This year’s National Small Business Week is upon us, with 50 years of energy behind it. The occasion is sponsored by the US Small Business Association, celebrating how small businesses are critical to an economy of growth and job creation.
The mo…
Should you go mobile? Should you expand your retail business online? Should you build a website and do transactions? What does the Australian shopper want, really? The universal truth is that the entire world is moving digital, and cell phone usa…
FakeAV software is a type of scam using malware that intentionally misrepresents the security status of a computer and attempts to convince the user to purchase a full version of the software in order to remediate non-existing infections. Messages continue to pop up on the desktop until the payment is made or until the malware is removed. This type of fraud, which typically targets computers, began several years ago and has now become a household name. The scam has evolved over time and we are now seeing FakeAV threats making their way onto Android devices. One interesting variant we have come across, detected by Symantec as Android.Fakedefender, locks up the device just like Ransomware. Ransomware is another well-known type of malware that takes a computer hostage, by denying the user access to their files for example, until a payment/ransom is handed over.
Figure 1. Screenshot of FakeAV Android app
Once the malicious app has been installed, user experience varies as the app has compatibility issues with various devices. However, many users will not have the capability to uninstall the malicious app as the malware will attempt to prevent other apps from being launched. The threat will also change the settings of the operating system. In some cases users may not even be able to perform a factory data reset on the device and will be forced to do a hard reset which involves performing specific key combinations and/or connecting the device to a computer in order to perform a reset using software provided by the manufacturer. If they are lucky, some users may be able to perform a simple uninstall due to the fact that the app may crash when executed because of compatibility issues.
Please take a look at the following video to see how FakeAV can lock up a device.
<!–
By use of this code snippet, I agree to the Brightcove Publisher T and C
found at https://accounts.brightcove.com/en/terms-and-conditions/.
–><!–
By use of this code snippet, I agree to the Brightcove Publisher T and C
found at https://accounts.brightcove.com/en/terms-and-conditions/.
–>
We may soon see FakeAV on the Android platform increase to become a serious issue just like it did on computers. These threats may be difficult to get rid of once installed, so the key to staying protected against them is preventing them from getting on to your device in the first place. We recommend installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. Malicious apps can also be avoided by downloading and installing apps from trusted sources. For general safety tips for smartphones and tablets, please visit our Mobile Security website.
Symantec detects this malware as Android.Fakedefender.
On June 20, Anonymous will launch the #OpPetrol campaign. It was announced on May 11, shortly after the campaign called #OpUSA began.
These types of attacks are often similar, as we have seen in previous operations, and may include:
There are various ways attackers may target these organizations, including using tools like the LOIC (Low Orbit Ion Cannon) or phishing emails to trick recipients into revealing account login details.
Symantec advises organizations to be prepared for attacks in the coming days.
Organizations should monitor for unusual activities in their networks, particularly any attempts to breach the perimeters. Staff members should be specifically trained on social engineering mitigation tactics along with regular security awareness training. As always, we continue to stress the importance implementing a multi-layered approach to defense.
These recommendations apply to all organizations as best practices that should be carried out regularly as most attackers do not provide warnings in advance to targets.
JustSystems, developer of the Japanese word processor software called Ichitaro, recently announced a vulnerability (CVE-2013-3644) that has been exploited in the wild. Symantec has seen the exploitation being used in targeted attacks since May, but it…
For sports fans, the most exciting time of the year is the post season. It is when the underdogs have a chance to topple the better teams in the league, or last year’s champions are trying to win it again. Depending on the sport, these events can draw a lot of viewers, whether it is a single event or a seven game series. So, its no surprise there are sites that claim to offer fans the ability to watch these events online.
Right now, we are in the midst of the NBA finals pitting some of the finest players in the league against each other in their quest to win it all. The series was just tied 2-2 before Game 5 on Sunday. On that day, some Facebook users may have seen pages offering a free live stream of the game.
Figure 1. Free live NBA Finals stream posted on Facebook
Facebook users may also see posts about NBA Finals live streams linking to a page hosted on Tumblr.
Figure 2. Free live NBA Finals stream page on Tumblr
When a user selects “YES I AGREE” on the Tumblr page they are redirected back to Facebook and asked to install an NBAFinals Facebook application.
Figure 3. Scam NBAFinals Facebook app, permissions request
This Facebook application requests access to your profile, friends list, and email address. If a user grants permission, the application will request more permissions.
Figure 4. Scam NBAFinals Facebook app requests additional permissions
In addition to posting to your friends on your behalf, the scam Facebook application requests more permissions that do not make any sense for an application to have in order to enjoy free live streaming, such as access to manage your Facebook pages.
Even worse, after the application installs, users are redirected to another Tumblr site and asked to spread the scam on Facebook before proceeding.
Figure 5. Scam NBA Finals site asks users to share on Facebook
Figure 6. NBA Finals scam spreads on Facebook
For the user, after all this, there is no live stream presented. Instead, users will see a video player that doesn’t work. Clicks on the video player redirects users to a plugin install page that earns the scammers money through affiliate links.
