IT Security Round Up: BlackBerry Attacks and Fake Android App Stores
This week's IT security news roundup features stories on more BlackBerry malware, an international crackdown on the sale of pirated Android apps, a possible second attack on Aramco, and more.
Eye on Microsoft
By Constantine von Hoffman, CIO
BlackBerry smartphones, which are rarely the target of hackers, have been hit by a new type of malware for the second time this month. According to security firm Websense, the latest effort is spreading via spear phishing emails. Targeted users receive an email with the subject line “Your BlackBerry ID has been created.” The email tells users to follow the instructions in the attached file on how to “enjoy the full benefits” of their ID. The attachment is the problem — the e-mail’s text and links are fine — and Websense says the wording is copied from a legitimate email sent by BlackBerry maker RIM. The attached .zip file drops executable files which modify the system registry so that the malware starts on the machine’s next startup. Somebody get Al Sacco back from his day off, STAT.
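The lure described above is a spear phishing email whose only malicious component is a .zip attachment carrying executables. The following is an added example (not code from the article or from Websense) of a mail-gateway triage check: it parses an RFC 822 message, opens any zip attachment in memory and reports members with executable extensions. The sample message, its sender and recipient addresses, the file names inside the zip and the executable extension list are all constructed here for illustration; the zip member is a placeholder string, not a real executable.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; a constructed, deliberately short list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def build_sample_email() -> bytes:
    """Construct a message mimicking the lure: fake BlackBerry ID mail with a zip
    that contains an 'executable'. Everything here is made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BlackBerry_ID_instructions.exe", b"MZ placeholder, not a real program")
        zf.writestr("readme.txt", b"Follow the attached instructions")
    msg = EmailMessage()
    msg["Subject"] = "Your BlackBerry ID has been created"
    msg["From"] = "noreply@example.invalid"      # constructed address
    msg["To"] = "user@example.invalid"           # constructed address
    msg.set_content("To enjoy the full benefits of your BlackBerry ID, open the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="BlackBerry_ID.zip")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw message.

    A finding is produced for every zip attachment member whose extension is
    in EXECUTABLE_EXTS, and for zip attachments that cannot be opened at all
    (a corrupt or password-protected archive is itself worth a look)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        is_zip = part.get_content_type() == "application/zip" or name.lower().endswith(".zip")
        if not is_zip:
            # Non-archive attachments are still checked by extension.
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable attachment")
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTS:
                        findings.append(f"{name}: contains executable member {member}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable zip attachment")
    return findings


if __name__ == "__main__":
    for line in inspect_message(build_sample_email()):
        print(line)
```

The check is static and deliberately narrow: it does not detonate the attachment or look for the registry autorun changes the article mentions, it only surfaces the one structural trait of this lure (an archive hiding executables) so the message can be quarantined before a user follows the “instructions”.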
FBI shuts down phony Android app markets: Three domains selling stolen Android applications have been seized in an operation by the FBI and international police. Applanet.net, appbucket.net, and snappzmarket.com had allegedly been selling thousands of applications from legitimate developers which had been cracked and then put back on sale. The FBI worked with French and Italian police, who filed nine warrants for arrest and seized local servers to shut down the sites and obtain evidence about those running them.
New attack threatens Aramco: Oil giant Saudi Aramco has been threatened with another attack by hackers who want to prove their abilities and show that they’re not relying on help from an Aramco insider. An attack on the company last week forced it to take down Web sites after a malware infection hit some of its workstations. The warning of the new attack – scheduled for Saturday – was posted on Pastebin earlier this week. “What we’re going to do to prove our ability to do more? Well, we don’t really need or even feel like proving anything to anyone and show them that we can, but here is a headline story: we are going to make it, next week, once again, and you will not be able by 1% to stop us,” the group said in its fascinatingly worded post.
DHS warns about flaw in Ruggedcom industrial control devices: Discovery of a high-risk security flaw in the Ruggedcom ROS industrial networking platform has prompted a warning from the Department of Homeland Security telling businesses to tighten security protection on their industrial control devices. An alert from the Industrial Control Systems Cyber Emergency Response Team says the flaw could be used by an attacker to eavesdrop on SSL traffic. An error in the handling of network keys might let an attacker compromise secure connections by identifying the device’s RSA encryption key, the report said. Once a device is compromised, an attacker could intercept traffic sent between an end user and ROS devices. The weakness was found by Cylance researcher Justin W Clarke.
Old stripper comes out of retirement to spread malware: In Internet terms, 1999 is practically the Stone Age, but if you’re an old fogey you may remember Melissa, one of the very first email-aware viruses. It forwarded itself in an infected Word document to the first 50 people in your Outlook address book and was the forerunner of email worms like the Love Bug, Anna Kournikova and MyDoom. As Naked Security reports:
“But what many people don’t remember is that David L Smith, the author of Melissa, named his virus after an exotic dancer he encountered in Miami, Florida. And guess what? Melissa is back! No, not the Word macro virus Melissa – Melissa the striptease artiste. Or at least another malware-loving stripper going by the same name.”
This time she’s a Troj/CAPTCHA-A Trojan, which looks like a sexy game. Each time a user unscrambles an image they get to see more flesh on the body of a blonde model called Melissa. The obfuscated image is a real CAPTCHA, so every one a user solves helps the crooks register phony Yahoo accounts.