49% of All Phishing Sites Have SSL Credentials and Show Green Padlock

Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.

The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.

It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.

The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.

A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.

The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.

The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.

In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.

Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.

Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.

Marriott Announces 500 Million-Record Breach of Starwood Hotel Guests’ Files

The Marriott hotel chain has announced it has suffered a massive data breach that has resulted in the theft of the personal information of up to 500 million guests of the Starwood Hotels and Resorts group.

Marriott identified the data breach on September 8, 2018, after an alert was generated by its internal security system following an attempt by an unauthorized individual to access the Starwood guest reservation database. Third-party computer forensics experts were called in to assist with the investigation, which confirmed that the Starwood network was first gained in 2014. It is currently unclear howthe hacker breached security defenses and gained access to the network.

The hacker had encrypted data on the network which hampered efforts to investigate the breach and determine what data had been accessed. It took until November 19, 2018 for Marriott to decrypt the data and determine what the files contained.Only then was Marriott able to confirm that the database contained information on previous Starwood Hotels guests.

Analyzing such a huge database to determine which customers have had their information compromised has naturally taken some time. Marriott is still in the process of deduplicating the database to determine the exact number of guests impacted.

Marriott believes up to 500 million individuals who had previously made a reservation at Starwood Hotels and Resorts have been affected. They also include individuals who made reservations at Sheraton Hotels & Resorts, Four Points by Sheraton, Element Hotels, Le Méridien Hotels & Resorts, W Hotels, St.Regis, Westin Hotels & Resorts, Aloft Hotels, The Luxury Collection,Tribute Portfolio, Design Hotels that are part of the Starwood Preferred Guest program, and its Starwood branded timeshare properties.

The types of data present in the stolen database include the names of guests, mailing addresses, email addresses, and other information. Around 327 million past guests may also have had the following information stolen: SPG account information, birth date, gender, reservation date, arrival date, departuredate, their communication preferences, and potentially, their passport number.

Marriott has not yet confirmed whether the hacker stole payment card information. Payment card data were encrypted with the AES-128 algorithm, but the two bits of information that would allow the data to be decrypted may also have been stolen.

The data breach, which occurred two years before Marriott acquired the Starwood Hotels and Resorts Group, has been reported to law enforcement. Marriott is currently working with leading security firms to improve security and prevent any further data breaches.

Marriott is in the process of notifying all affected individuals by email. All breach victims have been offered free enrolment in WebWatcher for one year. WebWatcher monitors the Internet for instances of user information being shared and issues alerts. U.S. guests are also being offered fraud consultation services and reimbursement coverage. Since email addresses have been stolen, breach victims have been warned to be alert for phishing attacks that attempt to obtain sensitive information. All official communications are coming from the starwoodhotels@email-marriott.com, although care should still be taken with any emails that appear to have been sent from that email address as sender field could be spoofed.

Microsoft and Adobe December 2018 Patch Tuesday Updates

December 2018 Patch Tuesday has seen Microsoft issue repairs for 39 vulnerabilities, 10 of which have been ranked serious, and two are being actively abused in the wild. There are 9 critical vulnerabilities in Microsoft products and one critical weakness in Adobe Flash Player.

The repairs include the following products and services: Microsoft Windows, WindowsKernel-Mode Drivers, Windows Kernel, Windows Azure Pack, Windows Authentication Methods, Visual Studio, Microsoft Windows DNS, Microsoft Scripting Engine, MicrosoftExchange Server, Microsoft Dynamics, Microsoft Graphics Component, MicrosoftOffice SharePoint, Microsoft Edge, Internet Explorer, Microsoft Office, and .NET Framework.

December 2018 Patch Tuesday Serious Microsoft vulnerabilities

The serious ulnerabilities affect the Chakra Scripting Engine of Microsoft Edge (5),.NETframework (1), Microsoft Text-to-Speech (1), Internet Explorer (1), and Windows DNS server (1).

