STE WILLIAMS

Romance scams – 80 people charged with ripping off millions of dollars

The US Department of Justice (DOJ) on Thursday unsealed a 252-count, 145-page federal indictment charging 80 defendants – most of them Nigerian nationals – with conspiring to steal millions of dollars through online frauds that targeted businesses, the elderly and women.

Federal authorities cited the case of one of those romance-scam victims during a news conference on Thursday.

Identified only as “F.K.” in the indictment, the Japanese woman first met the fraudster who would come to bleed her of hundreds of thousands of dollars on an international social network for digital pen pals.

F.K. thought she was corresponding with a US Army captain, “Capt. Terry Garcia”, who was stationed in Syria. Over the course of 10 months, Garcia described in daily emails his scheme to smuggle diamonds out of the country.

F.K. borrowed money from her sister, her ex-husband and her friends to help out her fake boyfriend, but in the end, there were no diamonds.

She wound up $200,000 poorer and on the verge of bankruptcy. From the federal complaint:

F.K. was and is extremely depressed and angry about these losses. She began crying when discussing the way that these losses have affected her.

The indictment was unsealed after law enforcement arrested 14 defendants across the US, with 11 of those arrests taking place around Los Angeles. Two of the defendants were already in federal custody on other charges, and one was arrested earlier last week. The hunt is still on for most of the remaining defendants, who are believed to be abroad – mostly in Nigeria.

The conspirators allegedly used various online fraud schemes, including business email compromise (BEC) frauds, romance scams, and schemes targeting the elderly, to defraud victims of a total $6 million. The suspects also allegedly tried to get at another $40 million.

According to the criminal complaint, which was also unsealed on Thursday, the two heads of the conspiracy were Valentine Iro, 31, of Carson, California, and Chukwudi Christogunus Igbokwe, 38, of Gardena, California, both Nigerian citizens. They were basically brokers of bank accounts, the indictment alleges: co-conspirators would allegedly contact Iro and Igbokwe in order to set them up with bank and money-service accounts that could receive the funds they allegedly scammed out of victims.

Once the conspirators managed to talk victims into sending money, Iro and Igbokwe allegedly ran a massive money-laundering operation that relied on a network of money mules. The mules used a Nigerian banking application to move funds out of their US bank accounts and into Nigerian bank accounts they controlled, in naira (₦), the currency of Nigeria, and from there to the Nigerian bank accounts specified by Iro and Igbokwe.

The two alleged ringleaders would set up bank accounts with a specific business name, if necessary, to trick companies into making payments. Besides cooking up accounts with fake business names that mirrored the names of legitimate companies, members of the conspiracy would also routinely file fictitious business name statements with the Los Angeles County Registrar/Recorder’s Office. Those statements would then be presented to banks when the fake accounts were opened.

Law enforcement arrested two defendants who they claim were money mules: Jerry Ikogho, 50, of Carson, California, who was taken into custody on the Sunday preceding the unsealing of the indictment, and Adegoke Moses Ogungbe, 34, of Fontana, California.

The US is charging each of the 80 defendants with conspiracy to commit fraud, conspiracy to launder money, and aggravated identity theft. A number of the defendants also face fraud and money laundering charges. Some of the defendants are also facing charges of operating illegal money transmitting businesses.

Iro, Igbokwe and Chuks Eroha, 39, are also facing charges for attempting to destroy their phones when the FBI executed a search warrant in July 2017. Iro also is charged with lying to the FBI in an interview conducted during the search. Eroha is believed to have fled to Nigeria shortly after the FBI executed the warrant.

Increase in reported romance scams

During Thursday’s press conference, Paul Delacourt of the FBI’s Los Angeles office warned about the escalating danger of romance scams.

Earlier this month, the FBI’s online crime division – the Internet Crime Complaint Center (IC3) – issued a warning about the rising number of faux lover-boys and -girls who are turning to online dating sites to run romance or confidence frauds. Besides talking marks into sending money, a rising trend for these con artists is to try to talk them into becoming money mules or drug runners, the FBI said.

We’ve seen plenty of these scams in past years: FBI numbers show that in 2017, more than 15,000 people filed complaints with the IC3, alleging that they were victims of romance/confidence frauds and reporting losses of more than $211 million. The following year – 2018 – reported losses skyrocketed by more than 70%: the number of victims filing complaints increased to more than 18,000, and they reported more than $362 million in losses.

Based on the number of victims, this type of fraud was the seventh most commonly reported scam last year. Money-wise, it was the second costliest scam in terms of losses reported by those victims. It’s ensnaring every type of victim, regardless of age, education or income bracket, the FBI says, though the most targeted demographics are the elderly, women, and widows or widowers.

Modus operandi

This is how these swindles go: First, the conman or woman gets their victim’s trust. Then, they try to convince them to send money, whether it’s for an airfare to visit, to ostensibly bail them out when they claim to have gotten arrested en route, to prove they can be trusted, to buy a home for the heartthrob they’ve never met, or for any other of an endless litany of sob stories.

It works. It works far too often.

BEC scams

Romance scams are only one of the ways that this massive conspiracy made its profits. As court papers describe, BEC was also a big money machine.

BEC scams and the amount of profits they’re netting crooks are exploding. In its 2018 Internet Crime Report, the FBI said that it received 20,373 BEC/email account compromise (EAC) complaints, reflecting losses of over $1.2 billion, last year.

The scams typically involve legitimate business email accounts that have been compromised, be it through social engineering or computer intrusion, to initiate unauthorized transfers.

They’re getting increasingly sophisticated. From the FBI’s 2018 Internet Crime Report:

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.

We saw an example of an EAC scam in the real estate sector earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia.

More recently, a North Carolina county fell for a BEC scam, to the tune of $1,728,083. It could have been even worse: Cabarrus County managed to claw back some of a total $2,504,601 it paid to a scammer posing as a contractor working on building a new high school.

The crooks used social engineering to pose as Branch and Associates, which is a general contractor that’s working on building a new school for the Cabarrus County Schools District.

Everybody’s a target

Clearly, the fraudsters are going after anybody and everybody, be it women looking for love on dating or pen-pal sites, the elderly or companies they can social-engineer money out of. In Thursday’s press conference, US Attorney Nick Hanna said that fraud networks are now targeting individuals and businesses alike:

In the BEC scams, the fraudsters will often hack a company’s email system, impersonate company personnel, and direct payments to bank accounts that funnel money back to the fraudsters in Nigeria. In the romance scams, victims think they are developing a dating relationship, when in fact they are just being tricked into sending money to the fraudsters.

Hanna said that authorities believe this is “one of the largest cases” of its kind in US history.

To learn more about romance scams, watch Alice and Duck discuss how crooks recruit money mules from dating sites.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6Wnqyl2R-08/

Emergency iOS patch fixes jailbreaking flaw for second time

With iOS 13 nearing release, Apple users perhaps thought they were done with iOS 12 updates for good.

If so, they were wrong. On 26 August 2019, another update was released for the four-week-old iOS 12.4 in the form of iOS 12.4.1.

Apple doesn’t describe this as an ‘emergency’ patch – though as it addresses a serious vulnerability, it’s hard to interpret it as being anything else.

Why the rush? This is where it gets awkward for Apple. Version 12.4.1 closes a jailbreaking hole, which we delved into in some detail last week.

The short version

The flaw, revealed by Google Project Zero researcher Ned Williamson as the ‘Sock Puppet’ exploit (CVE-2019-8605), was originally patched in iOS 12.3 in May 2019, but the arrival of iOS 12.4 in July inadvertently undid that fix.

A researcher known as Pwn20wnd subsequently released a follow-up jailbreak exploit dubbed ‘unc0ver’ on 18 August 2019 which jailbroke some Apple iOS devices.

In other words, Apple fixed the flaw, accidentally unfixed it, and with the appearance of a jailbreak had to rush out iOS 12.4.1 to re-fix it for a second time.

The patch

Both Williamson and Pwn20wnd are credited by Apple in the company’s advisory, the latter with a single sentence:

We would like to acknowledge @Pwn20wnd for their assistance.

To which Pwn20wnd responded in a tweet.

As previously explained, jailbreaking iOS devices fascinates some owners but the freedom it offers comes at the expense of making those devices vulnerable to hackers.

Ironically, this has happened only days after Apple boosted its maximum bug bounty reward for anyone able to find a kernel-level security flaw in iOS to $1 million, the biggest public bounty offered by any tech company.

While it’s unlikely the latest jailbreaking hacks would qualify (big rewards are reserved for flaws that require no user interaction) the fact that Apple somehow undid a fix for a flaw that might have qualified for a reward looks rather clumsy.

What to do?

Unless you really, definitely, absolutely want/need to jailbreak your iPhone – in which case you would probably have done it already anyway – we strongly recommend that you get the latest iOS update, given how widely the CVE-2019-8605 hole has been publicised.

To check if you’re up-to-date, and to get the update if not, head to: Settings > General > Software Update.

Note that this bug also exists in macOS, so Mac users need to update too. The macOS patch doesn’t get a new version number (it’s still macOS Mojave 10.14.6), so you need to check your build number instead.

At the time of writing [2019-08-28T14:45Z] your build number should be 18G95.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tkCnj_wl2M4/

Time to spin the wheel of pwnage! This week, malware can infect your… Android set-top box!

Set-top tuner boxes have become the infection vector in the spread of Internet of Things malware.

This came out of a report from mobile security house WootCloud, which said its team has caught a botnet called Ares, targeting Android entertainment boxes from Huawei, Cubetek, and Qezy Media.

The WootCloud malware detectives said the Ares infection preys on the poorly secured configurations many set-top boxes use with the ADB debugging interface in Android. In many of the boxes, TCP port 5555 has been opened for both ADB and remote management commands, making them an easy target for any attacker able to scan the open internet.

When a vulnerable device is detected, the malware installs itself via remote commands over port 5555. The bots then connect to a command-and-control server and scan for other vulnerable Android devices within reach, spreading the infection further. The infected machines are subsequently sent crypto-mining tools and other unspecified malware payloads.

The Ares outbreak marks the intersection of two rapidly growing malware arenas: Android mobile devices and embedded IoT gear. The attacks on IoT devices in particular have proven startlingly effective in recent years with the rise of massive botnets like Mirai that make quick work of poorly-guarded appliances and network gear.

WootCloud said it saw the biggest risk from Ares in the potential for the malware to use the pwned set-top boxes as the jumping-off point for attacks on other Android devices, particularly smart TVs, which in many cases use the same vulnerable ADB policies to manage their connections.

“The biggest threat associated with these Android set-top boxes, apart from the Ares vulnerability that we discovered, is the presence of an open and unauthenticated ADB service running on internet-connected devices,” said WootCloud founder and CTO Srinivas Akella.

“Unless we stay vigilant, the probability is huge that any enterprise or consumer could find themselves a victim to hacking attacks through these set-top boxes and, down the line, even by way of the smart TVs and other consumer IoT devices.”

Those with the technical prowess can protect against attacks by locking down ADB access to only authorized IP addresses and keeping an eye on outgoing network traffic from the set-top boxes. Users are also advised to set passwords on their devices for interfaces like Telnet, SNMP, and web.
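The two defensive checks the paragraph above recommends, an ADB allow-list and watching the box’s outbound traffic, can be turned into a simple audit over firewall connection logs. This is an added example, not WootCloud’s tooling: the log format, the LAN addresses and the allow-list policy are all constructed for illustration.

```python
"""Audit connection-log lines for the two ADB (TCP/5555) exposure patterns
described in the Ares write-up: (1) inbound ADB connections accepted from
sources outside an allow-list, and (2) one host fanning out to port 5555 on
many peers, which is what an infected box does when it scans to spread."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed firewall-style log for a home LAN with a set-top box at
# 192.168.1.50. The format is invented for this example:
#   <timestamp> <src>:<sport> -> <dst>:<dport> <ACCEPT|DROP>
SAMPLE_LOG = """\
2019-08-28T10:00:01Z 198.51.100.23:41200 -> 192.168.1.50:5555 ACCEPT
2019-08-28T10:00:05Z 192.168.1.10:55000 -> 192.168.1.50:5555 ACCEPT
2019-08-28T10:00:30Z 192.168.1.50:40000 -> 203.0.113.9:443 ACCEPT
2019-08-28T10:01:00Z 192.168.1.50:40001 -> 192.168.1.51:5555 ACCEPT
2019-08-28T10:01:01Z 192.168.1.50:40002 -> 192.168.1.52:5555 DROP
2019-08-28T10:01:02Z 192.168.1.50:40003 -> 192.168.1.53:5555 DROP
2019-08-28T10:01:03Z 192.168.1.50:40004 -> 192.168.1.54:5555 ACCEPT
2019-08-28T10:01:04Z 192.168.1.50:40005 -> 192.168.1.55:5555 DROP
2019-08-28T10:01:05Z 192.168.1.50:40006 -> 192.168.1.56:5555 DROP
2019-08-28T10:02:00Z 192.168.1.20:50000 -> 192.168.1.50:5555 DROP
"""

# Assumed policy: only the admin workstation may reach ADB on the box.
ALLOWED_ADB_SOURCES = ["192.168.1.10/32"]
ADB_PORT = 5555

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Return a Conn for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["ts"], m["src"], m["dst"], int(m["dport"]), m["action"])


def parse_log(text):
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c]


def unauthorized_adb_accepts(conns, allowed_cidrs, adb_port=ADB_PORT):
    """Accepted connections to the ADB port whose source is not allow-listed."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for c in conns:
        if c.dport != adb_port or c.action != "ACCEPT":
            continue
        if not any(ipaddress.ip_address(c.src) in n for n in nets):
            hits.append(c)
    return hits


def adb_scanners(conns, min_peers=5, adb_port=ADB_PORT):
    """Sources that touched ADB on at least min_peers distinct hosts.
    DROPs count too: a spreading bot probes many peers that never answer."""
    peers = defaultdict(set)
    for c in conns:
        if c.dport == adb_port:
            peers[c.src].add(c.dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= min_peers}


def audit(text, allowed_cidrs=ALLOWED_ADB_SOURCES, min_peers=5):
    conns = parse_log(text)
    return {
        "unauthorized_adb": unauthorized_adb_accepts(conns, allowed_cidrs),
        "adb_scanners": adb_scanners(conns, min_peers),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for c in findings["unauthorized_adb"]:
        print(f"{c.ts} ADB accepted from non-allowlisted {c.src} -> {c.dst}")
    for src, n in findings["adb_scanners"].items():
        print(f"{src} contacted ADB on {n} distinct hosts (possible spread)")
```

On the sample log the audit flags the internet-side source 198.51.100.23 reaching ADB on the box, and the box itself probing ADB on six LAN neighbours, which is the spread pattern to watch for.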

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/28/android_set_boxes_ares_malware/

Never Forget Your Passwords Again!

You never know what those late-night infomercials are going to turn up.

Source: TheEllenShow

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/edge/theedge/never-forget-your-passwords-again!/b/d-id/1335666?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Securing Our Infrastructure: 3 Steps OEMs Must Take in the IoT Age

Security has lagged behind adoption of the Internet of Things. The devices hold much promise, but only if a comprehensive security model is constructed.

As adoption of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) ramps up, the cybersecurity threat landscape changes from PCs, tablets, and conventional networks to all sorts of connected devices, including large, durable goods (think airplanes, automobiles, and construction equipment). IIoT connects major equipment such as aircraft, automobiles, and critical pieces of national infrastructure, including turbines used in power generation and transformers and switches in our electricity grid.

Cisco estimates that the number of devices connected to IP networks will be more than three times the global population by 2022, in the range of 30 billion to 50 billion, with a projected annual economic impact of $3.9 trillion to $11.1 trillion worldwide by 2025. Even if growth projections are overly optimistic, cybersecurity must assume a much more critical role. If a piece of durable machinery becomes infected, the consequences pose a serious threat to business performance and production, as well as overall safety — and could even have national security implications. As older, unconnected equipment is replaced with new, connected machinery, fears are beginning to rise about how secure this new equipment is and what can be done to make it more impregnable from cyberattacks.

Here are three things that original equipment manufacturers (OEMs) should focus on to enhance data security, while also fully realizing the promised economic benefits of IoT and IIoT.

1. Adopt Industrywide Standards
In the software world, we design with security in mind and adhere to a set of well-defined and mature industry standards that allow for different parts of the technology stack to interact with each other. However, the industrial manufacturing world lacks overarching standards for IoT. Instead, in certain industries, there is often competition between large players who rely on a small set of proprietary and incompatible technology standards. This lack of common standards makes it difficult to develop end-to-end security. The manufacturing industry needs to follow the software industry’s lead and come together to define standards. Equipment is becoming increasingly complex with millions of lines of code and the introduction of more equipment that’s designed with software in mind. OEMs must work more closely with suppliers and industry organizations to accelerate the development of industry standards for the greater benefit of everyone.

2. Improve Communication and Sophistication
In the manufacturing world, specifically the operations technology (OT) sphere, legacy operational standards such as OPC and Modbus are still in use today but were designed more than 20 years ago using old technologies, including COM. They were not designed for communication over modern IP networks with multiple security layers and, due to a general lack of cybersecurity sophistication, traditional OT networks have most security options disabled to simplify configuration.

By its nature, a large open network of connected devices opens up many new attack vectors, even if individual devices may be secure when used independently. Because the weakest point in the system determines its overall security level, a comprehensive end-to-end approach is required to secure it. The lack of industry standards within the manufacturing space makes it difficult to develop such an approach, and attackers concentrate on breaching a specific element within the technology stack.

To combat this, manufacturers must adopt a standard similar to what’s found within the software industry, where communication networks are closed by default, ports are only opened as needed, and comprehensive end-to-end approaches are designed in. Traditional industrial component suppliers and OEMs are not well positioned to perform this task, but the industry has to improve its level of sophistication to provide end-to-end protection against all types of attack.

3. Increased Focus on On-Device Security, Leveraging IoT Strengths
While network-level or cloud infrastructure cybersecurity is very important, manufacturers also must realize that device-level cybersecurity is equally or more important. Most data is still stored in the cloud, yet manufacturers must come to terms with data and information also being stored directly on devices themselves. This means a “cloud only” cybersecurity strategy won’t get the job done.

Endpoint security solutions designed for smartphones and tablets can’t be expected to work for IoT sensors and devices because the design of IoT devices makes this unfeasible at a typical enterprise level. Manufacturers need a combination of network-level security and solutions tailored specifically for IoT architectures, including sensor devices. One of the biggest strengths of IoT is the sheer amount of data that devices are expected to generate, and this same strength could be used to apply machine learning models to detect anomalous malicious behavior that could compromise security.

IoT technology is one of the most exciting disruptions to hit the manufacturing space in years. However, security has lagged behind technology adoption, and if we don’t rethink and adopt a new comprehensive security model for connected devices, the value that IoT promises to deliver will just remain that — a promise. By implementing the steps above, OEMs and industry can better prepare for cybersecurity challenges and have more peace of mind when adopting IoT technology.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “The Right to Be Patched: How Sentient Robots Will Change InfoSec Management.”

Vivek Shah is the Senior Product Director at Syncron. For more than 15 years, Vivek has excelled as an IIoT analytics product director and strategist, delivering advanced analytics powered outcomes for digital customers worldwide. He has served industries …

Article source: https://www.darkreading.com/risk/securing-our-infrastructure-3-steps-oems-must-take-in-the-iot-age/a/d-id/1335592?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Malware Found in Android App with 100M Users

CamScanner, a legitimate app used to scan and manage documents, was found executing payloads on Android devices.

CamScanner, an Android app commonly used to scan and organize electronic documents, was found to contain malicious components to download malware onto infected Android devices.

The PDF creator is legitimate and has been downloaded more than 100 million times, Kaspersky Lab researchers report, noting recent reviews indicated unwanted features. CamScanner relied on ads and in-app purchases to make money. At some point, things changed, and analysis shows the app was updated with an advertising library containing a malicious dropper component.

Researchers call the dropper Trojan-Dropper.AndroidOS.Necro.n. When CamScanner is run, the module extracts and runs a payload from an encrypted file in the app’s resources. This “dropped” malware, they explain, can download further malicious code. As a result, the module’s owners can use an infected device any way they want; for example, they could push intrusive advertisements to the screen or sign victims up for paid subscriptions for financial gain.

When Kaspersky Lab researchers analyzed a recent version of the app and found the malicious module, they reported their findings to Google, and CamScanner was removed from Google Play. While it seems the app’s developers removed the malicious code in the latest update, researchers warn that installed versions of the app vary from device to device, and some may still contain the malware.

These findings highlight that any app, even a legitimate one from an official store with positive reviews, can be updated to contain malware. Even Google can’t thoroughly scan the millions of apps in the Play store and, as a result, malware can slip through the cracks and end up in apps that have been vetted.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/malware-found-in-android-app-with-100m-users/d/d-id/1335670?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Report: 53% of social media logins are fraud

More than half of social media logins are fraudulent, according to a new report.

Specifically, 53% of social media logins are fraudulent, and 25% of all new account applications on social media are also coming from scammers, according to the Arkose Labs Q3 Fraud and Abuse report.

Of course, there are plenty of good reasons to care about the fakery that saturates social media, given that the fraudulent activity is focused on stealing data and squeezing us all for money. Large-scale bots are behind most of these transactions, launching attacks on social media platforms with the goal of “disseminating spam, stealing information, spreading social propaganda and executing social engineering campaigns targeting trusting consumers,” according to a media release from Arkose.

Arkose looked at fraud across the internet, but with specific regards to social media fraud, the activity took on a host of different forms: account hijackings, fraudulent account creation, and spam and abuse were among them. It found that more than 75% of attacks on social media are coming from automated bots.

Social media was distinct among the industries Arkose analyzed: account hijackings were more common, with logins twice as likely to be attacked than account registrations, the report found. Arkose says that the account takeovers are being done by attackers looking to harvest valuable personal data from the accounts of legitimate users.

We’ve often written about how these account takeovers manifest and what they’re after. In November 2018, for example, Facebook said that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it had become tougher to push propaganda on the platform, and suggesting that fellow propagandists instead take over legitimate social media accounts: wolves pulling on sheepskins to escape Facebook’s notice, as it were.

Profit is another big motivator: We’ve seen valuable Instagram accounts held for ransom and virtual loot worth real money that was motivating attackers to hijack 77,000 Steam accounts a month, for example.

Arkose CEO Kevin Gosschalk, from the press release:

The extremely high attack rate on social-media logins is indicative of the value placed on the data fraudsters extract from compromised social accounts. Because more than 50% of social media logins are fraud, we know that fraudsters are using large-scale bots to launch attacks on social-media platforms with the goal of disseminating spam, stealing information, spreading social propaganda and executing social-engineering campaigns targeting trusting consumers.

Using bots to launch the attacks makes economic sense, Arkose says. It saves crooks the money they’d otherwise have to spend on wages.

Arkose didn’t just look at social media logins. It looked at over 1.2 billion real-time transactions, including account registrations, logins and payments from financial services, e-commerce, travel, social media, gaming and entertainment industries, in real-time, to paint a portrait of the evolving threat landscape.

Besides the bogus social media account logins, the analysis also found that overall, one in 10 transactions of any type is an attack, coming from a range of sources from automated bots to malicious humans.

Automated attacks made up the bulk of the traffic Arkose analyzed, ranging from large-scale account validation attacks, to bots blocking seats on an airline, to scripted attacks that scrape user data and inventory.

But sometimes attacks need humans to carry them out, and that’s where cheap labor comes in handy. Attacks relying on human labor are mostly – 59.3% – coming from China, the analysis found. That’s four times higher than human-driven attacks coming from the US, Russia, the Philippines, and Indonesia.

Here’s Vanita Pandey, vice president of strategy at Arkose Labs:

Sometimes fraudsters have to rely on humans to carry out attacks; these attacks cost more, but the value they can extract from the attack makes the investment worthwhile. Developing economies are quickly becoming fraud hubs because they have easy access to sophisticated tools, cheap manual labor and good economic incentives associated with online fraud.

Pandey said that the fraudsters are now gearing up for the peak scam time of the year: the holidays.

As we head into the holiday season, this is critical for the retail industry, which sees high volumes of seasonal and human driven fraud. Right now, fraudsters are actively preparing to launch large-scale attacks on retail vendors during the holidays by validating and testing stolen gift cards and identities compromised in recent breaches. The long-term solution to this problem is not rooted in applying new defenses – because fraud will continue to evolve – but rather to break the economics of the attack and eliminate a fraudster’s financial incentive.

For some examples of holiday scams that SophosLabs has caught in its spamtraps, plus some advice on how to avoid getting hooked, check out our advice on how to stay off the hook – useful at any time of the year.

Other data points from the report:

  • Most attacks are coming from the Philippines. The top originating countries for attacks are the US, Russia, the Philippines, UK and Indonesia. The Philippines is the single biggest attack originator for both automated and human-driven attacks with the US coming in at a distant second.
  • Most Chinese attacks (59.3%) are coming from humans. That’s more than four times higher than those coming from the US, Russia, the Philippines, and Indonesia.
  • Human attackers are going after tech companies. The technology industry is heavily targeted by “human click-farms and sweatshops,” the report found – as in, places that employ low-paid workers hired to make fraudulent transactions or create fake accounts. According to the report, 43% of all attacks on tech companies are human-driven and account registrations for tech companies are four times more likely to be attacks than logins. This isn’t surprising: in November 2018, for example, more than 100 Indian police swarmed 16 tech support scam call centers, arresting 39 people for allegedly impersonating legitimate support reps for companies including Microsoft, Apple, Google, Dell and HP.
  • The travel industry is heavily targeted. Payment transactions in the travel industry are 10 times more likely to be attacked, Arkose found, especially from automated bots looking to block inventory, leading to denial of inventory attacks or a significant increase in ticket price. Almost 10% of all login attempts on travel sites are fraud, and 46% of all payment transactions for travel are fraud. Attackers try to make fraudulent purchases, conduct denial of inventory attacks or steal hard-earned customer loyalty points, which are as good as cash.

To protect yourself on social media from account hijackings and scam, start with our video, Five ways to stay secure on social media.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GlHMOtyrs8I/

Android PDF app with just 100m downloads caught sneaking malware into mobes

An Android PDF maker with more than 100 million downloads from the official Play Store has been caught silently installing malware on victims’ phones.

Kaspersky’s eggheads Igor Golovin and Anton Kivva claim CamScanner, an application that turns images into PDFs to share and edit, contains a library that quietly fetches and runs spyware and other software nasties. According to the pair on Tuesday, the trojan, known as Necro.n, was most likely snuck into the app under the guise of an advertising package.

Golovin and Kivva suggested the developers of CamScanner may not even be aware of the lurking nasty, though the duo say that the malicious code has been present and doing its thing long enough to draw a number of complaints in the reviews section of the Play store.

“After analyzing the app, we saw an advertising library in it that contains a malicious dropper component,” the Kaspersky crew said.

“Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser.”


According to the malware hunters, the Necro.n trojan itself doesn’t actually perform any malicious activity on its own, such as spying on users or harvesting device and contact information. Rather, it is simply acting as the downloader for other modules that will actually do the dirty work.

“The owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions,” Kaspersky explained.

The Register has reached out to CamScanner’s developer for comment, but has yet to hear back at the time of publication. The software has vanished from the Play Store.

This would not be the first time an Android application has been found to be secretly serving up malware to unsuspecting users. Previously, malware operators have used tricks ranging from dodgy advertisements to re-packaging legitimate apps with attack code in order to get past Google’s security protections. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/28/camscanner_android_malware/

Dixons hits back at McAfee’s £30m antivirus sueball: Your AV didn’t work on Windows 10S

Brit retailer Dixons has lashed back at McAfee’s £30m High Court broadside, saying it was entitled to promote rival antivirus (AV) tech from Symantec if McAfee’s software wouldn’t work on Windows 10S devices.

Not only was McAfee trying to punt AV onto devices it simply wouldn’t run on, Dixons argued in legal filings seen by The Register, but it also suggested making Dixons’ “Team Knowhow” staff manually install “numerous free apps (including Truekey and Web Advisor)” on customers’ new hardware while it raced to build something that would work with Windows 10S.

This was “not viable”, said Dixons. Although the two companies had been in talks since late 2018 about how “the lack of a McAfee Security Software product compatible with 10S” meant that Dixons’ customers were “generally being denied the ability to purchase 10S products” from it, McAfee only managed to develop a working AV suite for Windows 10S by June 2019.

Despite both sides disputing the exact cutoff date, it was agreed that McAfee and Dixons wanted a viable product in stock and ready for its Back To School (BTS) Windows Laptop sale, planned to begin in August this year. Dixons claims the cutoff date was “March/April 2019, when final plans for the BTS period would be put in place”, while McAfee said it delivered its “10S compatible product” on 20 June 2019.

“From January 2019 a number of new devices with 10S came on to the market and were being offered by DSG’s competitors at very competitive prices because they were able to take full advantage of a subsidy offered by Microsoft to hardware manufacturers selling hardware running 10S,” alleged Dixons.

McAfee flung its sueball at Dixons earlier this month, as first reported by the Sunday Times, after the British gadget souk stopped promoting its AV software for use with Windows 10S, a variant of the operating system that was originally targeted at educational establishments.

In its particulars of claim, McAfee stated that in the 12 months from June 2018, a full 40 per cent of its retail sales in the UK and Ireland came through Dixons, totalling £2.7m. It claimed a further £27.9m against Dixons in “lost sales and lost renewal fees” from “future gross revenue”.

Windows 10S was demoted from a standalone OS to a mere “mode” last year. Its main feature is that it runs in a sort of kiosk mode, aimed at minimising the kind of chaos that results from bored schoolkids being forced to use a computer for educational purposes.

Dixons also said it expects Windows 10S laptops to make up 41.5 per cent of its mobile PC shipments during the “Windows Laptops Back to School” sale season, running between now and the end of October. That translates, as its lawyers explained, to shifting 120,000 units over the three-month period.

The case, before the Chancery Division of the High Court, continues. ®

Bootnote

“DSG does not trade as Carphone Warehouse” stated DSG Retail Ltd, the corporate body behind Dixons and PC World, in its court filings. The boilerplate at the bottom of Carphone Warehouse’s homepage states that it is known to Companies House as Dixons Carphone plc, so that’s that.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/28/dixons_mcafee_30m_antivirus_lawsuit/

WannaCry Remains No. 1 Ransomware Weapon

Of all of the ransomware variants spotted targeting victims in the first half of 2019, the infamous WannaCry was by far the most prevalent, according to Trend Micro’s detection data.

More than two years after the historic WannaCry ransomware campaign rocked the world, rapidly locking down data on more than 200,000 Windows machines in 150 countries, the known and preventable variant remains by far the most commonly detected ransomware: About 10 times as many machines were found targeted by WannaCry in the first half of this year than all other ransomware variants combined.

WannaCry exploits an old SMB vulnerability that Microsoft patched in 2017, so the machines where WannaCry attacks were detected are mostly outdated Windows 7 systems – some 95% of them, according to attack attempts detected and stopped by Trend Micro’s Smart Protection Network.

“The crooks running ransomware schemes are using a reliable tool – WannaCry – for their crimes. There’s no innovation or deep thought. It’s just a way for them to steal,” says Bill Malik, vice president of infrastructure strategies at Trend Micro, whose midyear security report, published today, includes the ransomware data.

These machines are mostly enterprise Windows machines in manufacturing, government, education, and healthcare, not consumer devices, Trend Micro’s telemetry shows. “Those machines, deployed years ago, are mission-critical in those industries, so the victims are willing to pay to have their systems and data back,” Malik notes.

The security firm also found WannaCry targeting machines in finance, technology, energy, food and beverage, and oil and gas organizations.

At the same time, the number of overall ransomware variants dropped dramatically in the first half of 2019, according to Trend Micro’s report. A total of 118 new ransomware families emerged in the first half of 2018, but only 47 new ones debuted in the first six months of this year. That’s because attackers have learned it’s all about quality, not quantity: they have moved from casting a wide net to targeting victim organizations more likely to pay up, which is making them more money overall.

“Variants within a family give additional potency to those attack [new] vectors,” Trend Micro’s Malik says.

Ransomware attacks have become an epidemic among municipalities over the past year – most recently the attack campaign that hit 23 localities in Texas this month. These small government entities are a prime target for obvious reasons.

“Cities have critical systems and not a lot of money for skilled information security people, so they are running thin. Attackers realize that a city cannot simply stop operations, so in many cases they have no choice but to pay,” Malik says. “Note that this comes at a painful local cost. The money isn’t sitting in a bank account; it is funding that would otherwise go to libraries, after-school programs, road repair, emergency services, and other basic needs.”

Overall, Trend Micro spotted a 77% increase in ransomware attack attempts via malicious files, emails, and URLs. Ryuk ransomware was among the hottest and most prolific newer variants going after machines from January through June. Ryuk also tallied the largest ransomware payout of the year, when Riviera Beach, Florida, was infected with Ryuk and paid $600,000 in ransom to the attackers, followed by Lake City, Florida, which shelled out $460,000 in ransom.

“We recognize that the number of older, unpatched, installed systems will remain a target for attackers, whether running ransomware, cryptocurrency mining, botnets, credential harvesting, or other forms of malware,” Trend’s Malik says.

And those older systems don’t appear to be going anywhere fast. Some 48% of small to midsize businesses still run heavily on Windows XP or Windows 7, according to new research from Kaspersky Lab, which found that 41% of consumers run these shuttered or nearing end-of-life operating systems. The security firm’s anonymized telemetry data shows that 47% of SMBs run Windows 7, as do 38% of consumers and very small businesses. Windows 7 will no longer be supported by Microsoft as of January 2020.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/wannacry-remains-no-1-ransomware-weapon/d/d-id/1335659?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple