Definition: Fleeceware

Fleeceware: Apps that are marketed as “free” but then trick the user into subscribing to paid services (which are available free elsewhere), often for excessive fees.

Common examples are horoscope apps, QR code or barcode scanners, and face filter apps targeted at younger users. Publishers of fleeceware target users who may be less cognizant of, or less sensitive to, initial fees and recurring charges.

Often users are hooked by free trials that turn out to be difficult to cancel once the “free” period has lapsed.

These are currently most common on phone apps (both iPhone and Android), but the same techniques can be found with some desktop applications as well.

COVID-19: Hackers Exploit “Fearware” to Target Victims

We’ve all heard about the guy in Tennessee who bought 17,000 bottles of hand sanitizer, then tried to sell them at highly inflated prices.

Some people are going to try to make a buck off anything that happens, without regard to the rest of society. Hackers and scammers are among that kind of people, and they’re playing on COVID-19 fears just as they do with any other opportunity they find.

So it’s no surprise that we’re seeing reports of multiple COVID-19 related scams.

One form of attack involves well-crafted phishing emails that appear to come from health authorities but instead contain malicious software that can steal a person’s data or hijack their device. Be sure that the source is real and is who it claims to be.

One hacking attack saw Russian-language criminals share an interactive map of coronavirus infections and deaths, which had originally been created by Johns Hopkins University to offer real-time information about the pandemic. Anyone opening the map sent by the hackers would be infected with a form of password-stealing malware hidden within it.

Fake websites, phishing emails, and malware-laden “tools” abound, so be careful where you go and what you open.

https://arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/

https://threatpost.com/apt36-taps-coronavirus-as-golden-opportunity-to-spread-crimson-rat/153776/

https://www.independent.co.uk/life-style/gadgets-and-tech/news/coronavirus-hackers-covid-19-china-fearware-malware-a9400141.html

https://www.darktrace.com/en/blog/how-antigena-email-caught-a-fearware-attack-that-bypassed-the-gateway/

https://www.webarxsecurity.com/covid-19-cyber-attacks/

https://threatpost.com/hackers-hijack-routers-to-spread-malware-via-coronavirus-apps/154170/


Why You Shouldn’t Use Free Versions of Paid Plugins or Themes!

Full article: An inside look at WP-VCD, today’s largest WordPress hacking operation

According to the folks at Wordfence, the worst malware threat out there for WordPress sites comes from a series of sites hawking free versions of premium (paid) plugins and themes. Here’s their basic modus operandi:

They offer compromised plugins and themes for free to unsuspecting webmasters who think they’re getting a great deal.

Those plugins/themes then insert backlinks and otherwise promote the source sites of the hacked goods, improving their search engine ranking and thus increasing their likelihood of being found and guaranteeing a continuous stream of victims.

They immediately insert malicious code into any other themes installed on the site, so even if the pirated theme isn’t in use, the active theme gets infected.

So now they have a self-generating network of infected sites, and they use them to run malware ads (their income source).

WordPress site owners should keep in mind that when something is free, then “you’re the product” — in this case, your site, which has now been corralled into a cybercrime operation.

See also the original Wordfence report.

10% of All Macs Shlayered

Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single Apple malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

These Flash Player updates, though, are actually the Shlayer Trojan, which when executed installs a malware cocktail onto the computer.

When browsing the web, if any site states that you must install an update to watch a video or perform an activity, immediately leave that site.

Source:  https://www.bleepingcomputer.com/news/security/10-percent-of-all-macs-shlayered-malware-cocktail-served/

More at: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/

Definition: Phishing and Spear Phishing

Phishing is when a fraudster sends an email or text message to a user that appears to originate from a trusted source, such as a bank. By clicking on a link or opening an attachment in the phishing message, the user can unwittingly load malware onto their device or can be lured into entering their login details on a fake version of the trusted site. The attackers may be after your passwords, account numbers, or Social Security numbers.

In the first case, the malware then installs itself on the browser without the user’s knowledge. The malware records the data sent between the victim and specific targeted websites, such as financial institutions, and transmits it to the attacker.

In the second, the user’s login details are recorded by the fake site. The user will often get a generic message indicating that the login failed or that the system is down for maintenance and they should try later.  Meanwhile, the criminals now have the actual login details and can clean out the account.

Spear Phishing is similar, but is more directed.  While phishing is often performed in a shotgun approach, where the scammer sends email or text to a list of random addresses, spear phishing aims at a particular person or company, and often refers to people or circumstances known to a specific circle of target email addresses.

Spear phishing can be quite convincing, whereas the shotgun style is often easier to spot – for instance, if you don’t have an account with the bank or other service the scam email uses as bait.
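One way to check the "fake version of the trusted site" trick described above is to compare what a link shows against where it actually goes. The Python below is an added example, not code from the original post; the sample e-mail body, its domains (on the reserved .invalid TLD) and the crude two-label domain comparison are constructed assumptions.

```python
"""Triage the links in an HTML e-mail for the phishing pattern described
above: anchor text that shows a trusted domain while the href leads to a
look-alike or attacker-controlled host. The sample message is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

ANCHOR_RE = re.compile(r'<a\b[^>]*?href=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_ip_literal(host: str) -> bool:
    """True for hosts like 192.0.2.10; legitimate banks do not link to raw IPs."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def suspicious_links(html: str) -> list[tuple[str, str, str]]:
    """Return (href, visible text, reason) for every link worth a closer look."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        host = urlsplit(href).hostname or ""
        if is_ip_literal(host):
            findings.append((href, text, "raw IP address as host"))
            continue
        shown = DOMAIN_RE.search(text)  # does the visible text name a domain?
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append((href, text, f"text shows {shown.group(0)} but link goes to {host}"))
    return findings

# Constructed sample e-mail body; .invalid is a reserved TLD, not a real site.
SAMPLE_EMAIL = """
<p>We noticed suspicious log-in attempts on your account. Please verify:</p>
<a href="http://examplebank.com.verify-login.invalid/secure">www.examplebank.com</a>
<a href="http://192.0.2.10/update">Update your payment information</a>
<a href="https://www.examplebank.com/help">www.examplebank.com/help</a>
"""

if __name__ == "__main__":
    print(*suspicious_links(SAMPLE_EMAIL), sep="\n")
```

The third link is left alone because its visible text and its target share the same registrable domain; a real triage tool would swap the two-label heuristic for a public-suffix list.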

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.

They may

  • say they’ve noticed some suspicious activity or log-in attempts
  • claim there’s a problem with your account or your payment information
  • say you must confirm some personal information
  • include a fake invoice
  • want you to click on a link to make a payment
  • say you’re eligible to register for a government refund
  • offer a coupon for free stuff

Fighting Phish

  1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
  2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
  3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
    • Something you have — like a passcode you get via text message or an authentication app.
    • Something you are — like a scan of your fingerprint, your retina, or your face.
    Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
  4. Protect your data by backing it up. Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.

What to Do If You Suspect a Phishing Attack

If you get an email or a text message that asks you to click on a link or open an attachment, answer this question: Do I have an account with the company or know the person that contacted me?

If the answer is “No,” it could be a phishing scam. Go back and review the tips in How to recognize phishing and look for signs of a phishing scam. If you see them, report the message and then delete it.

If the answer is “Yes,” contact the company using a phone number or website you know is real. Not the information in the email. Attachments and links can install harmful malware.

What to Do If You Responded to a Phishing Email

If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.

If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan.

How to Report Phishing

If you got a phishing email or text message, report it. The information you give can help fight the scammers.

Step 1. If you got a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If you got a phishing text message, forward it to SPAM (7726).

Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.

Holiday shipping confirmation scams

Brian Krebs, a respected authority on security and all-things-cybercrime, wrote a cautionary post earlier this week. “If you receive an email this holiday season asking you to ‘confirm’ an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.”

The trick with any phishing campaign is to make the message or website appear legitimate. Poorly designed scams are often easy to spot, but cybercriminals are getting much better at crafting believable fakes.

“Scammers have become incredibly good at making fraudulent emails look legitimate to the untrained eye,” agrees Craig Young, security researcher with Tripwire. “Attackers will commonly flood the web with spam mail claiming you have a package waiting to be picked up, an order awaiting confirmation, and a plethora of other emails designed to get users to click links.”

InfoSec Tip: Call the number on your card

Interesting (in a bad way) hack here. This guy’s wife got a message from an ATM telling her that her card had been compromised, giving her a number to call. Luckily for them, they were alert enough not to give out the account number and credit card number!

https://twitter.com/RealGeneKim/status/1187756958608027649

Tip: Any time you need to contact your credit card issuer, use the number on the card – not one provided by a third party, even if it’s theoretically from the same bank.

Should this happen to you, report it!  And leave a note on the ATM so the next person doesn’t get scammed.

Malvertising Campaign targets WordPress

In this campaign, known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection.
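As an added defensive example (not code from the original post or from Wordfence), the Python below takes a page’s rendered HTML and flags the two symptoms described above: obfuscated inline scripts that also contain a redirect, and scripts loaded from hosts other than the site’s own. The sample page, the site host example-site.test and the indicator list are constructed assumptions.

```python
"""Audit <script> tags in a rendered WordPress page for the pattern described above:
obfuscated inline JavaScript that redirects visitors, or a script from a foreign host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Heuristics, not proof: an inline script is flagged only when two of them co-occur.
OBFUSCATION = re.compile(r"\b(?:eval|unescape|atob|String\.fromCharCode)\s*\(")
REDIRECT = re.compile(r"(?:window|document)\.location|location\.(?:href|replace|assign)")
HEX_RUN = re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)  # long \xNN escape runs
INDICATORS = (("obfuscation", OBFUSCATION), ("redirect", REDIRECT), ("hex-escape run", HEX_RUN))

class ScriptCollector(HTMLParser):
    # Collects (src, inline body) for every <script> in document order.
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None

def audit_scripts(html: str, site_host: str) -> list[str]:
    """One finding per suspicious script; an empty list means nothing was flagged."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:  # external script: is it served from the site's own domain?
            host = urlsplit(src).hostname or ""
            if host and host != site_host and not host.endswith("." + site_host):
                findings.append(f"external script from {host}")
            continue
        hits = [name for name, rx in INDICATORS if rx.search(body)]
        if len(hits) >= 2:
            findings.append("inline script: " + ", ".join(hits))
    return findings

# Constructed page fragment; .test and .invalid are reserved TLDs, not real sites.
SAMPLE_PAGE = """
<script src="https://www.example-site.test/wp-includes/js/jquery.js"></script>
<script>jQuery(function () { document.body.classList.add('ready'); });</script>
<script>var w=unescape('%77%69%6e%64%6f%77');eval(w+'.location.href="https://ads.redirector.invalid/"');</script>
<script src="https://cdn.redirector.invalid/load.js"></script>
"""
```

Run `audit_scripts(SAMPLE_PAGE, "example-site.test")` against a page fetched from your own site to get a first-pass list; the allowlist approach means any CDN you legitimately use must be added to the comparison.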

The plugins currently under attack in this campaign are:

We’re relieved to report that none of our clients’ sites are using any of these plugins. Wordfence Security, which we install on most if not all of our clients’ sites, blocks the exploit. So you and your site’s visitors are all safe for now.

Scam threatens to ruin your website’s reputation

Similar to the sextortion scam I wrote about back in December 2018 (see https://protectyourwp.com/scammer-email-with-commentary/), there’s currently a scam going about that often comes to you through your website’s contact form, threatening to destroy your site’s online reputation (using your domain name to send spam, posting angry and negative reviews, getting your domain listed as a spam source, etc).

In general, it’s probably safe to ignore these emails. Should these or other scammers actually start attacking you (which is doubtful – they’re just looking to make quick cash by instilling fear, without having to go through the effort of actually ruining your reputation) there are ways to clear your reputation, so best to treat them like the annoying mosquitos that they are.

https://www.bleepingcomputer.com/news/security/new-extortion-scam-threatens-to-ruin-a-websites-reputation/

Big Trouble in Plugin Land

A WordPress security company—called “Plugin Vulnerabilities”—has recently gone rogue in order to protest against moderators of WordPress’s official support forum. They’ve been publishing vulnerabilities in plugins without giving developers a chance to fix the problem before going public.

Doing so can put sites in danger – hackers are listening, and should this company find and publish a security hole in a plugin you’re using, the hackers can attack your site. Backups are critical! If you get caught in a zero-day exploit – so called because there are zero days available for the developer to fix the problem before it is announced to the world – you may need to revert to an earlier version of your site.