
That new ‘privacy icon’ in iOS 11.3 does nothing to prevent password phishing

March 30, 2018

iPhone users are still vulnerable to being tricked into handing over passwords.
Apple knows it — but won’t do anything about it

iPhone or iPad users, if you update to iOS 11.3 now, you’ll have new features and a bunch of security updates.
But you’ll still be just as vulnerable to on-device phishing attacks as you ever were

A long-expected privacy icon debuts in the software update out Thursday, which helps users identify when Apple requests more of their personal information.
The update doesn’t change how much data Apple collects, but it helps show what data will be collected when Apple apps and features are used for the first time.

“You won’t see this icon with every feature since Apple only collects this information when it’s needed to enable features, to secure our services, or to personalize your experience,” a screen says, once you update.

Maybe the timing is a coincidence, but this seems like a way to grab some good headlines amid Facebook’s recent data sharing controversy.

Will Strafach, a security researcher with a focus on mobile, knows iOS better than most. He told ZDNet that the privacy icon will have some benefits.

“Although the purpose was misinterpreted as some kind of indicator — it is not — the actual purpose of giving information on how data is used is a very good thing I believe,” he said.
“Many people these days wonder about how their data is used and just have no idea, so if Apple is going to ask for something sensitive, it seems very helpful to give information to the user on data management — and users can then hold them to it instead of it being ambiguous.”

The downside is that, contrary to several reports, the privacy icon actually has nothing to do with preventing phishing attacks that try to steal your iCloud password.
For its part, Apple never confirmed that the privacy icon would do anything of the sort.

We reached out to Apple, but a spokesperson would not comment on the record.

Although phishing attacks on the desktop have been around for years, they have been less often targeted at the individual device.
And as widely celebrated for their security as iPhones and iPads are, the devices’ weakest link is often the average user being tricked into handing over their password.

It’s a problem that Apple doesn’t seem to want to tackle — despite a rash of attention earlier this year, when Felix Krause demonstrated in a blog post how easy it was to trick an iPhone or iPad user into turning over their Apple ID credentials.

In a proof-of-concept, he said users are “trained to just enter” their email address and password “whenever iOS prompts you to do so.”
Any long-term iPhone or iPad user can tell you that their phone or tablet will randomly prompt for your password, but often it’s not clear why.
And that’s something attackers are keen to capitalize on.

One report called the attack a “hacker’s dream.”

“Showing a dialog that looks just like a system popup is super easy.
There is no magic or secret code involved.
It’s literally the examples provided in the Apple docs, with a custom text,” said Krause.

He described it as “less than 30 lines of code” that every iOS engineer would know.

Even with two-factor authentication, users aren’t necessarily safe, said Krause.
If you wanted to inflict damage, you would only need a user’s Apple ID email address and password to wipe a person’s device without warning.

Apple says in a developer post that it’s difficult to combat phishing — or social engineering as it’s often referred to.

Others say it’s not that difficult.

“I would like to see the password requests show up as a banner alert or notification sent by the Settings app, which should send the user to the Settings app when pressed in order to enter their credentials,” said Strafach.

“No icon or anything else is sufficient because the running app is able to mess with all user interface elements including status bar,” he said. “Using an alert and redirect to Settings would completely solve the issue.”

It’s a simple solution that Krause — and others — have already suggested.
But Apple won’t budge, and its customers remain at risk.



Android security: This malware will mine cryptocurrency until your smartphone fails

March 29, 2018

Monero-mining Android malware will exhaust your phone in its quest for cash.

A new strain of Android malware will continuously use an infected device’s CPU to mine the Monero cryptocurrency until the device is exhausted or even breaks down.

Security company Trend Micro has named the malware HiddenMiner because of the techniques it uses to protect itself from discovery and removal.

Like most cryptocurrency-mining software, HiddenMiner uses the device’s CPU power to mine Monero.
But Trend Micro said that because there is no switch, controller, or optimizer in HiddenMiner’s code, it will continuously mine Monero until the device’s resources are exhausted.

“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail,” the company said.

If the researchers’ concerns are correct, this is not the first cryptocurrency-mining malware to put your smartphone at risk: last year the Loapi Android malware worked a phone so hard that its battery swelled up and burst open the device’s back cover, wrecking the handset within 48 hours.

Trend Micro said the two pieces of malware share similarities, noting that Loapi’s technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner’s.

Researchers at the company identified the Monero mining pools and wallets connected to the malware, and spotted that one of its operators withdrew 26 XMR — around $5,360 — from one of the wallets.
This, they said, indicates a “rather active” campaign of using infected devices to mine cryptocurrency.

HiddenMiner poses as a legitimate Google Play update app, and forces users to activate it as a device administrator.
It will persistently pop up until victims click the Activate button; once granted permission, HiddenMiner will start mining Monero in the background.

It also attempts to hide itself on infected devices, for example by emptying the app label and using a transparent icon after installation.
Once activated as device administrator, it will hide the app from the app launcher.
The malware will hide itself and automatically run with device administrator permission until the next device boot.
HiddenMiner also has anti-emulator capabilities to bypass detection and automated analysis.

It’s also hard to get rid of: users can’t uninstall an active system admin package until device administrator privileges are removed first.
But HiddenMiner locks the device’s screen when a user wants to deactivate its device administrator privileges, taking advantage of a bug found in Android operating systems before Android 7.0 Nougat.

Trend Micro said that HiddenMiner is found in third-party app marketplaces and is affecting users in India and China, but it won’t be a surprise if it spreads beyond these countries.

The emergence of this malware should reinforce the need for mobile security hygiene, said Trend Micro: download only from official app marketplaces; regularly update the device’s OS; and be careful about the permissions you grant to applications.


AVCrypt ransomware attempts to eradicate your antivirus

March 27, 2018

The malware attempts to take your antivirus products out of the equation before locking systems.

A new type of ransomware which tries to uninstall security software on victim PCs has been discovered in the wild.

The ransomware, dubbed AVCrypt, was first discovered by MalwareHunterTeam and later analyzed by security professionals at Bleeping Computer.

According to an analysis of the malware, AVCrypt will attempt to not only remove existing antivirus products before encrypting a compromised computer but will also delete a selection of Windows services.

Researchers Lawrence Abrams and Michael Gillespie say that the ransomware “attempts to uninstall software in a way that we have not seen before,” which marks the malware as unusual.

The true purpose of the malware — which appears to be ransomware due to its capabilities — is also in question, as some elements appear unfinished.
There are elements of encryption, but no true ransom note, and together with AVCrypt’s deletion of Windows services, it is possible the malware may also be utilized as a wiper.

It is not yet known how AVCrypt targets victims.
However, when the malicious code executes on a victim’s PC, the malware will first attempt to remove security software by targeting Windows Defender and Malwarebytes, or by specifically querying for other antivirus software before attempting to uninstall the programs.

In order to eradicate AV products, the ransomware deletes Windows services which are required for the protective services to run properly, including MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection.

The malware then checks to see if any antivirus software is registered with the Windows Security Center and deletes these details through the command line.

During tests, however, the researchers say that the malware was unable to delete Emsisoft antivirus software through these techniques.

Whether or not the deletion of Windows services to hamper AV protections would work with other solutions is unknown.

The wiper features do not completely destroy Windows builds, but likely will cause service degradation.

Once this stage is complete, AVCrypt then uploads an encryption key to a Tor location together with system information and timezone.
The malware then scans for files to encrypt, renaming them in the process.

The ransom note, saved as “+HOW_TO_UNLOCK.txt,” does not contain any decryption instructions or contact information; instead, there is what appears to be placeholder “lol n” text.

It appears that the ransomware is in development stages, and while there is a tenuous link between AVCrypt and a recent attack on a Japanese university, it is not known whether the malware was responsible.

Microsoft told the publication that only two samples of this malware have been detected and so the company also believes that AVCrypt is not yet complete.

“This ransomware is quite destructive to an infected computer, yet at the same time does appear to upload the encryption key to a remote server,” the researchers say.
“Therefore, it is not known whether this is a true ransomware or a wiper disguised as one.”


Beware the fake Facebook sirens that flirt you into sextortion

March 23, 2018

Fake Facebook profiles of hot women who invite targets to join them in sexy webcam masturbation sessions – sessions that lead to image capture and extortion – are part of a “three-tiered, industrial process” that allows a sophisticated criminal network to “find, filter and defraud victims, all the while protecting itself,” according to an investigation done by Radio Canada.

We’ve covered plenty of lone-wolf sextortionists: one who targeted underaged girls until he was caught by investigators’ booby-trapped video; the guy who preyed on Miss Teen USA and 150 others; and a former US Embassy worker who sextorted, phished, broke into email accounts, stole explicit images and cyberstalked hundreds of women around the world from his London office. And there are many others.

Not to downplay the suffering caused by such operators in any way – there have been multiple suicides related to such cases – but those lone wolves are rank amateurs compared with the massive network of fraudulent accounts that catfish male victims using stolen photos of young women and adolescent girls.

To find out how the networks spin their webs, Radio Canada journalists Marie-Eve Tremblay and Jeff Yates – an expert in online disinformation who’s found and mapped the connections between fake profiles to learn how they support each other – conducted a months-long investigation into what Yates believes is a “massive network.”

They knew that the accounts were fake because the photos had been stolen from Instagram accounts or personal Facebook profiles.
Some of the fake accounts are massive: they have 100,000, 200,000, or even 500,000 followers.

Yates believes that the fake profiles are just the first layer of a massive sextortion scheme.

It starts with a friend request from a young, hot babe.
Within minutes of an intended victim accepting the request, the fake account will invite the target to join her in a sexy webcam chat, such as on Skype or Google Hangouts.

What hetero man – or anybody else who likes the attention of young, hot women and is innocent enough to fall for the come-on – wouldn’t jump at the chance?
Once they do, the first step into a sextortion trap has been taken.
If the target can be coerced into taking off their clothes and/or masturbating, images are collected, and the ransom demands soon follow.

Yates, in the Radio-Canada web series Corde sensible, paraphrases a typical sextortion threat:

‘If you don’t give me this or that amount of money, I’m going to tell your girlfriend or your boyfriend or your friends that you’ve been chatting with sexy girls on the internet and that you’ve sent me nude pictures of yourself,’ etc.

To scam the scammers while still protecting Yates from having his photos fall into the crooks’ hands and then getting extorted himself, Radio Canada turned Tremblay into a guy.
Using a facial transformation app, the journalists turned her into “William,” a 24-year-old from France who likes soccer and his BMW.
They opted for France because they’d found evidence that that’s where the network is based.

To attract the network’s attention, “William” liked fake accounts’ photos and wrote a few comments.
That worked quite well, Tremblay said:

Result: friend requests from sexy girls began overloading my inbox.

Private conversations soon ensued.
Within an hour, one fake account asked “William” to add her on Skype.
After six minutes of chatting, she asked him to turn on his camera so they could have video sex.

Radio Canada didn’t get into the steamy details, but it did talk to a real-life victim whose experience paralleled what the media outlet described.

Cédrick said that within 20 minutes, “you’re already in over your head.”
“She” will have taken off her clothes, and/or done a sexy dance, and/or started touching herself, and will have asked her target to do the same.
The point is to get a full-body shot, along with the victim’s face, all the better to extort.

Once they have the images they want, everything cuts, and that’s where the intense stuff begins.
She starts off by showing you the video, she sends you a link on YouTube.

‘If you disconnect, if you leave, if you block me, I’m sending this videotape to everyone.’

It’s too well-organized for there to be only one person running it, Yates says.
To figure out how it was structured, he analyzed around 200 Facebook posts from about 40 fake accounts.
Every time one fake profile tagged another, he recorded the source and its target.

Then, using network analysis software, he mapped accounts according to their relationships.
He also used a network-detecting algorithm that determines which profiles interact with each other more than with the rest of the network.

What he came up with was a structure comprising three categories: feeder accounts, bait accounts and hunter accounts.
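The mapping step described above, as an added example that is not part of the original article: tag records (source account, tagged account) are constructed here, a weighted label-propagation pass stands in for the unnamed network-detecting algorithm, and the feeder/bait/hunter labelling by tag direction is an assumption made for illustration, not Yates’s method.

```python
"""Map a tagging network between suspected fake accounts and split it into
clusters of accounts that interact more with each other than with the rest."""
from collections import Counter, defaultdict

# Constructed sample: one (source, target) pair per tag seen in a post.
# Account names encode the role we expect to recover; real data would not.
TAG_RECORDS = [
    ("feederA", "baitA1"), ("feederA", "baitA1"), ("feederA", "baitA1"),
    ("feederA", "baitA2"), ("feederA", "baitA2"),
    ("baitA1", "hunterA1"), ("baitA1", "hunterA2"),
    ("baitA2", "hunterA1"), ("baitA2", "baitA1"),
    ("feederB", "baitB1"), ("feederB", "baitB1"),
    ("feederB", "baitB2"), ("feederB", "baitB2"),
    ("baitB1", "hunterB1"), ("baitB2", "hunterB1"), ("baitB2", "baitB1"),
    ("baitA2", "baitB1"),   # a single cross-cluster tag
]


def build_graph(records):
    """Count tags per direction; also keep an undirected weight for clustering."""
    out_w = defaultdict(Counter)   # out_w[src][dst] = tags src made of dst
    in_w = defaultdict(Counter)    # in_w[dst][src]  = tags dst received from src
    und = defaultdict(Counter)     # symmetric weights for community detection
    for src, dst in records:
        out_w[src][dst] += 1
        in_w[dst][src] += 1
        und[src][dst] += 1
        und[dst][src] += 1
    return out_w, in_w, und


def label_propagation(und, max_rounds=50):
    """Each account adopts the label carrying the most tag weight among its
    neighbours; ties go to the lexically smallest label so runs are repeatable."""
    nodes = sorted(und)
    label = {n: n for n in nodes}
    for _ in range(max_rounds):
        changed = False
        for n in nodes:
            totals = Counter()
            for nb, w in und[n].items():
                totals[label[nb]] += w
            if not totals:
                continue
            best = min(totals, key=lambda l: (-totals[l], l))
            if best != label[n]:
                label[n] = best
                changed = True
        if not changed:
            break
    return label


def communities(records):
    """Return the clusters as sorted lists of account names."""
    _, _, und = build_graph(records)
    label = label_propagation(und)
    groups = defaultdict(set)
    for node, lab in label.items():
        groups[lab].add(node)
    return sorted(sorted(g) for g in groups.values())


def classify_roles(records):
    """Assumed heuristic: accounts that only tag are feeders, accounts that are
    tagged and tag onward are bait, accounts that are only tagged are hunters."""
    out_w, in_w, und = build_graph(records)
    roles = {}
    for n in und:
        made, received = sum(out_w[n].values()), sum(in_w[n].values())
        if made and not received:
            roles[n] = "feeder"
        elif made and received:
            roles[n] = "bait"
        elif received:
            roles[n] = "hunter"
        else:
            roles[n] = "unknown"
    return roles


if __name__ == "__main__":
    roles = classify_roles(TAG_RECORDS)
    for cluster in communities(TAG_RECORDS):
        print([(acct, roles[acct]) for acct in cluster])
```

On the constructed records the single cross-cluster tag is outweighed and the two clusters come out intact, which is the behaviour to check before trusting a clustering on real, noisier data.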

Feeder accounts are on the front line, serving as a gateway into the network.
They often have hundreds of thousands of followers, but they themselves don’t share sexy images.
Instead, they publish clickbait: phony contests, dummy IQ tests and lifehacks. Radio Canada says the posts often get hundreds or thousands of likes, shares and comments.

The feeder posts, acting as advertisements, tag other fake accounts belonging to the second layer, which is where the “bait” accounts are.
Given that those bait accounts appear to belong to beautiful women, the titillated will click on the bait accounts and start following them.
That’s how perfect victims self-select: they’re obviously interested in following Facebook profiles of sexy young women and girls, so they venture that much further into the sextortion web.

Bait accounts often share links that purportedly lead to a pornographic video – some of which are promoted as being of underage girls – but Radio Canada says they “invariably” lead to phishing sites where visitors are asked to enter their credit card information.
(Radio Canada didn’t click on links purporting to lead to illegal images of minors.)

The second tier isn’t where sextortion takes place.
Given that they promote porn, the bait accounts are sometimes flagged and removed by Facebook.
It doesn’t matter, though: the gateway feeder accounts stay up, given that no racy material is posted at that initial layer.

Bait accounts entice targets to write comments, either by asking questions such as “Do you think I’m hot?” or by promising to send private photos to those who post a comment.
Radio Canada says that this is an important step that leads to the innermost layer where the sextortion trap is sprung: the layer of fake accounts it calls hunter accounts.

Bait accounts have created a perfect environment for sextortion to happen.
The users who have commented aren’t afraid of publicly signaling their interest in young girls and, moreover, don’t have the wherewithal to realise that they’re dealing with fake accounts.
They are perfect targets for the hunter accounts.
These users receive, by the dozen, friend requests from the hunter accounts.

These hunter accounts often get banned, having triggered Facebook algorithms that spot fake accounts by picking out ones that amass a huge number of followers in a brief amount of time.
That’s why the “women” in the hunter accounts quickly send private messages to intended victims, trying to hustle them off Facebook as soon as possible: once they’re in a web chat, they’re out of Facebook’s reach and can go after the photos they need for extortion.


Fake Amazon ad ranks top on Google search results

March 20, 2018

Dang! Don’t you just hate it when you search for Amazon on Google, you click on the top link (which of course must be legit, right? – it’s from Google!) and then you somehow wind up infected with “Malicious Pornographic Spyware” with a dab of “riskware” on top?

Yep, not for the first time, Google’s been snookered into serving a scam tech support ad posing as an Amazon ad.

This is déjà vu.
Thirteen unlucky months ago, scammers slipped a fake Amazon ad under Google’s nose.
Anybody who clicked on it was whisked to a Windows support scam.

ZDNet reported on that one in February 2017, and it brings us news of the bad ad rebirth once again.
On Friday, ZDNet’s Zack Whittaker reported that for hours on Thursday, the top Google search result for “Amazon” was pointing to a scam site.

Top, as in, it outranked even the legitimate search result for
Users who clicked on the bad ad were whisked to a page that tried to terrify them with reports of malware infection so they’d call a number for “help.”
The ad masqueraded as an official Apple or Windows support page, depending on the type of computer in use.

Then, just as fake tech support ads tend to do, and just as the fake Amazon ad did last February, the bad ad shrugged off users’ attempts to dismiss a popup box that warned them about malicious pornographic spyware and riskware etc.
(What IS “pornographic spyware”? Spyware accompanied by heavy breathing?)

According to ZDNet’s analysis of the code, trying to close the popup would have likely triggered the browser to expand and fill up the entire screen, making it look like a system had been grabbed by ransomware.

ZDNet says it appeared through a proxy script on a malicious domain to make it look as though the link fully resolved to an page, “likely in an effort to circumvent Google’s systems from flagging the ad.”

The malicious domain was registered by GoDaddy, and the apparent domain owner didn’t respond to ZDNet’s inquiries.
A spokesperson for Google told ZDNet that the company doesn’t tolerate advertising of illegal activity and takes “immediate action to disable the offending sources” when it finds ads that violate its policies.

GoDaddy pulled the site offline within an hour of being contacted by ZDNet.
A GoDaddy spokesperson said that its security team found that the ad violated its terms of services, so they removed it.

Google’s swimming in these bad ads.

Last week, it announced that in 2017 it took down more than 3.2 billion ads that violated advertising policies.

That’s an average of 100 per second, Google said, and it’s up from 1.7 billion removals of bad ads in the prior year.
Google also booted 320,000 online publishers off for violations like showing Google-supplied ads alongside inappropriate or controversial content, according to Scott Spencer, Google’s director of sustainable ads.

What to do?

Google’s working hard to kill bad ads, but they’re obviously still getting through, including those that contain malware.
So to help you stay vigilant, here are some suggestions on what to do if you get hit with one of these fake tech support scams, be it on the phone or as “Riskware! Spyware!” taking over your browser:

  • If you receive a cold call offering support, just hang up.
  • If you receive a web popup or ad urging you to call for support, ignore it.
  • If you need help with your computer, ask someone whom you know and trust.
  • When searching for Amazon, remember that you don’t need to use Google. Simply go straight to
Source:
Fake Amazon ad ranks top on Google search results

Facebook loses control of 50 million users’ data, suspends analytics firm

March 19, 2018

Cambridge Analytica – the data-crunching firm with tools so muscular that founder Christopher Wylie has described it as “Steve Bannon’s psychological warfare mindf**k tool” – has been collecting Facebook user data without permission through “a scam and a fraud,” Facebook said on Friday.

That statement to the New York Times came from Paul Grewal, a Facebook vice president and deputy general counsel.
It preceded a day of chaos inspired by big data use and abuse that has raged all weekend and promises to keep playing out as lawmakers pledge to launch investigations.

On Friday, after a week of questions from investigative reporters, Facebook suspended Cambridge Analytica and parent company Strategic Communication Laboratories (SCL) from its platform.
The suspensions came late in the game, news outlets are charging, given that Facebook has known about this for three years.
Facebook, for its part, claims that the parties involved lied about having deleted harvested data years ago.
At least one of the parties involved has shown evidence that points to Facebook having done very little to make sure the data was deleted.

The banishment was unveiled a day before the publication of two investigatory reports – one from the New York Times, another from The Observer.
The reports both detailed how Cambridge used personal information taken without authorization from more than 50 million Facebook users in early 2014 to build a system that could profile individual US voters in order to target them with personalized political ads.

Cambridge is owned by conservative Republican hedge fund billionaire Robert Mercer.
It’s a voter-profiling company that was used by conservative investors during both the Trump and Brexit campaigns.

The NYT/Observer reports relied on interviews with six former employees and contractors plus a review of the firm’s emails and documents.
One such source was whistleblower Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data.
The Observer quoted Wylie:

We exploited Facebook to harvest millions of people’s profiles.
And built models to exploit what we knew about them and target their inner demons.
That was the basis the entire company was built on.

Cambridge did so, the newspapers reported, because it had a $15 million investment from Mercer burning a hole in its pocket.
Cambridge wanted to woo Steve Bannon with a tool to identify American voters’ personalities and to influence behavior, but it first needed data to flesh out that tool.
So it took Facebook users’ data without their permission, according to the newspapers.

They called it “one of the largest data leaks in the social network’s history” – one that allowed Cambridge to “exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.”

Not surprisingly, Facebook immediately pushed back against the characterization of a massive data leak in an update to its initial announcement of the suspensions.
It said that the data got out not through a leak but because some 270,000 Facebook users willingly signed up for a Facebook personality test called thisisyourdigitallife that billed itself as “a research app used by psychologists.”

The claim that this is a data breach is completely false.
Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent.
People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Source and more info:
Facebook loses control of 50 million users’ data, suspends analytics firm

Windows 7 Monthly Rollup Update KB4088875 Causes Network Adapter Issues

March 16, 2018

Ghost NIC might be created after installing the update

This month’s Patch Tuesday rollout is slowly proving to be quite a fiasco, as more reports seem to be pointing to issues with the updates Microsoft published for Windows devices.

After Windows 10 cumulative updates KB4088787 and KB4088776 showed signs of failed installs, it’s now the turn of the Windows 7 monthly rollup to cause problems, this time in a pretty different way.

There are reports that installing KB4088875 and the security-only update KB4088878 removes or breaks virtual Network Interface Cards (NICs), and in some cases they delete the static IP address configuration.
The update also creates a ghost NIC on some systems, according to this reddit discussion.

KB4088875 is available for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, and the issues mentioned above are said to be experienced on both OS versions.

One reddit user says that removing the ghost NICs returns systems to full functionality, and that adding new ones without first deleting these greyed-out entries would only cause conflicting IPs.

Meltdown and Spectre fixes

Delaying KB4088875 and the security-only update doesn’t really seem to be an option since they bring quite critical patches for Windows 7 systems.
They include new Meltdown and Spectre protections, as well as security updates for Internet Explorer, the Windows Shell, Windows Installer, and the Windows Kernel.

Microsoft is aware of four different issues with this monthly rollup for Windows 7, including a BSOD that occurs when the update is installed on a 32-bit system with the Physical Address Extension (PAE) mode disabled.

“Microsoft is working on fixing this issue, and this update is, therefore, currently made available to machines with the Physical Address Extension (PAE) mode enabled,” the firm says.

We’re seeing reports that KB4088787 is no longer being offered via Windows Update, but we can’t confirm this just yet. If this is the case, Microsoft could be aware of the problem and the company temporarily halted the update until a fix is released.