  • CVE-2018-8583; CVE-2018-8617; CVE-2018-8618; CVE-2018-8624; CVE-2018-8629: Chakra Scripting Engine: Memory corruption
    vulnerabilities because of how Microsoft Edge manages memory items. Misuse would require a user to visit a specifically created website, via a link in a phishing electronic mail or malvertising, for instance.
  • CVE-2018-8540: .NETFramework: A distant code injection vulnerability when the .NET framework fails to authenticate input properly. An attacker could gain complete control of an affected system if an admin user’s account is compromised.
  • CVE-2018-8626: WindowsDNS Server: A heap overflow vulnerability affecting Windows servers arranged as DNS servers, which could let distant code implementation on the Local System Account.
  • CVE-2018-8631: InternetExplorer: A memory corruption weakness that might let distant code implementation. Misuse would require a user to visit a specifically created website, via a link in a phishing electronic mail, for instance.
  • CVE-2018-8634: Microsoft text-to-Speech: Distant code implementation vulnerability because of a failure to properly manage items in the memory. The fault could be abused to take complete control of a vulnerable system.
  • ADV180031: Adobe FlashPlayer: Adobe repaired two vulnerabilities in an out-of-band update on December 5. Microsoft has tackled these vulnerabilities, which are presently being abused in the wild.

Adobe Updates: December 2018 Patch Tuesday

Adobe has issued a large number of updates to tackle a slew of lately found
vulnerabilities. 87 updates had been included in the total, 39 of which have been ranked serious and could let an attacker implement the arbitrary code or elevate privileges on vulnerable appliances. Many of the vulnerabilities could be used collectively to give anattacker complete control of a susceptible computer.

These repairs are in addition to an out-of-bounds update released earlier in December to repair two actively abused vulnerabilities.

All repairs must be applied as soon as possible.

2018 Safety Awareness Training Figures

A new study carried out by Mimecast has produced some interesting security mindfulness training figures for 2018. The survey shows a lot of companies are taking substantial risks by not providing sufficient training to their workers on cybersecurity.

Question the IT department what is the greatest cybersecurity danger and several will say end users. IT teams put a considerable amount of effort into applying and maintaining cybersecurity fortifications, only for employees to take actions that introduce malware or lead to an electronic mail breach. It is understandable that they are annoyed with employees. Most cyberattacks start with end users. By compromising one appliance, an attacker gains a footing in the system which can be utilized as a Launchpad for more attacks on the business.

However, it doesn’t need to be like that. Businesses can create a strong last line of protection by providing safety awareness training to employees to help them identify threats and to prepare them how to respond and report difficulties to their IT group. The difficulty is that a lot of businesses are failing to do that. Even when cybersecurity teaching is provided, it is often insufficient or not obligatory. That means it is just partly effective.

Mimecast’s security awareness training figures show that just 45% of firms provide workers with recommended safety awareness teaching that is obligatory for all employees. 10% of firms have training programs available, however, they are only voluntary.

Explore deeper into these safety awareness training statistics and they are not quite as they appear. Certainly, 45% of firms provide obligatory cybersecurity training but, in many cases, it falls short of what is needed.

For example, only 6% of firms provide monthly training and 4% do so three-monthly. For that reason, just 10% of the 45% are providing training regularly and are adhering to acceptable industry standards for safety. 9% of the 45% only provide safety awareness training when an employee joins the company.

The training processes used proposed safety awareness training, for a lot of businesses, is more of a checkbox item. 33% provide printed lists of cybersecurity guidelines or electronic mail instructions even though several employees will simply neglectthose messages and handouts.

30% issue prompts concerning possibly risky links, in spite of that little is done stop employees actually clicking those links. Businesses are in its place relying on their employees to know what to do and to take care, even though formal cybersecurity training is often lacking and they lack suitable skills. Only 28% are using interactive training videos that involve users.

These safety awareness training figures show that firms clearly need to do more. As Mimecast proposes, effective safety awareness training means making training obligatory. Training must also be a continuous process and simply handing out advices is not sufficient.

You must involve workers and make the training more enjoyable and ideally, amusing.  “The easiest way to lose your audience is by making the training dull, unconnected,and worst of all, unmemorable.”