Figure 7. NBA Finals scam page contains no live stream
There are some references in the final page to other sites that claim to offer live streams of the game. These pages are not official however, and these types of streaming sites are prohibited.
For the scammers, getting the user to install their Facebook application keeps the scam going because the application posts messages to your timeline on your behalf.
Figure 8. Scam NBAFinals app timeline post on Facebook
In cooperation with Symantec, Tumblr has removed the sites associated with this scam and we have reported the application to Facebook.
Users should be aware which applications they install on Facebook, especially when looking for special features or access to websites that offer live sport streams. If it seems suspicious, most likely it is.
Hospitality is the friendly bonding between the guest and host, especially efforts to make the guest feel comfortable. Spammers exploit hospitality events, and the bond between guest and host, with fake promotional offers. We are currently observing an increase in spam messages which exploit hospitality offered by major events, festivals, and concerts. The spam messages invite users to watch the events at entertaining venues happening in different places. Hospitality spam tries to entice users with bogus offers such as the following:
Figure 1. British Grand Prix hospitality spam
Figure 2. Ashes Series hospitality spam
A variety of subject lines have been observed in the hospitality spam attacks, such as the following:
The “From” address associated with these hospitality spam emails include the following:
The main motive of these spam campaigns is to lure recipients by providing fake promotional offers and asking users to reply with questions about the event to the spam domain which is only registered for a year and hosted in the United Kingdom.
Symantec advises our readers to use caution when receiving unsolicited or unexpected emails. We are closely monitoring these spam attacks to ensure that users are kept up to date with information on the latest threats.
You know just what a boon SSL can be to your business when it comes to keeping your transactions safe, ensuring that your sensitive information – such as credit card numbers, social security numbers and login credentials – is transmitted se…
寄稿: 篠塚大志
マルウェアの作成者は、より巧妙な手口を求めて常に新しい方法を模索しています。サイバー犯罪者の前にはシマンテック保護技術がいくつも立ちふさがり、ユーザーのセキュリティ意識も高くなっているため、彼らの攻撃が成功することはますます難しくなってきました。
最近の調査で、シマンテックは Word13.exe という変わった名前のサンプルを発見しました。外見だけからすると、デジタル署名された Adobe 社製のファイルのように見えます。
図 1. Adobe 社の署名の付いた Word13.exe ファイル
図 2. 偽のデジタル署名のプロパティ
しかし、よく調べてみると、実に興味深い点に気づきます。
図 3. 偽の署名と証明書
これが偽物であることは、[発行者]フィールドに「Adobe Systems Incorporated」と書かれていることでわかります。Adobe 社は VeriSign 製品の顧客だからです。また、証明書の情報を見ると、CA ルート証明書を信頼できないこともわかり、これも決定的な証拠になります。
図 4. Adobe 社の正規の署名と証明書
シマンテックは、このファイルに対する保護対策を提供しており、Backdoor.Trojan として検出します。
Backdoor.Trojan は、自身を実行して iexplore.exe または notepad.exe にインジェクトし、バックドア機能を開始します。
作成される可能性があるファイルは、以下のとおりです。
また、ポート 3337 で以下のコマンド & コントロール(C&C)サーバーに接続します。
そのうえで、このトロイの木馬は以下の処理を実行する可能性があります。
このマルウェアの被害を受けないように、ウイルス対策定義を常に最新の状態に保ち、ソフトウェアも定期的に更新するようにしてください。ダウンロードの URL が提示された場合には、必ずその URL を再確認し、必要に応じて念のために証明書と署名を確認してください。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Contributor: Hiroshi Shinotsuka
Malware authors are always seeking new ways to hone their craft. As cybercriminals are facing a multitude of preventative technologies from Symantec and users are becoming more security conscious, it is becoming increasingly difficult for the bad guys to win.
Recently, during research, we came across an oddly named sample, Word13.exe. Upon first glance, it appears to be a digitally signed file from Adobe.
Figure 1. Fake digital signature properties
But upon closer inspection we found something very interesting.
Figure 2. Fake signature and certificate
It’s fake, as the “Issued By” field says “Adobe Systems Incorporated” – Adobe is a VeriSign customer. Also, in the certificate information, we see that the CA Root certificate is not trusted – another dead giveaway.
Figure 3. Legitimate Adobe signature and certificate
Symantec has protection in place and detects this file as Backdoor.Trojan.
Backdoor.Trojan will execute and inject itself into iexplore.exe or notepad.exe and start a back door function.
It may create following files:
It connects to the following command-and-control (C&C) server on port 3337:
This back door may then perform the following actions:
To ensure that you do not become a victim of this threat, please ensure that your antivirus definitions are always up-to-date and that your software packages are also regularly updated. Always double check the URL of the download that is being offered and, if applicable, check the certificate and signature just to be safe.