Information security digest 24.06-12.07

Every fifth attack, every third bank

Every fifth phishing attack over the past year focused on banking and financial institutions. These results come out of a study published by Kaspersky Lab in late June. According to the data from Kaspersky Security Network 20,64% of phishing threats registered between May 2012 and April 2013 were targeted at different kinds of financial institutions.

The fact that the attackers are particularly interested in banks is indirectly confirmed by other studies. According to the global survey by B2B International and Kaspersky Lab, about 37% of all banks suffered at least once from phishing attacks in one way or another over the past twelve months.

Find more on the new study here.

Showdown

Network security experts ambiguously reacted to the emergence of Trojan Carberp’s source code on the Web. Carberp is a banking Trojan used to steal money. In March 2013, Russian police detained a group of hackers who had stolen about 60 million rubles with the help of Carberp and Backdoor.Win32.Shiz. But this arrest does not mean that the “universal bankbot” threat was eliminated for good. Firstly, the offers to buy Carberp did not stop appearing on the Web, and secondly, the “affiliates” that have previously been reported for spreading the Trojan are still working. Furthermore, on the very day the arrest of the criminals was announced three new test servers for Carberp appeared, all of them with German IP addresses.

And then the source code of the infamous Trojan “leaked.” As mentioned above, the reaction to this event was ambiguous. On the one hand, security experts got the opportunity to thoroughly study this malware. On the other hand, the virus writers obviously have continued doing their business, and the new derivatives are expected soon enough.

Facebook hijacked in sixty seconds

The Facebook administration awarded British information security researcher John Whitton (aka fin1te) when he detected a serious vulnerability that could let an attacker access any Facebook account via SMS. John Whitton discovered the bug in late May and immediately notified Facebook about the flaw. A few days later administrators fixed the issue, but until recently there was no word about the $20,000 reward assigned to that bug.

Whitton’s exploit took advantage of Facebook’s mechanism for activating and using mobile texts with the social network. More details on the bug in Whitton’s blog.

Hit and run

The famous video game developer Ubisoft was hit by hackers who managed to steal usernames, email addresses and encrypted passwords from the company’s server.

The company’s official blog assured that personal payment information was safe from the intrusion. Nevertheless, all users were advised to change their passwords on Ubi.com as well as on any other resources where the same or similar passwords could be used.

No spies allowed!

One of the Pirate Bay co-founders Peter Sunde announced that he was raising money for the development of a spy-proof messaging application for iOS and Android. Sunde explained that the application, which his under the working title Hemlis (Swedish for “secret”), would utilize end-to-end encryption to ensure that only the two people carrying on the text conversation would have access to its data.

Sunde got the idea to create such an app because of the NSA scandal with the U.S. global cyber espionage program PRISM. Since the topic of security services surveillance is hyped again, there are going to be many people who would like to take advantage of it. The point is to identify the real purposes of those people and the efficiency of spy-proof applications.

A volley of Microsoft security bulletins

Microsoft released seven security bulletins (MS13-52 – MS13058), describing a number of vulnerabilities in the company’s products. Six of them are assigned “critical”. Serious flaws were found in Internet Explorer and DirectShow.

There was also another problem detected while processing TrueType fonts, affecting Microsoft Office, Visual Studio, .NET, Silverlight, Lync and some components of Windows. Technical details on that vulnerability were described in three bulletins.

More information can be found on our blog at Securelist.

What the misuse costs you

According to surveys from Europe and the United States employees spend up to 30% of their work time on personal issues. By multiplying the spent time with the average cost of a working hour, analysts estimate the amount of damage as millions of dollars a year. Indirect losses may be even larger. Employees use desktops for social networking, sharing links to entertaining content, and downloading files from suspicious sources. At the same time, hackers actively exploit social networks for phishing and malware distribution, many personal blogs, entertainment sites, file sharing sites, torrent trackers and downloaded files are contaminated, and passwords to email accounts get regularly cracked or stolen.

Securelist published an article by Kaspersky Lab’s expert Kirill Kruglov, concerning incidents that may come as a result of the improper use of computers at work, and provided some recommendations.