Most of us are pretty web-savvy: when an email arrives saying we need to enter our bank details, we think, “Oh, please!” – and don’t click. But cybercriminals don’t rest – and new techniques can sometimes fool even veteran PC users.
From legitimate companies delivering software with a “side-order” of malware, to PC attacks that persuade you to infect your own phone, here are some of the latest traps laid by cybercriminals.
As ever, you don’t have to become a victim. Ensure all your software is up to date – from Windows to Flash to Java to your browser – think carefully before installing anything, whether it’s an app or a browser plug-in, and use good AV software for maximum security.
The poisoned plug-in
Browser plug-ins are something many of us install without even thinking – but this year has seen a surge in plug-ins with hidden, malicious functions. Orbit Downloader, one of the most popular video downloaders for YouTube, was found to have a hidden “dark side” – working to attack other websites with DDoS attacks, using unwitting users’ PCs.
Given the age and the popularity of Orbit Downloader (it is listed as one of the top downloads in its category on several popular software web sites) this means that the program might be generating gigabits (or more) of network traffic, making it an effective tool for Distributed Denial of Service (DDoS) attacks.
After ESET’s report, Orbit was withdrawn from several sites. To stay safe, use plug-ins only when absolutely necessary, only install plug-ins from reputable stores – and check the reviews first.
The PC attack that poisons your phone
Persuading Android users to download malware is not hard – but cybercriminals have also created PC malware that “poisons” phones connected to it. Win 32/KanKan silently installs mobile applications to Android phones connected to the computer via USB debugging.
More sinisterly, the Hesperbot Trojan attempts to bypass banking security by persuading them to install fake bank apps. The aim of the attackers is to obtain login credentials giving access to the victim’s bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone.
Your bank will never ask you to “update” an app in this way – any necessary updates will be done via an official store such as Google Play – so if you see your bank’s website offering a link, beware. If new apps do appear on your phone without warning, delete immediately, consider a factory reset on your phone- and check your PC.
The Bitcoin burglar
Bitcoin made the news this year – with ATMs allowing users to withdraw their cryptocurrency as real currency, and bars that would accept payments in Bitcoin. But sites such as the online drug mart Silk Road also highlighted the “dark side” of such cryptocurrencies – and cybercriminals tried to cash in. Gaming company ESEA discovered an employee had secretly installed Bitcoin-mining software in the company’s game client. “It becomes obvious that digital currency is currently a trending topic, among malware writers as well as amongst gamers,” says ESET Malware Researcher Robert Lipovsky. “Recently we’ve happened upon a new Trojan that attempts to steal virtual cash in the form of the alternate digital currency, Litecoin.”
In general, it’s best to have two wallets for cryptocurrencies, one for spending, and one offline wallet for larger sums.
The good website gone bad
Even “good” websites can turn bad – witness the long-running “Home Campaign”, which has infected thousands of websites, and in turn delivered malware to their visitors. How did the cybercriminals manage to exert control over so many IPs and domains? By compromising the CPanel and Plesk panels used by many web hosting companies to manage their networks and sometimes control hundreds or thousands of websites. The malware inserts the Blackhole “exploit kit” into sites, so users with vulnerable versions of programs such as Java will be infected. To stay safe, ensure all your PC’s software – particularly your operating system, browser and software such as Java and Flash – are up-to-date.
The banking malware that steals money right under your nose
Shylock – detected by ESET as Win32/Caphaw, is one of the few pieces of financial malware that can steal money while a user watches. It is one of the few that has autoload functionality for automatically stealing money when the user is actively accessing his banking account. An infected user can’t recognize that his money is being stolen, because he sees fake data on the banking web page based on the webinjects’ rules. The malware was recently detected attacking North American users, targeting login credentials for 24 banks. Shylock has advanced “stealth” capabilities, but appears to spread via a Java vulnerability – ensure software such as Java is up to date on your PC, and always exercise caution around online banking. If anything appears slightly wrong, call your bank immediately.