AVG’s perfect test score for real world protection translates into an Advanced+ award from AV-Comparatives. You can go about your daily browsing knowing you have award winning protection from AVG.
Independent Security Research Leader AV-TEST recently put our AVG Business solutions to the test. The result was a Top Product award that AVG channel partners can share with their clients.
What is QuadRooter? Researchers at Check Point® Software Technologies have released details of four vulnerabilities, which they have dubbed ‘QuadRooter’, that affect Android™ smartphones and tablets built with Qualcomm® chipsets.
Our latest AVG App & Trends Report unearthed surprising trends, about apps’ rise and fall—and their troubling tendency to suck phone life. Here we are pulling back the curtain …
Overnight sensation Pokémon GO! has continued to explode more than a week after its release in New Zealand, Australia, and the US on Wednesday, July 6. On July 13th the game was released in Germany, and the following day in the UK. According to the developer, Pokémon GO! was released in 28 additional countries on July 16 in a huge European rollout, followed by Canada on July 17th.
This game has been a global phenomenon, and while around 35 countries may seem like a lot, keep in mind, there are 196 countries in the world. That still makes for a whole lot of users clamoring for the game. As a result of such a massive demand, this is a cash cow waiting to happen for cybercriminals. Ever since the release of this game, there have been a host of reports in the media of cybercriminal activity involving this game such as free Pokecoin scams, Trojanized Pokémon Go apps, and permissions and privacy issues.
Since the game’s release, there has been an overabundance of reports of fake and malicious apps circulating the various app stores, the most dangerous to date being a discovery by a group of security researchers on July 15th. The first fake lockscreen app, dubbed “Pokémon GO Ultimate,” was found on the Google Play Store. When launched, the malware locks the screen, forcing the user to remove the battery in order to regain access to the device. Once the device has rebooted, the app icon has disappeared, and the app will use your device to collect ad revenue silently in the background. Luckily, the researchers have been quick to contact Google, and it has since been removed from the app store. However, while the first of its kind, it certainly won’t be the last.
When it comes to fake apps, it can be very difficult to tell them apart. Cybercriminals have gotten quite tricky in making fake versions of apps these days. They try to make their app look as close to the official app as possible by copying the original. However, there are some slight differences in the fake app that are used to fool users such as slight misspellings of company names, fake links that appear to be legitimate by having the company’s name somewhere in the link, and poor, inaccurate versions of company logos. While it can be done, distinguishing a fake app from the real thing can be a bit cumbersome and time consuming. And honestly, who wants to go through all that research when you’re just trying to download a game?
Luckily, Norton has you covered when it comes to malicious Android apps. The App Advisor feature automatically scans for malicious apps in the Google Play Store before they’re even downloaded to your phone. Think of it as a way of stopping threats before they even have a chance to get in your front door. App Advisor for Google Play is a special feature included with Norton Mobile Security. We even won an innovation award from AV-Test, a leading Android malware testing organization, for the feature and technology behind it!
If you don’t have Norton Mobile Security, you’re still in luck: you can currently get a 30-day free trial of Norton Mobile Security, which includes the App Advisor. App Advisor is like insurance for your phone. You don’t wait to get fire insurance for your home after a fire occurs, so why should you do the same for your phone? Proactive protection is one of the key ways you can stay ahead of cybercriminals.
So before you join the world in the Pokémon GO! craze, be sure to take some precautions first, to ensure both you and your family’s safety, and then go catch ‘em all!
Researchers at Symantec have recently discovered a malicious app that can steal photos and videos from the popular instant messaging and VoIP app Viber. The malicious app, Beaver Gang Counter, which was available on Google Play, positions itself as a score-keeping app for a card game. Instead of helping you keep score, it secretly searches for the directories that Viber uses to store images and video files, which it then sends to a remote server.
This type of data could reveal a host of personally identifiable information (PII). It is said that a photo is worth a thousand words, and in this case these photos may be able to tell attackers information such as where and when the photo was taken, not to mention any personally identifiable information that may be shown or said in these images. Whatever information is gleaned from the photos and videos can be used for criminal purposes, such as identity theft, blackmail, fraud, or pornography.
It was also found that the malicious app is using what is called time-delayed attacks in order to evade security measures. This means that the program does not engage in malicious activity right from the start, which is likely what allowed it to bypass Google’s security precautions and sneak onto the Google Play Store. Symantec alerted Google to this issue and the company has removed the app and its developer from the Google Play Store.
Figure 1. The Beaver Gang Counter app steals Viber media files
Symantec suspects that Viber was targeted because it is an extremely popular social media app with over 500 million installs on Google Play alone.
How to protect yourself from this threat:
Although Dridex (W32.Cridex) and Locky (Trojan.Cryptolocker.AF) have been unusually quiet, a new type of ransomware may be taking their place on the online threat landscape. Bart, a new ransomware variant, introduced by the same cybercriminal group behind Dridex and Locky, was spotted late last week.
Bart encrypts files with certain extensions on compromised computers. It displays its ransom note through a text file and the desktop wallpaper. The ransomware then demands payment from the victim, promising that the encrypted files will be decrypted once the ransom is paid.
Norton security products protect your computer against Bart. If you have Norton Security on your computer, it will detect the Bart ransomware. Remember, backing up your files is a preemptive strike against cybercriminals who try to hold your information for ransom. Under no circumstances should you pay the ransom, as it’s not guaranteed that you will get your data back.
Are your Apple AirPorts suddenly flashing yellow? That’s because Apple has sent out a major update to your AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations.
Apple discovered a vulnerability in the firmware of the AirPorts that could allow attackers to execute commands on the affected devices.
Luckily, it’s a snap to update your devices. Just go to AirPort Utility, and there will be a small, red notification next to the devices that need to be updated. Just click on that device and then on the “update” button for each device, and they will automatically update. Continue the process for each AirPort on the network.
A sudden drop in cybercrime activity related to major threat families Locky, Dridex, and Angler have Symantec cybersecurity experts taking note, but still keeping a vigilant eye on the associated malware gangs. One reason for the decrease may be the arrest of 50 people in Russia thought to be involved in the group behind the Lurk banking fraud.
One of the most prevalent ransomware threats in 2016, Locky has shown a significant drop in activity during the month of June. Blocked Locky infections per week went from more than 3,000 in May to the low hundreds this month. That means that new Locky cases, either from spam campaigns or exploit kits, have dramatically fallen.
Figure 1. Blocked Locky infections by week, showing drop in activity over past two weeks
Financial fraud Trojan Dridex has also almost disappeared — but not quite. The Dridex botnet’s subnets continue to operate, and Symantec has noted that Word macro downloaders are still delivering Dridex through spam campaigns.
Figure 2. Blocked Dridex infections by week, showing low activity in recent weeks
The Angler exploit kit has dropped off the radar, with no reported payloads being delivered since the start of May. This isn’t the first time Symantec Security Response has seen Angler go dark, so it remains uncertain whether this well-known exploit kit has gone extinct.
Figure 3. Payloads being delivered by Nuclear exploit kit. Activity ceases in first week in May.
Given that most of the affected threats have not disappeared entirely, it appears unlikely that they are directly connected to the Lurk group. One possible explanation is that the law enforcement takedown against Lurk could have resulted in the shutdown or seizure of infrastructure used by other attacker groups, who have since been working to resume their operations.
Symantec Security Response is continuing to monitor the situation and will provide further updates if new information comes to light.
FLocker (short for “Frantic Locker”) ransomware is now capable of locking up Android TV sets. This particular ransomware strain is not new, as it has been posing a threat to Android smartphones since May 2015. There are several thousand variants of this strain of malware, and one has now made its way onto smart televisions running Android OS.
While this variant of malware does not encrypt files on the infected device, it does lock the screen, preventing the user access to the TV. Additionally, this malware has the potential to steal data from the device.
This new version of FLocker, much like normal ransomware, displays a notification from a law-enforcement agency such as the Japanese Ministry of Justice and the U.S. Cyber Police, which are both fake entities. The message accuses the user of hosting illegal content or performing illegal activities, and then demands a “fine” of $200 US in iTunes gift cards, in order to release the television. The malware operates in the same way on Android smart TVs as it does on smartphones.
The concept of smart TVs and malware is not new. Security researcher Candid Wueest published a proof-of-concept for smart-TV ransomware on Symantec’s Security Response blog.
It’s a nasty variant, but your TV shows don’t have to be held hostage.
How To Stay Protected:
This ransomware is being delivered in the same ways traditional ransomware is on other devices.
It just so happens that the operating system on certain televisions is vulnerable to this strain of ransomware; the televisions are not specifically targeted.
This ransomware is typically transmitted to televisions that have SMS text messaging capabilities, or by using the web browser on the TV and accidentally visiting malicious websites. To keep yourself protected from this threat, avoid using the SMS messaging or web browsing capabilities on your television. Make sure to never click suspicious links in texts, emails, and on websites.
Also, be sure to stick to the official app store for your television, as third party app stores can contain malicious apps.
Be sure to perform a software update on your television, if available. These updates are known to help patch vulnerabilities, or “holes” where malware can be snuck into the device.
Norton Security protects against variants of this ransomware for PC users. Mainly we detect the malware as Android.Lockdroid.E and a few other versions of it as Android.Lockdroid.H and Trojan.Gen.2.
If you’ve fallen victim to FLocker, first and foremost, do NOT pay the ransom; it’s not guaranteed that you will regain access to your television. Instead, it is suggested that you contact your smart TV’s vendor.
A critical new vulnerability (CVE-2016-4171) has been exploited via targeted attacks in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux, and Chrome OS.
This vulnerability can cause a system crash and possibly allow an attacker to take control of the affected system.
Once available, Flash Player users should update to the latest version. Since this is an active vulnerability that is already being exploited, it is crucial that users update their software immediately.
If you are concerned about this issue you can temporarily disable Adobe Flash in the browser until the update is available by taking the following steps:
1. Open Internet Explorer
2. Click on the Tools menu, and then click Manage add-ons
3. Under “Show”, select All add-ons
4. Select Shockwave Flash Object and then click on the Disable button
You can re-enable Adobe Flash by repeating the same process, selecting Shockwave Flash Object, and clicking on the Enable button.
Guidance for users of earlier versions of Internet Explorer is available on the Microsoft website.
1. Open Firefox
2. Open the browser menu and click Add-ons
3. Select the Plugins tab
4. Select Shockwave Flash and click Disable
You can re-enable Flash by repeating the same process, selecting Shockwave Flash, and then clicking on the Enable button.
1. Open Chrome
2. Enter chrome://plugins/ in the address bar and hit the Enter key
3. Click the Disable link under the Adobe Flash Player plugin
You can re-enable Flash by repeating the same process and clicking the Enable link.
Norton offers protection against this vulnerability (CVE-2016-4171), which is due to be patched by Adobe tomorrow as part of Adobe’s monthly security update.
A hacker group that calls itself OurMine claims that it has gained access to several social media accounts belonging to tech giant Mark Zuckerberg, as a result of the 2012 LinkedIn data breach. Zuckerberg is the latest example of what can happen when you create and reuse weak passwords. What is surprising is how weak his password was. According to the hackers, his password was “dadada.” However, his Facebook account remains intact, and best practices have been employed to secure his compromised accounts.
Are you a victim too?
The LinkedIn data breach reportedly exposed 117 million passwords. As a result, LinkedIn invalidated the passwords of all LinkedIn members who hadn’t updated them since the 2012 incident. LinkedIn also reached out to let those members know what had happened and reminded them to reset their passwords on other sites. You can also run a check to see if your email account has been included in a released database. The website Have I Been Pwned? provides a simple yet useful service to help determine if you have been a victim of a data breach. Simply enter your email address and the website will reveal if your data has been leaked. If you have been ‘pwned’, change your password across all social media immediately.
What are the precautions to take?
When creating and updating passwords, make sure that your new password is a minimum of eight characters long and doesn’t contain your real name, username, or any other personally identifying information. The best passwords include a combination of uppercase and lowercase letters, numbers and special characters.
accounts, they’ll try to use it to gain access to all your accounts. This is why it’s important to create a unique password for each account.
Remembering a unique password for each account is difficult, so consumers should consider using a password manager like Norton Identity Safe that stores your passwords in a secure, cloud-based vault.
their email account can be a front door to their entire digital life. Think about how many times you may have reset your password on some other site and the recovery link is sent to your email account. Ensure you use a particularly strong password with both characters and numbers for your email account. And don’t reuse it!
step) authentication, which adds an extra layer of security to your account by requiring you to enter your password, plus a code that you will receive on your mobile device via text message or a token generator to login to the site. This may add complexity to the login process, but it significantly improves the security of your account. If nothing else, use this for your most important accounts.
Our first line of defense from cyber criminals is our knowledge. Staying aware of the ongoing threats in the cyber world is a good first step towards keeping yourself safe. Remember to keep all your devices updated with the latest security software and use strong passwords.
Over 2,500 Twitter accounts have been taken over by scammers and are tweeting links to adult dating and sex personals websites. Once the accounts were compromised, the attackers essentially “rebranded” the account by changing profile photos, biographies, and name of the accounts to match the websites they were promoting.
Symantec has been investigating this issue and found that a few high-profile accounts, with anywhere from 20,000 to hundreds of thousands of followers, had been compromised.
It seems that these attackers are going after a variety of accounts, regardless of the number of followers. If you’re an active Twitter user, here are some steps you can take to secure your account:
1. Beef up your Password:
It’s a good chance that a sizable amount of the accounts that were compromised used weak passwords, or re-used passwords on other services. Always use complex, unique passwords for each website you visit. You can learn more about how to create strong passwords and how to manage them here.
2. Password managers make things easier:
Unique passwords are key. If one set of credentials is leaked in a data breach, chances are they will be tried on other popular websites as well, especially ones that are related to finance. Keeping track of multiple passwords doesn’t have to be difficult. We suggest using a password manager such as Norton Identity Safe.
3. Double up on your security by enabling Twitter’s Login Verification:
In addition to using your username and password to log into a website, Twitter’s Login Verification sends a code to your mobile phone that you will use as an additional log in step.
For the in-depth report on this investigation, you can read the Symantec Security Response Connect blog post here.
In 2012, LinkedIn suffered a data breach of six million user account names and passwords. Apparently, that breach is far larger than originally reported.
A Russian hacker going by the name of “Peace” has claimed responsibility for the 2012 hack. This hacker has now resurfaced, and instead of just the six million credentials, he is selling a whopping 117 million credentials on the Dark Web acquired from that same breach.
This hacker waited four years to release the data on the black market.
This just goes to show how important it is to use strong and unique passwords for each service and not to re-use passwords. Hackers tend to rely on repeat password usage and will try to break into other accounts with the credentials obtained from the breach. It can be a cumbersome task to have to remember so many unique passwords, however, with Norton Identity Safe, you can eliminate that hassle. The app will securely store your passwords and automatically log you in to the sites you visit.
It’s entirely possible to have your information breached without you knowing about it. Usually, with data breaches, hackers tend to hold on to the information for months, and in this case, years, in order to evade detection from law enforcement and not draw any suspicion from the breached users.
According to a statement from LinkedIn, the new data released is indeed legitimate, working credentials and “LinkedIn is invalidating passwords and is letting members know how to reset.”
If you have a LinkedIn account, change your password immediately! Even if you don’t think you’re affected, there’s no way of completely verifying that.
You can reset your password for LinkedIn here: https://www.linkedin.com/psettings/change-password
In addition to changing your passwords, it’s an excellent idea to turn on Two-Factor Authentication, which LinkedIn provides. Two-Factor Authentication adds an extra layer of security to your account, usually by sending a text code to a device you own and the hacker does not have access to.
Hot on the heels of the zero-day flaw announced earlier this week, Adobe has released an update today that patches 25 newly discovered vulnerabilities. The vulnerabilities that were found affect Flash for Windows, Mac OS X, Linux, and ChromeOS operating systems. If exploited, these vulnerabilities can allow an attacker to take control of the affected computer. Some of these attacks may already have been executed by cybercriminals.
How to Protect Yourself from This Threat
If you are running Flash and if it has not already automatically updated with the emergency fix, patch Flash immediately.
Zero-day vulnerabilities are newly discovered software vulnerabilities that are unknown to the manufacturer. A software vulnerability is a weakness in the software through which cybercriminals can sneak malware onto your computer. In these cases hackers will rush to exploit the newly discovered vulnerability before the software company has the chance to fix it.
While Norton customers are automatically protected in most cases, it’s still always a good idea to err on the side of caution and continue to apply vendor patches as they become available.
Performing these updates can be a cumbersome and annoying task. They tend to pop up at the most inconvenient times, while you’re working on something on your device, so of course there is the option to update later. People tend to push the updates off (and off, and off again).
The good news is, even if you don’t have the chance to apply it immediately, Norton automatically defends against most of these vulnerabilities. However, it is still a strongly recommended best practice to apply software updates as soon as they are available. In addition to fixing the holes identified in the software, these manufacturer patches also serve up a plethora of other benefits to your system, such as adding new features, removing outdated features, updating drivers, delivering bug fixes and more.
While most operating systems do come with their own form of anti-virus protection built in, it is not always as comprehensive as a proper Internet security suite. Internet security suites have much more functionality than regular anti-virus software. Anti-virus software protects against some threats such as spyware, adware and malware, but not much more. In order to reach far beyond those limitations, it’s important to have technology that can specialize in the detection of higher-risk malware, contain anti-spam filters and email protection, built-in firewall protection, safer web browsing by blocking malicious websites, parental controls and can even safeguard your identity while you’re conducting online transactions. That’s something that is built into a product like Norton Security.
The Internet threat landscape has evolved into so much more than viruses, that simple anti-virus detection is just not enough. The best way to stay ahead of all threats on the Internet is to take a multi-layered approach to your security by installing an Internet security suite such as Norton Security as well as applying those patches A.S.A.P.!
American cyber investigation company Hold Security has discovered a massive data breach of more than 250 million webmail accounts around the world.
The company’s founder, Alex Holden, reportedly told Reuters that:
“The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users.”
The discovery was made when a researcher at Hold Security stumbled upon a young Russian hacker, known as “The Collector” boasting in an online forum about how he had stolen these records. Hold Security is a firm that attempts to recover stolen credentials from cybercriminals. Intrigued by such a large number of records, the company reached out to the hacker, and learned that the data was actually a collection of multiple breaches over time. Shockingly, they learned that the hacker only wanted 50 rubles, which is about .75 cents for the lot. The hacker stated that he just wanted to get rid of it, but he didn’t want to do it completely for free. Instead, the hacker just asked them to add likes/votes to his social media page.
Once Hold Security retrieved the collection, they began investigating the legitimacy of the records. According to their blog, after checking the 272 million records against the records they had obtained from previous incidents, only 42 million of these were ones they had never seen before. While it is still a major security breach, it appears that the bulk of it may be older, recycled information from previous data breaches. Hold Security is still investigating the new records that have been found, which will be “distributed to companies and individuals who can secure their systems against abuse.”
In a statement, Mail.ru claims that the findings are overstated.
While stolen email account credentials may seem like small potatoes, they are actually extremely useful to cybercriminals, for many reasons. Once cybercriminals can access your email account, they can use it to scam your friends, family, or any other email contacts, including companies you do business with.
In addition to scamming people in your address book, they can also siphon important personal data, allowing them to commit identity theft.
As well as stealing data and scamming friends, they also have the ability to break into other online accounts, such as financial accounts associated with the email account, by attempting password resets.
If you think you may have been compromised in this breach, you should do the following immediately:
Since this contains data from older data breaches, that information may start recirculating on the web again. It may take weeks to months to know if you have been breached, as the criminals may hold the data for a long time in order to evade detection. So if you haven’t changed your password in a few months, it’s best to be safe rather than sorry and change those passwords now.
As mobile payment platforms become more popular, scammers are taking notice of this uptick in digital currency exchange. Fake Android apps have been discovered on the Google Play Store that pose as popular mobile payment platforms.
Researchers from security firm PhishLabs discovered 11 of these phishing applications since the beginning of 2016 hosted on the Google Play store.
The scam works by displaying fake webpages designed to look like legitimate pages. However, these webpages are launched inside the app, allowing the attackers to hide the actual web address of the webpage and leaving users with no real way of verifying the validity of the site.
These fake webpages ask for login credentials, and sometimes seek additional information under the guise of updating security questions. Once the app has collected and sent all the information it is after, it displays an error message to the user claiming that the username and password combination was incorrect or some other similar error.
How to Stay Protected:
If you think that you have been compromised with one of these apps, you should immediately delete the app from your phone, and then go to the website in question via a web browser, and change your login credentials.
1.1 million people are at risk of having their private data exposed in the underground economy, also known as the Dark Web. Controversial website BeautifulPeople.com, which claims to have “the largest network of attractive people in the world,” has announced that it has become the latest victim of a data breach.
When setting up a profile on the site, users are asked to provide sexual preference, relationship status, income, address and other physical attributes like weight, height, job, education, body type, eye color and hair hue, as well as email address and mobile phone number. Based on this data the existing pool of users vote and decide if the applicant is allowed to join this “elite” club.
All this information was strictly confidential until the website’s data was breached and sold on the dark web. One researcher claims that 15 million private messages between users are also part of the leak.
In a statement sent to Forbes, the website owners said: “We can confirm we were notified of a breach on December 24th of 2015 of one of our test servers. This was a staging server and not part of our production database. The staging server was immediately shut down. All impacted members are, of course, being notified once again. The data does not contain any credit card information and user passwords are encrypted.”
However, according to Australian security researcher Troy Hunt, who manages the popular HaveIBeenPwned breach notification website, the data is not only genuine and online but is now being traded for money on the dark web.
Data breaches of popular websites like BeautifulPeople.com are not new to the cyber world. In the past, several dating websites in business with adulterous individuals were ruined due to data breaches.
Two zero-day vulnerabilities showed up recently that could spell trouble for Apple users who use QuickTime for Windows.
The ZDI-16-241 and ZDI-16-242 vulnerabilities allow an attacker to run malware or malicious code remotely. It gains access to a computer when a user is tricked into visiting a malicious webpage or opens a malicious file.
This vulnerability is critical because Apple is no longer providing security updates for QuickTime on Windows. Since these vulnerabilities are never going to be patched, the best line of defense is to uninstall QuickTime for Windows immediately.
Since the primary mode of entry for these vulnerabilities is through phishing, users are advised to be cautious before clicking on a suspicious link or opening emails from unknown sources. It is best to keep all your software and operating systems up-to-date and keep your devices safe with a reliable security suite like Norton Security.
It has been found that two separate exploit kits, known as Magnitude and Nuclear, have been using this vulnerability to spread ransomware to targets via drive-by downloads. An exploit kit is a package of software that finds and takes advantage of security holes, or software vulnerabilities, in computer software. Exploit kits are primarily used to spread malware. A drive-by download means that malware can be installed on your computer simply by browsing to a compromised website.
How can I protect myself?
This is another example of how crucial it is to keep all of your software up-to-date. Exploit kit operators know that they can take advantage of only those computers that have out-of-date software.
Another essential way to keep yourself protected from this threat and others is to install a reliable Internet security software suite, not just for your computers but your cell phones and tablets as well. Norton Security protects customers from this threat and a multitude of others.
Adobe has now released the patch for the vulnerability. You can read about it here.
Adobe announced it will soon issue an update for its Flash Player in response to the discovery of critical vulnerability CVE-2016-1019, which is currently being exploited in the wild. According to Adobe, the vulnerability could cause computer crashes and potentially allow an attacker to take control of an affected computer.
The vulnerability affects Adobe Flash Player versions 22.214.171.124 and earlier for Windows, Mac, Linux, and Chrome OS. Exploitation of computers running Windows 7 and Windows XP with Flash Player versions 126.96.36.1996 and earlier has been reported.
The imminent Flash Player update will fully patch the vulnerability, but Adobe says that Flash Player version 188.8.131.52 currently prevents exploitation of this flaw, protecting users running that version or later.
Adobe Flash Player users should immediately update to the current version, which prevents exploitation, while waiting for the full fix to be released. Alternatively, users can temporarily disable Flash in their browsers by following these instructions:
You can re-enable Adobe Flash Player by repeating the same process, selecting Shockwave Flash Object, and clicking on the Enable button.
Guidance for users of earlier versions of Internet Explorer is available on the Microsoft website. Select the version of Internet Explorer you are using at the top right corner.
You can re-enable Flash by repeating the same process, selecting Shockwave Flash, and then clicking on the Enable button.
You can re-enable Flash by repeating the same process and clicking the Enable link.
To stay up to date on this vulnerability, see the Adobe Product Security Incident Response Team blog.
Benjamin Franklin once said that the only certain things in life are death and taxes. While individuals, businesses, and tax preparers get ready for tax season at the beginning of each year, another certainty exists: Cybercriminals will attempt to victimize these entities with tax-related scams.
Tax season is a ripe time for phishing and spreading malware; without fail, tax-related online scams remain one of the most popular types of phishing scam every year. Through our threat intelligence network, we have identified four types of tax scams that individuals and businesses should be wary of as they prepare to file their taxes in 2016.
“Your account or tax return is locked or restricted”
The first type of phishing scam arrives in the form of an email claiming to be from the Internal Revenue Service (IRS). The email states that the recipient’s tax return is restricted. We have also observed phishing emails impersonating TurboTax, a popular tax preparation software, claiming that the recipient’s TurboTax account is locked. In both cases, the goal is to convince the recipient to click on a link and submit their personal information to unlock their tax return or TurboTax account.
Figure 1. Fake IRS and TurboTax emails claiming the recipient’s tax refund is restricted or their account has been locked
“Update your tax filing information”
The second type of phishing email claims that the recipient needs to update their “tax filing information” or their tax return.
Figure 2. Fake IRS-branded emails asking the recipient to update their tax filing information
Most phishing emails contain a link to a fake site, where personally identifiable information can be captured and submitted to the cybercriminals. In some cases, the link is replaced by an HTML attachment.
“Tax payment was deducted from your account”
Owing the IRS money is often a scary prospect, so it comes as no surprise that cybercriminals are also sending out emails claiming that a tax payment was deducted from the recipient’s bank account.
Figure 3. Fake email claims tax payment was deducted and includes a “receipt”
Attached to the email is a “receipt” that acts as a reference for the deduction. It contains a malicious file that security software products detect as W32.Golroted.
“You are eligible to receive a refund”
On the flip side of being told they owe money to the IRS, being told that the IRS owes the recipient money and that they are eligible for a tax refund is an even more attractive prospect. While we do see these types of emails, we uncovered an interesting variation on this scam in 2016.
Figure 4. Fake email from the IRS seeking proof of identity documents
We see plenty of tax-related scams asking users to click on links or open up HTML attachments or malicious files on their computers; however, this particular scam asks the recipient to provide proof of identity. The requested proof of identity documents include a copy of a valid (signed) full passport as well as a scanned copy of a utility bill, bank statement, or credit card statement. Recipients are asked to send these documents to an @consultant.com email address.
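The four lures above share a handful of mechanical tells: a brand named in the sender or subject but sent from an unrelated domain, a Reply-To routed elsewhere (the @consultant.com pattern), an HTML attachment standing in for a link, and a link whose visible text names a host other than the one its href points to. The following is an added example, not code from the original post or from Symantec; the brand-to-domain allowlist, the sample message and all hosts in it are constructed for the demo.

```python
"""Triage heuristics for the tax-season lures described above. Added example,
not from the original post: the allowlist and sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand-to-domain allowlist for the demo; extend per organisation.
BRAND_DOMAINS = {"irs": {"irs.gov"}, "turbotax": {"intuit.com", "turbotax.com"}}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr: str) -> str:
    """Lower-cased domain of an address header ('' when the header is absent)."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def triage(raw: str) -> list[str]:
    """Return the suspicious traits found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    claimed = f"{parseaddr(msg.get('From', ''))[0]} {msg.get('Subject', '')}".lower()
    findings = []
    # 1. Brand named in the display name or subject, but sent from another domain.
    for brand, legit in BRAND_DOMAINS.items():
        legit_sender = any(from_dom == d or from_dom.endswith("." + d) for d in legit)
        if re.search(rf"\b{brand}\b", claimed) and not legit_sender:
            findings.append(f"claims {brand} but sent from {from_dom}")
    # 2. Replies routed to a domain other than the sender's (the @consultant.com pattern).
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender")
    # 3. HTML attachment used in place of a link to the fake site.
    names = (p.get_filename() or "" for p in msg.walk())
    findings += [f"html attachment {n}" for n in names if n.lower().endswith((".htm", ".html"))]
    # 4. Link text shows one host while the href goes to another (inline HTML only).
    html = next((p.get_payload(decode=True).decode("utf-8", "replace") for p in msg.walk()
                 if p.get_content_type() == "text/html" and not p.get_filename()), "")
    for href, text in ANCHOR_RE.findall(html):
        shown = re.search(r"[\w.-]+\.\w{2,}", re.sub(r"<[^>]+>", "", text))
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(0).lower() != real:
            findings.append(f"link text {shown.group(0)} -> {real}")
    return findings


# Constructed sample resembling the "account locked" lure (not a real message).
SAMPLE = """\
From: "IRS Refund Department" <service@refund-notice.example>
Reply-To: verify@consultant.example
Subject: Your tax return is restricted
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Unlock at <a href="http://203.0.113.7/unlock">www.irs.gov/refund</a></p>
--b1
Content-Disposition: attachment; filename="form.html"

<form></form>
--b1--
"""
```

Run against the constructed sample, `triage(SAMPLE)` reports all four traits; a genuine notice from irs.gov with no Reply-To, attachment or disguised link yields an empty list.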
When preparing to file your taxes this year and every year hereafter, here are some tips to keep in mind when receiving unsolicited communications.
Try to stay safe online this tax season, and remember that the deadline to file is on Monday, April 18.
One of the most prevalent Android ransomware threats in the West has now expanded to Asia, choosing Japan as its first target. Android.Lockdroid was spotted on March 11th, and disguises itself as a system update. Once the ransomware detects that it’s installed on a device in a certain country, it displays the ransom message in that country’s language. This is the first type of “chameleon” ransomware we’ve spotted. Once the ransomware is installed and running on the device, it “phones home” to the cybercriminal’s server, and then uploads the device’s information to figure out the phone’s language. If it finds that the app is on a Japanese device, it pushes out a message in Japanese. If the user is located in the United States, the app displays the warning in English, users in Europe receive notices in their own languages, and so on. If the ransomware doesn’t have a ransom message in the language for the user’s region, the server then sends the message in English, posing as if it were coming from Interpol.
In all languages, the ransom message states that law enforcement has locked the device because the user has viewed or stored illegal pornography on it. The warning asks the user to pay the fine using an iTunes card in order to get their device unlocked. The cost is around $100, depending on where the victim is located. The app also uses scare tactics to get the user to pay: it attempts to take a picture of the victim using the device’s camera and then adds the photo to the ransom warning. In addition to these scare tactics, the malware gathers other data from the device such as the IP address, region, device model, OS version, and the name of the user.
In general, Android.Lockdroid needs to be manually downloaded by the user from adult sites to infect devices. It can also arrive on the device when the user clicks on advertising links, a technique known as malvertising (malicious advertising).
This malware also poses as a pornographic video app to trick users into installing it. Other versions appear as fake system updates and attempt to deceive users into believing that a patch is required for their device’s operating system. This new campaign mainly distributes the variants disguised as system updates.
This particular version waits around 30 minutes or longer before it begins any activity. The delay is meant to keep the user from suspecting that the app they just installed is the cause of the problem.
There’s a perception that OS X is impenetrable, especially when compared to Windows. In recent times this assumption has repeatedly been proven wrong.
The latest in a series of flaws discovered in OS X and iOS is a vulnerability in Apple’s security system. The flaw lies in System Integrity Protection (SIP), a security feature that Apple introduced with El Capitan last year. SIP was designed to prevent modifications to protected files and folders on the Mac. The bug not only bypasses SIP but can also be used to make malware harder to remove from an infected system.
This zero-day vulnerability exists in all versions of OS X and has been addressed in the latest update to the operating system (OS X 10.11.4), which Apple announced on March 21. Since the exploit code is available on the Web, Apple users are strongly advised to apply the patch.
How it works
To exploit this flaw, an attacker first has to compromise the targeted OS X system; the flaw is not directly exploitable remotely. The attacker would need physical access to the system, a foothold from existing malware, a successful spear-phishing attack, or a browser exploit.
Once in, the attacker can use the exploit to load unauthorized kernel code on the system and fully disable SIP protections inside the kernel.
With root-level privileges, the attacker gains read and write access to all areas of the file system and can potentially take control of the whole system.
Who is at risk?
Anyone running OS X or iOS. Since the exploit’s purpose is to take control of the system, shared OS X computers, such as those found in schools, government offices, and large data systems, are at high risk.
How to stay protected
To execute this attack, the attacker needs physical access or will resort to spear phishing tactics. You can stay protected by never giving out more information than needed on social media. It’s also important to keep your passwords strong. And be cautious when signing up for apps you don’t trust.
Always keep your software updated and invest in reliable security software. Norton Security Premium comes with protection for up to 10 Macs and iOS devices with a single subscription. It also safeguards your identity and online transactions. With a security service for all your devices you can rest easy as the service comes with dynamic updates to keep your device safe from emerging threats.
Most of all, use common sense when responding to emails. If you think something is not looking right, call, text or email the person before clicking on links.
Even though OS X is known for facing fewer threats, that doesn’t mean Macs are immune to attacks.
It’s tax season, so our finances are top of mind for many of us. Cybercriminals are thinking about our money, too. After all, most cybercrimes are committed for monetary gain. According to the Symantec report titled “Financial Threats 2015,” cyber thieves are developing stronger attacks on banks and other institutions to try to access our hard-earned money. Here’s an inside look at the top threats financial companies faced in 2015, plus tips on keeping your own bank accounts secure.
Financial institutions of all shapes and sizes are vulnerable to cyber attacks — from small local banks to global giants — with the United States, Germany, and India being home to the most targeted financial institutions. Every year they are bombarded by hundreds of financial Trojans, typically designed to steal log-in credentials. Although the report found that the number of detected Trojans has dropped, their scope has increased.
Highbrow Spam Attacks
Like the sophisticated companies and institutions that guard our money, the attacks cybercriminals are devising against them are growing more sophisticated, too. The underground community of financial fraudsters is well organized, offering for sale or rent a long list of malware kits and other methods to defraud their targets.
The number one tactic cyber attackers use to gain a foothold in financial institutions is sending malicious spam email attachments. Currently, the Dridex financial Trojan is one of the most serious financial threats, distributed through massive spam email campaigns. The cybercriminals send millions of seemingly authentic emails daily, cleverly disguised as financial emails with document attachments such as invoices, receipts, and orders that appear to come from companies with high name recognition. To make these emails more plausible, the attackers even follow a typical workweek schedule, only sending emails Monday through Friday and taking a break during year-end holidays.
Once opened, the attachments prompt users to enable a malicious macro, which then allows the Dridex Trojan to be installed.
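Because modern Office documents are ZIP containers whose VBA code lives in a vbaProject.bin part declared in [Content_Types].xml, a mail gateway can tell whether an "invoice" carries macros before a user is ever prompted to enable them. The following is an added example, not code from the original post or from Symantec; the demo documents it builds are constructed stubs, not real lures.

```python
"""Check an Office attachment for embedded VBA. Added example, not from the
original post or Symantec; the demo documents below are constructed stubs."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def find_vba_parts(data: bytes) -> list[str]:
    """Return the ZIP entries that hold VBA, or [] for a macro-free OOXML file."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an OOXML container (legacy OLE2 .doc/.xls need an OLE parser)
    with zf:
        names = zf.namelist()
        hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Also honour the container's own declaration of part types.
        if not hits and "[Content_Types].xml" in names:
            if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace"):
                hits.append("[Content_Types].xml declares a vbaProject part")
    return hits


def classify_attachment(filename: str, data: bytes) -> str:
    """'clean': no VBA; 'macro': VBA in a declared macro-enabled type;
    'suspicious': VBA hidden behind an extension that should never carry it."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not find_vba_parts(data):
        return "clean"
    return "macro" if ext in MACRO_EXTENSIONS else "suspicious"


def build_demo_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real lure)."""
    override = ('<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>') if with_vba else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f"<Types>{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")  # OLE2 magic + filler
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_demo_docx(True)),
                       ("invoice.docm", build_demo_docx(True)),
                       ("invoice.docx", build_demo_docx(False))]:
        print(name, classify_attachment(name, blob))
```

Both "macro" and "suspicious" results on an unsolicited attachment are grounds to quarantine it rather than let the recipient see the "enable macros" prompt; legacy binary .doc/.xls files are OLE2 rather than ZIP and need an OLE parser such as oletools.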
Dridex: Man-in-the-Browser (MitB)
Dridex can perform many functions, but the most important ones are to steal a victim’s banking credentials and add their computer to the Dridex botnet.
Dridex steals credentials via MitB attacks using web injects. Dridex injects its malicious code into the victim’s web browsers whenever they are opened. The malware then waits for the victim to initiate an online banking session. When the user logs on to a site, Dridex tries to steal the log-in credentials by capturing online form data, logging keystrokes, or taking screenshots.
10 Ways to Protect Your Own Financial Information
The Dridex Trojan is just one of seven common financial Trojans detected in 2015. But you can apply the following tips to help protect your own financial accounts against malware attacks.
1. Choose a strong security solution that also protects and scans for malicious emails, such as Norton Security Deluxe. Keep it, other software, and your operating systems updated.
2. Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
3. Follow your instincts. If you receive an email notification that appears to come from a legitimate organization but your instinct tells you something isn’t right, verify the issue with the organization in question first by visiting their website or calling the customer service phone number on their website. Do not use hyperlinks or call contact numbers within the questionable email.
4. Beware any email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that the email is genuine and from a trusted source, do not enable macros and instead immediately delete the email.
6. Sign up for log-in notifications whenever available. And always log out of your session when done.
7. Monitor your bank statements regularly for suspicious activity.
8. Exercise caution when conducting online banking sessions, especially if the behavior or appearance of your bank’s website changes.
9. Notify your financial institution of any strange behavior while using their service.
10. Immediately change your online banking account passwords using an uninfected system if you suspect a Dridex infection. Then contact your bank to alert them to look for any potentially fraudulent transactions.
It’s time to patch ALL the Apple things!
Apple has released a slew of software updates this week for various products. Most importantly, iOS 9.3.
These vulnerabilities and others are also affecting other versions of Apple’s OS, so it’s a good idea to take a moment and update all your iDevices. Yes, it’s a lengthy and bothersome task, but in addition to patching all of these nasty vulnerabilities, there are also improvements and shiny new features bundled up in these updates as well.
This is hot on the heels of the very first Mac-focused ransomware campaign executed by cybercriminals. It goes to show the importance of installing software updates as soon as they are available.
**Update from Apple**
iOS 9.0 introduced aggressive certificate pinning across iOS applications, which made the attack more difficult to perform. The most recent version, iOS 9.3, fully patched the vulnerability.
Here are just a few of the vulnerabilities that Apple patched this week across various OS’s:
Just when you think the Angler Exploit Kit is wreaking havoc to its full potential, it surprises us by getting more aggressive.
Last weekend several mainstream websites fell victim to a massive malvertising campaign. The tainted ads on these websites may have directed thousands of unsuspecting users to a landing page hosting the notorious Angler Exploit Kit, a kit that stealthily installs crypto-ransomware and other malware on computers.
Malvertising (malicious advertising) abuses legitimate online advertising services to spread malware: malware-laden advertisements are placed on ordinary web pages through authentic online advertising networks in order to infect devices through the web browser.
An exploit kit gives cybercriminals a channel to communicate with your system and feed it code carrying different types of commands. These kits are big money in the underground economy.
Once the ad loads in a user’s browser, the user is redirected to the landing page carrying the Angler Exploit Kit. There it checks for vulnerabilities and attempts to install the ransomware. If the ransomware is installed, it encrypts files on the user’s computer and a ransom note appears demanding payment in the form of bitcoins for the release of the files. A user does not need to click on a pop-up in order to be redirected.
Cybercriminals regularly use exploit kits to find vulnerabilities in systems and infect users with malware. These kits are big money in the underground economy, and one of the most notorious among them is the Angler Exploit Kit.
A recent victim of the Angler Exploit Kit is ‘Burrp’, a popular local food and restaurant recommendation website based in India. Burrp was compromised to redirect users to the Angler exploit kit (EK) in order to deliver the TeslaCrypt ransomware. Cybercriminals took over users’ computers and encrypted their files, then demanded a ransom for decrypting them.
The site has been sending users to the exploit kit since the beginning of February. Symantec notified Burrp of the compromise and the company has stated that it is working to resolve the issue. Most of the users who have been impacted by this attack are based in the US and India.
How the attack works
1. Injecting malicious code
2. Script received from the exploit kit’s server
The script then sends a POST request to the same remote location. The response to this request includes a file that redirects users to the Angler exploit kit landing page.
3. Angler attempts to exploit the vulnerabilities
If the exploit succeeds, then the TeslaCrypt payload is dropped onto the computer. If the exploit doesn’t work, then the kit drops another file with a different type of exploit to download TeslaCrypt onto the computer.
4. TeslaCrypt in action
Once TeslaCrypt arrives, it writes an executable file to memory, which carries the Trojan’s main functionality. The Trojan then drops the ransom message into every folder with encrypted files. This notice demands that the user pays in bitcoins to obtain the decryption key and restore their data.
Prevention and Protection
The best way for users to avoid infection from these types of attacks is to take preemptive action:
If you suspect that a site you use has been compromised, notify the site’s administrator as soon as possible to prevent the attack from spreading further.
The discovery of a critical Adobe Flash Player zero-day vulnerability, CVE-2016-1010, “that could potentially allow an attacker to take control of the affected system” prompted Adobe to issue an emergency patch on March 10. Adobe says the vulnerability has been identified as “being used in limited, targeted attacks.”
How to Protect Yourself from This Threat
Patch Flash immediately if you are running Flash and if it has not already automatically updated with the emergency fix.