Start > Control Panel > Add/Remove Programs, or you can use Kaspersky’s removal tools for either Windows or MacOS.
Advanced Windows users may want to take the additional step of manually scanning the registry to make sure that all Kaspersky-related keys have been removed.
Mac users can also use the free Dr. Cleaner app to ensure that it’s properly removed as simply dragging it to the trash does not properly remove it. Some programs like Trend Micro Worry-Free Business Security can automatically remove other programs, which makes converting a large number of computers more efficient.
Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.

Android security: This newly discovered snooping tool has remarkable spying abilities


A newly-uncovered form of Android spyware is one of the most advanced targeted surveillance tools ever seen on mobile devices, coming equipped with spying features never previously seen active in the wild.
Named Skygofree by researchers because the word was used in one of its domains, the multistage malware is designed for surveillance and puts the device in full remote control of the attackers, enabling them to perform advanced attacks including location-based sound recording, stealing communications including WhatsApp messages, and connecting to compromised networks controlled by the malware operators.
Researchers at Kaspersky Lab say those behind the spyware have been active since 2014 and are targeting select individuals -- all in Italy. Those behind the mobile surveillance tool are also thought to be based in Italy.
"Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions," said Alexey Firsh, malware analyst in targeted attacks research at Kaspersky Lab.
The malware was uncovered during a review of suspicious file feeds, with its capabilities uncovered after analysing the code.

[Image: Researchers say Skygofree has some of the most advanced features ever seen in mobile malware. Image: iStock]

Still thought to be receiving updates from its authors, Skygofree offers attackers 48 different commands, allowing them flexibility to access almost all services and information on the infected device.

That includes the ability to secretly use the device's microphone to eavesdrop on the user and their surroundings when they enter a specified location -- a surveillance feature which has never previously been seen in the wild.
Other previously unseen features bundled with Skygofree are the ability to use Accessibility Services to steal WhatsApp messages of victims and an ability to connect an infected device to wi-fi networks controlled by the attackers.
The malware is also equipped with all the features and root access privileges usually associated with trojan spyware, including capturing photos and videos, seizing call records and text messages, as well as monitoring the user's location via GPS, their calendar, and any information stored on the device.
If the user has chosen to run battery-saving measures, Skygofree is able to add itself to the list of 'protected apps' in order to ensure it can carry on its malicious activity, even when the screen is off or the phone isn't active.
It remains unclear if those targeted by Skygofree have anything in common outside of being based in Italy, but research suggests that those infected with the Android malware have been compromised after visiting fake websites which mimic those of leading mobile operators.
While researchers still don't know how the victims are lured onto these malicious sites, once there, they're asked to update or configure their device, allowing the malware to be dropped in the process.
Most attacks appear to have taken place in 2015, but there's evidence that Skygofree is still active with evidence of attacks as recently as 31 October 2017. The attackers have gone out of their way to ensure that Skygofree remained under the radar without being detected.
"High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion," said Firsh.
In addition to actively infecting Android devices, the attackers also appear to have an interest in Windows systems: researchers uncovered recently-developed modules to target the platform.
However, given the treasure trove of information a mobile device can provide to attackers, it's no surprise that those behind Skygofree put their main focus on Android -- especially given the chance it offers to track a user's movement and therefore activate attacks based on location.
"Mobile spyware is becoming more effective than PC variants, because victims keep their mobile phone close by them at all times, and such implants can exfiltrate a large amount of sensitive information," Vicente Diaz, deputy head of the global research and analysis team at Kaspersky Lab, told ZDNet. "Some of the never before seen-in-the-wild features of Skygofree are remarkable in their capability."
In order to protect against falling for these sorts of targeted cyber-attacks, mobile users are encouraged to use a security tool to help protect their device and to exercise caution when they receive emails from people or organisations they don't know, or with unexpected requests or attachments.

via Zdnet

