Jump to content

Search the Community

Showing results for tags 'Fake'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Found 26 results

  1. A roundup of some of the most popular but completely untrue headlines of the week. None of these stories is legit, even though they were shared widely on social media. The Associated Press checked these out. Here are the real facts. NOT REAL: A Ship Appeared After 90 Years Of Being Missing In Bermuda Triangle THE FACTS: The steamer S.S. Cotopaxi hasn't reappeared in the Bermuda Triangle, more than 90 years since it was last heard from. The Online Newsfeed site says Cuban authorities intercepted the ship, which was said to have run into a tropical storm in 1925. According to news reports at the time, the Cotopaxi did report water in its hold and that it was listing. The ship sent out distress signals, then went silent. The false story circulating this week about its reappearance is similar to others that date to at least 2015, when an article appeared on a site that publishes hoaxes. After another version of the piece appeared in 2017, Petty Officer 3rd Class Eric Woodall of U.S. Coast Guard office in Miami told The Associated Press his agency had received no reports of the Cotopaxi being recovered. The Coast Guard said Thursday that statement stands. NOT REAL: Trump Removes Muslim Federal Judge For Trying To Implement Sharia Law In America THE FACTS: President Donald Trump didn't use an executive order to remove a Muslim federal judge for trying to implement Sharia law in the United States, despite the claims of a story shared online. That's because there is no federal justice by the name of Hansam al Alallawalahi-Smith and there is no such body as the 22nd Circuit Court of Appeals in Dearborn, Michigan, as the identically worded articles on the floxyupdates and us-leader sites alleged. Also, presidents cannot remove judges from office with executive orders. The Constitution requires impeachment to remove a federal judge. The story is similar to ones previously circulated on social media about the nonexistent judge. The latest sites that published them couldn't be reached for comment, as they offered no contact information and registered their pages through third-party services. This is part of The Associated Press' ongoing effort to fact-check misinformation that is shared widely online, including work with Facebook to identify and reduce the circulation of false stories on the platform. Source
  2. A poisoning outbreak traced to synthetic cannabinoids sickened at least 52 people in Utah and sent 31 to the emergency room this past winter, reveals a new report released Thursday by the Centers for Disease Control and Prevention. But unlike other recent outbreaks, the victims weren’t trying to buy synthetic weed: They had bought what they thought was cannabis oil that only contained cannabidiol (CBD), the non-psychoactive ingredient of weed. And many had purchased these products from traditional smoke shops. More than 50 people got sick after taking products falsely advertised to be made of CBD oil. The real stuff is seen being processed from hemp above. Around the beginning of last December, according to the CDC report, the Utah Poison Control Center came across five cases of people visiting the ER with symptoms of seizures, confusion, and hallucinations. Just before the symptoms began, the patients had all taken a product marketed to contain CBD. Products that contain only CBD are created to not have the psychoactive effects commonly associated with THC. Eventually, state and federal health and law enforcement officials formed a task force that found at least 52 similar cases had occurred within the state from October 2017 to the end of January 2018. CBD is thought by some to help treat certain conditions, such as pain and depression (though evidence to support many of these claims is lacking). This April, a committee of outside experts assembled by the Food and Drug Administration unanimously voted to approve the first CBD-based drug to treat certain epileptic seizures. While CBD use can cause some unpleasant side effects, like nausea, it doesn’t cause the sort of symptoms doctors were seeing. Eventually, lab testing of the products the patients had used found no traces of CBD, but they did find 4-cyano CUMYL-BUTINACA (4-CCB), a synthetic cannabinoid meant to mimic the effects of THC. Of the nine products that tested positive for 4-CCB, eight were branded “Yolo CBD oil.” But the products had no labels indicating who had manufactured them or even what ingredients they was supposed to contain. Four of the five patients whose blood was tested also had 4-CCB in their systems, as did an unopened CBD product purchased by the task force from the same store and brand a patient had bought. “Synthetic cannabinoids, such as 4-CCB, act on the same receptors as THC, but the effects of synthetic cannabinoids can be unpredictable and severe or even life-threatening,” lead author Roberta Horth, an officer with the CDC’s Epidemic Intelligence Service, told Gizmodo via email. “Based on reported side effects of 4-CCB in case-patients, they appear to be more severe than THC. Fatalities following use of 4-CCB have been reported in Europe.” In interviews with the victims, all of whom survived, 33 said they had used Yolo-brand oil. Thirty-four people also said they had bought their product from a smoke shop, while eight said they had gotten it from a friend. Thirty-five said they bought it for recreational use, while 15 said it was for medicinal use. And 38 people used the oil by vaping it, while another nine placed it under the tongue. While the outbreak of CBD poisoning seems to have ended, the CDC officials warn there’s little preventing from it happening again, thanks to lax regulations in how the products are produced or tracked after they reach store shelves. “Because CBD is illegal at the federal level there is no regulation of product quality at that level. Some states allow for the sale and possession of CBD; however, regulation differs in each jurisdiction,” Horth said. “Products being sold in Utah at the moment are not done so legally so there is no way to ensure that these products are safe.” As a result, up to a third of CBD product might be incorrectly labeled, Horth added, referencing a 2017 study in JAMA. CBD products aren’t legal to sell in Utah, making government regulation impossible. But Horth noted that the state’s senate has passed a bill that would allow these products to be sold legally under a new framework. And last December, 4-CCB was also temporarily added to the list of controlled substances via emergency powers invoked by Hawaii law enforcement officials following several seizures linked to the product that same month. At the moment, it’s thought the 4-CCB was intentionally used as a replacement for CBD in these products, and the investigation to track down where it came from is still ongoing, Horth said. While some stores have voluntarily pulled their stock of Yolo-branded oils, the threat of more cases is real. “It is possible that other products could contain 4-CCB or other dangerous synthetic cannabinoids,” she said. Source
  3. The exploit is one of the largest-scale malware deliveries to be identified by MailGuard within the past year Emails purporting to be from the Australian corporate regulator and loaded with malware are filling inboxes around the country, according to local email filtering company, MailGuard. The attack began just after the start of the working day on 10 July and quickly escalated to become one of the largest-scale malware deliveries to be identified by MailGuard within the past year. The exploit, which is delivered via an email pretending to be from the Australian Securities and Investments Commission (ASIC), tells recipients that their business name is due for renewal, directing them to click on a link to download a renewal notice. However, the link downloads a .zip archive file, which contains a malicious JavaScript file. “While the exact type of malware isn’t clear – it could be anything from a virus to ransomware – the point of it is to disrupt, damage or gain control of a computer system or data,” MailGuard CEO, Craig McDonald, said in a statement. MailGuard has outlined a number of telltale signs that potential targets can use to identify the dodgy email. A sample of the dodgy email (MailGuard) First, the email appears to be from ‘ASIC Messaging Service’, and is sent from the domain ASIC.Transaction.No-reply @ asicdesk. com [altered] – the domain was recently registered in China. The subject line of the email is “Renewal”, while the well-formatted message contains ASIC branding and government coat of arms. It stands out, however, due to a lack of personalisation, simply addressing the recipient as “Dear customer”. This is something legitimate agencies don’t do, according to MailGuard. The email also provides details on how to renew a business name, telling recipients they can pay for the fake renewal with their credit card or by requesting an invoice. “The payment tips are just part of the scam; the cybercriminals want victims to download the malicious attachment rather than to open their wallets,” McDonald said. Finally, the suspect email is signed off by “Myra Tango, Senior Executive Leader, Registry”. No employee by that name appears to exist at ASIC, according to MailGuard. The file name to watch out for (MailGuard) This is not the first time ASIC has been used as a false identity for malware-laden emails, with similar scams landing in January, March and May. The new wave of malware comes just days after MailGuard released details of another email scam targeting Microsoft Windows users. In that scam, the sender pretends to be forwarding a document from the Australian Taxation Office (ATO) supposedly intended for the end victim. The sender claims to have mistakenly received the victim’s tax information and asks what should be done to solve the problem. By asking the recipients if they received a particular document with a link to the document in question, it lures the person into clicking on a link to a document loaded with malware. Article source
