July 2014 Feature Article: The Domino's Effect
Table of Contents

The Domino’s Effect
ESET Corporate News
The Top Ten Threats
Top Ten Threats at a Glance (graph)
About ESET
Additional Resources
The Domino’s Effect
David Harley, ESET Senior Research Fellow, ESET North America
Small Blue-Green World

The news that the data of 600,000 Domino’s Pizza customers had apparently been acquired by hackers intending to disclose the data unless Domino’s paid a €30,000 ransom, while not particularly amusing for Domino’s or its customers in the affected countries, did inspire a classic blog title – Domino’s Pizza hacked: Change your toppings at once! – from ESET Ireland’s Urban Schrott as well as some sound advice. He said:

“Apparently, hackers have gained access to 600,000 Domino’s Pizza customer details, including their favourite toppings. ESET Ireland advises users to change their pizza toppings selection to stay safe.

I am otherwise a rational and sensible cybersecurity analyst, but I draw the line when someone messes with my food. And the hackers behind this latest attack did just that. In a bid to extort money from Domino’s Pizza, they threatened to publicly post detailed info of 600,000 customers, including their favourite pizza toppings unless they’re paid a ransom of €30,000. The hackers aimed at possible lawsuits against the pizza company for breach of privacy, but a representative of Domino’s said the ransom will not be paid and that the customers’ financial data and credit cards were not compromised in the attack.

The servers attacked mainly contained customer info from France and Belgium so Irish users shouldn’t be affected, but just to be sure, ESET Ireland recommends you change your toppings selection, so it doesn’t coincide with the one the hackers may have, so you will not be offered a fake pizza by them. Ok, we’re joking here. But only a bit. Because in the age of targeted attacks, so-called spear-phishing, it is not uncommon practice among cybercriminals to gather as much data on anyone they can, including such details as food preference, then prepare a targeted scam which uses bits of this data to convince the victim it’s legit. Imagine an average Joe receiving an email from someone pretending to be Domino’s and saying “Hi Joe, you ordered extra anchovies in your last three orders with us and we want to give you a prize for being a regular customer. Click here and fill in the form to claim your prize.” Even though the sender and email would be fake, the victim would recognise they did in fact order extra anchovies and would consider the offer real and would likely click on the link. This could in turn infect their computer with malware, demand they enter their banking details to receive the prize, or any other wicked thing cybercriminals do.

“Apart from changing your toppings, at least for a while, ESET Ireland therefore seriously advises you are careful with the personal data you share with companies and services you deal with. Know that, as in the case of this hack, if the data falls into the wrong hands, it can be used against you. Only disclose the minimum of necessary info and if you receive any suspicious email, claiming reference to some real info about you, double check if it is legitimate, before you do anything it’s asking you to do. When unsure, just ring the company in question and check.”

Graham Cluley told us more and also gave useful advice.

“A group of hackers claim to have stolen the personal details of some 650,000 pizza lovers, and have threatened to release them to the world if Domino’s Pizza doesn’t cough up a hefty ransom.
“The hacking group, which is calling itself Rex Mundi, claims to have breached the network of Domino’s Pizza in France and Belgium, grabbing customers’ full names and addresses, phone numbers, email addresses and the passwords. Via their Twitter account (now suspended) the hackers posted a link to a statement about the breach:

Dear friends and foes,

Earlier this week, we hacked our way into the servers of Domino’s Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones. That’s over six hundred thousand records, which include the customers’ full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).

“Fortunately, there is no indication that payment information has fallen into the hands of the hackers – but there’s clearly still plenty to be concerned about for those Domino’s customers who have had their personal information exposed.

“Domino’s France responded to the security breach with a series of tweets, claiming that although it used “cryptage” (encryption), the company believed the hackers to be experienced criminals, and it was deemed likely that passwords would be cracked:

Domino’s Pizza uses a system of encryption for its commercial data. However, the hackers we fell victim to are seasoned professionals and it is likely that they were able to decode the encryption system, including the passwords. That is why we recommend that you change your password, as a security measure. We deeply regret this situation and take this illegitimate access very seriously.

“Sadly, there’s no mention of whether the sensitive information was salted and hashed.

“André ten Wolde, who heads up Domino’s Pizza in the Netherlands, told De Standaard that there were clearly security problems with the firm’s server. At the same time he confirmed that the company would not be paying any ransom to the hackers. Good for him, and good for Domino’s Pizza.

“Clearly any hack is very bad news – both for the thousands of potential innocent victims, and for the corporation which has been hit by a criminal hack. It’s easy to point the finger of blame at the corporation for not protecting its customers’ data properly, and there are no doubt a lot of angry people in France and Belgium right now ordering an Indian takeaway as a form of protest.

“But we have to make a stand against criminals who attempt to blackmail and extort money out of the corporations they are attacking via the internet. We saw a fine stand made by Feedly the other day when hackers attempted to extort money, and I’m pleased to see Domino’s Pizza not bowing to the hackers’ demands either. If companies cave in and pay ransoms to internet attackers the only thing that is certain is that there will be more internet attacks.”
Graham asked ESET security expert David Harley whether he felt the Feedly and Domino’s attacks were the sign of a new era of cyber-extortion. Here’s what he had to say:

The Feedly story appears to have been just a DDoS attack, not a credentials breach. There’s nothing new at all about that: even in the early 2000s, UK agencies were quietly cooperating with private companies to deal with extortion attacks based on “pay up or we’ll keep on DDoS-ing you”.

Historically, online casinos and similar sites have been persistently targeted, but there’s no reason why an attacker wouldn’t consider any site dependent on keeping its online services available a likely target for extortion.

Extortion based on the threat of data release is a little more unusual, but not unknown.

Since stolen data can’t usually be ‘given back’ in such a way that you know the attacker can’t make further use of it, it makes sense to look at other means of mitigation rather than relying on the attacker’s ‘good faith’. I.e., alerting customers, advising them to change passwords, improving database security.

Similarly, it’s almost a given that paying up under threat of DDoS is unlikely to be a permanent solution.

Graham went on to advise:

“If you’re the victim of cyber-extortionists, don’t give in to the blackmailer’s demands.

“Even though you might be at risk of personal or commercial embarrassment, or potential financial loss, it’s always better to contact the crime-fighting authorities than get into bed with the criminals. Of course, you should also put some serious resources into exploring what security holes might exist in your company’s operations – and making sure you are better defended in the future.

“And, if you’re a customer of Domino’s and fear that your details may have been exposed by this attack, make sure that you are not using your pizza-ordering password anywhere else on the net. After all, if the hackers manage to extract your password from Domino’s database they might attempt to use it to unlock your other online accounts too.

“It’s good practice to always use different passwords that are hard-to-crack for different websites. Reusing passwords is a recipe for disaster. Anything less than proper password practices could end up with hackers getting their hands on your hard-earned dough.”
ESET Corporate News
ESET provides Cyberoam Technologies with Secure Authentication
ESET has announced its new partnership with Cyberoam Technologies, a leading global provider of network security appliances. The
partnership will allow Cyberoam Technologies to integrate ESET Secure Authentication - a mobile solution relying on two-factor one-time
passwords (2FA OTP) for remote access - into Cyberoam Technologies' Unified Threat Management and Next Generation Firewall
appliances. This additional layer of protection will secure both end-users and enterprise networks. The partnership is currently being
deployed in South Africa.

ESET scores high in brand-awareness by German magazine PC Welt
ESET continues to rise in Germany. In the business segment, ESET won the silver medal as Brand of the Year in the Security software category.
The brand-awareness survey was conducted by the German computer magazine PC Welt. Readers of PC Welt also prefer ESET as the security
software for their business: ESET scored a silver medal as the Technology Winner in the Security software category.

The Top Ten Threats
1. Win32/Bundpil
Previous Ranking: 1
Percentage Detected: 2.3%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that
address using the HTTP protocol; the downloaded files are then executed. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. JS/Kryptik.I
Previous Ranking: 2
Percentage Detected: 1.82%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a
malicious URL or implements a specific exploit.

3. Win32/RiskWare.NetFilter
Previous Ranking: n/a
Percentage Detected: 1.73%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to engage in unwanted
behaviour. It allows an attacker to connect remotely to the infected system and control it in order to steal sensitive information or install
other malware.

4. LNK/Agent.AK
Previous Ranking: 3
Percentage Detected: 1.55%

LNK/Agent.AK is a link (shortcut) that concatenates commands to run the real or legitimate application/folder and, additionally, runs the
threat in the background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was
discovered, as it was one of the four vulnerabilities that threat exploited.

5. Win32/Sality
Previous Ranking: 4
Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities in the
system, ensuring that the malicious process starts at each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. HTML/ScrInject
Previous Ranking: 8
Percentage Detected: 1.37%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware
download.
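JS/Kryptik (above, item 2) and HTML/ScrInject are both generic detections for pages whose script is obfuscated or whose iframes are hidden from the visitor. The following Python example is added here and is not ESET’s detection logic or any ESET tool; it shows the kind of lightweight heuristic a site owner or responder could run over fetched or quarantined HTML: it flags iframes sized or styled to be invisible, and inline scripts that combine a decode-and-execute primitive with a long run of escaped characters. The regular expressions, the threshold of eight consecutive escapes and the three sample pages are constructed for the example.

```python
import re
from typing import Dict, List

# Heuristic patterns (assumptions for this example, not ESET signatures).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
DECODE_EXEC = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# Eight or more back-to-back %XX, \xXX or \uXXXX escapes is rare in hand-written script.
ESCAPED_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.IGNORECASE)


def scan_html(html: str) -> Dict[str, List[str]]:
    """Return findings keyed by heuristic; empty lists mean nothing matched."""
    findings: Dict[str, List[str]] = {"hidden_iframe": [], "obfuscated_script": []}
    for match in HIDDEN_IFRAME.finditer(html):
        findings["hidden_iframe"].append(match.group(0)[:80])
    for match in SCRIPT_BODY.finditer(html):
        body = match.group(1)
        calls = sorted(set(DECODE_EXEC.findall(body)))
        # Only the combination is flagged: document.write alone is ordinary, and a
        # long escaped run alone may be legitimate encoded data.
        if calls and ESCAPED_RUN.search(body):
            findings["obfuscated_script"].append(", ".join(calls))
    return findings


def is_suspicious(html: str) -> bool:
    """True when any heuristic produced a finding."""
    return any(scan_html(html).values())


# Constructed sample pages (not captured from any real site); .invalid is a reserved TLD.
SAMPLE_BENIGN = """<html><body>
<script>document.write("Last updated: " + new Date().getFullYear())</script>
<iframe src="https://maps.example.invalid/embed" width="600" height="450"></iframe>
</body></html>"""

SAMPLE_HIDDEN_IFRAME = """<html><body><p>Welcome</p>
<iframe src="http://ads.example.invalid/load.php" width="0" height="0" style="border:0"></iframe>
</body></html>"""

# The escaped string decodes to "Hello, world!"; the shape, not the content, is what trips the rule.
SAMPLE_OBFUSCATED = """<html><body>
<script>eval(unescape("%48%65%6c%6c%6f%2c%20%77%6f%72%6c%64%21"))</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in [("benign", SAMPLE_BENIGN), ("hidden iframe", SAMPLE_HIDDEN_IFRAME),
                        ("obfuscated", SAMPLE_OBFUSCATED)]:
        print(label, "->", scan_html(page))
```

Heuristics of this shape trade recall for explainability: each finding names the construct that fired, which is what a reviewer needs when deciding whether a page was injected or merely uses an ad or analytics embed.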
7. Win32/Adware.MultiPlug
Previous Ranking: n/a
Percentage Detected: 1.28%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user's system, might cause applications to
display advertising pop-up windows during internet browsing.

8. INF/Autorun
Previous Ranking: 5
Percentage Detected: 1.24%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains
information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by
a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless
it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to
the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of
removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the
program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional
infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by
default, rather than to rely on antivirus to detect it in every case.

9. Win32/Conficker
Previous Ranking: 6
Percentage Detected: 1.15%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating
system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials.
Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility
enabled at present by default in Windows (though not in Windows 7).
Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download
additional malicious components. Fuller descriptions of Conficker variants are available at
http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft
patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on
the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped
the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The
Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with
system patches, disable Autorun, and don’t use unsecured shared folders.
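The INF/Autorun entry above explains that Windows’ default Autorun setting runs whatever program an autorun.inf names, and that ESET flags files which install or modify autorun.inf heuristically; the Conficker entry repeats the advice to disable Autorun. The following Python example is added here and is not ESET’s heuristic or any ESET tool; it shows how a responder can triage an autorun.inf copied off removable media by parsing it as the INI file it is and listing only the directives that would launch a program (open, shellexecute and shell\...\command), then extracting the file names those directives point at for hashing or scanning. The two sample files are constructed.

```python
import configparser
from typing import List, Optional

# [autorun] directives that start a program when the media is inserted or opened.
LAUNCH_KEYS = {"open", "shellexecute"}


def _autorun_section(parser: configparser.ConfigParser) -> Optional[str]:
    # Windows matches the section name case-insensitively; configparser does not.
    for name in parser.sections():
        if name.lower() == "autorun":
            return name
    return None


def inspect_autorun(text: str) -> List[str]:
    """Return the launch directives in an autorun.inf as 'key=value' strings.

    An empty list means the file only sets cosmetic keys (icon, label) or has no
    [autorun] section, so Autorun would start nothing from it.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # key names are case-insensitive on Windows
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        # Malformed content deserves a look of its own; report what the parser objected to.
        return [f"unparseable: {type(exc).__name__}"]
    section = _autorun_section(parser)
    if section is None:
        return []
    launches = []
    for key, value in parser.items(section):
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_verb:
            launches.append(f"{key}={value}")
    return launches


def launched_files(text: str) -> List[str]:
    """Distinct file names the directives would run, in order found, for hashing or scanning."""
    names: List[str] = []
    for entry in inspect_autorun(text):
        if entry.startswith("unparseable:"):
            continue
        tokens = entry.split("=", 1)[1].split()
        if not tokens:
            continue
        # First token is the program; drop surrounding quotes and any directory prefix.
        name = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if name and name not in names:
            names.append(name)
    return names


# Constructed samples (not captured from real media): a vendor disc that only sets an
# icon and label, and a file that would run a program via two different directives.
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Disc\n"
SAMPLE_LAUNCH = (
    "[AutoRun]\n"
    "open=update.exe\n"
    "shell\\open\\command=update.exe /quiet\n"
    "icon=setup.exe,0\n"
)

if __name__ == "__main__":
    print("benign:", inspect_autorun(SAMPLE_BENIGN))
    print("launching:", inspect_autorun(SAMPLE_LAUNCH))
    print("files to scan:", launched_files(SAMPLE_LAUNCH))
```

The triage only tells you what the file would have run; the control the text recommends is to make sure it cannot run at all. On Windows that is the NoDriveTypeAutoRun policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which at 0xFF disables Autorun for every drive type.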

10. Win32/TrojanDownloader.Zurgop
Previous Ranking: n/a
Percentage Detected: 1.14%

Win32/TrojanDownloader.Zurgop is a family of malicious code that, once it infects a vulnerable system, downloads other malware from the
Internet. Variants of this family use different techniques to avoid detection, such as run-time compression with packers like PEncrypt or
PECompact.

http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AB/description
Win32/TrojanDownloader.Zurgop.AB is a Trojan which tries to download other malware from the Internet. The file is run-time compressed using PEncrypt.

http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AZ/description
Win32/TrojanDownloader.Zurgop.AZ is a Trojan which tries to download other malware from the Internet. The file is run-time compressed using PECompact.

http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.BI/description
Top Ten Threats at a Glance (graph)

Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this
month, with 2.3% of the total, was scored by the Win32/Bundpil class of threat.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organizations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries.

More information is available via About ESET and Press Center.
You can also read

Additional Resources
Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the ESET Threat Center to view the latest:
ESET White Papers
WeLiveSecurity
ESET Podcasts
Independent Benchmark Test Results
Anti-Malware Testing and Evaluation