Neu Cyber Threats – 7th October 2021
Trojan found to have affected millions of users globally
A recently discovered cybercrime campaign has been found to have affected over 10 million victims worldwide, potentially causing hundreds of millions of pounds in losses.
The campaign operators have maximised the spread of the trojan through applications that posed as harmless software, but actually subscribed victims to paid services that charged them roughly £30 per month.
The campaign operators started distributing the Android Trojan – which researchers call GriftHorse – in November 2020 through Google Play and third-party stores. The malware has since been removed from Google Play but continues to be distributed via third-party application stores.
To date, users in more than 70 countries have fallen victim to the attackers, who served them tailored malicious pages, based on geo-location, in the local language. On infected devices, users are bombarded with notifications that they have won a prize, until the offer is accepted.
Once that happens, the victim is redirected to a webpage where they are prompted to provide their phone number for verification. Instead, however, the victim is submitting the phone number to a premium SMS service.
The attack has proven highly successful because it takes advantage of misinformation, curiosity, small phone screens, and the trust users put in local web pages. Furthermore, the attackers attempted to stay under the radar by avoiding hardcoded URLs or the reuse of domains, in addition to serving malicious payloads based on the user’s IP address.
This attack is particularly dangerous as it can generate millions in revenue each month, potentially causing hundreds of millions in total losses. Researchers added: “The timeline of the threat group dates back to November 2020, suggesting that their patience and persistence will probably not come to an end with the closing down of this campaign.”
Neuways advises against downloading applications from third-party application stores. This is because these stores do not always verify that the apps are free from malware or trojans, as in this case. Safe cyber security hygiene is the key here, to avoid becoming another victim.
Locked iPhones can be used to pay for thousands of pounds worth of goods
Researchers have demonstrated that criminals could use a stolen, locked iPhone to pay for thousands of pounds worth of goods/services, with no authentication needed.
The problem appears to affect iPhones which have stored Visa cards. Researchers think that the issue is due to unpatched vulnerabilities in both the Apple Pay and Visa systems. Visa, for its part, said that Apple Pay payments are secure and that any real-world attacks would be difficult to carry out.
Researchers explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in “Express Transit” mode. This setting allows commuters around the world, including those riding the London Underground network, to tap their phones on a reader to pay their fares without unlocking their devices.
They said: “An attacker only needs a stolen, powered-on iPhone, as the transactions could be relayed from an iPhone inside someone’s bag, without their knowledge. The attacker needs no assistance from the merchant.”
The attack is an active man-in-the-middle replay and relay attack. The criminals would need to set up a terminal that emulates a legitimate ticket barrier for transit. This can be done using a cheap, commercially available piece of radio equipment, researchers said. In turn, this tricks the iPhone into believing it’s connecting to a legitimate Express Transit option, and therefore, it doesn’t need to be unlocked.
Once this malicious reader-spoofing terminal is live, the next step is to intercept and relay the payment-authorisation signals from Apple Pay via the emulator to everyday, non-transit contactless payment readers – such as those found in shops. This is something the researchers were able to do with a special application they created, running on an Android phone. The application modifies the communications coming to and from the iPhone.
Neuways advises businesses using iPhones as company phones to switch off the Express Travel Card mode. If not, then they could find themselves down thousands of pounds, due to the actions of opportunistic criminals. It should be noted that the bug does not affect other types of payment cards or payment systems – Mastercard on Apple Pay or Visa on Samsung Pay, for instance, are safe from such attacks.
Trio of ransomware groups dominating threat attacks
While the likes of REvil, Ragnar Locker, BlackMatter and Conti are the ransomware gangs that steal the headlines for devastating cyber attacks, surprisingly it is three lesser-known gangs that account for the majority of global ransomware attacks.
These three ransomware families make up 64% of all threats detected, according to telemetry data gathered by researchers.
A new report revealed that there are a total of 250 different ransomware families, but just three dominated the field in terms of sheer attack volume.
