Blog Feed
Malvertising: Can It Be Stopped?
Yet another threat to users’ safety is becoming increasingly prevalent — malicious advertising or malvertising. Malicious advertising itself isn’t new, but recently, its use has become alarmingly widespread: last year, there have been almost twice as many instances of malicious advertisements than there were in 2015. Of the 80 million sites analyzed by researchers in 2015, 19,000 pages were found to be infected; in 2016, nearly 30,000 such pages have been found. The total number of pages checked was the same for both periods. So, what exactly is malvertising, and what makes it so dangerous? The history of malvertising The first cases of malvertising were discovered around late 2007 to early 2008. At that time, attackers exploited a Flash vulnerability (and even today, Flash is loved by hackers due to a large number of security “holes” in it). In 2009, after the online version of the New York Times had malware posing as advertisements inserted into its pages, the site was forced to suspend the serving of third-party ads, and even published advice to help readers avoid the threat. By 2010, malicious browser advertisements grew to such proportions that an interdisciplinary group was formed to combat them. Since 2015, in addition to desktop and laptop browsers, malvertising has also begun targeting the browsers of mobile devices. Most frequently, attacks target sites with large volumes of daily traffic, enabling attackers to infect as many devices as possible. For example, Huffington Post, The Daily Mail, NYTimes, LATimes, and other major news portals have fallen victim to malvertising attacks at various times. Attackers’ traditional “favorite” targets have been file-sharing sites and BitTorrent trackers. Problems were seen on large forums and at IT help desks. Not even giants like Yahoo and Forbes have been able to escape malvertising attacks. How it works Malvertising refers to the practice by which an attacker hides malicious software in advertisements. Typically, what appears to be a simple banner or text ad actually triggers an exploit, infecting the user’s computer with various kinds of malware. Specialized scripts can filter out and target users running vulnerable software, redirecting them to pages that distribute malicious software. Sometimes, it’s not even necessary to click an infected advertisement to be affected. Scripts inserted into the page are automatically run when the page loads. Attackers have turned to these methods of viruses spread since the traditional methods involving phishing emails, torrent trackers, and pornographic sites have become problematic. First, these methods have begun to arouse suspicion among users; and second, these methods make it more difficult for the attackers to “catch” employees of major companies in their nets, so to speak. After all, these users are obviously not going to download torrents and watch porn on the company-owned computers they use while on the job. How, then, can attackers reach this “audience”, one which is of such high interest to them? They’ve found a solution in advertisements. Tools already exist to facilitate attacks on specific companies that interest criminals. This possibility exists thanks to the precisely targeted advertising platforms offered by search engines. (In the search, one can specify a particular region of users, a field of interest, and/or advertising section.) When an employee of a particular company visits the site, he/she is shown the “correct” advertisement, containing a built-in malicious payload (usually spyware)...
read moreWhat is Online Skimming and How to Avoid It
Card skimming, implemented through card reading slips on ATM machines, is familiar to many. Nowadays this type of credit card fraud is also appearing on the web. Of course, it is improved and adapted according to its new ‘habitat’. But the crux of the matter remains the same: the theft of credit card information for its use in criminal undertakings. On the web, harmful Javascript code effectively replaces the skimmers on the card slots. In order to introduce this code onto the servers of internet shops (it is precisely online stores that turn out to be the most frequent victims of these frauds), hackers exploit vulnerabilities which exist in the websites’ software. After the installation, the spyware reads the data from the credit cards input by clients while making purchases. The information of every credit card payment conducted in the shop is thereby intercepted and sent off to a server under the assailant’s control. After that the thief is able to either sell the card number (on the black market the average price of one “lot” ranges around ten dollars) or use the other person’s credit card himself. All the while protected HTTPS-connection won’t help to protect the data: since the malware is installed on the shop’s server, information leakage takes place even before the process of encryption. Often a break-in will leave no trace not only for the customer, whose data was abducted but even for the owners of the merchant websites. Online skimming at first attracted serious attention to itself at the end of 2015, when researchers found over 3000 internet shops which were “pouring out” client cards’ information. For most of the identified websites, the skimming code worked over the span of a few months, and in certain places even more than half of a year. You don’t even want to imagine how many credit card numbers were compromised during this period. Since then a year has passed. What are the results? Now the number of merchant sites with online skimming has increased significantly. One of the factors which impact the increase of infected stores was that hackers learned to skillfully mask the harmful code, making its detection quite difficult. If a year ago just one type of online skimmer with a few modifications in the code was generally used, then today nine types of JS-scripts related to three different families are revealed. However, the main reason for the spread of online skimming is that the managers of internet stores are not quite concerned to eliminate it. After the detection of the problem, the owners of the resources were at once informed by researchers about vulnerabilities that the data protection systems on their websites had. Unfortunately, the overwhelming majority didn’t react to that with due attention. Some simply did not respond to the warnings of specialists, some doubted the presence of spyware on their sites, claiming their data protection systems to be all in order. Meanwhile, there are certain means allowing not only to escape these harmful “additions” but moreover to prevent reinstallation. This is a special software for scanning websites for the presence of vulnerabilities and changes in code able to exercise daily monitoring and report arising problems. Insofar as the store owners are clearly not aware of serious problems, it is worthwhile for potential customers to...
