Month: September 2015

Porn Malvertising Targets Top Porn Site Visitors

Porn websites are often considered to be rife with malware, although the major websites spend heavily to keep their sites malware-free. That said, a recent porn malvertising campaign hit one of the largest adult websites, placing millions of site visitors at risk of infecting their devices.

Viewing Internet Porn Can Give you a Nasty Infection

Cybercriminals have targeted a number of adult websites over the past few weeks, with one of the Internet’s largest porn sites among those affected. The cyberattack was quickly dealt with once discovered, but not before many of the site’s half a billion monthly web visitors had been shown malicious adverts.

SSL Malvertising Campaign Hits Top Porn Site

The malvertising campaign that targeted the top porn site was not new. It has previously affected some other notable websites that attract huge volumes of monthly traffic. MSN.com was affected, as was Yahoo. The cybercriminals behind the campaigns then started to target porn websites and other adult web portals.

The malvertising campaign was delivered via the ad-serving network TrafficHaus. The adverts offered a “sex messenger” dating app: download it, and you would supposedly be presented with a wide range of suitable partners looking for temporary love in your area. No download was actually required to get infected. Provided a security vulnerability existed in the visitor’s browser, the malware would be downloaded automatically.

The campaign cleverly included a number of checks to ensure the adverts were only served to genuine web visitors running a browser version that was vulnerable to the exploit kit being used. Only Internet Explorer users were shown the adverts, and only if they lacked certain security products. These checks allowed the hackers behind the campaign to ensure that real people were targeted and that honeypots were avoided.

Visitors who were shown the adverts were subjected to the Angler exploit kit, the most commonly used exploit kit for delivering malware.

Second Porn Malvertising Campaign Hits Same Major Porn Site

This was not the only porn malvertising campaign that affected the top porn site. Some of the site’s visitors were recently hit with a ransomware attack known as browlock. Visitors had their web browsers locked with a page they were unable to remove, warning them that they had been caught viewing illegal pornography. The page in this case showed a warning from Interpol. This porn malvertising scam was similar to the FBI browserlock campaigns previously seen.

The porn malvertising campaign warned victims that their browser had been locked, their files had been encrypted, and they were being recorded using their device’s audio and video capabilities. Users were given a time limit in which to pay to have the lock lifted and avoid arrest.

Porn malvertising campaigns can be highly effective, and victims are left with little alternative but to pay the ransom. It is possible, however, to protect against infections and drive-by malware downloads. If security vulnerabilities do not exist, they cannot be exploited, and if adverts are not displayed, users cannot be infected by them. For the latter, a web filtering solution is the best option.

Apple Malware Attack Affects 225,000 Device Owners

Apple device security is particularly robust, yet the company’s operating systems are far from impregnable, as a recent Apple malware attack has shown. Apple device users have recently been targeted by hackers believed to be operating out of China. The Apple malware attack has so far resulted in the credentials of approximately 225,000 iPhone users being obtained by the hackers.

KeyRaider Responsible for Apple Malware Attack

The malware in question has been named KeyRaider. Fortunately, only device owners who have jailbroken their iPhones are at risk of infection. Jailbreaking an iPhone allows banned apps to be installed on the device, but the process also introduces a vulnerability that can be exploited by hackers. KeyRaider attacks devices that have been jailbroken using Cydia, the most popular jailbreaking tool for Apple devices.

Device GUIDs as well as Apple account usernames and passwords have been stolen by KeyRaider. The malware can steal user credentials, Apple purchasing information, private keys, and Apple push notification certificates.

Once a device is infected, user credentials are uploaded to a command and control server, and that data is made accessible to other individuals. The information can be used to purchase apps for Apple devices without the purchaser being charged; instead, the charges are applied to the infected users’ accounts.

To date, it has been estimated that as many as 20,000 individuals have downloaded software that allows them to obtain Apple apps for free at the expense of other Apple device users. In some cases, users’ devices have been locked and attackers have demanded ransoms to unlock the infected iPhones and iPads.

The Apple malware attack was discovered by Palo Alto Networks and China’s WeipTech, and services have now been developed that are capable of detecting devices that have been infected with the malware.

iOS App Store applications being infected with malware

Palo Alto Networks has also recently issued a warning over iOS App Store applications that have been infected with malware. To date, 39 different apps have been discovered to be infected, placing users of non-jailbroken Apple devices at risk of having their iPhones and iPads compromised. Hackers were able to copy and alter the Xcode development tools used by iOS app developers, and have been able to infect genuine applications by injecting malicious code at build time.

It is not just relatively obscure apps that have been infected. WeChat is used by hundreds of millions of Apple device owners, and the app was one of those infected with malicious code. That said, the developers of the app, Tencent, have investigated the issue and reported that the malware was not able to steal user credentials.

The malware infections are understood to be used to steal iCloud login credentials, and Chinese security researchers have discovered close to 350 different mobile apps that have been injected with malicious code. Those apps include some of the most popular Apple apps downloaded in China, such as Didi Kuaidi.

