A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.
Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:
“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”
The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”
“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”
The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.
The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.
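A publisher who receives a message like this would want to check, from their own server logs, whether the traffic shape the email threatens (thousands of addresses in rotation, each making a single request and bouncing) is actually arriving. The Python script below is an added example and is not part of the KrebsOnSecurity article; the log lines, address ranges and thresholds are constructed for illustration. It parses combined-format web server logs, summarises per-address behaviour and flags a window in which single-hit, referrer-less addresses dominate.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format:
# ip ident user [time] "request" status size "referrer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): three ordinary visitors who
# arrive via a referrer and read several pages each.
HUMAN_LINES = [
    '203.0.113.10 - - [10/Feb/2020:10:00:01 +0000] "GET /article/1 HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.10 - - [10/Feb/2020:10:00:45 +0000] "GET /article/2 HTTP/1.1" 200 4870 "https://site.example/article/1" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.11 - - [10/Feb/2020:10:01:10 +0000] "GET /article/2 HTTP/1.1" 200 4870 "https://t.co/abc" "Mozilla/5.0 (iPhone)"',
    '203.0.113.11 - - [10/Feb/2020:10:02:30 +0000] "GET /article/3 HTTP/1.1" 200 6010 "https://site.example/article/2" "Mozilla/5.0 (iPhone)"',
    '203.0.113.11 - - [10/Feb/2020:10:03:00 +0000] "GET /about HTTP/1.1" 200 1200 "https://site.example/article/3" "Mozilla/5.0 (iPhone)"',
    '203.0.113.12 - - [10/Feb/2020:10:04:12 +0000] "GET /article/1 HTTP/1.1" 200 5120 "https://news.example/" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.12 - - [10/Feb/2020:10:05:50 +0000] "GET /article/4 HTTP/1.1" 200 3300 "https://site.example/article/1" "Mozilla/5.0 (X11; Linux)"',
]


def constructed_bot_lines(n=12):
    """Constructed lines with the shape of an IP-rotation flood: one request per
    address, no referrer, identical user agent, all landing on the same page."""
    return [
        f'198.51.100.{i} - - [10/Feb/2020:10:0{i % 10}:{i:02d} +0000] '
        f'"GET /article/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
        for i in range(1, n + 1)
    ]


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze_log(lines, single_hit_threshold=0.7, no_referrer_threshold=0.5, min_ips=10):
    """Summarise per-address behaviour and flag a window that looks like a
    single-hit flood. Thresholds are constructed defaults; tune them against
    a baseline period of the site's own normal traffic."""
    hits = Counter()
    no_ref = 0
    total = 0
    for rec in parse(lines):
        total += 1
        hits[rec["ip"]] += 1
        if rec["ref"] in ("", "-"):
            no_ref += 1
    distinct = len(hits)
    single = sum(1 for c in hits.values() if c == 1)
    single_share = single / distinct if distinct else 0.0
    no_ref_share = no_ref / total if total else 0.0
    suspicious = (
        distinct >= min_ips
        and single_share >= single_hit_threshold
        and no_ref_share >= no_referrer_threshold
    )
    return {
        "requests": total,
        "distinct_ips": distinct,
        "single_hit_ips": single,
        "single_hit_share": single_share,
        "no_referrer_share": no_ref_share,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print("normal window:", analyze_log(HUMAN_LINES))
    print("flooded window:", analyze_log(HUMAN_LINES + constructed_bot_lines()))
```

Server logs show page requests, not ad clicks, so this is only a sanity check on the publisher's side; the AdSense invalid-traffic report and Google's own sabotage form remain the channel through which the account is actually assessed.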
The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.
Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”
“Pretty concerning, though it seems this group is only saying they’re planning their attack,” the reader wrote.
Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.
“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”
Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.
“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”
Johannesburg residents using pre-paid electricity have been left in the dark after a computer virus hit City Power, rendering users unable to purchase electricity.
The utility’s spokesperson, Isaac Mangena, was cited on News24 as saying “the virus had attacked its database and other software, impacting on most of its applications and networks”.
This resulted in City Power customers being unable to upload pre-paid electricity to their meter boxes.
The City Power website is also affected by the virus.
Mangena also stated that City Power hoped to have resolved the problem by midday on Thursday.
By James Pero for DailyMail.com
Malware that replaces victims’ legitimate apps with a malicious doppelgänger has infected 25-million devices across India, the UK and the US, say security researchers.
The virus, named ‘Agent Smith’ after a fictional character from the film ‘The Matrix’ who is able to make others into copies of himself, was highlighted by the security firm Check Point on Wednesday and affects users on Android devices.
Instead of stealing data, the malware covertly replaces apps inside a user’s phone with hacked versions which display ads selected by the hackers, allowing them to profit off their views.
To avoid detection, the malware — under its disguise as popular apps like WhatsApp or Flipkart — is also capable of replacing code in the original program with its own malicious version that prevents an app from being updated.
At least 15 million of the devices infected are located in India and 300,000 have been detected in the U.S. Other infections are spread across Asia as well as the U.K. and Australia.
‘The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,’ said Jonathan Shimonovich, head of Mobile Threat Detection Research at Check Point.
‘Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like ‘Agent Smith’.’
A malware called ‘Agent Smith’ was found to have infected 25 million devices, mostly in India.
Malicious code was able to disguise itself as legitimate apps and take over the ads served inside those programs.
Hackers didn’t steal users’ data but were able to make money off serving up phoney ads.
Many users were unaware that they had been infected.
Code spread via the third-party app store 9Apps and unsuccessfully tried to infect users in the Google Play store.
The malware is named after a fictional villain in the 1999 movie ‘The Matrix’ who was able to turn victims into copies of himself.
Researchers say Agent Smith was able to spread to devices through a third-party app store called 9Apps.
Malicious code was embedded into photo apps and sex-related apps which were then downloaded by users.
Once inside a victim’s device, the malware would disguise itself as a legitimate app and then begin replacing code.
As reported by The Verge, creators of the malware also attempted to infect users in the Google Play store through 11 apps containing bits of malicious code.
The foray was reportedly unsuccessful and Google has removed all the apps from its store.
A vulnerability in Android that allowed hackers to include their code was patched several years ago, but developers failed to patch their apps, leaving many open to attack.
To avoid being compromised by malware like Agent Smith, Check Point has some simple words of advice.
‘Users should only be downloading apps from trusted app stores to mitigate the risk of infection as third party app stores often lack the security measures required to block adware loaded apps,’ wrote researchers.
By Corbin Davenport for Android Police
Google Play Protect is just about two years old, as it was introduced at I/O 2017. The tool scans all applications installed on your phone for identified malware – whether they are from the Play Store or from a sideloaded APK. At Google I/O 2019, it was revealed that Play Protect now scans 50 billion applications each day.
The number was announced as part of the focus on privacy and security during today’s keynote presentations. Play Protect has seen a number of improvements since it was introduced, like a new interface added earlier this year, though it mostly remains a silent and unobtrusive component to most people.
OUTA has notified members on its Facebook page that a highly suspicious SMS is doing the rounds with regards to e-tolls.
The organisation notes that before members of the public can appear in any court for any matter, they need to be summonsed.
This SMS is a scam to cash in on people’s fear in light of the current uncertainty around e-tolls. The SMS contains a link to documents which contain malware. The public is advised not to open the link, and to delete the SMS immediately.
By Alison DeNisco Rayome for Tech Republic
Microsoft Office documents packed with malicious macros are the most common malware loader of the past month, accounting for 45% of all delivery mechanisms analysed, according to a Thursday report from Cofense.
Office Macros were followed in popularity by CVE-2017-11882, malicious batch scripts, malicious PowerShell scripts, and WSC downloaders, the report found.
This demonstrates that threat actors tend to leverage tried-and-tested delivery mechanisms, the report noted. Macros may have a low barrier to entry, but they are not used only by immature or low-impact cybercriminals: Malware delivered via macros is among the worst in today’s threat landscape, including Geodo, Chanitor, AZORult, and GandCrab, according to the report.
Macros remain a popular email attachment method of delivering a malicious payload because they are typically enabled on a machine, or easily allowed with a single mouse click, the report noted—making it very easy to launch the first stage of an attack. When used this way, macros are embedded Visual Basic scripts that are often used to download or directly execute further payloads.
The Microsoft Office Macro feature could be enabled by default in your organisation’s IT environment, according to the report. When this is the case, a user may not receive any warning that something is wrong upon opening a malicious document. Even when an organisation has some kind of protection in place—such as a security warning at the top of the document—it can often be dismissed with just one click, or may be ignored by the user.
IT departments can protect their organisation from macros by disabling them enterprise-wide, the report said. However, many businesses rely on macros for their legitimate usage, in which case IT may want to consider enacting a blanket policy of blocking documents at the gateway, or, perhaps more realistically, combining different policies such as blocking or grey-listing documents coming from unknown senders. Security education is also key, the report said.
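The gateway-side options the report mentions (blocking macro documents outright, or grey-listing documents from unknown senders) can be driven by inspecting attachment content rather than file extensions. The following Python script is an added example, not Cofense’s tooling or anything from the report: it recognises a VBA project inside an OOXML package (the `vbaProject.bin` part and its content type), treats legacy OLE binary documents as needing deeper inspection, and applies a sender-aware block/grey-list/allow policy. The sample attachments and the sender addresses are constructed.

```python
import io
import zipfile

# OOXML files (.docx/.docm/.xlsm/...) are ZIP containers; a macro-enabled one
# carries a VBA project part (vbaProject.bin) declared in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary Office files (.doc/.xls/.ppt) are OLE compound files with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if `data` is an OOXML package that contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass  # not a ZIP container, so not an OOXML package
    return False


def is_legacy_ole(data: bytes) -> bool:
    """True for the pre-2007 binary formats, which need an OLE parser to inspect."""
    return data.startswith(OLE_MAGIC)


def gateway_decision(data: bytes, sender: str, trusted_senders: set) -> str:
    """Block macro documents, grey-list unknown senders' documents that cannot be
    cheaply inspected, allow the rest. Decided on content, not extension: a .docm
    renamed to .doc still opens with its macros."""
    trusted = sender.lower() in trusted_senders
    if has_vba_project(data):
        return "greylist" if trusted else "block"
    if is_legacy_ole(data):
        # Macros in the binary formats live in the OLE "Macros" storage; without an
        # OLE parser here, route these to sandbox/analyst review unless trusted.
        return "allow" if trusted else "greylist"
    return "allow"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal package standing in for a real .docm/.docx attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        overrides = ""
        if with_macro:
            overrides = f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'{overrides}</Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # placeholder bytes, not a real VBA stream
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    trusted = {"accounts@partner.example"}  # constructed allow-list
    samples = [
        ("invoice.docm from unknown sender", build_ooxml(True), "billing@unknown.example"),
        ("report.docx from unknown sender", build_ooxml(False), "billing@unknown.example"),
        ("legacy .doc from unknown sender", OLE_MAGIC + b"\x00" * 504, "billing@unknown.example"),
        ("macro workbook from partner", build_ooxml(True), "accounts@partner.example"),
    ]
    for label, data, sender in samples:
        print(f"{label}: {gateway_decision(data, sender, trusted)}")
```

Grey-listing here means quarantine for sandbox or analyst review rather than rejection, which matches the report’s point that many businesses cannot simply discard every document carrying a macro.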
The big takeaways for tech leaders
- Microsoft Office documents packed with malicious macros are the most common malware loader of the past month, accounting for 45% of all delivery mechanisms.
- Malware delivered via macros is among the worst in today’s threat landscape, including Geodo, Chanitor, AZORult, and GandCrab.
Google’s numerous safeguards designed to prevent malicious apps from reaching Android users led to the removal of over 700,000 apps from the Google Play Store in 2017, the company said today. That’s a 70% increase over the total removals in 2016.
“Not only did we remove more bad apps, we were able to identify and action against them earlier,” Google Play product manager Andrew Ahn wrote in a blog post.
“99 percent of apps with abusive contents were identified and rejected before anyone could install them.”
Google attributes this success to its improved ability to detect abuse “through new machine learning models and techniques.”
Copycat apps are still a significant problem
Copycat apps designed to resemble popular mainstays remain a popular method of trying to deceive users, according to Ahn. Google removed over a quarter of a million of these impersonating apps last year. The company also says it kept “tens of thousands” of apps with inappropriate content (pornography, extreme violence, hate, and illegal activities) out of the Play Store. Machine learning plays a key role here in helping human reviewers keep an eye out for bad apps and malicious developers.
“Potentially harmful applications” (PHAs) are apps that attempt to phish users’ personal information, act as a trojan horse for malware, or commit SMS fraud by firing off texts without a user’s knowledge. “While small in volume, PHAs pose a threat to Android users and we invest heavily in keeping them out of the Play Store,” Ahn said.
[Image caption: Google Play Protect scans installed apps to monitor for malicious activity. Image: Google]
Last year, Google put all of its malware scanning and detection technologies under the umbrella of Google Play Protect. The Android operating system automatically performs scans on installed applications to hunt for anything that’s out of place, and users can also manually trigger scans of their Android smartphones right in the updates section. (I’ve finally managed to stop hitting this button when checking for new versions of apps, but it took some time.)
Still, bad apps do occasionally slip through Google’s defenses. In August, Google discovered and kicked out 30 apps that were secretly using the devices they were installed on to perform DDoS attacks. Just earlier this month, the company removed 60 games from the Play Store — some of them meant for children — that were found to display pornographic ads. Google says it will continue to upgrade its methods and machine learning models against bad actors trying to trick consumers with apps that violate its policies. Those efforts indeed seem to be paying off in helping Android’s security turn a corner.
By Chris Welch for The Verge
The City of Johannesburg has said it suspected that malware has infected one of the servers hosting its Web site, causing major downtime last week.
This is just one in a long string of woes for the city.
The billing system, inherited from the ANC when the DA won the metro, has been in crisis for some months. The City tried to fix it by rolling out a new system, which automatically requires payment on the 15th of the month unless rate payers ask for it to be the 28th, by way of e-mail or the call centre.
As a result of the change in date, as well as a lack of postal notices and SMS notices, many households have unintentionally fallen behind in payment – or worse, have not, but have been cut off anyway. Reinstatement of electricity is a costly and time-consuming exercise, and falling behind on payments can impact credit ratings.
Local councillors instructed their ward members to use the CoJ Web site to ensure they know what they owe and don’t fall behind on payments.
However, the city’s website – https://joburg.org.za/ – was inaccessible through browsers like Google Chrome for almost two days last week, due to a malware warning from Google.
When attempting to access the site, Google’s safe browsing warning turns users away, stating that it contains harmful content – including pages that “send visitors to harmful websites”.
The city said it was aware of the issue, and had an investigation underway.
“Preliminary indications suggest that one of the servers hosting the website may be infected with malware. It is also possible that the outage may be a result of corrupted code,” said the City of Johannesburg.
“Fortunately, the city’s customer data has not been compromised as it resides in separate servers.”
According to the ZACR’s records, the City of Johannesburg is the registrant of the domain, while Internet Solutions is the sponsoring registrar.
Although the issues with the site have since been fixed, it leaves many questioning what kind of security is in place for one of the city’s most important databases.
Source: MyBroadband; My Office News
Kaspersky Lab’s Global Research and Analysis Team has discovered a new sophisticated wiper malware, called StoneDrill.
Just like another infamous wiper, Shamoon, it destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in the Middle East, one StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.
Kaspersky Lab experts have detected a new Trojan targeting Android devices that can be compared to Windows-based malware in terms of its complexity. Triada is stealthy, modular, persistent and written by very professional cybercriminals. Devices running version 4.4.4 and earlier of the Android OS are at greatest risk.
According to the recent Kaspersky Lab research on Mobile Virusology, nearly half of the top 20 Trojans in 2015 were malicious programmes with the ability to gain super-user access rights. Super-user privileges give cybercriminals the rights to install applications on the phone without the user’s knowledge.
This type of malware propagates through applications that users download/install from untrusted sources. These apps can sometimes be found in the official Google Play app store, masquerading as a game or entertainment application. They can also be installed during an update of existing popular applications and are occasionally pre-installed on the mobile device. Those at greatest risk include devices running version 4.4.4 and earlier of the Android OS.
There are 11 known mobile Trojan families that use root privileges. Three of them – Ztorg, Gorpo and Leech – act in cooperation with each other. Devices infected with these Trojans usually organise themselves into a network, creating a sort of advertising botnet that threat actors can use to install different kinds of adware.
Shortly after rooting on the device, the above-mentioned Trojans download and install a backdoor. This then downloads and activates two modules that have the ability to download, install and launch applications.
The application loader and its installation modules refer to different types of Trojans, but all of them have been added to our antivirus databases under a common name – Triada.
A distinguishing feature of this malware is the use of Zygote – the parent of every application process on an Android device – which contains the system libraries and frameworks used by every application installed on the device. In other words, it is a daemon whose purpose is to launch Android applications. Because every newly started app process is forked from it, as soon as the Trojan gets into Zygote it becomes part of every application launched on the device and can even change the logic of the application’s operations.
This is the first time technology like this has been seen in the wild.
The stealth capabilities of this malware are very advanced. After getting onto the user’s device, Triada injects itself into nearly every running process and exists only in volatile memory, which makes it almost impossible to detect and delete using antimalware solutions. Triada operates silently, meaning that all malicious activities are hidden both from the user and from other applications.
The complexity of the Triada Trojan’s functionality shows that very professional cybercriminals, with a deep understanding of the targeted mobile platform, are behind this malware.
The Triada Trojan can modify outgoing SMS messages sent by other applications. This is now a major functionality of the malware. When a user is making in-app purchases via SMS for Android games, fraudsters are likely to modify the outgoing SMS so that they receive the money instead of the game developers.
“The Triada of Ztorg, Gorpo and Leech marks a new stage in the evolution of Android-based threats. They are the first widespread malware with the potential to escalate their privileges on most devices. The majority of users attacked by the Trojans were located in Russia, India and Ukraine as well as APAC countries. It is hard to underestimate the threat of a malicious application gaining root access to a device. Their main threat, as the example of Triada shows, is in the fact that they provide access to the device for much more advanced and dangerous malicious applications. They also have a well-thought-out architecture developed by cybercriminals who have deep knowledge of the target mobile platform,” says Nikita Buchka, junior malware analyst, Kaspersky Lab.
As it is nearly impossible to uninstall this malware from a device, users face two options to get rid of it. The first is to “root” their device and delete the malicious applications manually. The second option is to jailbreak the Android system on the device.
Kaspersky Lab products detect Triada Trojan components as: Trojan-Downloader.AndroidOS.Triada.a; Trojan-SMS.AndroidOS.Triada.a; Trojan-Banker.AndroidOS.Triada.a; Backdoor.AndroidOS.Triada.