Malware Archives - Citi 97.3 FM - Relevant Radio. Always
https://citifmonline.com/tag/malware/

Giant spambot scooped up 711 million email addresses
https://citifmonline.com/2017/08/giant-spambot-scooped-up-711-million-email-addresses/
Wed, 30 Aug 2017 14:36:03 +0000

A malware researcher has discovered a spamming operation that has been drawing on a list of 711.5 million email addresses.

The scale of the scheme appears to make it the biggest find of its kind.

The addresses – and in some cases associated passwords – have apparently been gathered to help spread banking malware.

Members of the public can check if their accounts have been affected via the Have I Been Pwned service.

Its operator, Troy Hunt, acknowledged that some of the listed addresses corresponded to non-existent accounts.

But he added that the number that had been collated still totalled a “mind-boggling amount”.

Hidden images

The Spambot discovery was first flagged by a Paris-based security expert who calls himself Benkow.

It was then brought to wider attention by the ZDNet news site.

The database of 711 million user details can be divided in two.

In cases where the attackers know only an email address, they can only target the owner with spam in the hope of tricking them into revealing more information.

But in cases where they also have the user’s login password and other details, they can secretly hijack their accounts to aid their campaign via a spambot known as Onliner.

Benkow acknowledged that it was “difficult to know where [the] credentials had come from”, but suggested that they might have been gathered from previous leaks, a Facebook phishing campaign and illegal sales of hacking victims’ details.

In some cases, the perpetrators had gathered details of the accounts’ simple mail transfer protocol (SMTP) server and port settings.

This information could be used to fool email providers’ spam-detecting systems into letting messages through that might otherwise have been blocked.

“While the list of mailable addresses is quite large, it is probably no larger than any seen previously,” Richard Cox, former chief information officer of the Spamhaus project, told the BBC.

“The lists of compromised accounts are more worrying.

“When compromised accounts are used for spam, they can only be stopped by their providers suspending the account – but when that many are involved, it will severely overload the security/abuse departments of those providers, making it a slow process and that is what keeps the spam flowing.”

Benkow added that the Onliner spambot had been hiding tiny pixel-sized images in the emails it had sent out, which were used to harvest information about recipients’ computers.

This meant that the right kinds of malware attachments required to infect different types of devices could be included when follow-up messages masquerading as business invoices were delivered.

Mr Hunt said that the Spambot lists had been tracked to a Netherlands-based computer server, but it had yet to be shut down.

For now, affected users are able to check only if their email addresses have been targeted, but not if their accounts have been hijacked.

But Benkow told the BBC there were still protective steps affected users could take.

“I recommend you to change your password, and be more vigilant with the emails that you receive, now you know that you’re on malware deliverers’ lists,” he said.

Source: BBC

Malware planted in Britney Spears’ Instagram page
https://citifmonline.com/2017/06/malware-planted-in-britney-spears-instagram-page/
Fri, 09 Jun 2017 06:36:43 +0000

The comments section of Britney Spears’ Instagram account has been used by cyber-thieves to co-ordinate attacks.

Security firm Eset found the gang controlled its malware, called Turla, by posting comments about images in the singer’s gallery.

The comments looked like spam but once transformed by code in the virus, directed victims to other sites.

Several other compromised websites were also being used to track victims and spread the malware.

Digital detective work

Turla has been active since 2014 and sought to catch out government workers, diplomats and other officials, said Eset researcher Jean-Ian Boutin. It is believed to be run by a hacker group working for the Russian state.

Most often, he said, Turla’s handlers compromised websites that targets would be likely to visit.

One compromised server asked visitors to install a booby-trapped extension for the Firefox web browser.

Digital detective work by Mr Boutin revealed that the command and control (C&C) channel set up between the creators of the extension and victims’ machines was on the singer’s Instagram page.

The malicious extension searched for comments that, when digitally transformed, matched a specific value. These were then converted into a website address that the compromised machine visited to report in or to update the malicious code they harboured.

Very few comments posted to the Instagram account had the key characteristics – suggesting that Turla’s creators were testing or refining the control system.

Mr Boutin said using social media in this way made “life harder for defenders”.

“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic,” he wrote. “Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it.”

Mr Boutin added that he had been in touch with Mozilla, which was working on ways to stop extensions for Firefox being compromised in this way.

Source: BBC

App maker’s code stolen in malware attack
https://citifmonline.com/2017/05/app-makers-code-stolen-in-malware-attack/
Fri, 19 May 2017 06:36:23 +0000

The Mac and iOS software developer Panic has had the source code for several of its apps stolen.

Panic founder Steven Frank admitted in a blog post that it happened after he downloaded an infected copy of the video encoding tool Handbrake.

He said there was no sign that any customer data was accessed and that Panic’s web server was not affected.

Users have been warned to download Panic’s apps only from its website or the Apple App Store.

Panic is the creator of web editing and file transfer apps Coda and Transmit, and the video game Firewatch.

‘Entirely compromised’

On 2 May Handbrake was hacked, with the Mac version of the app on one of the site’s download servers replaced by a malicious copy.

The infected app was discovered and removed on 6 May.

In what Mr Frank called “a case of extraordinarily bad luck”, he downloaded the malicious version of Handbrake and launched it “without stopping to wonder why Handbrake would need admin privileges… when it hadn’t before”.

“And that was that, my Mac was completely, entirely compromised in three seconds or less.”

The attacker then used his password to access other private files and copy the source code for several of Panic’s products stored on the infected computer.

Ransom demand

The theft was confirmed when Panic received an email containing some of the files and demanding a ransom for the return of the complete code.

“We’re working on the assumption that there’s no point in paying,” Mr Frank wrote, saying that “the attacker has no reason to keep their end of the bargain”.

The FBI is investigating the incident and Panic has been working with Apple to make sure that no malicious or fake versions of the apps get into the App Store.

“I feel like a monumental idiot for having fallen for this,” Mr Frank admitted.

“It’s a good reminder though — no matter how experienced you might be with computers, you’re human and mistakes are easily made.”

Source: BBC

Ransomware infections reported worldwide
https://citifmonline.com/2017/05/ransomware-infections-reported-worldwide/
Sat, 13 May 2017 06:36:46 +0000

A massive ransomware campaign appears to have infected a number of organisations around the world.

Computers in thousands of locations have apparently been locked by a program that demands $300 (£230) in Bitcoin.

There have been reports of infections in more than 70 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan.

Many security researchers are linking the incidents together.

The UK’s National Health Service (NHS) was also hit by a ransomware outbreak on the same day and screenshots of the WannaCry program were shared by NHS staff.

One cyber-security researcher tweeted that he had detected many thousands of cases of the ransomware – known as WannaCry and variants of that name – around the world.

“This is huge,” said Jakub Kroustek at Avast.

Another, at cyber-security firm Kaspersky, said that the ransomware had been spotted cropping up in 74 countries and that the number was still growing.

There were a number of reports that Russia had seen more infections than any other single country.

Several experts monitoring the situation have linked the infections to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the US National Security Agency (NSA).

A patch for the vulnerability was released by Microsoft in March, but many systems may not have had the update installed.

Some security researchers have pointed out that the infections seem to be deployed via a worm – a program that spreads by itself between computers.

A number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a “cybersecurity incident” but that clients and services had not been affected.

Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.

There were reports that staff at the firms were told to turn off their computers.

Source: BBC