read moreHow to Make a Profit out of Voice Call Based 2FA
You thought all hackers are bad? It’s not so simple: in IT circles there has long been a distinction between “black hat” and “white hat” code crackers. The first are easily understood: they are using their skills to deprive users and companies of money, and also prey on other valuable information for the purposes of identity theft. But there are those who engage in hacking, not for gain, but with humanitarian and scientific motives. Such “good guys” are called white hat hackers. The main point of their work is to find vulnerable websites and services, and then notify the administrators of such resources. With the help of white hat hackers, administrators have eliminated a lot of bugs, and data protection in the network space becomes a more tractable problem. Sometimes experts manage to find a “hole” even in those functions that were designed to protect against hacking. That’s exactly what happened with two-factor authentication. The Belgian white hat hacker A. Swinnen has found a clever way to earn extra cash by means of voice call-based 2FA. How can this be possible? One of the main tasks of information security is to establish the legitimacy of the person requesting access to his or her account on a website, online bank, or payment system. To solve this problem, there exist numerous (often quite exotic) ways to authenticate users. The most reliable among them today is recognized as two-factor authentication using one-time passwords. The most common way of one-time passwords delivery is SMS authentication. But some companies use its modified version – voice calls to the number tied to the user’s account. This is the option used by A. Swinnen. He set up experimental accounts in Instagram, Microsoft Office 365 and Google using phone numbers, calling and messaging which are not free. Unfortunately, the systems of these services could not determine that these were paid numbers. As a result, after each call, the companies were billed. The researcher found a way to make the robots used by Google, Microsoft and Instagram make calls to premium rate numbers as often as possible. Swinnen calculated that for a year he would have been able to get somewhere between 2000 to 670 000 dollars, depending on the service targeted (the least promising was Instagram, and the most – Microsoft). The white hat hacker told developers about the problems he found at the end of 2015. Admittedly, all three companies have taken steps to eliminate the bugs that had been found in their two-factor authentication. Such problems could be avoided altogether if companies used more robust and modern methods instead of SMS and phone calls. One of such solutions can be hardware or software OTP tokens, which generate one-time passwords offline. These devices do not use the Internet or telephone networks for the transmission of OTP passwords, which eliminates the possibility of fraud or one-time passwords interception. Businesses relying on dual-factor authentication in their interaction with customers should remember that, though this is an excellent tool, it in itself is not a panacea against all threats. To make 2FA truly effective, its implementation should be well thought out. The developers should take into account all possible risks (which are often hidden in the most unexpected places). Don’t want fraudsters to find another loophole in your two-factor...