  4. Fake website : http://шһатѕарр.com/?colors Actual site it redirects to : http://blackwhats.site/ Archive.is link : http://archive.is/9gK5Y Screenshots when you visit the website in smartphone : http://imgur.com/a/UsKue User gets the message saying whatsapp is now available with different colors " I love the new colors for whatsapp http://шһатѕарр.com/?colors " When you click the fake whatsapp.com url in mobile, the user is made to share the link to multiple groups for human verification. once your done sharing you are made to install adware apps, after you have installed the adware the website says the whatsapp color is available only in whatsapp web and makes you install an extention. Fake whatsapp extention : https://chrome.google.com/webstore/detail/blackwhats/apkecfhccjhdmicfliebkdekbkoioiaj these fake sites and spam messages are always circulating in whatsapp. Source Fake WhatsApp.com URL gets users to install adware Next time someone links you to whatsapp.com, make sure you take a second look. There’s some adware currently circulating around the web by tricking users to visit a ‘шһатѕарр.com’ domain instead. Yes, those are different URLs – the fake URL uses characters from the Cyrillic alphabet. As spotted by redditor u/yuexist, the site promises to let you install WhatsApp in different colors – I mean, everyone likes color options, right? If you visit the link, you’re asked to share the site with your friends for ‘verification.’ Your friends then receive a message saying “I love the new colors for whatsapp’ along with the fake URL. Once you’ve ‘verified’ yourself, you’re then told that WhatsApp’s colors can only be accessed on a desktop, and are asked to install an extension from the real Chrome Web Store called BlackWhats (still, click at your own risk). All this should send about 27,531 red flags to anyone remotely tech savvy, but there are plenty of WhatsApp users who don’t spend their time on tech blogs and might fall for it – the fake URL is certainly convincing enough at first glance. The extension itself has over 16,000 users and a 4 star rating from 55 ratings, though there are only 3 text reviews – it’s hard to tell if these ratings are somehow fake. We’ve reached out to Google to alert them about the adware. And as always, make sure to double check URLs on any unexpected links you may receive. Update: Google has removed this extension from the Chrome Web Store. Good riddance. Article source
  5. Yesterday, Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, wrote a blog article discussing how the EITest Chrome Font Update campaign is now distributing the Spora Ransomware. Previously, ProofPoint researcher Kafeine discovered this attack chain distributing the Fleercivet Ad Clicking Trojan, but with the popularity and successful revenue generation of ransomware, it is not surprising to see malware distributors testing this type of infection as well. As Spora diverges from most ransomware with the offering of a menu of different payment options, this could allow for a greater volume of payments compared to ransomware that only use a single large ransom option. As I am concerned that many people will be tricked by this attack and become infected with Spora, I wanted to provide a description as to how this attack works so people can recognize and avoid it. How the Chrome Font Pack Update Attack Works In order to protect yourself from the current EITest Chrome Font Update attack, it is necessary to understand how the attack works. In order to implement this attack chain, the EITest actors first hack legitimate web sites and add javascript code to the end of the page. This code will cause the page to look like gibberish and then display a popup alert stating that Chrome needs a "Chrome Font Pack" in order to see the page properly again. An example of how this code looks in the source can be seen below. Injected Javascript Source: malware-traffic-analysis.net When a visitor goes to this page, the script will scramble the text of the page so its not readable and then display a pop-up alert that states the page is not displaying properly because the "HoeflerText" font is missing. It then prompts you to click on the Update button in order to download the "Chrome Font Pack" as seen below. Fake Google Font Pack Prompt Source: malware-traffic-analysis.net When a user clicks on the Update button, the popup will automatically download a file called Update.exe and save it to the default download folder. The criminals will then show you a "helpful" screen that tells you how you can find and execute the program. Instructions on how to Execute the Update.Exe Program Source: malware-traffic-analysis.net The good news is this downloaded program is not automatically started and a victim must manually execute the program to become infected. The EITest gang are hoping that by pretending it is a Google Font for Chrome, they can trick people into actually running the file. Once a victim actually double-clicks and executes the file, the crap hits the fan and the computer becomes infected. In the previous Chrome Pack campaign, the Update.exe was called Chrome_Font.exe and would install the Ad Clicking Trojan called Fleercivet. In this round, EITest has changed the filename to Update.exe, which is actually the installer for the Spora Ransomware. Once this executable is launched, Spora will begin to encrypt a victim's data and most data files will become encrypted and unusable. When finished encrypting a victim's files, Spora will display a ransom note similar to this one, where a victim can login to the Spora payment site and determine the ransom amount or make payments. Spora Ransom Note Unfortunately, at this time there is no way to decrypt the files encrypted by Spora Ransomware for free. For those who need help with this infection or just want to discuss it, you can use the dedicated Spora Ransomware Support and Help Topic. What everyone should take away from this is that if you see a popup on a page stating that you need to download a Chrome Font Pack, you should immediately close the browser and not visit the site again. An alert like this is just an indication that something is not right with the site and it should be avoided. Sample of Update.exe: https://www.virustotal.com/en/file/d5a1c143b07475b367d2e12ff72fe5a3ec59c42fa11ae2d3eb2d4e76442e60b3/analysis/ Article source
  6. In a massive crackdown, police and law enforcement agencies across Europe have seized more than 4,500 website domains trading in counterfeit goods, often via social networks, officials said on Monday. The operation came as Europol, Europe's police agency, unveiled its newest campaign dubbed "Don't F***(AKE) Up" to stop scam websites selling fake brand names online. "The internet has become an essential channel for e-commerce. Its instant global reach and anonymity make it possible to sell nearly anything to anyone at any time," Europol said. "Counterfeiters know it and are increasingly exploiting the unlimited opportunities" the internet offers. But Europol warned that "despite these products looking like a bargain, they can pose serious risks to the health and safety of buyers." In the crackdown, agencies from 27 countries mostly in Europe but including from the US and Canada, joined forces to shut down over 4,500 websites. They were selling everything from "luxury goods, sportswear, spare parts, electronics, pharmaceuticals, toiletries and other fake products," Europol said in a statement, without saying how long the crackdown took. An annual operation run in collaboration with the US Immigration and Customs Enforcement and Homeland Security, there was "a significant increase in the number of seized domain names compared to last year," said Europol director Rob Wainwright. Spotting the fakes As part of the crackdown, Dutch anti-fraud police arrested 12 people across The Netherlands over the past two weeks as they searched homes and warehouses. Most of the raids were prompted by online sales of counterfeit goods on social networking sites such as Facebook and Instagram. "This is a relatively new phenomenon in the trade in counterfeit brand names," the Dutch Fiscal Information and Investigation Service (FIOD) said in a statement. More than 3,500 items of clothing and fake luxury goods were seized in Holland, including shoes, bags and perfumes purporting to be such brands as Nike, Adidas, and Kenzo, with a market value of tens of thousands euros. Publishing a guide on how to spot fake websites and social media scams, Europol warned consumers had to be on their guard. "When shopping online, you are more likely to fall victim to counterfeiters," it said as "without the physical product to look at and feel, it can be more difficult for you to spot the differences." It also warned that by using illicit websites online shoppers "are exposing your computer or mobile device to cyber-attacks like phishing or malware." Article source
