New MacOS Virus Emerges

I have stated this time and time again to my Apple friends. While MacOS has historically been more secure than Microsoft’s Windows, it is NOT because Apple has a secret security sauce. Apple’s “lead” in the security arena can basically be found in the numbers.

Cyber criminals want the biggest bang for their hard cyber-crime work. Writing malware, ransomware and trojan horses for Windows rather than MacOS simply hurts more people, because many more people use Windows than MacOS.

This latest story demonstrates that yes, Apple’s MacOS is indeed vulnerable, just like Windows, just not as often.

While Mac malware tends to be a rather rare occurrence, Ars Technica is now reporting that security researchers have discovered two separate, new MacOS viruses that rely on old Windows tricks to get into your laptop and steal your data.

One of the attacks, documented by software firm Objective-See, exploits an established Windows technique which hides and executes malicious code using Word document macros.

The hack tricks unsuspecting users into opening infected Word documents which subsequently run malicious macros once the file has been loaded. The good thing is that it’s fairly easy to identify infected files prior to opening them.

Anytime you open a Word file containing macros, your device will ask you for permission. Denying permission on its own is enough to prevent the malware from spreading.

But if you click ‘run’, all sorts of bad things could happen: A hacker could spy on you or pull your browsing history, or they could initiate a secondary infection by downloading additional malware.

More MacOS malware

While also inspired by older Windows exploits, the other recently found malware, uncovered by researchers from Iran Threats, appears to be slightly more advanced.

Unlike the previous example, which used an infected Microsoft Word document as its attack vector, this one is merely disguised as a legitimate application.

The virus essentially prompts users to download and install a fake software update. It then proceeds to harvest the user’s Keychain and phish for usernames, passwords and any other credentials, before eventually relaying the recovered data back to the attacker.

The best way to avoid this attack is to simply refrain from downloading software from third-party or untrusted websites. The safest route is to download updates straight from the App Store or simply from the official website of the app-maker in question.

While exploits for MacOS are still mostly a rarity, Apple has dealt with a litany of bugs and glitches for iOS in recent months.

Not too long ago, numerous iOS users reported their devices had frozen after a malicious three-second video spread on the internet. In another similar case, thousands of users reported experiencing unexpected shutdowns after trolls discovered a glitch in iOS that could crash any device by just sending a short text message.

The Evolution of the Trojan Threat

As the news about an old Trojan known as Betabot sadly demonstrates, the cyberthreat we all face from infected and malicious software seems to be evolving to another level.

What is Betabot?

Previously, Betabot was primarily a banking information stealing Trojan, a password stealing Trojan, and a botnet, but it appears that the old school malware is now looking to capitalize on the current ransomware trend.

The Evolution of a Trojan

Now Betabot has become the first known case of a weaponized document carrying password-stealing malware that also calls ransomware as a second-stage attack.

In a new report on the threat, Patrick Belcher, Senior Director of Threat Research at Invincea, explains that the malware packs virtual machine awareness and can check for some sandboxes, which helps it evade detection and analysis. What’s more, Betabot was observed last week being delivered by the Neutrino exploit kit, the researcher says.

As Always Be Very Cautious With Email Attachments

The infection campaign relies on weaponized documents delivered as email attachments, and on social engineering to trick users into enabling macros. The attachments claim to be resumes, but, once the malicious macros have been enabled, malware capable of scraping all passwords stored in local browsers is served. The email campaign attempted to infect thousands of victims, Belcher notes.

Although Betabot has no further use of the compromised machine once it manages to steal passwords, a second-stage attack was also observed. In this new stage the malware deploys the Cerber ransomware on the endpoint. By taking this approach, the malware’s operators are looking to increase their profits.

A single IP (93[.]174.91.49) is used for both Betabot and Cerber, and Belcher explains that the malware authors switched between the two sometime between August 11 and August 16. Weaponized documents called resume.doc were serving Cerber before Aug. 11, but they started delivering Betabot (as bb.exe, bbcrypt.exe, and diablo.exe) on Aug. 16.

“This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack. This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques,” Belcher concludes.

Avoiding Betabot and Other Dangerous Exploits

You can avoid these dangerous exploits by doing the following:

  • Keep good and up-to-date security software on your PC. I recommend Kaspersky Lab.
  • Use a password manager so that you can have strong, unique and encrypted passwords. I recommend LastPass.
  • Never open unsolicited attachments in your email. If you are not sure about an attachment, contact the sender and confirm its legitimacy before opening it.
  • Be wary of clicking on hyperlinks to websites you are not familiar with.

All of this will help protect you from security exploits like Betabot.

Microsoft’s New Critical Flaw Uses Printers as a Weapon

Microsoft has patched a security vulnerability found in every supported version of Windows, which if exploited could allow an attacker to take over a system.

Microsoft reported in a bulletin posted today, as part of its monthly release of security fixes, that a recently discovered “critical” flaw could let an attacker remotely install malware, which could then be used to modify or delete data, or create new accounts with full user rights.

The “critical”-rated flaw affects Windows Vista and later.

Those who are logged in as an administrator, such as some home accounts and server users, are at the greatest risk.

An attacker could exploit the flaw by conducting a man-in-the-middle attack on a system or print server and injecting malicious code. That’s possible because the print spooler service doesn’t properly validate print drivers when installing a printer.

The security flaw works like this.

Normally, User Account Controls are in place to warn or prevent a user from installing a new driver. To make printing easier, an exception was long ago created to avoid this control. This printer exception creates a mechanism that allows executables (usually very bad ones) to be downloaded from a shared drive and then run without generating any warning on the user’s side. This is a dream come true for cyber criminals.

The result of this printer exception for executables is that our printer is turned into a “drive-by exploit kit”.

Finding & Killing HummingBad

Yesterday I reported that over 80 million Android devices could eventually be infected with the malware known as “HummingBad”. If you have an Android you are probably asking yourself, “How do I know if my phone is infected?”

HummingBad has reportedly infected an astounding 10 million devices already, with over 280,000 of those infections estimated to have taken place in the US. Unfortunately, chances are that even if you’ve been hit, you won’t know about it.

So how can you find out if your Android device has HummingBad?

Although the existence of mobile malware is frustrating, mobile app developers and security groups have had time to respond, which means that there are many apps on Google Play that can detect the bad software. As CNET suggests, if you haven’t installed anything yet, look to apps like Avast, Bitdefender, AVG and Zone Alarm to keep your phone safe from unwanted intruders. Of these options AVG is my favorite for Android devices.

If your chosen app happens to detect HummingBad on your phone, sadly there’s really only one way to deal with it: a factory reset. Yes, it’s a pain, but it’s almost certainly preferable to putting your data at risk.

Once you’ve removed the malware, it might be time to reexamine your downloading practices. If you’ve downloaded an app from an untrusted source in recent weeks, there’s a high probability that that’s where you installed HummingBad. In the future, try to limit your downloads to the Google Play store.

But whether or not you were unlucky enough to catch HummingBad, this issue is likely only going to get worse in the future. In Check Point’s report, they claim that a “dangerous trend will escalate as other groups learn from Yingmob [the creators] and find new ways to achieve the independence they need to launch larger and more sophisticated attack campaigns in the future.”

Over 80 Million Androids Affected With HummingBad

A malware program created by a Chinese hacking collective has gained control of 85 million Android devices, which the group is reportedly exploiting to the tune of $300,000 a month. The group, which researchers say is responsible for developing the HummingBad malware campaign, represents a dramatic increase in the organization and capabilities of hacking groups.

Dubbed Yingmob, the hacking group is also believed to be the brains behind the iOS malware campaign known as Yispecter, which I reported on back in October 2015. The group is highly organized and unbelievably works in tandem with a legitimate Chinese advertising analytics company.

Understanding HummingBad

The malware consists of a persistent rootkit, which the hackers install on Android devices. The group then uses that rootkit to generate fraudulent ad revenue and install additional fraudulent apps. Yingmob has 25 employees organized into four different groups who are responsible for developing HummingBad’s malicious components, according to Check Point researchers.

Yingmob’s efforts have paid off. The group has been able to achieve self-sufficiency, proving that hacking groups can now generate enough income from their illegal activities to sustain themselves indefinitely. But financial gain is only the tip of the iceberg, according to the researchers.

The hackers try to root thousands of devices every day, and are able to successfully get their malware installed on devices hundreds of times each day. Yingmob can then use those devices to create a botnet, enabling the group to launch more targeted attacks against businesses and government agencies, or even sell the access it has gained on the black market.

Avoiding HummingBad & Other Nasty Infections

Mobile devices today are becoming more and more susceptible to malware and other security exploits. As mobile devices continue to become, for many, their primary way of communicating with the world, these devices are also going to gain in popularity as targets for cybercrime. The best way to avoid these very real security problems is to only install apps on your mobile devices from the official app store and to take a few minutes to read the reviews. If there are no reviews or bad reviews, simply move on to another app.

Also, just like on your PC, do not visit questionable websites and do not – never ever – click on hyperlinks or attachments in your email unless you are 100% certain that they are legitimate.

Avoiding Email Scams with 10 Easy Tips

Recently I have been asked about a couple of suspicious email messages, both of which were of course not legitimate messages but scams in which the sender, a truly bad guy, was “phishing” in order to steal money from the recipient.

Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no one single technique that works in every situation, but there are a number of things that you can look for.

This article lists 10 of them.

1: The message contains a mismatched URL

One of the first things I recommend checking in a suspicious email message is the integrity of any embedded URLs (or website addresses). Often the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the URL, you should see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is more than likely fraudulent or malicious.

2: URLs contain a misleading domain name

People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the telling one. For example, the domain name would be a child domain of because appears at the end of the full domain name (on the right-hand side). Conversely, would clearly not have originated from because the reference to is on the left side of the domain name.

I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this:

I have found that sadly this often works because most people trust companies like “Microsoft” and “Apple”, so when long-standing names like these are used, people often let their guard down. The lesson here is to never let your guard down when it comes to email messages.
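As an added illustration of Tips 1 and 2 (example code written for this page, not the author’s), the script below pulls every hyperlink out of a constructed HTML message, flags links whose visible text names a different site than the real target, and flags hostnames where a trusted brand appears only as a child label to the left of someone else’s domain. The TRUSTED_DOMAINS list, the sample message and the example.net / .example names are all assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the reader actually trusts (example values).
TRUSTED_DOMAINS = ("microsoft.com", "apple.com")


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL or bare domain."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host):
    """Right-most two labels decide who owns a name; anything further left is
    a child label the owner picks freely (multi-label suffixes like co.uk ignored)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def looks_like_url(text):
    return re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", text) is not None


def check_link(href, text):
    """Return human-readable warnings for one hyperlink (empty if clean)."""
    warnings = []
    real_host = host_of(href)
    real_domain = registrable_domain(real_host)
    # Tip 1: the displayed text is a URL, but the real target is somewhere else.
    if looks_like_url(text) and registrable_domain(host_of(text)) != real_domain:
        warnings.append(f"shows {text!r} but actually links to {real_host}")
    # Tip 2: a trusted brand shows up only as a child label of another domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in real_host.split(".") and real_domain != trusted:
            warnings.append(f"{brand!r} is just a child label of {real_domain}")
    return warnings


def scan_message(html_body):
    """Map every href in an HTML message body to its list of warnings."""
    collector = AnchorCollector()
    collector.feed(html_body)
    return {href: check_link(href, text) for href, text in collector.links if href}


# Constructed sample: a genuine link, a mismatched link, and a brand used as a
# child label. example.net and .example are placeholder names, not real sites.
SAMPLE_MESSAGE = """<p>Your account needs attention.</p>
<a href="https://www.apple.com/support">https://www.apple.com/support</a>
<a href="http://login.example.net/verify">https://www.microsoft.com/account</a>
<a href="http://apple.com.account-check.example/update">Update now</a>"""

if __name__ == "__main__":
    for href, problems in scan_message(SAMPLE_MESSAGE).items():
        print(href, "->", problems or "looks consistent")
```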

3: The message contains poor spelling and grammar

Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality, among other things. So if a message is filled with poor grammar or spelling mistakes, it probably did not come from a major corporation’s legal department.

4: The message asks for personal information

No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank does not need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

5: The offer seems too good to be true

There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

6: You didn’t initiate the action

Just yesterday I received an email message informing me I had won the lottery! The only problem is that I have never-ever bought a lottery ticket. If you get a message informing you that you have won a contest you did not enter, you can bet that the message is a scam.

7: You’re asked to send money to cover expenses

One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message. But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

8: The message makes unrealistic threats

Although most of the phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

Just recently a workmate received an official-looking email that was allegedly from a co-worker. The email went on to ask for our “account number” and “routing number”. Although it appeared to be an email from one staffer to another, the email originated from a hidden domain and, as I mentioned in Tip #3, the spelling and grammar were poor.

Also, as I mentioned in Tip #4, legitimate companies will not ask for sensitive information by email, and you, of course, should never, ever send this type of information via email.

9: The message appears to be from a government agency

Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes they will send messages claiming to have come from a law enforcement agency like the IRS, the FBI, or just about any other entity that might scare the average law-abiding citizen.

I can’t tell you how government agencies work outside the United States. But here, government agencies do not normally use email as an initial point of contact. That isn’t to say that law enforcement and other government agencies don’t use email. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion.

10: Something just doesn’t look right

In Las Vegas, casino security teams are taught to look for anything that “JDLR”, or “just doesn’t look right”, as they call it. The idea is that if something looks off, there’s probably a good reason why. This same principle also applies to email messages. If you receive a message that seems suspicious, it is usually in your best interest to avoid acting on the message.

MAC’s First Malware Threat Exposed

I have been suggesting this for years. There is no magic Apple potion that prevents security scourges such as viruses, Trojan horses and malware from infecting MAC operating systems. Their secret to avoiding these security issues was not in code but in market share. Windows has struggled with these security issues because its 98% market share was so enticing to cyber-criminals.

Well now it seems that MAC users need to be on alert for security threats just like Windows users.

This is because the first-ever fully functional ransomware that targets Apple’s Mac OS X operating system, dubbed “KeRanger”, has recently been identified.

As its name suggests, ransomware is malicious software that holds computing assets ransom. The software blocks users from accessing computer systems until a ransom is paid, typically in digital currency, such as bitcoins, which is hard to trace.

KeRanger was first observed in two installers of the Transmission BitTorrent client, just hours after the installers were first posted. The ransomware still appears to be under active development and may change its behavior in the future, according to the researchers.

Ransomware Still Under Development

Once a user installs the infected apps, an embedded executable file is launched on the individual’s system, according to Palo Alto Networks. The ransomware then waits three days before connecting with command and control servers over the Tor network. It then begins encrypting certain types of document and data files on the user’s system. After completing the encryption process, KeRanger demands the victim pay one bitcoin (about $400) to a specific address to retrieve the files.

Apparently KeRanger is still under development, given that several functions within the malicious app’s code appear to be finished but are not used in the current version of the malware.

First Active Mac Ransomware

Apple said it has since revoked the abused certificate, and Gatekeeper will now block the malicious installers. Apple has also updated its XProtect signatures to cover the family, and the signature has been automatically updated to all Mac computers. The Transmission Project removed the malicious installers from its Web site as of March 5.

Nevertheless, that still leaves plenty of users who may have inadvertently downloaded the infected files over the weekend. Palo Alto Networks is providing a list of security checks at its Web site for users to employ to ensure their systems are safe.

Although the threat seems to have been uncovered and countered relatively quickly, the appearance of ransomware targeting the Mac platform could be considered a frightening new development. KeRanger is not the first piece of OS X ransomware to be discovered — that was FileCoder, discovered by Kaspersky Lab in 2014. However, FileCoder was incomplete at the time of its discovery, making KeRanger the first fully functioning piece of ransomware to attack Macs.

Android Malware Alert – Avoiding Mazar BOT!

If you have an Android Smartphone be sure to read this article.

A new and nasty malware lets hackers gain administrator access to Android devices using only text messages. The malware, dubbed Mazar BOT, was discovered recently.

What is Mazar BOT?

Mazar BOT allows an attacker to make, send, and receive SMS messages from the compromised device, make phone calls, access the Internet, and even erase the device completely, according to a blog post by the company.

The attack works by sending a text message informing the user that he has received a multimedia message and instructing him to click on a link to download it. When a user clicks on the link, a malicious APK (Android application package file) is downloaded instead, which in turn retrieves Tor, a legitimate Android app, and installs it on the device. Once the Tor app is installed, the malware can surf the Internet anonymously via the Tor network. It can then send the data and other communications it steals over the anonymous network.

Complete Remote Control of Your Android

The hack opens users up to a veritable Pandora’s box of malicious behavior. Among other things, Mazar BOT lets an attacker open a backdoor to a device, as well as monitor, and control the device remotely. The hacker can also force the device to send premium SMS texts to run up a user’s phone bill. By reading SMS texts, the hackers can read identification codes sent as part of two-factor authentication mechanisms.

That capability already gives the hackers a massive amount of control. But the Mazar BOT is only part of the attack. The hackers also set up a Polipo proxy, which criminals can use to mount man-in-the-middle attacks between victims’ phones and Web services, and can stop phone calls and launch other aggressive commands.

The malware is also able to inject itself into the Chrome server, compounding the damage. And it can give the attacker control of a device’s buttons, enable a phone’s sleep mode, and save actions in the phone’s settings.

Avoiding This Hack

Users with Android phones are urged not to click on links in SMS messages, as they are particularly vulnerable to attacks through that vector. Android users should also change their security settings to prevent apps from sources other than the Google Play store from being installed.

Cyber Threat Shifts from Spam to Malware

There may finally be some good news in the war against spam. The overall percentage of spam among e-mail messages dropped to an amazing 49.7 percent last month, the lowest level since 2003. This is the first time the figure has been below 50 percent in more than a decade, according to a new study by Symantec.

Symantec reported these figures in its “Symantec Intelligence Report” for the month of June. Enterprises in the mining sector had the highest spam rate, at 56.1 percent, according to the report. The manufacturing sector was a close second at 53.7 percent. The finance, real estate, and insurance sectors had the lowest of any industry, at 51.9 percent.

It is apparent that spammers treat all businesses the same with regard to size. On average, companies experienced a spam rate of between 52 percent and 53 percent no matter the number of employees. The only variance to this pattern was companies with 251-500 employees, which experienced a 53.2 percent spam rate.

Spam Appears on the Decrease While Malware Increases

Despite the good news with spam, there were several troubling observations I found in Symantec’s report. There was a grand total of 57.6 million new malware variants reported in June, up from 44.5 million created in May and 29.2 million in April. The increase in malware variants indicates something that many of us already knew: hackers are changing tactics and shifting to the very dangerous cybercrime tool of malware, as opposed to spam and phishing.

In addition to the increase in malware variants, ransomware attacks were up in June, with over 477,000 detected during the month. While still below the levels seen at the end of 2014, June represented the second month in a row that ransomware attacks increased since reaching a 12-month low in April. Crypto-ransomware was also up in June, reaching the highest levels since December.

On social media, meanwhile, hackers continued to rely primarily on manual sharing attacks, which require victims to propagate the scam by sharing content themselves.

Firefox Blocks Flash

Mozilla has blacklisted all vulnerable versions of Adobe Flash in its Firefox browser, following the discovery of numerous critical security flaws in the platform.

Today Mark Schmidt, head of Firefox Support, took to Twitter to announce the change.

This news comes just a day after Facebook’s chief security officer Alex Stamos called for moves to force the extinction of Flash, as the plugin is widely reported to be used to spread malware on users’ systems via security exploits in Flash.

Three major Flash vulnerabilities were recently discovered when 400GB of security firm Hacking Team’s internal documents and product source code were leaked online. Adobe is aware of the issues and has said that it will release a fix this week.

Mozilla has noted that Flash will remain blocked until Adobe releases a version that isn’t being actively exploited by publicly known vulnerabilities.

With a major browser blocking the plugin by default and working on other alternatives, it may finally be too late for Adobe to rescue its aging multimedia platform.
