July 2014 Feature Article: The Domino's Effect
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
July 2014 Feature Article: The Domino’s Effect
Table of Contents The Domino’s Effect ...................................................................................................................................................3 ESET Corporate News .................................................................................................................................................6 The Top Ten Threats ...................................................................................................................................................6 Top Ten Threats at a Glance (graph) ....................................................................................................................... 10 About ESET .............................................................................................................................................................. 11 Additional Resources ............................................................................................................................................... 11
attacks, so called spear-phishing, it is not uncommon practice
The Domino’s Effect among cybercriminals to gather as much data on anyone they
David Harley, ESET Senior Research Fellow ESET North America can, including such details as food preference, then prepare a
Small Blue-Green World targeted scam which uses bits of this data to convince the
victim it’s legit. Imagine an average Joe receiving an email from
The news that the data of 600,000 Domino’s Pizza customers someone pretending to be Domino’s and saying “Hi Joe, you
had apparently been acquired by hackers intending to disclose ordered extra anchovies in your last three orders with us and we
the data unless Domino’s paid a €30,000 ransom, while not want to give you a prize for being a regular customer. Click here
particularly amusing for Domino’s or its customers in the and fill in the form to claim your prize.” Even though the sender
affected countries, did inspire a classic blog title – Domino’s and email would be fake, the victim would recognise they did
Pizza hacked: Change your toppings at once! – from ESET in fact order extra anchovies and would consider the offer real
Ireland’s Urban Schrott as well as some sound advice. He said: and would likely click on the link. This could in turn infect their
computer with malware, demand they enter their banking
“Apparently, hackers have gained access to 600,000 Domino’s details to receive the prize, or any other wicked thing
Pizza customer details, including their favourite toppings. ESET cybercriminals do.
Ireland advises users to change their pizza toppings selection
to stay safe. “Apart from changing your toppings, at least for a while, ESET
Ireland therefore seriously advises you are careful with the
I am otherwise a rational and sensible cybersecurity analyst, but personal data you share with companies and services you deal
I draw the line when someone messes with my food. And the with. Know that, as in the case of this hack, if the data falls into
hackers behind this latest attack did just that. In a bid to extort the wrong hands, it can be used against you. Only disclose the
money from Domino’s Pizza, they threatened to publically post minimum of necessary info and if you receive any suspicious
detailed info of 600,000 customers, including their favourite email, claiming reference to some real info about you, double
pizza toppings unless they’re paid a ransom of €30,000. The check if it is legitimate, before you do anything it’s asking you to
hackers aimed at possible lawsuits against the pizza company do. When unsure, just ring the company in question and check.”
for breach of privacy, but a representative of Domino’s said the
ransom will not be paid and that the customers’ financial data Graham Cluley told us more and also gave useful advice.
and credit cards were not compromised in the attack.
“A group of hackers claim to have stolen the personal details of
The servers attacked mainly contained customer info from some 650,000 pizza lovers, and have threatened to release
France and Belgium so Irish users shouldn’t be affected, but just them to the world if Domino’s Pizza doesn’t cough up a hefty
to be sure, ESET Ireland recommends you change your toppings ransom.
selection, so it doesn’t coincide with the one the hackers may
have, so you will not be offered a fake pizza by them. Ok, we’re
joking here. But only a bit. Because in the age of targeted“The hacking group, which is calling itself Rex Mundi, claims to de passe. C’est la raison pour laquelle nous vous recommandons
have breached the network of Domino’s Pizza in France and de modifier votre mot de passe, par mesure de sécurité. Nous
Belgium, grabbing customers’ full names and addresses, phone regrettons fortement cette situation et prenons cet accès
numbers, email addresses and the passwords. Via their Twitter illégitime très au sérieux.
account (now suspended) the hackers posted a link to a
statement about the breach: “Sadly, there’s no mention of whether the sensitive information
was salted and hashed.
Dear friends and foes,
“André ten Wolde, who heads up Domino’s Pizza in the
Earlier this week, we hacked our way into the servers of Netherlands, told De Standaard that there were clearly security
Domino’s Pizza France and Belgium, who happen to share the problems with the firm’s server. At the same time he confirmed
same vulnerable database. And boy, did we find some juicy stuff that the company would not be paying any ransom to the
in there! We downloaded over 592,000 customer records hackers. Good for him, and good for Domino’s Pizza.
(including passwords) from French customers and over 58,000
records from Belgian ones. That’s over six hundred thousand “Clearly any hack is very bad news – both for the thousands of
records, which include the customers’ full names, addresses, potential innocent victims, and for the corporation which has
phone numbers, email addresses, passwords and delivery been hit by a criminal hack. It’s easy to point the finger of blame
instructions. (Oh, and their favorite pizza topping as well, at the corporation for not protecting its customers data
because why not). properly, and there are no doubt a lot of angry people in France
and Belgium writing now ordering an Indian takeaway as a form
“Fortunately, there is no indication that payment information of protest.
has fallen into the hands of the hackers – but there’s clearly still
plenty to be concerned about for those Domino’s customers “But we have to make a stand against criminals who attempt to
who have had their personal information exposed. blackmail and extort money out of the corporations they are
attacking via the internet. We saw a fine stand made by Feedly
“Domino’s France responded to the security breach with a the other day when hackers attempted to extort money, and
series of tweets, claiming that although it used “cryptage” I’m pleased to see Domino’s Pizza not bowing to the hackers’
(encryption), the company believed the hackers to be demands either. If companies cave in and pay ransoms to
experienced criminals, and it was deemed likedly that internet attackers the only thing that is certain is that there will
passwords would be cracked: be more internet attacks.”
Domino’s Pizza utilise un système de cryptage des données
commerciales. Toutefois les hackers dont nous avons été
victimes sont des professionnels aguerris et il est probable qu’ils
aient pu décoder le système de cryptage comprenant les motsGraham asked ESET security expert David Harley whether he Graham went on to advice:
felt the Feedly and Domino’s attacks were the sign of a new era
of cyber-extortion. Here’s what he had to say: “If you’re the victim of cyber-extortionists, don’t give in to the
blackmailer’s demands.
The Feedly story appears to have been just a DDoS attack, not a
credentials breach. There’s nothing new at all about that: even “Even though you might be at risk of personal or commercial
in the early 2000s, UK agencies were quietly cooperating with embarrassment, or potential financial loss, it’s always better to
private companies to deal with extortion attacks based on “pay contact the crime-fighting authorities than get into bed with the
up or we’ll keep on DDoS-ing you”. criminals. Of course, you should also put some serious
resources into exploring what security holes might exist in your
Historically, online casinos and similar sites have been company’s operations – and making sure you are better
persistently targeted, but there’s no reason why an attacker defended in the future.
wouldn’t consider any site dependent on keeping its online
services available a likely target for extortion. “And, if you’re a customer of Domino’s and fear that your
details may have been exposed by this attack, make sure that
Extortion based on the threat of data release is a little more you are not using your pizza-ordering password anywhere else
unusual, but not unknown. on the net. After all, if the hackers manage to extract your
password from Domino’s database they might attempt to use it
Since stolen data can’t usually be ‘given back’ in such a way that to unlock your other online accounts too.
you know the attacker can’t make further use of it, it makes
sense to look at other means of mitigation rather than relying “It’s good practice to always use different passwords that are
on the attacker’s ‘good faith’. I.e., alerting customers, advising hard-to-crack for different websites. Reusing passwords is a
them to change passwords, improving database security. recipe for disaster. Anything less than proper password
practices could end up with hackers getting their hands on your
Similarly, it’s almost a given that paying up under threat of hard-earned dough.”
DDoS is unlikely to be a permanent solution.ESET Corporate News ESET provides Cyberoam Technologies with Secure Authentication ESET has announced its new partnership with Cyberoam Technologies, a leading global provider of network security appliances. The partnership will allow Cyberoam Technologies to integrate ESET’s Secure Authentication - a mobile solution relying on two-factor, one time passwords (2FA OTP) for remote access - into Cyberoam Technologies‘ Unified Threat Management and Next Generation Firewall appliances. This additional layer of protection will secure both end-users and enterprise networks. The partnership is currently being deployed in South Africa. ESET scores high in brand-awareness by German magazine PC Welt ESET continues to rise in Germany. In business segment, ESET won silver medal as the Brand of the Year in the Security software category. Brand-awareness survey was conducted by German computer magazine PC Welt. As well, readers of PC Welt prefer ESET as the security software for their business. ESET scored silver medal as the Technology Winner in the category of Security software. The Top Ten Threats 1. Win32/Bundpil Previous Ranking: 1 Percentage Detected: 2.3% Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address, and it tries to download several files from the address. The files are then executed and the HTTP protocol is used. The worm may delete the following folders: *.exe *.vbs *.pif *.cmd *Backup. 2. JS/Kryptik.I Previous Ranking: 2 Percentage Detected: 1.82% JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.