New Office 365 Phishing Attack Detected

The latest Office 365 phishing attack has been identified that uses warnings concerning message delivery failures to attract unsuspecting users to a website where they are requested to provide their Office 365 account particulars.

The new cheat was found by safety scientist Xavier Mertens during an examination of electronic mail honeypot data. The electronic mails closely resemble formal messages transmitted by Microsoft to warn Office 365 users to message distribution failures.

The phishing electronic mails contain Office 365 branding and warn the user that action should be taken to make sure the delivery of messages. The text notifies the user that Microsoft has found a number of undelivered messages which have not been delivered because of server jamming.

The user is informed the failed messages should be resent by manually re-entering the receivers’ electronic mail addresses or by clicking the handy “Send Again” button in the message body. Users are supposed to click the button instead of manually re-entering a number of electronic mail addresses.

If the user clicks the Send Again button, the browser will be started and the user will be presented with a webpage that appears precisely like the official Office 365 web page, complete with a login prompt where they are requested to type their password. The login box already has the user’s electronic mail address so only a password is needed.

If the password is typed, it will be seized by the attacker together with the paired electronic mail address, and the user will be redirected to the official Office 365 website and might not be conscious that electronic mail identifications have been seized.

Official non-delivery alerts from Microsoft seem very similar, but don’t have a link that users can click to resend the electronic mails. Nevertheless, as the messages have the correct branding and use a similar format, it is likely that a lot of receivers will click the link and reveal their identifications.

Contrary to several phishing campaigns, the messages are well written and don’t include any spelling errors, just a missing capital letter in the warning.  The trap is believable, but there is one clear indication that this is a cheat. The domain to which the user is directed is obviously not one used by Microsoft. That said, a lot of people don’t always check the domain they are on if the website appears official.

This Office 365 phishing attack emphasizes just how important it is to cautiously check the domain before any confidential information is disclosed and to halt and think before taking any action advised in an unsolicited electronic mail, even if the electronic mail appears official.

Vital AMP for WP Plugin Weakness Allows Any User to Gain Admin Rights

A recent critical WordPress plugin weakness has been identified that might let site users increase rights to admin level, providing them with the capability to add custom code to a vulnerable website or upload malware. The vulnerabilities is in the AMP for WP plugin, a trendy plugin that changes standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has over 100,000 active users.

Although the plugin was expected to carry out checks to decide whether a particular user is allowed to carry out certain administrative jobs, inadequate checks were carried out to confirm the existing user’s account permissions. As a consequence, any user, including a user listed on the site to submit remarks, might gain admin rights to the site.

The vulnerability was found by WordPress plugin developer Sybre Waaijer who clarified that the vulnerability would let any user read and download files, upload files, modify plugin settings, insert HTML content into posts, or load malware such as a cryptocurrency miner or install malevolent JavaScript. Although there were some safety checks carried out, in most instances unauthenticated users might easily carry out illegal activities on a site with the vulnerable plugin installed.

As per web safety company WebARX, the vulnrability is present in the ampforwp_save_steps_data hook – An Ajax hook that can be called by all listed users on a site. As insufficient checks are carried out to confirm the account role of the user when the hook is called, any site user can use the functions.

The vulnrability has been rectified in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.

The new variety of the plugin includes a check of the wpnonce value to decide whether the user is accredited to update plugin settings. Updates will only be allowed if the user has admin rights.

Adobe Repairs Actively Abused 0-Day Weakness in Flash Player

On Wednesday, December 5, 2018, Adobe released an update to rectify a weakness in Adobe Flash Player that is being leveraged by a threat group in targeted attacks in Russia. The threat group has previously attacked a healthcare service in Russia that is used by senior civil servants.

The weakness was recognized by researchers at Gigamon who passed on details of the weakness to Adobe in late November. Qihoo 360 scientists lately recognized an advanced constant threat campaign that was actively abusing the weakness.

The weakness is being abused using a particularly created Word document which is being dispersed using a spear phishing campaign. The campaign is extremely targeted; however, it is possible that other threat groups might try to abuse the same weakness in bigger, less-targeted campaigns.

