Security Alerts & News
by Tymoteusz A. Góral

#993 KSN Report: Ransomware from 2014-2016
This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN). The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled who encountered ransomware at least once in a given period. The term ransomware covers mainly two types of malware: so-called Windows blockers (they block the OS or browser with a pop-up window) and encryption ransomware. The term also includes select groups of Trojan-Downloaders, namely those that tend to download encryption ransomware upon infection of a PC. Nowadays, encryption ransomware is widely regarded as synonymous with ransomware, although, according to Kaspersky Lab statistics the number of users that regularly encounters blockers remains high.
#992 3 million strong botnet grows right under Twitter's nose
Social media and advertising fraud investigations firm Sadbottrue has discovered a botnet of three million Twitter accounts, along with two smaller botnets of 100,000 bots each, which they suspect to be behind online services that sell or rent Twitter followers.

Selling Twitter followers is a lucrative business, even if Twitter forbids it. People crave attention, and companies don't want to embarrass themselves by having only 100 followers.

Usually, services that do sell Twitter followers, leverage botnets of a few thousand bots, which at the push of a button will become your followers.

Registering millions of Twitter accounts is out of the question since Twitter's staff might very easily detect a huge spike in new user account registration and investigate, exposing the botnet.

But that's exactly what happened, according to Sadbottrue, who discovered a huge botnet that was registered on the same day, on April 17, 2014. That's about 35.4 registrations per second.

The crooks behind this botnet also managed to synchronize their Twitter usernames with the Twitter ID. The Twitter account ID is usually assigned to a user after he registers, so a few tests were probably carried out in advance.
#991 PayPal dumped cloud company (Seafile) after It refused to monitor customers' files
Germany’s Seafile says it was forced to stop using PayPal.

A German Dropbox rival claims PayPal dropped it as a customer because it refused the payment company’s demands to spy on its users’ data.

Seafile GmbH informed its customers on Saturday that they would no longer be able to pay for the service using PayPal—the only payment method that the company had in place.

“We’re looking into alternative payment services, but currently we’re running a cloud service and not getting paid,” CEO Silja Jackson told Fortune.
#990 Bitcoin phishing campaign uncovered
For the last month, attackers have used a combination of phishing and typosquatting to carry out a campaign aimed at stealing Bitcoin and blockchain wallet credentials.

More than 100 phony Bitcoin and blockchain domains have been set up so far, many which mimic legitimate Bitcoin wallets. Most of the sites were registered on May 26 and more continue to pop up daily suggesting the campaign is still in the early goings.

Artsiom Holub, Dhia Majoub, and Jeremiah O’Connor, researchers with OpenDNS’ Security Labs, traced connections between IP addresses, name servers and Whois indicators over the last few weeks in order to determine the scope of the campaign.

Cyren, an Israeli cloud-based security firm, spotted the first signs of life from the campaign in early June when it observed the domain blocklchain[.]info spreading through a pay-per-click advertising scam via Google AdWords. If a user was tricked into visiting the site – a replica of the real deal – and actually logged in, they would have handed their Blockchain credentials over to attackers.
#989 Bitcoin rival Ethereum fights for its survival after $50 million heist
The attacker managed to combine 2 exploits. The first exploit was to call the split DAO function recursively. That means the first regular call would trigger a second (irregular) call of the function and the second call would trigger another call and so on. The following calls are done in a state before the balance of the attacker is set back to 0. This allowed the attacker to split 20 times (have to look up the exact number) per transaction. He could not do more—otherwise the transactions would have gotten too big and eventually would have reached the block limit. This attack would already have been painful. However—what made it really painful is that the attacked managed to replicate this attack from the same two addresses with the same tokens over and over again (roughly 250 times from 2 addresses each). So the attacker found a second exploit that allowed to split without destroying the tokens in the main DAO. They managed to transfer the tokens away before they get sent to address 0x0 and only after this they are sent back) The combination of both attacks multiplied the effect. Attack one on its [own] would have been very capital intensive (you need to bring up 1/20 of the stolen amount upfront)—the attack two would have taken a long time.
#988 NEC to launch AU$4.38m IoT-focused cybersecurity centre in Adelaide
NEC has announced plans to establish a AU$4.38 million Global Security Intel Centre (GSIC) in Adelaide that will focus on Internet of Things (IoT) security.

The IT services firm expects the cost of cyber attacks against enterprise and government IT systems to rise as the adoption of smart technologies and connected devices that make up the IoT accelerates.

Once established, the centre will form part of NEC's cybersecurity network, with the GSIC expected to complement security-focused facilities located globally, including Japan and Singapore.

The South Australian government has welcomed the GSIC, calling it a major boost to the state's IT capabilities.
#987 Tech support scams target victims via their ISP
A new scam, in which fraudsters pose as legitimate ISPs to offer bogus tech support, either via the phone or on the net, is on the rise, the BBC has found.

It is a twist on an old trick which involved cold-calling a victim - often claiming to represent Microsoft - and charging for fake tech support.

The new variants have been spotted in the UK and US.

BT said that it is investigating the issue.

The online version of the scam involves a realistic pop-up which interrupts a victim's normal browsing session with a message that appears to be legitimate and seems to come from the victim's real ISP.

US security firm Malwarebytes has spotted several from US and Canadian ISPs, including ComCast and AT&T. It has also seen webpages created for UK ISPs, including TalkTalk and BT.
#986 Hackers hit central banks in Indonesia and South Korea
In the month since activist hacking group Anonymous pledged to target banks across the world, senior officials have said the public websites of the central banks of both Indonesia and South Korea have been hit by cyber attacks.

In response to the attempted hacks, Bank Indonesia has blocked 149 regions that do not usually access its website, including several small African countries, deputy governor Ronald Waas told Reuters.

Waas said several central banks were hit by similar attacks and were sharing the IP addresses used by the perpetrators.

According to officials, no money was lost in the attacks on Bank Indonesia and the Bank of Korea, which were mainly distributed denial of service (DDoS) attempts. They also said there is no word on who is responsible for the attacks.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12