Week in review 7 November 2014
Free pizza always sounds good, but not when it’s code for "download a zip file and become a member of a botnet". Neither is having malware destroy data on your PC and make it unbootable. Bitcoin has the potential to be the next big target of phishing attempts. Finally, a new type of phishing website was observed.

Free pizza spam delivers Asprox malware

Spam emails promising free pizza appeared this week. The reason given for the free pizza is ostensibly to celebrate Pizza Hut’s 55th anniversary; the attackers made a slight mistake, as Pizza Hut is actually 58 years old. Apart from that, the emails were a convincing facsimile of a real Pizza Hut email. Each email contained a link; the user is invited to click on it to receive a free pizza coupon. Unfortunately, clicking on the link downloads malware to the victim’s PC and adds it to the Asprox botnet. The malware performs other nasty actions too, such as attempting to steal bank login credentials or downloading other malware (including ransomware).
Bitcoin a new frontier for phishing
There are plenty of new phishing campaigns in 2014. Recently, a new threat has started to emerge in the form of bitcoin phishing emails. In one particularly well-publicised case this year, an employee of a Melbourne-based bitcoin company lost around USD$60,000 (the equivalent of 100 bitcoins). The attack followed the normal route: the scammers sent a phishing email. An unfortunate sequence of events then led to the criminals gaining access to the victim’s login credentials, after which they were able to transfer the money (in bitcoins) to themselves.
BlackEnergy malware destroys PC data
BlackEnergy malware’s targets of choice are Industrial Control Systems (ICS), particularly those used in the energy sector (hence the name). A new version of BlackEnergy came to light this week; this version can download plugins in order to launch specific attacks on a victim. Some of the extra capabilities provided by the plugins include port scanning, theft of login credentials, and destruction of data on a PC. The last of these was observed by Kaspersky Lab; the PC became unbootable. BlackEnergy is spread predominantly via spear-phishing campaigns.
New method of phishing observed
A new phishing technique was observed this week. It departs from the orthodox method of wholesale copying of a genuine website. The new technique instead reuses the genuine website for most of the victim’s visit, then steals the victim’s details at checkout. It still uses a fake site, but the fake site acts as a proxy for the real one: a user browsing on the fake site has each page request forwarded to the real site, and the real site’s reply is passed back to the user through the proxy. The only bogus page the attackers host themselves is the checkout page. This means far less work for attackers; moreover, the checkout page is very realistic, and email confirmations of orders are sent to the customer. This type of attack is likely to become widespread because of the ease with which such a phishing site can be set up; all the attackers need to do is duplicate the checkout page.
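As an added illustration (not part of the original article), the Python script below shows one way the operator of the genuine site could spot such a proxy from its own access logs. Because the fake checkout page never touches the genuine site, the evidence is in the hops leading up to it: Referer headers forwarded by the proxy carry a foreign hostname but mirror the site’s own paths, and a single source IP (the proxy server) carries many distinct visitor sessions. The log format (combined format plus a quoted session-cookie field), the hostnames, the `.test` domain and the log lines are all constructed for this example.

```python
"""Flag a reverse-proxy phishing site from the genuine site's access logs.

Added example, not from the original article. Assumes a combined-format
access log with one extra quoted field holding the visitor's session cookie.
All hostnames and log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames the genuine site legitimately answers on (assumed values).
LEGIT_HOSTS = {"shop.example.com", "www.example.com"}

# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent" "session"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<session>[^"]*)")?$'
)

# Constructed sample: one ordinary visitor (198.51.100.7), one visitor with no
# referer (192.0.2.9), and one proxy (203.0.113.5) fronting four victims whose
# forwarded Referer headers name the phishing domain but mirror our own paths.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Nov/2014:10:01:02 +0000] "GET /product/123 HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0" "sid=v1"
198.51.100.7 - - [07/Nov/2014:10:01:40 +0000] "GET /cart HTTP/1.1" 200 2048 "https://shop.example.com/product/123" "Mozilla/5.0" "sid=v1"
203.0.113.5 - - [07/Nov/2014:10:02:11 +0000] "GET /product/123 HTTP/1.1" 200 5120 "https://shop-example-checkout.test/" "Mozilla/5.0" "sid=p1"
203.0.113.5 - - [07/Nov/2014:10:02:45 +0000] "GET /cart HTTP/1.1" 200 2048 "https://shop-example-checkout.test/product/123" "Mozilla/5.0" "sid=p1"
203.0.113.5 - - [07/Nov/2014:10:03:01 +0000] "GET /product/456 HTTP/1.1" 200 5300 "https://shop-example-checkout.test/cart" "Mozilla/5.0" "sid=p2"
203.0.113.5 - - [07/Nov/2014:10:03:30 +0000] "GET /cart HTTP/1.1" 200 2048 "https://shop-example-checkout.test/product/456" "Mozilla/5.0" "sid=p3"
203.0.113.5 - - [07/Nov/2014:10:04:12 +0000] "GET /product/789 HTTP/1.1" 200 5010 "https://shop-example-checkout.test/cart" "Mozilla/5.0" "sid=p4"
192.0.2.9 - - [07/Nov/2014:10:05:00 +0000] "GET /product/456 HTTP/1.1" 200 5300 "-" "Mozilla/5.0" "sid=v2"
"""


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def find_mirrored_referers(entries, legit_hosts=LEGIT_HOSTS):
    """Count requests whose Referer is a foreign host but whose referer path is
    one of our own served paths: the signature of a proxy replaying our site
    under another hostname. Ordinary external referrals (a search engine
    linking to one page) do not mirror our internal navigation paths."""
    served_paths = {e["path"] for e in entries}
    hits = defaultdict(int)
    for e in entries:
        referer = e["referer"]
        if referer in ("", "-"):
            continue
        parts = urlsplit(referer)
        if parts.hostname and parts.hostname not in legit_hosts and parts.path in served_paths:
            hits[parts.hostname] += 1
    return dict(hits)


def find_session_fanout(entries, threshold=3):
    """Return source IPs carrying at least `threshold` distinct session cookies:
    one proxy server relays many victims' sessions from a single address."""
    sessions = defaultdict(set)
    for e in entries:
        if e["session"]:
            sessions[e["ip"]].add(e["session"])
    return {ip: len(s) for ip, s in sessions.items() if len(s) >= threshold}


def analyze(text, threshold=3):
    """Run both heuristics over a raw log and return the findings."""
    entries = parse_log(text)
    return {
        "mirrored_referers": find_mirrored_referers(entries),
        "session_fanout": find_session_fanout(entries, threshold),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample both heuristics point at the same infrastructure: `shop-example-checkout.test` is reported as a mirrored referer four times, and `203.0.113.5` is reported as carrying four sessions. Either finding alone is only a lead (a corporate NAT gateway also fans out many sessions from one IP, and a scraper may forward odd Referer values); together they give a hostname to investigate and block and an address whose traffic can be reviewed or rate-limited. The session-cookie field is the assumed part of the log format; in a real deployment, correlate on whatever per-visitor identifier the site already logs.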