The spear-phishing campaign used social engineering methods to deceive the receiver into opening a malicious Word document that impersonated as a worker survey. The document was transmitted as a .rar attachment to the electronic mail, with the compressed file having the document, the exploit, and the payload. The Word document had a malevolent Flash Active X control in the header.

Upon opening the document, the user is presented with a Microsoft Office alerting that the document might be damaging to the computer. If the content is enabled, the malevolent code will be performed, the weakness will be abused, and the attacker will gain command line access to the user’s system.

The payload, named backup.exe masquerades as an NVIDIA Control Panel application with a matching icon and (stolen) certificate. If the payload is performed, system information will be gathered which will be sent back to the attacker’s distant server through HTTP POST. Shellcode will also be downloaded and run on the infected appliance.

The weakness, followed as CVE-2018-15982, is present in type 31.0.0.153 and all earlier types of Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Types 31.0.0.108 and earlier of Adobe Flash Player Installer also have the weakness.

Users are suggested to update to type 32.0.0.101 (Type 31.0.0.122 of Adobe Flash Player Installer) as soon as possible. The update also repairs the Insecure Library Loading (DLL hijacking) privilege escalation weakness CVE-2018-15983.

Persistent New LoJax Rootkit Survives Hard Disk Substitution

Oct 7, 2018

Security researchers at ESET have identified a new rootkit that takes perseverance to a whole new level. As soon as infected, the LoJax rootkit will remain working on an appliance even if the operating system is reinstalled or the hard drive is reformatted or substituted.

Rootkits are malevolent code that is used to provide an attacker with continuous administrator access to an infected appliance. They are difficult to detect and subsequently, they can remain active on an appliance for long periods, permitting cybercriminals to access an infected appliance at will, thieve information, or infect the appliance with more malware variations.

Although reformatting a hard drive and reinstalling the operating system can typically remove a malware infection, that is not the case for the LoJax rootkit because it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of an appliance and its operating system. The UEFI runs pre-boot apps and manages the booting of the operating system. As the LoJax rootkit continues in Flash memory, even substituting a hard drive will have no effect.

The LoJax rootkit may not be detected as most antivirus programs don’t check the UEFI for malware. Even if the rootkit is detected, removing it is far from straightforward. Removal needs the firmware to be flashed.

A lot of cybersecurity experts consider these UEFI rootkits to be theoretical instead of actively being used in real-world attacks, as ESET remarks in a fresh blog post. “UEFI rootkits are generally seen as extremely risky tools for executing cyberattacks. No UEFI rootkit has ever been noticed in the wild – until we discovered a campaign that effectively positioned a malevolent UEFI module on a victim’s system.” The rootkit was installed by a threat group known as Fancy Bear, a cyberespionage group supposed to have strong connections to the Russian military intelligence organization, GRU.

LoJax is not, in itself, an information taker. It is a backdoor that permits a system to be retrieved at will for spying purposes, data thievery, or for the installation of malware. It can also permit an infected appliance to be followed geographically.

What is vague is how the attackers gained access to the device to install the rootkit. ESET considers the most likely way that was reached was with a spear phishing electronic mail. As soon as access to the appliance was achieved, the UEFI memory was read, an image was generated, then changed, and the firmware was substituted with the rootkit installed. The rootkit was installed on an older appliance which had several other kinds of malware installed. More modern appliances have controls in place to avoid such attacks – Secure Boot for example.  However, that doesn’t necessarily imply they are protected.

“Companies must study the Secure Boot construction on their hardware and make certain they are constructed properly to avoid illegal access to the firmware memory,” wrote safety intelligence team lead at ESET, Alexis Dorais-Joncas. “They also require to think about controls for detecting malware at the UEFI/BIOS level.”

Danabot Banking Trojan Utilized in U.S. Campaign

The DanaBot banking Trojan was first noticed by safety scientists at Proofpoint in May 2018. It was being utilized in a single campaign targeting clients of Australian Banks. More campaigns were later noticed targeting clients of European banks, and nowadays the attacks have shifted beyond the Atlantic and U.S. banks are being targeted.

