When Antivirus Software Fails You: How to Stop (and Defeat!) a Real-World Trojan & Social Engineering Attack
It isn't every day you get to see what a real Trojan or Social Engineering attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But, this time, in putting together material for our upcoming free workshop, Get Secure, when I came across a real attack I was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)
What's old school about it, is it's using an old social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.
As you can tell from the Finder icon in the top left and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac. Here are some telltale signs it's fake:
- Every media type that matters is playable out of the box on a Mac.
- "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
- The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
- Powered by "MediaDownloader," yet the software is called, "Media Player"?
- What the heck is the Finder icon even doing on an installer for a third-party product?
Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious:
(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)
So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and for cryin' out loud, keep your mouse away from the "Accept and Install" button, will ya?
UPDATE: Looks like I'm not the only one getting these emails!
Dancho Danchev with Webroot also has a great blog post on these emails. His is called Spamvertised 'US Airways' themed emails serving client side exploits and malware.
One bit of good news/bad news on them: we can be even more certain that the domain owner shown in my post is an innocent victim, too, as Dancho's blog shows many other URLs being used for serving the malware. In fact, his blog post doesn't even mention the domain name that was in the email I received.
Sometimes, you really just have to laugh.
I got a phishing spam today. Really, you might even call it a spear-phishing spam, given that it had my name and email address correct.
It was an email that looked every bit like a legitimate Check-in Confirmation email from US Airways. The problem: I'm not traveling anytime soon, so I know it's a fake.
Here's what it looked like:
Examining the link shows it was destined to go to an Indian website (.in) that's registered with the following info:
Created On:27-May-2011 21:14:29 UTC
Last Updated On:27-Jul-2011 19:20:22 UTC
Expiration Date:27-May-2012 21:14:29 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R101-AFIN)
Registrant Name:ian jamieson
Registrant Organization:perdita & pongo llc
Registrant Street1:po box 2225
Registrant City:manchester ctr.
Registrant Postal Code:05255
Whether or not the registrant name is legit is anyone's guess, but it's hosted at the IP 18.104.22.168 by GoDaddy.
It's exceedingly rare that anyone uses their real info to host a phishing site--much less one hosted with a legitimate company like GoDaddy, so the domain has probably been compromised. Either that or the registrant name is completely falsified.
The bottom line: don't click on links in emails, even if you think they're legit and from someone you know.
Instead, by doing a "Right Click," you can copy the link out of the email and paste it into Notepad. From there, it doesn't take a rocket scientist to see this link is going to an Indian website (.in) and not to US Airways.
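The "copy the link and look at where it really goes" check above can be done the same way over every link in an email, so you don't have to eyeball them one at a time. The following is an added example, not code from the original post: it pulls each link out of an HTML email body, reports the destination host and its TLD, and flags links whose host isn't one of the sender's expected domains, or whose visible text shows one host while the href goes to another. The expected domain `usairways.com`, the sample email and its `.in` placeholder hosts are all assumptions constructed for this example.

```python
"""Inspect the links in an HTML email without clicking them.

Added example (not from the original post). The brand domain "usairways.com",
the sample email and the placeholder ".in" hosts are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Crude 'site name': the last two labels (fine for .com / .in / .net).
    Multi-part public suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Something that looks like a hostname inside the link's visible text,
# with or without a scheme (e.g. "www.usairways.com").
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def check_link(text, href, expected_domains):
    """Return (verdict, reasons) for one link; verdict is 'ok' or 'suspicious'."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return "suspicious", ["href has no host (javascript:, mailto: or relative link)"]
    domain = registered_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    if domain not in expected_domains:
        reasons.append(f"destination {host} is not an expected sender domain (TLD .{tld})")
    # Visible text that names one site while the href goes to another is the classic ruse.
    m = _HOST_IN_TEXT.search(text)
    if m and registered_domain(m.group(1)) != domain:
        reasons.append(f"link text shows {m.group(1)} but href goes to {host}")
    return ("suspicious" if reasons else "ok"), reasons


def analyze_email(html, expected_domains):
    """Check every link in the email body; returns one dict per link, in document order."""
    results = []
    for text, href in extract_links(html):
        verdict, reasons = check_link(text, href, expected_domains)
        results.append({"text": text, "href": href, "verdict": verdict, "reasons": reasons})
    return results


# Constructed sample: a fake "check-in confirmation" whose links go to placeholder .in hosts.
SAMPLE_EMAIL = """<html><body>
<p>Your check-in is confirmed. Please review your itinerary:</p>
<p><a href="http://checkin-confirm.example.in/flight.php?id=1234">Check-in Confirmation</a></p>
<p>Manage your booking at <a href="http://account.example.in/login">www.usairways.com</a></p>
<p>Questions? <a href="https://www.usairways.com/contact">Contact us</a></p>
</body></html>"""

if __name__ == "__main__":
    for r in analyze_email(SAMPLE_EMAIL, {"usairways.com"}):
        print(r["verdict"].upper(), repr(r["text"]), "->", r["href"])
        for reason in r["reasons"]:
            print("   ", reason)
```

Run as-is it prints the three links from the constructed email: the first two come out SUSPICIOUS (a `.in` destination, and in the second case link text naming `www.usairways.com` while the href goes elsewhere), the third, which really does go to the expected domain, comes out OK. The expected-domain set is the one thing you have to supply; it is what turns "this goes to a .in site" from a curiosity into a verdict.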
For a quick-and-dirty email, one has to wonder what kind of success rate they're having with this particular message. After all, it is a relatively clever bit of social engineering that some people will, no doubt, fall for.
Even still, if you do get sucked into clicking a link like the one in this phishing email (or click it accidentally), this is where good antivirus software can make all the difference.
Here's what happens when you click this particular link, if you're running the 2012 VIPRE Internet Security Suite:
As you can see, VIPRE 2012 blocked it as a trojan. So, between
- the "US Airways" link mysteriously going to a .in website...
- it being registered to an "ian jamieson..."
- and VIPRE ISS blocking the first thing on the site as a trojan
there should be little doubt in your mind now that this site is malicious. Now, it's time to contact GoDaddy to get the site yanked before more people get infected.
Oh, and in case you're wondering, here are the threat details from VIPRE:
Most of us have been in an airport or other similar public place and seen the free charging kiosks.
And, I'll venture to bet that most of us have used 'em, too.
Looks like the bad guys aren't running out of ideas on ways to get at you and your data, and now it looks like the free ride at the charging kiosk is over since the bad guys can start moving in there, too.
That's what Brian Markus (president of Aires Security) and his colleagues (researchers Joseph Mlodzianowski and Robert Rowley) showed when they built a charging kiosk at the 2011 DefCon hackers convention in Las Vegas.
As crazy as it sounds, charging your smart phone at a free charging kiosk can leave it exposed to data theft or even malware installation.
Brian Krebs' always-fantastic security blog, Krebs on Security, has a piece called Beware of Juice Jacking that goes into detail about how even some phones with settings to disable USB transfer don't do so reliably enough to be trusted.
'One attendee claimed his phone had USB transfer off and he would be fine. When he plugged in, it instantly went into USB transfer mode,' Markus recalls. 'He then sheepishly said, "Guess that setting doesn't work."'
Given that we haven't had any opportunities to test smart phone antivirus software against these types of threats, we can't say if the current batch of antivirus software for phones would be enough to prevent these types of attacks. Given what we've seen from VIPRE Mobile (the version of VIPRE Antivirus for Android Mobile phones), we expect it would.
Regardless, it's clearly safest to avoid these kiosks for charging your phone, and as the piece says,
If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.
'One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,' Markus said.
Fans of Internet Explorer, rejoice!
Well, sort of.
NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.
Long lambasted for being insecure and weak in its ability to thwart malware, Internet Explorer actually landed at the front of the pack in this particular test which included:
Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which
"...remains the most common security threat facing Internet users today. Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit."
How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)
Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks

| Web Browser | Malware Blocking Efficacy |
|---|---|
| Microsoft Internet Explorer 9 | 99.2%* |
| Google Chrome 12 | 13.2% |
| Apple Safari 5 | 7.6% |
| Mozilla Firefox 4 | 7.6% |

* With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of protection respectively.
Now for the one caveat: this only measured the efficacy of blocking social engineering malware and didn't test any of the browsers' ability (or likelihood) to be attacked through a security exploit.
What does that mean?
For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.
While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.
So, what's the best, most secure web browser?
There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.
Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.
In our tests, we consistently saw the software we tested with the best malicious website filtering giving added protection above and beyond what the web browsers themselves provided.