Author Archives: DHarley

‘AdultSwine’ – Android malware with a dirty mind

The Register: ‘Mummy, what’s felching?’ Tot gets smut served by Android app – Google’s Play Store fails again

Actually, I didn’t know about felching, either, and I wish I hadn’t looked it up.

Based on Checkpoint’s blog article Malware Displaying Porn Ads Discovered in Game Apps on Google Play. Checkpoint describes this as a triple-threat attack: the malware may display ads that are often (very) pornographic, engineer users into installing fake security apps, and/or induce them to register with premium services.

David Harley

Meltdown/Spectre resources

[Content now transferred to the resource page here, which I intend to expand and maintain as time allows.]

Official commentary from Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs; and from Google: Today’s CPU vulnerability: what you need to know.

Related Resources:

David Harley

Ransomware attacks via iCloud

[23rd December 2017]

Monica Chin’s article for Mashable – Here’s how to guard your Mac against ransomware – isn’t the general guide to self-protection that you might think from the title. It’s actually about a specific attack via iCloud, where attackers have gained access to account names and passwords and used them to lock the account holders out of their own devices.

Chin says:

If this happens to you, you’ll have to bring your computer into an Apple Store and verify your identity to regain access to it. Otherwise, the only ways to get back control of your machine are to perform a hard reset (which would mean losing all the data) or pay the hackers and pray.

The article is actually several months old, but I’m flagging it here because the same problem – or one very closely related – has crossed my radar recently.

David Harley

Ransomware updates

(1) Raj Samani, Chief Scientist at McAfee, describes an attempt to explore the motivations that drive ransomware gangs: Why ransomware? Let’s ask the bad guys.

Perhaps the most useful and interesting fact to emerge from these exchanges is that ‘1 in 3 of the email addresses were fake/non-existent [implying] that almost one third of ransomware could potentially be pseudo since the promised ‘helpdesk’ does not even exist.’

(2) Bleeping Computer reports the arrest of five Romanian distributors of spam associated with the CTB-Locker and Cerber ransomware families: Five Romanians Arrested for Spreading CTB-Locker and Cerber Ransomware

David Harley

Tech support scams: alive, kicking, and audio talking trash

Paul Ducklin for Sophos: Watch out – fake support scams are alive and well this Christmas

The first part of the article is a recap of old-school tech support scam cold-calling, but the rest describes what happened when someone clicked on ‘one of those “you’ll never believe what happened next” stories’. The resulting ‘alert’ included an automatic voice-over. While the voice-over (which you can hear on the page above) is full of laughable transcription errors and false information, it could certainly scare someone not particularly tech-literate into falling for the scam.

David Harley

The Smiling Assassin (shaken not stirred)


I recently saw this article from Mark Stockley for Sophos entitled Ransom email scam from ‘hitman’ demands: pay up or die and assumed – as I suspect many people will – that it was some particularly horrible example of ransomware. In fact, while it is pretty horrible in its way, it turns out that there’s no real malware as such involved, just social engineering of the 419 persuasion, where the scammer claims to be an assassin ordered to kill the person who receives the email. In fact, I’ve written about this particular 419 sub-species several times before.

While the version noted by Mark Stockley is rather more polished and up-to-date technologically (it wants payment in Bitcoin!) than most of the 419 scam messages I’ve seen that use a similar approach, it’s not much different, fundamentally. Here’s an extract from a particularly crass example I came across some years ago.

I want you to read this message very carefully, and keep the secret with you till further notice, You have no need of knowing who i am, where am from, till i make out a space for us to see, i have being paid $50,000.00 in advance to terminate you with some reasons listed to me by my employers, its one i believe you call a friend, i have followed you closely for one week and three days now and have seen that you are innocent of the accusation

[…]

You will need to pay $15,000.00 to the account i will provide for you, before we will set our first meeting, after you have make the first advance payment to the account, i will give you the tape that contains his request for me to terminate you, which will be enough evidence for you to take him to court (if you wish to), then the balance will be paid later.

Sometime later, my friend and colleague Urban Schrott drew my attention to a spam campaign that had been causing some hilarity over at ESET Ireland. The message had the subject “YOUR LIFE IS IN DANGER,” and apparently came from someone calling himself Spike Dwaggin, though later he signs himself Dai Teatime. A commenter on one of my earlier blogs pointed out that Spike Dwaggin is a dragon from My Little Pony, that the name Dai features the 4th, 1st, and 9th letters of the alphabet (419 – geddit?), and told me that Dai Teatime is the assassin from Terry Pratchett’s ‘Hogfather’. (In fact, Pratchett’s assassin is Jonathan Teatime, but close enough.)