  7. Fake Flash Player update sites have long been a favorite distribution method for adware and other unwanted programs. Today, a fake Flash update site was discovered by ExecuteMalware that is pushing the Locky ransomware. When someone visits the site they will be presented with a page that states that Flash Player is out of date and then automatically downloads an executable. If you look carefully at the URL in the browser's address you can see that the domain of fleshupdate.com does not seem to be spelled right. Fake Flash Update Web Page The executable automatically downloaded by this site is named FlashPlayer.exe and includes a flash player icon as seen below. Flash Icon in Downloaded File If you look at the properties of this file, though, things start to look strange. Locky Installer Properties Ultimately, if a user runs this program thinking that Flash will be updated they will be in for a big surprise. Instead of a flash player update, they will ultimately be shown a Locky ransom note when the ransomware has finished encrypting the victim's files. Locky Ransom Note The LockyDump information for the variant I tested is below. MalwareHunterTeam also saw a sample using an affiliate ID of 19, which as far as we know has not been previously seen. Verbose: 0 The file is a PE EXE affilID: 13 Seed: 9841 Delay: 30 Persist Svchost: 0 Persist Registry: 0 Ignore Russian Machines: 1 CallbackPath: /message.php C2Servers: 85.143.212.23,185.82.217.29,107.181.174.34 RsaKeyID: 85D RsaKeySizeBytes: 114 Key Alg: A400 Key: RSA1 Key Bits: 2048 Key Exponent: 10001 As you can see, it is not only attachments and exploit kits pushing ransomware. Everyone needs to be vigilant and careful when browsing the web. Furthermore, program updates should only be downloaded from their main product sites rather than 3rd party sites where you have no idea what you are installing. Article source
  8. Running Registry cleaners generally makes us nervous, as they're far more likely to remove some important setting than make any measurable difference to your system speed. Most developers try to address this by building real intelligence into their code, but "Clean PC Smart" takes a different route: despite listing thousands of "issues" and claiming to fix them, it never deletes anything at all. We first noticed the program in October, when it quickly raised concerns: new product, new website, unknown developer, no reviews, no clarity at all about the program license or functions. Other major review sites didn't seem to be concerned and listed the program immediately, but we decided to investigate a little further. We started by using Sysinternals Process Monitor to track what the program did during installation and its first run, and noticed that it buried its settings under a Microsoft key, where they'd be very difficult to spot: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\SecurityXX". Network capture tool Colasoft Capsa showed how Clean PC Smart attempted to compromise our privacy on its first launch by obtaining our IP address, computer name and network adapter's MAC address, then uploading them to its own server. The program starts its "scan" immediately, and quickly delivered an almost useless report: "Registry Cleaner" listed thousands of legitimate keys, "Windows Startup" contained only four items from a single Registry key (even Task Manager listed 21), the "Browser Add-Ons" page actually referred to internet history files, the "Task Manager" section was a static list of running processes, and so on. We asked Clean PC Smart to "fix" these issues anyway, and ran more scans. Most maintenance programs will find more "issues" immediately, either because they were unable to delete everything they found last time, or removing Registry keys has created more inconsistencies, but Clean PC Smart claimed there were now no problems at all. Suspicious, so we used Sysinternals Process Monitor to watch what Clean PC Smart was doing during its Registry scanning and cleaning, and found it was just reading the same keys, over, and over, and over again. Even when it was supposedly "fixing" these "issues", nothing was ever deleted. As Clean PC Smart is a .NET program, we tried opening it in DnSpy, a .NET decompiler. This allowed us to follow the logic of the program's code, and see exactly what it was doing. The secret turned out to be childishly simple. The program was writing the date it scanned a particular area of the Registry, such as your shared DLLs. When you ran a scan later, it checked how many days had elapsed since your last check, and if this was more than a fixed figure -- 15 for shared DLLs, 25 for services etc -- it added the keys in that section to the list. The end result is the problem count would increase over time, sort-of simulating real life, but none of them represented any real issue on your PC. If you decided to "fix" these "issues", there was more fake activity to make it look like something was happening. But all that really mattered is the program updating its last scan dates, so if you ran a check immediately afterwards you'd get a "no issues found" message. This all seemed clear enough in the code, but we verified it manually, too. Running the program on our test PC initially displayed 9,828 Registry issues; we clicked Fix, scanned again and no issues were found. We then deleted the "HKEY_CURRENT_USER\SOFTWARE\Microsoft\SecurityXX" key with Clean PC Smart’s "last scan" dates, ran the program, and it reported the same 9,828 Registry issues it had supposedly just "fixed". What’s the point of this pretense? There might be a clue in the toll-free technical support number highlighted in the interface. Googling for that number found assorted websites recommending we call it to fix problems with printers, viruses, driver updates and more. Searching for the developer’s name, "TEK PC Solutions", led us to a Better Business Bureau complaint and a Facebook review which indicated just how expensive these calls might be. We don't know the whole story about these issues -- and there are also many more positive reviews -- but whatever the truth, "Clean PC Smart" is best avoided. Apart from being technically inept, it stays running when the main window is closed, we noticed other code to display pop-up messages and (possibly) fake virus alerts, and there may well be more sinister features we've missed. On the investigation front, if you've any knowledge of coding -- even basic VBScript -- then DnSpy is a great tool for helping you understand what a .NET program is doing. Check it out. Article source
  9. Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees. They said the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV (AVG.N), Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs. Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said. "Eugene considered this stealing," said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation. Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives. "Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," Kaspersky said in a statement to Reuters. "Such actions are unethical, dishonest and their legality is at least questionable." Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them. The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran's nuclear program in 2009 and 2010. The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky's selection of competitors to sabotage. "It was decided to provide some problems" for rivals, said one ex-employee. "It is not only damaging for a competing company but also damaging for users' computers." The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects. Their chief task was to reverse-engineer competitors' virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said. The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said. They licensed each other's virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google Inc's (GOOGL.O) VirusTotal. By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other's work instead of finding bad files on their own. Kaspersky Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent. In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies. Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky's lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010. When Kaspersky's complaints did not lead to significant change, the former employees said, it stepped up the sabotage. INJECTING BAD CODE In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal. Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well. VirusTotal had no immediate comment. In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an "unknown third party" manipulated Kaspersky into misclassifying files from Tencent (0700.HK), Mail.ru (MAILRq.L) and the Steam gaming platform as malicious. The extent of the damage from such attacks is hard to assess because antivirus software can throw off false positives for a variety of reasons, and many incidents get caught after a small number of customers are affected, security executives said. The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company's lead in detecting malicious files. They declined to give a detailed account of any specific attack. Microsoft's antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in "quarantine." Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well. Over the next few months, Batchelder's team found hundreds, and eventually thousands, of good files that had been altered to look bad. Batchelder told his staff not to try to identify the culprit. "It doesn't really matter who it was," he said. "All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed." In a subsequent interview on Wednesday, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack. As word spread in the security industry about the induced false positives found by Microsoft, other companies said they tried to figure out what went wrong in their own systems and what to do differently, but no one identified those responsible. At Avast, a largely free antivirus software maker with the biggest market share in many European and South American countries, employees found a large range of doctored network drivers, duplicated for different language versions. Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and "wanted to have some fun" at the industry's expense. He did not respond to a request on Thursday for comment on the allegation that Kaspersky had induced false positives. WAVES OF ATTACKS The former employees said Kaspersky Lab manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013. It is not clear if the attacks have ended, though security executives say false positives are much less of a problem today. That is in part because security companies have grown less likely to accept a competitor's determinations as gospel and are spending more to weed out false positives. AVG's former chief technology officer, Yuval Ben-Itzhak, said the company suffered from troves of bad samples that stopped after it set up special filters to screen for them and improved its detection engine. "There were several waves of these samples, usually four times per year. This crippled-sample generation lasted for about four years. The last wave was received at the beginning of the year 2013," he told Reuters in April. AVG's chief strategy officer, Todd Simpson, declined to comment on Wednesday. Kaspersky said it had also improved its algorithms to defend against false virus samples. It added that it believed no antivirus company conducted the attacks "as it would have a very bad effect on the whole industry." "Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted," Kaspersky said. Article source