read moreThe Risks and Perils of Pokemon GO
This summer it seems the world has gone crazy over Pokemon. The characters who first gained fame in the animated series from the early 2000s have returned triumphantly and are again earning millions – now in the form of the game Pokemon GO. Its popularity is such that even serious IT-themed internet publications are writing articles about the rules of the game and advice about how to download and install it in countries where the app is not officially released yet. However, the game has drawn more than just praise. Even though it is a very recent phenomenon, the app has already caused several incidents. In some, it has played the role of victim, and in others, that of villain. For example, on Google Play there have been three viruses masquerading as Pokemon GO. Of particular concern was one called “Pokemon GO Ultimate”. This “app” from hackers promised access to the game in countries where it had yet to be officially released, but then completely paralyzed smartphones, frequently without the possibility to reboot them. Even after hard reboots, the virus would continue to work in the background. It would also redirect browser traffic to pornographic websites. Two more pieces of malware displayed ads on the screens of the affected devices or threatened the owners of the smartphones into signing up for paid services. The offending apps were detected and removed from the store, but a large number (more than 50 thousand) of users managed to download the app before that and infect their gadgets. And this happened in the official Google play store! Imagine what is taking place in less regulated app repositories, where there are practically no checks on the available programs. It turns out that these are not the only problems one can encounter after downloading Pokemon GO. Widely circulated posts worry about the game’s capability to spy on gamers and pass their personal data on to third parties. Few apps have drawn so much criticism for violating the confidentiality of their users. Some talk of the dirty PR tactics of the company (to attract interest in its product), others hint about a conspiracy of the “hidden world” or about the direct participation of the surveillance state in making the game. Whether or not to believe these extreme versions is a private choice. However, there is a perfectly official source that makes it possible to find out exactly which information is being collected. On the website of the company Niantic in the section dedicated to Pokemon GO, one can find the publicly-available confidentiality policy. It’s a shame that people rarely read the EULA – such agreements are not always as boring and useless as they seem. Let’s Refer to the Source Writing this article, we used the most recently published Pokemon GO confidentiality policy. We provide here a short summary of the contents of this document: To register for the game, in addition to going directly through the service, you can use a Facebook or Google account. All users will need to provide an email address. You also need to provide your age and a name (not necessarily your real one). For children 13 years and younger, the permission of a parent or guardian is required in order to register for the game. If a child is discovered to...
read moreWhich messaging apps are trustworthy?
Last time we analyzed the question of what makes for secure messaging apps. Now we’ll take a look at the level of security provided by several of today’s popular message exchange programs. Facebook Messenger and Google Hangouts These apps are built into their respective social networks. For this reason alone, they’re certainly not in the running to win “most secure messaging apps of 2016”. The lion’s share of these companies’ profits comes from targeted advertisements. As such, these companies are always trying to gather more data about their customers. It would be naive to think that they don’t use the same methods with their own messaging apps. In short: it’s inadvisable to discuss business or confidential information through Google Hangouts or Facebook Messenger. Viber Viber is rich in functionality – besides the usual options, it even allows users to send money through Western Union. In the past, Viber has had weak security, but recently its developers have been working hard to turn it into a real, secure messaging app by, for example, adding hidden chats and end-to-end encryption. However, this is not yet available in all countries. Another issue is that messages are stored on company servers (which means they can be read by people other than their sender and intended recipient). The app also lacks password protection. Skype The reputation of this truly mighty yet warmly loved communications juggernaut is somewhat compromised by its belonging to Microsoft, which, naturally, collects users’ data. The elderly among us internet users might remember a time when Skype was an independent program and was, if not the most secure messenger, then certainly among the best. Telegram Pavel Durov’s project was fated for success: it came out at the same time as Edward Snowden’s revelations showed people that privacy online isn’t a luxury, but a necessity. Telegram has always supported end-to-end encryption, but for some reason this function isn’t enabled by default. It also supports automatic deletion of messages. Data that has not been destroyed is stored on company servers in an encrypted format. Every cluster is encoded with a separate key. Many experts, however, have questions about the encryption protocol this company uses. It was developed in-house and is not used by anyone else. Who knows whether it’s adequate? Signal Secure messengers for iOS are old news. Apple has always placed a large, and from a user’s point of view, perhaps excessive, emphasis on security. This secure messenger was first designed for iPhones and iPads. It now has an Android version too. The best testimony for Signal comes from Edward Snowden – he stated on his Twitter account that he prefers it. Everything is as it should be: end-to-end encryption, impossibility of server side access, and open-source. The only thing lacking is that messages can’t self-delete after being read by their addressee. WhatsApp This is the world’s most popular messenger, for many reasons. One of them is its security. Although WhatsApp belongs to Facebook, it’s developed by a separate, independent entity. It’s based on an open-source code base, supports end-to-end encryption as of this year, and does not allow the service provider to read messages. It uses the same encryption protocol as Signal – Open Whisper Systems. This can be safely called a secure messenger. Threema This app is little known but...
read moreWhat Makes for a Secure Messaging App?
The pace of modern life leaves no time for long, thought-out messages. Perhaps that’s why today’s answer to the wordy correspondences of yesteryear is text messaging. Practically everyone has at least one messaging app on their smartphone, and many of us use several. But what factors do people consider when choosing messaging apps? Is security one of those factors? Recently a team of experts led by a group of Google employees surveyed more than 1500 users to discover what causes them to choose different apps. Unfortunately, the security of messaging apps was the least important feature for most users. The greatest factor turned out to be how many of the user’s friends themselves used the app. The survey also showed that users value free messengers — especially those preinstalled on their devices. Very few respondents said that they care about secure messaging apps. However, the problems of privacy and online security remain urgent. In fact, they’ve grown ever more serious with the mass adoption of smartphones, which are more prone to hacking than stationary computers and laptops. A large number of vulnerabilities in Android devices is especially well-known, but hackers actively target iPhones as well. Taking into consideration that messaging apps are widely used for the transmission of confidential data in both personal and professional spheres, attackers who have gained access to such apps can quickly find interesting information. We often think that hackers only want logins, passwords, and bank account numbers. But any information can be of use for fraudsters, for example, for phishing, or for social engineering. Government agencies also attempt to monitor private communications. The recent scandal over the FBI’s attempt to break into an iPhone is an example of this. But how can we tell that one program or another can actually provide privacy online? Experts look for a few particular functions, the presence or absence of which is important to consider when choosing “your” secure messaging app. End-to-end encryption Clearly, any secure messaging app must rely on the encrypted exchange. But there are different types of encryption. Typically, messengers send texts in an encrypted format, so they cannot be compromised while in transit. End-to-end encryption includes not only messages, but all information exchanged by users – files, photos, video, and music. Secure messaging app is open source app The majority of popular messaging programs rely on closed proprietary architecture. So even tech savvy users have a tough time verifying whether the encryption and security are really as good as the developers claim. Access to messages for the service provider Last February’s scandal between Apple and the FBI, when federal agents demanded that the company unlock the smartphone of a suspected terrorist, is a vivid, memorable example. But one doesn’t need to be a criminal to interest the FBI. Information about completely law-abiding citizens might also be of interest to government agencies for a variety of reasons. To obtain such information, the government most often subpoena service providers – not all of which can offer opposition as strong as giants like Apple. It’s much simpler if the developers of a messaging app don’t have access to their users’ data in the first place. There are two ways to accomplish this: either the app must use an encryption algorithm that cannot be decrypted from the server, or simply the...
read moreProtectimus’ 2FA Solution Compatible with Citrix NetScaler Gateway
The Protectimus Solutions LLP team is happy to announce that our two-factor authentication solution has been successfully integrated with Citrix NetScaler Gateway and that Protectimus has been certified as a Citrix Ready Partner. The Citrix Ready program exists to verify the compatibility of third-party software solutions with Citrix products. This allows users of Citrix to be confident in the reliability and compatibility of third-party software solutions with their existing systems. Protectimus’ two-factor authentication solution has demonstrated its compatibility with Citrix NetScaler Gateway 10.1, NetScaler Gateway 10.5, and NetScaler Gateway 11.0. Citrix Access Gateway is a program used for secure remote connection to key applications and data, and for detailed control of these applications. More often than not, software like this is used in large enterprises with many employees and, sometimes, numerous affiliates. Such companies store large sets of data, such as documentation, important corporate documents, and users’ personal information. Thus, they require hardened security systems. One crucial element of an advanced and reliable data protection system is two-factor authentication. Protectimus is an expert in this area, offering complex 2FA solution available as both a cloud service and a stand-alone platform, as well as the ability to implement custom solutions at clients’ demand. Protectimus can generate one-time passwords using software or hardware tokens, as well as by distribution through SMS or e-mail. We offer physical tokens working on the TOTP and OCRA algorithms, and also reprogrammable TOTP NFC-compatible tokens. Protectimus offers its clients additional functionality that may be of interest: data signing or CWYS (Confirm What You See), temporal and geographical filters, and intelligent identification. These possibilities enable us to reach a high level of reliability and protect our clients’ systems from most of today’s known threats – phishing, Trojan viruses and other malware, data breaches, and “man in the middle”...
read moreSelf-Driving Cars: New Cybersecurity Challenge
Sometimes there is a feeling that we live in a science fiction novel. Kitchen appliances cook dinner when we return from work. TVs remember viewers’ preferences. Smart cars suggest a way to bypass traffic jams and adjust the temperature in the cabin… Yet people have a place in this high-tech chain. We manage smart devices – give orders and monitor their execution. But it seems that very soon smart devices will be able to do without our participation. And one of the first areas where we will see these changes may be transport. Self-driving cars are already passing the “field” testing. Cars that drive themselves are a new idea. Google launched the first driverless vehicles in 2009 and since 2014 its self-driving cars are being tested in a real urban environment. Several traffic accidents have been recorded with the participation of the Google self-driving cars. But as it turned out in the course of investigations these are cars driven by people to blame for these accidents, not the driverless cars. This fact proves a fairly high level of driverless car technology achieved by the smart cars’ developers. Other leading companies are not far behind. Moreover, not only the traditional leaders of the automotive industry but also large IT companies are involved in the creation of fully computer-controlled cars. Along with such companies as Volvo and Daimler, East Asian giants Samsung and Baidu are also working on their own self-driving cars. If to consider the speed of economic and technological development of Asian countries, it is not clear now who will be the first to release a fully efficient self-driving vehicle. It seems that the first field to use the self-driving vehicles will be cargo transportation. Driverless vehicles will naturally fit into the production chain of dispatch and transfer of goods from the warehouse to the customer. Many links in this chain have already been automated: the release of the goods is managed by the warehouse programs; many companies already have computer-controlled loading machines. If we add self-driving trucks, connected to a certain centralized network, to this system, we will get a fully automated production cycle. Such organization of work can significantly reduce the costs of cargo transportation, as well as simplify the delivery and calculations. The US transport concern Daimler is working on a practical implementation of these ideas. The company’s fully computer-controlled trucks have recently been allowed by law to drive in the state of Nevada. The Russia’s company KamAZ is also working on the same project. Company’s experts promise to release an efficient version of the self-driving truck by 2020. However, the benefits from the use of self-driving cars may be nullified by the risks they incur. And it’s not just about traffic safety, as it is only one of the vulnerable points. Another major cause for concerns may be data protection. When driving a modern car (not driverless yet) we use not only the control computer system of the car but also different radars, onboard computers, media centers, GPS systems, stereo cameras, etc. What is especially dangerous in this situation is that data exchange is carried out via existing platforms and communication channels (Wi-Fi, GSM, and so on). Any of these components can be hacked and compromised. Today we already have the precedents of successful cyber...
read moreDo we need multi-factor authentication in social networks?
