Question of the week: My phone was lost and there is no way to recover it. Thank goodness I had the data backed up. How do I use avast! Mobile Security to wipe all my information off of it? We’re sorry that you lost your phone. You are not alone. Over one hundred smartphones are […]
Many users in Australia and New Zealand have had their Apple IDs compromised. We are seeing reports on Apple’s support community and social networks that their Apple devices are being remotely locked and held for ransom by someone claiming to be Oleg Pliss, a software engineer at Oracle, who the attackers randomly chose to pin this attack on.
Figure 1. Locked iPhone ransom message
What happened to my Apple device?
Based on initial feedback, a number of Apple IDs have been compromised and used to lock iPhones, iPads, and Macs. It remains unclear exactly how the Apple IDs were compromised, but possible explanations include phishing attempts, weak passwords, or password reuse. A separate breach involving emails and passwords used to login to Apple and iCloud could have facilitated the compromise of the Apple IDs.
Once an Apple ID is compromised, attackers can access the Find My iPhone feature in iCloud. This feature is used to locate your devices if they have an internet connection and turn on the Lost Mode feature. Once Lost Mode is turned on, the attacker can remotely play a sound, lock the device, and display a ransom message.
Whatever you do, do NOT pay the ransom. There is no guarantee that the criminals responsible will unlock your device.
How to deal with a compromised Apple ID
While your devices have been locked, the root issue is the compromise of your Apple ID. First, you should login to your Apple ID account and confirm that your password has not been changed. If it has not, you should immediately secure the account by changing your password. Once changed, make sure you login to your iCloud account and sign out of all browsers just to be safe.
How to deal with a locked device
If you had set a passcode on your device prior to the compromise, you can simply unlock it by inputting your passcode.
However, if you did not set a passcode on your device, then your phone will remain locked. This is because the attacker is required to set a passcode for your device when enabling the Lost Mode feature. In this scenario, you should call Apple support for further assistance. However, most users are reporting that the only option to recover the device is to wipe the device and restore it from a backup.
How to secure your Apple ID and devices
Even if this did not impact you directly, it is a good time to review and implement the following security measures to protect your Apple ID and devices.
At the beginning of April, a vulnerability in the OpenSSL cryptography library, also known as the Heartbleed bug, made headlines around the world. If you haven’t heard of the Heartbleed Bug, Symantec has published a security advisory and a blog detailing how the Heartbleed bug works.
As with any major news, it is only a matter of time before cybercriminals take advantage of the public’s interest in the story. Symantec recently uncovered a spam campaign using Heartbleed as a way to scare users into installing malware onto their computers. The email warns users that while they may have done what they can by changing their passwords on the websites they use, their computer may still be “infected” with the Heartbleed bug. The spam requests that the user run the Heartbleed bug removal tool that is attached to the email in order to “clean” their computer from the infection.
This type of social engineering targets users who may not have enough technical knowledge to know that the Heartbleed bug is not malware and that there is no possibility of it infecting computers. The email uses social and scare tactics to lure users into opening the attached file.
One warning sign that should raise suspicion is that the subject line, “Looking for Investment Opportunities from Syria,” is totally unrelated to the body of the email.
Figure 1. Heartbleed bug removal tool spam email
The email tries to gain credibility by pretending to come from a well-known password management company. The email provides details on how to run the removal tool and what to do if antivirus software blocks it. The attached file is a docx file which may seem safer than an executable file to users. However, once the docx file is opened the user is presented with an encrypted zip file. Once the user extracts the zip file, they will find the malicious heartbleedbugremovaltool.exe file inside.
Figure 2. Encrypted zip file
Once heartbleedbugremovaltool.exe is executed, it downloads a keylogger in the background while a popup message appears on the screen with a progress bar. Once the progress bar completes, a message states that the Heartbleed bug was not found and that the computer is clean.
Figure 3. Popup message
After the fake removal tool gives a clean bill of health users may feel relieved that their computers are not infected; however, this couldn’t be further from the truth as they now have a keylogger recording keystrokes and taking screen shots and sending confidential information to a free hosted email provider.
As detailed in the official Symantec Heartbleed Advisory, Symantec warns users to be cautious of any email that requests new or updated personal information, and emails asking users to run files to remove the Heartbleed bug. Users should also avoid clicking on links in suspicious messages.
Symantec detects this malware as Trojan.Dropper and detects the downloaded malicious file as Infostealer.
Symantec.cloud Skeptic heuristics engine is blocking this campaign and detecting it as Trojan.Gen.
Twitter victims sold spam bots instead of promised “real” promoters.
