
Cyber Security

The Sneaky Simple Malware That Hits Millions of Macs



The popular misconception that Macs don’t get viruses has become a lot less popular in recent years, as Apple devices have weathered their fair share of bugs. But it’s still surprising that the most prolific malware on macOS—by one count, affecting one in 10 devices—is so relatively crude.

This week, antivirus company Kaspersky detailed the 10 most common threats its macOS users encountered in 2019. At the top of the list: the Shlayer Trojan, which hit 10 percent of all of the Macs Kaspersky monitors, and accounted for nearly a third of detections overall. It’s led the pack since it first arrived in February 2018.

You’d think that such prevalence could only be achieved by comparable sophistication. Not so! “From a technical viewpoint Shlayer is a rather ordinary piece of malware,” Kaspersky wrote in its analysis. In fact, it relies on some of the oldest tricks in the books: convincing people to click on a bad link, then pushing a fake Adobe Flash update. Even the trojan’s payload turns out to be ho-hum: garden variety adware.

Shlayer’s brilliance, it turns out, lies less in its code than its method of distribution. The operators behind the trojan reportedly offer website owners, YouTubers, and Wikipedia editors a cut if they push visitors toward a malicious download. A complicit domain might prompt a phony Flash download, while a shortened or masked link in a YouTube video’s description or Wikipedia footnote might initiate the same. Kaspersky says it counted more than 1,000 partner sites distributing Shlayer. One individual, Kaspersky says, currently owns 700 domains that redirect to Shlayer download landing pages.
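The distribution trick described above is a redirect chain: a shortened or masked link bounces through one or more affiliate redirectors before landing on a page that pushes the fake Flash installer. The script below is an added example, not Kaspersky's or Intego's tooling, of how an analyst triages such a link: follow the redirects one hop at a time so every intermediate host is recorded, then score the landing page for Flash wording plus a macOS installer link. The hop table and page HTML are constructed for the example and all hostnames in it are invented; a real run would swap in an HTTP client that does not auto-follow redirects.

```python
"""Triage a shortened/masked link for a Shlayer-style fake Flash lure.
Added example; the network responses below are constructed stand-ins."""
import re
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for the network: url -> (status, headers, body).
# Hostnames are invented for the example.
SAMPLE_RESPONSES = {
    "https://short.example/abc": (
        302, {"Location": "https://go.redirector.example/r?id=77"}, ""),
    "https://go.redirector.example/r?id=77": (
        302, {"Location": "/landing"}, ""),              # relative Location
    "https://go.redirector.example/landing": (
        302, {"Location": "https://update-player.example/flash"}, ""),
    "https://update-player.example/flash": (
        200, {"Content-Type": "text/html"},
        '<html><body><h1>Your Flash Player is out of date</h1>'
        '<a href="/dl/FlashPlayer.dmg">Update now</a></body></html>'),
    "https://short.example/benign": (
        302, {"Location": "https://docs.example/notes"}, ""),
    "https://docs.example/notes": (
        200, {"Content-Type": "text/html"},
        "<html><body>Release notes</body></html>"),
}


def fake_fetch(url):
    """Stand-in fetcher. In real use, replace with a client that does NOT
    auto-follow redirects, e.g. requests.get(url, allow_redirects=False)."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


def resolve_chain(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time so every intermediate host is
    recorded. Stops at the first non-3xx answer, a missing Location header,
    a loop, or max_hops. Returns (chain, final_status, final_body)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain, status, body
        nxt = urljoin(chain[-1], headers.get("Location", ""))
        if nxt == chain[-1] or nxt in seen:      # no Location, or a loop
            return chain, status, ""
        seen.add(nxt)
        chain.append(nxt)
    return chain, None, ""                       # gave up: too many hops


FLASH_LURE_RE = re.compile(r"(?:adobe\s+)?flash\s+player", re.I)
INSTALLER_RE = re.compile(r'href="([^"]+\.(?:dmg|pkg|zip))"', re.I)


def classify_lure(chain, body):
    """Flash wording plus a macOS installer link is the fake-update lure.
    The number of distinct hosts crossed is reported too; affiliate
    redirectors tend to push it up."""
    hosts = sorted({urlparse(u).hostname for u in chain
                    if urlparse(u).hostname})
    installers = INSTALLER_RE.findall(body)
    lure = bool(FLASH_LURE_RE.search(body)) and bool(installers)
    return {
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        "hosts": hosts,
        "installers": installers,
        "verdict": "fake-flash-lure" if lure else "no-lure",
    }


def triage(url, fetch=fake_fetch):
    chain, _status, body = resolve_chain(url, fetch)
    return classify_lure(chain, body)


if __name__ == "__main__":
    for u in ("https://short.example/abc", "https://short.example/benign"):
        print(u, "->", triage(u))
```

Following hops manually rather than letting the client auto-redirect is the point: the intermediate redirector hosts are what let you cluster the hundreds of partner domains the article mentions, and a chain that loops or runs past ten hops is itself worth noting.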

“Distribution is a vital part of any malware campaign, and Shlayer shows that affiliate networks are pretty effective in this sense,” says Vladimir Kuskov, head of advanced threat research and software classification at Kaspersky.

While Shlayer is simple, the adware it installs—a wide variety, since Shlayer itself is just a delivery mechanism—can deploy at least a modestly clever trick or two. In an instance of Cimpli adware that Kaspersky observed, the malware first poses as another program, in this case Any Search. In the background, Cimpli attempts to install a malicious Safari extension, and generates a fake “Installation Complete” notification window to cover up the macOS security notification that warns you against doing so. It tricks you, in other words, into granting permission to let it run amok on your device.

Once you do, the attacker can both intercept your search queries and seed the results with their own ads. It’s an annoyance, more than anything. But given that over 100 million people use macOS, and that Shlayer hits 10 percent of the Macs Kaspersky monitors, it’s reasonable to assume that millions of Mac users encounter it every year. Even if only a small percentage of those attempts prove successful, it’s apparently enough to keep the operation going.

“Apple does a great job making their OS more and more secure with every new release,” says Kuskov. “But it is hard to prevent such attacks on the OS level, since it's the user who clicks on a link and downloads Shlayer and runs it, like any other software.”

While Flash might seem like an outdated lure, given the numerous public warnings about its fallibility and the fact that it’s dying off completely this year anyway, it’s actually perversely effective.

“I think the reason why fake Flash Players are so successful, in spite of these facts, is twofold,” says Joshua Long, chief security analyst at Intego, which first discovered Shlayer nearly two years ago. “Force of habit, and lack of awareness of the current state of Flash.”


To the first point, people have been so accustomed to serious Flash vulnerabilities that they’re conditioned to update ASAP to avoid calamity. As for the second, Long says, “the average consumer has no idea that Flash is rarely used by modern sites, that Flash installers are no longer necessary, or that Flash is being terminated this year.”

None of which means Mac owners are especially susceptible. “The techniques used to deceive users to install Shlayer also work fine with users of any other platform and OS,” Kaspersky’s Kuskov says.

The best ways to protect yourself from Shlayer and other malware are similarly universal. Don’t click suspicious links, especially not surprise pop-up windows. Don’t install Flash in the year of our lord 2020, especially not from a site that’s promising a pirated livestream.


This tax season, don’t let your business provide a payday for hackers | Gene Marks



Small accounting firms are particularly at risk from bogus emails designed to steal lucrative personal information

It’s not just accountants who are busy this tax season; online hackers are too, and they’re preying on both individuals and small businesses.

“This is not from the mob or street criminals,” writes Jess Coburn, a data protection expert, in CPA Practice Advisor. “These criminals are likely sitting behind a desk, glued to computer monitors, chugging energy drinks and developing the most effective ways to steal today’s version of gold.”

That gold is data, and according to research by the security firm Proofpoint, employees and website visitors at small companies and small accounting firms, which have fewer resources for security, are being targeted this tax season. The scams usually come in two forms.

The first is emails sent to individuals and employees that request tax information. These emails carry legitimate-looking logos and letterheads from familiar brands or tax authorities and warnings such as “important tax information attached” or “tax changes that affect your filings.” When the recipient opens the attachment, malicious code runs on their device.

The second type of attack occurs when malware (including ransomware) is downloaded onto the devices of unwitting visitors to a compromised website. These sites are targeted by hackers because they have tax-related keywords, and they’re usually sites of smaller accounting firms that probably haven’t updated their security. “If you have the word ‘tax’ in your domain name, you’re a target this year,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. But it’s not just small accounting firms that are exposed. According to DeGrippo, tax-themed email attacks are also hitting businesses in all sectors. “We saw financial firms and construction industries targeted disproportionately,” DeGrippo says.

Once malware is set loose, it’s programmed to look for personal information about the user or to launch a ransomware attack. Some emails try to fool users into sending tax forms such as a W-2; when this happens, the hackers can alter those documents to request a refund from the IRS that’s sent directly to their own accounts. The researchers at Proofpoint also found that many targets are being sent to fake Microsoft Office 365 login pages built to capture credentials for future data access.
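The two email-borne lures above (a tax-themed message carrying a risky attachment, and a link to a fake Office 365 sign-in page) are easy to score mechanically before a message reaches a bookkeeper's inbox. The script below is an added example of that triage, not Proofpoint's or SiteLock's detection logic. It parses an .eml with Python's standard `email` package and flags the tax wording, a sender posing as the IRS (which, as the article notes, does not initiate contact by email), macro-capable or executable attachment types, and Office 365-flavoured login links on any host Microsoft does not serve sign-in from. Both sample messages are constructed and every domain in them is invented; the list of legitimate Microsoft login hosts is an assumption to be maintained by whoever deploys it.

```python
"""Score an inbound .eml for the tax-season lures described above.
Added example; both sample messages are constructed, domains invented."""
import os
import re
from email import policy
from email.parser import Parser
from urllib.parse import urlparse

TAX_LURE_RE = re.compile(
    r"\b(?:w-?2|1099|tax (?:information|changes|refund|return|filing)s?)\b",
    re.I)
TAX_AUTHORITY_RE = re.compile(r"\b(?:irs|internal revenue)\b", re.I)
RISKY_EXT = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".exe",
             ".iso", ".zip", ".html", ".htm"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed allow-list of hosts Microsoft serves sign-in from; an Office 365
# login link anywhere else is the credential-harvesting pattern described.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                     "login.microsoft.com"}
LOGIN_LURE_RE = re.compile(r"office\s*365|microsoft|o365|login|sign-?in", re.I)

SAMPLE_PHISH = """\
From: "Internal Revenue Service" <notices@irs-refund-center.example>
To: bookkeeper@smallcpa.example
Subject: Tax changes that affect your filings - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Review the attached W-2 corrections and confirm your mailbox at
https://office365-verify.example/login before Friday.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Tax_Changes_2020.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SAMPLE_BENIGN = """\
From: Pat <pat@smallcpa.example>
To: bookkeeper@smallcpa.example
Subject: Lunch?
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""


def triage_email(raw):
    """Return the attachments seen, the reasons found, a score and a verdict."""
    msg = Parser(policy=policy.default).parsestr(raw)
    reasons, attachments = [], []
    text = msg.get("Subject", "") + "\n"

    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            text += part.get_content()

    if TAX_LURE_RE.search(text):
        reasons.append("tax-themed lure in subject or body")

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    if sender and TAX_AUTHORITY_RE.search(sender.display_name or ""):
        # The IRS does not initiate contact by email, so any self-styled
        # IRS sender is suspect regardless of the domain it comes from.
        reasons.append(f"sender poses as tax authority from {sender.domain}")

    for name in attachments:
        if os.path.splitext(name)[1].lower() in RISKY_EXT:
            reasons.append(f"risky attachment type: {name}")

    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in LEGIT_LOGIN_HOSTS and LOGIN_LURE_RE.search(url):
            reasons.append(f"credential-phishing link: {url}")

    score = len(reasons)
    verdict = "quarantine" if score >= 2 else "review" if score == 1 else "deliver"
    return {"attachments": attachments, "reasons": reasons,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(triage_email(sample))
```

The thresholds are deliberately conservative: a single hit goes to human review, because a genuine W-2 from payroll will trip the tax-wording check on its own, while the combination of an IRS display name, a macro-enabled spreadsheet and a look-alike login link is what should never reach the user.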

According to DeGrippo, attackers are adept at using LinkedIn and Google to conduct reconnaissance on individuals who have access to the information they want, and are laser-focused on targeting them directly through email.

So what to do? Instruct your employees to be aware of these scams and make sure no one sends tax information to anyone, the IRS included, unless you’re absolutely sure of the recipient. “The IRS does not initiate communication through email or phone calls,” Monique Becenti, a product and channel specialist at web security firm SiteLock, told Mashable.

Other steps include making sure your anti-malware software is updated on all of your employees’ devices, having your IT firm monitor your network for any unusual remote connections, and asking your web design firm to regularly check your site for any malware installed on it. Also: make sure your employees’ operating systems, be it Windows, macOS or otherwise, are always updated.

Tax season is already painful for many small business owners. Becoming a victim of a tax season hacker only adds salt to the wounds. “Most small- and medium-sized businesses don’t believe they’re targets,” writes Coburn. “In fact, they think it’s only a big business or government problem. But that’s not the case, since two-thirds of all small- and medium-sized businesses are attacked in a 12-month period.”


Security News This Week: A Tiny Piece of Tape Tricked Teslas Into Speeding Up 50 MPH



This week was filled with wide-scale calamity. Hundreds of millions of PCs have components whose firmware is vulnerable to hacking—which is to say, pretty much all of them. It's a problem that's been known about for years, but doesn't seem to get any better.

Likewise, Bluetooth implementation mistakes in seven SoCs (systems on chips) have exposed at least 480 internet-of-things devices to a range of attacks. IoT manufacturers often outsource components, so a mistake in one SoC can affect a wide range of connected doodads. The most troubling part, though, is that medical devices like pacemakers and blood glucose monitors are among the affected tech.

YouTube Gaming, meanwhile, wants to take Twitch's crown as the king of videogame streaming. But its most-viewed channels are almost all scams and cheats, a moderation challenge that it'll have to take more seriously if it wants the legitimacy it's spending big money to attain. In another corner of Alphabet's world, hundreds of Chrome extensions were caught siphoning data from people who installed them, part of a sprawling adware scheme.

WIRED reported exclusively this week that US officials have pinned a wave of cyberattacks against the country of Georgia on Russia's notorious Sandworm hackers. The hack itself was brazen—defacing 15,000 websites and disrupting two TV networks—but the attribution serves mostly as a warning to Russia that it shouldn't attempt the same sort of malarkey stateside.

With the firing of director of national intelligence Joseph Maguire this week, Donald Trump has continued his gutting of senior national intelligence positions. Probably not a great strategy in the long run, especially since Russia is actively supporting both Trump and Bernie Sanders this year, just like they did in 2016. (In fairness, they only want Trump to actually win.)

And that's not all! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Researchers at McAfee have demonstrated a new spin on an old trick. By subtly tampering with a speed limit sign—in this case, literally adding a two-inch strip of black tape—they were able to trick the Mobileye EyeQ3 camera on a 2016 Tesla Model X and Model S into feeding bad information to the vehicles' autonomous driving features, sending both cars into rapid acceleration. It's a low-tech version of the well-known problem of adversarial examples, image alterations that cause machine learning systems to misinterpret data. (Intel, which owns Mobileye, disputes that it's an adversarial attack, since the tape could have fooled a human eye as well.) The good news is that the problem doesn't affect 2020 Teslas, which no longer use Mobileye technology, and newer versions of the Mobileye camera seem impervious as well. That doesn't help older models, though, which remain susceptible.

Ransomware has long targeted victims that have the most to lose. That's typically meant hospitals and governments. But lately hackers have targeted another sensitive field: critical infrastructure. The latest example comes from the US Cybersecurity and Infrastructure Security Agency, which reported this week that a natural gas compression facility went down for two days as it grappled with a ransomware infection. There's not really any good news here, but it certainly could have been worse; the hackers appear not to have targeted industrial control system components specifically. They got in with a phishing email, and were only able to affect the Windows-based portions of the victim's network.

If you stayed at an MGM Resorts hotel sometime before 2017, the bad news is that someone hacked one of their servers and stole data relating to over 10 million guests. The worse news is that said data has since been discovered in an online hacking forum, as first reported by ZDNet. The haul includes names, addresses, phone numbers, emails, and dates of birth, and celebrities, politicians, and journalists are among those affected. (Sorry, Jack Dorsey!) It could have been worse—no financial information appears to be involved—but as with any breach, look out for phishing attempts or identity theft.

Adware is like gnats: everywhere, annoying, impossible to get rid of but relatively harmless. But you still have to try, which Google did this week by expelling nearly 600 apps both from the Play Store and its ad networks. That includes 45 apps from a single developer, China-based Cheetah Mobile. Google cited "disruptive ads" as the reason for the removal, framing it as part of a broader crackdown on fraudulent behavior.

In other data compromise news, the Defense Information Systems Agency—which provides secure communications support to the US president and military—informed potential victims this week that their Social Security numbers may have been part of a breach that occurred between May and July 2019. They'll spring for free credit monitoring if you were affected, but honestly you've already got that through Marriott or Equifax or take your pick, right?


RSAC 2020 Watchlist: Effective CISO Communications And Maturing Data Privacy



In advance of the RSA Conference, we highlight some of the leading trends and provide a glimpse of what will be on the minds of cyber security professionals in 2020.

Data Privacy’s Maturity Takes Center Stage

A logical by-product of GDPR, this year will witness the operationalization of privacy, with concerted efforts around frameworks and—consequently—automation. There is a notable shift in the tone and type of privacy-related talks this year, reflecting some maturation and understanding of the impact of privacy across products, services and organizations. That maturity also seemed to drive more technical submissions, including ones on homomorphic encryption.

Where privacy once was a nice-to-have indication of “good corporate citizenship,” it seems to now be trending as a core business and security conversation as organizations look to capture and protect user intent, not just because of regulatory compliance concerns, but also to provide business differentiation and positive user experience. The “privacy” and “security” functions within organizations are working together in new, positive ways.


The enterprise world is heavily in flux with privacy conversations, and this year’s conversations highlight challenges and unintended consequences of GDPR, a rapidly exploding landscape of regional, national and global privacy regulations (some in conflict with one another), exploration of ethical considerations related to privacy and data security and an overall sentiment of “we can and must do more, better.”

Effective CISO Communications

Another highlight for 2020 is the human need for clear communication. In order to do their jobs effectively, CSOs need to understand all that has moved into the realm of their purview. To that end, many experienced security leaders can offer guidance on how to prepare CSOs for all aspects of the job. There are a variety of ways to help CSOs and CISOs where they need it most: communication up, down, across and throughout their organizations and the organizations that are part of their extensive supply chains. The range of possibilities goes from creating a good cyber security dashboard for the board to how to use metrics in order to create successful presentations to how to help different functions within organizations to really talk to and understand each other, not just in words but in actions (the rise of purple teaming is achieving great things for organizations).

Live From San Francisco

Cyber Security Hub will be in San Francisco and publishing content throughout the week. If you happen to see one of us, please stop and say hello. We would love to meet our readers!

Cyber Security Hub is a marketing partner of RSA Conference 2020