Image: Some of the Chinese App Store apps discovered to have been compromised

The recent Apple malware attacks have come as a surprise to many security researchers and users who considered Apple devices to be perfectly safe. While Apple is without a shadow of a doubt the safest mobile platform, owners of the devices should not consider iOS to be 100% safe.

Cisco Router Malware Discovered

According to reports from FireEye, IT security professionals do not only need to be concerned about malware attacks on computers, servers, and Android devices; Cisco router malware has now been discovered.

Cisco router malware discovered on 79 devices to date

The Cisco router malware is highly sophisticated and particularly worrying. The malware can survive a restart and is reloaded each time the device boots. It is also highly versatile and can be tweaked to suit an attacker’s needs; it has been found to support up to 100 different modules.

The malware was first discovered in Ukraine, although the infections have now spread to 19 different countries around the world, including the US, UK, Germany, China, Canada, India and the Philippines. At this stage it is not clear who created the malware or what its main purpose is.

It is also not clear whether the malware has been installed via exploited vulnerabilities. It is possible that routers have been hijacked because default logins were not changed or weak passwords were set.

It is known that the Cisco router malware is sophisticated and appears to have been professionally developed. This has led security researchers to believe that foreign governments have had a hand in its development. Should that be the case, it is likely that the main purpose of the malware is spying. While it has been known for some time that router malware is possible in theory, this is the first time that malware has been discovered affecting routers in the wild.

SYNful Knock came as a big surprise to many security professionals

The malicious software is called SYNful Knock, and it serves as a fully functional backdoor allowing remote access to networks. The attacks are also silent in many cases, and hackers are able to use the malware without risk of detection.

To date, the United States has been the most heavily targeted country, with 25 of the 79 infections discovered in the U.S. An ISP was also found to be hosting 25 infected routers. Lebanon has also been targeted, with 12 infections discovered in the country, while 8 of the 79 infections have been found in Russia.

The infections were discovered using ZMap. Four full scans of the public IPv4 address space were performed, probing for signs of the malware by sending out TCP SYN packets. At this stage it would appear that only Cisco routers have been affected by SYNful Knock, but there is concern that other manufacturers’ routers may also be infected with malware. Researchers are now investigating to find out whether router malware is a more widespread problem.

Malicious Web Adverts Spread Infections Among Daters

Nasty malware infections have been spread via the world’s largest dating website, which has been serving malicious web adverts to its visitors. Individuals trying to attract a new partner via Match.com’s UK site may have found that it is much easier to attract malware.

Malicious web adverts used for drive-by malware downloads

Users of the dating website were not required to download any malware manually. Their browsers were probed for security vulnerabilities that could be exploited without any further user interaction. Provided they were enticed to click on one of the malicious adverts served via Match.com, they would be directed to a site hosting an exploit kit. That exploit kit would then download malicious software onto their devices, delivering a ransomware payload without their knowledge. Files would subsequently be locked by Cryptowall ransomware until the victim paid a ransom.

Match.com is hugely popular and attracts over 5 million visitors every month in the UK alone. The potential for infection with malware was considerable, although it is not known how many individuals have been infected as a result of clicking on the malicious web adverts.

Malicious web adverts can be placed on popular sites for just a few cents

Malicious web adverts are displayed via the ad networks that popular websites use as an additional revenue source. The site owner places the network’s code on the website, and the network’s adverts are then displayed to visitors.

Participants in the ad programs are able to select the websites on which they want their adverts displayed. The cost of displaying each advert is set by the popularity of the website. For just a few cents, reportedly 36 cents, the criminals behind the malvertising campaign were able to target Match.com’s users. The malvertisers were keen to take advantage of the huge traffic that the site attracts.

Most websites serve adverts of some description. They are an essential revenue stream that site owners can ill afford to ignore. While ad networks do vet the companies that sign up, some rogue advertisers invariably get past the controls and manage to get their malicious web adverts displayed. Once discovered, the accounts are blocked by the ad networks, although not before the malicious adverts have been displayed to millions of individuals.

Once Match.com discovered that its site was being used to display malicious adverts, the company temporarily suspended all advertising to protect its visitors until the problem was addressed. Unlike the Ashley Madison hack, no user data was exposed as a result of the security breach.

How to protect against malicious web adverts

Malvertising campaigns are increasingly common, but attacks can be easily prevented. Drive-by downloads are possible, but users need to be directed to a website hosting an exploit kit, and they must have a browser that can be exploited.

Protecting against malicious web adverts requires all browsers and browser plugins to be kept up to date. As soon as a new version of a browser or plugin is available for download, it should be installed.

When zero-day vulnerabilities are discovered, security professionals get to work developing patches to plug the security holes. There is a lag, however, and during that time users are at risk.

For an individual the risk may be relatively low, but for an employer with tens or hundreds of end users, that risk is considerable. One of the best methods of ensuring corporate networks and devices are protected is to employ a web filtering solution such as WebTitan.

WebTitan can be configured to block third-party adverts from being displayed on websites. If adverts are not displayed, they cannot be clicked, and end users’ devices and corporate networks are protected from drive-by malware downloads.