Read more…
The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. […]
Security matters to everyone, however security of our children is our top priority. We make sure that they are safe at school, home, and on the streets. Equally we need to provide them with a safe experience in the cyberworld. Recently, we published a blog about general online security of the children, which suggested that […]
We’re really excited by the popularity of our Free for Education program. It’s growing so much that we recently reached the 5 million milestone for the number of free licenses issues. This means that over 1/10 computers in schools, libraries and charities in the US could be protected by our enterprise-grade antivirus for FREE already! […]
Kids are online now more than ever with Internet access at home, school and on-the-go with mobile devices. The United Kingdom’s four largest Internet Service Providers have collectively launched Internet Matters, a non-profit organization that helps parents keep their kids safe online. According to Internet Matters, nine in ten kids under the age of ten go […]
FBI、欧州警察組織、その他複数の法執行機関は、Blackshades(別名 W32.Shadesrat)として知られるクリープウェアに関連するサイバー犯罪活動の疑いで数十名を逮捕しました。今回の一斉摘発において、シマンテックは FBI と緊密に連携し、関与した容疑者たちを追跡するための情報を提供しました。今回の摘発作戦により、Blackshades を販売する Web サイトが閉鎖されたため、このマルウェアに関連する活動は大幅に減少すると予想されます。
Blackshades は、初心者レベルのハッカーから高度なサイバー犯罪グループにいたるまで、さまざまな攻撃者によって使用されている有名かつ強力なリモートアクセス型のトロイの木馬(RAT)です。Blackshades は、専用の Web サイト bshades.eu 上で 40 ~ 50 米ドルで販売されていました。手頃な価格で豊富な機能を備えており、攻撃者はこれを使って、侵入先のコンピュータを完全に制御することができます。クリックするだけの簡単なインターフェースから、データを盗み取る、ファイルシステムを閲覧する、スクリーンショットを撮影する、動画を録画する、インスタントメッセージアプリケーションやソーシャルネットワークを操作する、といった処理を実行することができます。
図 1. Blackshades のコマンド & コントロールパネル
今回の逮捕の数日前、FBI は、米国市民を標的とするサイバー犯罪に厳しく対処していくことを宣言し、近日中に捜索、逮捕、起訴を行うという約束を発表したところでした。
図 2. Blackshades の感染件数(2013 年~2014 年)
図 3. Blackshades による被害の上位 5 カ国(2013 年~2014 年)
今回のおとり捜査の一環として、販売元である bshades.eu が閉鎖されたことで、Blackshades の販売と流通には大きな影響があるでしょう。2014 年の Blackshades の活動は大幅に減少すると予想されます。クラック版のビルダーやソースコードは Web 上のいくつかのフォーラムに残ってはいますが、サイバー犯罪者は他のトロイの木馬に移行し始めると予想されます。
Blackshades に対する摘発活動はこれが初めてではありません。FBI は 2012 年、Blackshades プロジェクトへ関与した疑いで、他の 20 名以上と共にマイケル・ホーグ(Michael Hogue)容疑者(別名 xVisceral)を逮捕しました。しかし、その後も販売は継続され、2013 年も Blackshades の活動は増加を続けました。
サイバー犯罪グループは、高度に組織化された攻撃によって数百万ユーロを獲得し、Blackshades に感染したコンピュータを使って巨額の資金移動を行っています。Francophone と呼ばれる最近の活動では、フランスの企業を標的とする金銭の詐取を狙った攻撃で、高度なソーシャルエンジニアリングの手口の一環として Blackshades が使われました。Blackshades 活動に関連する損害の総額を正確に算出するのは困難ですが、個々の事例から推測すると莫大な損失が出ていると考えられます。また、アラブの春においては、政治的な動機による攻撃でも Blackshades が確認されています。騒乱中にリビアとシリアでは、政治活動家を標的として Blackshades の亜種(W32.Shadesrat.C)による攻撃が行われました。
シマンテックは、今回の FBI による摘発を歓迎するとともに、今後も法執行機関および民間のパートナーと協力して、ますます高度化するサイバー犯罪活動に対処いたします。
保護対策
シマンテック製品をお使いのお客様は、以下の検出定義によって Blackshades から保護されています。
ウイルス対策検出定義
侵入防止シグネチャ
シマンテック製品をお使いでない場合に Blackshades として知られるクリープウェアに感染した疑いがあるときは、無償のノートン パワーイレイサーを使ってシステムから除去することができます。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Google Drive phishing page served over SSL from the legitimate Google Drive service itself.
Read more…