While it’s not unusual for purveyors of 419 scams to use noms de plume reminiscent of famous people (real or fictional), this one is notably rich in popular cultural references. The article cited above references a few more, if you’re interested. But here’s the message from Spike/Dai, with some comments from me.

As I sit here sipping a martini it is my regretful duty to inform you that you have been selected for assassination.

[Given the subsequent references to SMERSH, I can only assume that this would be a vodka martini (shaken not stirred).]

I am a professional assassin (I enclose my certificate of assassination as proof) and SMERSH have contracted me to assassinate you and have specifically paid extra for a particularly nasty death which makes it look like you died in a particularly bizarre sex game gone wrong; I had already bought the shire horse stallion (he’s called Henry – picture attached), the lard and the dragon dildo (from Bad Dragon of course, I only use the very best tools) when I found out that you are innocent of the accuse, so I make out this time to contact you. Unfortunately international crime syndicates won’t admit to mistakes and cancel the hit so I will be forced to carry out the assassination on you. Sorry about that old chap but rules are rules…

[Interestingly, the killer’s modus operandi seems to have been influenced by a story relating to the Russian empress Catherine the Great, who was said (quite untruthfully) to have died as a result of being somewhat over-intimate with a horse. And could this particular horse be the Henry who ‘of course dances the waltz’ in the Beatles song ‘Being for the benefit of Mr Kite’?]

There is an option for me to help you in other for you to know who had paid SMERSH for your DEATH and don’t forget my men had been monitoring you for the past few days and daily record of your activities is been sent to me but I have refuse to order your DEATH.

[If your acquaintanceship with James Bond is limited to the movies, you may be unaware that a fictionalized version of SMERSH (a real Russian counter-intelligence agency that was wound up in 1946) plays a significant part in the very early novels. Oddly enough, a lot of commentary on 419-related forums relating to this particular example misses the fact that SMERSH and SPECTRE (a purely fictional criminal organization) are by no means the same thing, though there seems to be a certain amount of traffic from one to the other in terms of personnel. A bit like the AV industry…]

Get back to me if you value your LIFE with all due speed or else I regret I will have to carry out my original contract to assassinate you and although he is quite charming for a horse I don’t think Henry is the most sensitive of lovers.

Toodle Pip!

Dai Teatime
International Assassin

When I first saw the message on ESET Ireland’s site, I assumed it was some kind of spoof intended to amuse rather than threaten. However, after checking on one or two scam-baiter forums, it seemed that Mr Teatime was probably quite willing to take money from anyone who appeared to have fallen for his shtick. And however funny this particular message may seem to people who are security-savvy, there are others who will find messages from self-described assassins genuinely frightening. Sadly, I suspect that not all of them will come across articles like Mark Stockley’s (or even this one) to reassure them that it’s just another scam, mailed out more or less at random.

Still, sometimes all you can do with stuff like this is laugh at it.

David Harley


ESET Trends report, including my ransomware article

The end of another year, and another look backwards and forwards at the threat landscape from ESET. Well, yes, most security vendors do something of the sort at this time of year, but this one is quite interesting. Tomáš Foltýn introduces the 2018 Trends Report in his article Cybersecurity Trends 2018: The costs of connection.

The article itself is here: Cybersecurity Trends 2018: The Cost Of Our Connected World. It may be of particular relevance on this site, in that it includes my article ‘The ransomware revolution’.

David Harley

Tech Support Scams: leveraging Spotify for Google and Bing SEO

Lawrence Abrams for Bleeping Computer: Tech Support Scammers Invade Spotify Forums to Rank in Search Engines

Extract: “Over the past few months, Tech Support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google & Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.”

David Harley

‘Spider’ ransomware – apparently targeting Bosnia & Herzegovina?

Amit Malik for Netskope: Spider: A New Thread in the Ransomware Web

Extract: “Netskope Threat Research labs has detected new ransomware named Spider propagating in a mid-scale campaign. This ongoing campaign, identified on the 10th December, uses decoy Office documents which usually arrive as email attachments. These attachments are auto-synced to the enterprise cloud storage and collaborations apps.”

The decoy Word document is written in Bosnian.

David Harley