Drive-by – SWITCH Security-Blog

Safer Internet

Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend helped her to install a popular open-source content management system (CMS) for the website, so that she can change the menu every week and perform other updates herself. The parents of the kids were delighted to have access to this information online.

Three months after the website went online, one of the parents called her, telling her that the website was no longer available, and a warning was displayed instead. He also told her that he had a virus on his home PC and had to reinstall his operating system and change all his Internet passwords. When she talked to other parents that day, they told her the same.

What happened? Continue reading “Safer Internet”

Drive-by code and Phishing on Swiss websites in 2014

In 2014, about 1,800 Swiss websites were cleaned from drive-by code, compared with 2,700 in 2013, a decline of 33%. At the same time, the number of phishing cases affecting .ch and .li top-level domains rose from only a handful in 2013 to more than 300.

Drive-by code on Swiss websites in 2014

Last year, 35,796 suspicious drive-by URLs in the .ch and .li top-level domains were reported to SWITCH. Security experts from SWITCH-CERT automatically sent requests to these servers and analysed the responses, looking for malicious code injected into the HTML source code. When an expert identified malicious code, the registrar or domain name holder and the web hoster were notified and asked to remove it within one working day. This was done for 1,839 domain names in 2014. In 1,493 (81%) cases, the code was removed by the web hoster or domain holder within one day. For the other 346 domains, the deadline was not met, and the domain name was temporarily suspended to prevent further damage to website visitors. Some 264 (14%) of the infected websites were cleaned of malicious code, with the remaining 82 domain names having to be reactivated after five days, the maximum suspension time by law. A request for identification was sent to the holders of all 82 domains, resulting in an additional 59 (3.2%) of websites being cleaned. A total of 23 (1.3% of all notified) domain names were deleted after 30 days because the domain holder failed to respond to the identification request.

malware2015_E — Compromised .ch and .li websites used for drive-by infections by quarter

Continue reading “Drive-by code and Phishing on Swiss websites in 2014”

IT-Security-Links #70

Superfish Adware and SSL backdoor preinstalled on Lenovo Laptops: In case you bought a Lenovo Laptop in the last 6 month, you should check it for preinstalled malware and – even worse – a rogue root CA certificate making the system vulnerable to HTTPS spoofing…
…CERT/CC warns in the meantime, that also other (Komodia) software installs this certificate and private keys, like for example the ‘KeepMyFamilySecure’ parental control software.
SIM card encryption keys: According to “The Intercept”, US and British intelligence services have stolen encryption keys of the major SIM card maker Gemalto to spy on mobile voice and data communications worldwide. Gemalto produces some 2 billion SIM cards a year and also makes the chips for ‘next-generation’ credit cards.
Android Malware: Newly discovered Android malware hijacks your (rooted) phones shutdown process. Even though the device appears to be off, it remains functional and the malware can make outgoing calls, take pictures and perform many other tasks.
Kaspersky published information about a threat actor that ‘surpasses anything known in terms of complexity and sophistication of techniques‘. One of their tools: Malware that allows reprogramming of the hard drive firmware of all popular brands.
Kaspersky also published their 31-page Lab Report “Financial cyber threats in 2014“
Drive-by: Anyone who has browsed Jamie Oliver’s site recently should perform a security scan to ensure their computers were not infected. 😉

German:

Die Digitale Gesellschaft Schweiz hat einen 24-seitigen Bericht zum Thema “Massenüberwachung durch die Geheimdienste: Wie ist die Schweiz betroffen, und welche Massnahmen sind notwendig?” (PDF) veröffentlicht.

Mehr Drive-By Exploits auf gehackten Schweizer Webseiten

Als Drive-By Exploit oder Drive-By Download bezeichnet man es, wenn auf dem Computer eines Internetnutzers nur durch das Aufrufen einer Webseite im Browser automatisch und unbemerkt schädliche Software installiert wird.

Nach der Infektion mit schädlicher Software haben Kriminelle meist unbegrenzten Zugirff auf den Computer und die darauf gespeicherten Daten und versuchen damit Geld zu verdienen. Trojaner stehlen z.B. Zugangs- und Kreditkarteninformation des Benutzers oder greifen in sein Ebanking ein. Ransomware versucht durch Einschüchterung des Benutzers und durch Blockade des PCs Geld zu erpressen.

Gemäss eines Berichts (PDF) der “European Network and Information Security Agency” ENISA stellen Drive-By Exploits für 2013 die grösste Bedrohung für Internetnutzer dar. Dies bestätigen auch die Zahlen aus der Schweiz. Continue reading “Mehr Drive-By Exploits auf gehackten Schweizer Webseiten”

More Malware distributing Websites in Q3 2012

In the 3rd quarter 2012, SWITCH-CERT has helped to clean 1260 malware distributing websites under the .ch and .li top level domains. This is more than twice than in the quarters before.

Visiting a hacked website is the most common reason to get infected with malware. Most often these are legitimate websites that are compromised by cyber criminals. The attackers inject invisible elements, such as iframes of javascript into the website. These invisible elements try to exploit vulnerabilities when a visitor opens the website with his browser. When the exploits succeed, the computer of the visitor is most likely infected with a trojan and becomes part of a botnet. The attackers now have complete remote control over the infected system and can use it to steal confidential data, attack e-banking, send SPAM or launch a Distributed Denial of Service (DDOS) attacks from the “bot client”.

The dramatic rise of compromised websites in Q3 2012 is most likely due to a vulnerability in the popular Plesk server admin software, that allowed attackers to access the websites and enabled them to inject their invisible code. Exploit kits were commercially available on the internet.