Banking Trojans are the main danger. Proofpoint notices that they now account for 60% of all malware transmitted through electronic mail. The DanaBot banking Trojan is being dispersed through spam electronic mail, with the malevolent messages having an embedded hyperlink to websites hosting a Word document with a malevolent macro. If permitted to run it will introduce a PowerShell command which downloads DanaBot.

The DanaBot Trojan thieves identifications for online bank accounts via a blend of banking site web injections, keylogging, taking screenshots and seizing form data. The malware is written in Delphi and is modular and is able of downloading additional parts.

Proofpoint notices that the campaigns it has noticed use different IDs in their server communications which indicate that several people are carrying out campaigns, most probably through a malware-as-a-service offering. So far, nine different IDs have been identified which indicates nine people are carrying out campaigns. Each actor aims a particular geographical area aside from in Australia where there are two people carrying out campaigns.

The latest campaign targeting U.S bank clients is also being conducted through spam electronic mail and similarly links to a Word document with a malevolent macro. The spam electronic mails intercepted by Proofpoint spoof eFax messages, and are complete with proper branding. The electronic mails assert the Word document has a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information stealing malware. A number of U.S banks are being targeted including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has identified similarities with other malware families proposing it the work of the group behind CryptXXX and Reveton. “This family started with ransomware, to which stealer functionality was added in Reveton. The evolution carried on with CryptXXX ransomware and now with a banking Trojan with Stealer and distant access functionality included in DanaBot.”

Q2, 2018 Saw an 86% Increase in Cryptocurrency Mining Malware

2018 has proven to be the year of cryptocurrency mining malware. Cybercriminals are gradually discarding other types of malware and ransomware in support of malware capable of hijacking computers and mining cryptocurrency.

Mining cryptocurrency needs computers to solve the difficult problems necessary to confirm cryptocurrency dealings and add them to the blockchain account book. That needs substantial processing power and takes time. In exchange for carrying out the service, the miner that resolves the problem is compensated with a small amount of cryptocurrency. In order for this to be lucrative, substantial computer processing power is needed. That can be accomplished in two ways. Purchasing the hardware or hijacking other people’s computers.

The high value of cryptocurrencies makes mining an attractive possibility, particularly if a cybercriminal can hire an army of computers to carry out the processing. One computer can earn a few dollars a day. 10,000 computers infected with cryptocurrency mining malware makes this a very lucrative operation. That fact has not been lost on cybercriminals.

2018 has seen a huge increase in the use of cryptocurrency mining malware. In the first quarter of 2018, McAfee informs there was a 629% increase in the number of cryptocurrency mining malware samples it interrupted. That rising tendency has continued all through Q2. As per the September McAfee Threat Statement, there was an additional 86% rise in identified cryptocurrency mining malware samples in Q2.

“Using cryptomining malware is simpler, more straightforward, and less dangerous than conventional cybercrime activities – causing these schemes to rise steeply in fame over the last few months. Actually, cryptomining malware has rapidly developed as a main player on the danger landscape,” said Raj Samani, chief scientist at McAfee.

Although PCs are most usually targeted, cybercriminals have now split out and are also using other Internet-connected appliances to mine cryptocurrency, including Android smartphones. These appliances have much lower processing power than PCs, however since they are comparatively easy to capture, the sheer number of appliances that can be infected more than makes up for their low processing power.

There has also been the main increase in the use of malware that abuse software weaknesses. These kinds of malware rose by 151% in Q2, 2018. “WannaCry and NotPetya provided cybercriminals convincing instances of how malware might use weakness exploits to gain a footing on systems and after that rapidly spread across networks,” said Christiaan Beek, Lead Scientist and Senior Principal Engineer at McAfee. A lot of malware variations have been created that impersonate WannaCry and NotPetya.

The McAfee report also demonstrates there was a 57% growth in ransomware samples in the previous year, and although use is still increasing, reputation is decreasing with just 27% increase seen in Q2, 2018.