  10. 50 incidents detected, 25 since September 2015 Speaking at the North American Network Operators Group’s NANOG 67 conference, Leslie Noble, Senior Director of Global Registry Knowledge at the American Registry for Internet Numbers (ARIN) revealed the lengths to which crooks go to get their hands on brand new IPv4 addresses. Last September, ARIN announced it depleted its IPv4 address pool, meaning there were no new IPv4 addresses to be assigned to companies that needed their own IP. Ever since then, ARIN has set up a waiting list for businesses willing to wait for the moment when a company returns unused IPv4 addresses, or ARIN strips addresses from offending ASNs. Crooks register old domain names, create fake companies According to Noble, some crooks aren't willing to wait and are impersonating so-called legacy networks. These legacy networks are companies or institutions that at one point requested and received an IPv4 address pool from ARIN, but failed to provide contact details. ARIN says it currently knows of over 14,000 legacy networks. Of these, some IPv4 pools are bound to belong to companies that have seized to exist. Crooks are leveraging these odd cases. Noble says they're scanning the IPv4 address pool and looking for the networks' contact information. If they don't find any, they try to impersonate the defunct company by re-registering old business names or expired domain names. There's a black market for IPv4 addresses They then get in contact with ARIN to register their own contact information, and once in possession of the IPv4 pool, they move on to sell it to other companies. Noble said they uncovered 50 IPv4 address pool hijacking incidents like these between 2005 and 2015, but 25 happened since ARIN announced last September it ran out of IPv4 address space. In another scenario, Noble also describes fraudsters that set up shell companies, and then legally apply to ARIN for IPv4 addresses. They quietly wait in line, and when they're assigned the requested IPv4 address pool, they immediately sell it on the Dark market. For more details, we defer to Noble's NANOG 67 presentation. The part you're interested in is right at the beginning. Play video: Article source
  11. straycat19

    Fake ZippyShare Site

    I was searching for a file that was on zippyshare that was part of a split rar and found it in google but when I brought it up I glanced at the url and even though the page was an exact duplicate of a ZippyShare page the url was ZippyShade.com The download link also pointed to that url Site: http://zippyshade.com Sharecode[?]: /v/download.php?id=UOCJzaLZ All the other data on the page is identical to what the actual pages for the other parts look like including name, file size and dates. A whois search showed the following information (the real zippyshare is registered on tucows) Domain Name: zippyshade.com Registry Domain ID: 2007248561_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.godaddy.com Update Date: 2016-02-28T16:17:42Z Creation Date: 2016-02-28T16:17:42Z Registrar Registration Expiration Date: 2017-02-28T16:17:42Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited Registry Registrant ID: Not Available From Registry Registrant Name: Sebastian Aviles Registrant Organization: Tatusea.com Registrant Street: Bvard Ayacucho 531 Registrant City: Viedma Registrant State/Province: Rio black person Registrant Postal Code: 8500 Registrant Country: AR Registrant Phone: +54.2920410519 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: [email protected] Registry Admin ID: Not Available From Registry Admin Name: Sebastian Aviles Admin Organization: Tatusea.com Admin Street: Bvard Ayacucho 531 Admin City: Viedma Admin State/Province: Rio black person Admin Postal Code: 8500 Admin Country: AR Admin Phone: +54.2920410519 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: [email protected] Registry Tech ID: Not Available From Registry Tech Name: Sebastian Aviles Tech Organization: Tatusea.com Tech Street: Bvard Ayacucho 531 Tech City: Viedma Tech State/Province: Rio black person Tech Postal Code: 8500 Tech Country: AR Tech Phone: +54.2920410519 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: [email protected] Name Server: VPS151839.OVH.NET Name Server: SDNS2.OVH.NET DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2016-06-17T04:00:00Z <<<
  12. Drupal sites locked with new strain of Web ransomware One of the "locked" Drupal sites Unknown attackers are leveraging a two-year-old vulnerability in Drupal installations to break into sites and install Web-based ransomware that hijacks the website's main page but fails to encrypt any files. The first victims recorded complaining about this new strain of ransomware appeared in late March, on the official Drupal forums. Site admins were describing their websites as "being locked" with a message that read: A quick Google search for the Bitcoin address reveals that most websites are running on the Drupal CMS platform. Information provided to Softpedia by Stu Gorton, CEO and Co-Founder of Forkbombus Labs, shows that the first infections started appearing on March 11 but really picked up speed after March 18. Attackers using SQL injection flaw to get in Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites for the presence of /CHANGELOG.txt (Drupal CMS specific file) and /joomla.xml files. The attacker's scanning bot extracts the Drupal site's version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and eventually change the admin user's password. CVE-2014-3704 is an SQL injection vulnerability that affects Drupal 7.x installations prior to version 7.32. Even if the bot scans for the joomla.xml file, there are no reports of infected Joomla sites, and Mr. Gorton told Softpedia the threat actor removed Joomla scanning at a later stage. Ransomware is actually "fauxsomeware" Mr. Gorton also informed Softpedia that once the threat actor gains control of the site with the help of the SQL injection, automated operations set up a new page on the Drupal site that contains a file upload form. The crook's bot then uses this form to upload various scripts that extract emails from the Drupal database and make them available in "/sites/default/files/" as downloadable files. The .htaccess in this folder is also deleted, so the attacker can access the page and download the files. After this ends, the last uploaded file is a binary file written in the Go programming language, which is the actual ransomware. This Go binary deletes the file upload form and replaces it with the ransom note seen above. "It should be clear that this is fauxsomeware, rather than ransomware, as nothing is encrypted or truly locked," Mr. Gorton told Softpedia. "Simply, the content of the available nodes are replaced with the new message. It appears however the bot has trouble replacing the information on nodes with atypical formats, as several compromises we've witnessed still have a large portion of their data intact." Mr. Gorton also noted the existence of a C&C server infrastructure behind these attacks on Drupal sites, but the company is still investigating its mode of operation. Around 400 sites were infected, nobody paid the ransom Approximately 400 websites seem to be infected with this ransomware at the time of writing. The Bitcoin address used for the ransom has no transactions recorded, meaning nobody has paid the ransom as of this time. The same thing happened earlier this year with CTB-Locker and KimcilWare, two ransomware variants also targeting websites. Even if these two threats encrypted the site's files, admins never paid the ransom because even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site. As for this Drupal-targeting ransomware, this looks to be another attempt at developing ransomware for the Web that has failed as miserably as CTB-Locker and KimcilWare. And to be fair, just by looking through the few Drupal sites hit by this ransomware, they all seem to have been abandoned by their creators, so no real harm has been done. If you remember installing a Drupal CMS lately, make sure to either upgrade it or delete it if it has no purpose or just an older test site. Article source
