Emerging Threat Mounts Mass iPhone Surveillance Campaign

From Threatpost

A recently discovered, mass-targeted watering hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware.

The malware specifically targets vulnerabilities in versions 12.1 and 12.2 of Apple’s iOS.

The campaign uses links posted on multiple forums that purport to lead to various news stories that would be of interest to Hong Kong residents, according to a pair of research notes from Kaspersky and Trend Micro. The links lead to both newly created websites set up specifically for this campaign by the operators, as well as legitimate sites that have been compromised. In both cases, a hidden iframe is used to load and execute malicious code.


Definition: Watering-hole campaigns

Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware.

Tupperware Cyberattack Stores Away Customer Payment Cards

From Threatpost

The food container company’s main website had a card skimmer that scooped up online customers’ payment card data.

Cybercriminals hacked the official website of Tupperware, the popular food container giant, injecting a payment card skimmer into its checkout page in hopes of stealing the credit-card details of online customers.

The attackers targeted the official Tupperware[.]com website, which averages close to one million monthly visits, as well as various localized versions of the site. Researchers said they first identified the skimmer on March 20 — but there’s no indication of how long the site was compromised before that. Though Tupperware never responded to multiple attempts at contact by researchers, as of March 25, after research was publicly disclosed detailing the card skimmer, the malicious code was removed from the homepage.

“Threat actors compromised the official tupperware[.]com site…by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process,” said researchers with Malwarebytes, in a Wednesday post. “This form collects customer-payment data via a digital credit card skimmer and passes it on to the cybercriminals, with Tupperware shoppers none-the-wiser.”
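The two stories above share a shape: the watering-hole sites load their payload through a hidden iframe, and the Tupperware skimmer injects a fraudulent payment form into a checkout page. The scanner below is an added example, not code from either article or from the vendors cited; it walks an HTML document and flags iframes hidden from the visitor plus forms, scripts and frames that send data to or load from a host other than the page's own. The page host `shop.example` and the sample markup (including the `.invalid` hosts) are constructed for the example.

```python
"""Scan HTML for the injection patterns described above.

Added example, not code from the original articles or the vendors cited.
It flags (a) iframes hidden from the visitor and (b) forms, scripts or
frames that send data to or load from a host other than the page's own.
The page host and sample markup are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class InjectionScanner(HTMLParser):
    """Collects findings while the parser walks the document."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: list[str] = []

    def _off_origin(self, url: str) -> bool:
        # Relative URLs have no host and are treated as first-party.
        host = urlsplit(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        if tag == "iframe":
            hidden = (
                "hidden" in a
                or "display:none" in style
                or "visibility:hidden" in style
                or a.get("width") == "0"
                or a.get("height") == "0"
            )
            src = a.get("src", "")
            if hidden:
                self.findings.append(f"hidden iframe -> {src}")
            elif self._off_origin(src):
                self.findings.append(f"third-party iframe -> {src}")
        elif tag == "form" and self._off_origin(a.get("action", "")):
            self.findings.append(f"form posts off-site -> {a['action']}")
        elif tag == "script" and self._off_origin(a.get("src", "")):
            self.findings.append(f"third-party script -> {a['src']}")


def scan_html(html: str, page_host: str) -> list[str]:
    """Return one line per suspicious element, in document order."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed checkout page for a fictitious shop at shop.example; the
# off-site hosts are placeholders, not real indicators.
SAMPLE_PAGE = """<html><body>
<h1>Checkout</h1>
<form action="/checkout"><input name="qty"></form>
<form action="https://payments.invalid/collect"><input name="card"></form>
<iframe src="https://loader.invalid/frame" style="display: none; width: 0"></iframe>
<script src="/static/app.js"></script>
<script src="https://cdn.invalid/skim.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "shop.example"):
        print(finding)
```

Run against the sample page it reports the off-site form, the hidden iframe and the third-party script, and stays quiet about the first-party form and script. A static scan like this is a triage aid, not a guarantee: a skimmer that is unpacked from an image file by a script already on the first-party origin, as the Malwarebytes researchers describe, will not show up as a third-party element, which is why a Content Security Policy that allowlists form targets and script sources is the stronger control.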


SSL Security Certificates and https://

What is an SSL Certificate and what does it do for me?

An SSL Certificate allows your site to serve your data – and receive input from visitors – in an encrypted form. This means that if either side is sending sensitive data, it becomes extremely difficult for anyone else to see what is being sent. It’s an important tool to thwart Man-In-The-Middle attacks.

The https:// part of an address (the “s” standing for “Secure Sockets Layer,” or SSL) merely signifies that the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

We’re advised to never send sensitive information to a website which does not have the https:// and a padlock icon on the address line, as pretty much anyone can read it if they know how.

However, security expert Brian Krebs points out that the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates.

The reason Mr. Krebs brings this up is that “many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.”

The problem is that those government sites are misinforming the public, including statements such as “The https:// ensures that you are connecting to the official website….”

No, it does NOT.

All it ensures is that you’re connecting to a site which has an SSL Certificate in place. It’s not particularly difficult to obtain a .gov domain name, and it’s a fairly trivial exercise these days to get a basic SSL Certificate. So all that the https:// on a .gov site ensures is that someone got a .gov domain name and put an SSL Cert on it – nothing more.

The moral? Make sure you’re going to the right site! That goes for government sites and for anything else you do online.

Original article at Krebs On Security
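The point of the Krebs piece is that the padlock tells you nothing about who owns the name, so the only useful check is on the hostname itself. The function below is an added example, not from the Krebs article: it ignores the scheme entirely and compares a URL’s host against a constructed allowlist of sites the user actually intends to reach, flagging subdomain tricks, hyphen-for-dot substitutions, one- or two-character typosquats, and punycode labels. The allowlist contents and the sample URLs are assumptions for the example.

```python
"""Check that a URL's host is the site the user means to visit.

Added example, not from the Krebs article. The scheme is deliberately
ignored: https:// only says the connection is encrypted. The allowlist
is constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment would hold the user's own set.
TRUSTED_HOSTS = {"irs.gov", "ssa.gov", "tupperware.com"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=frozenset(TRUSTED_HOSTS)) -> str:
    """Return 'trusted', 'unknown', 'invalid' or a 'suspicious: ...' reason."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        # No scheme or no host: urlsplit("irs.gov").hostname is None.
        return "invalid"
    # Punycode labels can render as lookalike Unicode letters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: internationalized (punycode) label"
    # Exact match or a genuine subdomain of a trusted site.
    for t in sorted(trusted):
        if host == t or host.endswith("." + t):
            return "trusted"
    # Trusted name reused inside a different registrable domain, e.g.
    # irs.gov.example.com, or with the dot swapped for a hyphen, irs-gov.com.
    for t in sorted(trusted):
        if t in host or t.replace(".", "-") in host:
            return f"suspicious: lookalike of {t}"
    # Typosquat: the registrable part is within two edits of a trusted site.
    base = ".".join(host.split(".")[-2:])
    for t in sorted(trusted):
        if _edit_distance(base, t) <= 2:
            return f"suspicious: typosquat of {t}"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.irs.gov/refunds", "https://irs-gov.com/login",
              "https://1rs.gov/", "https://tupperwear.com/",
              "https://xn--example-abc.com/", "https://example.com/"):
        print(f"{u:40} {classify_url(u)}")
```

The ordering matters: the subdomain test runs before the lookalike test so that `www.irs.gov` is accepted while `irs.gov.example.com` is not. The registrable part is approximated as the last two labels, which is fine for the `.gov` and `.com` names in the list but would need a public-suffix lookup for names like `example.co.uk`.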

As Zoom Booms, Incidents of ‘ZoomBombing’ Become a Growing Nuisance

With the recent Stay At Home orders resulting from COVID-19, many more people are using Zoom and other video chat software to keep in touch with their colleagues. Unfortunately, that means many people are unfamiliar with the platforms and their protocols, which gives bad actors plenty of opportunities to take advantage.

From Threatpost:

Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools.

Officials at Zoom have released tips for users of their video-conferencing platform to help avoid getting “Zoom-bombed” by trolls and even more serious threat actors during online meetings.

The developers of the online video-conferencing service cautioned users to avoid sharing Zoom meeting links publicly and widely on social media and to use some simple management tools within the system to help avoid scenarios in which uninvited participants disrupt meetings in unpleasant and threatening ways.

Read more at the original article: https://threatpost.com/as-zoom-booms-incidents-of-zoombombing-become-a-growing-nuisance/154187/

COVID-19: Hackers Exploit “Fearware” to Target Victims

We’ve all heard about the guy in Tennessee who bought 17,000 bottles of hand sanitizer, then tried to sell them at highly inflated prices.

Some people are going to try to make a buck off anything that happens, without regard to the rest of society. Hackers and scammers are some of those kinds of people, and they’re playing on COVID-19 fears just as they do with any other opportunity they find.

So it’s no surprise that we’re seeing reports of multiple COVID-19 related scams.

One form of attack involves well-crafted phishing emails that appear to come from health authorities but instead contain malicious software that can steal a person’s data or hijack their device. Be sure that the source is real and is who it says it is.

One hacking attack saw Russian-language criminals share an interactive map of coronavirus infections and deaths, which had originally been created by Johns Hopkins University to offer real-time information about the pandemic. Anyone opening the map sent by the hackers would be infected by a form of password-stealing malware that had been hidden within the map.

Fake websites, phishing emails, and malware-laden “tools” abound, so be careful where you go and what you open.

https://arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/

https://threatpost.com/apt36-taps-coronavirus-as-golden-opportunity-to-spread-crimson-rat/153776/

https://www.independent.co.uk/life-style/gadgets-and-tech/news/coronavirus-hackers-covid-19-china-fearware-malware-a9400141.html

https://www.darktrace.com/en/blog/how-antigena-email-caught-a-fearware-attack-that-bypassed-the-gateway/

https://www.webarxsecurity.com/covid-19-cyber-attacks/

https://threatpost.com/hackers-hijack-routers-to-spread-malware-via-coronavirus-apps/154170/