July 2014 Feature Article: The Domino's Effect
Table of Contents
The Domino's Effect
ESET Corporate News
The Top Ten Threats
Top Ten Threats at a Glance (graph)
About ESET
Additional Resources
The Domino's Effect
David Harley, ESET Senior Research Fellow, ESET North America / Small Blue-Green World

The news that the data of 600,000 Domino's Pizza customers had apparently been acquired by hackers intending to disclose the data unless Domino's paid a €30,000 ransom, while not particularly amusing for Domino's or its customers in the affected countries, did inspire a classic blog title – Domino's Pizza hacked: Change your toppings at once! – from ESET Ireland's Urban Schrott, as well as some sound advice. He said:

“Apparently, hackers have gained access to 600,000 Domino's Pizza customer details, including their favourite toppings. ESET Ireland advises users to change their pizza toppings selection to stay safe.

I am otherwise a rational and sensible cybersecurity analyst, but I draw the line when someone messes with my food. And the hackers behind this latest attack did just that. In a bid to extort money from Domino's Pizza, they threatened to publicly post detailed info of 600,000 customers, including their favourite pizza toppings, unless they're paid a ransom of €30,000. The hackers aimed at possible lawsuits against the pizza company for breach of privacy, but a representative of Domino's said the ransom will not be paid and that the customers' financial data and credit cards were not compromised in the attack.

The servers attacked mainly contained customer info from France and Belgium, so Irish users shouldn't be affected, but just to be sure, ESET Ireland recommends you change your toppings selection, so it doesn't coincide with the one the hackers may have, so you will not be offered a fake pizza by them.

Ok, we're joking here. But only a bit. Because in the age of targeted attacks, so-called spear-phishing, it is not uncommon practice among cybercriminals to gather as much data on anyone they can, including such details as food preference, then prepare a targeted scam which uses bits of this data to convince the victim it's legit. Imagine an average Joe receiving an email from someone pretending to be Domino's and saying “Hi Joe, you ordered extra anchovies in your last three orders with us and we want to give you a prize for being a regular customer. Click here and fill in the form to claim your prize.” Even though the sender and email would be fake, the victim would recognise they did in fact order extra anchovies, would consider the offer real and would likely click on the link. This could in turn infect their computer with malware, demand they enter their banking details to receive the prize, or any other wicked thing cybercriminals do.

“Apart from changing your toppings, at least for a while, ESET Ireland therefore seriously advises you are careful with the personal data you share with companies and services you deal with. Know that, as in the case of this hack, if the data falls into the wrong hands, it can be used against you. Only disclose the minimum of necessary info, and if you receive any suspicious email claiming reference to some real info about you, double check if it is legitimate before you do anything it's asking you to do. When unsure, just ring the company in question and check.”

Graham Cluley told us more and also gave useful advice.

“A group of hackers claim to have stolen the personal details of some 650,000 pizza lovers, and have threatened to release them to the world if Domino's Pizza doesn't cough up a hefty ransom.

“The hacking group, which is calling itself Rex Mundi, claims to have breached the network of Domino's Pizza in France and Belgium, grabbing customers' full names and addresses, phone numbers, email addresses and the passwords. Via their Twitter account (now suspended) the hackers posted a link to a statement about the breach:

Dear friends and foes,

Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones. That's over six hundred thousand records, which include the customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).

“Fortunately, there is no indication that payment information has fallen into the hands of the hackers – but there's clearly still plenty to be concerned about for those Domino's customers who have had their personal information exposed.

“Domino's France responded to the security breach with a series of tweets, claiming that although it used “cryptage” (encryption), the company believed the hackers to be experienced criminals, and it was deemed likely that passwords would be cracked:

(Translated from the French:) Domino's Pizza uses an encryption system for its business data. However, the hackers of whom we were the victims are seasoned professionals and it is likely that they were able to decode the encryption system covering the passwords. That is why we recommend that you change your password, as a security precaution. We deeply regret this situation and take this illegitimate access very seriously.

“Sadly, there's no mention of whether the sensitive information was salted and hashed.

“André ten Wolde, who heads up Domino's Pizza in the Netherlands, told De Standaard that there were clearly security problems with the firm's server. At the same time he confirmed that the company would not be paying any ransom to the hackers. Good for him, and good for Domino's Pizza.

“Clearly any hack is very bad news – both for the thousands of potential innocent victims, and for the corporation which has been hit by a criminal hack. It's easy to point the finger of blame at the corporation for not protecting its customers' data properly, and there are no doubt a lot of angry people in France and Belgium right now ordering an Indian takeaway as a form of protest.

“But we have to make a stand against criminals who attempt to blackmail and extort money out of the corporations they are attacking via the internet. We saw a fine stand made by Feedly the other day when hackers attempted to extort money, and I'm pleased to see Domino's Pizza not bowing to the hackers' demands either. If companies cave in and pay ransoms to internet attackers the only thing that is certain is that there will be more internet attacks.”

Graham asked ESET security expert David Harley whether he felt the Feedly and Domino's attacks were the sign of a new era of cyber-extortion. Here's what he had to say:

The Feedly story appears to have been just a DDoS attack, not a credentials breach. There's nothing new at all about that: even in the early 2000s, UK agencies were quietly cooperating with private companies to deal with extortion attacks based on “pay up or we'll keep on DDoS-ing you”.

Historically, online casinos and similar sites have been persistently targeted, but there's no reason why an attacker wouldn't consider any site dependent on keeping its online services available a likely target for extortion.

Extortion based on the threat of data release is a little more unusual, but not unknown.

Since stolen data can't usually be ‘given back’ in such a way that you know the attacker can't make further use of it, it makes sense to look at other means of mitigation rather than relying on the attacker's ‘good faith’. I.e., alerting customers, advising them to change passwords, improving database security.

Similarly, it's almost a given that paying up under threat of DDoS is unlikely to be a permanent solution.

Graham went on to advise:

“If you're the victim of cyber-extortionists, don't give in to the blackmailer's demands.

“Even though you might be at risk of personal or commercial embarrassment, or potential financial loss, it's always better to contact the crime-fighting authorities than get into bed with the criminals. Of course, you should also put some serious resources into exploring what security holes might exist in your company's operations – and making sure you are better defended in the future.

“And, if you're a customer of Domino's and fear that your details may have been exposed by this attack, make sure that you are not using your pizza-ordering password anywhere else on the net. After all, if the hackers manage to extract your password from Domino's database they might attempt to use it to unlock your other online accounts too.

“It's good practice to always use different passwords that are hard to crack for different websites. Reusing passwords is a recipe for disaster. Anything less than proper password practices could end up with hackers getting their hands on your hard-earned dough.”
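Cluley's remark that nobody said whether the passwords were salted and hashed, and Domino's own statement that its "cryptage" had probably been decoded, are the crux of the breach from a customer's point of view. The following is an added example (not ESET's code, and not anything known about Domino's systems) that puts numbers on the difference: the same constructed customer table is stored under reversible encryption with the key kept beside the database, under a fast unsalted hash, and under a per-user salted PBKDF2, and each copy is attacked with the same constructed guess list. The customer names, passwords, guess list, server key and PBKDF2 iteration count are all assumptions made up for the demonstration; the toy stream cipher stands in for whatever reversible scheme a site might use and is not fit for real use.

```python
"""What a stolen copy of a password table costs an attacker under three storage
schemes: reversible encryption with the key on the same server, a fast unsalted
hash, and a per-user salted, iterated KDF.  Added example, not ESET's or
Domino's code; the customer records, guess list and server key are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed customers (invented names and passwords; two share a weak one).
CUSTOMERS: List[Tuple[str, str]] = [
    ("jean@example.fr", "pizza123"),
    ("marie@example.fr", "margherita"),
    ("luc@example.be", "pizza123"),
    ("anne@example.be", "Tr0ub4dor&3"),
    ("paul@example.fr", "password"),
    ("eva@example.be", "4nchovies!"),
]
# Constructed attacker guess list; a real one has hundreds of millions of entries.
GUESSES: List[str] = ["123456", "password", "pizza123", "margherita", "qwerty"]
# Constructed key, stored next to the database as such keys usually are.
SERVER_KEY = b"constructed-key-kept-beside-the-db"
# Assumed PBKDF2-HMAC-SHA256 work factor (illustrative 2014-era value).
PBKDF2_ITERATIONS = 100_000

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for an
    unspecified reversible 'encryption' scheme.  Not for real use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def store_encrypted(pw: str, key: bytes = SERVER_KEY) -> str:
    """Reversible: nonce$ciphertext.  Anyone holding the key gets the password back."""
    nonce, data = os.urandom(8), pw.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce.hex() + "$" + ct.hex()

def decrypt(stored: str, key: bytes = SERVER_KEY) -> str:
    nonce_hex, ct_hex = stored.split("$")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")

def store_unsalted(pw: str) -> str:
    """Fast unsalted hash: identical passwords give identical digests."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()

def store_salted_pbkdf2(pw: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus an iterated KDF, stored as iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_salted_pbkdf2(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def attack_encrypted(dump: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], int]:
    """Attacker who took the key along with the table: every record, no guessing."""
    return {u: decrypt(s, key) for u, s in dump.items()}, len(dump)

def attack_unsalted(dump: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Hash each guess once, then look every stolen digest up in that table.
    Cost is len(GUESSES) hashes however many records leaked."""
    table = {store_unsalted(g): g for g in GUESSES}
    cracked = {u: table[d] for u, d in dump.items() if d in table}
    return cracked, len(GUESSES)

def attack_salted(dump: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """The salt forces one KDF run per (user, guess) pair and the iteration
    count makes each run slow, so precomputed tables are useless."""
    cracked: Dict[str, str] = {}
    kdf_runs = 0
    for user, stored in dump.items():
        for guess in GUESSES:
            kdf_runs += 1
            if verify_salted_pbkdf2(guess, stored):
                cracked[user] = guess
                break
    return cracked, kdf_runs

def build_dumps() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """The three tables an intruder would walk away with."""
    return ({u: store_encrypted(p) for u, p in CUSTOMERS},
            {u: store_unsalted(p) for u, p in CUSTOMERS},
            {u: store_salted_pbkdf2(p) for u, p in CUSTOMERS})

if __name__ == "__main__":
    enc, unsalted, salted = build_dumps()
    for name, (cracked, cost) in (("encrypted + key", attack_encrypted(enc, SERVER_KEY)),
                                  ("unsalted SHA-1", attack_unsalted(unsalted)),
                                  ("salted PBKDF2", attack_salted(salted))):
        print(f"{name}: {len(cracked)}/{len(CUSTOMERS)} recovered, {cost} operations")
```

With the key, every encrypted record falls for one decryption each, whoever the user is. With the unsalted hash, the two users who chose the same password show up as identical digests, and the whole table is attacked with one hash per guess, so the cost does not grow with the number of leaked records. With a salt and a work factor, every (user, guess) pair costs a full KDF run, which is the property that makes "change your password" a mitigation rather than a race the customer has already lost.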
ESET Corporate News

ESET provides Cyberoam Technologies with Secure Authentication
ESET has announced its new partnership with Cyberoam Technologies, a leading global provider of network security appliances. The partnership will allow Cyberoam Technologies to integrate ESET Secure Authentication, a mobile solution relying on two-factor, one-time passwords (2FA OTP) for remote access, into Cyberoam Technologies' Unified Threat Management and Next Generation Firewall appliances. This additional layer of protection will secure both end users and enterprise networks. The partnership is currently being deployed in South Africa.

ESET scores high in brand awareness by German magazine PC Welt
ESET continues to rise in Germany. In the business segment, ESET won a silver medal as Brand of the Year in the Security software category. The brand-awareness survey was conducted by the German computer magazine PC Welt. PC Welt readers also prefer ESET as the security software for their business: ESET scored a silver medal as Technology Winner in the Security software category.

The Top Ten Threats

1. Win32/Bundpil
Previous Ranking: 1
Percentage Detected: 2.3%
Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files over HTTP; the files are then executed. The worm may delete files and folders matching the following patterns: *.exe, *.vbs, *.pif, *.cmd, *Backup.

2. JS/Kryptik.I
Previous Ranking: 2
Percentage Detected: 1.82%
JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

3. Win32/RiskWare.NetFilter
Previous Ranking: n/a
Percentage Detected: 1.73%
Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to engage in unwanted behaviour. It allows an attacker to remotely connect to the infected system and control it in order to steal sensitive information or install other malware.

4. LNK/Agent.AK
Previous Ranking: 3
Percentage Detected: 1.55%
LNK/Agent.AK is a shortcut (link) file that concatenates commands so that it runs the real, legitimate application or folder and, additionally, runs the threat in the background. It could become the new version of the autorun.inf threat. This technique became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

5. Win32/Sality
Previous Ranking: 4
Percentage Detected: 1.38%
Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities in the system, and ensures that the malicious process starts on each reboot of the operating system. It modifies EXE and SCR files and disables services and processes related to security solutions. More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. HTML/ScrInject
Previous Ranking: 8
Percentage Detected: 1.37%
Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

7. Win32/Adware.MultiPlug
Previous Ranking: n/a
Percentage Detected: 1.28%
Win32/Adware.MultiPlug is a Potentially Unwanted Application which, once present on the user's system, might cause applications to display advertising popup windows during internet browsing.

8. INF/Autorun
Previous Ranking: 5
Percentage Detected: 1.24%
This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun's frequent return to the number one spot clearly indicates. Here's why it's a problem. The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn't always the program's primary distribution mechanism, malware authors are always ready to build in a little extra "value" by including an additional infection technique. While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it's better to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case.

9. Win32/Conficker
Previous Ranking: 6
Percentage Detected: 1.15%
The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system (MS08-067). This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it's important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can't hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145. It's important to note that it's possible to avoid most Conficker infection risks generically, by practicing "safe hex": keep up to date with system patches, disable Autorun, and don't use unsecured shared folders.

10. Win32/TrojanDownloader.Zurgop
Previous Ranking: n/a
Percentage Detected: 1.14%
Win32/TrojanDownloader.Zurgop is a family of malicious code that, once it infects a vulnerable system, downloads other malware from the Internet. Variants of this family use different techniques to avoid detection, such as run-time compression with packers like PEncrypt or PECompact.

http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AB/description
Win32/TrojanDownloader.Zurgop.AB is a Trojan which tries to download other malware from the Internet. The file is run-time compressed using PEncrypt.

http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AZ/description
Win32/TrojanDownloader.Zurgop.AZ is a Trojan which tries to download other malware from the Internet. The file is run-time compressed using PECompact.

http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.BI/description
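The INF/Autorun entry above (item 8) describes a heuristic: an autorun.inf that arranges for a program to run when the media is inserted is treated as a launcher unless a specific family is recognised. The following is an added example of such a triage check, written for this page; it is not ESET's detection logic. It parses the [autorun] section the way Windows reads it (case-insensitively, ignoring lines it cannot parse) and flags the directives that cause execution: open, shellexecute, any shell\<verb>\command, and a shell= line that makes a custom verb the default double-click action. The two sample files, the SID-like path, the "hidden system folder" pattern list and the choice to also honour the obsolete [autorun.<arch>] section names are all assumptions made for the demonstration.

```python
"""Heuristic triage of an autorun.inf: flag any directive that causes a program
to run when the media is inserted or double-clicked.  Added example, not ESET's
INF/Autorun detection logic; the two sample files below are constructed."""
import re
from typing import Dict, List

# Execution directives inside [autorun] (assumption: the documented set).
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command defines a context-menu verb that runs a command.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Folders droppers favour because Explorer hides them (assumed list).
HIDDEN_DIR = re.compile(r"recycler|\$recycle\.bin|system volume information", re.IGNORECASE)

# Constructed samples: a harmless file and an autorun launcher of the kind
# described under INF/Autorun, padded with junk and NUL bytes.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Holiday photos
"""
DROPPER_INF = """[AutoRun]
; padding that a naive parser chokes on
\x00\x00\x00\x00
OPEN=RECYCLER\\S-1-5-21-0\\svchost.exe
shell\\open\\command=RECYCLER\\S-1-5-21-0\\svchost.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0\\svchost.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def parse_autorun(text: str) -> Dict[str, List[str]]:
    """Case-insensitive parse of the [autorun] section.

    Droppers pad the file with junk lines or NUL bytes, use odd casing and
    repeat keys, so skip what does not parse, lower-case keys, and keep every
    value seen for a key rather than only the last one."""
    keys: Dict[str, List[str]] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            # [autorun] plus the obsolete platform-specific [autorun.<arch>] forms
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys.setdefault(key.strip().lower(), []).append(value.strip())
    return keys

def autorun_findings(text: str) -> List[str]:
    """Reasons this file would be treated as an autorun launcher (empty = benign)."""
    keys = parse_autorun(text)
    findings: List[str] = []
    for key, values in keys.items():
        for value in values:
            if key in EXEC_KEYS or SHELL_COMMAND.fullmatch(key):
                findings.append(f"executes: {key}={value}")
            elif key == "shell":
                # shell=<verb> makes that verb the default double-click action
                findings.append(f"default verb overridden: shell={value}")
            if HIDDEN_DIR.search(value):
                findings.append(f"path in a hidden system folder: {key}={value}")
    return findings

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("dropper", DROPPER_INF)):
        print(name, autorun_findings(sample) or "no findings")
```

The check flags the file, not the payload: what it tells you is that inserting the stick would launch something from a hidden folder. As the entry above says, the dependable fix is to turn Autorun off rather than to rely on catching every such file; on Windows that is the "Turn off Autoplay" Group Policy setting, which writes NoDriveTypeAutoRun=0xFF under the Explorer policy key.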
Top Ten Threats at a Glance (graph)
Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with 2.3% of the total, was scored by the Win32/Bundpil class of threat.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100" Awards, and has never missed a single "In-the-Wild" worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organizations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. More information is available via About ESET and Press Center.

Additional Resources
Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the ESET Threat Center to view the latest:
ESET White Papers
WeLiveSecurity
ESET Podcasts
Independent Benchmark Test Results
Anti-Malware Testing and Evaluation