Phishing Scam With Fake Invoices Spreads Across US and UK

A malware called Emotet is spreading through the US and UK, specifically targeting banks and the financial sector, according to a report published by Menlo Security. Cybercriminals are running a campaign that spreads via phishing emails carrying a malicious Microsoft Word document as an attachment. The email is made to look official by mentioning financial topics such as invoices or banking details in the subject line, enticing victims to open the file.

Emotet activity was on the decline in December 2019, yet it began to pick up momentum again early in the new year as cybercriminals put it to new malicious uses.

These targeted attacks are meant to disrupt multiple sectors including media/entertainment, transportation, and food/beverage in locations such as the US, UK, Philippines, Spain, and India. Emotet attacks have largely been focused on the financial services sector, with half of these campaign attacks affecting the US and a quarter affecting the UK. 

After a user downloads the infected Word file and clicks “enable editing”, the embedded macros run on the victim’s computer and deliver the Emotet malware. Once on the device, Emotet not only steals sensitive information but can also spread further malware to other computers on the same network.

Emotet cannot be traced to a single point of control: it operates as a botnet that infects Windows computers worldwide and then spreads further from those infected devices.

As Emotet continues to wreak havoc, employees should treat suspicious emails in their inbox with caution, since any attached documents or links could well be infected with malware. Be especially wary of emails that ask you to “enable macros”. Keeping computer operating systems up to date is another important step in staying safe.

New Trojan Malware Spreads via Word Document

There’s a new trojan spreading through malicious Word documents, and cybercriminals are using it to steal personal information and sensitive banking details. The malware, the Ursnif trojan, targets Windows operating systems and is popular with hackers because its source code was leaked, making it a widely available option for cybercriminals to build on. This trojan has existed in different forms over the years, starting in 2007 when the code first surfaced in the Gozi banking trojan.

Since the code was leaked, hackers have customized it to their liking, stealing bank account information and other valuable account details. Cybersecurity firm Fortinet has identified a new version of the trojan that spreads through Word documents named in the format “info_[date].doc”. The attacker attaches a malicious macro script that launches once the document’s macros (a series of operations run through a single command) have been enabled.

The macros are enabled by clicking “Enable Content”, which runs VBA code that drops a version of the Ursnif malware onto the victim’s computer. The malware then runs “iexplorer.exe” processes to connect to a command and control server on the attacker’s end. To deflect suspicion, the server’s host list refers to security companies as well as Microsoft.

Researchers have stated that the campaign is still operating. Even though these techniques might seem basic, a simple phishing email could give these cybercriminals a foothold in a network and the chance to launch an extensive cyberattack.

As always, be mindful of the emails you receive, especially those with unsolicited document attachments, and check the sender’s email address to judge whether the email is spam. When in doubt, contact the company referenced in the email directly, using a phone number taken from its actual website.
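Both the Emotet and Ursnif campaigns above rely on a macro-bearing Word document as the lure, so a mail gateway or analyst wants a quick way to tell whether an attachment even carries a VBA project before anyone is tempted to click “Enable Content”. The following triage helper is an added example written for this page, not code from either report or from Fortinet or Menlo Security. It recognises the two Office container formats by their magic bytes, inspects OOXML zips for a `vbaProject.bin` part or a VBA content type, and flags a legacy `.doc` extension sitting on top of zip content. The sample attachments and their names are constructed; for real legacy OLE2 files, an OLE-aware scanner such as olevba from the oletools project is needed, which this helper deliberately defers to rather than guessing.

```python
import io
import zipfile

# Magic bytes of the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # Office Open XML (.docx/.docm/.xlsm) is a zip
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def triage_office_attachment(filename, data):
    """Classify an Office attachment by its bytes and flag VBA macro indicators.

    Returns {"format": "ole2" | "ooxml" | "unknown", "has_vba": bool, "reasons": [...]}.
    """
    reasons = []
    result = {"format": "unknown", "has_vba": False, "reasons": reasons}
    name = filename.lower()

    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macro streams sit inside the compound file. This
        # helper does not parse OLE2, so such files need an OLE-aware scanner
        # (olevba from oletools, for instance) before they are treated as clean.
        result["format"] = "ole2"
        reasons.append("legacy OLE2 container: needs an OLE-aware macro scan")
        return result

    if data.startswith(ZIP_MAGIC):
        result["format"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                content_types = ""
                if "[Content_Types].xml" in names:
                    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except zipfile.BadZipFile:
            reasons.append("zip container is truncated or corrupt")
            return result
        # Two independent signals for an embedded VBA project.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            result["has_vba"] = True
            reasons.append("contains vbaProject.bin (embedded VBA project)")
        if MACRO_CONTENT_TYPE in content_types:
            result["has_vba"] = True
            reasons.append("[Content_Types].xml declares a VBA project part")
        if name.endswith((".doc", ".xls")):
            # Zip-based content behind a legacy extension means the file was renamed,
            # a common lure trick so the icon looks like an ordinary document.
            reasons.append("extension says legacy binary format but content is OOXML")
        return result

    reasons.append("not an Office container")
    return result


def build_sample_ooxml(with_macro):
    """Build a minimal OOXML-shaped zip. Constructed test data, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes, not real VBA
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments; the names mimic the lure patterns described above.
    samples = {
        "invoice_2020-01-14.docm": build_sample_ooxml(with_macro=True),
        "quarterly_report.docx": build_sample_ooxml(with_macro=False),
        "info_2019-03-05.doc": OLE_MAGIC + b"\x00" * 504,   # OLE2 header only
    }
    for fname, blob in samples.items():
        print(fname, triage_office_attachment(fname, blob))
```

The content-type check matters because the part name alone can be hidden by a renamed entry; checking both the zip listing and `[Content_Types].xml` means a document that declares a VBA part anywhere is flagged. A positive `has_vba` is a reason to quarantine and inspect, not proof of malice, since some business documents legitimately carry macros.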

Malware Increases on Google Play Due to Click-Fraud Apps

Compared with the previous year, the amount of malware originating from Google, specifically Google Play, has doubled (a 100 percent increase). Google attributes the rise to the fact that click-fraud apps are now counted as potentially harmful apps (PHAs).

Google also stated that malware download rates remain quite low and that customers are still better off with the safer option of downloading applications from Google Play. According to ZDNet, citing Google, “28 percent of malware outside the Play Store are backdoors, while 25 percent are trojans, 22 percent are hostile downloads, and just 13 percent are click-fraud apps.”

Google says that if click-fraud apps were removed from the statistics, PHA installs would show a decrease of 31%; even so, about 55% of PHA installs came through Google Play. The click-fraud apps are typically the result of application developers bundling a software development kit (SDK) without realizing that it is what carries out the fraud.

Google Play’s anti-malware system blocked about 1.6 billion PHA installation attempts in the last year, a 20% improvement in blocking PHA installs. Chamois, a malware family in the same category, sometimes comes preinstalled on certain Android devices. As the ZDNet article explains, “Chamois apps are preinstalled on popular devices from different OEMs that didn’t carefully scan for malware. As a consequence, users are buying compromised systems. When users start up their new devices, the preinstalled Chamois apps (usually disguised as system apps) download and install PHAs and other apps in the background.”

Beware: TrickBot Malware Is on the Rise for Tax Day

Tax Day is coming up on April 15th, and cybercriminals are out to profit at many victims’ expense. A tax-themed TrickBot campaign is landing in inboxes: the attackers impersonate payroll providers such as Paychex and ADP and send malware-infected Excel documents to their recipients.

TrickBot works by exploiting network vulnerabilities to gain entry and steal sensitive information such as passwords and bank account details, which are then used to file fraudulent tax forms and collect the refunds. TrickBot-driven scams cost the IRS over a million in losses back in 2016.

Researchers from IBM X-Force noted that the cybercriminals are using domains that closely resemble those of real payroll providers in order to deceive recipients into thinking the email comes from a legitimate source.

IBM global executive security advisor Limor Kessem stated that “this campaign [is] highly targeted in its efforts to infiltrate US organizations,” and the threat from TrickBot doesn’t look like it will cease. Kessem continues: “TrickBot [is] one of the most prominent organized crime gangs in the bank fraud arena, [so] we…expect to see it maintain its position on the global malware chart, unless it is interrupted by law enforcement in 2019.”

Before clicking any link in an email, it is strongly advised to double-check the email’s legitimacy by looking closely at the sender information. Hovering over a link also lets you see where the URL actually leads before you click it; check the small window that pops up above the link to make sure it goes where you expect.
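The two checks recommended above (does the visible link match its real destination, and does the destination domain look like a lookalike of a real provider) can be automated for an HTML email body. The script below is an added example written for this page, not code from IBM X-Force or from the article; it parses the anchors out of an HTML body with the standard library, compares the domain shown in the link text with the domain in `href`, and flags any destination whose second-level label is one edit away from an allowlisted provider. The `KNOWN_PROVIDERS` allowlist is an assumption built from the two providers the article names, and the sample email body is constructed, using the reserved `.example` top-level domain for the bogus destinations.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate payroll-provider domains named in the article; the allowlist a
# mail filter would maintain. Lookalikes are measured against these (assumed).
KNOWN_PROVIDERS = {"paychex.com", "adp.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels. Good enough here; a real
    filter would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_in_text(text):
    """If the visible link text looks like a URL or bare domain, return its host."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def check_links(html):
    """Return a finding for every link whose real destination disagrees with what
    the reader sees, or whose domain is one edit away from an allowlisted one."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        reasons = []
        shown = host_in_text(text)
        if shown and registrable(shown) != target:
            reasons.append(f"text shows {registrable(shown)} but link goes to {target}")
        for good in KNOWN_PROVIDERS:
            if target != good and edit_distance(target.split(".")[0], good.split(".")[0]) <= 1:
                reasons.append(f"{target} is one edit away from {good}")
        if reasons:
            findings.append({"href": href, "text": text.strip(), "reasons": reasons})
    return findings


# Constructed sample email body (not a real message); .example is a reserved TLD.
SAMPLE_EMAIL_HTML = """
<p>Your 2019 W-2 is ready.</p>
<p><a href="https://paychek.example/login">https://www.paychex.com/login</a></p>
<p><a href="https://www.adp.com/help">Contact support</a></p>
<p><a href="https://files.example/Form_W2.xlsm">Download the attached Excel form</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML):
        print(finding)
```

On the sample body only the first link is reported, with two reasons: its text shows `paychex.com` while the `href` goes to `paychek.example`, and that destination is one character away from the allowlisted provider. The third link is not flagged, which is the point of pairing this check with attachment inspection: a clean-looking link to a macro-enabled spreadsheet is exactly the TrickBot lure described above.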

1-800-FLOWERS Affected by Undetected Credit Card Breach Over Four Year Period

In a recent filing with the California Attorney General’s Office, 1-800-FLOWERS revealed that it was the victim of a silent malware attack that affected the business over a four-year period. As the filing explains, customer credit card information was stolen from the Canadian branch’s website, while the main website was unaffected.

What is notable is that the malware sat on the site for four years without being detected. Between August 15, 2014 and September 15, 2018, consumers’ first and last names, card numbers, expiry dates, and security codes were all accessed by the unknown hacker(s).

The report did not disclose the number of consumers affected by the breach, but under California law the company is required to notify its customers of any incident that affects more than 500 people.

Interestingly, 1-800-FLOWERS is the second company to report a breach lasting four years: Marriott was also compromised over a four-year period, during which hackers stole 500 million guest records.

For now, the company recommends that all of its customers keep a close watch on their payment records and report any suspicious charges to their bank or card issuer.

Apple Bans Cryptocurrency Mining Apps on iOS to Protect Mobile Users

For a time in 2017, “Coinbase” was the #1 application in the App Store, but Apple is now taking action to stop cryptocurrency mining on its devices for the sake of keeping users’ devices safe.

At WWDC, the company set out new rules for developers stating that apps, including any third-party advertisements displayed within them, may not run unrelated background processes such as cryptocurrency mining.

Many still wonder whether Apple’s decision makes sense, so Martha Bennett, a principal analyst at Forrester Research, explains:

“Just like with all the cryptocurrency mining utilities you get for PCs (in the shape of apps or browser plug-ins, most of which are malware), they thrash your CPU, and if you’re running on battery, which you almost invariably are on a mobile device, they drain your battery,” Bennett said via email. “Plus, Apple won’t want to be associated with all the shady stuff that’s going on in relation to cryptocurrencies.”

Malware that siphons CPU time for cryptocurrency mining is spreading from desktops to mobile devices; the practice is relatively new but has been growing quickly. For example, the cryptocurrency mining service “Coinhive” has become one of the most widely spread pieces of malware.

Coinhive, a Monero JavaScript miner, hijacks a portion of the processing power of any computer or device used to visit a site that embeds it, enlisting the device to mine Monero cryptocurrency without the user’s knowledge. The practice is known as “cryptojacking.”

Antivirus vendor Trend Micro said, “It’s no surprise that the rise of ‘Cryptomining’ malware has been the reason the rate of cryptocurrency has gone up.”

According to the article, cryptocurrency mining has overtaken ransomware in North America in recent years.

“Cryptocurrencies are made through a procedure known as Proof of Work (PoW). PoW powers a PC to extend CPU capacity to solve complex cryptographic-based equations before they’re approved to add data to a blockchain-based, dispersed ledger; those computer nodes that complete the equations condition the fastest are compensated with a portion of digital coins, for example, bitcoin,” as Lucas Mearian of ComputerWorld explains.
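To make the quoted description concrete, here is a minimal proof-of-work loop as an added example written for this page (not from ComputerWorld, Apple or any real coin). The “equation” is simply a hash: a node varies a nonce until SHA-256 of the block contents plus nonce falls below a target, and the target is set by a difficulty so that the expected number of hashes doubles with each extra bit. The timing loop in `main` shows why the Apple rule matters: the work grows exponentially with difficulty, a phone has no hope of competing with ASICs, and the CPU is pinned the whole time. Block contents and difficulties are constructed.

```python
import hashlib


def pow_digest(block_data, nonce):
    """SHA-256 over the block contents plus an 8-byte big-endian nonce."""
    return hashlib.sha256(block_data + nonce.to_bytes(8, "big")).digest()


def meets_target(digest, difficulty_bits):
    """True when the digest has at least `difficulty_bits` leading zero bits,
    i.e. is below the target 2**(256 - difficulty_bits)."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def mine(block_data, difficulty_bits, max_nonce=1 << 32):
    """Brute-force nonces until the hash meets the target.
    Returns (nonce, digest_hex, attempts); expected attempts ~ 2**difficulty_bits."""
    for nonce in range(max_nonce):
        digest = pow_digest(block_data, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    raise RuntimeError("nonce space exhausted")


def verify(block_data, nonce, difficulty_bits):
    """Checking a claimed solution costs one hash, whatever the difficulty."""
    return meets_target(pow_digest(block_data, nonce), difficulty_bits)


if __name__ == "__main__":
    import time
    header = b"prev=0000abcd|txroot=deadbeef|ts=1527800000"   # constructed block contents
    for bits in (8, 12, 16, 20):
        t0 = time.perf_counter()
        nonce, digest, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} attempts={attempts:8d} "
              f"{time.perf_counter() - t0:6.2f}s  {digest[:16]}...")
```

The asymmetry between `mine` and `verify` is the whole design: anyone can confirm a solution with one hash, but producing it requires on average 2^difficulty hashes, which is the CPU load that cryptojacking scripts offload onto visitors’ devices.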

Mining cryptocurrency has become so popular that many individuals and large companies have set up mining rigs and data centers with large numbers of servers for the express purpose of producing bitcoin or other cryptocurrencies.

The purchase price of Graphics Processing Units (GPUs) and Application Specific Integrated Circuits (ASICs) has gone up, and some cities have even banned mining operations outright because of the amount of electrical power they consume.

Apple is not the first tech company to ban cryptocurrency mining. Last April, Google announced that it would no longer accept cryptocurrency-mining extensions in its Chrome Web Store.

It is worth repeating that the ban is the right call, since mining on a smartphone is largely pointless anyway: the processing power of such a device is not enough to complete the work fast enough to earn a meaningful reward. The device would be under constant load for little or no return, which is not worth it in the long run. Even desktop mining is fading as people realize that ASICs are the only way to mine efficiently. So it is for the best that Apple has restricted it, so that fewer people damage their devices.



Prowli Malware Targeting Servers, Routers, and IoT Devices

Following the discovery of the VPNFilter malware, security analysts have revealed another massive botnet that has compromised 40,000 servers belonging to over 9,000 businesses across many sectors, including finance, education, and government organizations. This campaign, called “Prowli”, has been spreading malware and injecting malicious code to take over servers and websites around the world, using exploits for known vulnerabilities alongside abuse of weak configurations.

Here’s the list of devices and services infected by the Prowli malware:

  • Drupal and WordPress CMS servers hosting popular websites
  • Joomla! servers running the K2 extension
  • Backup servers running HP Data Protector software
  • DSL modems
  • Servers with an open SSH port
  • phpMyAdmin installations
  • NFS boxes
  • Servers with exposed SMB ports
  • Vulnerable Internet-of-Things (IoT) devices

As HackerNews explains in their recent article, “the attackers behind the Prowli attack are abusing the infected devices and websites to mine cryptocurrency or run a script that redirects them to malicious websites, [and] researchers believe they are more focused on making money rather than ideology or espionage.”

GuardiCore researchers describe how the worm runs commands on remote victims and then reports harvested credentials to a C2 server.

In simple terms, the researchers explain:

“r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim…”

Attackers Also Trick Users Into Installing Malicious Extensions

Other than the cryptocurrency miner, the attackers also use a well-known open source web shell called “WSO Web Shell” to modify the compromised servers. They then trick visitors of those websites into installing malicious browser extensions. Moreover, researchers have found that the Prowli campaign spans a variety of industries, noting that “[o]ver a period of 3 weeks, [they have] captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations.”

How to Protect Your Devices From Prowli-like Malware Attacks

Since the attackers are using a mix of known vulnerabilities and credential guessing to compromise devices, users should always keep their systems patched and up to date and use strong passwords to reduce the chance of being hacked.

In particular, users should also consider hardening their frameworks and segmenting vulnerable or hard-to-secure systems so that they are separated from the rest of the network.
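The r2r2 worm quoted above brute-forces SSH logins with a password dictionary, and the mitigation advice is patching and strong passwords; the missing piece for a defender is noticing the guessing while it happens. The detector below is an added example written for this page, not GuardiCore’s code. It parses standard sshd syslog lines, keeps a sliding window of failed logins per source address, raises an alert when a source reaches a threshold within the window, and raises a second, higher-priority alert if that same source is later accepted, which is the sign that one of the guesses worked. The log lines are constructed and use documentation address ranges; the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges); not real logs.
SAMPLE_AUTH_LOG = """\
Jan 14 03:21:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 14 03:21:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 14 03:21:04 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Jan 14 03:21:06 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 14 03:21:08 web1 sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Jan 14 03:21:09 web1 sshd[1211]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 14 03:25:30 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Jan 14 03:25:41 web1 sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2018):
    """Parse one sshd auth line; syslog carries no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window detector. Emits a 'bruteforce' alert the first time a
    source IP reaches `threshold` failures within `window_seconds`, and a
    'success_after_bruteforce' alert for any accepted login from such an IP,
    which is the signal that a password guess actually worked."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            window = failures[ip]
            window.append(ev["ts"])
            # Drop failures that fell out of the window (the newest entry always stays).
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(window), "at": ev["ts"]})
        elif ip in flagged:   # outcome == "Accepted" from a source already flagged
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the sample log the detector fires once for 203.0.113.7 after its fifth failure in eight seconds and again when that address is accepted as root a second later; alice’s single typo from 198.51.100.4 followed by a key-based login produces nothing. The second alert type is the one worth paging on, since it marks a host that should be treated as compromised rather than merely probed.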


2018 Winter Olympics “Olympic Destroyer” Malware

Picture of the Olympic Rings on the Montreal International Olympic Committee (IOC) building (Canada), built for the 1976 Summer Olympic Games

During the Winter Olympics opening ceremony last week, the Wi-Fi and television systems used by on-site journalists covering the event failed unexpectedly. On Sunday, Olympic officials reported that the failures were no accident: they were the result of a targeted cyberattack against the international event.

Unfortunately, this isn’t the only cyberattack the 2018 Winter Olympics have faced. The attacks came after certain Russian athletes were banned from the games, and a Russian hacking group, Fancy Bears, claimed responsibility for various attacks on the U.S. and International Olympic Committees as a result of the ban.

After the attack, Cisco Talos analyzed the Olympic Destroyer malware and determined that it was capable of interfering with a Windows computer’s data recovery processes and of deleting critical services.

The researchers stated, “The samples identified, however, are not from adversaries looking for information from the games, but instead they are aimed to disrupt the games. The samples analyzed appear to perform only destructive functionality.”

Another major issue was that files on network shares were also deleted. Additionally, the malware uses a self-patching feature that allows it to change as it moves from one host to the next. Lastly, it was found to use the EternalRomance exploit, an NSA exploit leaked by the Shadow Brokers in 2017 that was also used (alongside EternalBlue) to spread the NotPetya ransomware last year.

As of now, that’s the latest information we’ve seen. We’ll update this if there is more information.


Cybersecurity Experts Give 5 Tips to Avoid Ransomware

Malware, a mashup of the words ‘malicious’ and ‘software’, is the term cybersecurity experts use for any malicious program on a computer or mobile device. Ransomware is a type of malware that encrypts files and demands a ransom (typically paid in bitcoin) in exchange for decrypting them. Many of the various kinds of malware install without user consent, and their effects range from crippling your computer to stealing sensitive data.

Recently, there has been an increase in attacks on hospitals in pursuit of hefty payouts. In February, Hollywood Presbyterian Medical Center paid a $17,000 ransom (40 bitcoin) after a hacker seized its patients’ medical records and important files. Unfortunately, this is happening all too often. We’ve put together an infographic to help you fight ransomware and protect your important files. If you do not have a proper backup plan in place, Inverselogic’s cybersecurity experts can put a plan of action together for you and your business.

Malware Infographic