Back in 2010, Facebook likejacking (a social engineering technique of tricking people into posting a Facebook status update) was a trending problem. So, whatever happened to likejacking scams and spam? Well, Facebook beefed up its security — and the trend significantly declined, at least when compared to peak 2010 numbers.
But you can’t keep a good spammer down. Can’t beat them? Join them.
Today, some of the same junk that was spread via likejacking… is now spread via Facebook Advertising.
The top middle thumbnail above is some kind of malformed egg. Typical click-bait.
The ad links to a Page with localized campaigns. Note the “Ca” and the “Fi”.
The landing page uses an “app” trick to automatically redirect to a spam campaign:
We’re pretty sure such tricks are a violation of Facebook’s ToS. But so far, Facebook hasn’t reacted to the sample we sent them.
Some of the spam campaigns are not exactly “safe for work” depending on the source ads:
Also a concern: some of the ads appear to be linked to compromised websites. The spammers may not even be paying for these ads.
Are you judged by the company you keep?
That’s probably a question legitimate brands with a Facebook presence should be asking themselves.
Posted in F-Secure, English-Italian Translations and tagged Facebook Ad, Jailbait, Likejacking, spam by admin with no comments yet.
Yeh, one of our Security Response Analysts, came across an interesting report on a Chinese forum over the weekend about an Android app that basically turns the device into a hack-tool capable of stealing information from a connected Windows machine.
He managed to find a sample (MD5: 283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (we detect it as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device:
When the app is launched, it directs the user to download a ZIP file from a remote server:
It then unzips the downloaded file to the /mnt/sdcard/usbcleaver/system folder. The files saved are essentially utilities used to retrieve specific pieces of information when the device is connected via USB to a Windows machine. Note: we detect most of the files with older detections.
The following details are grabbed from the connected PC:
• Browser passwords (Firefox, Chrome and IE)
• The PC’s Wi-Fi password
• The PC’s network information
The app gives the user the option of choosing what information they want to retrieve:
To run the utilities, the sample creates an autorun.inf file and a go.bat file at /mnt/sdcard. When the device is plugged into a Windows machine, the autorun script is triggered, which silently runs go.bat in the background, which in turn runs the specified utilities from the usbcleaver/system folder.
The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app’s user can click on the ‘Log Files’ button to view the information retrieved from the PC:
This isn’t the first Android trojan reported this year with PC-infecting capabilities, since that ‘distinction’ belongs to the trojan-spy apps family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).
Unlike the Sscul malware however, which is more focused on remote eavesdropping, USBCleaver seems to be designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.
Fortunately, UsbCleaver’s Windows-infecting routine can be blocked by a simple measure that has been standard security advice for the last couple of years: disabling Autorun (this is already the default on Windows 7 machines). An additional mitigating factor is that most older Windows systems need to have mobile drivers manually installed in order for this attack to work.
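A way to verify that Autorun mitigation from PowerShell, added here as an example and not part of the original post: it reads the NoDriveTypeAutoRun policy value (a bitmask of drive types; 0xFF disables Autorun for every drive type) in both the machine and user policy hives. The function names are ours.

```powershell
# Added example (not from the original post): report whether Autorun is
# disabled for all drive types, the mitigation against USBCleaver's
# autorun.inf / go.bat routine, and optionally apply it machine-wide.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPolicy {
    # Returns one object per policy scope: the configured value (or $null
    # when the value is absent) and whether it disables Autorun everywhere.
    foreach ($path in $policyPaths) {
        $value = $null
        if (Test-Path -Path $path) {
            $props = Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
            if ($null -ne $props) { $value = [int]$props.NoDriveTypeAutoRun }
        }
        [pscustomobject]@{
            Scope    = $path.Split(':')[0]
            Value    = $value
            Disabled = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        }
    }
}

function Disable-AutorunAllDrives {
    # Writes the machine-wide policy (0xFF = all drive types); needs an elevated session.
    $path = $policyPaths[0]
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -Value 0xFF -PropertyType DWord -Force | Out-Null
}

$status = Get-AutorunPolicy
$status | Format-Table -AutoSize
if (-not ($status | Where-Object { $_.Disabled })) {
    Write-Warning 'Autorun is not fully disabled; run Disable-AutorunAllDrives from an elevated prompt.'
}
```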
Analysis by – Yeh
Source: Android Hack-Tool Steals PC Info
Posted in F-Secure, English-Italian Translations and tagged Android Hack-Tool, trojan Android, trojan-spy, USBCleaver by admin with no comments yet.
Earlier today, while doing our daily data mining, we came across a new variant of ZeuS 2.x. It includes a new backdoor command called win_unlock. Very interesting: it turns out this slightly modified ZeuS 2.x includes a ransomware feature.
When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it’s currently unavailable because the site is offline.
The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky, since the trojan prevents the user from doing anything with the infected system; luckily, the locking itself can easily be disabled first.
Looking at the code that corresponds with a received win_unlock command, it’s clear the unlock information is stored in the registry.
Unlocking can therefore be performed quite easily with a registry editor:
1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
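The same unlock marker applied with PowerShell, as an added example that is not part of the original post: the key and value come from the steps above, and the function names are ours. Run it from Safe Mode as the affected user, since HKEY_CURRENT_USER is per-user.

```powershell
# Added example (not from the original post): write the unlock marker the
# post describes, HKEY_CURRENT_USER\syscheck\Checked = 1 (REG_DWORD),
# and skip the write if it is already present.
$keyPath   = 'HKCU:\syscheck'
$valueName = 'Checked'

function Get-ZeusLockMarker {
    # Returns the current Checked value, or $null if the key or value is absent.
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $props = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$valueName
}

function Set-ZeusLockMarker {
    # Creates the key if needed and sets Checked to 1; -Force overwrites a stale value.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
}

if ((Get-ZeusLockMarker) -eq 1) {
    Write-Output 'Unlock marker already present (Checked = 1).'
} else {
    Set-ZeusLockMarker
    Write-Output "Unlock marker written: $keyPath\$valueName = 1. Now remove the trojan itself."
}
```

The marker only disables the locker; the ZeuS binary still has to be removed afterwards.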
Analysis by — Mikko S. and Marko
Posted in F-Secure, English-Italian Translations and tagged Ransomware, win_unlock, ZeuS by admin with no comments yet.
You’ve probably heard about the stratfor.com hack by now. Anonymous claimed responsibility.
Then Anonymous denied being responsible.
But then today, “Anonymous” claimed that the earlier anonymously posted pastebin post wasn’t Anonymous, but was really Stratfor employees claiming to be Anonymous.
Wait… doesn’t Anonymous claim that “we are all Anonymous”? If that’s true, then maybe it was Anonymous after all.
Does anybody care anymore?
It appears the public doesn’t. Google’s instant results for “anonymous is” and “anonymous are” contain few compliments for the group.
In other news: Anonymous promised another data dump today.
Pending denials by Anonymous of course.
Posted in F-Secure, English-Italian Translations and tagged Anonymous, Stratfor by admin with 1 comment.
We came across a fake FlashPlayer.pkg installer for Mac:
Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, etc.) to the IP address 188.8.131.52, which is located in the Netherlands.
The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
As an example, this is what Google.com.tw looks like on a normal, uninfected system:
In contrast, this is what Google.com.tw looks like on an infected system:
When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.
Here’s a search request on the real Google.com.tw site on a clean system:
And here’s the same request on an infected system:
Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server:
At the time of writing, the pop-up pages aren’t displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.
The other remote server returning fake search requests appears to be still active.
We detect this trojan as Trojan:BASH/QHost.WB.
Analysis by – Brod
Posted in F-Secure, English-Italian Translations and tagged Trojan:BASH/QHost.WB by admin with no comments yet.
Android malware seems to be all the rage at the moment. Here are a few comments on a couple of interesting side issues we’ve been discussing as we’ve seen them crop up during analyses.
First up: there was a recent report on suspicious applications found in the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still comes across them in forums and other such locations, usually promoted as ‘free apps’.
The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps. The earlier versions didn’t ask for anything other than Internet access:
However the later versions get a bit more personal than that:
With the changes, the app is able to access various bits of information from the device: the carrier and country, the device’s ID, e-mail address and phone number.
The information is sent out to a remote server.
An additional twist this app pulls is that it includes a little icon that, when clicked, leads the user to other apps which, presumably, they might like to try. The apps being promoted also appear to show the same suspicious behavior.
What was interesting is that both the earlier ‘unremarkable’ and later ‘suspect’ versions of the app appear to be from the same developers:
It appears to be a case of questionable new behaviors being added at a later date to an existing app, and not a repackaged app with foreign malicious routines added. We’re still looking into various aspects of this; for now, based on the observed behavior, we detect these applications as Spyware:Android/SndApps.A.
This case is interesting to us as we see it as an evolution in Android application development, specifically ‘greyware’. This kind of behavior seems to bear out one of our earlier predictions, where an ‘established’ developer would be able to push out an update containing suspicious/unwanted/unethical routines, which may invade the user’s privacy.
The newly added routines could include obtaining user information that can be used for other purposes, like sending marketing advertisements or spam. At worst, the details may be sold to a third party. We would have no way of knowing what is being done with the information.
In another case even more recently, we’ve been discussing the odd behavior of another reported Android app, this time a trojan.
It didn’t make sense that the trojan intercepted an SMS message and then reported it to a loopback address:
From our investigation, it seems like this app might be a test program. We detect this as Trojan:Android/SmsSpy.C.
However, one of our threat hunters did find a file (SHA1: 7d8004b107979e159b307a885638e46fdcd54586) that appears to be more useful:
That looks more like the real deal. We detect this as Trojan:Android/SmsSpy.D.
Analysis and post by: Zimry, Irene, Raulf and Leong
Posted in F-Secure, English-Italian Translations and tagged Android, Android/SndApps.A, Trojan:Android/SmsSpy.D by admin with no comments yet.
Another Android malware utilizing the root exploit “Rage Against The Cage” has been found, and we detected it as Trojan:Android/DroidKungFu.A.
This new malware is embedded in a trojanized application and may require root access in order to conceal itself. The infection occurs in two parts:
Infection: Part 1
The first part is the installation of a trojanized application that gains root privilege and installs the com.google.ssearch application. This application points to Trojan:Android/DroidKungFu.A’s service component, which starts a service, com.google.ssearch.Receiver. On the creation of this service, it calls the function getPermission(), which installs an embedded APK.
This in turn calls checkPermission(), which checks whether com.google.ssearch.apk already exists. If not, it installs the “legacy” file, which is an APK file, to “system/app” (the application folder).
Infection: Part 2
The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.
Here is a screenshot showing the com.google.ssearch.apk installed.
The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:
- execDelete – execute command to delete a supplied file
- execHomepage – execute a command to open a supplied homepage
- execInstall – download and install a supplied APK
- execOpenUrl – open a supplied URL
- execStartApp – run or start a supplied application package
Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:
- imei – IMEI number
- ostype – Build version release, e.g., 2.2
- osapi – SDK version
- mobile – users’ mobile number
- mobilemodel – Phone model
- netoperator – Network Operator
- nettype – Type of Net Connectivity
- managerid – hard-coded value which is “sp033”
- sdmemory – SD card available memory
- aliamemory – Phone available memory
root is set to 1 to signify that the device is rooted, and this information is then sent to “http://search.gong[…].php”.
The malware obtains its commands from “http://search.gong[…].php” by posting the “imei,” “managerid” and root values. It also reports the status of the commands to “http://search.gong[…].php” by posting “imei,” “taskid,” “state” and “comment.”
Threat Solutions post by – Zimry
Posted in F-Secure, English-Italian Translations and tagged Android, DroidKungFu, Rage Against The Cage by admin with no comments yet.
Android has become the main target for mobile malware.
Here’s “Hot Girls 1”, which was still available yesterday for download to your Android phone from Android Market:
This application was originally harmless. However, a malicious developer called “Magic Photo Studio” downloaded the original application, modified it and re-uploaded it to Android Market.
As an end result, when installing “Hot Girls 1”, you might notice that it requires suspicious rights, especially for an application which is just supposed to show you pictures of, well, hot girls:
The malicious developer has inserted code that triggers when the phone receives a call.
The added code will connect to a server and send details about the infected handset to the malware authors. So we’re talking about a mobile botnet.
Our Android security product F-Secure Mobile Security blocks this as a variant of the DroidDream trojan, with the detection name Trojan:Android/DroidDream.B.
Dozens of examples of infected applications have been found in Android Market, uploaded under such developer names as Magic Photo Studio, BeeGoo and Mango Studio. Google has now removed them from the Market.
Posted in F-Secure, English-Italian Translations and tagged Android Market, BeeGoo, DroidDream, Hot Girls 1, Magic Photo Studio, Mango Studio by admin with no comments yet.
Google Docs allows users to create documents, spreadsheets, et cetera at google.com (hosted in Google’s cloud):
Spreadsheets can even contain functionality, such as forms, and these can be published to the whole world.
Unfortunately, that means we regularly see phishing sites via Google Docs spreadsheets and hosted on spreadsheets.google.com.
Here are some examples:
These are nasty attacks, as the phishing pages are hosted on the real google.com, complete with a valid SSL certificate.
While researching these, we ran into this Google spreadsheet form:
And for the life of us, we just can’t figure out if this is phishing or if it’s a valid page run by Google [see below for the answer].
Initially, the page obviously looks like phishing: it’s hosted on the public spreadsheets.google.com server where anyone can host forms. And it asks for your Google Voice number, your e-mail address and the secret PIN code.
But then, you can also find that apparent Google Employees are linking to the form.
So, we can’t figure it out. Can you?
Here’s the URL to the form:
If you can figure this one out, let us know via comments.
Updated to add: The consensus on Twitter seems to be that it’s a phishing site. The jury’s still out though.
Updated to add: We got contacted by a Google employee.
They informed us that, surprisingly, the questionable page is indeed the official Google form to request Google Voice account transfer. They also told us to remove all references to the form in this blog post. But I’m afraid we can’t do that.
Posted in F-Secure and tagged Google Documenti, Google Voice by admin with no comments yet.