Malware redirecting visitors found on 2,000 WordPress sites

More than 2,000 WordPress sites have been infected with malicious JavaScript that redirects visitors to scam websites and sets the stage for additional malware to be downloaded at a later time.

The Sucuri team said access is gained to WordPress sites through plugin vulnerabilities, including Simple Fields and CP Contact Form with PayPal. [ed note: None of the sites we manage are subject to these infections, as the security plugins we use protect against exploits of this type. And no sites under our management currently use the known vulnerable plugins. ] A large uptick in this activity was picked up during the third week of January.

Source:  https://www.scmagazine.com/home/security-news/malware/malware-redirecting-visitors-found-on-2000-wordpress-sites/?fbclid=IwAR3dUryf3c0OOK4VGXJsOhTSdPkik70RF0-5Tsg4rfmPgfyl6NLtEie8ViE

10% of All Macs Shlayered

Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single Apple malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

These Flash Player updates, though, are the Shlayer Trojan and when executed will install a malware cocktail onto the computer.

When browsing the web, if any site states that you must install an update to watch a video or perform an activity, immediately leave that site.

Source:  https://www.bleepingcomputer.com/news/security/10-percent-of-all-macs-shlayered-malware-cocktail-served/

More at: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/

Ring doorbell app packed with third-party trackers, open to password theft

Ring isn’t just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers.

An investigation by the Electronic Frontier Foundation (EFF.org) of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII). Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.

The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it. All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills.

Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system. In the past, EFF has illuminated the mismanagement of user information which has led to data breaches, and the attempt to place the blame for such blunders at the customers’ feet.

This goes a step beyond that, by simply delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship. As we’ve mentioned, this includes information about your device and carrier, unique identifiers that allow these companies to track you across apps, real-time interaction data with the app, and information about your home network. In the case of MixPanel, it even includes your name and email address. This data is given to parties either only mentioned briefly, buried on an internal page users are unlikely to ever see, or not listed at all.

More details at:  https://boingboing.net/2020/01/27/ring-doorbell-app-packed-with.html

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using Man In The Middle attacks against other devices connected to the same network.

The smart doorbell needs to be connected to your WiFi network, allowing you to remotely access the device from a smartphone app to perform all tasks wirelessly.

https://thehackernews.com/2019/11/ring-doorbell-wifi-password.html


Definition: Brute Force Attack

A brute force attack is an attempt to crack a password or username, find a hidden web page, or recover the key used to encrypt a message by trial and error, in the hope of eventually guessing correctly. This is an old attack method, but it’s often still effective and popular with hackers.

Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years. In fact, IBM reports that some hackers target the same systems every day for months and sometimes even years.

Guessing a password for a particular user or site can take a long time, so hackers developed tools to do the job faster.

Dictionaries are the most basic tool. Some hackers run through unabridged dictionaries and augment words with special characters and numerals or use special dictionaries of words, but this type of sequential attack is cumbersome.

In a standard attack, a hacker chooses a target and runs possible passwords against that username. These are known as dictionary attacks.

Strong passwords are an important defense. One of the security plugins which ProtectYourWP.com installs on your web site checks your passwords against a database of usernames/email addresses and passwords which have been exposed in breaches (and are therefore available to hackers) and rejects any attempt to set one of them as your new password. ProtectYourWP.com also uses tools which recognize when multiple login attempts are being made and block the abuser’s attempts.
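As an added illustration (not code from ProtectYourWP.com or from any plugin it installs), here is how a breached-password check of the kind described above can work without the password itself ever leaving the site: the candidate is hashed with SHA-1, only the first five hex characters are sent, and the returned list of suffixes is compared locally (the k-anonymity range scheme used by the Have I Been Pwned "Pwned Passwords" service). The range table, the counts and the names `SAMPLE_RANGES`, `lookup_range`, `breach_count` and `accept_new_password` are all constructed for this example.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a breached-password range table. Each key is the
# first five hex characters of a SHA-1; each value lists "SUFFIX:COUNT"
# lines for that prefix, the shape the Pwned Passwords range API returns.
# The 5BAA6 entry is the real SHA-1 of "password"; the counts and the
# other suffixes/prefix are made up for this example.
SAMPLE_RANGES: Dict[str, List[str]] = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0123456789ABCDEF0123456789ABCDEF012:7",
    ],
    "ABCDE": ["00000000000000000000000000000000000:1"],
}


def lookup_range(prefix: str) -> List[str]:
    """Hypothetical stand-in for the network range query (offline here).
    Only the 5-character prefix ever leaves the host, so the service
    cannot learn which password was checked."""
    return SAMPLE_RANGES.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Return how often the password appears in the breach corpus, 0 if never."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:          # compared locally, never sent
            return int(count)
    return 0


def accept_new_password(password: str, min_length: int = 12) -> bool:
    """Policy a site could enforce before saving a new password:
    reject anything too short or ever seen in a breach."""
    return len(password) >= min_length and breach_count(password) == 0
```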

Definition: Phishing and Spear-Fishing

Phishing is when a fraudster sends an email or text message to a user that appears to originate from a trusted source, such as a bank. By clicking on a link or opening an attachment in the phishing message, the user can unwittingly load malware onto their device or can be lured into entering their login details on a fake version of the trusted site. The attackers may try to steal your passwords, account numbers, or Social Security numbers.

In the first case, the malware then installs itself on the browser without the user’s knowledge. The malware records the data sent between the victim and specific targeted websites, such as financial institutions, and transmits it to the attacker.

In the second, the user’s login details are recorded by the fake site. The user will often get a generic message indicating that the login failed or that the system is down for maintenance and they should try later. Meanwhile, the criminals now have the actual login details and can clean out the account.

Spear phishing is similar, but more directed. While phishing is often performed in a shotgun approach, where the scammer sends email or text to a list of random addresses, spear phishing aims at a particular person or company, and often refers to people or circumstances known to a specific circle of target email addresses.

Spear phishing can be quite convincing, whereas the shotgun style is often easier to spot – for instance, if you don’t have an account with the bank or other service the scam email uses as bait.

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.

They may

  • say they’ve noticed some suspicious activity or log-in attempts
  • claim there’s a problem with your account or your payment information
  • say you must confirm some personal information
  • include a fake invoice
  • want you to click on a link to make a payment
  • say you’re eligible to register for a government refund
  • offer a coupon for free stuff

Fighting Phish

  1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
  2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
  3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
    • Something you have — like a passcode you get via text message or an authentication app.
    • Something you are — like a scan of your fingerprint, your retina, or your face.
    Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
  4. Protect your data by backing it up. Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.

What to Do If You Suspect a Phishing Attack

If you get an email or a text message that asks you to click on a link or open an attachment, answer this question: Do I have an account with the company or know the person that contacted me?

If the answer is “No,” it could be a phishing scam. Go back and review the tips in How to recognize phishing and look for signs of a phishing scam. If you see them, report the message and then delete it.

If the answer is “Yes,” contact the company using a phone number or website you know is real, not the information in the email. Attachments and links can install harmful malware.

What to Do If You Responded to a Phishing Email

If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.

If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan.

How to Report Phishing

If you got a phishing email or text message, report it. The information you give can help fight the scammers.

Step 1. If you got a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If you got a phishing text message, forward it to SPAM (7726).

Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.

Hacker Uses NSA-Discovered Vulnerability In Windows To Spoof NSA

As a part of its latest Patch Tuesday update, Microsoft fixed a critical Windows 10 CryptoAPI vulnerability (CVE-2020-0601) that was discovered by the National Security Agency (NSA).

However, a security researcher named Saleem Rashid didn’t take much time to demonstrate the havoc it could have caused – in a funny way, though.

The researcher rickrolled the NSA and GitHub by spoofing their HTTPS-secured websites and showed how anyone could masquerade as them. Rickrolling is a familiar gesture used to demo security flaws by playing Rick Astley’s music video “Never Gonna Give You Up,” which Rashid did on the websites of NSA and GitHub.

Affected Windows versions can be secured using the patch that’s already available, so it’s recommended that you install it if you haven’t done so already. At the same time, Google is also in the process of pushing a fix for Chrome that is currently being tested in beta releases.

Full story

Database Reset Plugin Bugs Let Hackers Wipe or Takeover Your Site

Critical bugs found in the WordPress Database Reset plugin used by over 80,000 sites allow attackers to drop all users and be automatically elevated to an administrator role, and to reset any table in the database.

The two vulnerabilities, tracked as CVE-2020-7048 and CVE-2020-7047 and rated as Critical and High severity, were patched with the release of WP Database Reset 3.15, a week after the initial disclosure from Wordfence, the WordPress security firm that discovered the flaws.

Successful exploitation of the two flaws on unpatched WordPress sites could lead to full site takeover and/or database reset.

Disclosure Timeline

January 7th, 2020 – Vulnerability initially discovered and analyzed.
January 8th, 2020 – Full details disclosed to plugin developer and custom firewall rule released to Wordfence premium users.
January 13th, 2020 – Developer responds and notifies us that a patch will be released the next day.
January 14th, 2020 – Patch released.
January 16th, 2020 – Public disclosure.

Full details here and here.

Iranian hackers have been “password spraying” the US grid

“…Industrial control system security firm Dragos detailed newly revealed hacking activity that it has tracked and attributed to a group of state-sponsored hackers it calls Magnallium. …Dragos says it has observed Magnallium carrying out a broad campaign of so-called password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms.

A related group that Dragos calls Parisite has worked in apparent cooperation with Magnallium, the security firm says, attempting to gain access to US electric utilities and oil and gas firms by exploiting vulnerabilities in virtual private networking software. The two groups’ combined intrusion campaign ran through all of 2019 and continues today.

Full article: https://arstechnica.com/information-technology/2020/01/iranian-hackers-have-been-password-spraying-the-us-grid/
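To connect the brute-force definition earlier in this issue with the password-spraying campaign Dragos describes, here is an added detection example (not from the article, from Dragos, or from ProtectYourWP.com) that separates the two patterns in an authentication log: a brute-force source hammers one account with many guesses, while a spraying source tries one or two guesses against many accounts, and any spraying source that then logs in successfully is the one to act on first. The log lines, the `src=`/`user=`/`result=` format, the thresholds and the function name `classify_sources` are all constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed authentication log for this example, one attempt per line.
SAMPLE_LOG = """\
2020-01-20T03:14:01Z src=203.0.113.5 user=alice result=FAIL
2020-01-20T03:14:02Z src=203.0.113.5 user=alice result=FAIL
2020-01-20T03:14:03Z src=203.0.113.5 user=alice result=FAIL
2020-01-20T03:14:04Z src=203.0.113.5 user=alice result=FAIL
2020-01-20T03:20:00Z src=198.51.100.9 user=alice result=FAIL
2020-01-20T03:20:01Z src=198.51.100.9 user=bob result=FAIL
2020-01-20T03:20:02Z src=198.51.100.9 user=carol result=FAIL
2020-01-20T03:20:03Z src=198.51.100.9 user=dave result=FAIL
2020-01-20T03:20:04Z src=198.51.100.9 user=erin result=OK
2020-01-20T04:00:00Z src=192.0.2.77 user=grace result=FAIL
2020-01-20T04:00:30Z src=192.0.2.77 user=grace result=OK
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def classify_sources(log_text: str, fail_threshold: int = 4,
                     spray_users: int = 4) -> Dict[str, str]:
    """Label each source 'brute-force', 'password-spray' or 'normal'.
    Brute force: many failures on one or two accounts. Spraying: at most two
    failures per account across many accounts. Thresholds are constructed."""
    fails = defaultdict(int)   # failed attempts per source
    users = defaultdict(set)   # distinct accounts that failed per source
    succeeded = set()          # sources that also logged in successfully
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["result"] == "FAIL":
            fails[m["src"]] += 1
            users[m["src"]].add(m["user"])
        else:
            succeeded.add(m["src"])
    verdicts = {}
    for src, n in fails.items():
        distinct = len(users[src])
        if distinct >= spray_users and n / distinct <= 2:
            verdicts[src] = "password-spray"
        elif n >= fail_threshold and distinct <= 2:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
        if verdicts[src] != "normal" and src in succeeded:
            verdicts[src] += "+success"   # one guess worked: top priority
    return verdicts
```

Real thresholds must be tuned to a site's login volume; on a busy WordPress login page a single shared office IP can legitimately show several distinct users.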