TrendLabs Malware Blog, Trend Micro (June 2013)

    When it comes to cybercriminal targets, it truly is a popularity contest. Multiple sites were found compromised, including several popular with Japanese users. We identified 40 compromised domains using feedback provided by Trend Micro Deep Discovery; since yesterday, almost 60,000 hits have been recorded on these sites.

    One of the compromised sites contains an obfuscated JavaScript (detected as JS_BLACOLE.SMTT) designed to load a hidden iframe in the background of the user’s browser session.

    Figure 1. Encrypted JavaScript inserted onto compromised site

    Figure 2. Decrypted JavaScript that could lead users to malicious sites

    Figure 1 shows the obfuscated JavaScript, or JS_BLACOLE.SMTT, that’s on the compromised site. Figure 2 shows the decrypted JavaScript, which leads users to more malicious sites.

    The hidden iframe loads a .PHP file (detected as JS_BLACOLE.MT) that checks which software is installed on the user’s computer and then loads the appropriate exploits. These lead to the download of malicious PDF files, which exploit an old vulnerability (CVE-2010-0188) in Adobe Reader and Acrobat. Other software applications targeted for exploits include Java and Flash. This behavior indicates that the attacker used the Blackhole Exploit Kit in these attacks.
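    The injection described above is a hidden iframe placed by an obfuscated script, so a site owner can periodically check their own pages for both symptoms. The following is an added example, not code from the original post or from Trend Micro: it flags iframes that are 1x1 or smaller, CSS-hidden or positioned off-screen, and inline scripts that rely on decode/eval calls or long runs of escaped characters. The sample page (including the compromised.example domain) is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a legitimate iframe, an obfuscated inline script and a hidden 1x1 iframe.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
<script>var s='%3c%69%66%72%61%6d%65%20%73%72%63%3d';document.write(unescape(s));</script>
<iframe src="http://compromised.example/index.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

def is_hidden_iframe(attrs):
    """Frames of 1x1 or smaller, CSS-hidden frames and off-screen frames are suspicious."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all(re.fullmatch(r"\s*[01](?:px)?\s*", attrs.get(k) or "x") for k in ("width", "height"))
    return (tiny or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(?:left|top):-\d", style) is not None)

def looks_obfuscated(script):
    """Two or more decode/eval markers, or a run of %XX / \\xXX escapes, is a red flag."""
    hits = sum(script.count(m) for m in ("eval(", "unescape(", "fromCharCode", "document.write("))
    escapes = len(re.findall(r"(?:\\x|%)[0-9a-fA-F]{2}", script))
    return hits >= 2 or escapes >= 8

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None   # findings: list of (kind, detail)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and is_hidden_iframe(attrs):
            self.findings.append(("hidden-iframe", attrs.get("src") or ""))
        elif tag == "script":
            self._script = []                    # start collecting inline script text

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            if looks_obfuscated(body):
                self.findings.append(("obfuscated-script", body[:40]))

def scan_html(page):
    scanner = InjectionScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings
```

    Running `scan_html(SAMPLE_PAGE)` reports the obfuscated script and the hidden iframe but leaves the ordinary 640x360 video frame alone; the thresholds are heuristics and should be tuned against a site's legitimate pages before alerting on them.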

    Users should remember that cybercriminals are catching up with the digital landscape. They will take advantage of any online activity—no matter how mundane—to gain more victims. They are also not selective; one of the compromised sites caters to both students and businesses.

    End users should ensure that their installed software is patched, as this can prevent attacks that use old exploits – like this one – from succeeding. Site owners should exercise similar precautions with their installed server software – particularly content management systems – and ensure that their own passwords are sufficiently random and difficult to guess by attackers. Inputs should be sanitized as well, to prevent SQL injection attacks.

    Trend Micro provides protection by blocking related malicious sites and detecting the malware.

    With additional inputs from Threat Researcher Rhena Inocencio and Threats Analyst Yoshikawa Takashi.

    Update as of June 5, 2:15 AM PDT

    The malicious PDF files noted earlier in this post are detected as TROJ_PIDIEF.MT. The files downloaded by this malware are saved with legitimate-looking filenames; however, they are non-executable and non-malicious files despite their .EXE extension. The files could easily be replaced by malware, so it is possible that this attack was still being tested when it was released into the wild.


    Last week, the US government shut down Liberty Reserve, a digital currency service operating out of Costa Rica. Its founder, Arthur Budovsky, was arrested at the Madrid airport as he tried to return to Costa Rica. Other arrests were made in Spain, Costa Rica, and the United States. The company is accused of laundering over 6 billion dollars in illegal funds, with more than a million users globally – 200,000 of these being in the United States. The company’s site now sports a notice that it has been seized by US law enforcement.

    Liberty Reserve has long been a favorite way for cybercriminals to exchange money securely without exposing their identity. So how are they taking to the shutdown of Liberty Reserve?

    In a word: poorly. Not only did they lose access to Liberty Reserve, making underground transactions more difficult, but they also lost funds as well. Many cybercriminals are claiming they lost thousands of dollars, if not more: we saw one claim that he’d lost $300,000 in the seizure. We have to take the more extravagant claims with some skepticism, but it’s clear many cybercriminals did lose money thanks to Liberty Reserve’s closure. Somewhat amusingly, some are still in denial about the whole affair, saying that the service would return on June 1 with improved security. Obviously, that didn’t happen.

    What are cybercriminals going to replace Liberty Reserve with? Even in the underground forums, that isn’t clear. Both gold and Bitcoins have been mentioned as possible substitutes. Other digital currency services like PerfectMoney have been mentioned as well. Notably, some of these services have explicitly banned users from the US, perhaps in an attempt to shield themselves from US law.

    In the short term, we may actually see more online theft occur due to cybercriminals trying to make their money back. In the long run, if other digital currencies are targeted, it could make life for cybercriminals very complicated.


    The World Cancer Research Fund has recently released a statement regarding a story being circulated in social media and blogs about processed meat and cancer. The piece was so widespread that they had to step in and make an official statement. But what is striking is how users get their information these days.

    It is no surprise that social media sites are now considered a news source by most people, with many sharing, tweeting and pinning stories and news items via their accounts. No site has this in spades more than Facebook, which has an estimated billion active users per month and 4.7 million content items shared by its users every day.

    Because of this large online presence, particularly on social media, cybercriminals see it as a potential moneymaker. More users equal more possible victims. And just this May, we’ve seen several noteworthy threats that prove that the bad guys are not slowing down:

    • Early in May, we reported on several fake Iron Man 3 streaming sites that sprouted across the web and employed social media – in this case, Tumblr and Facebook – to spread their baits. Such tactics continue to work because summer flicks like Iron Man appeal to users and make effective social engineering lures.
    • Because of their increasing popularity, it is not a surprise to see scams for mobile platforms. Just this month, we noted the fake free Instagram followers ruse, which in the end leads users to download mobile malware capable of gathering and selling data stolen from the infected device.
    • As the majority of financial transactions these days are done over the Internet (e.g. online banking, shopping, etc.), banking and e-commerce sites are natural cybercrime targets. Just a few weeks ago, we saw how online banking users in Brazil were targeted by cybercriminals using a fake homemade browser. From this incident, we uncovered the use of effective social engineering tactics that lured users into unintentionally disclosing their Banco do Brasil login credentials.
    • Recently, we also saw how mobile ads in Android apps led to scam sites aimed at defrauding users and stealing their money. Although the incident was limited to Chinese users, it’s highly plausible that similar attacks could occur in other parts of the world.

    But the immediate question that comes to mind is how big web threats really are. In our infographic, Are You Safe Online?, we provide an overview of the current threat landscape vis-à-vis the boom in contemporary online engagement. Based on this, we noticed a direct correlation between the two: the more we do online, the more threats are likely to materialize.

    The upside to all this is that we see more software vendors, social media sites and organizations offering added and improved security measures. But as commendable as these developments are, users must also do their share.

    As June has been declared National Internet Safety Month by the National Cyber Security Alliance, Internet users are reminded of simple steps they can take to stay safe. Practices like bookmarking reputable sites and regularly updating your system can go a long way. Treat your mobile devices like your PC: both can be exposed to online threats.

    To check out the full infographic, please click the thumbnail below:


    One of the biggest issues of the Android OS is its fragmentation problem. We’ve covered this before – about how almost all Android updates have to pass through both device manufacturers and service providers before getting to end users. Unfortunately, this process is not quick or assured, which results in fragmentation: multiple versions of Android are present and in use.

    This results in many users being stuck with an outdated version of Android that may be riddled with vulnerabilities and security flaws. As of May 1, only 2.3% of Android devices in use are actually on the latest version, with more than a third still using Gingerbread – a version last updated in September 2011, and known to have 3-11 vulnerabilities, with the exact number depending on the specific version.

    Leaving users on older versions of Android has two consequences: vulnerabilities are left unpatched, and new features won’t reach them. At this year’s Google I/O developer conference, Google announced plans to fix at least part of this problem: instead of rolling out a new version, they announced updates to core apps. This allows them to add new features to Android without needing to push a completely new version out to users. It does not solve all potential problems due to fragmentation, but it’s a step in the right direction.

    Our latest monthly mobile report looks at this issue in full. It discusses the root of the problem itself, why it’s become a long-standing complaint, and why it may take Google a very long time to straighten out. Find out what you can do to better secure yourself and your device if you are affected by this problem. We also have our infographic for an illustrated glance at the issue.


    Last January, we talked about a critical vulnerability in Ruby on Rails (CVE-2013-0156). At the time, we pointed out that there was no known attack, but that exploit code had been released as part of the Metasploit framework, which would increase the risk of attacks moving forward. It was only a matter of time before it was used in an attack in the wild. We strongly urged server administrators to update their Ruby on Rails software to the latest, patched versions.

    At the time, we noted that Trend Micro Deep Security protected users against this vulnerability via the following DPI rules:

    • 1005331 Ruby On Rails XML Processor YAML Deserialization DoS
    • 1005328 Ruby On Rails XML Processor YAML Deserialization Code Execution Vulnerability

    These rules allow Deep Security to block network traffic that is related to this vulnerability, preventing any exploitation of the security flaw.
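    CVE-2013-0156 hinged on Rails’ XML parameter parser honoring a per-element `type` attribute, with the `yaml` and `symbol` types being the ones that led to deserialization of attacker-controlled data; the upstream fix and the published workaround both removed those two types. As an added example (not Trend Micro’s rule logic and not the vendor’s code), the check below shows the kind of request inspection a network- or application-side filter can apply: reject XML request bodies in which any element is typed `yaml` or `symbol`. The sample requests are constructed, and the YAML content in the suspicious one is a harmless scalar.

```python
import xml.etree.ElementTree as ET

# Element types that Rails' XML parameter parsing handed to YAML/Symbol
# deserialization before the CVE-2013-0156 fix removed them.
DANGEROUS_TYPES = {"yaml", "symbol"}

def find_dangerous_xml_types(body):
    """Return (tag, type) pairs for every element whose type attribute is yaml or symbol."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []                      # not well-formed XML; nothing for this check to say
    hits = []
    for elem in root.iter():           # includes the root element itself
        declared = (elem.get("type") or "").strip().lower()
        if declared in DANGEROUS_TYPES:
            hits.append((elem.tag, declared))
    return hits

def should_block(headers, body):
    """Block an XML request whose parameters carry a yaml- or symbol-typed element."""
    content_type = (headers.get("Content-Type") or "").lower()
    if "xml" not in content_type:
        return False                   # only the XML parameter parser was affected
    return bool(find_dangerous_xml_types(body))

# Constructed sample requests: a normal typed parameter, and one declaring type="yaml".
BENIGN_REQUEST = (
    {"Content-Type": "application/xml"},
    '<user><name>alice</name><age type="integer">30</age></user>',
)
SUSPECT_REQUEST = (
    {"Content-Type": "text/xml"},
    '<user><name type="yaml">--- 1\n</name></user>',
)
```

    The same check is useful for triage after the fact: running it over archived request logs shows whether a server saw such requests before the update was applied.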

    Fast forward to May 28 this year: an exploit in-the-wild was found targeting the said vulnerability. The vulnerability was used to gain access to the affected systems and make them part of an IRC botnet. (The malicious payload is detected as ELF_MANUST.A.)

    Why was a vulnerability that is several months old still exploited so heavily in the past week? The answer is simple: not everyone patches regularly, for various reasons. Security administrators have to consider several aspects, such as business continuity. Other factors include making sure that patches actually work, and delays due to unexpected system behavior that may occur once updates are implemented. To know more about this, you may read our report Monitoring Vulnerabilities: Are Your Servers Exploit-Proof?.

    This case, however, illustrates the downside of not patching: systems are put at increased risk, particularly if vulnerability shielding solutions are not integrated into existing systems. We will continue to monitor this threat and release updates as needed.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice