InnfiRAT Malware Steals Litecoin And Bitcoin Wallet Information


New InnfiRAT Malware Hunts Down Litecoin And Bitcoin Wallet Info

A remote access Trojan (RAT) dubbed InnfiRAT comes with extensive capabilities to steal sensitive information, including cryptocurrency wallet data. Zscaler’s ThreatLabZ team took a closer look at its inner workings, although the malware has been in the wild for a while.

The earliest this RAT was spotted is November 2017, according to security researcher James_inthe_box, but this is the first time it was analyzed more seriously.

InnfiRAT is .NET malware that, as the ThreatLabZ team found, performs anti-VM and process checks designed to detect when it is running in a sandboxed environment of the kind typically used for malware analysis.

After infecting the target’s computer, InnfiRAT will copy itself into %AppData%/NvidiaDriver.exe and will write a Base64-encoded PE file in memory that gets decoded to another .NET binary with the actual functionality of the malware.

FYI #Innfirat has been rolling around since 2017: https://t.co/VR5zBLQKIK

— James (@James_inthe_box) September 13, 2019

Persistence and anti-analysis measures

If the RAT discovers that it is running in a sandbox, it terminates itself; otherwise it collects the compromised machine’s HWID and country.

InnfiRAT will also terminate itself if it discovers the processes of tools used for process monitoring such as Process Hacker, Process Explorer, and Process Monitor.

The processes of several web browsers (Chrome, Yandex, Kometa, Amigo, Torch, Orbitum, Opera, Mozilla) are also enumerated and, if found, killed on sight, presumably to unlock the user profiles for easier harvesting.

The malware will also create a scheduled task designed to execute the malicious %AppData%/NvidiaDriver.exe executable on a daily basis just in case the RAT is discovered and killed.

Checking for specific processes

Stealing crypto and cookies

While InnfiRAT’s command and control (C2) servers can send it 11 types of commands, the most interesting are those that instruct it to search for and steal Bitcoin and Litecoin wallet data, as well as cookie information from the web browsers that got killed in the reconnaissance stage.

The RAT searches for wallet.dat files in the %AppData%\Litecoin and %AppData%\Bitcoin folders and, if it finds any, immediately collects them and delivers them to the malware’s C2 server.

“InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition, this RAT has ScreenShot functionality so it can grab information from open windows,” found the Zscaler ThreatLabZ team.

“InnfiRAT sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C can also instruct the malware to download additional payloads onto the infected system.”

Searching for Bitcoin wallet.dat

Text documents of less than 2,097,152 bytes are also collected by the RAT if they’re stored on the victim’s desktop and get sent to the same pile of exfiltrated data stored on the C2 server.

InnfiRAT’s operators can also send it the following commands besides the ones already described above:

  • SendUrlAndExecute(string URL) – download a file from a specified URL and execute it

  • ProfileInfo() – collect and exfiltrate network, location, and hardware info

  • LoadLogs() – write files into specific folders

  • LoadProcesses() – get a list of running processes and send it to the C2 server

  • Kill(int process) – kill a specific process on the victim machine

  • RunCommand(string command) – execute a command on the victim machine

  • ClearCooks() – clear browser cookies for specific browsers
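The persistence, browser-killing and wallet-harvesting behaviours described in this article are all visible from the host side. As an added illustration written from the defender’s side (this is not code from Zscaler ThreatLabZ or from the article), the following Python triage script runs a handful of rules over a constructed, simplified stream of host telemetry and flags the combination reported for InnfiRAT: a process image at %AppData%\NvidiaDriver.exe, a scheduled task pointing at that image, one process terminating several browsers, reads of wallet.dat under %AppData%\Bitcoin or %AppData%\Litecoin, and reads of desktop text files below the 2,097,152-byte threshold. The event schema (`type`, `pid`, `image`, `path`, `size`, …) is hypothetical, %AppData% is assumed to expand to the usual `...\AppData\Roaming`, and the sample events are constructed, not real indicators.

```python
"""Triage constructed host telemetry for behaviours reported for InnfiRAT.

Added, hypothetical detection logic; the event records are a constructed,
simplified schema rather than any real EDR or Sysmon format.
"""
import re
from collections import defaultdict

# Browser process names from the article; "Mozilla" is assumed to be firefox.exe.
BROWSERS = {"chrome", "yandex", "kometa", "amigo", "torch", "orbitum", "opera", "firefox"}

# The RAT copies itself to %AppData%/NvidiaDriver.exe and schedules it daily.
# Assumes %AppData% expands to ...\AppData\Roaming (standard on Windows).
DROPPED_IMAGE = re.compile(r"\\appdata\\roaming\\nvidiadriver\.exe$", re.I)
WALLET_PATH = re.compile(r"\\appdata\\roaming\\(bitcoin|litecoin)\\wallet\.dat$", re.I)
DESKTOP_TXT = re.compile(r"\\desktop\\[^\\]+\.txt$", re.I)
TEXT_SIZE_LIMIT = 2_097_152  # bytes; the article's threshold for desktop text files


def analyze(events):
    """Return a list of (pid, rule, detail) findings for one telemetry stream."""
    findings = []
    kills = defaultdict(set)  # pid -> set of browser names it terminated
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and DROPPED_IMAGE.search(ev["image"]):
            findings.append((ev["pid"], "appdata_nvidiadriver_exec", ev["image"]))
        elif kind == "task_create" and DROPPED_IMAGE.search(ev["command"]):
            findings.append((ev["pid"], "scheduled_task_persistence", ev["task"]))
        elif kind == "process_terminate":
            name = ev["target"].lower().rsplit(".", 1)[0]
            if name in BROWSERS:
                kills[ev["pid"]].add(name)
        elif kind == "file_read":
            if WALLET_PATH.search(ev["path"]):
                findings.append((ev["pid"], "wallet_dat_access", ev["path"]))
            elif DESKTOP_TXT.search(ev["path"]) and ev["size"] < TEXT_SIZE_LIMIT:
                findings.append((ev["pid"], "desktop_text_harvest", ev["path"]))
    # A single process killing two or more browsers is the reconnaissance step.
    for pid, names in kills.items():
        if len(names) >= 2:
            findings.append((pid, "browser_mass_kill", ",".join(sorted(names))))
    return findings


def suspicious_pids(events, min_rules=2):
    """Group findings by pid; a process matching several rules is worth escalating."""
    by_pid = defaultdict(set)
    for pid, rule, _ in analyze(events):
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


# Constructed sample telemetry (not real IoCs). pid 4120 mimics the reported
# behaviour; pid 900 is a benign look-alike that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Roaming\NvidiaDriver.exe"},
    {"type": "task_create", "pid": 4120, "task": "NvidiaDriverUpdate",
     "command": r"C:\Users\alice\AppData\Roaming\NvidiaDriver.exe"},
    {"type": "process_terminate", "pid": 4120, "target": "chrome.exe"},
    {"type": "process_terminate", "pid": 4120, "target": "opera.exe"},
    {"type": "file_read", "pid": 4120, "size": 131072,
     "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "file_read", "pid": 4120, "size": 2048,
     "path": r"C:\Users\alice\Desktop\notes.txt"},
    {"type": "file_read", "pid": 4120, "size": 5_000_000,   # above threshold: ignored
     "path": r"C:\Users\alice\Desktop\big.txt"},
    {"type": "process_create", "pid": 900,                   # legitimate install location
     "image": r"C:\Program Files\NVIDIA Corporation\NvidiaDriver.exe"},
    {"type": "process_terminate", "pid": 900, "target": "chrome.exe"},  # one kill only
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule} -> {detail}")
    print("escalate:", suspicious_pids(SAMPLE_EVENTS))
```

Each rule on its own is noisy (a user may legitimately open wallet.dat, an administrator may stop browsers), so the script only escalates a process once several rules fire for the same pid; in production the same grouping would be keyed on the process GUID of your telemetry source rather than a reusable pid.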

Indicators of compromise (IOCs), including malware sample hashes and the domains used to drop the RAT and as C2 servers, are available at the end of the ThreatLabZ team’s InnfiRAT write-up.

Last month, two new RATs were discovered by security researchers, one of them targeting several countries as part of a campaign operated by financially motivated threat actors who used a RAT payload dubbed BalkanRAT by the ESET researchers who spotted it.

The other undocumented RAT called LookBack was found by the Proofpoint Threat Insight Team researchers while being delivered via a spear-phishing campaign that targeted three U.S. entities from the utility sector.


The Week that Was.


CRASHOVERRIDE intended to cause long-term damage.

Analysts at Dragos have reassessed the 2016 cyberattack against Ukraine’s power grid and have concluded that the blackout was intended to be far more damaging and longer-lasting than what was actually achieved. The attack appears to have had a final stage that failed for reasons unknown to Dragos. After the blackout was triggered, the attackers tried to launch denial-of-service attacks against the Siemens SIPROTEC protective relays in use by the plant. This initially seemed pointless, since the attack had seemingly already taken place. Dragos suspects, however, that the attackers wanted the plant’s operators to reactivate the systems while lacking visibility and without realizing that the protective relays were disabled. This could have greatly intensified the attack, causing physical damage to equipment and harming employees.

Dragos’ director of threat intelligence Sergio Caltagirone told WIRED that “they’ve pre-engineered attacks that harm the facility in a destructive and potentially life-threatening way when you respond to the incident. It’s the response that ultimately harms you.”

Is your cybersecurity program aligned with your business goals and objectives?

Cybersecurity is a business risk, not an IT problem, and a critical part of business strategy. Security should not be an afterthought. Taking a proactive approach facilitates board-level cyber initiative buy-in, supports traction across business units, establishes management alignment for key priorities, and manages data complexity. Let Edwards Performance Solutions better structure and position your cybersecurity program, making it a business asset for continued success. Learn more

North Korean hackers use obscure file formats to evade detection.

Prevailion researchers describe “Autumn Aperture,” a North Korean campaign that’s deploying rarely used file formats like Kodak FlashPix (FPX) to avoid being flagged by antivirus systems. The attackers are using malicious Word files with subject matter that’s relevant to their targets, and they attempt to hide the resulting malicious functionalities by embedding them in FPX files. VirusTotal shows that these are much less likely to be detected than the standard VBA files. 

Prevailion believes the Kimsuky threat actors are behind the campaign, and the researchers conclude that “given the broad scope of entities targeted by Autumn Aperture, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure.”

Cybersecurity Fabric: The Future of Advanced Threat Response

Cyber Attacks continue to increase in size and speed, requiring greater flexibility to defend and respond to emerging security threats. Organizations need inline detection and mitigation to be successful against threats to the evolving network. The solution is one that weaves security throughout your network into a seamless fabric providing coordinated detection and response. Join LookingGlass for our upcoming webinar October 2, 2pm EST to learn how a Cybersecurity Fabric will strengthen your security strategy, simplify your stack, and advance your defenses.

Israeli intelligence may have placed StingRays in DC.

POLITICO reported that “three former senior officials with knowledge of the matter” said the US government concluded that Israel was responsible for the placement of a number of StingRay devices in Washington DC. One of the officials said the devices were probably intended to spy on President Trump. Israel has denied the allegations, and President Trump said, “I don’t think the Israelis were spying on us….Anything is possible but I don’t believe it.”

Every business can benefit from a cookbook approach to developing a cloud strategy.

By focusing efforts on a living document, CIOs can connect business strategy to cloud migration planning and implementation. Visit www.coalfire.com and download the latest Gartner Cloud Strategy Cookbook, 2019. The Cloud Strategy Cookbook provides actionable advice on structuring a cloud strategy document, while offering guidance on determining which applications go where.

BlueKeep RCE exploit now available to the public.

Rapid7’s open-source Metasploit framework now has an easy-to-use module for exploiting BlueKeep to achieve remote code execution on Windows systems, ZDNet reports. The module can’t be used for worm attacks, since it requires manual interaction for each system it’s deployed against, but it’s still quite effective against individual systems. ZDNet notes that there are still 700,000 vulnerable systems exposed to the Internet, and probably many more on internal networks.

Setting the Trap with Kevin Mitnick: Crafty Ways the Bad Guys Use Pretexting to Own Your Network

Today’s phishing attacks have evolved beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization to set the perfect trap. And pretexting is the key.

Join us for this exclusive webinar where Kevin Mitnick, the World’s Most Famous Hacker and KnowBe4’s Chief Hacking Officer, will show you how the bad guys craft such cunning attacks. And he’ll share some hacking demos that will blow your mind.

Save your spot!

Thrip cyberespionage group isn’t new after all.

Symantec told CyberScoop that it believes the Chinese threat actor the company tracks as “Thrip” could actually be a manifestation of another group, “Billbug” or “Lotus Blossom,” which has been active for about a decade. Symantec previously believed Thrip was a new operation discovered last year, but an analysis of one of its backdoors uncovered multiple striking similarities to a tool used by the older threat actor. Symantec’s technical director Vikram Thakur told CyberScoop that “these guys are not absolutely brand new like we had pointed out last year. They seem to be using an evolution of a tool that has almost been used for ten years at this point.”

Cobalt Dickens is back, and pretending to be your university library.

Researchers at Secureworks report a resurgence of activity by the Iranian threat group called “Cobalt Dickens.” The threat actor has been associated with the Mabna Group and others the US Department of Justice indicted in 2018 in connection with cyberespionage Justice said was conducted on behalf of Iran’s Islamic Revolutionary Guard Corps. Secureworks says the latest activity consists of a phishing campaign directed against American and British universities.

Stealth Falcon spyware campaign update.

ESET says it has associated a hitherto overlooked backdoor with Stealth Falcon. Stealth Falcon itself has been connected by the University of Toronto’s Citizen Lab with the distribution of spyware against a range of Middle Eastern targets. It is regarded as being, probably, a United Arab Emirates operation, linked to Project Raven, earlier described by Reuters.

Big business email compromise.

Toyota Boshoku, a Toyota parts unit, continues to investigate a business email compromise scam in a European subsidiary that may have cost the company ¥4 billion (approximately $37 million). According to Infosecurity Magazine, the incident occurred on August 14th, and if it followed the usual business email compromise template, the theft depended on social engineering. Toyota Boshoku says it can’t reveal more because of ongoing police investigations. It does say it’s working to recover the funds its subsidiary lost, and it asks for patience and understanding until investigations are complete.

Patch news.

Microsoft fixed seventy-nine security flaws on Patch Tuesday, seventeen of which were rated critical. KrebsOnSecurity notes that two of these vulnerabilities affected all supported versions of Windows and were being exploited in the wild.

Adobe patched two critical vulnerabilities in Flash Player that could have led to arbitrary code execution.

Crime and punishment.

The US Department of Justice announced on Tuesday that an international law enforcement effort called “Operation reWired” had resulted in the arrests of 281 people allegedly involved in business email compromise schemes. The operation involved law enforcement agencies in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom, along with the United States’ Department of Homeland Security, Department of the Treasury, Postal Inspection Service, and Department of State. 167 of the arrested individuals were in Nigeria and 74 were in the United States. The FBI also released updated statistics on BEC attacks, showing that there has been “a 100 percent increase in identified global exposed losses” between May 2018 and July 2019.

The Washington Post reported that Fedir Hladyr, a Ukrainian national US prosecutors said was affiliated with the FIN7 cybercriminal gang, took a guilty plea Thursday to two counts of hacking and wire fraud. Mr. Hladyr, who was arrested in Germany last year, was FIN7’s admin. The group is believed responsible for carding and other forms of cybercrime that may have netted them a billion dollars, give or take a baker’s dozen. In exchange for his plea, the Government agreed to drop twenty-four other charges, conviction on which would have earned the defendant hundreds of years in prison. As it stands he faces up to twenty-five years. Observers speculate that the Government made the deal in exchange for information Mr. Hladyr may provide on the rest of the gang.

Two Coalfire employees were arrested while conducting a physical penetration test at a courthouse in Iowa, according to the Des Moines Register. The two men had been hired by the state court administration to try to gain unauthorized access to court records, but the administration says it “did not intend, or anticipate, those efforts to include the forced entry into a building.” The pentesters have been charged with third-degree burglary and possession of burglary tools, and as of this writing they’re being held on a $50,000 bond.

Courts and torts.

Google will pay €965 million ($1.1 billion) to France to settle a four-year-long probe into whether the company avoided paying taxes in the country, Reuters reports.

Cloudflare voluntarily disclosed in a regulatory filing with the US Securities and Exchange Commission that its services may have been used by persons or organizations currently under US sanctions, the Wall Street Journal reported. The parties the company dealt with (presumably without fully understanding who they were) included some designated as terrorists or narcotraffickers.

Policies, procurements, and agency equities.

US President Trump yesterday extended the “National Emergency With Respect To Foreign Interference In or Undermining Public Confidence In U.S. Elections” for one year. The extension maintains the provisions of Executive Order 13848, issued on September 12, 2018, in force. 

France’s finance minister said at an OECD conference that Facebook’s Libra cryptocurrency should be blocked in Europe, and he suggested that the EU should develop its own public digital currency, Cointelegraph reports. Libra’s head of policy and communications told the Independent that “we welcome this scrutiny and have deliberately designed a long launch runway to have these conversations, educate stakeholders and incorporate their feedback in our design.”

US Federal agencies are working out roles and responsibilities in cyberspace during the course of wargames. Breaking Defense describes the exercises as bringing together organizations from the Departments of Defense and Homeland Security. The US Defense Department has also offered Congress a look at some of its current thinking on cyber deterrence. Deterrence is commonly thought of as involving the credible threat of retaliation, but the Department calls its approach to deterrence “multifaceted,” with denial playing a significant part. An adversary can be deterred if they become convinced that their attacks would be futile.

Charles Kupperman, Fox News reports, will serve as interim National Security Advisor to the US President. Kupperman had been serving as deputy to the now-departed John Bolton. A search for a permanent replacement is in progress.

NIST is seeking public comment on the Final Public Draft of NIST Special Publication (SP) 800-160 Volume 2, “Developing Cyber Resilient Systems: A Systems Security Engineering Approach.” The comment period closes on November 1st. The Institute has also released a preliminary draft of the new NIST privacy framework. Comments on this draft are due by October 24th.

Fortunes of commerce.

Symantec, as it goes through Broadcom’s acquisition of its enterprise security business, and as other investors show an interest in its Norton and LifeLock units (the Wall Street Journal says suitors may be offering more than $16 billion), has begun a round of layoffs. The San Francisco Chronicle reports that the company has begun layoffs in California, cutting one-hundred-fifty-two jobs at its corporate headquarters in Mountain View, eighteen in San Francisco, and thirty-six in Culver City.

The Wikimedia Foundation received a $2.5 million donation from Craigslist founder Craig Newmark. The money is intended to help the organization boost its cybersecurity in the wake of a DDoS attack that hit Wikipedia last weekend, Infosecurity Magazine reports.

Mergers and acquisitions.

Akamai is acquiring Exceda, its largest Latin American channel partner. In statements published by BNamericas, Akamai says that it sees the acquisition as a step toward meeting increased regional demand for its content delivery and cloud security services.

Investments and exits.

Cloudflare priced its IPO this week at a share price of $15, which should give the company a market capitalization of about $4.4 billion, PitchBook reports. The lead underwriters are Goldman Sachs, JP Morgan, and Morgan Stanley.

As expected, Colorado-based Ping Identity has filed for its IPO. The company will offer 12.5 million shares of common stock, which it expects to fetch between $14 and $16 a share.

Newly hatched unicorn Shape Security is said to be thinking of an IPO. The Silicon Valley-based company, which specializes in anti-fraud solutions, has raised $51 million in an investment round led by C5 Capital, VentureBeat says. Seven other firms also participated: Kleiner Perkins, HPE Growth, Norwest Ventures Partners, Focus Ventures, JetBlue Technology Ventures, Top Tier Capital Partners, and Epic Ventures. When will there be an IPO? That’s not known, but Shape’s Chief Marketing Officer told VentureBeat that “preparation for an IPO is part of our plan.”

HackerOne has raised $36.4 million in a Series D funding round. VentureBeat reports that the round was led by Valor Equity Partners, with participation from Benchmark, New Enterprise Associates, Dragoneer Investment Group, and EQT Ventures.

Threat intelligence startup Cyware Labs has raised $3 million in a seed funding round led by Emerald Development Partners. The company intends to use the funding for the usual growth purposes: product development and increased marketing.

Snyk, whose specialty is detecting and fixing vulnerabilities in open-source code, has raised $70 million. TechCrunch says the funding round was led by Accel, GV, and Boldstart Ventures.

Virginia-based Shift5, which specializes in software and hardware security for weapons and aerospace systems, has raised a $2.5 million seed round. Squadra Ventures led the round, with participation by Lamphere Capital, Outland, Nue Capital, and Emerging Ventures.

Lacework, the Silicon Valley-based cloud-security shop, has closed a $42 million investment round with Sutter Hill Ventures and Liberty Global Ventures. Lacework intends to use the funding to maintain its momentum in DevOps and workload security.

And security innovation.

New Zealand has decided to offer assistance to other Pacific nations as they develop their cybersecurity capabilities. The Government has decided, ZDNet reports, to earmark NZ$10 million over the next five years in aid.

SINET has announced this year’s SINET 16. This annual selection of the most innovative, potentially disruptive companies in the cybersecurity industry picks sixteen winners from an international pool of applicants. This year’s selection was made from among one-hundred-sixty-one companies based in eighteen countries. In reverse alphabetical order, the SINET 16 class of 2010 includes:

  • XM Cyber, which specializes in fully automatic breach and attack simulation that enables customers to recognize attack vectors and prioritize their remediation.

  • Tigera, whose zero-trust network security supports continuous compliance for Kubernetes platforms across a range of environments.

  • Tempered Networks, which provides simple and affordable means of segmenting and isolating control systems and industrial Internet-of-things devices.

  • Sonrai Security, with a Cloud Data Control (CDC) service that delivers a risk model for identity and data relationships across a range of cloud and third-party data stores.

  • Siemplify, an independent security orchestration, automation and response provider whose workbench enables enterprises and managed security service providers to manage and respond to cyber threats.

  • OPAQ delivers security-as-a-service from its cloud that enables enterprises to overcome staffing and management challenges in the protection of their IT infrastructure.

  • Kenna Security, whose platform delivers cyber risk predictions that enable security teams to get ahead of exploitation.

  • Karamba Security’s embedded cybersecurity solutions protect connected systems with automated runtime integrity software that does particularly well against remote code execution.

  • CyberSponse, which offers an automated incident response orchestration platform that automates security tools to make human experts more effective.

  • CryptoMove, whose continuous moving target defense and distributed fragmentation offers a new approach to data protection for managing keys and DevSecOps secrets.

  • BigID, a machine-learning shop that enables personal data discovery, correlation, and privacy automation for compliance at scale with regulations like GDPR and CCPA.

  • Balbix, whose specialized artificial intelligence delivers continuous and predictive assessment of breach risk.

  • Awake Security, which offers advanced network traffic analysis for a privacy-aware solution that can detect and visualize incidents in full forensic context.

  • Arkose Labs, which solves fraud by pairing global telemetry with an enforcement challenge to control fraud without false positives or degraded throughput.

  • Aqua Security, which secures container-based and cloud-native applications from development to production.

  • And, finally, Acceptto, which delivers continuous identity access protection by inferring contextual data to analyze and verify user identity and behavior.

The sixteen winners will be featured at the SINET Showcase in Washington, DC, November 6th and 7th at the National Press Club.


Phishing scams targeting Mac users on the rise with 1.6 million attacks in 2019


Apple users like to think their devices are a bit safer than other brands, but a new report from Kaspersky shows that cybercriminals are increasingly trying to attack Mac customers.

Kaspersky’s mid-year “Threats to MacOS Users” report highlights just how many attacks the company stops for its customers.


In only the first six months of 2019, the number of phishing attacks disguised using the Apple brand grew to 1.6 million. Kaspersky said the total number of phishing attacks have grown exponentially since 2015, when there were only 852,293 attacks. Just in the first half of this year, 5,932,195 attacks were committed, the report stated.


“The owners of MacBooks and iMacs are only rivaled by Linux users in terms of the level of confidence in their own security, and we must admit that they are right to a certain degree: Compared to Windows-based systems, there are far fewer threats that target macOS,” said Kaspersky researchers Mikhail Kuzin, Tatyana Shcherbakova, Tatyana Sidorina and Vitaly Kamluk, in a press release.

However, the press release continued, that situation is changing, since the popularity of the latter platform is growing. “Due to this and despite all the efforts that have been taken by the company, the threat landscape for Apple devices is changing, and the amount of malicious and unwanted software is growing,” stated the release.

Of the 6 million phishing attacks Kaspersky dealt with, nearly 12% targeted corporate users. Hackers also concentrated on Mac users outside of the United States, according to Kaspersky’s survey.

“While technically these fraud schemes are nothing new, we believe they pose an even greater danger to Apple users than similar schemes against users of other platforms – such as Windows or Android,” said Tatyana Sidorina, security researcher at Kaspersky. “That is because the ecosystem around Macs and other Apple devices is generally considered a far safer environment. Therefore users might be less cautious when they encounter fake websites. Meanwhile the successful theft of iCloud account credentials could lead to serious consequences. We urge users of Apple devices to pay more attention to any emails they receive claiming to be from technical support, which request your details or ask you to visit a link.”

To compile the report, Kaspersky used statistics from their Kaspersky Security Network cloud infrastructure, which stores information about all of the malicious programs or threats that affect Mac users.

Brazil had the largest share of unique macOS users who experienced phishing attacks at 30%, while both France and India had about 22%. Kaspersky highlighted that hackers were increasingly using Apple iconography to trick people into handing over Apple IDs and credentials.

“These phishing attacks aim to steal users’ Apple IDs. Links to these sites are usually sent in emails that allegedly come from Apple Support. The recipient is threatened that their account will be locked unless they click the link and log in to confirm the information that has been specified in their profile,” the Kaspersky report stated.

The report continued, “Another phishing trick is to send thank you messages for purchasing an Apple device or app on the App Store. The ‘client’ is invited to learn more about the product (or cancel the purchase) by clicking a link that leads to a phishing page. Here, the victim is required to enter their Apple ID login and password, which, of course, will be sent to the attackers.”

Last year there were 1.5 million attacks using Apple’s branding, which pales in comparison to this year. By June 2019, Kaspersky had stopped 1.6 million similar attacks, and the security company said these kinds of attacks grow by 30–40% every year.

“The vast majority of threats for macOS in 2019 were in the AdWare category. As for the malware threats, the Shlayer family, which masquerades as Adobe Flash Player or an update for it has been the most prevalent,” the Kaspersky study stated.


Kaspersky stressed that Apple users needed to shed the idea that the company’s devices were infallible because multiple hacking groups were hard at work on a variety of methods to steal information.

According to Kaspersky, there were at least eight full-fledged campaigns aimed squarely at attacking the users of MacBook, iPhone, and other devices over the past few years.

Mac users have traditionally seen themselves as safe because for many years, they truly were. There are more Windows and Android devices worldwide, making it more cost effective for hackers to focus on those operating systems over Apple, which still largely has a niche, US-centered audience.

Business users should be particularly wary considering the steep rise in attacks centered around Apple products used by financial institutions and other companies.

“Several well-known cybercriminal groups are currently working to develop malware for these operating systems, but the likelihood that a random user will be the target of such programs is extremely small,” Kaspersky said in the report. “However, if you work in a financial institution, such as, for example, a bank, and your MacBook or iPhone is a corporate device, then the chances that you will be targeted increase considerably. In this case the threat is significant enough, so we do not recommend relying on the fact that Apple devices are in general less popular targets, and we recommend seeking out a reliable security solution. More so as we expect the number of targeted attacks on macOS and iOS devices to increase between 2019 and 2020.”


Phishers eye MacOS devices


The number of phishing attacks targeting users of iOS devices and the associated Web services ecosystem has reached 1.6 million in the first half of 2019 – a figure about 9% greater than attacks experienced during the whole of 2018.

This was one of the findings of a Kaspersky ‘Threats to macOS users’ report. Although the volume of malicious software threatening the iOS mobile platform is significantly lower than those threatening Windows and Android platforms, when it comes to platform-agnostic cyberthreats, things look quite different.

The research is based on threat statistics voluntarily shared by users of Kaspersky Security Network – a global cloud infrastructure designed for immediate response to emerging cyberthreats.

According to the company, phishing attacks depend heavily on social engineering, which means most have nothing to do with software. In fact, the report revealed that certain regions had more macOS users hit by phishing than others.

The most common phishing schemes are ones that mimic the iCloud service interface, aimed at stealing credentials to Apple ID accounts. Links to these pages usually originate from spam e-mails pretending to come from technical support, and often threaten to block the user’s account should the recipient not click the link.

Another popular scheme is the use of scaremongering pages that attempt to convince the user that their machine is under serious threat and it will only take a couple of clicks and a few dollars to solve the issue.

Tatyana Sidorina, security researcher at Kaspersky, says although technically these attacks are nothing new, Kaspersky believes they pose an even greater danger to Apple users than similar schemes against users of other platforms, because the ecosystem around Apple devices is generally thought of as a far safer environment, and users are naturally less cautious.

“Meanwhile the successful theft of iCloud account credentials could lead to serious consequences – an iPhone or iPad could be remotely blocked or wiped by a malicious user, for example. We urge users of Apple devices to pay more attention to any emails they receive, especially those claiming to be from technical support and requesting the user’s details or asking the user to visit a link,” she adds.

The report also delved into other types of threats to users of macOS-based devices. The most common threats to Mac users are not critically dangerous malware, such as banking Trojans, but rather AdWare, which is less harmful.

To protect macOS devices, Kaspersky recommends keeping macOS and all apps and programs up to date, and encourages users to only use legitimate software, downloaded from official Web pages or installed from the Mac App Store. Finally, a reliable solution that delivers advanced protection on Mac, as well as on PC and mobile devices is essential.

Other findings of the report include:

  • The total number of phishing attacks detected in the first half of 2019 on Mac computers protected by Kaspersky solutions was almost 6 million. The whole of 2018 saw 7.3 million hits.
  • Some 40% of the detected attacks were aimed at stealing users’ financial data. That is 10% more than in the first half of 2018.
  • Some regions had more macOS users hit by phishing than others: Brazil leads this list with 31% of users attacked, followed by India with 22% and South Africa with 17.5%.
  • The most active malware to hit macOS users were variants of the Shlayer family, which spread by disguising themselves as Adobe Flash Player updates.

iOS users under phishing attack

The number of phishing attacks targeting users of Mac computers, iOS-based mobile devices, and the associated web services ecosystem to lure them into fraudulent schemes has reached 1,6-million in the first half of 2019 (H1-19) – demonstrating that the growing number of users of popular digital devices is clearly attracting more and more cybercriminals.

While the volume of malicious software threatening users of macOS and the iOS mobile platform is much lower than that threatening users of Windows and Android platforms, when it comes to phishing – a platform-agnostic cyberthreat – things are quite different.

Phishing attacks rely on social engineering, which means most have nothing to do with software. In fact, Kaspersky’s recent Threats to Mac Users research highlighted that the number of cases where users faced fraudulent web pages utilising the Apple brand as a decoy has increased significantly in the first six months of the year, reaching 1,6-million.

This figure is around 9% greater than attacks experienced during the whole of 2018, when Kaspersky security solutions prevented more than 1,49-million attempts to access Apple-themed phishing pages.

What’s more, some regions had more MacOS users hit by phishing than others. Brazil leads this list with 30,9% of users attacked, followed by India with 22,1% – and, while not as prominent as other regions (and in proportion to the number of ‘i-users’), South Africa still sits at 17,5%.

The research is based on threat statistics voluntarily shared by users of Kaspersky Security Network – a global cloud infrastructure designed for immediate response to emerging cyberthreats.

Among the most frequent fraud schemes are those designed to resemble the iCloud service interface, aimed at stealing credentials to Apple ID accounts. Links to such pages usually come from spam emails posing as emails from technical support. They often threaten to block the user’s account should the recipient not click the link.

Another widespread scheme is the use of scaremongering pages that try to convince the user that their computer is under serious security threat and it will only take a couple of clicks and a few dollars to solve those issues.

“While technically these fraud schemes are nothing new, we believe they pose an even greater danger to Apple users than similar schemes against users of other platforms – such as Windows or Android,” says Tatyana Sidorina, security researcher at Kaspersky. “This is because the ecosystem around Macs and other Apple devices is generally considered a far safer environment. Therefore, users might be less cautious when they encounter fake websites.

“Meanwhile the successful theft of iCloud account credentials could lead to serious consequences – an iPhone or iPad could be remotely blocked or wiped by a malicious user, for example. We urge users of Apple devices to pay more attention to any emails they receive, especially those claiming to be from technical support and requesting the user’s details or asking the user to visit a link.”

In addition to a rise in phishing, the report also revealed other types of threats to users of macOS-based devices. The results have demonstrated some relatively positive tendencies: the most common threats for Mac users proved not to be critically dangerous malware, like banking Trojans, but instead AdWare threats, which are not necessarily fatal and are defined as “potentially unwanted programs”.

Most are threatening users by overloading their devices with unrequested advertisements, yet some of these programs might, in fact, turn out to be a disguise for more serious threats.

Other findings of the report include:

* The total number of phishing attacks detected in the first half of 2019 (H1-19) on Mac computers protected by Kaspersky solutions was almost 6-million. The whole of 2018 saw 7,3-million hits.

* 39,95% of the detected attacks were aimed at stealing users’ financial data. That is 10% more than in the first half of 2018 (H1-18).

* The most active malware to hit macOS users were variants of the Shlayer family, which spread by disguising themselves as Adobe Flash Player updates.