  13. "Fifty Cent Party" mostly government employees, study finds Goal said to be to divert public away from sensitive issues China’s government fabricates about 488 million social media comments a year -- nearly the same as one day of Twitter’s total global volume -- in a massive effort to distract its citizens from bad news and sensitive political debates, according to a study. Three scholars led by Gary King, a political scientist at Harvard University who specializes in using quantitative data to analyze public policy, ran the first systematic study of China’s online propaganda workers, known as the Fifty Cent Party because they are popularly believed to be paid by the government 50 Chinese cents for every social media post. Contrary to popular perception inside China, the Fifty Cent Party avoids engaging in debates with critics and doesn’t make fun of foreign governments. Instead, it mostly works to distract public attention away from hot topics by highlighting the positive, cheering the state, symbols of the regime, or the Communist Party’s revolutionary past. "In retrospect, this makes a lot of sense -- stopping an argument is best done by distraction and changing the subject rather than more argument -- but this had previously been unknown,” King said in an e-mail. Although those who post comments are often rumored to be ordinary citizens, the researchers were surprised to find that nearly all the posts were written by workers at government agencies including tax and human resource departments, and at courts. The researchers said they found no evidence that people were paid for the posts, adding the work was probably part of the employees’ job responsibilities. Fifty Cent Party is a derogatory term since it implies people are bought off cheaply. About half of the positive messages appear on government websites, and the rest are injected into the 80 billion social media posts that enter China’s Internet. That means one of every 178 social media posts on China’s micro blogs is made up by the government, the researchers said. The sites affected include those run by Tencent Holdings Ltd., Sina Corp. and Baidu Inc. The team based their findings on leaked archives of 2013 and 2014 e-mails from the Internet Propaganda Office of Zhanggong, a county-level district of nearly half a million people in Ganzhou City, in Jiangxi, a province in southeast China. The archive included a mix of multiple e-mail formats, programs and attachments that required King and his team to build customized computer code to crack the archive and deploy automated text analysis and extraction. They pulled out 2,341 e-mails of which more than half contained a Fifty Cent post, totaling 43,797 posts that formed a benchmark for identifying other propaganda posts. They were able to identify Fifty Centers by cross referencing names from leaked e-mails with online social media profiles. They found the name, contact information, and even photographs of many of the authors but chose not to disclose them because it didn’t serve an academic purpose, they said. The timing of the posts showed coordinated control. Typically, the Fifty Cent Party workers would go into action right after some kind of social unrest or protest and try to distract public opinion with a wave of social media that researchers said was “interesting, but innocuous and unrelated topic.” For example, they found 1,100 posts touting the China Dream, local economic development following the July 2013 riots in Xinjiang, or pegged to senior politicians’ gatherings in Beijing. “Many revolutionary martyrs fought bravely to create the blessed life we have today! Respect to these heroes,” read one post cited in the study. People also criticized the West and drew favorable comparisons to China. “On one hand, the US publicly asserts that if China does not perish the West will wither; on the other it tells the Chinese people: your government is problematic, you have to overthrow it so you can live better lives than you do today. I can ask, is there a more ridiculous and contradictory logic than this?” another poster wrote. After analyzing the database they created from the leaked accounts, researchers used machine learning to find other Fifty Cent posts in other parts of China. Volunteers in China set up Weibo micro blog accounts to try to contact Fifty Centers to verify if they worked for the government. “Of course, the difficulties of interpreting these answers is complicated by the fact that our survey respondents are conducting surreptitious operations on behalf of the Chinese government designed to fool users of social media into thinking that they are ordinary citizens,” the researchers said in their paper, “and we are asking them about this very activity.” They researchers said they deduced the rules for the messages: First, don’t engage in controversial issues. Second, stop discussion about potential collective or street protests by active distraction. Allowing some dissent serves the purpose of letting the regime gauge public opinion on local leaders, they concluded, while complete censorship only serves to stir up anger. “The main threat perceived by the Chinese regime in the modern era is not military attacks from foreign enemies but rather uprisings from their own people,” they said. Revealing a paternalistic approach, the guiding policy of China’s Fifty Cent Party appears to be that distraction is better than conflict. “Letting an argument die, or changing the subject, usually works much better than picking an argument and getting someone’s back up (as new parents recognize fast),” they wrote. The Source
  14. Users on the Dutch Tweakers Forums report that a Groupon seller sold fake Sandisk MicroSD cards. The cards work and have the advertised capacity but their maximum transfer speed is much slower than the speeds specified on the packaging. The fake Sandisk MicroSD cards were sold by UK seller Connectronics who according to the Groupon page sold more than 1000 items. The cards were available in capacities of 8GB, 16GB, 32GB, 64GB and 128GB and sold at €7.99 / ($9), €11.99 ($13.50), € 13.99 ($15.85), €24.99 ($28.30) and €49.99 ($56.70) respectively. Instead of the promised maximum 48MB/s transfer speed, users report a maximum transfer speed of 25 MB/s which is about 50% slower. At first sight the packaging looks legit but users report spelling errors on the back and the picture of the phone on the front-image isn’t sharp. Sandisk also confirmed to the users that the cards are fake based on the serial printed on the packaging and other characteristics. The seller of the fake memory cards so far denied they are fake and still sells them, Groupon has stated it needs up to 10 days to come up with a solution. It’s apparently not the first time fake Sandisk memory cards are sold. According to the website The Counterfeit Report, about 33% of all memory card on the market are fake of which the majority is sold on Ebay. The website also lists method of separating fake cards from legit ones. Besides Sandisk also Samsung, Kingston, Toshiba and Transcend counterfeit SD cards have been spotted. While the Sandisk MicroSD cards from this report appear to work and have the advertised capacity, this isn’t always the case. Some simply don’t work, only have a small part of the advertised capacity available or contain many read errors. Article source
  15. When it comes to passwords, one piece of advice we give our readers is to use password managers / vaults to help them maintain, keep track of, and store away account logins that are impossible to recall by memory on a daily basis – for example, Dashline, Keychain, 1Password, and LastPass. We also advise our readers to download directly from the official websites of these password managers or from highly trusted third-party app markets, such as Google Play, the App Store, and the Chrome Web Store. But even legitimate sites can harbour fake apps, and we’ve seen this happen time and time again. As such, extra care is needed more than ever in weeding out the real ones from the knock-offs. This post is to remind our readers to keep a sharp eye on apps that claim to be the real thing but are actually rogue versions of those they’re imitating. Recently, we spotted one such app claiming to be LastPass on the Chrome Web Store: Those with trained eyes can tell that something is already off upon looking at this page. Firstly, this LastPass app seem to rate poorly even if it’s one of the most sought after and popular password vaults on the Web. Secondly, the supposed named developer, AdGetBlock, seem to be the wrong brand to offer such a product. In case you’re not aware, the real LastPass app is being offered by “lastpass.com” on the Chrome Web Store. We downloaded and installed the fake LastPass app on Chrome on one of our test machines, and the popup notification states that the app wants to “Display Notifications”. Once done, we clicked the icon on Chrome’s app page expecting it to execute malicious code, but instead it redirected us to a page on the website: appforchrome[DOT]com Website redirection is the main purpose of this fake LastPass app. That may be the least straightforward way of doing things, but at the very least we can see that this tactic works. Moving on, the working download link on the page is the text “Download App”. Hitting that directed us to this page: Of course, like most questionable sites, the genuine link can easily be missed in amongst the wealth of download button adverts (in the above case, the link is directly above the central green “Start Download” advert). Be reminded that this is the kind of deceptive ad placing that Google has been clamping down from the early months of 2016. Since this download page is the only one that contains ads, we can surmise that this is also an attempt to cash in on clicks and page views. If users are able to spot the “Click here” link text, they can be assured that a legitimate copy of the LastPass executable is sitting on it. If users click at least two of the big green button ads instead, they are directed to Easy Doc Merge (or EasyDocMerge), an application distributed by Mindspark: Now, we’ve written about Mindspark in the past, and we can also link to other examples of installing unwanted toolbars and PUPs. Anyway, clicking the “Free Download” button triggers a prompt to download and install a browser app. Thankfully, Google has already removed the fake LastPass extension from the Chrome Web Store. As for the websites mentioned on this post, they are now being actively blocked by our product. In addition, our very own Pieter Arntz recently posted a removal guide for Easy Doc Merge that you can check out on this Malwarebytes forum post. Article source
  16. Hackers try different methods to hack your system and one of the common ways of hacking is by disguising malicious files with fake extensions. When you try to open that file, it will execute and can destroy your machine. Some of the ways used by hackers to hide viruses in files with fake extensions are discussed here. What is a Computer Virus? A computer virus is actually a computer program that gets installed in your system usually when you are browsing the Internet. These programs, when executed, infect your computer. Viruses can be used for many purposes. Hackers try to gain access to your computer to steal valuable information from your system like your passwords, bank account details, email account details etc. As a user, you should make sure you have antivirus software installed in your computer that can protect your system from virus attacks. Files with fake extensions are a favorite way of hackers to get you to download a virus. Who is a Hacker? A hacker is a person who tries to take control over your system and get confidential details about you from your system with the help of a virus that got installed in your computer. Hackers then misuse the data received from your system and try to benefit from the information, which creates issues for you. Different Ways Hackers Hide Viruses in Files with Fake Extensions By Unitrix method: Hackers use different methods to infect your computer with a virus. With the Unitrix method, a hacker uses special characters in the computer coding. These characters are Unicode, so they reverse the order of the file name characters. This method hides the dangerous file extensions in the middle of the filename and puts harmless file extensions towards the end of the filename. A common example of this type of method is: In “Song[U+202e]3pm.SCR,” the Unicode used by the hacker is U+202e. When you download this file, it will look like an ordinary mp3 file”Song.mp3”. By running this file, the virus will infect your system. It is advised that you keep an eye on the type of files you are downloading and download only from sites you trust so that you can protect your system from viruses in files with fake extensions. Hiding file extension with the help of Windows: Even though computer users all over the world know that it is not safe to run unwanted and untrusted .exe files on the system. However, when we get a .JPEG file or .GIF file, we always open it without worrying about virus attack. The main problem here is that Windows, by default, hides file extensions. That means the actual file name you are trying to open may be “Star.JPEG.exe,” but because of the property of Windows, you will be seeing only “Star.JPEG.” Most hackers use this method to hide viruses in files with fake extensions. Using the standard image icon method: Adding a common and standard image icon to the virus file is a way to attract a user to the file and make him open it. For example, the hacker may have a virus file “Flower.JPEG.exe.” The hacker will ensure that he gives a flower icon to the file. Windows, by default, hides the extension of the file. So, it will show the file as “Flower.JPEG.exe” with a flower icon. When a person sees this, he will be tempted to open the file to see the image, and when he does that, the virus will be uploaded into the system. Most hackers use this easy trick to infect computers with files with fake extensions. Conclusion You should always be extra careful when running programs and opening files from untrusted emails. By enabling the option to show file extensions, you can protect your system from files with fake extensions. Article source
  17. Experts have spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers to trick users into downloading shady software onto their devices. Johannes Ullrich, dean of research at the SANS Technology Institute, came across the campaign while analyzing Facebook clickbait scams. The attack starts with a popup window informing users that their Flash Player is outdated and instructing them to install an update. While it’s uncertain what triggers this popup, Ullrich believes it was likely injected by an advertisement on the page he was visiting. Users who click the “OK” button in the popup are taken to a webpage set up to serve a fake Flash Player installer that had been detected as malicious by only a handful of antiviruses on VirusTotal. The fake Flash Player installer is designed to mimic the legitimate application and is not blocked by Apple’s Gatekeeper security feature. The installer, signed with a valid Apple developer certificate issued to one Maksim Noskov, installs a genuine copy of the latest Flash Player and attempts to convince users to download applications apparently designed to resolve problems on the victim’s system. These applications are actually pieces of scareware that attempt to trick users into calling a “support” line where they can allegedly get instructions for addressing the so-called problems. The samples tested by Ullrich were clearly scareware because they claimed to have found serious problems on the system even though the tests were conducted on a clean installation of OS X 10.11. The expert has published a video showing the fake Flash Player installer and the scareware in action. Threats designed to target OS X are increasingly common and cybercriminals have been using all sorts of tricks to bypass security mechanisms. A malicious installer spotted last year by researchers exploited a then zero-day local privilege escalation vulnerability in OS X to install adware and other shady software. A newer version of the same installer was later observed using an old method to access the OS X Keychain. Symantec reported in December that the number of OS X systems infected with malware in the first nine months of 2015 was seven times higher than in all of 2014, despite a drop in the number of newly detected threats. Article source
  18. Google announced yesterday an addition to the company's Safe Browsing technology (Deceptive Site Ahead) that will flag sites with deceptive buttons to users of the company's Chrome web browser and in other programs that make use of Safe Browsing. Deceptive buttons, either in the form of advertisement displayed on a page or embedded directly on a page by the owner of the site, come in many forms. These buttons may display actions to download, update, install or play on a site they are displayed on, and are usually accompanied by a notification-type message that makes the action seem important. Basic examples are actions to install software to play media on a page, or download buttons that don't download the software hosted on the site but unrelated third-party offerings. Deceptive Site Ahead The new "deceptive site ahead" message appears in the Chrome web browser instead of web pages if Google considers the site to be "social engineering" due to the use of content that tries to deceive users who visit it. The message reads: A click on details displays an option to override the warning and continue to the site. Google mentions two specific scenarios in which sites may be flagged as deceptive: While some webmasters use these types of deceptive practices on purpose, others may be affected by it indirectly though advertisement displayed on their sites. Google has created a support page for webmasters that offers instructions on how to troubleshoot the issue and resolve it so that the "deceptive site ahead" warning notification is removed from the site. Webmasters whose site's were flagged for containing social engineering content may start the troubleshooting by opening the security issues report on Google Webmaster Tools. There they should find listed information such as sample urls that were flagged. The actual removal may be problematic, as webmasters need to find the source of the deceptive content and remove it. Afterwards, they need to request a review of the site which Google claims may take between two and three days to complete. Article source
  19. Last week, we reported on a post office email scam that was recently observed to be targeting PostNord customers with Cryptolocker2 ransomware. Our story noted that customers commonly fall for this type of scam because, by nature, they tend to trust institutions with which they are familiar. As a result, users were more than willing to click on a URL to arrange a pick-up time for an undelivered package from the local postal service, especially around the holidays. It would appear that attackers are once again exploiting this trust, albeit with a different institution as bait. Security firm Heimdal Security has spotted a spam campaign that is leveraging fake emails from the Internal Revenue Service (IRS) to drop two payloads onto victims’ computers: Kovter ransomware and CoreBot malware. According to a blog post written by Andra Zaharia of Heimdal, each fake email takes on the following format: From: [spoofed / fake return address] Subject Line: Payment for tax refund # 00 [6 random numbers] Attached: Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js The Javascript, known as “Nemucod” or “Swabfex”, ultimately loads up the first payload: Kovter. Back in January of this year, researchers at Cyphort Labs observed that both the Neutrino and Sweet Orange exploit kits were targeting visitors to The Huffington Post‘s website with Kovter ransomware as part of a malvertising campaign. Since then, Kovter has incorporated some of the tactics employed by Trojan.Poweliks that in part allow the malware to persist in an infected computer’s registry. These adaptations, among other things, have shifted Kovter in the direction of stealthier campaigns, including click-fraud activities, and away from something as blunt as ransomware. However, its authors can use the malware to hold victims’ computers for ransom whenever they choose. Kovter lockout screen (Source: Malware Don’t Need Coffee) Case in point, Heimdal notes in the IRS spam campaign that Kovter connects to three domains: “http:// ahmadhania [.]com”, “http:// hkcpafirm [.] com”, and “http:// martenmini [.] com”. From those locations, the malware retrieves a Win32PE masquerading as a “.gif” file. It then uses a “sleep mode” function built into mshta.exe to encrypt all data files found on the computer and available network drives. Finally, all of this data is harvested and sent to the attackers via a C&C server. The spam campaign is nearly complete. All that remains are the finishing touches added by CoreBot. Originally detected by IBM X-Force researchers back in August of this year, CoreBot is a modular malware that can be easily updated by attackers via a plugin system. This design makes CoreBot an adaptable threat capable of stealing passwords, grabbing forms, hooking into web browsers, harvesting credentials and performing man-in-the-middle (MiTM) attacks. It can also work in tandem with other forms of malware. Once Kovter successfully encrypts a victim’s data, CoreBot in the spam campaign observed by Heimdal forces a system shutdown, which completes the ransomware payload and saves it in obfuscated form to the registry. A system restart activates the payload, at which point in time the user is alerted to the fact that all of their information has been encrypted and that they must pay a ransom in Bitcoin to regain access. As of this writing, not one of the three Kovter domains identified above scored a detection rate of more than 4/66 on VirustTotal. That makes this spam campaign particularly dangerous. Users are therefore urged to avoid clicking on suspicious links in emails, to verify the senders of important electronic documents, and to keep a regular backup of their data. For information on how to protect against ransomware, please click here. Source