3. Win32/RiskWare.NetFilter Previous Ranking: n/a Percentage Detected: 1.73% Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infeted computers to engage in unwanted behaviour. It allows an attacker to remotely connect to the infected system and control it in order to steal sensitive information or install other malware. 4. LNK/Agent.AK Previous Ranking: 3 Percentage Detected: 1.55% LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and, additionaly runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability was known as Stuxnet was discovered, as it was one of four that threat vulnerabilities executed. 5. Win32/Sality Previous Ranking: 4 Percentage Detected: 1.38% Sality is a polymorphic file infector. When run starts a service and create/delete registry keys related with security activities in the system and to ensure the start of malicious process each reboot of operating system. It modifies EXE and SCR files and disables services and process related to security solutions. More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah 6. HTML/ScrInject Previous Ranking: 8 Percentage Detected: 1.37% Generic detection of HTML web pages containing script obfuscated or iframe tags that that automatically redirect to the malware download.
7. Win32/Adware.MultiPlug Previous Ranking: n/a Percentage Detected: 1.28% Win32/Adware.Multiplug is a Possible Unwanted Application that once it's present into the users system might cause applications to displays advertising popup windows during internet browsing. 8. INF/Autorun Previous Ranking: 5 Percentage Detected: 1.24% This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family. Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem. The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique. While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. 9. Win32/Conficker Previous Ranking: 6 Percentage Detected: 1.15% The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).
Win32/Conficker loads a DLL through the svchost process. This treat contacts web servers with pre-computed domain names to download
additional malicious components. Fuller descriptions of Conficker variants are available at
http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.
While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft
patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on
the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped
the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The
Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.
It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with
system patches, disable Autorun, and don’t use unsecured shared folders.
10. Win32/TrojanDownloader.Zurgop
Previous Ranking: n/a
Percentage Detected: 1.14%
Win32/TrojanDownloader.Zurgop it a family of malicious codes that once they infect a vulnerable system will downloder other malware
from the Internet. Variants of this family use different techniques to avoid detection such as run-time compressed packers like PEncrypt
or PECompact.
http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AB/description
Win32/TrojanDownloader.Zurgop.AB is a Trojan which tries to download other malware from the Internet. The file is
run-time compressed using PEncrypt .
http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AZ/description
Win32/TrojanDownloader.Zurgop.AZ is a Trojan which tries to download other malware from the Internet. The file is
run-time compressed using PECompact.
http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.BI/description
http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.BI/descriptionTop Ten Threats at a Glance (graph) Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with 2.3% of the total, was scored by the Win32/Bundpil class of treat.
About ESET
ESET®, the pioneer of proactive protection and the maker of
the award-winning ESET NOD32® technology, is a global
Additional Resources
provider of security solutions for businesses and consumers. Keeping your knowledge up to date is as important as keeping
For over 26 years, the Company continues to lead the industry your AV updated. For these and other suggested resources
in proactive threat detection. By obtaining the 80th VB100 please visit the ESET Threat Center to view the latest:
award in June 2013, ESET NOD32 technology holds the record
number of Virus Bulletin "VB100” Awards, and has never ESET White Papers
missed a single “In-the-Wild” worm or virus since the inception WeLiveSecurity
of testing in 1998. In addition, ESET NOD32 technology holds ESET Podcasts
the longest consecutive string of the VB100 awards of any AV Independent Benchmark Test Results
vendor. ESET has also received a number of accolades from AV- Anti-Malware Testing and Evaluation
Comparatives, AV-TEST and other testing organizations and
reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET
Cyber Security® (solution for Mac), ESET® Mobile Security and
IT Security for Business are trusted by millions of global users
and are among the most recommended security solutions in
the world.
The Company has global headquarters in Bratislava (Slovakia),
with regional distribution centers in San Diego (U.S.), Buenos
Aires (Argentina), and Singapore; with offices in Jena
(Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET
has malware research centers in Bratislava, San Diego, Buenos
Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland),
Montreal (Canada), Moscow (Russia) and an extensive partner
network for more than 180 countries.
More information is available via About ESET and Press Center.You can also read
