Banking Malware ‘Dridex’ is Back!

We’ve all had that moment, those unwanted pop-ups and advertisements on your computer that make you suddenly realise “I’ve got a virus”. It’s one of the things we tend to think happens to others but it can happen to anybody and with the internet it’s easier and easier to spread malicious software, or malware, around the world. One piece in particular has reappeared, this time targeting your online banking experience.

Dridex has made several appearances before, such as when the NCA estimated its cost to the UK at around £20 million. IBM’s X-Force has found a more recent version of the malware, and it has a whole new trick up its sleeve. By targeting the DNS (Domain Name System), instead of taking you to your bank’s website, Dridex now sends you to a fake site. From there, users enter their details believing everything to be fine, only to have handed their login details over to the malware.

The issue with this is that you can be on the “right” website: the page looks normal, the web address is correct and everything else that makes you trust the site is in place, but it’s only once you’ve logged in that you realise there is nothing right about it.

13 of the UK’s largest banks have had their websites replicated, which may not seem like many, but if you count how many times people check their bank accounts online, even taking a few pounds from each of them could quickly add up to millions.

The malware is spread in several ways, one of the most common being a manipulated Office document. As a result we remind our readers that attachments are like candy: never accept them from strangers, and if you are not expecting them, be extra careful!

Netflix Debates Geoblocking and VPN Use

Following its global rollout to over 130 countries, Netflix has been discussing the reality of its users bypassing geoblocked content via VPN services, admitting that it’s “not obvious” how to prevent it, The Globe and Mail reports. The technique of using VPNs, proxies, and DNS spoofers to access Netflix content in other countries has become widespread, especially in territories like Canada, citizens of which have access to only limited Netflix TV and movies, for which Ted Sarandos, Chief Content Officer for Netflix, blames “sliced and diced” territorial rights deals.

“Our ambition is to do global licensing and global originals, so that over maybe the next five, 10, 20 years, it’ll become more and more similar until it’s not different,” said Neil Hunt, Netflix’s Chief Product Officer, during CES 2016 in Las Vegas last week. “We don’t buy only for Canada; we’re looking … for all territories; buying a singular territory is not very interesting anymore.”

Netflix in Canada also has to deal with cable providers such as Bell Media, which ‘protects’ its content to a fault, with CEO Mary Ann Turcke shopping her own daughter for bypassing Netflix’s geoblocking with a VPN, accusing her of “stealing”.

“We do apply industry standard technologies to limit the use of proxies,” Hunt added. “Since the goal of the proxy guys is to hide the source it’s not obvious how to make that work well. It’s likely to always be a cat-and-mouse game. [We] continue to rely on blacklists of VPN exit points maintained by companies that make it their job. Once [VPN providers] are on the blacklist, it’s trivial for them to move to a new IP address and evade.”

Netflix, however, hopes that users bypassing its geoblocks will become a thing of the past with global licensing deals. “When we have global rights, there’s a significant reduction in piracy pressure on that content. If a major title goes out in the U.S. but not in Europe, it’s definitely pirated in Europe, much more than it is if it’s released simultaneously,” Hunt said.

Anonymous Claims They Are Responsible for Crippling Turkey

Anonymous has made recent news by taking part in, and claiming responsibility for, hacks against several large groups, its latest campaign being aimed at ISIS (now more commonly known as ISIL or Daesh), with splinter groups even supplying the FBI with information. Now it would seem that they are not only directly attacking the group but also those that might support it.

According to reports from Radware, and a claim on the group’s own Twitter account, they were part of an operation that took down a number of Turkey’s websites.

The group claims it is targeting Turkey because of Erdogan’s support of ISIS, including directly funding the group by purchasing oil from it.

With several servers working at peaks of 200 Gbps, the attack is stated to have left more than 400,000 websites down across Turkey and internet traffic throughout the country intermittent at best.

The attack was so bad that eventually all traffic to the country was cut off in an attempt to shut it down; however, the attack was still going on several days later.

The claims are considered strong with Anonymous later posting links to a news site claiming that a telephone found on an ISIS commander contained messages from Turkish Intelligence Services.

One thing can be said for sure, though, Anonymous are known for conducting large-scale cyber attacks and organising something like this would not be out of the ordinary for them.

Large Scale DDoS Attempted Take Down of DNS Root Servers

Someone actually tried the impossible on two separate occasions, to take down the internet’s backbone. They did ultimately fail for multiple reasons, but at the same time, they actually got a surprisingly good result out of their attack.

Early last week the Internet’s DNS root servers, which are the authoritative reference for mapping domain names to IP addresses, were hit with a flood of as many as 5 million queries per second for up to three hours, with the goal of crashing the servers. The Distributed Denial of Service (DDoS) attacks took place on November 30th and December 1st.

The DDoS attack effectively managed to take 3 of the 13 DNS root servers offline for a couple of hours, which in itself is quite impressive. It does not, however, have any real effect on the world, due to the nature of DNS’s structure. DNS servers are built up in a mesh structure, which means that you’d need to take down all of them at the same time to have any real effect, and that includes the thousands of DNS servers that users connect to from their ISPs as well as all the public ones. Should the request to one DNS server fail, another will jump in and you’ll merely see a minor delay and no breakdown.

According to an analysis published by the root server operators on Tuesday, each attack fired up to 5 million queries per second per DNS root name server, and that was enough to flood the network and cause timeouts on the B, C, G, and H root servers.

At this time, there is no indication of who or what was behind these large-scale DDoS attacks. The source IP addresses used in the attacks were very well distributed and randomized across the entire IPv4 address space, so there is no clue to go by. The same goes for the motive; maybe it was a ‘let’s see if we can do it’ thing.

Exploit Found In Netgear Routers

So we’ve all had those periods where we come home and think our stuff has been moved around, you know when you think you’ve put your keys down beside the door and you find them on the sitting room table. Now imagine that you came home and found that some of your technology has had its settings changed, and most worryingly the technology in question is your router, the central point for all your devices to enter the world wide web. Turns out this happened to Joe Giron when he found out that his router had its settings changed on the 28th September.

Joe Giron told the BBC that he had discovered that some settings, not any settings, but the admin settings on his personal router had been changed. After the device was changed it began to send web browsing data to an internet address, clearly for a malicious reason.

The router in question is one of Netgear’s, a known brand all around the world. Netgear has accepted that the vulnerability that Giron was affected by is “serious” but will affect less than 5,000 devices.

The problem is that the data that was changed was the domain name server setting, normally set to your ISP’s servers or, in this case, Google’s. The DNS transforms web addresses into formats which computers can understand, most commonly a form of IP address. With control over these settings it’s not only possible to track visited sites but also to redirect the user to whichever site you want.

Updated:

It has been confirmed by Netgear that an update to deal with this issue will be released on the 14th October. Affected users will be prompted to update their firmware if they log into their admin settings or have the Netgear genie app installed on any connected device.

Thank you BBC for the information.

Roaming The Open World Of GTA V Money Generator Scams

Grand Theft Auto is a franchise which has captured the imagination of fans with an engrossing open player world and regular updates which never fail to entertain. But with every tech development lies the reality of scammers and hackers who regularly target consumers with the notion of “free” items which are not as generous as they appear to be.

This time around it’s the good old-fashioned money generator scams which are attempting to persuade GTA V players with the promise of free money to be used within the game. So, what are the potential traps for those who stumble onto the wrong site and decide to commit a bit of GTA of their own?

Example – gta5moneyserver(dot)com

This site is in the business of counterfeiting news articles from popular legitimate websites, this is with the aim of touting its own service while convincing consumers of its own credibility. There are problems which are easy to spot; firstly, the articles are badly written which is a red flag in itself; secondly, none of the articles appear on the genuine sites if cross referenced and the formatting is uneven.

OK, let’s imagine I believe this. I don’t, of course; that would be idiotic. The perpetrators of the site would need to implement a technique in order to send users free GTA cash. According to them, they have “exploited a cloud server through a very private 264bit encrypted DNS IP”. If a user submits a gamer tag through the site then he/she would be prompted to fill in a scam survey, which has plagued the internet for what seems like forever and a day. You won’t be receiving your coins anytime soon, so it’s best to avoid.

All sites purporting to offer free in-game, well, anything, that are not from an official URL, site or provider are in all probability too good to be true. They will either contain a survey, a virus or some .exe file which is little more than a fake; they might also ask for personal details, which is also to be avoided. Oh, and while you’re at it, avoid any sites which “offer” in-game money, free DLC generators, rank improvements, account unbanning and any kind of DNS code tricks.

These scams will vary in order to seem relevant, but it will be in all likelihood the same outcome.

Thank you Malwarebytes for providing us with this information.

Popcorn Time Vulnerability Leaves Users Open to Attack

A security engineer has found a vulnerability in the popular pirate movie application Popcorn Time that could leave users’ devices open to being hacked by a “man-in-the-middle” attacker. Antonios Chariton (aka ‘DaKnOb’), a security engineer and researcher living in Greece, found the vulnerability in at least one fork of Popcorn Time’s code, and warns users that using the software in its present form could be a risky proposition.

“There are two reasons that made me look into Popcorn Time,” Chariton said. “First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time.”

Popcorn Time uses Cloudflare to bypass ISP-level blocking in the UK – “a really smart” technique, according to Chariton – but the lack of layered security on top of that system is what leaves Popcorn Time open to attack.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” Chariton explained. “The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”

Chariton exploited this vulnerability as a proof-of-concept, performing a “content spoofing” attack which changed the name of the movie Hot Pursuit to Hello World:

Using the same technique, Chariton could change any other information in Popcorn Time, but chose a method by which he could demonstrate the trick easily.

Next, he launched an XSS attack:

“We have injected malicious JavaScript and the client application executed the code. Using this attack we can show fake messages or even do something smarter. Since the application is written in NodeJS, if you find an XSS vulnerability, you are able to control the entire application,” Chariton said. “This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

So, what can be done to protect users? Nothing on the user end, sadly, but Chariton has some advice for Popcorn Time’s developers. “HTTP is insecure,” he warned. “There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response.”

“Last but not least, just because something is Open Source doesn’t mean it’s audited and secure. Discovering and exploiting this vulnerability was literally one hour of work, including the time to write all the JavaScript payloads and come up with cool stuff to do,” Chariton adds.
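The second and third mistakes Chariton lists, no checks on the shape of the data and raw data reaching the UI, are the ones that can be shown offline. The example below is added here and is not Popcorn Time’s code or Chariton’s: it takes a constructed listing response in which one title carries markup, enforces the shape the client expects before anything else touches the data, and then contrasts a renderer that drops fields straight into HTML with one that escapes them. The field names and the IMDb-style IDs are assumptions for the sake of the example; fetching over HTTPS (his first point) is assumed to have already happened.

```python
"""Validating and escaping an untrusted server response before rendering.

Added illustration, not Popcorn Time's code. It assumes the listing has
already been fetched (over HTTPS, which this offline example cannot show)
and focuses on the other two mistakes the researcher names: no checks on
the shape of the data, and raw data reaching the UI.
"""
import html
import json
import re

# Constructed sample response: one ordinary entry and one whose title carries
# markup, standing in for what a man-in-the-middle could inject over HTTP.
SAMPLE_RESPONSE = json.dumps([
    {"title": "Hot Pursuit", "year": 2015, "imdb_id": "tt0000001"},
    {"title": "<script>alert(1)</script>", "year": 2015, "imdb_id": "tt0000002"},
])

IMDB_ID = re.compile(r"^tt\d{7,8}$")          # assumed ID format
ALLOWED_KEYS = {"title", "year", "imdb_id"}   # assumed listing schema


def validate_listing(raw: str) -> list:
    """Parse a JSON listing and enforce the shape the client expects.

    Anything unexpected (wrong container type, extra or missing keys, wrong
    field types, absurd lengths or years) raises ValueError so the caller
    fails closed instead of passing garbage on to the renderer.
    """
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("listing must be a JSON array")
    movies = []
    for item in data:
        if not isinstance(item, dict) or set(item) != ALLOWED_KEYS:
            raise ValueError("unexpected item shape")
        title, year, imdb_id = item["title"], item["year"], item["imdb_id"]
        if not isinstance(title, str) or not 0 < len(title) <= 200:
            raise ValueError("bad title")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(year, bool) or not isinstance(year, int) or not 1888 <= year <= 2100:
            raise ValueError("bad year")
        if not isinstance(imdb_id, str) or not IMDB_ID.match(imdb_id):
            raise ValueError("bad imdb_id")
        movies.append({"title": title, "year": year, "imdb_id": imdb_id})
    return movies


def render_unsafe(movies: list) -> str:
    """The pattern the researcher describes: data dropped straight into HTML."""
    return "".join(f"<li>{m['title']} ({m['year']})</li>" for m in movies)


def render_safe(movies: list) -> str:
    """Escape every string field at the point it enters markup."""
    return "".join(
        f"<li>{html.escape(m['title'])} ({m['year']})</li>" for m in movies
    )


if __name__ == "__main__":
    listing = validate_listing(SAMPLE_RESPONSE)
    print("unsafe:", render_unsafe(listing))
    print("safe:  ", render_safe(listing))
```

Note the division of labour: validation rejects data that is the wrong shape, but a title is legitimately free text, so the hostile title passes validation and it is the escaping at render time that keeps it from executing. In a NodeJS desktop application that distinction is the whole game, because, as Chariton says, script reaching the UI is code execution on the user’s machine.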

Popcorn Time has responded to the threat, saying:

“This attack requires that the attacker is either inside the local network, inside the host machine, or has poisoned the DNS servers.

In any case, there are far more valuable attacks than simply hitting Popcorn Time. Especially because it does not run with elevated privileges and won’t let the attacker install new programs for example.”

Popcorn Time’s full statement can be found here.

Thank you TorrentFreak for providing us with this information.

Image courtesy of GeekZine.

Nubem Start to Offer a Free Dynamic DNS Service

Nubem, an emerging service provider in cloud computing technologies, has announced that it will start offering a free Dynamic DNS service to all customers.

For those who do not know, Dynamic DNS, or DDNS, is the process of keeping the DNS record for a computer with a dynamically assigned IP address up to date. The DDNS service updates the record automatically whenever the address changes, so nobody has to enter it manually.

Also, DDNS allows a fully qualified domain name to be associated with a dynamically assigned IP address. This is why Nubem is founded on open standards, being widely compatible and supporting almost any device.

In order to get the service, users can navigate to Nubem’s page, click on the ‘Get Your Free Dynamic DNS’ button and follow the instructions given on-screen.

Source: Nubem

Latest Sony Leaks Reveal How MPAA Want To Change DNS

It’s no secret that the MPAA are wanting to take stronger measures against piracy, but recent Sony leaks suggest they’re pushing to crack down even harder than they already are; they want to target the internet’s Domain Name System (DNS).

The plan was first proposed as part of SOPA a few years ago, but as many of you know, it failed to pass Congress after a lot of protesting and complaints. New information suggests that the MPAA’s lawyers have been looking for a way to use the tactic under existing law, allowing them to remove offending sites from DNS, effectively removing them from the internet phonebook and preventing people from finding the sites. Of course, the major issue here is: who defines what an infringing site is, and will we just end up with a trimmed-down internet that only shows sites deemed suitable for us?

“A takedown notice program, therefore, could threaten ISPs with potential secondary liability in the event that they do not cease connecting users to known infringing material through their own DNS servers,” the letter reads. “While not making it impossible for users to reach pirate sites (i.e., a user could still use a third-party DNS server), it could make it substantially more complicated for casual infringers to reach pirate sites if their ISPs decline to assist in the routing of communications to those sites.”

It’s a brute force tactic and one that would be very effective, but currently it’s also illegal to do so. Even current DMCA notices walk a fine line, as they’re often handed out broadly and without proper investigation. Worst case scenario is we end up with people using dodgy DNS servers, exposing themselves to severe security issues in the process.

SOPA may be dead, but those behind it are still trying to find ways of rebranding it and making it law.

Craigslist Knocked Offline

Craigslist was knocked offline yesterday (Sunday) and at the time of writing, it still hasn’t come back.

The suspected DNS hijack was previously redirecting visitors to a website called Digital Gangster. The Next Web points out that this site was behind a famous 2009 Twitter hack and another hack which took pictures from Miley Cyrus’ Gmail in 2008.

They also point out the fact that the domain name briefly had its owner changed to “steven wynhoff @LulzClerk” – a name associated with hacks of YouTube accounts and of the email account of the supposed creator of Bitcoin, Satoshi Nakamoto.

The site appears to be slowly coming back to life, but still hasn’t fully resumed service.

Source: The Next Web

Virgin Media Customers Lose Service After Internal Error

A number of Virgin Media customers found themselves starved of internet access last weekend, as a bug crashed the ISP’s child filtering system.

The Websafe service is utilised by Virgin to prevent children seeing inappropriate content, a system used by all UK ISPs. For customers, use of the service is optional, however it has been reported that too much of Virgin Media’s internet traffic was routed through the server in charge of the filtering, causing it to crash. Subsequently, a significant number of Virgin Media customers found themselves unable to access any websites on Saturday (8th November). Virgin has said that they apologised to customers, however a number of them responded in anger on social media, with many concerned that their browsing activity was being filtered even though they opted out of the service.

Virgin advised customers to reboot their router to fix the problem and they have since resolved the issues with the server itself.

Source: The Register

Hacker Diverts Traffic from 19 ISPs to Steal a Large Sum of Bitcoins

It is said that researchers over at Dell’s SecureWorks security division have uncovered a series of hacking attempts in which a bitcoin thief redirected a portion of online traffic from 19 ISPs, including data from Amazon, DigitalOcean and OVH, in order to steal digital currency from a group of bitcoin users.

Each hijack is said to have lasted just 30 seconds, but the attempt is said to have been performed 22 times. On each attempt, the hacker gained control of the processing power of a group of bitcoin miners, redirecting their mining activity towards his private pool. Security researchers say that the hacker was able to pocket a flow of bitcoins and other digital currencies worth roughly $9,000 through the hijacking.

“With this kind of hijacking, you can quite easily grab a large collection of clients,” said Pat Litke, one of the Dell researchers. “It takes less than a minute, and you end up with a lot of mining traffic under your control.”

A technique known as BGP hijacking is said to have been used, exploiting the Border Gateway Protocol. The hacker took advantage of a staff user account at a Canadian ISP to periodically broadcast a spoofed command that redirected traffic from other ISPs from February through May this year. The command, along with miners not checking their rigs and so not noticing the ‘new’ settings, led to the hacker pocketing $83,000 worth of cryptocurrency.

“Some people are more attentive to their mining rigs than others,” said Joe Stewart, a Dell researcher whose own computers were caught up in one victimized mining pool. “Many users didn’t check their setups for weeks, and they were doing all this work on behalf of the hijacker.”

The BGP hijacking method has been discussed as a potential threat to internet security since 1998. Back then, a group of hackers known as L0pht stated that they could use the attack to take down the entire Internet in 30 minutes. The discussion continued at the DefCon security conference in 2008, and the technique was used in 2013 to temporarily redirect a portion of US internet traffic to Iceland and Belarus.
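A hijack of the kind described above shows up on the routing side as a prefix being announced by an AS that should not be originating it, often as a more-specific prefix that routers will prefer over the legitimate one. The example below is added here and is not SecureWorks’ or Dell’s code; it is a simplified version of route-origin validation, the check operators now do with RPKI data: a table of prefixes and the AS allowed to originate each, and a classifier that grades observed announcements against it. All prefixes and AS numbers are constructed from documentation ranges, and the table format is an assumption.

```python
"""Flagging route announcements whose origin AS does not match expectations.

Added example, not SecureWorks' or Dell's code. It is a simplified version of
route-origin validation: an operator keeps a table of the prefixes it cares
about and the AS allowed to originate each (with the longest prefix length
the owner will ever announce), then checks observed announcements against it.
All prefixes and AS numbers are constructed from documentation ranges.
"""
import ipaddress

# Constructed "expected origins": prefix -> AS allowed to originate it and the
# most specific length the legitimate owner will ever announce.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {"origin_asn": 64500, "max_length": 24},
    "198.51.100.0/24": {"origin_asn": 64501, "max_length": 25},
}


def check_announcement(prefix: str, origin_asn: int, expected: dict = EXPECTED_ORIGINS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'unknown'.

    'invalid' covers both shapes the article's incident fits: a foreign AS
    announcing a covered prefix, or a more-specific prefix (which routers
    prefer) that even the legitimate owner would never announce. 'unknown'
    means the table says nothing about this address space.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [
        (ipaddress.ip_network(p), rule)
        for p, rule in expected.items()
        if net.version == ipaddress.ip_network(p).version
        and net.subnet_of(ipaddress.ip_network(p))
    ]
    if not covering:
        return "unknown"
    for _, rule in covering:
        if rule["origin_asn"] == origin_asn and net.prefixlen <= rule["max_length"]:
            return "valid"
    return "invalid"


def audit_table(announcements: list, expected: dict = EXPECTED_ORIGINS) -> list:
    """Return the announcements an operator needs to look at (the invalid ones)."""
    return [
        a for a in announcements
        if check_announcement(a["prefix"], a["origin_asn"], expected) == "invalid"
    ]


# Constructed feed: legitimate routes plus a more-specific announced by an AS
# that has no business originating it.
OBSERVED = [
    {"prefix": "192.0.2.0/24", "origin_asn": 64500},
    {"prefix": "192.0.2.0/25", "origin_asn": 64510},
    {"prefix": "198.51.100.0/25", "origin_asn": 64501},
    {"prefix": "203.0.113.0/24", "origin_asn": 64502},
]

if __name__ == "__main__":
    for a in OBSERVED:
        print(a["prefix"], a["origin_asn"], check_announcement(a["prefix"], a["origin_asn"]))
    print("to investigate:", [a["prefix"] for a in audit_table(OBSERVED)])
```

The max_length field is what catches the more-specific trick: even the legitimate owner announcing a /25 when the table says /24 is graded invalid, which is how RPKI’s “maxLength” works as well. The other half of the story, miners not noticing that their rigs had been pointed at a new pool, is a separate check on the client side that this example does not cover.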

Thank you Wired for providing us with this information.

Trans-Atlantic Network Outage Affecting Internet Traffic Between US & EU

Over the last few hours we have been hearing a lot of people comment through the likes of Facebook that they are having problems getting online to a number of major and smaller sites around the globe, but particularly in the EU and US. To save you the torment of trying to diagnose what the problem is, we have got word that there is a major issue currently being looked into on the transatlantic Internet pipeline that joins Europe to the US between Amsterdam and New York. According to Digital Ocean, the AMS1 and AMS2 datacentres in Amsterdam are currently experiencing a major outage, with the result being widespread connection issues across the EU.

At this time we’re experiencing a network outage in our AMS1 and AMS2 datacenters, with secondary impact affecting customers in Europe. As a result, you may experience latency, connectivity issues, or slow pings. Preliminary investigation indicates that Telia’s transatlantic cable is down. We are working to resolve the issue and apologize for any interruption this causes for you.

Whilst engineers attempt to resolve this server outage, they are attempting to redirect traffic around the AMS servers in order to restore connections across the globe.

As we mentioned previously, we have routed around the affected network provider. Unfortunately, since this is a widespread problem affecting a significant portion of all Internet traffic between North America and Europe, you may continue to see degraded performance.

How long this outage is going to last is unknown at the moment; naturally this does mean that for some of our EU readers eTeknix may be unreachable, and we are aware of the problems. As we can see from the image above though, there are a number of alternative routes that engineers can redirect traffic to in order to maintain a good level of service, but this does take some time to do. As soon as I hear any updates regarding the link I’ll be sure to update this post below.

UPDATE: No sooner have we got the news out, Telia have managed to resolve the issues in Amsterdam and service across the Atlantic is being resumed.

 

Hackers Target E-Banking Users By Exploiting Router Vulnerabilities To Hijack the DNS

There have been reports about critical vulnerabilities in a variety of routers, including Cisco, TP-Link, ASUS, TENDA and Netgear among others, all of which can be found in a normal household.

According to the Polish Computer Emergency Response Team (CERT Polska), they have noticed an increase in cyber attacks forming a campaign aimed at Polish e-banking users. The hackers apparently use known router vulnerabilities that allow them to change a router’s DNS configuration remotely. This is allegedly used to lure users to fake bank websites or to perform Man-in-the-Middle attacks.

“After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all.” CERT Polska researchers said.

The DNS can be changed and point to a malicious DNS server from the router’s settings, giving the hacker complete control to facilitate interception, inspection and modification to the traffic between the user and the online banking website.

It is said that most banking and e-commerce sites use HTTPS with SSL encryption, making it impossible to impersonate them without a valid digital certificate issued by a Certificate Authority (CA), but to bypass this limitation cyber criminals are also using the SSL strip technique to spoof digital certificates.

The recommended steps to take against such attacks are to change the default username and password for the router, update the router’s firmware to the latest version and disable Remote Administration features in the router’s settings. Another way to spot fake websites is to pay attention to the browser’s address bar and HTTPS indicators.
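The common thread in this story, the Netgear one and the Dridex one is that the resolver a device ends up using has been swapped for one the household never chose. A quick way to notice that is to compare the resolvers a client has been handed against the ones you expect, and to compare a sensitive name’s answer from the local resolver with the answer from a resolver you trust. The example below is added here and is not CERT Polska’s or TheHackerNews’ code; the resolver list and the lookup answers are constructed so it runs offline (on a real machine they would come from the OS resolver configuration and two live lookups), and the “expected” resolver set is an assumption you would replace with your ISP’s.

```python
"""Checking whether the resolvers a client is using are the ones expected.

Added example, not from CERT Polska or the article. It works on a constructed
resolver list and constructed lookup answers so it runs offline; on a real
machine the list would come from the OS resolver configuration or the
router's DHCP lease, and the answers from two live lookups.
"""
import ipaddress

# Constructed: a resolv.conf-style dump from a client on a home LAN. The
# second nameserver is the kind of change the article describes: a resolver
# outside the LAN that the household never configured.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from 192.168.1.1
nameserver 192.168.1.1
nameserver 203.0.113.77
nameserver 8.8.8.8
"""

# Resolvers the household knowingly uses (assumed: Google's public resolvers,
# as in the Netgear story above; substitute your ISP's).
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# RFC 1918 ranges, listed explicitly because ipaddress.is_private also counts
# the documentation ranges used for the constructed rogue address.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(nameservers: list, expected: set) -> dict:
    """Classify each resolver as the LAN router, an expected public resolver,
    or an unexpected address that warrants a look at the router settings."""
    report = {"lan": [], "expected": [], "unexpected": []}
    for addr in nameservers:
        ip = ipaddress.ip_address(addr)
        if addr in expected:
            report["expected"].append(addr)
        elif ip.is_loopback or any(ip in net for net in LAN_NETWORKS):
            # The router forwarding on the LAN's behalf; what it forwards to
            # still has to be checked in the router's own settings.
            report["lan"].append(addr)
        else:
            report["unexpected"].append(addr)
    return report


def compare_lookups(local: dict, trusted: dict) -> list:
    """Names whose answer from the local resolver differs from a trusted one.

    A difference is a signal, not proof: sites behind CDNs legitimately hand
    out different addresses to different resolvers, so a mismatch on a bank
    or mail domain deserves a closer look rather than automatic alarm.
    """
    return sorted(
        name for name in local
        if name in trusted and set(local[name]) != set(trusted[name])
    )


# Constructed answers: the rogue resolver points the bank's name elsewhere
# while leaving an uninteresting site alone.
LOCAL_ANSWERS = {"bank.example": ["203.0.113.9"], "news.example": ["192.0.2.20"]}
TRUSTED_ANSWERS = {"bank.example": ["192.0.2.10"], "news.example": ["192.0.2.20"]}

if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    print(audit_resolvers(servers, EXPECTED_RESOLVERS))
    print("mismatched:", compare_lookups(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

A LAN address in the list is not a clean bill of health on its own, since the router itself is what the campaign reconfigures; the upstream servers in the router’s admin page are the ones to check against the same expected set.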

Thank you TheHackerNews for providing us with this information.

Some TP-Link Routers Found Vulnerable To Exploits

Several TP-Link routers have been found to be vulnerable to webpage-based DNS hijacking attacks. Worryingly, the researcher who uncovered information about this vulnerability, Jacob Lell, has also found “an active exploitation campaign” aimed at the affected TP-Link routers. Meanwhile TP-Link has released updated firmware for some, but not all, of its affected networking hardware.

There have been many router exploits before, however this newly reported TP-Link exploit looks more immediately serious as Mr Lell has found “five different instances of the exploit on unrelated websites so far”. An automated client honeypot system set up by Lell generated “some 280 GB of web traffic”. The five unrelated instances of the exploit he found tried to change the primary nameserver to three different IP addresses.

The affected TP-Link routers have something called a CSRF vulnerability. These routers allow access to their web-based administration page using HTTP authentication. “When entering the credentials to access the web interface, the browser typically asks the user whether he wants to permanently store the password in the browser. However, even if the user doesn’t want to permanently store the password in the browser, it will still temporarily remember the password and use it for the current session,” explains Lell.

If a user then visits a compromised site, like one of the five discovered so far, the site attempts to “change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks,” says Lell. After that DNS change, web addresses typed in by the user can easily be redirected to phishing sites and similar places you wouldn’t ordinarily want to visit. Also, among many other consequences, software updates can be blocked and email accounts hijacked.
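Lell’s description of the flaw is worth turning into the checks a router’s web interface needs, because HTTP authentication on its own cannot provide them: the browser attaches the remembered password to any request aimed at the router, including one a third-party page triggers, so the credentials say nothing about who composed the request. The example below is added here and is not TP-Link firmware or Lell’s code; requests are modelled as plain dicts so it runs offline, the router’s LAN address is assumed, and the three checks (state changes only via POST, same-origin enforcement, a session-bound anti-CSRF token) are the standard defences the article’s scenario calls for.

```python
"""Why HTTP-auth alone does not protect a router's admin page, and what does.

Added example, not TP-Link firmware or the researcher's code. Requests are
modelled as plain dicts so it runs offline; the checks are the ones a web
interface would apply before honouring a request to change the upstream DNS.
"""
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin UI

# A session-bound anti-CSRF token. A real firmware would issue this when the
# admin page loads and embed it in the settings form.
SESSION_TOKEN = secrets.token_urlsafe(32)


def _source_origin(headers: dict) -> str:
    """Best available statement of which page composed the request.

    Browsers set Origin on cross-site POSTs; Referer is the fallback. Return
    an empty string when neither is present so the caller refuses rather
    than guesses.
    """
    if headers.get("origin"):
        return headers["origin"]
    ref = headers.get("referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return ""


def authorize_dns_change(request: dict) -> tuple:
    """Return (allowed, reason) for a request that wants to change DNS settings.

    The checks tie the request to a page the router itself served, which is
    exactly what the remembered HTTP-auth credentials cannot prove.
    """
    # 1. State changes only via POST: a GET carrying settings in its query
    #    string can be fired by a hidden image tag on any site.
    if request.get("method") != "POST":
        return False, "settings changes must use POST"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # 2. The request must come from the router's own pages (exact match on
    #    scheme and host, so a lookalike address does not slip past).
    origin = _source_origin(headers)
    if origin != ROUTER_ORIGIN:
        return False, f"cross-site request from {origin or 'unknown origin'}"
    # 3. The form must carry the token that was embedded in the router's page;
    #    another site cannot read it, so it cannot forge it.
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, SESSION_TOKEN):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


# Constructed requests: the cross-site attempt the article describes (the
# browser has helpfully attached the stored credentials), a hidden-image GET,
# and a legitimate change made from the router's own settings page.
CROSS_SITE_POST = {
    "method": "POST",
    "headers": {"Origin": "http://attacker.example", "Authorization": "Basic <stored>"},
    "form": {"dns1": "203.0.113.53"},
}
IMG_TAG_GET = {"method": "GET", "headers": {"Referer": "http://attacker.example/"}}
LEGITIMATE_POST = {
    "method": "POST",
    "headers": {"Origin": ROUTER_ORIGIN, "Authorization": "Basic <stored>"},
    "form": {"dns1": "8.8.8.8", "csrf_token": SESSION_TOKEN},
}

if __name__ == "__main__":
    for name, req in [("cross-site", CROSS_SITE_POST), ("img GET", IMG_TAG_GET), ("legit", LEGITIMATE_POST)]:
        print(name, authorize_dns_change(req))
```

The order matters only for the error message; any one failing check is enough to refuse. Firmware that cannot be updated (the article notes not every affected model has a fix) gets no benefit from this, which is why logging out of the admin page, so the browser forgets the credentials, is the workaround users are left with.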

The following devices are confirmed to be vulnerable:

  • TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405 is vulnerable (version 3.3.13 build 130325 and later is not vulnerable)
  • TP-Link TL-MR3020: firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n are vulnerable (but not affected by current exploit in default configuration)
  • TL-WDR3600: firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n are vulnerable (but not affected by current exploit in default configuration)
  • WR710N v1: 3.14.9 Build 130419 Rel.58371n is not vulnerable
  • Some other untested devices are also likely to be vulnerable

Thank you Hexus for providing us with this information
Image courtesy of Hexus