  20. In a sign that the internet is indeed the end of all good and rational thoughts, The Washington Post has thrown in the towel on its "What was fake on the Internet this week" column. In what it said would be its final column Friday, columnist Caitlin Dewey revealed that, as with many things online these days, the internet has out-crazied the crazy. "There is nothing – NOTHING – too crazy for the Internet hoax beat," she starts, before noting that when the column started a mere 82 weeks ago (can you even remember what the internet was like in 2014?) the online world was a rosy picture of urban legends and pranks. Absurd nonsense that was fun. "Light-hearted, silly things." Now, with the boom in social media, Facebook likes, and a general sense that society has given up altogether in even caring if something is true so long as it's shareable, there is no place for a column that says "this here is utter nonsense." Dewey points out that the enormous rise in fake news in the past year or so has come complete with a ready acceptance that it is fake. "Where debunking an Internet fake once involved some research, it's now often as simple as clicking around for an 'about' or 'disclaimer' page," she notes. Unpleasant What's worse is that fake news has taken on a much more unpleasant tone, with people creating fake news stories in order to reflect their own hatred and prejudices. Just this week, the seemingly accepted fact that the San Bernardino shooters had posted their devotion to the Islamic State in a public Facebook post moments before shooting 14 of their co-workers was revealed to have been a complete fallacy. And if it hadn't been the FBI saying as much, you can imagine that most people would have continued to believe it. Dewey references the "Casey Anthony found dismembered in truck" fake story. Anthony, if you don't remember, was the young woman who was acquitted of the murder of her two-year-old daughter despite what looked like suspicious behavior and her repeatedly changing her story (she was found guilty on four counts of providing false information and was sentenced to four years in jail). But there have been many, many other fake news stories, and Dewey reckons it's because they have become profitable. "Since early 2014, a series of Internet entrepreneurs have realized that not much drives traffic as effectively as stories that vindicate and/or inflame the biases of their readers. Where many once wrote celebrity death hoaxes or 'satires,' they now run entire, successful websites that do nothing but troll convenient minorities or exploit gross stereotypes." Some of these fake sites are truly unpleasant. Take Now8News which posts ridiculous, usually unpleasant news stories but often crosses the line from humor into conflating stereotypes and aggressively mocking people, complete with real mugshots of people. World News Daily Report is a slick site that purposefully treads a fine line between believable and outrageous. Its content is often xenophobic and racist. Like And then there is the speed with which news is spread though non-professional outlets – people's shared Facebook updates; retweets. Following the gun attack in Paris in November, an enormous number of seemingly true stories spread like wildfire. The Eiffel Tower was dimmed (no it wasn't); Donald Trump tweeted a tasteless comment about gun control (for once, he wasn't being offensive and was referring to the previous Paris attack); Uber's surge pricing never happened, and so on. There was so much of it that NPR ran a story on the fact there was so much false news. "Frankly, this column wasn't designed to address the current environment," says Dewey. "This format doesn't make sense." In short, there is too much fake news and so many people revel in producing it that the concept of debunking seems, in her words, "pointless." As one researcher who has looked into this phenomenon sadly recounted: "People who fall for hoax news stories are frequently only interested in consuming information that conforms with their views – even when it's demonstrably fake." Spread And so the "What was fake on the internet this week" column is no more. The bigger issue, though, may not actually be why the internet has become such a ready purveyor of knowingly false information dressed up as truth, but rather what impact that shift has had on us as a society. You need only tune into the campaign for the very few candidates that are vying for, and will become, the most powerful person on the planet – the President of the United States – to see that being wrong, provably wrong, and almost instantly provably wrong, appears to be less important than getting attention. In that sense, the small column pointing out fake news could be taken as a canary in the coal mine. Source
  21. A recent study by Japanese security software company Trend Micro has uncovered nearly 900,000 fake Android apps floating around in the wild, designed to fool users into downloading them before stealing user data and aggressively serving ads. The company cataloged the top 50 free Android apps in the Google Play Store, and then searched the same store to see if fake versions of the same apps were present. For 77% of the apps in the top 50, at least one fake version existed on the store, cleverly disguised to look and act like the real apps but loaded with malicious code. Even more concerning for Android users is the sheer volume of fake apps Trend Micro uncovered in a survey conducted in April. The company found 890,482 different fake apps spread throughout many app stores and online forums; more than half of the apps were malicious, 394,263 were malware, and 59,185 contained aggressive adware. While the Google Play Store only contained a selection of these fake applications, it was still possible for people with malicious intent to infiltrate the most popular Android app store. The most common type of fake app disguised itself as antivirus software, often asking users to approve a wide set of privileges beyond what would be necessary for actual antivirus software. Trend Micro highlighted in particular an app called 'Virus Shield', which was found on the Google Play Store with a 4.7-star rating, 10,000+ downloads and a price of $3.99. The app did absolutely nothing and was a complete scam, but it still managed to reach the top new paid apps section of the Store before Google removed it. The report from Trend Micro comes just as Google announced Project Zero, designed to find vulnerabilities in third-party software. JD Sherry, VP of technology and solutions at Trend Micro, thought this was particularly ironic considering the prevalence of fake apps in the Play Store. She strongly suggested Google "take aim" at their own stores as part of the project. Source
  22. Google has identified and blocked unauthorized digital certificates for a number of its domains issued by the National Informatics Centre (NIC) of India, a unit of India’s Ministry of Communications and Information Technology. National Informatics Center (NIC) holds several intermediate Certification Authority (CA) certs trusted by the Indian government’s top CA, Indian Controller of Certifying Authorities (India CCA), which are included in the Microsoft Root Store and so are trusted by a large number of applications running on Windows, including Internet Explorer and Chrome. The use of rogue digital certificates could result in a potentially serious security and privacy threat that could allow an attacker to spy on an encrypted communication between a user’s device and a secure HTTPS website, which is thought to be secure. Google became aware of the fake certificates last Wednesday on July 2 and within 24 hours, the Indian Controller of Certifying Authorities (India CCA) revoked all the NIC intermediate certificates and also issued a CRLSet to block the fraudulent certificates in Chrome. CRLSets enable Chrome to block certificates in an emergency. The search engine giant believes that no other root stores include the Indian CCA certificates, which means that Chrome on any other operating systems, Chrome OS, Android, iOS and OS X were not affected. “Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misused certificates for other sites may exist,” saidGoogle security engineer Adam Langley. Langley added that “Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.” It’s the second high-profile incident of a government agency caught issuing fake SSL certificates since December, when Google revoked trust for a digital certificate for several of its domains, mistakenly signed by a French government intermediate certificate authority. Google has taken many measures to advance the security of its certificates, as SSL certificates are still one of the core elements of online security and still, since hundreds of entities issue certificates, it makes the company difficult to identify fake certs that aren’t following proper procedures. One such measure is Google’s recently launched Certificate Transparency project, which provides an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. DigiCert was one of the first Certificate Authority’s to implement Certificate Transparency after working with Google for a year to pilot the project. Google also upgraded its SSL certificates from 1024-bit to 2048-bit RSA to make them more secure and unbreakable. Because longer key length would make it even more difficult for a cyber criminal to break the SSL connections that secure your emails, banking transactions and many more. Source
