
Tag: Apple ID

Benign iOS prompts are indistinguishable from those generated by malicious apps.
Credentials stored in the cloud succumb to forensic software ElcomSoft, the Russia-based maker of forensic software, has managed to find a way to access the data stored in Apple's iCloud Keychain, if Apple ID account credentials are available.…
Credentials stored in the cloud succumb to forensic software ElcomSoft, the Russia-based maker of forensic software, has managed to find a way for crime investigators to access the data stored in Apple's iCloud Keychain, if Apple ID account credentials are available.…
Image: The iPad Air 2 and Mini 4 (Andrew Cunningham)

Apple's Activation Lock feature, introduced in iOS 7 in 2013, deters thieves by associating your iPhone and iPad with your Apple ID.

Even if a thief steals your device, puts it into Recovery Mode, and completely resets it, the phone or tablet won't work without the original user's Apple ID and password.

This makes stolen iDevices less valuable since they become more difficult to resell, and it has significantly reduced iPhone theft in major cities. The feature has been difficult to crack, but a new exploit disclosed by Vulnerability Lab security analyst Benjamin Kunz Mejri uses a buffer overflow exploit and some iPad-specific bugs to bypass Activation Lock in iOS 10.1.1.

When you're setting up a freshly-reset iPad with Activation Lock enabled, the first step is to hit "Choose Another Network" when you're asked to connect to Wi-Fi. Select a security type, and then input a very, very long string of characters into both the network name and network password fields (copying and pasting your increasingly long strings of characters can speed this up a bit).

These fields were not intended to process overlong strings of characters, and the iPad will gradually slow down and then freeze as the strings become longer.

During one of these freezes, rotate the tablet, close its Smart Cover for a moment, and then re-open the cover.

The screen will glitch out for a moment before displaying the Home screen for a split second, at which point a well-timed press of the Home button can apparently bypass Activation Lock entirely (but it will have to be extremely well-timed, since the first-time setup screen will pop back up after a second). This video shows the exploit in action, and we were able to reproduce it on an iPad Mini 2 running iOS 10.1.1.
In our testing, however, we couldn't reproduce the bug on an iPhone 5 running iOS 10.1.1: the first-time setup screens on all iPhone models don't rotate as they do on the iPad, nor can iPhones be locked with Smart Covers.

These screens also wouldn't rotate into landscape mode on iPads running iOS 9, so if you haven't updated yet (or if you're using an older iPad and can't update), you're probably vulnerable to a whole bunch of other security bugs, but it's not possible to make the screen glitch out in the same way. There could be an alternate form of the exploit that works on iPhones, though as of this writing it only appears to be possible on iPads running iOS 10.1.1. We've contacted Apple for comment and will update if we receive a response.

Apple doesn't offer the ability to disable the syncing of FaceTime and cellular call logs to iCloud.

Russian software maker Elcomsoft today announced an update to its Phone Breaker product that downloads your iPhone's call history from your iCloud account, taking advantage of the fact that Apple stores call logs in iCloud whether users want it to or not.

Apple's storage of call logs—both FaceTime and cellular—in iCloud might be welcome to those who, say, miss a call on their phone and want to call back later using their iPad or computer.

But it's also a boon for law enforcement, Elcomsoft said, since in many cases all they need to download call data is an iCloud user name and password, even if they can't access an encrypted iPhone.

The worst part? You can't turn off iCloud call syncing.

"Automatic cloud sync of call logs is great if you know about it and have an option to shut it off," Elcomsoft CEO Vladimir Katalov said in a statement. "While Apple works hard to improve security of their physical devices, they move more and more data into the cloud where law enforcement can easily obtain it."

Elcomsoft has a history of releasing software that exploits loopholes and can be used by law enforcement or other snoopers with more nefarious purposes. Phone Breaker is no exception; it's marketed specifically to "bring synced call logs before the eyes of the law enforcement."

For its part, Apple highlighted iCloud's security measures, but it did not say whether or not it plans to offer the ability to disable the storage of call records in the future.

"We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices," the company said in a statement. "Apple is deeply committed to safeguarding our customers' data.

Device data is encrypted with a user's passcode, and access to iCloud data including backups requires the user's Apple ID and password."

Apple has frequently been in the spotlight this year for its commitment to user privacy, including a high-profile refusal in February to assist the FBI in accessing encrypted data on the San Bernardino shooter's iPhone.

While iCloud call records may blemish this privacy commitment, Apple is not alone in storing the call records of its customers.

Another Elcomsoft product, called Cloud Explorer, extracts the call logs synced by devices running Android 6.0 or later by accessing the user's Google account.

Introduction

The Internet has changed forever how people shop.

By 2018, around one in five of the world’s population will shop online; with ever more people doing so on a mobile device rather than a computer.
In fact, it is estimated that by the end of 2017, 60% of e-commerce will come from smartphones.

That’s millions of people enthusiastically browsing and buying while at home, at work, in restaurants, airports, and railway stations, walking down the street, standing in stores, and on holiday, often outside the protective reach of a secure, private wireless network. Regardless of the device used, every interaction and transaction will generate a cloud of data that brands will want to capture in order to deliver ever more targeted and personalized offers. Unfortunately, others are waiting to seize consumers’ information too – through insecure public Wi-Fi networks, phishing emails and infected websites, among others.

They are the cybercriminals, and they don’t have a consumer’s or even a brand’s best interests at heart. The risks facing retailers and online shoppers peak during the busiest shopping days of the year: the late November Thanksgiving weekend that runs from Black Friday through to Cyber Monday, and all through December to Christmas and the New Year. As the number and speed of transactions increase, so do the cyberthreats.
In this overview, Kaspersky Lab reveals the reality in terms of the top cyber-attacks targeting consumers and retailers during this remarkable buying period. To put this data in context, it is worth looking back over the last few years to see how the landscape has evolved, focusing in particular on Black Friday and Cyber Monday. In 2013, the concepts of Black Friday and Cyber Monday were already well established in North America and starting to gain momentum elsewhere. In the US alone, Cyber Monday saw online sales grow by 21% on 2012, raking in sales of $2.27 billion.

Black Friday achieved $1.93 billion worth of transactions, but won out on average sales value. 17% of total sales were undertaken on mobile – a 55% increase on 2012.
In the UK, online sales rose by a slightly more modest 16% in November, with over $600 million believed to have been spent online on Cyber Monday alone. This was also the year when US retailer Target discovered that the credit card details of around 40 million customers were breached between 27 November and 15 December, apparently through hacked in-store point-of-sale systems. In 2014, the year of the now infamous Sony Entertainment hack, the records set in 2013 were all broken. Thanksgiving Day 2014 in the US marked the moment when more mobile devices (52%) than computers were used (48%) for browsing online; and Black Friday online sales were up 21% compared to the same day in 2013 – with around one in three (30%) orders placed using a mobile device.

Adobe estimates overall online sales in the US of $2.4 billion on Black Friday, $1.3 billion on Thanksgiving Day and $2.7 billion on Cyber Monday.
In the UK, online sales peaked during the week of Black Friday: sales surged by 44% compared to the previous week, and were up a staggering 135% on the same week in 2013. Mobile sales rose by 83%. And the records were all broken again in 2015. In the US, Cyber Monday 2015 was the largest online sales day ever. Online consumers spent a record $3.07 billion – and $8.03 billion across the four-day Thanksgiving weekend.
IBM analysis shows that, overall, online sales were up by a quarter (26%) on 2014, with 40% of sales now coming from mobile devices. The big consumer hacks of the season involved malware targeting point-of-sales systems in hotels, including Hyatt, Starwood and Hilton worldwide. 2016 looks set to break records all over again, and criminals will probably try even harder to take advantage of all the noise and activity to steal credentials to financial accounts or even to grab the money directly.

This overview will cover the types of cyberthreats that buyers, sellers and providers of payment systems may face over the coming weeks.
Methodology and Key Findings

The overview is based on information gathered from Kaspersky Lab malware and phishing detection systems (number of attacks or number of attacked users), and also from the analysis of events and conversations happening on the hacker underground – multiple internet forums where users allegedly involved in financial fraud operations tend to gather.

The overview covers Q4 in 2013, 2014, 2015 and partly (in some cases) 2016.

Even though, officially, the “Black Friday” sales period ends with Cyber Monday, right after the Thanksgiving holidays, just a few days later another “high” sales period begins: the so-called pre-Christmas period, which is also one of the most profitable times of the year for retailers. We count October as a high sales period as well, because so-called “Black Friday” sales campaigns often start prior to the actual sales days (Halloween sales are a good example), and – what is more important – cybercriminals tend to start preparations in advance of day X. The overview also contains a list of actions that could be implemented by regular users, business owners and owners of payment infrastructure in order to prevent fraud during the high retail season.

Key Findings:

- The share of financial phishing during the high sales season is 9 percentage points higher than during other times of the year.
- The share of phishing attacks against online shops and payment systems during the period is usually higher than phishing against banks.
- Criminals are trying to connect their malicious campaigns, such as spreading financial malware and phishing pages, to particular dates: Black Friday, Cyber Monday, and the pre- and post-Christmas days.
- Underground vendors of skimmers and dummy plastic cards are already experiencing an increase in sales.
- Kaspersky Lab researchers expect blackmailing DDoS-attacks against online retailers during the holidays.

More about these findings can be found in the overview.

Phishing

Among cybercriminals, phishing is one of the most popular ways to steal payment card details and credentials to online banking accounts.

A phishing scheme is relatively easy to set up (the fraudster doesn’t even need to know how to write malware; only basic web development and design skills are required), yet it is effective because it is mostly based on social engineering techniques.

During the holiday period, users are eager to find the best goods at the best price and they are expecting to see offers of this kind while surfing the web.

Cybercriminals know about that and try to exploit this feature as much as possible.

Share of financial phishing in overall volume of attacks

As statistics from the previous years show, financial phishing usually accounts for no less than a quarter of all phishing attacks registered in a year.

For example, in 2013, it was 31.45% of all registered phishing attacks, in 2014 – 28.74%, in 2015 – 34.33%.

The current year is not yet over, but judging by the quarterly statistics the trend is the same.

Figure: Share of financial phishing in overall number of phishing attacks 2013 – 2016

And at the same time things are significantly different when it comes to what we call the holiday sales period.

As expected, the share of financial phishing at this time is noticeably higher than the typical yearly result.

Figure: Share of financial phishing in different periods in comparison to the holiday period

Although in 2013 the number of financial phishing attacks during the high sales period was only 0.5 percentage points higher than the total result for the same year, in 2014 and 2015 we detected a clear difference of around 9 p.p. in favour of attacks during the holidays. Of course these data are not enough to talk about a strong tendency; nevertheless, the chances are high that this year this difference will emerge again.

Types of financial phishing

At Kaspersky Lab we distinguish between three major types of financial phishing: Banking, E-payment and E-shopping.

They are all types of phishing pages that imitate the corresponding legitimate services dealing with financial transactions.

Based on what we have observed in Q4 in 2014 and 2015, during the “Holiday” period the split between the different types of financial phishing differs from the result for the full year. For example, in 2013, the shares of phishing attacks during the year and during the last “Holiday” quarter weren’t very different – less than 1 percentage point. However, inside the category, differences were much more visible. That year the share of e-shop phishing in Q4 increased by more than 1 percentage point, to 7.8%.

And the share of phishing against users of popular payment systems more than doubled compared to the rest of the year – 5.46% against 2.74%.

At the same time, the share of phishing against users of online banking was lower than during the year: 18.76% against 22.2%. The situation was repeated the next year, but with more visible amplitude.
Shopping phishing during the holiday season was 5.32 p.p. higher than the full year result.

And the payment systems’ phishing was 2.78 p.p. higher.

                           2013                  2014                  2015
                           Full year    Q4       Full year    Q4       Full year    Q4
Financial phishing total   31.45%       32.02%   28.73%       38.49%   34.33%       43.38%
E-shop                      6.51%        7.80%    7.32%       12.63%    9.08%       12.29%
E-banks                    22.20%       18.76%   16.27%       17.94%   17.45%       18.90%
E-payments                  2.74%        5.46%    5.14%        7.92%    7.08%       12.19%

Table: The change in shares of different types of financial phishing in 2013-2015

These differences are accompanied by attacks against particular targets.
In 2014, Kaspersky Lab researchers conducted a small investigation into the dynamics of attacks during Black Friday and discovered that the number of attempts to load phishing pages detected and blocked by users of Kaspersky Lab products was actually growing. Here are the timeline graphs for several targets that are traditionally most often used by phishing scammers. The dynamics of detected attempts to load phishing pages that mention the American Express brand show very similar behaviour in 2014 and 2015.

Figure: Dynamics of phishing attacks using the American Express brand in the week of Black Friday, 2014 and 2015 (example of a timeline of attacks against a particular target)

And when it comes to other brands connected to online money and shopping the situation is repeated.

Though the growth of attacks in 2015 happened after Black Friday and peaked on Cyber Monday.

Figure: Dynamics of phishing attacks using the Visa brand on Black Friday, 2014 and 2015 (example of a timeline of attacks against a particular target)

Last but not least, phishing attacks that utilize online shopping brands also obviously have a connection to specific days, such as Black Friday.

Figure: Dynamics of phishing attacks using the Wal Mart brand on Black Friday, 2014 and 2015 (example of a timeline of attacks against a particular target)

Spikes in the number of detections are also typical for Christmas and the New Year period – basically they’re the second highest period in the whole quarter.

Further in this overview we will show that attack peaks are typical features not only for phishing, but for financial malware attacks as well.

Examples of “Holiday” Phishing

In most cases cybercriminals don’t bother themselves with inventing anything special. Instead they just copy pages of legitimate shops, internet banking and payment systems. As can be seen in the picture below, the phishing copies of the Amazon shop quite precisely resemble the original website.

Figure: Example of a fake Amazon e-shop

The same is also true for sites of payment systems and banks.

Below are pictures of phishing sites imitating Visa and American Express data submission forms.

Along with some others, these two brands are traditionally among the top of those faked by phishers.

Figure: Example of a fake Visa payment form

Figure: Example of a fake American Express payment form

Sometimes criminals create whole fake web-shops simply to collect victims’ credit card data.

Figure: Example of 100% fake internet shop

They attract victims with extremely low prices for goods from famous brands.

And then – when the victim has chosen the item they like and proceeds to the payment page – they simply steal their financial credentials.

Figure: Example of 100% fake internet shop, part 2, the payment page

Another way in which criminals exploit the hot sales period is by creating allegedly legitimate websites that are selling gift cards and coupons that – if they were real – could be monetized in legitimate internet shops. However, the coupons criminals sell are phony, not real.

The only purpose of these websites is to collect card credentials.

An example of such a website is displayed in the picture below.

Figure: Example of a fake shop selling phony coupons

And of course criminals exploit the brand of Black Friday itself, and they start their preparations way in advance. While preparing this overview, Kaspersky Lab researchers came across a number of fake websites which have the words Black Friday in their name and whose content offers outstanding discounts on expensive goods.

Figure: Example of a fake Black Friday themed shop

In all, Kaspersky Lab security specialists expect that in 2016 the trends which emerged in previous years (higher than average percent of financial phishing, topical Black Friday scams, etc.) will continue to develop, as phishing remains one of the main sources of credit card data for criminals and is still one of the easiest ways to set up a fraud scheme.

Financial malware

For years, banking trojans have been one of the most dangerous cyberthreats out there. Unlike usual spyware, which hunts for any type of credentials and, in most cases, is not very sophisticated, banking trojans are aimed specifically at users of internet banking and remote banking systems.

Criminals tend to invest a lot of resources in the development of such malware, and also develop different sophisticated techniques to avoid detection by AV products and to spread the malware as effectively as possible.

The most famous examples of banking malware are: ZeuS, SpyEye, Carberp, Citadel, Emotet, Lurk and others. In previous years Kaspersky Lab experts have prepared two reports covering the global financial malware landscape, in 2013 and in 2014.

And since then multiple things have changed: first of all the number of users attacked with banking malware has started to decrease. Most likely this is due to the fact that criminals have largely switched their attention from clients of banks to the banks themselves, because a sophisticated attack against a bank can bring much more profit than an attack against a regular user.

Another reason is the rise of encryption ransomware, which has proven itself a relatively effective way of getting money illegally. What hasn’t changed a lot is the attention of criminals to the high sales season.

Figure: The change in the number of attacks and attacked users from November to December 2015

According to Kaspersky Lab telemetry, during the holiday season of 2015, 261,000 users were attacked with banking malware. That’s significantly less than in the same period a year ago, when 307,600 users were attacked. However, 2015 has shown the fairly obvious interest that criminals are showing in Black Friday, Cyber Monday and Christmas.
In October the number was 61,674 users, in November – 81,038, and in December – 154,324 attacked users.

A year before, in 2014, 101,300 users were hit in October, 164,000 in November and 102,900 in December. The pattern is obvious.

Figure: The dynamics of attacks with help of financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

As can be seen on the graph above, the number of attacked users started to grow from November 22nd and peaked on November 26th, the day before Black Friday 2015.

The next visible peak happened on November 30th, which was the day of Cyber Monday that year.

These two peaks were noticeably the biggest since the beginning of the period.

Figure: The dynamics of attacks with financial malware in the Christmas period 2015

The next big rise in the number of attacks and attacked users happened on 24th of December, right before Christmas, followed by a huge two-day spike detected on 28th and 29th, not long before New Year’s Eve. In 2014, the spikes of attacks in the holiday season weren’t that obvious, but still it was clear enough that the Black Friday period is of interest: a visible rise in attacks started on November 24th and peaked on November 27th, which was again the day before Black Friday.

After that another spike was registered on 1st December, which was the day of Cyber Monday.

Figure: The dynamics of attacks with financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

Christmas 2014 also showed a correlation between holiday dates and attacks: on 24th and on 28th of December.

Figure: The dynamics of attacks with financial malware in the Christmas period 2014

Almost the same spikes appear when it comes to mobile malware. Most of the detections on the graphs below were generated by a few families of malware: Faketoken, Svpeng, Marcher and Acecard.

These four are the main threats when it comes to mobile banking on Android, and the criminals behind them obviously used the holidays to actively propagate these malicious programs.
It was especially visible in 2014:

Figure: The dynamics of attacks with mobile financial malware in the Black Friday through Cyber Monday 2014 period

2015 was significantly calmer in terms of the number of detections, but certain spikes were still in place.

Figure: The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday in 2015

POS malware

Another dangerous type of malware which we have already seen and are expecting to see during this season is POS malware – the type of financial malware which infects the OS of point-of-sale terminals and then steals the credentials of the credit cards processed by these devices.
So far, due to the specific nature of the devices that this type of malware tends to attack, we don’t yet have relevant statistics on the number of detections during the holiday period. However we can estimate the threat by counting the number of families which our experts added in recent years.
In 2013 only 4 families were added to our collection, but the 2013 Target breach inspired many criminals to attempt to reproduce the “success” of those who hacked the famous retailer, and the next year 12 more families of POS-malware were added. 2015 was the hottest year in terms of POS malware with 14 new families. 2016 is fairly calm so far: 6 new families were added to our collection since the beginning of the year.
In total there are at least 36 families of malware capable of stealing data from POS terminals out there in the wild.

The number is even bigger than the number of banking malware families, 30 of which are now in the Kaspersky Lab collection.

Expect new attacks

The motivation behind attacks that are tied to concrete dates is clear: cybercriminals reckon that users are more likely to be working with their financial accounts online on these dates than on any other day.

Therefore they tend to increase their hacking efforts to raise their own chances of stealing money. Judging by the dynamics of attacks on “holiday” dates from 2014 and 2015, Kaspersky Lab expects that in 2016 the situation may be repeated.

News from the Underground

While online shoppers are drawing up their wish-lists for the upcoming sales, retailers are preparing their stores for a massive rise in visitors, and financial infrastructure owners – banks and payment systems – are getting ready for a huge increase in the number and value of transactions, criminals are also preparing for the season.

For this report Kaspersky Lab experts have conducted some research into events and discussions taking place on several secret, invitation-only underground forums, where users allegedly involved in different types of financial fraud tend to gather and discuss things.

More about Cyber Monday

Based on the results of the research, we can say that underground cybercriminals, at least on East European fora, are more excited about Cyber Monday than about Black Friday.

This may be because Cyber Monday is more about online sales.

There will be a lot of online advertising of special deals and it will be easier for them to hide phishing scams inside the stream of legitimate offers. Also, from a logistics perspective, Cyber Monday is more convenient than Black Friday, which is more about offline sales.

Criminals don’t have to deal with physical access to ATMs in order to set up, and later collect, a skimmer.
Instead they could use a phishing or malware attack in order to collect credentials and then monetize them in a number of ways. That said, ATM skimming attacks will happen during Black Friday and will continue through other holidays: Christmas and New Year.

Figure: Example of an online advertisement for skimmers on one of the hacker forums

Based on information from last year, during December 2015 more than 500 skimmers were sold on an East European black market, while the “usual” sale rate is 25 – 30 devices per month.

These devices come packed with everything necessary for successful data-stealing, like fake PIN-pads, hidden cameras etc.

The vast majority (around 96.5%) of skimmers mimic the products of four popular vendors, and the rest 3.5% are skimmers that replicate custom models. As a result of the 2015 holiday fraud campaign, criminals experienced certain problems with the cashing out of compromised cards.

Based on conversations on the corresponding web resources, the cash-out projects (groups that undertake the cash-out for other criminals) were heavily overloaded so the cash-out orders took three months to complete.

This was due to a large number of stolen credentials waiting to be cashed-out.

According to Kaspersky Lab data, during December 2015 criminals were able to collect approximately 10 times as many credentials as during a non-holiday period.

Basically this equates to the total number of card details they are usually able to steal during the rest of the year.

Figure: Example of an advertisement by an online shop selling stolen credit card credentials

Information on several forums suggests that, in 2016, a month prior to the start of Black Friday, vendors of skimmers were already experiencing an increase in sales, alongside vendors of blank cards that will later be used to clone stolen cards.

Also, some vendors are offering new generations of POS skimmers which are attached to legitimate POS’s. Unlike earlier skimmers, the new generation is placed inside the card reader, which makes them much harder to spot with the naked eye. Another interesting trend is that many criminals are avoiding starting their campaigns with malware, choosing instead phishing attacks because they consider them to be more efficient and safe.

Besides that they are actively utilizing schemes that involve direct contact with the victim.
In these attacks the fraudsters will call the victim, seemingly on behalf of a bank, and try to find out their credit card credentials with help of psychological tricks. Kaspersky Lab experts also expect that more cases of cash-out through Apple Pay and Samsung Pay payment systems will happen during this holiday season.

The recent increase in the list of countries where the systems are supported has brought a certain inspiration to the criminal community.

The ability to attach a card to an Apple ID and then use it to pay for real goods creates a relatively convenient way to cash out for so-called “stuffers” – criminals who specialize in cashing out through buying goods from internet and physical shops – as well as for virtual carders – criminals who monetize stolen credentials through virtual goods. Another rather interesting conclusion made by Kaspersky Lab researchers during their research of the cybercriminal underground is that fraudsters expect a lot of profit from attacks during the holiday period, especially the pre- and post-Christmas to New Year period, not only due to the high number of buyers seeking to spend money, but also because (based on their experience, which they share on forums) in this period the anti-fraud departments of banks are weakened.

Due to many employees going on vacation around these dates, banks suffer from a lack of personnel, and it is theoretically easier for criminals to hide fraudulent operations in the stream of legal ones.

Figure: Example of a fraudster’s website selling a DDoS-attack service

Other types of criminal groups – such as those specializing in DDoS attacks – will most likely try to attack online shops for the purpose of blackmailing.

That is a well-known tactic which they use against small and medium retail organizations.

By setting up a DDoS attack they would block access to the attacked store and, until the owner pays a ransom, they would keep it blocked. Not wanting to lose money because of the unavailability of the store the owners will often pay the criminals.

This is likely to happen in the coming holiday season.

Conclusion and advice

The main purpose of this paper is to raise awareness of the threats that may ruin the upcoming holiday season for regular users and shoppers, owners of online stores and owners of financial infrastructure.

Both Kaspersky Lab telemetry and the analysis of conversations happening on the underground suggest that cybercriminals will pay special attention to the upcoming high sales season.

But this doesn’t mean that the holidays are already doomed. If prepared, each legitimate party to this process (buyers, sellers and financial services providers) will end up in profit.

All they have to do is to follow some simple advice.

For regular users

- Do not click on any links received from unknown people or on suspicious links sent by your friends on social networking sites or via e-mail. They can be malicious, created to download malware to your device or to lead to phishing webpages aimed at harvesting user credentials.
- Do not download, open or store unfamiliar files on your device; they can be malicious.
- Do not use unreliable (public) Wi-Fi networks to make online payments, as hotspots can be easily hacked in order to listen to user traffic and to steal confidential information.
- Do not enter your credit card details on unfamiliar or suspicious sites, to avoid passing them into cybercriminals’ hands.
- Always double-check that the webpage is genuine before entering any of your credentials or confidential information (at least take a look at the URL). Fake websites may look just like the real ones.
- Only use sites which run with a secure connection (the address of the site should begin with HTTPS:// rather than HTTP://) to hinder theft of the information transmitted.
- Don’t tell anybody your one-time password or PIN code, not even a bank representative. Cybercriminals can use this data to steal your money.
- Install a security solution on your device with built-in technologies designed to prevent financial fraud. For example, Safe Money technology in Kaspersky Lab’s solutions creates a secure environment for financial transactions on all levels.
- Don’t forget about the same rules when using your mobile device for financial transactions, because cybercriminals and fraudsters target them too.

For retailers

- Keep your e-commerce platform up-to-date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
- Pay attention to the personal information used for registration. Fraudsters tend to hide their identities, but a lack of creativity can serve as an indication of fraud: a John Smith whose email address reads 21192fjdj@xmail.com is likely to be a criminal. Check again and request more details from customers if needed. Adding a captcha might be an effective measure against this.
- Restrict the number of attempted transactions. Criminals usually make multiple attempts to enter correct card numbers for one purchase. Use captcha and increased time intervals for attempts to re-enter card numbers.
- Use two-factor authentication (Verified by Visa, MasterCard SecureCode, etc.). It will dramatically drop the number of cases of illegal card usage.
- Be careful with suspicious orders. Several unrelated high-value items for more than $500 and extra payment for fast shipping to another country can be a sign of a criminal hurrying to resell as soon as possible. In such cases it is recommended to contact the customer on the phone and confirm the order.
- Use a tailored security solution to protect your point-of-sale terminals from malware attacks, and make sure your POS terminals run the latest version of software.
- Criminals may attempt to DDoS the website of your shop for blackmail purposes. Make sure that your IT security team is prepared for such attacks or, if you don’t have one, ask your hosting provider if it is possible to purchase a DDoS-protection service from them.
- Educate your clients on possible cyberthreats they may encounter while shopping online and offline.

For financial organizations

- Introduce an enterprise-wide fraud prevention strategy with special sections on ATM and internet banking security. Logical security, physical security of ATMs and fraud prevention measures should be addressed altogether, as attacks are becoming more complex.
- Conduct annual security audits and penetration tests. It is better to let professionals find vulnerabilities than to wait until they are found by cybercriminals.
- Choose a multi-layered approach and techniques against fraud. Training employees to spot suspicious transactions should be combined with the implementation of dedicated fraud prevention solutions. Financial security software based on innovative technologies helps to detect and fight fraudulent activity beyond human control.
- Do not leave self-protection to customers. It is hardly possible to educate all customers, and it is always better to create a multi-layer security architecture that will provide all the services with the necessary level of security.
- Remember that insiders are usually involved in half or more of cybersecurity incidents. Use security approaches that allow for the detection of suspicious and potentially dangerous activity inside your infrastructure.
- Make sure that your anti-fraud department is fully staffed during the holiday period.
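The retailer advice above (throttling repeated card entries with growing delays, and treating several unrelated high-value items, paid expedited shipping abroad and throwaway-looking registration details as reasons to phone the customer) can be turned into a small order-screening routine. The following Python is an added example written for this page, not Kaspersky Lab's code and not any e-commerce platform's API; the thresholds, the backoff schedule, the country codes and the sample orders are constructed for illustration.

```python
"""Order screening for an online shop (added example, constructed thresholds and data)."""
import re
import time
from dataclasses import dataclass

HIGH_VALUE = 500.00              # per-item price treated as "high value" (assumed threshold)
MAX_CARD_ATTEMPTS = 3            # card entries allowed per order before manual review (assumed)
BACKOFF_SECONDS = (0, 30, 300)   # minimum wait before the 1st, 2nd and 3rd card entry (assumed)


@dataclass
class Item:
    name: str
    category: str
    price: float


@dataclass
class Order:
    customer_name: str
    email: str
    billing_country: str
    shipping_country: str
    expedited: bool
    items: list[Item]


_RANDOM_MAILBOX = re.compile(r"^[a-z0-9]{8,}$")   # a keyboard-mash local part such as 21192fjdj


def looks_throwaway(name: str, email: str) -> bool:
    """A common-looking name paired with a random-looking mailbox, as in the article's John Smith."""
    local = email.split("@", 1)[0].lower()
    has_digits = any(ch.isdigit() for ch in local)
    name_in_mailbox = any(tok.lower() in local for tok in name.split() if len(tok) > 2)
    return bool(_RANDOM_MAILBOX.match(local)) and has_digits and not name_in_mailbox


def score_order(order: Order) -> tuple[int, list[str]]:
    """Return (risk score, reasons); the reasons are what the operator sees before phoning the customer."""
    score, reasons = 0, []
    pricey = [i for i in order.items if i.price > HIGH_VALUE]
    if len(pricey) >= 2 and len({i.category for i in pricey}) >= 2:
        score += 2
        reasons.append(f"{len(pricey)} unrelated high-value items")
    if order.expedited and order.shipping_country != order.billing_country:
        score += 2
        reasons.append("paid for fast shipping to a country other than the billing country")
    if looks_throwaway(order.customer_name, order.email):
        score += 1
        reasons.append("throwaway-looking registration e-mail")
    return score, reasons


def needs_manual_confirmation(order: Order) -> bool:
    """Orders scoring 3 or more are held until the customer confirms by phone (assumed cut-off)."""
    return score_order(order)[0] >= 3


class CardAttemptLimiter:
    """Throttle repeated card-number entry for one order with growing delays, then stop."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._attempts: dict[str, list[float]] = {}

    def check(self, order_id: str) -> tuple[bool, float]:
        """Return (allowed, seconds the caller must still wait); records the attempt when allowed."""
        now = self._clock()
        history = self._attempts.setdefault(order_id, [])
        if len(history) >= MAX_CARD_ATTEMPTS:
            return False, float("inf")       # no further automatic attempts: captcha or manual review
        required = BACKOFF_SECONDS[len(history)]
        if history and now - history[-1] < required:
            return False, required - (now - history[-1])
        history.append(now)
        return True, 0.0


# Constructed sample orders.
SUSPICIOUS_ORDER = Order("John Smith", "21192fjdj@xmail.com", "US", "NG", True,
                         [Item("laptop", "computers", 1200.0), Item("watch", "jewellery", 800.0),
                          Item("camera", "photo", 650.0)])
ORDINARY_ORDER = Order("Jane Doe", "jane.doe@example.com", "US", "US", False,
                       [Item("novel", "books", 18.0), Item("mug", "kitchen", 12.0)])

if __name__ == "__main__":
    for order in (SUSPICIOUS_ORDER, ORDINARY_ORDER):
        print(order.customer_name, score_order(order), needs_manual_confirmation(order))
```

The limiter deliberately keys on the order rather than on the client address, because a fraudster cycling card numbers can change addresses far more easily than orders; the scoring function returns its reasons so that the person making the confirmation call knows what to ask about.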
I recently started a new job, which I love. However, since I’m working for a San Francisco startup, of course my work computer is a MacBook Pro. Most people would be very happy about that.

But I’ve been using Linux as my primary desktop platform since, like, 2008, so a Mac is an adjustment for me.

There are worse possibilities -- at least I don’t have to deal with Outlook or Windows.

Also, there are plenty of people to help me with this painful transition.

My ripe relationship with Apple

I've had Macs in the past. When I worked for another startup, JBoss, I was the sole PowerBook person. At the time, in the dark ages of the early part of this millennium, I was traveling around the world giving presentations. Most of humanity, having freshly crawled out of caves, used those awful video projectors instead of big-screen TVs.

At the time the PowerBook connected to more of those items than Windows did. (You don’t want to know what you had to do for Linux’s X Windows to connect.) Yet far from being one of the contented masses, I always had Apple-specific issues.

The company decided to hold all Java developers hostage for an OS upgrade right when I needed the new JDK most.

The power coupling used to rip out of the motherboard because it was near a modem, which created a weak point in the case. Later Apple moved the weak point to the CD drive, which was under my wrist while typing, so the drive would jam. Then there were the batteries that swelled up and broke the keyboard.

There were screens that had lots of dead pixels and bright spots that annoyed me, not to mention the power cord that kept shorting out, which had to be replaced for $85. Apple’s response each time was that it was somehow my fault.

Eventually, I’d end up buying a new laptop -- before the bad press would make Apple fix the flaw for the more patient people. My annoyance grew.

Finally, the last straw: That infernal “beg for attention” format of the Apple Store and the “pay to not stand around all day when the hardware is borked” AppleCare fee. I went back to Dell and my beloved Linux.

The laptop isn't as shiny, but Dell comes to you when it breaks.

Me and my Apple ID

Anyhow, I’m back in Mac.

Central to Apple’s surveillance of me is the Apple ID.

This is my identity to FaceTime, Find My Mac, and all of the tools I use to interact with the new center of my computing existence, Apple.

Google used to be my center. Now I must pray to the ghost of Steve Jobs and kiss the feet of his successor, who has blocked me on Twitter. I tried using my email address with my new work computer.
I didn’t remember the password I used back then. No problem, I could use email validation or my birthday.
I tried my birthday because it's faster, but it didn’t work -- odd, but maybe I fat-fingered it or my ex-wife put in her birthday at some point. No matter, I used email verification and changed the password. Apple and various software on my new Mac kept calling me a female name.
I thought that was odd, so I logged in to appleid.apple.com and figured I’d change my birthday. Now it wanted to verify my favorite elementary school teacher’s name and favorite band in high school.
I wouldn’t have picked either of those because, duh, I reference music in my blog too much.
I was also a terrible student, preferring the library to the classroom and asking too many questions.

Apple rejected both. I called Apple support.

There, I talked to J, who was incredibly helpful and did everything he possibly could with the broken system, but I was at the mercy of a certain "A" from Canada. We tried to change the security questions, but those sent a verification code to “A***’s iPod Touch.” After a few other attempts, we determined this wasn’t actually my Apple ID account. As it turns out, I still had an Apple ID from a time before Apple demanded email addresses. Unfortunately, four years ago, when Apple began asking for them, you didn’t need to verify the email address.
So a young lady ("A," as noted above) with the same last name as me and a different first name used my Gmail address as her Apple ID but didn’t validate it. Apple Support and I tried several different ways to let me recover my email address, but finally, I found A’s number on her Apple ID account and texted her.
Someone else answered and promised to ask A to look into this.

This took four hours.

Apple kindly offered me free accessories once we were done.

Invalidated credentials

Apple’s often-lauded security has been evolutionary -- and often a series of “oops, we’ll fix that” moves. Unfortunately, this goes to show you that failing to follow basic security patterns (like, is this really your email address?) allowed another person to inadvertently compromise my security. When Apple “fixed” the problem, it still had an unvalidated credential it had grandfathered in.

This allowed me to compromise A’s security.
In this case, no one was malicious.

But I don’t want to deal with yet another email address. What Apple should have done was to treat everyone’s not-yet-validated Apple ID email addresses as suspect -- and made people validate them or change them to a validated address.

An unvalidated credential is an unvalidated credential. Which brings us to the moral of our story: Validate credentials! (Also: Linux is easier to use than iOS, and Google is my preferred surveillance and security authority.) If a credential proves invalid, don’t simply change the process; invalidate the credential, and force it to be validated before it's used or even associated.

Failing to do this not only compromises the security of the person with the invalid credential but possibly the security of the person it belongs to as well.
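The moral of the column, that an address nobody has verified must not serve as an account identifier, is easy to state and easy to get wrong inside an identity store. The Python below is an added example written for this page, not Apple's system and not the columnist's code: every e-mail claim starts out pending, only a claim confirmed with the mailed token can be used for login or password recovery, a verified claim displaces other people's pending claims on the same address, and grandfathered addresses are imported as suspect rather than trusted. The account ids and the address are constructed.

```python
"""E-mail bindings that are never trusted before verification (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class EmailClaim:
    account_id: str
    verified: bool = False
    token_hash: Optional[str] = None   # SHA-256 of the outstanding one-time token, if any


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class Directory:
    """Maps e-mail addresses to accounts; only verified claims act as identifiers."""

    def __init__(self):
        self._claims: dict[str, list[EmailClaim]] = {}

    def can_claim(self, email: str) -> bool:
        """An address already verified by someone cannot be claimed again."""
        return not any(c.verified for c in self._claims.get(email.lower(), []))

    def claim(self, account_id: str, email: str) -> str:
        """Record an unverified claim and return the token that would be mailed to the address."""
        if not self.can_claim(email):
            raise ValueError("address already verified by another account")
        token = secrets.token_urlsafe(16)
        self._claims.setdefault(email.lower(), []).append(EmailClaim(account_id, False, _digest(token)))
        return token

    def verify(self, email: str, token: str) -> bool:
        """Promote the matching claim; every other (unverified) claim on the address is dropped."""
        expected = _digest(token)
        for c in self._claims.get(email.lower(), []):
            if c.token_hash and hmac.compare_digest(c.token_hash, expected):
                c.verified, c.token_hash = True, None
                self._claims[email.lower()] = [c]
                return True
        return False

    def account_for(self, email: str) -> Optional[str]:
        """Lookup used by login and password recovery: unverified claims are invisible here."""
        for c in self._claims.get(email.lower(), []):
            if c.verified:
                return c.account_id
        return None

    def import_legacy(self, account_id: str, email: str) -> None:
        """Address attached before verification existed: kept, but only as a suspect claim."""
        self._claims.setdefault(email.lower(), []).append(EmailClaim(account_id))

    def pending_accounts(self, email: str) -> list[str]:
        """Accounts that must re-verify before the address works for them."""
        return [c.account_id for c in self._claims.get(email.lower(), []) if not c.verified]


if __name__ == "__main__":
    d = Directory()
    d.import_legacy("acct-A", "shared@example.com")        # grandfathered, never verified
    token = d.claim("acct-me", "shared@example.com")       # token goes out by e-mail
    print("before verification:", d.account_for("shared@example.com"))
    d.verify("shared@example.com", token)
    print("after verification:", d.account_for("shared@example.com"))
```

Replaying the column's situation with this store, the legacy unverified claim never answers a recovery lookup, so it can neither be used by its claimant nor be taken over by the person who actually controls the mailbox until that person verifies; and once they do, the stale claim is gone rather than lingering as a second credential.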
[Video: A video demonstration of the vulnerability, using a temporary password. (Kapil Haresh)]

This piece first appeared on Medium and is republished here with the permission of the author. It reveals a limitation in the way Apple approaches 2FA, which is most likely a deliberate decision. Apple engineers probably recognize that someone who loses their phone won’t be able to wipe data if 2FA is enforced, and this story is a good reminder of the pitfalls.

As a graduate student studying cryptography, security and privacy (CrySP), software engineering and human-computer interaction, I've learned a thing or two about security. Yet a couple of days back, I watched my entire digital life get violated and nearly wiped off the face of the Earth. That sounds like a bit of an exaggeration, but honestly it pretty much felt like that. Here’s the timeline of a cyber-attack I recently faced on Sunday, July 24, 2016 (all times are in Eastern Standard):

[Image: That’s a pretty incidence matrix. (Kapil Haresh)]

3:36pm—I was scribbling out an incidence matrix for a perfect hash family table on the whiteboard, explaining how the incidence matrix should be built to my friends. Ironically, this was a cryptography assignment for multicast encryption. Everything seemed fine until a rather odd sound started playing on my iPhone. I was pretty sure it was on silent, but I was quite surprised to see that it said “Find My iPhone Alert” on the lock screen. That was odd.

3:37pm—My iPhone’s lock screen changes. The screen dims, with the following message, “Hey why did you lock my iPhone haha. Call me at (123) 456–7890.” This was when I realized what exactly was happening. My Apple ID had been compromised and the dimwit on the other end was probably trying to wipe all my Apple devices. Clearly he/she wasn’t very smart (to my benefit), and the adversary had decided to play the sound and kick the iPhone into Lost Mode before attempting to run the remote erase. When you throw a device into Lost Mode, it immediately attempts to get the physical location of the device and shows it to the adversary. Sounds familiar? Of course, this was exactly what happened in August of 2012 with Mat Honan’s massive hack. In his case it happened through a slightly different way, but the end goal was the same—wipe the devices and destroy the data.

[Image: 3:36pm, first Find My iPhone alert. Apple e-mails you back every time you make a change with Find My iPhone. (Kapil Haresh)]
[Image: 3:37pm, second Find My iPhone alert. (Kapil Haresh)]
[Image: 3:37pm, Lost Mode enabled. (Kapil Haresh)]

3:38pm—Naturally, I go into lockdown mode, and immediately take all my devices offline to stop whatever else the adversary was planning to do. When I knew I was being targeted in the same way as the Mat Honan attack, I expected they would soon try to wipe my devices. True enough, I was able to confirm that they indeed attempted to wipe my iPhone and my Mac as well.

[Image: 3:37pm, adversary now knows where I am right at that moment. Cool. (Kapil Haresh)]
[Image: 3:50pm, I get back into iCloud and notice the pending erase request. (Kapil Haresh)]

Because I managed to take all my devices offline, I was able to make sure all of them didn’t get their erase requests from the server. But this could have been worse, way worse. After the Honan attack back in 2012, I decided to get two-factor authentication (2FA) turned on for my Apple ID to act as a safeguard. 2FA here was my friend to some extent, as in the case of iCloud. 2FA blocks any user attempting to log in to your account, not allowing them to go any further than logging in and accessing Find My iPhone, Apple Pay, and Apple Watch settings — I don’t have Apple Pay and an Apple Watch for now, so I am not sure as to the extent of access for those two. But with Find My iPhone, this form of 2FA doesn’t protect it. This was kind of understood — if you lose your iPhone, you can’t get the second factor of authentication to get in to lock your iPhone. One of the benefits of having 2FA was that things like my Mail, Contacts, Calendar and other documents were locked away. Without my 2FA code that comes either through my trusted device (via the Find My iPhone service) or via a text message, there wasn’t any way to get that unless the trusted device or the device that received the text message was compromised as well. Additionally, there was no way for the adversary to reset the password without getting the second authentication code.

[Image: 2FA via iCloud. (Kapil Haresh)]

I was able to lock my account with a new password and got all the erase requests cancelled. But herein lie the problems, which, if addressed, could have prevented this attack or at least limited the potential damage. Put simply: the lack of 2FA for Find My iPhone and the lack of pattern monitoring on Apple’s servers were the two main reasons this attack took place.

[Image: Legitimate login by me, on my (then new) MacBook. (Kapil Haresh)]
[Image: The adversary’s login — I did get an e-mail detailing the login attempt. (Kapil Haresh)]

Pattern monitoring

One of the things I did notice was that the login notification e-mails generally originate from the country you log in from, especially in this day and age when Apple has a local division in most large, if not all, countries. I noticed this as I was able to check on my older login notification e-mails that I received when I lived in Australia. In that case all of my notifications were addressed from Apple Pty Ltd, while my logins from Canada were addressed from Apple Canada Inc. In this case, the adversary’s login attempt resulted in a login e-mail from Ireland instead, which led me to suspect they clearly were not in North America at least. Of course this could have been spoofed with the help of a VPN, but the location change could have been detected as it would be an outlier from my regular logins from Canada. The other, clearer differentiation of the pattern was the part where the login was done on a Windows computer, instead of a Mac. In my case, this would have been quite an outlier as I normally use a Mac and can probably count the number of times I have logged in using a Windows computer. Ideally, at this point, it would have been reasonable for Apple to check if this was a legitimate login — for example, using one of the secondary accounts nominated in the Apple ID. Microsoft actually does this if you attempt to use your Microsoft account on a new device or a device that isn’t normally used, and the company locks the account and gets you to confirm the login through your secondary accounts.

[Image: E-mail notification when I tried to log in after the attack, once I had it contained. (Kapil Haresh)]
[Image: Microsoft got this bit right. I got this when I signed in on a new Mac. (Kapil Haresh)]

Lack of 2FA for Find My iPhone

When you sign up for 2FA, Apple disables the secret questions/answers to reset the password — you need the recovery key instead to regain access if you forget the password. I can see why Apple decided against using the same 2FA authentication for Find My iPhone. Ideally, you’d only use Find My iPhone when you lose your device, hence you’d not be able to access your text and on-device authentication. But for there to be no 2FA for Find My iPhone doesn’t quite add up. I can imagine how this could be fixed. Instead of having a one-time code for Find My iPhone, it might be better to have a second layer of authentication in the form of a secret question/answer when accessing Find My iPhone if 2FA was on. The legitimate user would know the answer for the question just like in the case of a forgotten password. By nominating a number of question/answer pairs, it can be randomized, too. If such a thing existed, the adversary in this case would have not been able to go further than looking up the location, and ideally he/she wouldn’t be able to play the alert sound or even conduct the remote erase.

[Image: Ramona Leitao]

What happens next?

To be fair, I have not had bad experiences with Apple’s security in the last 10 years of using their products, hence I would say I’m still pretty confident to use its products. At the same time, the viability for such an attack to occur is quite scary considering Apple is moving (like many others) to a cloud-focussed future. My experience in this case wasn’t as bad as it could have been. I knew what to do and how to contain, and subsequently neutralize, the attack as I know how Find My iPhone and iCloud work. But to the general population—a large proportion of Apple’s user base—this would have been a very different story. I’ve never revealed this password, and the password itself is pretty random, with capital letters, small letters and numbers. I've also never accidentally signed into a dodgy site with it. I’m going on the basis that the adversary successfully guessed the password somehow, but the important thing here is to reduce the damage should a password be obtained by the adversary. I believe this is a genuine concern, and I think Apple should address this as soon as possible. I can’t imagine having my iPhone randomly wipe out while I’m on the road with CarPlay giving me driving directions or HomeKit controlling my home (especially considering in the next couple of years, we’d likely see stronger CarPlay integration and HomeKit integration). To the hackers — please take grammar classes. That was quite a pathetic Lost Mode message. Not as bad as the Oleg Pliss attack message in 2014, though interestingly, that attack could have been prevented as well if there was a second factor of authentication for Lost Mode. Back then, just like the situation today, the 2FA that everyone suggested to turn on doesn’t protect Find My iPhone.

Kapil Haresh (LinkedIn) is a current CS grad student and TA at the University of Waterloo, where he does cryptography, security and privacy (CrySP), software engineering and human-computer interaction. As a CS undergrad from the University of Wollongong, he specialized in digital security and software engineering, making it into the limited admission Dean’s Scholar program. His cryptography and network security subjects had pretty decent (90 percent) averages on their own, but even he's not immune to 2FA's shortcomings. (Luckily, as you've read, he was able to minimize the damage.) He can be contacted at khvignes (at) uwaterloo (dot) ca.

Listing image by Ramona Leitao
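The pattern-monitoring argument in the piece above (a login from a country and a platform the account has never used before should at least trigger a confirmation through a nominated secondary contact) can be written as a baseline-and-outlier check. The Python below is an added example for this page, not Apple's or Microsoft's logic and not the author's code; the login history, the platform labels and the 20 percent share threshold are constructed. The country comes from the client's network address and, as the author notes, a VPN can fake it, which is why the code never lets a familiar country excuse an unfamiliar platform.

```python
"""Login pattern monitoring (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    when: str        # ISO 8601 timestamp (constructed)
    country: str     # ISO country code derived from the client address (VPN-spoofable)
    platform: str    # user-agent family: "macOS", "iOS", "Windows", ...
    success: bool


# Constructed history for one account: a Canadian user on a Mac and an iPhone.
HISTORY = [
    Login("2016-06-01T09:12:00", "CA", "macOS", True),
    Login("2016-06-03T18:40:00", "CA", "iOS", True),
    Login("2016-06-10T08:05:00", "CA", "macOS", True),
    Login("2016-06-21T13:30:00", "CA", "iOS", True),
    Login("2016-07-02T10:00:00", "CA", "macOS", True),
    Login("2016-07-05T22:10:00", "US", "macOS", False),   # a failed attempt never widens the baseline
]

MIN_SHARE = 0.2   # a value must appear in at least 20% of past successful logins (assumed threshold)


def baseline(history, min_share=MIN_SHARE):
    """Countries and platforms that count as normal for this account."""
    ok = [login for login in history if login.success]
    if not ok:
        return set(), set()

    def common(attr):
        counts = Counter(getattr(login, attr) for login in ok)
        return {value for value, n in counts.items() if n / len(ok) >= min_share}

    return common("country"), common("platform")


def assess(login, history):
    """Decide how to treat a new login attempt.

    'allow'   : both country and platform are familiar
    'confirm' : one attribute is new; ask the user to confirm via a nominated secondary contact
    'hold'    : both are new; keep the session locked until confirmed, as in the Microsoft flow
                the article describes
    """
    countries, platforms = baseline(history)
    reasons = []
    if login.country not in countries:
        reasons.append(f"country {login.country} not in baseline {sorted(countries)}")
    if login.platform not in platforms:
        reasons.append(f"platform {login.platform} not in baseline {sorted(platforms)}")
    decision = ("allow", "confirm", "hold")[len(reasons)]
    return decision, reasons


if __name__ == "__main__":
    attempts = [
        Login("2016-07-24T15:35:00", "IE", "Windows", True),   # the kind of login described above
        Login("2016-07-24T16:00:00", "CA", "Windows", True),
        Login("2016-07-24T16:30:00", "CA", "macOS", True),
    ]
    for attempt in attempts:
        print(attempt.country, attempt.platform, assess(attempt, HISTORY))
```

The share threshold keeps a single old login from a holiday destination from permanently widening the baseline, and failed attempts are excluded so that an attacker cannot teach the model a new country by failing from it first.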
New iPhone or GTFO

Travelling executives should use modern iPhones with burner SIMs, no PINs, and minimal apps, CloudFlare security boffin Filippo Valsorda says. Valsorda, of the anti-DDoS firm's London office, says his 'paranoid' guide focuses on iOS because he considers it the most secure operating system currently available. The travelling executive should start with a burner Apple ID with Touch ID activated, and a ridiculously long log-in password which will frustrate physical attackers but not the user, thanks to the biometric option.

"Use Airplane mode extensively," Valsorda says. "Turn off WiFi when you don't need it."

Apple security questions should be passwords, not personal information which can be obtained from Facebook and other leaky sources. 1Password with Touch ID and syncing killed is your best option for handling passwords. Safe travel requires protection, so USB condoms which prevent data theft over the port during charging are a must. Alternatively the traveller must label their trusted charger and only ever use that.

Siri is off. As is Bluetooth, voice dial, Safari's JavaScript, and nine other options. If JavaScript is required, use the Brave browser as it uses the HTTPS Everywhere extension and blocks possibly malicious advertising. Do not use your normal email address, but instead set up a temporary one that contains the emails you'll need, sans anything with the phrases password, reset, recover, or subject:login, all of which can be nixed with a blacklist. After 10 failed password attempts, the modern iPhone should obliterate data held within, while two-factor authentication must be used to help protect the burner Apple ID.

Valsorda continues: install only essential apps before travelling, refuse updates, slap encryption on the Notes app and avoid writing sensitive things on the first line, which remains unencrypted. A spare SIM card should be taken with the original kept hidden, and PINs set on both. "It's not much, but it's all you can do against a SS7 attack," Valsorda says. Snowden's Signal and WhatsApp are your communications apps to be tied to the disposable SIM. You'll need to keep an email record of your fingerprint to ensure the people you talk to are who they say, and turn off backups. Valsorda rounds off his paranoia guide recommending execs use auto responders on real email addresses that point people to burner contacts with a note to not blab confidential data.
Hackers are using fake phishing domains to trick Apple users into giving up their Apple ID credentials, according to a new report from FireEye. Since the beginning of 2016, FireEye has tracked a number of phishing campaigns targeted against Apple users. The phishing campaigns all include some form of a lure to trick unsuspecting users into entering their Apple ID into a fake login screen. All Apple device owners use the Apple ID to get access to the company's services, including iTunes, App Store and iCloud data backups.

As part of the subterfuge, the phishing campaign emails direct users to seemingly legitimate Apple sites that are hosted on domains that have the word "Apple" in them, but are not associated in any way with the company. Among the domains are various combinations of the words Apple and iCloud, including iCloud-Apple-apleid.com, appleie-xyw.com and iow-web-Apple.com.

Since the beginning of 2016, FireEye has discovered 240 phishing domains attempting to trick users into thinking they were Apple Inc. Of those, FireEye found 86 targeting U.K. customers since January. Domains specifically going after Chinese users are also common, with FireEye reporting 32 different domains registered in March alone.

While FireEye was able to identify the spam domains targeting Apple users, it's not clear how many potential victims may have been exposed to the phishing domain campaigns. "Our system is designed to detect newly registered malicious domains," Fahim Abbasi, principal malware researcher at FireEye, told eWEEK. "We are not able to answer if there are specific targets."

Looking across the 240 different Apple spam domains, FireEye found 154 unique email addresses were used to register the domains. Of those email addresses, 64 were on the qq.com email domain in China and 36 registrants had unique gmail.com email accounts. Going a step further to try and determine some form of attribution for the malicious spam domains, FireEye found that the observed Apple spam domains in China were pointing at 13 unique IP addresses found in the United States and China. All of the U.K. spam domains were pointing to IP addresses in the United Kingdom.

Abbasi noted that FireEye observed a peak of Apple spam domain registrations in the first quarter of 2016, but has seen a gradual decrease since then. "We are now starting to log this information to get a better breakdown of stats," Abbasi said.

From a user protection standpoint, the actual address for a link or a Website is generally viewable by users, either in a browser or when they hover over an email link. As such, a cautious, informed user should be able to avoid falling prey to the Apple phishing domain campaigns. That said, Abbasi noted that not all users are informed of the risks of phishing, and all the domains listed contain keywords like "Apple," "iTunes" and/or "iCloud." "Attackers exploit the human trust model, as we tend to trust brand names, and use that to lure their victims into clicking and interacting with the phishing page," Abbasi said. "The majority of Internet users are not savvy enough to detect these minor variations in legitimate-looking phishing URLs."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
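Defenders on the receiving end of campaigns like these typically watch newly registered domain feeds for brand keywords and one-letter near-misses, allowlist the brand's real domains, and then cluster the hits by registrant, which is the kind of breakdown (qq.com versus gmail.com registrants) the report gives. The Python below is an added example for this page, not FireEye's detection system. Its feed is constructed: the first three domains are the ones named in the article, the other domains and every registrant address are invented, and the only allowlisted domains are apple.com and icloud.com.

```python
"""Brand-lookalike screening of newly registered domains (added example)."""
import re
from collections import Counter

BRAND_KEYWORDS = ("apple", "icloud", "itunes")
LEGITIMATE = ("apple.com", "icloud.com")   # Apple's real domains; the allowlist is deliberately short

# Constructed feed of (domain, registrant e-mail). The first three domains are the ones named in
# the article; the remaining domains and all registrant addresses are invented.
NEW_DOMAINS = [
    ("iCloud-Apple-apleid.com", "reg-1@qq.com"),
    ("appleie-xyw.com", "reg-2@qq.com"),
    ("iow-web-Apple.com", "reg-3@gmail.com"),
    ("apple.com", "hostmaster@apple.com"),                # allowlisted control entry
    ("greenapple-orchard.example", "farm@example.org"),   # innocent use of the word: still sent to review
    ("aple-id-verify.net", "reg-4@qq.com"),               # one edit away from "apple"
    ("weather-today.example", "ops@example.net"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; the inputs are short labels, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE)


def flag(domain: str) -> list[str]:
    """Reasons a domain deserves analyst attention; an empty list means nothing was found."""
    d = domain.lower().strip(".")
    if is_legitimate(d):
        return []
    name = d.rsplit(".", 1)[0]            # everything left of the top-level domain
    reasons = [f"contains brand keyword '{kw}'" for kw in BRAND_KEYWORDS if kw in name]
    for label in re.split(r"[^a-z0-9]+", name):
        if len(label) < 4 or any(kw in label for kw in BRAND_KEYWORDS):
            continue
        for kw in BRAND_KEYWORDS:
            if levenshtein(label, kw) == 1:
                reasons.append(f"label '{label}' is one edit from '{kw}'")
    return reasons


def triage(feed):
    """Return the flagged domains with reasons, plus a count of registrant mail providers among them."""
    flagged, by_provider = [], Counter()
    for domain, email in feed:
        reasons = flag(domain)
        if reasons:
            flagged.append((domain, reasons))
            by_provider[email.rsplit("@", 1)[1].lower()] += 1
    return flagged, by_provider


if __name__ == "__main__":
    hits, providers = triage(NEW_DOMAINS)
    for domain, reasons in hits:
        print(domain, "->", "; ".join(reasons))
    print("registrant providers among hits:", dict(providers))
```

The keyword rule is broad on purpose: a grocer's domain with "apple" in it lands in the review queue alongside the phishing domains, and the analyst, not the script, decides. What the script adds beyond a keyword grep is the near-miss check and the registrant clustering, which is what turns a list of domains into evidence of a single campaign.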
Firmware update 7.7.3 is recommended for all AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. It provides security improvements related to SSL/TLS. Other AirPort base stations do not require this firmware update.

AirPort Extreme and AirPort Time Capsule with 802.11ac (June 2013)

Note: After updating the firmware, some users may need to re-enable Back to My Mac on their AirPort base stations using AirPort Utility and on their Macs using System Preferences.

How to re-enable Back to My Mac on AirPort base stations:
1. From the menu bar, select Go > Utilities and double-click AirPort Utility.
2. Select the AirPort base station that is configured with Back to My Mac and click Edit.
3. If prompted, enter the base station password.
4. In the Base Station tab, select the Back to My Mac account you want to re-enable and click Edit.
5. Enter your Apple ID password and click Sign In. A green status indicator will appear, indicating a successful authentication.
6. Click Update to save the changes.

How to re-enable Back to My Mac on your Mac computer:
1. On each computer you use with Back to My Mac, choose Apple menu > System Preferences, then click iCloud.
2. In iCloud preferences, deselect Back to My Mac, then select it again.
Spam: features of the quarter

Trending: dramatic increase in volume of malicious spam

The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million.

At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.

[Image: Number of email antivirus detections on computers with a Kaspersky Lab product installed]

In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year. With the rise of drive-by downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also to launch it.
It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors).

This is something that built-in protection at the email client level does not provide yet.

Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.

What’s inside?

The variety of malicious attachments is impressive.

They include classic executable EXE files and office documents (DOC, DOCX, XLS, RTF) with embedded malicious macros, and programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others).

[Image: Attachment containing a Trojan downloader written in Java]

Also worth noting is the diversity of languages used in malicious spam.
In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.

[Image: Attachment containing the Trojan banker Gozi]

Most emails imitated notifications of unpaid bills, or business correspondence.

[Image: The malicious .doc file in the attachment is a Trojan downloader. It downloads and runs the encryptor Cryakl using macros written in Visual Basic]

[Image: Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine]

Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor.

The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts.
In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique.
In addition, the emails had different content and were written in different languages.

This doesn’t come as much of a surprise as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.

[Image: Examples of emails with the Locky encryptor]

The content of the emails was related to financial documents and prompted users to open the attachment. If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands.

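Because the Locky mailings made every attachment unique, blocking on the hash of the file itself always lags a step behind; triage by file type, using the same categories the report lists under "What's inside?" (executables, scripts such as JS, JAR and WSF, and office documents that can carry macros), does not depend on having seen the file before. The Python below is an added example for this page, not Kaspersky Lab's detection logic: it builds a constructed "unpaid invoice" message with the standard library (placeholder attachment bytes, invented addresses), parses it back as a mail gateway would, and quarantines risky types and double-extension names.

```python
"""Attachment triage by file type (added example; constructed message, placeholder bytes)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE = {"exe", "scr", "com", "pif", "cpl"}
SCRIPT = {"js", "jse", "wsf", "vbs", "vbe", "jar", "hta", "ps1"}
MACRO_OFFICE = {"doc", "dot", "docm", "docx", "xls", "xlsm", "rtf"}   # the report lists DOC, DOCX, XLS, RTF
DECOY_INNER = {"pdf", "doc", "txt", "jpg", "png"}                       # "invoice.pdf.js" style names


def classify(filename: str) -> list[str]:
    """Reasons to quarantine a file judged by its name alone; an empty list means none."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE:
        reasons.append("executable")
    elif ext in SCRIPT:
        reasons.append("script")
    elif ext in MACRO_OFFICE:
        reasons.append("office document that may carry macros")
    if len(parts) > 2 and parts[-2] in DECOY_INNER:
        reasons.append("double extension disguising the real type")
    return reasons


def triage(raw: bytes) -> list[tuple[str, str, list[str]]]:
    """Parse a raw RFC 5322 message and return (filename, verdict, reasons) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify(name)
        verdicts.append((name, "quarantine" if reasons else "allow", reasons))
    return verdicts


def sample_message() -> bytes:
    """Constructed 'unpaid invoice' mail with three attachments; the bytes are placeholders, not malware."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Unpaid invoice #4821"
    msg.set_content("Please find the attached invoice. Payment is overdue.")
    msg.add_attachment(b"placeholder-doc", maintype="application", subtype="msword",
                       filename="Invoice_4821.doc")
    msg.add_attachment(b"placeholder-js", maintype="application", subtype="octet-stream",
                       filename="scan.pdf.js")
    msg.add_attachment(b"placeholder-pdf", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict, reasons in triage(sample_message()):
        print(f"{verdict:10} {name:20} {', '.join(reasons)}")
```

Name-based triage is only the first gate: a gateway that stops here can still be beaten by archives and by renamed files, so in practice the quarantined parts go on to content inspection, and the office-document class is usually released only after a macro check rather than being blocked outright.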
This process was analyzed in more detail in our blog. As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.

Spam terrorism

Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet.

Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users. In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage.

They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate.

The email claimed the technology came from the US Department of Defense, was easy to use and widely available.

The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc.

‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories.

The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime.

Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money.

Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money. Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime.

This was an attempt to dispel any doubts about their honesty and persuade recipients to reply.

The theme of terrorism came up again in tales related to the current situation in the Middle East.

For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any other terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds.

A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money. Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users.

We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.

Also trending: significant increase in volume of ‘Nigerian’ spam

It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity.
In Q1 2016 we observed a significant increase in the volume of this type of mailing.
In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch.
Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from. Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited for busy people who have no time to read long emails from strangers.

Spammer methods and tricks: short URL services and obfuscation

In our spam and phishing report for 2015 we wrote about obfuscation of domains.
In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal. Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed. First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link. Both the link which the user follows and the link to the uploaded image in the email are obfuscated:

In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links:

Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”.
In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing.

Russian-language spam also used obfuscation and short URL services, but the algorithm was different. For example, the @ symbol was used to obfuscate links.

To recap, the @ symbol in a URL separates user credentials (the userinfo part) from the host name; it was intended for authenticating to the site and is hardly used any more.
If the site does not require authentication, everything that precedes the @ symbol is simply ignored.
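The script below is an added example, not code from the Kaspersky report. It shows what these tricks look like to a URL parser: the text before ‘@’ is userinfo, which browsers discard when the site asks for no credentials, and a redirect-style query parameter such as url= carries the real destination on to a short URL service. It goes slightly beyond the single case in the text by following a chain of nested redirect parameters, and it never touches the network, so it can be run over links pulled from quarantined mail. All sample links are constructed, the hostnames are placeholders rather than addresses from the report, and the list of redirect parameter names is an assumption.

```python
"""Work out which host a browser will really contact for an obfuscated link.

Added example, not code from the Kaspersky report. Models two tricks: text
before '@' in the authority part of a URL (userinfo, discarded by browsers
when no credentials are needed) and a redirect-style query parameter such as
url= that points on to a short URL service. No network access is made.
"""
from urllib.parse import parse_qs, urlsplit

# Parameter names used by open-redirect style "go" pages (assumed list).
REDIRECT_PARAMS = ("url", "u", "redirect", "to")

# Constructed sample links; hostnames are placeholders, not report IoCs.
SAMPLE_LINKS = [
    # Nothing hidden: the host the reader sees is the host contacted.
    "http://news.example.com/article/42",
    # Userinfo trick: everything before '@' is ignored, so the browser opens
    # redirect.example/go, whose url= parameter sends it on to a shortener.
    # The e= parameter carries the recipient address to make each link unique.
    "http://secure.trusted-bank.example:login@redirect.example/go"
    "?url=http://short.example/abc123&e=alice%40example.org",
    # Noise characters between the shortener domain and the key; the host is
    # unchanged, only the path is cluttered.
    "http://short.example/./x/.//abc123",
]


def effective_host(link):
    """Host the browser connects to; urlsplit drops userinfo for .hostname."""
    return (urlsplit(link).hostname or "").lower()


def displayed_host(link):
    """Host a reader is likely to take away from a glance at the link:
    the first host-looking token after the scheme, before any ':' or '@'."""
    authority = link.split("://", 1)[-1].split("/", 1)[0]
    return authority.split("@", 1)[0].split(":", 1)[0].lower()


def redirect_target(link):
    """URL named in a redirect-style query parameter, or None."""
    query = parse_qs(urlsplit(link).query)
    for key in REDIRECT_PARAMS:
        if key in query and "://" in query[key][0]:
            return query[key][0]
    return None


def analyse(link):
    """Follow the redirect chain offline and compare it with what is shown."""
    chain, seen, current = [], set(), link
    while current and current not in seen:  # guard against redirect loops
        seen.add(current)
        chain.append(effective_host(current))
        current = redirect_target(current)
    shown = displayed_host(link)
    return {
        "displayed_host": shown,
        "host_chain": chain,                  # first hop ... final hop
        "userinfo_trick": shown != chain[0],  # reader sees a different host
        "redirected": len(chain) > 1,
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        print(analyse(sample))
```

The useful output for a mail filter is the disagreement between `displayed_host` and the first element of `host_chain`: a link whose visible host differs from the one actually contacted is worth holding regardless of where the chain ends, and the final hop tells you which shortener or redirector to look up.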
So in the email above the browser first opens the site ask.ru/go, processes the ‘url=’ query parameter, and then goes to the URL it specifies, which belongs to a short URL service. The link in these emails was also obfuscated with the @ symbol. Noise was also added by extra query parameters, including the user’s email address, which made the link unique for each email in the mass mailing.

Statistics

Proportion of spam in email traffic

Percentage of spam in global email traffic, Q1 2016

The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p.

By February, however, the amount of spam in email traffic had dropped to its previous level.
In March it grew again, though less dramatically.

As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.

Sources of spam by country

Sources of spam by country, Q1 2016

The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%).

China rounded off the Top 5, accounting for 5.09% of global spam. Russia fell from last year’s second place to seventh (4.89%) in Q1 2016.
It followed closely behind France (4.90%), which was the sixth biggest source of spam.

Spam email size

Spam email size distribution, Q4 2015 and Q1 2016

The most commonly distributed emails were very small – up to 2 KB (79.05%).

The proportion of these emails grew by 2.7 p.p. from the previous quarter.

The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%.

The amount of emails sized 2-5 KB, however, fell significantly compared to Q4 2015 – from 8.91% to 2.5%.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications.
So we have decided to turn to the more informative statistics of the Top 10 malware families.

Top 10 malware families

Trojan-Downloader.JS.Agent. A typical representative of this family is an obfuscated JavaScript.

Malware in this family uses the ADODB.Stream object, which allows it to download and run DLL, EXE and PDF files.

Trojan-Downloader.VBS.Agent. This is a family of VBS scripts.

As is the case with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream; however, they mainly download ZIP files, from which they extract and run other malicious software.

Trojan-Downloader.MSWord.Agent. The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened.
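The following triage script is an added example and is not Kaspersky’s own detection logic. It covers the three script-downloader families just described (JS.Agent, VBS.Agent and MSWord.Agent) and the Locky downloader scripts mentioned earlier: it checks the attachment type, undoes simple string-splitting obfuscation, and looks for the ADODB.Stream object the report names along with a few companion tokens. Office documents are assumed to have had their VBA macro source extracted already (a real .doc or .docm needs a VBA extractor such as olevba first, which this example does not include); the indicator lists and all sample attachments are constructed for illustration.

```python
"""Heuristic triage of email attachments for script-downloader traits.

Added example, not Kaspersky's detection logic. Checks the attachment type
and looks for the ADODB.Stream object named in the report, plus a few
companion tokens, after undoing simple string-splitting obfuscation. Office
documents are assumed to arrive as already-extracted VBA source text.
"""
import re

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
OFFICE_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm"}

# Tokens typical of script downloaders: a payload written to disk through
# ADODB.Stream and launched through WScript.Shell (constructed indicator set).
SCRIPT_INDICATORS = ("adodb.stream", "msxml2.xmlhttp", "savetofile",
                     "wscript.shell", ".run(")
# Auto-executing macro entry points (constructed indicator set).
MACRO_INDICATORS = ("autoopen", "document_open", "auto_open", "workbook_open")


def deobfuscate(text):
    """Undo the simplest string-splitting tricks so that indicators line up.

    Handles "a" + "b" and 'a' + 'b' (JScript), "a" & "b" (VBScript),
    String.fromCharCode(65, 66) and Chr(65). Real samples use more; this is
    the minimum that makes the constructed samples readable.
    """
    t = re.sub(r'"\s*[+&]\s*"', "", text)
    t = re.sub(r"'\s*\+\s*'", "", t)
    t = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
               lambda m: '"' + "".join(chr(int(c)) for c in
                                       re.findall(r"\d+", m.group(1))) + '"', t)
    t = re.sub(r"Chr\((\d+)\)", lambda m: '"' + chr(int(m.group(1))) + '"', t)
    # Second pass joins strings that only became adjacent after decoding.
    return re.sub(r'"\s*[+&]\s*"', "", t)


# Constructed sample attachments keyed by file name.
SAMPLE_ATTACHMENTS = {
    # JScript fragment with split strings and a char-code encoded name.
    "invoice_0316.js": (
        'var s = new ActiveXObject("ADO" + "DB.Str" + "eam");\n'
        's.SaveToFile(p, 2);\n'
        'new ActiveXObject(String.fromCharCode(87,83,99,114,105,112,116)'
        ' + ".Shell").Run(p);\n'
    ),
    # VBScript variant using & and Chr().
    "scan_result.vbs": 'Set s = CreateObject("ADO" & Chr(68) & "B.Stream")\n'
                       's.SaveToFile p, 2\n',
    # Macro source as extracted from a .docm.
    "report_q1.docm": "Sub AutoOpen()\n    Call FetchAndRun\nEnd Sub\n",
    # Benign script: no downloader traits.
    "banner.js": 'document.getElementById("banner").textContent = "Welcome";\n',
    "notes.txt": "Minutes of the meeting, 3 March 2016.\n",
}


def extension(name):
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def triage(name, content):
    """Return (verdict, hits) for a single attachment."""
    ext = extension(name)
    lowered = deobfuscate(content).lower()
    if ext in SCRIPT_EXTENSIONS:
        hits = [i for i in SCRIPT_INDICATORS if i in lowered]
        return ("script-downloader-traits" if hits else "script-attachment"), hits
    if ext in OFFICE_EXTENSIONS:
        hits = [i for i in MACRO_INDICATORS if i in lowered]
        return ("auto-executing-macro" if hits else "office-document"), hits
    return "no-executable-content", []


def triage_all(attachments):
    """Verdict per attachment name, as a mail gateway or quarantine would use."""
    return {name: triage(name, body)[0] for name, body in attachments.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_ATTACHMENTS.items():
        verdict, hits = triage(name, body)
        print(f"{name:18} {verdict:26} {', '.join(hits)}")
```

The verdicts are deliberately coarse: any script attachment is already unusual in business mail, so `script-attachment` alone is a reason to quarantine, and `script-downloader-traits` or `auto-executing-macro` is a reason to block and alert. Obfuscation that survives `deobfuscate` (encoded blobs, eval chains) should be treated as a further indicator rather than as a reason to pass the file.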

The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.

Backdoor.Win32.Androm (Andromeda). This is a family of universal Andromeda/Gamarue modular bots.

The key features of these bots include downloading, storing and launching malicious executable files; downloading and uploading a malicious DLL (without saving it to disk); updating and deleting themselves.

The bot functionality is extended with plug-ins that can be loaded at any time.

Trojan.Win32.Bayrob. The malicious programs of this Trojan family can download from the command server and run additional modules, as well as work as a proxy server.

They are used to distribute spam and steal personal data.

Trojan-Downloader.JS.Cryptoload. A typical representative of this family is an obfuscated JavaScript.

The malicious programs of this family download and run ransomware on the user’s computer.

Trojan-PSW.Win32.Fareit. This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers and passwords for email accounts.

The stolen information is sent to the criminals’ server.
Some members of the Trojan Fareit family are capable of downloading and running other malware.

Trojan.Win32.Agent. The malicious programs of this family destroy, block, modify or copy data or disrupt the operation of computers or computer networks.

Trojan-Downloader.Win32.Upatre. The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads on the infected computer – more often than not these are Trojan bankers known as Dyre/Dyzap/Dyreza.

The main aim of this family of Trojan bankers is to steal payment data from users.

Trojan-Spy.HTML.Fraud. The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, software developer, etc.

The user has to enter their personal data on this page, which is then forwarded to cybercriminals.

Countries targeted by malicious mailshots

There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.

Distribution of email antivirus verdicts by country, Q1 2016

Germany (18.93%) remained on top.

China (9.43%), which ended 2015 in 14th place, unexpectedly came second.

Brazil (7.35%) rounded off the Top 3. Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%. The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth.

Phishing

In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.

Geography of attacks

The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter.

The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015 – by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was a leader in the previous year, saw its share fall by 3.18 p.p.

Geography of phishing attacks*, Q1 2016

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

1. Brazil 21.5%
2. China 16.7%
3. United Kingdom 14.6%
4. Japan 13.8%
5. India 13.1%
6. Australia 12.9%
7. Bangladesh 12.4%
8. Canada 12.4%
9. Ecuador 12.2%
10. Ireland 12.0%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component.
It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases.
It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity.

After the security system is activated, the user sees a banner in the browser warning about a potential threat.

Distribution of organizations affected by phishing attacks, by category, Q1 2016

In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter.
Second and third were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (840 p.p.) rounded off the Top 5, having lost 0.33 p.p. and 4.06 p.p. respectively.

Online stores

Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.

Distribution of online stores subject to phishing attacks, Q1 2016

Apple Store was the most popular online store with phishers.
In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%.

Behind it in second place was another popular online store – Amazon (21.6%).

Example of a phishing page designed to steal Apple ID and bank card data

Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3.
It came 19th in the overall ranking of organizations affected by phishing attacks. Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email. Cybercriminal interest in Steam and gaming services in general is growing – gamers’ money and personal data are often targeted not only by phishers but also by software developers.

Top 3 organizations attacked

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies.

These companies have lots of customers around the world, which enhances the chances of a successful phishing attack. The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.

    Organization   % of detected phishing links
 1  Yahoo!         8.51
 2  Microsoft      7.49
 3  Facebook       5.71

In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.). Interestingly, phishing on Facebook is delivered in almost all languages. Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.

Conclusion

In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter.

But it is too early to speak about a growth trend.

The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period.

The US remained the biggest source of spam in Q1 2016.

The Top 5 also included Vietnam, India, Brazil and China – all large, fast-developing countries with high levels of internet connectivity.

Spam messages are becoming shorter.
In the first quarter, the proportion of emails up to 2 KB exceeded 80% of all spam.

Q1 of 2016 saw the amount of spam containing malicious attachments increase dramatically.

The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average.

This rapid growth was caused specifically by the popularity of crypto-ransomware, which was either contained in emails or downloaded to computers via a Trojan downloader. This growth confirms our long-term forecasts on the gradual criminalization of spam, which makes it even more dangerous, as well as on the reduction in spam’s overall share of email traffic.

The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage.

The picture of malware distribution by email has changed significantly this year.
In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots.

Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent, namely ‘Nigerian’, spam in the first quarter of 2016.

It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people get to know of its dangers and the more careful they become about opening suspicious attachments.

Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.