WannaCryptor accounted for 30% of threats, Stop/DJVU tallied up 19% and Phobos just behind with 15%.
Other threat actors to appear in the report include BearCrypt, Locker, Avaddon, BrainCrypt, GoldenEye, Cerber and Lockbit. The report, unfortunately for businesses, shows the sheer scale of the current ransomware threat landscape. It is large and seemingly ever-increasing, making it all the more important for businesses to stay aware of what is going on in the cyber world.
Lockbit, one of the better-known names on the list, was behind the late August attack on Bangkok Airways and published the airline’s sensitive files after they failed to pay up. The cyber hit was reportedly linked to an Accenture breach earlier in the month.
With the headlines that groups such as REvil, Ragnar Locker, BlackMatter and Conti generate, most would think their attacks represent the greatest threat to organisations. However, those attacks are rare and highly targeted, go after large ransoms, and take weeks or even months of intense recon and preparation.
The higher-volume attacks are instead carried out by ransomware affiliates looking for quick strikes and low-hanging fruit, many of them aimed at smaller businesses.
Researchers said: “Opportunistic adversaries and Ransomware as a Service groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer more volume instead of higher value.”
This means that many of the attacks might be limited in scope, but that doesn’t mean they should be taken lightly. This point is especially pertinent as the report only analysed detected malware, rather than the extent of the infections within a company that fell victim to an attack.
While detection isn’t the same as an infection, the results show the ransomware threat landscape continues to be dominated by a handful of RaaS groups launching mass attacks on unsuspecting users and organisations.
Neuways advises businesses to be extremely wary of any emails received. This report presents the scale of the cyber threats that could be targeting your own organisation, in order to extort you for money. Phishing Awareness Training can help your employees come to understand and recognise the types of phishing email threats that they could receive.
Cyber criminals duping Android users into downloading malware
Cyber criminals behind the Flubot banking trojan are using fake security warnings to trick Android users into thinking that they’ve already been infected…with Flubot.
While the warnings are fake, the infection will become a reality if recipients of the text messages fall for it and click on the hyperlink behind the “install security update” button.
The message victims receive reads: “Android has detected that your device has been infected.” Instructions then detail how to install a security update that will ‘scrub off’ the malware.
Researchers confirmed that clicking “install security update” will actually trigger the Flubot infection. The same researchers went on to add that Flubot malware is spreading via SMS text messages on Android phones, using wording that’s continually changing, to catch out victims.
When the attack wave began earlier last week, researchers warned that the new scam text was purporting to be an alert from a courier company that asked users to click on a link or download an application to get information about a parcel delivery.
Then, by the end of last week, the threat actors changed their attack, with scam texts that pretend that photos of the recipient have been uploaded. The latest twist is this “security update” message.
Users should expect further variations of these Flubot scams. Neuways recommends that Android users do not engage with these texts, and instead delete them – no matter what the content urges you to do. In all cases, there will be a link asking recipients to install an app or a security update.
Researchers added: “Messages are sent from smartphones that are already infected with this app so there is no simple way to prevent your phone from receiving these messages.”
iPhone users should not fear, as Flubot is currently only a danger to Android devices. While iPhones can receive the text, they can’t be infected. Android phones are not infected until users download and install the fake anti-Flubot software.
It is worth noting that users who did click on the link but didn’t download anything likely didn’t trigger a Flubot infection. However, it is still recommended that these users change all their online account passwords and contact their banks just to be safe.
The same goes for those users who entered personal information into a form – particularly payment card details: change passwords and contact your bank to check for any unusual activity. This is particularly important as Flubot is a banking trojan that is known for chasing victims’ banking and credit card information, as well as contact lists that it uses to continually spread.
If you think you’re a victim of the Flubot malware, then it is time to do a full factory reset as soon as possible, deleting all your phone’s data. Restoring from backups is not an option, either, with researchers adding: “Do not restore from backups created after installing the app. Seek the services of a qualified IT professional if you require assistance”.