Google Chrome users need to be on the lookout for websites trying to trick them into downloading a font update package for their browser, because the file is almost certainly laced with malware.

This infection technique was discovered by Proofpoint researchers, who say that only Chrome users on Windows are targeted, only from specific countries, and only if they navigated to a compromised website using a specific route (referrer), such as search engine results.

Attack replaces HTML tags, destroys web pages

The technique relies on attackers compromising websites and adding their own scripts to the site's source code.

These scripts filter out the incoming traffic and load another malicious script only for Chrome users on Windows.

This second script replaces the HTML tags of the page with the "&#0;" entity, which ruins the site's content and displays "�" characters all over the page.

These characters are often encountered on websites and in software when there's a font and character rendering problem. As such, the crooks display a popup telling the user that a specific font wasn't found on their device, and the user will need to download and install a font package update.

To give it legitimacy, the popup is marked with Google Chrome's logo and uses classic button styles, as seen on the official Google Chrome website. A GIF showing the entire infection chain is available below:

EITest infection chain targeting Chrome users

According to Proofpoint, this technique was regularly found on hacked sites, as part of the EITest infection chain. EITest is the nickname given to a malware distribution campaign, similar to pseudo-Darkleech.

The group behind EITest works by compromising a large number of websites, usually WordPress or Joomla, using known vulnerabilities.

They act by stealing small amounts of traffic (users) from these sites and redirecting them to a malicious payload.

The EITest campaign appeared in 2014, and across time, the final payload has varied greatly, hinting that the EITest group is renting out their traffic source to multiple other cyber-criminal operations.

For the vast majority of its lifespan, the EITest group has rented traffic to exploit kit operators, who used vulnerabilities in Flash, Silverlight, Internet Explorer and other software to install malware on users' devices automatically, without the user ever noticing anything wrong.

Chrome users infected with Fleercivet click-fraud malware

These recent "font wasn't found" attacks on Chrome users are different because they rely on users clicking a download button, which does not deliver the high infection rates that exploit kits achieve.

Proofpoint says that the font update packages that users download via this technique are infected with the Fleercivet click-fraud malware, which works by navigating to preset URLs and clicking on hidden ads behind the user's back, earning crooks money.

This same malware was advertised on underground cybercrime services under the name of Simby in early 2015, and Clicool in late 2015 and in 2016.

Author: Catalin Cimpanu
Source: https://www.bleepingcomputer.com/news/security/chrome-users-targeted-with-malware-via-new-font-wasnt-found-technique

Categorized in Internet Privacy

We’ve all come a long way, the good people and the black hats and the tech we all depend on. It used to be rainbow tables and dial-up, and most people weren’t online at all. Now your stuff connects to the Internet and phones home — often whether or not you want it to — and how many people do you know who don’t have a smartphone? In perfect lockstep with progress, there now exists a malware vector by which your smartphone can be forced to mine a new cryptocurrency.

The cryptocurrency is called Zcash, and it debuted on October 28. Its developers claim that it’s more anonymous than Bitcoin: “If Bitcoin is like HTTP for money, Zcash is HTTPS.” Zcash started out hot but rapidly declined in value, though it’s still in the top ten most profitable according to CoinWarz.

The malware is comparatively benign, as malware goes. All it does is eat processor time, tie up RAM, and raise your power bill to mine Zcash. But coin mining software will often take up all the RAM you’re not actively using, which means this malware can really kneecap performance. It’s distributed via links for things like pirated software, according to Kaspersky researcher Alexander Gostev, and there are around a thousand possibly infected computers so far.

Zooko Wilcox, founder and CEO of Zcash (a currency can have a CEO?), told Motherboard that the most users can do at this point is take preventative measures, like anti-malware, because he can’t rein the whole thing in; nobody can.

“Unfortunately, we have no way to prevent this kind of thing, since Zcash is an open source network, like Bitcoin, that nobody (including us) controls,” Wilcox said in the interview. “Our recommendation to security companies that detect this kind of activity, like Kaspersky, is that their software should alert users when potentially malicious software (like that described in their blog post) is detected, and give the user the option of shutting it down or, if it was deliberately installed by the user, allowing it to run.”

Botnet mining isn’t huge and probably isn’t going to get that way, because even a huge botnet can’t compete with ASICs. But Zcash was supposed to be the exception. Zcash’s creators say it’s ASIC-resistant because it’s not economical to implement on ASICs. ASIC market fraud and difficulty getting cryptocurrency turned into cash are probably what will make it most ASIC-resistant, though — not any wizardly subtlety of the algorithm.

Either way, Zcash is supposed to be lightweight and deeply decentralized. Its site crows that you can leave your smartphone mining while it’s plugged in and charging overnight. This is clearly both a blessing and a curse.

Author: Jessica Hall

Source: https://www.extremetech.com/internet/241021-malware-cryptocurrency-mining-zcash

Categorized in Internet Privacy

Malware called Gooligan breached the security of more than 1 million Google accounts, initially spreading through “tens of fake apps”, according to security firm Check Point.

Gooligan potentially affects devices using older (but still common) versions of Android, including Jelly Bean, KitKat and Lollipop. The majority of such devices (57 per cent) are in Asia, with 9 per cent in Europe.

Check Point added that the campaign is attacking 13,000 additional devices each day.

The firm found that every day Gooligan installs at least 30,000 apps fraudulently on breached devices, totalling more than 2 million apps since it began.

According to Adrian Ludwig, director of Android security at Google, the tech giant has investigated the case and found no evidence of user data access.

He said Google is working to strengthen the Android ecosystem security and recommends users update their devices to ones that support newer Android software.

Google is also working with the internet service providers that provide infrastructure used to host and control the malware.

“Taking down this infrastructure has disrupted the existing malware, and will slow the future efforts,” Ludwig said.

How it works

Gooligan roots infected devices and steals authentication tokens that can be used to access data from services including Google Play, Gmail, Google Photos, and Google Docs.

It uses Google credentials to generate fraudulent installs of other apps.

Check Point explained that it found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores, which are an "attractive alternative" to Google Play because many of their apps are free, or offer free versions of paid apps.

However, the security of these stores and of the apps they distribute isn't always verified. Gooligan-infected apps can also be installed via phishing scams in which attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

Source: https://www.mobileworldlive.com

Categorized in Internet Privacy

Hotel and restaurant chains, beware. A notorious cybercriminal gang is tricking businesses into installing malware by calling their customer services representatives and convincing them to open malicious email attachments.

The culprits in these hacks, which are designed to steal customers’ credit card numbers, appear to be the Carbanak gang, a group that was blamed last year for stealing as much as $1 billion from various banks.

On Monday, security firm Trustwave said that three of its clients in the past month had encountered malware built with coding found in previous Carbanak attacks.

This particular campaign has been preying on the hospitality industry, said Brian Hussey, Trustwave’s global director of incident response. The hackers start by calling a business’s customer service line and pretending to be clients who can’t access the online reservation system.

To spread the malware, the hackers also send an email to the customer service agent with an attached Word document purportedly containing their reservation information. In reality, this document is designed to download malware onto the computer.

The hackers are very persistent, Hussey said. “They’ll stay on the line with the customer service rep until they open up the attachment,” he said. “They have excellent English.”

The hackers can also be very convincing. They appear to be researching their targets on the business networking site LinkedIn and finding out the names of company department heads. "During the call, they'll do some name-dropping to establish credibility," Hussey said.

Once the malware is installed, it can download other malicious tools to tamper with the rest of a business’s network. The goal of the attack is to record credit card numbers from point-of-sale machines or e-commerce payment processes, according to Hussey.

In recent years, retailers, restaurants and hotels all have been hit by similar attacks intended to steal payment card data. The malware in this case is more broad-reaching than most. It includes the ability to snap screenshots from the desktop, steal passwords and email addresses and scan a network for valuable targets.

Most, if not all, antivirus engines have failed to detect the malware used in these hacks, according to Trustwave.

"We've talked to our law enforcement contacts, and they are seeing the same thing," Hussey said.

In a blog post, Trustwave outlined the technical details of the malware and other indicators that businesses can use to determine whether they've been compromised.

“Once this malware finds what it wants, it can steal every single credit card that passes through your servers,” Hussey said. “For a large restaurant chain, that can be a million customers over a period of time.”

Source: pcworld.com
Categorized in Internet Privacy

Law enforcement agencies and malicious hackers may soon have a harder time getting access to the IP addresses of Tor users, thanks to upcoming security upgrades that the Tor Project and the creators of Mozilla Firefox have been discreetly working on.

With the security of the Tor network itself holding up, hacking an individual user's computer has proved to be the one weakness that the authorities have relied on time and again to de-anonymize Tor users.

By hacking these endpoints, investigators are able to acquire the IP addresses of the users and thus, their locations.

The new twists and upgrades serve to make the process of unmasking these users a lot harder, if not impossible.

Firefox Security Lead Richard Barnes explained in an email to Motherboard that they had already created all the basic tools needed for the security upgrades and were now in the process of putting those tools together to realize the concept.

Where the Vulnerability Lies

To break it down, Barnes explained that the Tor Browser has two major constituents: the Tor proxy that is necessary to route the browser’s traffic through the Tor network itself and the modified part of Firefox that makes accessing the network possible.

The Firefox part of the Tor Browser is where the vulnerability lies, according to Barnes, as it is dependent on network access in order to communicate with the Tor proxy.

When compromised, the Firefox part of the Tor Browser can be used to connect to another entity—say a government server—which then puts the user’s anonymity at risk as it reveals information such as the user’s IP address.

FBI Has Successfully Breached Tor Using That Weakness

Tor Project and Mozilla Firefox developers are working together on a security upgrade to deter law enforcement to access the identity of Tor users.

The FBI exploited this vulnerability before, in February 2015, when it used a NIT (Network Investigative Technique) to reveal the IP address of a visitor to a child pornography site.

The malware is suspected to have exploited one of the Tor Browser's weaknesses, which people suspect the FBI keeps under wraps, to access the computer before forcing it to contact a government server outside the encrypted network.

This way, the law enforcement agency was able to get information that led to the arrest of the suspect.

The upcoming upgrade looks to remove the need for network access in order for the two halves of the Tor Browser to communicate.

With support for Unix domain sockets, the two integrated programs should be able to communicate with each other without needing an underlying network protocol.

As such, the Firefox side of the Tor browser will no longer be easy to compromise.

Sandboxing Will Cut Off Network Access to the Firefox Half

Barnes added that the new security upgrade will allow Tor users to run the browser in a sandbox that requires no network access at all, other than a Unix domain socket to the proxy.

Furthermore, in the event the Firefox half of the Tor browser was compromised, law enforcement agencies would have no network connection with which to relay the user’s information to their servers.
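A constructed illustration of the mechanism described above (added here; not Tor's or Mozilla's code): a stand-in for the Firefox half performs a SOCKS5 CONNECT through a stand-in for the Tor proxy over a Unix domain socket, so the browser side never opens a TCP/IP socket and a sandbox can deny it network access outright. The socket path and the destination name are made up for the demo.

```python
import os
import socket
import tempfile
import threading

# SOCKS5 constants (RFC 1928). The Tor proxy speaks SOCKS; only the
# Unix-socket transport below is what the upgrade adds.
SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00


def recv_exact(conn, n):
    """Read exactly n bytes or raise if the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def stub_proxy(listener):
    """Stand-in for the tor proxy: answer one greeting and one CONNECT,
    and return the (host, port) the client asked for."""
    conn, _ = listener.accept()
    with conn:
        ver, nmethods = recv_exact(conn, 2)
        methods = recv_exact(conn, nmethods)
        if ver != SOCKS_VERSION or NO_AUTH not in methods:
            raise ValueError("unsupported greeting")
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
        ver, cmd, _rsv, atyp = recv_exact(conn, 4)
        if ver != SOCKS_VERSION or cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
            raise ValueError("unsupported request")
        host = recv_exact(conn, recv_exact(conn, 1)[0]).decode()
        port = int.from_bytes(recv_exact(conn, 2), "big")
        # Success reply with a zero IPv4 bind address and port.
        conn.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, 0x01]) + bytes(6))
        return host, port


def browser_connect(sock_path, host, port):
    """Stand-in for the Firefox half: SOCKS5 CONNECT using AF_UNIX only.
    Returns the proxy's reply code (0 == succeeded)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)  # filesystem path, not an IP:port
        s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy refused no-auth")
        name = host.encode()
        s.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
                  + name + port.to_bytes(2, "big"))
        _ver, rep, _rsv, _atyp = recv_exact(s, 4)
        recv_exact(s, 6)  # bound IPv4 address and port, unused here
        return rep


def run_demo():
    """Run both halves over a temporary Unix socket; constructed demo."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "socks.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(1)
    result = {}
    t = threading.Thread(target=lambda: result.update(target=stub_proxy(listener)))
    t.start()
    rep = browser_connect(sock_path, "example.onion", 443)  # made-up destination
    t.join()
    listener.close()
    os.unlink(sock_path)
    os.rmdir(tmpdir)
    return rep, result["target"]


if __name__ == "__main__":
    print(run_demo())
```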

Barnes gave a brief overview of how the Tor Project and the Mozilla Firefox team came to collaborate on this new project.

While Tor Project gave the Tor proxy and the Tor browser Unix socket capabilities, Mozilla made the Firefox browser generally capable of talking to proxies over Unix domain sockets.

Afterward, Tor proceeded to add this capability to their browser as Mozilla chipped in every once in a while to fix any bugs that came up.

Release Set For Early Next Year

As it stands, Barnes revealed that the upgrade will only work on macOS and Linux, since those platforms already have the necessary sockets, although the teams are working on extending the capability to Windows.

However, there are some requirements that must be met for the plan to work.

Other than the availability of the sockets in question on all the platforms, users will also require a compatible sandbox in order to inhibit the Firefox half of the Tor browser from gaining network access in case it is compromised.

The support will be available in Firefox 51, which is set for release in January 2017.

Source: darkwebnews

Categorized in Internet Privacy

Computer viruses and malware are spreading faster than their biological counterparts it seems.

Numbers from security firms point to the fact that close to 20 million malware threats have been neutralized in the first quarter of 2016. This equates to about 27,000 in one single day.

This leads us to a frightening scenario: huge amounts of malware are being created and distributed intentionally on a daily basis solely so that their creators can make huge sums of money over the internet.

The hackers employ a variety of methods to spread the viruses on the victims’ computers.

Methods of Spreading Malware

Spreading is the name of the technique hackers use to circulate viruses. These days it seems to be getting easier, with many tutorials available on the Clearnet that teach the many methods used to spread malware.

The effort to spread starts with making payloads in a manner that makes the malware most effective once it is delivered to a victim’s computer.

It is usually done by packing the malware inside the contents of other files. Portable executable (.exe) files have a lot of unused space, which hackers fill with their malware programs. This makes the malware easy to transport safely over the internet.

Sometimes, the hackers attach the malicious files to bundles of executable files that otherwise appear safe and normal. Viruses may be inserted even into .pdf and document files.

In a client-server setup, hackers sometimes use vulnerabilities of software that reside on client-side machines. The hackers use a technique called “java drive-by” and make it possible for the malicious software to download and run itself with or without user intervention.

This is possible when client-side browsers are weak and insecure. There are many platforms used by hackers to spread malicious software.

One example is The Pirate Bay, a torrent network. Using such a platform, even a beginner hacker can infect millions of users within a short period.

In one instance, about 12 million users were infected with malware in a month's time.

Malvertising is another common method used by hackers to spread malware.

They embed the malicious software in advertisements on well-trusted websites that earn their revenue through advertising.

This ends up infecting millions of unsuspecting users’ computers from trusted platforms.

The biggest advantage that the hackers have is that there is no suspicion caused.

Anti-Virus and Malware

In the midst of such a scenario, it has now been understood that an anti-virus program alone is just not enough to keep data safe against malware these days.

However, in this context, it is important to know as to how an anti-virus program works.

Anti-virus programs are designed to scan all files residing on the hard disk and detect typical signatures that are found in infected files. The anti-virus program maintains large databases of signatures or even bits of code that typically come from malware or virus programs.

However, it is possible for the hackers to change signatures of virus programs with reasonable ease.

For this purpose, hackers use programs called runtime crypters, which are available in darknet markets and on specific forums frequented by hackers. Crypters are programs that contain an encrypted or encoded version of the actual malware.

When such a program is executed, the malware decrypts itself and runs from the memory. The malware thus effectively evades the action of the anti-virus.

Some anti-virus programs work by quarantining programs that remotely resemble malware. This is referred to as sandboxing.

In these methods, also called heuristic methods, a file’s contents are examined using algorithms which detect suspicious code.

Malware programs are now being designed to outlast the observation period of anti-virus programs before they start to work.

The latest malware programs are also designed to do nothing if they are run on virtual machines. Popular types of malware include Remote Access Trojans, spyware, and rootkits. Distributed denial-of-service (DDoS) attacks using malware are becoming more common.

Another such program is ransomware, where an attack encrypts all data and the hackers demand a ransom for the key that unlocks it again.

At the end of it all, according to security experts, the best option for any unsuspecting user to avoid such pitfalls is to educate oneself about lesser known aspects of computer security.

Source: darkwebnews

Categorized in Internet Privacy



Cortana, Windows 10’s built-in virtual assistant, is both really cool and really creepy


When I first saw Mr. Spock talking to the Enterprise’s computer, I thought it was so cool. I still do. But the more I look at Cortana, Windows 10’s inherent virtual assistant, the more creeped out I get.

Let’s start with Cortana’s fundamental lust for your data. When it’s working as your virtual assistant it’s collecting your every keystroke and spoken syllable. It does this so it can be more helpful to you. If you don’t like that, well, you’ve got more problems than just Cortana. Google Now and Apple Siri do the same things. And it’s not just virtual assistants; every cloud-based software as a service (SaaS) does this to one degree or another — Google Docs, Office 365, whatever.

But Cortana doesn’t stop there. With the recently released Windows 10 Anniversary Update, hereafter Windows 10 SP1, you can’t shut Cortana off.

Maybe you don’t mind Microsoft listening to your every word so it can catch when you say, “Hey, Cortana.” I do. Yes, I want the coolness factor of being able to talk to my computer. But I want the reassurance that it’s not listening when I don’t need it to be. I want a simple on/off switch. Windows 10 SP1 doesn’t have one. This is interesting, though: Windows 10 Education does. Microsoft apparently is willing to respect the privacy of students. The rest of us? Not so much.

What you can do in Windows 10 SP1 is cripple Cortana when you install the operating system. But Cortana then becomes no more than a front end to Microsoft’s Bing search engine. You lose the ability to talk to your computer. You’ll no longer be able to tell Windows 10 to get you an Uber or tell you how the Chicago Cubs did today.

If you’re anti-Cortana, don’t install Windows 10 SP1 with “Express settings.” Instead, follow the steps described by Jared Newman in PC World. You will make Windows 10 less useful but a lot more private. If you’re not comfortable with Cortana collecting your contacts, location, calendar data, and text and email content and communication history, you’ll want to do this. Don’t, though, if you want the full Cortana experience and you don’t mind Microsoft collecting everything except your car keys.

And maybe you don’t. Many of us are reconciled to the mantra of the internet economy: “If you’re not paying for it, you are the product.” Companies such as Facebook and Google give all their free social and search goodies in return for our web history, which they then transform into cash with targeted advertising. And as for Microsoft, it makes a point of saying Cortana doesn’t do that. Why do I not feel reassured?

Now that I think of it, though, you can’t (easily) get Windows 10 for free anymore. So you get to pay Microsoft with both cash ($199.99 for Windows 10 Pro) and your data. Oh boy!

Then there is Cortana on the lock screen. Microsoft calls this a feature that gives you the ability to ask your PC simple questions without logging in. But I call anything that lets me input data into a PC without being logged into it a bug. It’s a security hole begging to be exploited. Windows, which God knows has had more than enough security problems, now has a new attack surface.

Fortunately, you can fix this one easily. Just open Cortana’s Settings and turn off the “Use Cortana even when my device is locked.”

By the way, Microsoft always claims that Windows is new and improved and more secure than ever. And yet, if you look at any significant Windows patch report, you will notice that every major bug affects every supported version of Windows. Shouldn’t the new and improved Windows 10 be immune from the bugs that affect Windows 7, 8 and 8.1? It’s funny how they seem to slug every version of Windows.

I like Microsoft a lot more than I used to, but I’m not ready to trust it with everything and the virtual kitchen sink. So I followed Newman’s advice when installing the OS. I’m afraid I will never be as cool as Spock.

I should note that, if your distrust of Microsoft exceeds mine, you can rip into your operating system’s guts and totally disable Cortana. You need to beware, though, because it involves going in deep, to places where it’s really way too easy to foul up Windows. In killing Cortana, you could end up seeing a lot more Windows crashes.

In Windows 10 Pro, you type gpedit.msc into the Start menu. Head down to Computer Configuration > Administrative Templates > Windows Components > Search. Once there, double-click Allow Cortana and set it to Disabled. Log off and back on, and you’re done.

In Windows 10 Home, open the registry with regedit and head to

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search

Next, right-click the Windows Search key and choose New > DWORD (32-bit) Value. Name this new DWORD AllowCortana and set it to 0. Now log off and reboot your computer.

Let me reiterate: If any of that sounds mysterious, don’t do it.

And, you know, why should you have to? Why can’t Microsoft just make it easy to turn off Cortana? I’d appreciate it.

Source : http://www.computerworld.com/article/3106863/microsoft-windows/cortana-the-spy-in-windows-10.html


Categorized in Internet Privacy

