
Wednesday, July 20, 2016

Hackers Use the 2016 Rio Olympics to Target Potential Victims


With the 2016 Rio Olympics just a couple of weeks away we are seeing new warnings of potential threats from hackers, ranging from malware and ransomware to full-blown disruption of sites and services associated with the events. These threats mean that visitors to the Olympics, and viewers and followers at home, should be extremely diligent and cautious when opening emails, viewing videos and visiting sites related to the 2016 Olympic Games.

It is fully expected that cyberthreats related to the games will escalate over the coming weeks, meaning you could see phishing emails pushed to your inbox or malicious code affecting and infecting the websites you visit.

Malicious Apps and Sites

While we all like to think of our app stores and favorite sites as being secure, history shows us that is not always the case. Malicious apps can sneak past the gates and even our favorite sites can be hit with malicious ads or code that injects links for bad downloads. Add to that the warnings about phishing attempts above and users are likely to face the real threat of malicious downloads.

Again, this all comes down to a 'think before you click' mentality. When visiting sites related to the 2016 Olympics or installing applications to follow the games, be sure you are using official applications on your smartphone rather than low-rated ones with small user bases.

If you are visiting a site from your phone or computer and you see pop-up boxes for things like Flash updates, app installs or anything else that doesn't seem right, use caution. Back out of the page if you can, and download any and all updates directly from the source. If you are on your smartphone and an app is asking to install from "Unknown Sources", stay away!

Beware Phishing Emails and Malicious Social Media Posts or Messages

Major sporting events have always attracted the attention of would-be scammers, targeting the public in just about any way imaginable. Over the years these worldwide events have become very lucrative targets for hacking groups using tools like phishing emails, social media posts and malicious downloads.

Phishing emails and social media posts are particularly popular ways for hackers to spread malware and other malicious software. They offer high reward and returns for little work and are seen as highly effective. A favorite among hackers is messages and links sending would-be victims to a site to view high-profile video of a favorite star, a record-breaking event or something similar. Another favorite phishing scam is links to bargains on great seats to events, or fake confirmations for reservations, services or seating at events. In reality these emails and links contain things like malicious downloads of ransomware or fake sites that use realistic-looking log-in pages to steal your passwords and log-in information.

The old adage “Think before you click, especially if something looks too good to be true!” rings loud and clear when it comes to emails involving the 2016 Olympic Games and is one most security researchers are trying to reiterate to everyone!

Thomas Fischer, a security researcher at Digital Guardian, has already been noticing an increase in phishing scams trying to take advantage of the Olympics. Typically, a user will receive an email loaded with an attachment that invites them to an Olympics ticket lottery. Inside the attachment, however, is malicious code that will download the Locky ransomware and begin encrypting all the user’s files. Hackers are already blanketing email addresses with this kind of attack. They’ll also pretend to be an organization like an Olympics committee.

Banks and Banking Data Are A Popular Target

For those who are lucky enough to visit Rio for the games, use extreme caution when using banks and point-of-sale machines. We know that banks and banking data are always popular targets; however, we are seeing several warnings that Brazilian hackers are developing applications that install Trojans (back-door access to your computer or phone) that pretend to be legitimate banking software but in actuality can steal the victim's payment information.

These apps tend to target local users more than anything, but they may evolve into something more and could be potential threats to travelers. 

Dmitry Bestuzhev, the head of global research for security firm Kaspersky Lab, has warned visitors to the Rio Olympics to be wary of ATM and point-of-sale machines in the country. They can often be infected with malicious code that secretly steals payment data once a banking card is swiped. “The attacker has the capability to intercept the data and then to clone the card,” he added.

Another danger Bestuzhev is warning users of is the use of public Wi-Fi spots in Brazil to access important personal, financial or business data. These access points are often insecure. A hacker can use them to eavesdrop on victims and steal their passwords, Bestuzhev said, adding the recommendation that users buy a VPN service to encrypt their Internet communications.

The Office of the Director of National Intelligence, in a recent awareness campaign, took an even more drastic step, stating that visitors should consider leaving all of their devices at home. Instead it suggested that travelers carry a burner phone, which doesn't contain personal data or secure information. It was also suggested that you change your passwords often while you are there.

In the end all of these warnings are meaningless unless the user actually implements a good plan. If you are traveling to Rio for the games you should make sure all your data is backed up, not only in case of a security breach but in case of loss or theft (another real threat). You should, as always, make sure your devices and security software are fully updated with the latest patches, virus definitions etc. You should also run frequent scans just in case.

The most important thing though is to be DILIGENT! Don't open odd emails, click links without confirming them, use odd sites or download software from unknown places and you should be fine!

Friday, February 20, 2015

What Is The Deal With Lenovo and Superfish and How Do I Remove It?

By now the chances are you've seen or heard the news that PC manufacturer Lenovo has been pre-installing software dubbed Superfish on its laptops. While the company has issued a statement proclaiming that the 'malware' is not as dubious as many have made it out to be, the level of access the software has and the behavior it exhibits should still be an area of concern for customers. Below we are offering a quick explanation of exactly what the software is and does, as well as full details on removal...hopefully it helps anyone impacted!

What is Lenovo Superfish?

What Superfish is and isn't is a bit deceptive. The software itself is a legitimate tool created and developed by a legitimate tech company, also named Superfish. It is a Visual Search tool that is used as adware to allow companies such as Lenovo to insert their own custom advertising whenever a user of that PC does a Google search or visits other websites, which generates additional ad revenue for companies using the software.

Unlike most malware, and some adware, it isn't specifically intended to be malicious in nature. Though some would argue that hijacking your searches is a pretty malicious act. So why is it a big deal? Well that would be in how the software acts. Superfish also compromises all SSL connections on the impacted PC. In essence, Superfish uses a “man in the middle” approach, where Superfish is able to monitor and alter data going to and from websites without the knowledge of either the user using the system or the sites being visited. Something that I'm sure no one wants!

I own a Lenovo laptop am I infected by Superfish?

Here is the full list of Lenovo consumer laptops that the company has confirmed it pre-installed Superfish on; keep in mind that the company claims to have stopped installations as of January.
  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch 
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30
For those who own one of the models listed above, or who want to double-check their Lenovo products, there are several options for detection and removal. One of the easiest is the LastPass Superfish Detector, an online tool that quickly checks your laptop. Another is to use Microsoft's free Windows Defender product, which has just been updated (version 1.193.444.0) to detect and remove Superfish.

How do I remove Superfish?

Lenovo has announced plans to release an automated tool that will remove the Superfish adware from affected PCs; however, that tool has yet to be released. In the meantime the company has offered its own removal instructions, though many have stated that these don't cover everything. Ars Technica has posted a very thorough Superfish Removal Guide that should cover all the bases. Below are some of the basics!

If you’re affected by Superfish, you must first uninstall the program:
  1. Click the Windows Start button
  2. Search uninstall program
  3. Launch uninstall program
  4. Right-click on Superfish Inc VisualDiscovery and select Uninstall
  5. If prompted for administrator password, enter or provide confirmation
Then you must uninstall the certificates as well:
  1. Click the Windows Start button
  2. Type certmgr.msc into the Search box
  3. Click the certmgr.msc Program to launch it
  4. If prompted for administrator password, enter the password or provide confirmation
  5. Click on Trusted Root Certification Authorities
  6. Open Certificates
  7. Look for certificates mentioning Superfish Inc.
  8. Right-click on any Superfish Inc certificates and delete
  9. Restart your browser and return to the detection page to confirm you are safe
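As an added check that is not from Lenovo, Superfish or this post, the PowerShell script below looks for the two artifacts the removal steps above target (the "Superfish Inc VisualDiscovery" program entry and any root certificate issued to Superfish Inc.) and, with -Remove, deletes the matching certificates. The registry paths and certificate store names are standard Windows locations; the name patterns it matches are assumed from the steps above.

```powershell
# Added example, not part of the original article or of Lenovo's/Superfish's tooling.
# Run from an elevated PowerShell prompt. Without -Remove it only reports what it finds.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Uninstall registry keys that "Programs and Features" reads (64-bit, 32-bit and per-user views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# The "Trusted Root Certification Authorities" stores the removal guide has you open in certmgr.msc.
$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuperfishProgram {
    # Assumed name pattern: the uninstall entry is listed as "Superfish Inc VisualDiscovery".
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Superfish|VisualDiscovery' } |
        Select-Object DisplayName, Publisher, UninstallString
}

function Find-SuperfishCertificate {
    # Any root certificate whose subject or issuer mentions Superfish.
    foreach ($store in $rootStores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter, PSPath
    }
}

$programs = @(Find-SuperfishProgram)
$certs    = @(Find-SuperfishCertificate)

if ($programs.Count -eq 0 -and $certs.Count -eq 0) {
    Write-Host 'No Superfish program entry or Superfish root certificate found.'
    return
}

if ($programs.Count -gt 0) {
    Write-Warning 'Superfish program entry present; uninstall it from Programs and Features first:'
    $programs | Format-Table -AutoSize
}

if ($certs.Count -gt 0) {
    Write-Warning 'Superfish certificate(s) present in a trusted root store:'
    $certs | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    if ($Remove) {
        foreach ($cert in $certs) {
            # Removing the root certificate withdraws the trust that lets the proxy forge site certificates.
            Remove-Item -Path $cert.PSPath -Verbose
        }
        Write-Host 'Restart every browser afterward. Firefox keeps its own certificate store and must be checked separately.'
    }
}
```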

Following the removal steps above should get you up and running on a clean PC but that likely doesn't mean all of your questions have been answered. Lenovo and Adi Pinhas, the chief executive of Superfish, have been adamant in regards to any security risks that Superfish may or may not have posed. In a statement released earlier today Pinhas wrote, "Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”

So at the end of the day it all comes down to whether or not we trust Lenovo and Superfish's intentions. They have admitted the mistake and we could give them the benefit of the doubt but that doesn't mean we've seen the end of these types of situations. Companies are always looking to gain an edge in the market and monetize your user experience as much as possible!

Tuesday, July 15, 2014

Warning: Keyloggers Found In Hotel PCs Used For Stealing Guests' Log-in Information

In a non-public advisory distributed to companies in the hospitality industry on July 10, the Secret Service and the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) warned that a task force in Texas recently arrested suspects who had compromised computers within several major hotel business centers in the Dallas/Fort Worth area.

The advisory, first discovered and reported on by KrebsOnSecurity's Brian Krebs on Monday, explains that several PCs in the hotels' business centers had been infected with malware that steals passwords and other sensitive data from guests using those PCs.

Image via KrebsOnSecurity

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning stated. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.

The report should serve as a serious reminder that while in some cases it may be necessary to use public PCs, it's rarely a good idea to use them for anything more than casual browsing of websites. Even the most protected PC can be hacked or infected given direct access, and even a PC within eyesight of a business center employee, librarian, or other supervisor can still be easily infected, so use such machines with the most extreme caution!



Wednesday, May 07, 2014

New Android Ransomware Demands Payment To Unlock Phone

Security researchers have discovered a new piece of Android malware that demands a hefty payment to re-enable basic phone functions on an infected device and settle a supposed "fine" of about $300 for illegally viewing pornography.

According to the Ars Technica report, the 'ransomware', dubbed Android-Trojan.Koler.A, uses the infected phone's geolocation functions to tailor false security warnings to whatever country the victim happens to reside in. The screenshots, originally obtained by Bitdefender, show the malicious software invoking an FBI warning, which is the notice displayed on infected phones connecting from a US-based IP address.

Android Ransomware via Ars Technica

"The ransomware's main component is a browser view that stays on top of all other applications," Bitdefender Senior E-Threat Analyst Bogdan Botezatu wrote in an e-mail to Ars. "You can press Home and go to the homescreen, but a timer would bring it back on top in about 5 seconds. I managed to uninstall it manually by swiftly going to applications and dragging the icon on the Uninstall control, but it only works if the application icon is on the first row. Otherwise, one wouldn’t have the necessary time to drag it to the top, where the uninstall control is located."

The malicious Android software is automatically downloaded when users visit unspecified pornography sites using their Android phones. The site side-loads an APK file claiming to be a video player needed for premium access. To be infected, a user must change Android settings to allow out-of-market apps and then manually install the APK. According to the report the social engineering trick has already claimed at least 68 victims in the past six hours: 40 in the United Arab Emirates, 12 in the UK, six in Germany, five in the US, and the rest in Italy and Poland.

Monday, April 21, 2014

Viruses and Malware On Your Smart TV May Soon Be A Reality

Security researchers warn that today's connected devices might soon become tomorrow's targets for hackers, viruses and malware.

Speaking to the Telegraph about the future of computer security in the wake of Heartbleed, Eugene Kaspersky, the chief executive of Kaspersky Labs, warns consumers that as the Internet of Things expands, more devices will be targeted by malware and viruses.

“The threats will diversify to mobile phones and to the home environment, such as through televisions, which are now connected to the Internet,” said Kaspersky.

Each year there are millions of attacks on the devices we know, like our Microsoft Windows-equipped PCs and mobile phones running Android and Apple's iOS.

Kaspersky warns, "More and more engineers are developing software for Android. All the systems are vulnerable and I am afraid it is very possible to see the scenario of bad guys developing malware for iOS. Technically, it is possible to infect millions of devices. Internet-enabled TV sets use both Android and Linux."

While Kaspersky admits that the company hasn't seen anyone produce a successful virus for a television set, he believes it will happen, stating that the company already has a product for mobile and a prototype for TV. He said that it was only “a question of time” before a smart TV virus appeared in the wild.

Most smart TVs on the market today run a version of Android similar to that found on any Android-based smartphone. With the popularity of connected devices growing, and the likely introduction of a new Apple TV soon that will grow the market even more, smart TVs and other connected devices that for now have little to no security in place may soon become the next easy target on the web.


Tuesday, January 22, 2013

Skype Attracting More Malware


As with any service, the bigger you are the better a target you are. As Skype's messaging platform continues to draw more and more users, that is becoming ever more apparent: Skype is becoming an attractive target for malware writers.

More and more reports are surfacing about malware that is specifically engineered for Skype's services and users. The latest came last week with reports of the Shylock financial malware spreading on Skype, and yesterday two worms, dubbed Bublik and Phorpiex, were discovered spreading through Skype in Japan.

Bublik is a backdoor with rootkit functionality. It opens a direct connection between an infected computer and a control server and downloads additional plug-ins. In this case, Trend Micro discovered the Kepsy worm, which helps Bublik spread over Skype and also clears Skype message history. Bublik can also enable remote access for an attacker giving them total control over the infected machine. It also gathers and reports application data, system and network information, hardware specs and running processes.

The Phorpiex worm targets removable drives and spreads via Skype messages with links to sites hosting the worm. On Skype, the threat is distributed via messages that read “LOL,” followed by a link to what appears to be an image file. The Skype messages are actually generated by a plugin called WORM_PESKY.A. Trend Micro said Phorpiex connects to an IRC server and joins a particular IRC channel in order to execute commands from the attacker. It also downloads other malware onto the compromised system and sends itself out in email attachments. The worm will delete itself after it executes.

So far Phorpiex has been mainly targeting users from Japan with roughly 83% of all reported infections being found there.

With the widespread use and availability of the Skype in the Workplace beta, more users joining the service, and Microsoft recommending that Windows Messenger users move to Skype on March 15 when that platform disappears, these threats are likely to continue and likely to become even more sophisticated. Users need to remember to be ever vigilant when clicking links, as most of these infections spread through infected sites that are linked in messages.

Monday, November 12, 2012

Security Researchers Warn Of Christmas Related Scams And Malware

Security researchers are warning online users that scammers and cybercriminals have ramped up the number of emails, text messages and social media posts used to spread scams and malware during the holiday season.

McAfee has issued the 2012 edition of its 12 Scams of Christmas list, which features several approaches that aren't entirely new but are rather new versions of the same old scams. These include social media scams using channels like Facebook and Twitter, malicious mobile apps, traditional phishing emails and even a new instant messaging scam that targets Skype users.

As social media has grown, so too have the numbers of scams targeting users. McAfee warns that users of Facebook and Twitter need to be extra cautious when liking fan pages, clicking on fake alerts from friends' accounts that have been hacked, taking advantage of raffles, ads and deals that you get from “friends,” or installing suspicious “holiday deal” apps. Fake fan pages and apps can be used to give your private data away or even target you for more dubious phishing attacks.

Smartphones are also a growing segment being targeted by scammers. Malicious mobile apps are becoming more prevalent as smartphone users become more app crazy. To date there have been over 25 billion apps downloaded for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge. Consider this: a recent study found that 33% of apps ask for more information than they need, such as access to your contacts or location.

Apps alone aren't the only risk smartphone users face. “SMiShing,” or phishing via text message, is just like its email counterpart. Scammers send out official-sounding and official-looking SMS text messages to tempt victims into revealing information or performing an action they normally wouldn't. This could be anything from logging into a fake account to verifying personal details and information.

Security researchers from Symantec are warning about a flood of the traditional email phishing scam "You Have Received a Christmas Card". A large number of emails have been intercepted by the security firm that follow the traditional greeting card scam, using a legitimate-looking "You Have Received a Christmas Card" email to trick users into downloading a malicious file or visiting a malicious site.

These e-card type scams are nothing new, having gained popularity several years back when e-cards became a popular way to send a quick “thank you” or holiday greeting. While most e-cards are safe, some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting. Others ask you to click on an attachment to view the card, and then download a Trojan onto your machine. Users need to stay vigilant and pay close attention to the links contained in the email and the "from" line to make sure it is actually from a known source.


Tip: How to Protect Yourself Against Scams During the Holidays

  1. Stay suspicious—Be wary of any offer that sounds too good to be true, and always look for telltale signs that an email or website may not be legitimate, such as low resolution images, misspellings, poor grammar, or odd links.
  2. Practice safe surfing—Find out if a website is potentially dangerous before you click on it by using a safe search plug-in such as McAfee SiteAdvisor. SiteAdvisor uses easy-to-read red, yellow, and green check marks to rate websites when you search for them.
  3. Practice safe shopping—Stick to reputable e-commerce sites and look for a trustmark that indicates that the site has been verified as safe by a trusted third-party, like the McAfee SECURE™ mark. Also, look for a lock symbol and  “https” at the beginning of the web address (as opposed to just “http”) to see if the site uses encryption to protect your data.
  4. Use strong passwords— Make sure your passwords are at least eight characters long and contain a variety of letters, numbers and characters that don’t spell anything. Avoid using the same password for your important accounts, and never share your passwords with anyone.
  5. Be careful when clicking—Don’t click on any links in messages from people you don’t know, and if you come across a shortened URL, use a URL expander to see where the link is directed to before you click.
  6. Use comprehensive computer security— You need complete protection that includes anti-virus, anti-spyware, anti-spam, and a firewall, and make sure it is up to date. Online security and safety protection, such as McAfee All Access, can help protect all of your devices – PCs, Macs, smartphones and tablets – from holiday-related malware, phishing, spyware, and other common and emerging threats.
  7. Educate yourself— Keep up-to-date on the latest scams and tricks cybercriminals use so you can avoid potential attacks. You can find helpful information on the McAfee Blog and the McAfee Advice Center.

Tuesday, October 09, 2012

Malicious Links Targeting Skype Users

Skype users, be warned: a new piece of malware has been detected that specifically targets you! A new piece of malicious software has been using Skype to send malicious instant messages. These messages appear to come from users in your own contact list; however, they contain malicious links that download a Trojan horse onto your machine.

The virus, which was first reported on Friday by GFI Labs, takes advantage of the Skype API to spam out messages that appear to come from a user in your contact list. These messages, similar to the one below, instead send you a link to software for download:
lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]
Clicking on the suspicious link leads to the download of a ZIP file (variously called skype_06102012_image.zip or skype_08102012_image.zip) that contains executable files detected by anti-virus products as Troj/Agent-YCW, Troj/Agent-YDC, TROJ_DLOADER.IF or Trojan.Win32.Generic!BT. The Trojan horse opens a backdoor, allowing a remote hacker to take control of infected PCs, communicating with a remote server via HTTP.

The virus, known as the Dorkbot worm (WORM_DORKBOT.IF or WORM_DORKBOT.DN), was previously known for targeting users of Twitter and Facebook. Once installed, the virus uses its host computer to engage in click fraud, leading the infected user's computer to other malicious sites and eventually installing further ransomware that locks the user out of the machine. Once installed, the ransomware displays screens saying that the user's data will be deleted unless a $200 "fine" is paid in the next 48 hours.

Skype officials have said they are "working quickly to mitigate" the attack. They also advise users to ensure they're running the most up-to-date version of the Skype client.

"Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable."

Friday, August 31, 2012

New Phishing Scams Target Apple Users

Threads have popped up over on the Apple Support forums detailing new phishing scams aimed directly at Apple owners and iTunes users. In a multitude of individual threads, forum members have posted information about at least three attempts to scam them out of their Apple ID or get them to visit malware-infected links or sites.

In one post a user shows a fake receipt for iTunes charges which offers several links, including a download link. The link then leads off to a malicious site. In other postings users post fake emails claiming the "user's account has been temporarily blocked." A third posting shows a rather realistic-looking AppleCare email as well as a few follow-up emails offering information about OSX 10.8 Mountain Lion or claiming that iTunes will be shut down.

In this case it is fairly easy to spot the scam, as the email comes from a Gmail account or asks the user to reply to a Gmail account. However, should the recipient click one of the links contained in the email, they are likely sent to a fake landing page that asks for their Apple ID and password.

In the cases pertaining to emails telling users their accounts had been blocked, the e-mails provided a “Confirm Your Identity” button or link which, of course, leads you to a phishing site. The malicious site will either ask you for your Apple ID or attempt to load malware on your machine. Most companies, including Apple, will not send you "account blocked" emails, and if they do you should check the email closely for discrepancies. I always prefer to visit the site directly to verify that I need to reinstate my account. In this case an Apple user can simply head over to Apple's My Apple ID site, where you can log in, reset your password, and check that your credentials are safe and sound.

Phishing is not something new to the online community and certainly not something new to Apple. But phishing attacks have become big business and scammers are becoming increasingly more sophisticated. If you receive an email from Apple or iTunes (or any other site for that matter) you should be very wary of the links provided. Legitimate emails from legitimate companies will never ask you to provide personal information or sensitive account information (such as passwords or credit card numbers) via email.

For more help determining the validity of those Apple emails, check out Apple's support page "Identifying legitimate emails from the iTunes Store."

Tuesday, May 22, 2012

Warning! Facebook Cancellation Request May Be Malware

Check your inbox carefully! That email that appears to be coming from Facebook asking if you'd like to cancel your account might actually be malware in disguise.

According to reports from ZDNet and Sophos, users have been receiving Facebook-centric e-mails that ask users if they wish to confirm or deny a Facebook account cancellation request. In fact these requests are from a malicious third party looking to install malware on your computer.

These very realistic-looking Facebook e-mails ask users to follow a link to confirm a cancellation request to delete their account, something Facebook will never do! If followed, you are then offloaded to a third-party Facebook application that will download a Java applet. Once the applet is loaded it will ask you to install a "Facebook Plugin" and continually harass the user to allow it to run until they do. If the user allows the applet to run, it will trigger a fake Adobe Flash update message. Once users download the update, they'll unsuspectingly install a backdoor Trojan on their computer, allowing attackers to monitor their activities and remotely access their computer.

Sophos security products detect the malware as Mal/SpyEye-B and Troj/Agent-WHZ. There is no word yet as to what information the malware is collecting, however it could be used to obtain just about anything.

For more details as well as screenshots of the email view the Sophos security alert posted here.


Thursday, May 17, 2012

Fake Google Chrome Installer Is Trojan In Disguise

Researchers at Trend Micro have discovered a fake Google Chrome installer named ChromeSetup.exe that is actually a bank-account-stealing Trojan in disguise. The Trojan at present appears to target users in Brazil and Peru; however, indications are the malware is a work in progress and could potentially affect US users as well.

According to their findings, analysis of the file ChromeSetup.exe by Trend Micro's security researchers has verified that it is a multi-component BANKER malware detected as TSPY_BANKER.EUIQ. Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system's IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites.

So far Trend Micro has seen three different binary files downloaded from the following URLs (shown defanged as hxxp), all of which appear to belong to well-known sites:
  • hxxp://br.msn.com/ChromeSetup.exe
  • hxxp://www.facebook.com.br/ChromeSetup.exe
  • hxxp://www.facebook.com/ChromeSetup.exe
  • hxxp://www.globo.com.br/ChromeSetup.exe
  • hxxp://www.google.com.br/ChromeSetup.exe
  • hxxp://www.terra.com.br/ChromeSetup.exe
A closer look showed that all of these downloads were being redirected to two IP addresses that are not the legitimate addresses of the domains involved. How the redirection happens is not yet known, but anyone who has downloaded the installer from any of the above URLs should assume they may be infected.

"While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware," Cayanan wrote. "We will continue our investigation related to this incident and will update this blog with our findings.

"Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google."

Tuesday, May 15, 2012

Wikipedia Warns Users "Ads May Mean You Have Malware"

In an official statement released today, Wikipedia warned its millions of visitors that if they see ads for anything except Wikipedia's own fundraising appeal, which runs at the end of the year, there is a good chance their computer is infected with malware.

"We never run ads on Wikipedia," the online encyclopedia said in its statement. "Wikipedia is funded by more than a million donors, who give an average donation of less than 30 dollars. We run fundraising appeals, usually at the end of the year. If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser has likely been infected with malware."


Malware installed on your computer can inject advertising into pages on popular websites; Wikipedia's screenshot shows an article as displayed on an infected computer. This is only one of a few examples Wikipedia says it has seen in the wild. Note the tiny text "ads not by this site" immediately below the ad, which may or may not appear next to injected advertisements.

Wikipedia suggests you browse using a secure, encrypted HTTPS connection, disable browser add-ins, and run anti-spyware and anti-virus software on your computer. Personally I'd suggest anyone seeing ads on Wikipedia run scans with Ad-Aware and Malwarebytes as well as running scans with anti-virus software like AVG to make sure there aren't any other infections.

Wednesday, May 02, 2012

New Mac Malware Targets Microsoft Office

Microsoft is reporting that security researchers have discovered a new piece of malware targeting Macs running OS X Snow Leopard with an unpatched copy of Microsoft Office.

"As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well," Jeong Wook Oh of the Microsoft Malware Protection Center, said in a blog post on the malware.

The vulnerability the malware exploits is a three-year-old flaw affecting Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac and the Open XML File Format Converter for Mac. Microsoft patched it in June 2009, but a system whose owner never applied the patch can still be infected. Microsoft's researcher found that the exploit in this particular sample does not work on versions of OS X newer than Snow Leopard, because the address it writes to is not writable in OS X Lion, so users of newer releases are safe from this sample (though a reworked sample need not share that limitation). To be on the safe side, Microsoft recommends that anyone using Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac or the Open XML File Format Converter for Mac apply the latest product updates.

"Exploiting Mac OS X is not much different from other operating systems," Oh wrote. "Even though Mac OS X has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."

For this specific vulnerability, you can visit the Microsoft Security Bulletin MS09-027 page and download the update.

Monday, April 09, 2012

New App Makes Detecting Mac Flashback Malware Easier

A new application has arrived that aims to help Mac owners detect, and possibly remove, the now highly publicized Flashback malware.

We first learned of the new tool thanks to Ars Technica. It is the brainchild of Juan Leon, a software engineer at Garmin International, the Kansas-based company best known for its GPS devices. The tool automates the steps given by security firm F-Secure and previously described in our post "How To Remove The Mac Flashback Infection."

F-Secure's procedure requires entering several commands in Terminal, the Mac OS X command-line utility. The new tool reduces that to a single click: when Flashback Checker has finished running the commands it either displays "No signs of infection were found" or reports the changes the malware has made to the Mac.

Click the following link to grab Flashback Checker

Friday, April 06, 2012

How To Remove The Mac Flashback Infection

If you are a Mac user then by now you should have heard that security researchers have found a large number of Macs (Dr. Web's estimate was more than 600,000) infected by a piece of malware called the Flashback trojan. If you haven't, read this post carefully and make sure you follow all the steps!

The Flashback trojan is the latest variant of a piece of malware that originally posed as a Flash Player installer; instead of installing the latest Flash, it infected the user's computer with a trojan capable of stealing personal information. The newer variants, Trojan-Downloader:OSX/Flashback.I and Trojan-Downloader:OSX/Flashback.K, exploit a Java vulnerability in Mac OS X that, at the time of discovery, Apple had not yet patched.

Apple has since released two Java updates that close the vulnerability. Users with Java installed on their Mac should install these updates immediately, but should still check that their machine isn't already infected: patching stops new infections, it does not by itself tell you whether an old one is present.

How to check your system for Mac Flashback infection

These Terminal commands give you an easy way to find out whether you have a possible Flashback infection. First, launch Terminal from /Applications/Utilities. Then type or paste each of these three lines into Terminal, one at a time:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
If Terminal responds with lines like these (the "does not exist" error is the good outcome here):
The domain/default pair of (/Users/jacqui/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist
then you are not (yet) infected by Flashback. You can then install the latest Java patches, disable Java entirely, or live on the edge and do nothing.

How to get rid of Mac Flashback

If the checks above return anything other than those "does not exist" messages, things get more complicated: you will need to remove the infection and then apply the patches. The removal instructions below are taken from F-Secure's removal page.
  1. Run the following command in Terminal: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  2. Take note of the value, DYLD_INSERT_LIBRARIES
  3. Proceed to step 8 if you got the following error message: "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
  4. Otherwise, run the following command in Terminal: grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
  5. Take note of the value after "__ldpath__"
  6. Run the following commands in Terminal (first make sure there is only one entry, from step 2): sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
  7. Delete the files obtained in steps 2 and 5
  8. Run the following command in Terminal: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
  10. Otherwise, run the following command in Terminal: grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
  11. Take note of the value after "__ldpath__"
  12. Run the following commands in Terminal: defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
  13. Finally, delete the files obtained in steps 9 and 11.
  14. Run the following command in Terminal: ls -lA ~/Library/LaunchAgents/
  15. Take note of the filename. Proceed only when you have one file. Otherwise contact F-Secure's customer care.
  16. Run the following command in Terminal: defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
  17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.
  18. Delete the files obtained in steps 15 and 17.
In addition to these steps, F-Secure recommends checking for another variant of Flashback, Flashback.K. The instructions can be found on another page on F-Secure's website.
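The checks and the read-only parts of the removal steps above can be driven from one script. The following is an added example written for this page; it is not F-Secure's procedure, Apple's update or the Flashback Checker app. It runs the three defaults read checks, pulls the __ldpath__ payload path out of any injected library it finds, and lists hidden (dot-file) LaunchAgents, but it deletes nothing, so you can compare its findings with the numbered steps before removing anything by hand. It assumes the plist locations, keys and the "__ldpath__" marker exactly as given in those steps.

```shell
#!/bin/sh
# Flashback triage: added example for this page, not F-Secure's procedure or
# the Flashback Checker app. Read-only: it reports, it never deletes.
# Assumptions (taken from the steps above, not verified here): the three
# plist locations/keys, the "__ldpath__" marker inside the injected library,
# and that a LaunchAgent whose filename starts with "." is suspicious.
LC_ALL=C
export LC_ALL

# Classify the combined stdout+stderr of `defaults read <domain> <key>`.
# Flashback plants a value there; the "does not exist" error means clean.
classify_defaults_output() {
  case "$1" in
    "")                 echo unknown ;;
    *"does not exist"*) echo clean ;;
    *)                  echo suspect ;;
  esac
}

# Pull the first absolute path out of a `defaults read` result, which is either
# a bare string (DYLD_INSERT_LIBRARIES) or a { KEY = "/path"; } dictionary.
first_path_in() {
  printf '%s\n' "$1" | grep -o '/[^";]*' | head -n 1
}

# F-Secure steps 4/10: the injected library embeds the path of its companion
# payload after the literal marker "__ldpath__" as a run of printable ASCII.
extract_ldpath() {
  grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1 | sed 's/^__ldpath__//'
}

# Steps 14-17: a LaunchAgent plist whose name begins with "." is suspicious.
# $1 = directory to inspect; prints matching names, nothing if none.
hidden_launch_agents() {
  ls -A "$1" 2>/dev/null | grep '^\.' || true
}

# Check one location and, if a library is injected there, name its payload too.
check_location() {   # $1 = plist domain, $2 = key
  out=$(defaults read "$1" "$2" 2>&1) || true
  verdict=$(classify_defaults_output "$out")
  printf '%-8s %s %s\n' "$verdict" "$1" "$2"
  if [ "$verdict" = suspect ]; then
    lib=$(first_path_in "$out")
    printf '         injected library: %s\n' "$lib"
    if [ -f "$lib" ]; then
      printf '         payload (__ldpath__): %s\n' "$(extract_ldpath "$lib")"
    fi
  fi
  return 0
}

run_checks() {
  check_location "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
  check_location /Applications/Safari.app/Contents/Info LSEnvironment
  check_location /Applications/Firefox.app/Contents/Info LSEnvironment
  agents=$(hidden_launch_agents "$HOME/Library/LaunchAgents")
  if [ -n "$agents" ]; then
    printf 'suspect  hidden LaunchAgent(s) in ~/Library/LaunchAgents: %s\n' "$agents"
  fi
  return 0
}

# `defaults` exists only on macOS; elsewhere the functions are merely defined.
case "$(uname -s 2>/dev/null)" in Darwin) run_checks ;; esac
```

Run it on the Mac as the affected user with sh flashback_triage.sh. Every line that starts with "suspect" corresponds to one of the numbered removal steps above; the library and payload paths it prints are the files steps 7 and 13 tell you to delete, and a hidden LaunchAgent is the one steps 15 to 18 deal with. Do the deletions by hand after reading the paths, since a script that removes whatever a plist points at is one typo away from deleting the wrong file.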

How do I update Java on my Mac?

Now that you are presumably infection-free, the next step is to update Java. Apple has pushed the Java updates through Software Update, so running the standard Mac OS X Software Update should show the patches. You can also download the updates for Lion and Snow Leopard manually from Apple's support site.

Conclusion - what you need to do now

If you've followed the advice above and updated your system then you're inoculated against the currently known versions of Flashback, but that doesn't mean a future variant won't exploit a different vulnerability on your Mac. This means you need to STAY VIGILANT!

Almost all malware needs user interaction to infect your machine, but that doesn't mean there isn't a nasty piece of software out there that doesn't. You need to keep your software up to date. Don't just apply operating system patches, apply third-party application updates as well. You should also be open to the idea that your Mac is not as secure as you once thought it was. You might want to grab some security software. You might also want to pay closer attention to your system and how you use it. Don't blindly install files from strange sources, don't open those odd emails, and definitely don't click to install anything you aren't sure of or enter your admin password for anything you don't recognise.

Saturday, January 28, 2012

Newest Smartphone Threat QR Code Malware

Security vendor AVG has warned smartphone users who like to scan Quick Response (QR) codes that some of these codes hide text and URLs that lead to malware.

In its latest report, the AVG Community Powered Threat Report Q4 2011, the company warned that attackers are pasting their own malicious QR stickers over legitimate ones. These codes lead unsuspecting users to malicious sites or to downloads of malware. Some of the resulting malware sends costly SMS messages to premium-rate numbers; other codes redirect to a URL that downloads a malicious file.

In most cases the user has no idea what lurks behind the QR code until the malware is already installed and running.

"Putting a malicious QR code sticker onto existing marketing material or replacing a website's bona fide QR code with a malicious one could be enough to trick many unsuspecting people. In Q4 we clearly saw the convergence between computers and mobile phones applies to malware too. As phones become more like computers, so do the risks,” said Yuval Ben-Itzhak, Chief Technology Officer, AVG Technologies. “Many sophisticated tricks of the trade from computers are now being repurposed for phones. However, as phones are often tied into billing systems the gains can be far greater.”

Full Q4 Threat Report: AVG_Community_Powered_Threat_Report_Q4_2011

Monday, January 02, 2012

New Scareware Targets Mobile Phone Users

A new fake antivirus suite has popped up, this time targeting users of mobile operating systems such as Android rather than traditional desktop operating systems.

Late last week Kaspersky Lab researcher Denis Maslennikov posted details of the new threat on Kaspersky's Securelist blog. As with the desktop variants, this "scareware" mimics legitimate anti-malware software to trick users into installing a malicious program; on a PC that program typically steals private information or, in the ransomware case, locks the machine and extorts money from the owner to unlock it.

Maslennikov says the criminals are using black-hat SEO to redirect users to web pages that imitate an AV scan. All a user has to do is run a basic web search for a popular mobile application, such as the mobile version of the Opera web browser, and they may be redirected to scam sites offering "free" virus scans of mobile devices, including Android.

The site then runs a fake scan of the device and returns a false "positive", encouraging the user to "activate" protection by clicking a link in the scan results. Clicking that link downloads and installs a malicious application that Kaspersky detects as Trojan-SMS.AndroidOS.Scavir on Android. On a non-Android device the user is instead asked to download 'VirusScanner.jar', which Kaspersky detects as Trojan-SMS.J2ME.Agent.ij.

When the application runs, the user is asked to press 'Continue' to launch VirusScanner with options such as 'Turn on multi-level protection', 'Disable remote control of a device' or 'Turn on web site scanning'. In fact, pressing 'Continue' makes the app send SMS messages to expensive premium-rate numbers.

Monday, December 12, 2011

The FTC Begins Reimbursing Rogue Antivirus Victims

The Federal Trade Commission (FTC) has begun sending reimbursement checks to more than 300,000 people scammed by rogue antivirus software (also known as scareware) that held a victim's computer hostage, demanding payment for bogus security software to make the symptoms go away.

The payments come as the result of lawsuits and a subsequent $8 million settlement reached between the agency and several vendors of the malicious software.

Several companies agreed to surrender the more than $8 million total in ill-gotten gains to settle FTC charges that they used deceptive ads to trick consumers into thinking their computers were infected with viruses or spyware, and then sold them software programs such as Winfixer, Drive Cleaner, and XP Antivirus to "fix" their non-existent problem.

While the software often charged users more than $100, the average check will be about $20; the FTC has said the exact amounts will be based on each individual's loss.

Approximately 320,000 checks will be mailed by the FTC's settlement administrator, Epiq Systems. Consumers who believe they are entitled to a refund or have questions may call the settlement administrator toll free at 1-877-853-3541 or visit www.FTC.gov/refunds for more information.

Wednesday, June 01, 2011

Apple Releases Malware Scanner, Fails To Catch Newest Variants

The MacDefender malware has made big news of late, forcing Apple to release an update to Mac OS X that adds a malware detection system intended to eradicate the infection. Unfortunately the group behind it is sophisticated and appears to be one step ahead of Apple.

"Apple's [antivirus] did not detect the new sample," said Peter James, a spokesman for Intego, the French security firm that originally reported the malicious software. Intego confirmed what ZDNet blogger Ed Bott reported earlier today, that the scammers had created a new version that wasn't detected by Apple's new defenses.

According to James, the new malware file is named "mdinstall.pkg" and, if installed, plants the phony MacGuard software on the victim's Mac. Like the previous MacDefender/MacGuard attack, it installs itself without asking for the user's password.

On Tuesday, Apple released an update for Mac OS X 10.6 that warns users when they have downloaded fake Mac security software and scrubs machines already infected with the previous versions of the scareware.

It comes as little surprise to anyone that the team behind the Mac Defender/Mac Guard malware has made this move. It might be a bit shocking that they were able to act so quickly to counter Apple's move but that just goes to show that they are well organized and have found a niche that is making them money.

Wednesday, May 25, 2011

Newer Nastier Version Of MacDefender Malware Found

Just days after Apple posted a fix for the recently discovered MacDefender malware, a new, even nastier version called MacGuard has reared its ugly head!

Intego has issued a new warning for Mac users that a new variant of the MacDefender malware has been found. Much like the old version, it uses a compromised site to deliver scareware: users see a prompt telling them their system is infected and they need to download "security tools" to remove the infections.

The fake tools come in several variants, MacDefender, MacProtector, MacSecurity and now MacGuard, all of which are the same application under different names. The goal of this fake antivirus software is to trick users into handing over their credit card numbers to supposedly clean infected files off their Macs.

The difference with this new variant is that, unlike previous versions, it doesn't require an administrator password during installation.

The new malware comes in two parts. The first part is a downloader, called avSetup.pkg. Should you happen upon one of the afflicted sites this package may be downloaded automatically. If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

This package installs a secondary downloader application named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The second part of the malware is the new fake anti-virus software MacGuard. This is downloaded by the avRunner application from an unknown IP address that is hidden within an image file in the avRunner application’s resources folder.

Precautions from Apple and Intego, as well as general Mac-using common-sense precautions, include disabling Safari’s “Open ‘safe’ files after downloading” option (under Safari -> Preferences -> General), and immediately quitting (or force-quitting) your browser if you see a Web page that attempts to disguise itself as an OS X window.
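As an added example for this page (not Apple's or Intego's code), the script below turns the precautions above into something you can run in Terminal: it reports whether Safari's "Open 'safe' files after downloading" option is on and switches it off, then lists running processes, login items and application bundles whose names match the MacDefender/MacProtector/MacSecurity/MacGuard family or its avRunner/avSetup components. The Safari preference key, AutoOpenSafeDownloads in the com.apple.Safari domain, and its default of on are taken from Safari's own preference store rather than from this page, so treat them as the script's assumption.

```shell
#!/bin/sh
# MacDefender-family triage: added example for this page, not Apple's or
# Intego's tool. Assumptions: the family names are those listed in the post;
# Safari's "Open 'safe' files after downloading" checkbox is stored as the
# boolean AutoOpenSafeDownloads under com.apple.Safari and defaults to on
# (that key and default come from Safari's preferences, not from this page).
LC_ALL=C
export LC_ALL

# Interpret the stdout+stderr of `defaults read com.apple.Safari AutoOpenSafeDownloads`:
# "0" means off; "1", or a missing key (Safari's default), means on.
auto_open_status() {
  case "$1" in
    0)                  echo off ;;
    1)                  echo on ;;
    *"does not exist"*) echo on ;;   # key absent: Safari uses its default, on
    *)                  echo unknown ;;
  esac
}

# Filter a list of names (one per line on stdin) down to the fake-AV family
# and the downloader components named in the Intego report.
match_fake_av_names() {
  grep -i -E 'MacDefender|MacProtector|MacSecurity|MacGuard|avRunner|avSetup' || true
}

run_on_mac() {
  status=$(auto_open_status "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>&1)")
  printf 'Safari "Open safe files after downloading": %s\n' "$status"
  if [ "$status" != off ]; then
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    echo 'Disabled it; quit and reopen Safari for the change to take effect.'
  fi

  echo 'Running processes matching the MacDefender family:'
  ps -axo comm= | match_fake_av_names

  echo 'Login items matching the MacDefender family:'
  osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null \
    | tr ',' '\n' | sed 's/^ *//' | match_fake_av_names

  echo 'Matching bundles in /Applications and ~/Applications:'
  ls /Applications "$HOME/Applications" 2>/dev/null | match_fake_av_names
  return 0
}

# `defaults`, `osascript` and the BSD ps flags are macOS-only; elsewhere the
# functions are merely defined.
case "$(uname -s 2>/dev/null)" in Darwin) run_on_mac ;; esac
```

Run it on the Mac as the logged-in user with sh macdefender_triage.sh. It changes only the Safari preference; anything it lists under processes, login items or bundles should be dealt with by hand as Apple's instructions describe (quit the process, remove the login item in System Preferences, then delete the application), so that you see exactly what is being removed.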

Apple provides detailed instructions for removing the older variants from your system. The company has also promised a software update that will remove the infection; at this time it's unclear whether the update will address this new variant, or whether still nastier variants are out there. Mac users should use caution and common sense whenever they see anything suspicious.