No one tries to contradict that multi-factor authentication is very important for corporate and personal accounts – especially those relating to financial assets turnover. But for many users, strong authentication in social networks seems an excessive caution. Usually, people use social networks for entertainment, socializing with friends, and following the news. The majority of social networks profiles have no relation to money or corporate secrets. What can awake the hackers’ interest? But, network fraudsters are interested in every Internet user. The recent events have perfectly confirmed this truth. Since the beginning of the year, a real epidemic of users’ confidential information leaks has been raging. And it has already affected data protection systems of several major social networks We have already written about the scandal with LinkedIn. Just a couple of weeks after the incident, a hacker under the nickname Peace_of_mind, who previously was selling the data from LinkedIn, Tumblr, and MySpace on the “black market”, unveiled new “commercial offers”: more than 100 million VKontakte accounts, and following them – 379 million Twitter accounts (according to statistics, every month, Twitter has 310 million active users, but, apparently, even those who have not entered their Twitter accounts for a long time also hit the database…) Leakage aggregator LeakedSourse received a dump with databases on sale from an anonymous well-wisher and reported that the databases contain full names, e-mail addresses, passwords, and phone numbers linked to the accounts. LeakedSourse website gives an opportunity to check whether your account is among those compromised. But this procedure is not free. All recent incidents have one thing in common: data leaks did not occur today, most of them happened in 2011-2013. It would seem that you can take a breath of relief: after such a long period of time, the old secrets have lost their relevance and account passwords have been already changed. Though the reality is not so comforting. The specialists tested 100 random e-mails of those compromised and found out that 92 of them are still bound to the accounts. A father-founder of Facebook Mark Zuckerberg also fell victim to social networks hacks. The hackers took over his Twitter and Pinterest accounts. To prove it they even posted an appeal to Zuckerberg on his own page. It was also alleged that the hackers even cracked into his Instagram account. (The irony is that this service is owned by Facebook.) But this information has not been confirmed. Hacking became possible since Zuckerberg’s password was among those stolen LinkedIn passwords. Zuckerberg used the same password on Twitter and this helped the scammers to compromise this account as well. But it turned out that Zuckerberg has not been using his Twitter account since 2012. Perhaps this explains the fact that the owner did not care about the regular password change and other measures that ensure user’s data protection. As you can see, the Facebook creator made the same mistakes as the ordinary people: one and the same password for many accounts and avoiding the use of multi-factor authentication. Conclusions that can be drawn from a series of hacks of the largest social networks are not new, but still relevant. More attention to passwords The ratings of the poorest and most predictable passwords can be found on many sources – and on our blog, as well....
read moreSocial Engineering Against 2FA: New Tricks
In the digital age, data protection is important for every Internet user since today people entrust network with too much information: passport data, electronic and physical addresses, payment cards information, and social security numbers. There are various authentication scenarios used to protect the user’s confidential information. And two-factor authentication has been recognized as one of the most reliable. All information security experts, and Protectimus as well, strongly recommend enabling 2FA on all accounts where it is possible. However, hackers constantly invent new tricks to bypass the existing data protection systems. Recently the network was stirred up with the message about a new form of social engineering attacks used to compromise 2FA. This time, the victim is SMS authentication – the most popular 2-factor authentication form as of today. The newness of this method is that to intercept one-time passwords it is not necessary to infect a victim’s computer or smartphone with the Trojan virus, as it was before. It has turned out that a little of cunning in combination with social engineering is enough to get the necessary OTP password. Let’s recall how two-factor authentication works on the majority of resources. Often, they activate smart identification to improve the ease of use. Thus, the one-time password is requested only when the user enters his account from new device or browser. And this is a possible loophole the hackers have found. First of all, the potential victim receives a phishing SMS message on behalf of a service (in this case we are talking about Google, but the same thing can happen with any other site supporting 2FA) about an attempt of unauthorized access to his/her account. Be warned, there's a nasty Google 2 factor auth attack going around. pic.twitter.com/c9b9Fxc0ZC — Alex MacCaw (@maccaw) 4 июня 2016 г. The SMS also reports that in the nearest future the user will receive another message with the OTP password in it. He/she has to send this OTP password back in the response message if he or she wants the account to be temporarily blocked. At the same time scammers are trying to enter the victim’s account (of course, from another computer), and the system sends a temporary password to the real owner of the account with the aim to confirm authorization. Whereupon the naive user sends the OTP password straight to the hackers’ greedy hands – at the specified phishing address or phone number. Is it possible to avoid such a threat? It is, and the same 2FA can help you in it. A higher level of data security can be achieved if to use hardware tokens to generate one-time passwords. We have already written on the advantages of the hardware tokens in the article – “Hardware or software token – which one to choose.” You can get some information here on different kinds of OTP tokens – hardware, software, and SMS. Hardware OTP tokens are not connected to any network (Internet, GSM, etc.), and that’s why the one-time passwords generated with the help of the hardware token cannot be intercepted. In addition, the users who opted for the hardware tokens, do not need to worry about the social engineering of the sort described earlier. After all, the hackers simply won’t know the phone number and won’t be able to send an SMS...
read more