Security Alerts & News
by Tymoteusz A. Góral

History
#978 Aggressive Triada, Horde variants up mobile malware threat
Two mobile variants of Triada and Horde malware have been spotted in the wild by Check Point Software Technologies researchers who warn the latest samples have adopted dangerous new techniques including the ability to evade Google’s security on some OS versions.

The Android Trojan called Triada, researchers say, now is capable of infecting the Android default browser along with three other niche Android OS browsers including 360 Secure, Cheetah and Oupeng. Once infected, attackers can intercept browser URL requests. Next, if a user happens to visit one of a number of specific URLs, the malware will deliver a spoofed website designed to capture personal financial data.

Up until now, Triada main function was to steal money via SMS messages as part of in-app purchases. However, armed with the new URL spoofing capabilities, the Triada Android malware can now intercept any URL on infected phones and entice a user to “enter credentials in a fraudulent page, or even download additional malware, without knowing he is visiting a malicious site,” wrote Oren Koriat, Check Point analyst in a research blog outlining his research.
#977 Malware infections by Locky, Dridex and Angler drop - but why?
The number of network infections generated by some of the most prolific forms of malware -- such as Locky, Dridex, and Angler -- has suddenly declined.

Instances of malware and ransomware infection have risen massively this year, but cybersecurity researchers at Symantec have noticed a huge decline in activity during June, with new infections of some forms of malicious software almost at the point where they've completely ceased to exist.

Locky has been one of the most prolific ransomware threats of 2016, as the high-profile infection of a Hollywood hospital demonstrated, but researchers have seen very few new cases of the system locking malware in recent weeks -- and that's just a month after infections peaked.
#976 xDedic – the shady world of hacked servers for sale
Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.

The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.
#975 The PhotoMiner campaign
Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.
We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware.
#974 Algeria blocks social media to beat exam cheats
Algeria has temporarily blocked access to social media across the country in an attempt to fight cheating in secondary school exams.

Almost half of students are being forced to retake the baccalaureat exam, starting on Sunday, after the initial session was marred by online leaking.
#973 Attackers used nearly one million IPs to brute-force a financial institution
In just one week back in February this year, Akamai's security products picked up automated attacks that employed over one million different IPs to test login credentials and hijack user accounts.

Akamai says the crooks used 1,127,818 different IPs to launch 744,361,093 login attempts using 220,758,340 distinct email addresses.

Attackers targeted multiple services, but a vast majority of the login attempts were aimed at two companies, one in the financial sector, and one in media & entertainment.

The automated attack against the financial target accounted for over 90 percent of the total attack volume.

Akamai says crooks used 993,547 distinct IPs to check 427,444,261 accounts. The security and networking giant was alerted to the presence of this campaign because 22,555 IPs had been previously blacklisted by their WAF (Web Application Firewall).

The campaign against the financial institution started strong, with the attackers checking over 248,000 IPs on the first day, and ended even stronger with the attackers testing over 526,000 IPs on the seventh day, which accounted for more than half of the total IPs used in the attack.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12