  23. In recent days an estimated 30,000 Internet users have received emails containing copyright warnings and demands for cash settlements. The emails, which detail alleged infringements on content from EMI, Sony, DreamWorks and Paramount, are not only fake but also have a sting in the tail - a nasty trojan just waiting to be installed. It used to be the case that when a copyright holder tracked down an alleged file-sharer they would have to make contact via regular snail mail. Legal threats in the post nearly always mean business and have to be dealt with in an appropriate manner. With the advent of companies such as Rightscorp, however, demands for cash settlement now regularly arrive via email. While some recipients treat these emails as spam, they are sent by a legitimate company acting on behalf of genuine rightsholders. Whether people should pay up on presentation of a mere email is a personal matter, but there are some instances in which no payment should ever be considered. During the past several days there have been increasing reports of Internet users in Germany receiving cash demands for alleged copyright infringement. The emails detail alleged piracy offenses on tracks from Jay-Z, R Kelly, James Blunt, Bullet for My Valentine, and metal bands Sepultura and Children of Bodom, to name just a few. It’s a very big operation indeed. According to lawyer Christian Solmecke, a lawyer who regularly defends in piracy cases, up to 30,000 individuals are affected, with many calling his offices for legal advice. But while the emails say they are being sent on behalf of a range of rightsholders from EMI, Sony, and Warner Bros. to DreamWorks and Paramount Pictures, drilling down into the details reveals the whole operation as a huge scam. The ‘settlement’ mails demand between 200 and 500 euros within 48 hours to make potential lawsuits go away. One reads: This is a warning because of your violation of § 19a of the Copyright Act on 07.06.2014. The music album ‘Bullet For My Valentine – Temper Temper’ was downloaded from your IP address 8.149.94.13 at 3:40:24. This violates § 19a of the Copyright Act and must be reported to the responsible District Court. Only the fastest possible payment of a fine of 400.88 euros can prevent this. We expect payment within the next 48 hours. For details see the attached document XXXXXXXXX.zip As can be predicted from the final line, the real plan is to trick recipients into opening a file apparently containing details about their case, but which in fact carries a suspected trojan. “It is very likely that the zip file contains a virus, designed to spy on credit card and account information. The floodgates would then be opened to online banking fraud and identity theft,” Solmecke warns. “For this reason, all users that have opened the ZIP file attachment should check their PC immediately with a virus scanner and install the security updates for their anti-virus software,” the lawyer concludes. Finally, by including legitimate law firms’ contact details in the emails, specifically companies that are involved in the settlement business already, the scammers are using a particularly crafty technique to come across as genuine. One lawfirm, Sasse & Partner, was forced to issue a statement denying involvement in the scheme. “The ‘warnings’ are sent under the name of our lawyer Jan Spieldenner. The perpetrator or perpetrators are apparently making use of the fact that our firm regularly sends warnings on behalf of various clients and has thereby acquired a certain reputation. We point out that the warnings provided by us are never sent as a zip file,” the company explains. Quite how many people will actually pay up on receipt of such an email is unknown, but by sending out tens of thousands it seems likely that a few will. At the full 500 euro rate, just a couple of dozen ‘settlements’ will net a sizable amount of cash – as ‘genuine’ copyright trolls know only too well. Source
  24. Last month Google offered refunds to users who bought a fake antivirus app from Google Play, but the scam seems to be catching on and security researchers have recently identified similar apps in both the Android and Windows Phone app stores. Malware analysts from Kaspersky Lab found a fake app called Kaspersky Mobile in the Windows Phone Store, which is unusual because cybercriminals tend to target Google Play and because Kaspersky doesn't even make an antivirus product for Windows Phone. The fake app, which was available for 149 rubles or around US$4, used Kaspersky's logo and other branding elements and even pretended to scan files when run, said Roman Unuchek, senior malware analyst at Kaspersky Lab in a blog post Thursday. Kaspersky Lab was not the only brand abused by the people behind this scam. The same developer account had created fake apps using the names and logos of other popular programs, including Avira Antivirus, Mozilla Firefox, Google Chrome, Opera Mobile, Internet Explorer and Safari. One of the developer's fake Windows Phone apps used the same name as a fake antivirus app found in Google Play in April -- Virus Shield. Despite costing $3.99 and doing nothing to protect devices, the Android version of the app was downloaded over 10,000 times and made it into several "top paid" lists before being identified as a fraud. Google removed the application and offered refunds to affected users, as well as $5 in store credit. The researchers also identified a Kaspersky-branded fake app in Google Play using the name Kaspersky Anti-Virus 2014. The app's description was copied from the official Google Play page for Kaspersky Internet Security for Android, one of the company's legitimate products. The app's creators didn't even bother to add a scan simulation to the application, Unuchek said. "It is quite possible that more and more of these fake apps will start appearing," he said. "One thing is for sure -- the mechanisms put in place by the official stores are clearly unable to combat scams like this." Source
  25. Microsoft today pulled six fake Google apps from the Windows Phone Store, after we contacted the company about the issue. The apps in question were: “Hangouts,” “Google Voice,” “Google Search,” “Google+,” “Google Maps,” and “Gmail – email from Google.” All of these are published by a “Google, Inc” (instead of “Google Inc.”) and priced at $1.99 each. The only app that Google offers for Windows Phone is its search app, and the publisher is “Google Inc.” The apps in question were first spotted by WinBeta this morning, after being originally published yesterday. We got in touch with Microsoft to ask about the issue. Here are the fake apps: In the six hours it took Microsoft to respond, another fake app managed to get through: The company responded with the following generic statement: Microsoft takes the intellectual property our ecosystem seriously and we use several layers of deterrence and response to help protect it. First, we encourage developers to take advantage of obfuscation tools for an added layer of protection. Because the Windows Phone Store is the only authorized source of public apps and games for the Windows Phone, developers can more easily police infringement of their apps by monitoring the Windows Phone Store and notifying Microsoft if infringement occurs. Microsoft provides online tools and an email alias ([email protected]) to enable developers to quickly report infringement of any apps they locate on the Windows Phone Store for immediate review and, when appropriate, removal. In cases where the infringement is disputed, we permit alleged infringers to dispute infringement via counter notices. Finally, Windows Phone educates every developer from the very start – before apps are even submitted – reminding them in our developer agreements and policies that Microsoft does not permit infringement of intellectual property of others. While this is all true, the fact of the matter is that these apps should not have made it through in the first place. The last sentence implies that developers are told they shouldn’t submit fake apps, but unsurprisingly that isn’t enough of a deterrent for some. Microsoft has been regularly criticized for having a low bar when it comes to approving apps into the Windows Phone Store. While these six apps may be gone (they still appear here, but we checked on a Windows Phone device and they have indeed been removed), many fake apps still remain. Searching for “Google” or “YouTube” or really any other big name that doesn’t have an official app brings up many apps that shouldn’t be available. Unfortunately, Microsoft hasn’t addressed the bigger problem here: fake apps are getting through, and the company’s app approval process needs a serious overhaul. We have contacted Microsoft again to find out how these apps were approved in the first place. We will update this story if we hear back. Update: “We removed a series of apps for violating our policies concerning the use of misleading information,” a Microsoft spokesperson told TNW. “The apps attempted to misrepresent the identity of the publisher.” Unfortunately, Microsoft still isn’t addressing the larger issue of these apps being approved in the first place. Source
×