Mobile banking security still a barrier for consumers

Customers are increasingly turning to mobile apps to make simple banking transactions, but a significant portion of those who don’t bank using mobile devices cite security concerns as the reason.

In a Deloitte report, referenced by Tripwire, it was found that of the respondents who do not regularly use mobile devices for financial services, 61 percent listed security issues as the prime reason. Meanwhile, a Verizon report suggests that mobile malware is not currently a significant point of attack for cybercriminals.

A number of suspects believed to be responsible for one of the first major banking malware threats – known as Svpeng – were arrested in Russia last month. The malware, which spreads via text message, is said to have infected more than 350,000 Android devices last year, targeting smartphones and tablets with banking software installed, locking them, and then holding the owners to ransom.

Still, mobile banking security remains a concern for many consumers, and for experts writing for publications including The Guardian and USA Today, who predicted that banking malware could be a threat during the year ahead.

Banks, meanwhile, have been working to reassure their customers by bolstering the security of their mobile apps. Halifax in the UK, for instance, is said to be experimenting with heartbeat authentication via a wristband that confirms customers’ identity. A similar technology is also being trialled by the Royal Bank of Canada, as previously reported by We Live Security.

Whether or not this technology is eventually adopted, those banking online in the meantime can protect themselves by following the advice in our video below.

by Kyle Ellison, ESET

Dissecting Linux/Moose

The Analysis of a Linux Router-based Worm Hungry for Social Networks

Today we are releasing a research paper about a malware family that primarily targets Linux-based consumer routers but that can infect other Linux-based embedded systems in its path: Dissecting Linux/Moose. This blog post will summarize a few elements of the full report.


Linux/Moose is a standard Linux executable taking the form of a statically-linked ELF binary that was stripped of any debugging symbols. It relies heavily on multithreading for its operation, using as many as 36 threads. This malware can be classified as a worm since most of its threads are used in its attempt to find and infect other devices automatically. Here is a diagram that highlights Moose’s capabilities:

[Figure: diagram of Linux/Moose capabilities]
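The two properties named above, statically linked and stripped of symbols, can be read straight from the ELF program and section headers. The triage script below is an added example, not part of ESET's released research code: it handles 32- and 64-bit ELF in either byte order, treats a missing section table as stripped, and tests itself against minimal ELF images constructed inline (the EM_MIPS machine id is only a placeholder for those samples).

```python
"""Triage heuristic: is this Linux ELF binary statically linked and stripped?"""
import struct

PT_DYNAMIC, PT_INTERP = 2, 3   # program header types only dynamically linked binaries carry
SHT_SYMTAB = 2                 # section type that 'strip' removes
EM_MIPS = 8                    # machine id used only for the constructed sample images


def _formats(elf_class: int, little_endian: bool):
    """struct formats (after the 16-byte e_ident) for the header, one phdr and one shdr."""
    e = "<" if little_endian else ">"
    if elf_class == 1:   # ELFCLASS32: 32-bit offsets; phdr order is p_type, p_offset, ...
        return e + "HHIIIIIHHHHHH", e + "IIIIIIII", e + "IIIIIIIIII"
    return e + "HHIQQQIHHHHHH", e + "IIQQQQQQ", e + "IIQQQQIIQQ"   # ELFCLASS64


def triage_elf(data: bytes) -> dict:
    """Report class, endianness, machine, and whether the image is static and stripped."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a supported ELF image")
    elf_class, little_endian = data[4], data[5] == 1
    ehdr_fmt, phdr_fmt, shdr_fmt = _formats(elf_class, little_endian)
    try:
        h = struct.unpack_from(ehdr_fmt, data, 16)
        # h: type, machine, version, entry, phoff, shoff, flags, ehsize,
        #    phentsize, phnum, shentsize, shnum, shstrndx
        machine, phoff, shoff = h[1], h[4], h[5]
        phentsize, phnum, shentsize, shnum = h[8], h[9], h[10], h[11]
        # p_type is the first phdr field and sh_type the second shdr field in both classes
        ptypes = [struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)[0]
                  for i in range(phnum)]
        stypes = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize)[1]
                  for i in range(shnum)]
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    return {
        "class": 32 if elf_class == 1 else 64,
        "little_endian": little_endian,
        "machine": machine,
        # no interpreter and no dynamic segment: nothing is resolved at load time
        "static": PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes,
        # no .symtab (or no section table at all): no symbol names to help an analyst
        "stripped": SHT_SYMTAB not in stypes,
        "has_section_table": shnum > 0,
    }


def build_sample_elf(elf_class=2, static=True, stripped=True, section_table=True) -> bytes:
    """Construct a minimal, non-runnable ELF image (constructed test input, not a real sample)."""
    ehdr_fmt, phdr_fmt, shdr_fmt = _formats(elf_class, True)
    ehsize = 16 + struct.calcsize(ehdr_fmt)
    phentsize, shentsize = struct.calcsize(phdr_fmt), struct.calcsize(shdr_fmt)
    ptypes = [1] if static else [PT_INTERP, 1, PT_DYNAMIC]   # PT_LOAD is type 1
    names = b"\0.shstrtab\0" + (b"" if stripped else b".symtab\0")
    stypes = ([0, 3] + ([] if stripped else [SHT_SYMTAB])) if section_table else []
    phoff = ehsize
    names_off = phoff + phentsize * len(ptypes)
    shoff = names_off + len(names) if section_table else 0
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + bytes(8)   # class, LE, version, SysV ABI
    ehdr = ident + struct.pack(ehdr_fmt, 2, EM_MIPS, 1, 0, phoff, shoff, 0, ehsize,
                               phentsize, len(ptypes), shentsize, len(stypes),
                               1 if section_table else 0)
    phdrs = b"".join(struct.pack(phdr_fmt, t, *([0] * 7)) for t in ptypes)
    shdrs = b"".join(struct.pack(shdr_fmt, 0, t, *([0] * 8)) for t in stypes)
    return ehdr + phdrs + names + shdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage_elf(f.read()))
```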

Our monitoring of the botnet indicates that this threat is used to steal unencrypted HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate “follows” and “views” on the same sites via a SOCKS proxy server built into the malware.

[Figure: the day the username was seen in the tunnel]

[Figure: the day after]

Here is an example we captured of an HTTP request going through the proxy operated by the malware:

[Figure: captured HTTP request passing through the malware’s proxy]

Notice how the server upgrades the connection to HTTPS right away. Almost all of the traffic is encrypted via HTTPS so we can’t state precisely what actions were performed by the operators.

We monitored an infected host for about a month and noticed traffic going to the following social network sites:

  • Fotki (Yandex)
  • Instagram (Facebook)
  • Live (Microsoft)
  • Soundcloud
  • Twitter
  • Vine
  • Yahoo
  • Youtube (Google)

We were able to ascertain the domain of the targeted social network from the subject field of the certificate exchanged during the TLS handshake of the HTTPS traffic.

Here are the requests going daily to social network sites from a single infected router:

[Figure: daily requests to social network sites from a single infected router]

The chart below shows which social networks were targeted most during that interval:

[Figure: most targeted social networks during the monitored interval]

During our analysis we often asked ourselves, “Why so much effort in order to interact with social networks?” But of course there is a market for follows, likes, views and whatnot. The operators of this botnet are generating revenue by performing social network fraud. The consumer routers under attack provide a means to proxy malicious traffic from the operators through to the social network sites leveraging highly reputable Internet Service Providers’ (ISPs) IP addresses.

The threat displays out-of-the-ordinary network penetration capabilities compared to other router-based malware. Moose also has DNS hijacking capabilities and will kill the processes of other malware families competing for the limited resources offered by the infected embedded system. More details are available in the report, including the network protocol used to communicate with the Command and Control (C&C) servers.

Research Code, Indicators of Compromise (IoCs) and More

Along with our whitepaper, we are releasing some resources to the community. First, we have decided to release on our malware-research GitHub repository all the code we’ve developed in order to monitor this threat. We think that there is little value in keeping these scripts to ourselves. The tradeoff here is that this is code that was produced in a research lab and it isn’t as polished as the code that ends up in our finished products. We hope that our peers in the industry, the Linux embedded community, and future malware analysts will get value out of it.

Second, we are looking for help in confirming which vendors and models are affected. We provide instructions on how to confirm whether Linux/Moose could infect your own devices. We will keep this list of affected vendors updated.

Finally, Indicators of Compromise (IoCs) are also available. They include all hardcoded C&C IP addresses, the current list of dynamic C&C IP addresses, instructions on how to confirm infection, the hashes of malicious files, and Yara rules. Instructions are also provided if you want to verify whether some arbitrary files are Linux/Moose binaries.


Reboot the affected device then change its password as soon as possible. Keep in mind, however, that the compromised system was accessible via credentials that the operators knew, that they were aware of its IP address and they had means to access its interactive console. They might have had manual access, which means that further infection is possible, including permanent firmware modifications (the link is in German). A factory reset, firmware update or reinstall and password change is probably best.


Change default passwords on network equipment even if it is not reachable from the Internet. Disable Telnet login and use SSH where possible.

Make sure that your router is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If you are unsure about how to perform this test, use the “common ports” scan from the ShieldsUP service while you are at home, and make sure that the ports mentioned above are reported with a Stealth or Closed status.

Running the latest firmware available from your embedded device vendor is also recommended.
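As an added example (not ESET’s tooling), the probe below checks the four management ports named in the advice above and reports them in the same Open / Closed / Stealth vocabulary: a completed TCP handshake is open, an immediate reset is closed, and silence until the timeout is stealth. Run it from outside your own network against your public IP to test the WAN side; the loopback listener helper exists only for self-testing.

```python
"""Report whether a router's management ports answer from the probing host."""
import socket

# The ports the cleaning advice says must not be reachable from the Internet.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect probe.
    'open'        handshake completed: a service answered
    'closed'      RST received: host is there, nothing listens (acceptable)
    'stealth'     no answer before the timeout: packets dropped (best)
    'unreachable' no route / name error: nothing could be concluded"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:
            return "unreachable"


def exposure_report(host: str, ports=MANAGEMENT_PORTS, timeout: float = 3.0) -> dict:
    """Map each port to its status. Only a probe from OUTSIDE the LAN (a remote host,
    a phone on mobile data) says anything about the WAN-facing side of the router."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(report: dict) -> list:
    """Ports that completed a handshake and therefore need attention."""
    return sorted(port for port, status in report.items() if status == "open")


def open_loopback_listener() -> socket.socket:
    """Self-test helper: a listening socket on 127.0.0.1 with a kernel-chosen port."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    return lst


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = exposure_report(target)
    for port, status in report.items():
        print(f"{port:>4} ({MANAGEMENT_PORTS[port]:<6}) {status}")
    print("exposed:", exposed_ports(report) or "none")
```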

The white paper with all the technical details is available for download on WeLiveSecurity.

by Olivier Bilodeau, ESET

Moose – the router worm with an appetite for social networks

ESET researchers have issued a technical paper today, analysing a new worm that is infecting routers in order to commit social networking fraud, hijacking victims’ internet connections in order to “like” posts and pages, “view” videos and “follow” other accounts.

The malware, dubbed Linux/Moose by researchers Olivier Bilodeau and Thomas Dupuy, infects Linux-based routers and other Linux-based devices, eradicating existing malware infections it might find competing for the router’s limited resources, and automatically finding other routers to infect.

[Figure: Instagram account]

However, the Moose worm does not rely upon any underlying vulnerability in the routers – it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.

Unfortunately, this means that devices other than routers can be impacted by the worm in the form of accidental collateral damage. ESET’s team believes that even medical devices, such as the Hospira drug infusion pump, could be infected by the Linux/Moose worm.

But the principal victims are likely to be routers – with devices from Actiontec, Hikvision, Netgear, Synology, TP-Link, ZyXEL, and Zhone already identified as vulnerable.

ESET’s detailed technical report provides an in-depth analysis of the Moose worm, methods by which users can determine if their routers might have been compromised, and cleaning instructions. Importantly, the technical report also provides prevention advice to avoid reinfection.

Perhaps most interesting of all, however, is to try to understand the purpose of the Moose worm.

In their investigation, ESET’s team observed the worm creating bogus accounts on sites such as Instagram, and automatically following users. In many cases the rise in followers was carefully staggered over some days, seemingly to avoid raising alarms in automated systems built by the social networks to identify suspicious behaviour.

The sad truth is that there are many individuals and companies out there who are keen to manipulate their social media standing, and have no qualms about hiring third-parties who claim to have methods to bump up the number of views of a corporate video, boost the followers on a Twitter feed or get you more Facebook fans.

Often these third-parties will themselves contract the work out to other companies, and the danger is that one of these might – perhaps unwittingly – hire criminals with access to the botnet of Moose-compromised routers to conduct the social media fraud on their behalf.

The fact that these aren’t *real* fans, or *real* views of the video is likely to go unnoticed or be swept under the carpet by marketing teams keen to impress their bosses.

As well as social networking fraud, ESET’s paper considers that the malware could potentially be used for other activities – such as distributed denial-of-service attacks, targeted network exploration (where it works hard to dig deep past firewalls) and eavesdropping and DNS hijacking (which could lead itself to phishing and further malware attacks).

Once again, consumers are advised to be on their guard, ensure that they install the latest security patches and never use default or easy-to-crack passwords on their internet-connected devices.

For much more information about the threat, and how to protect yourself against it, read the technical paper from ESET’s team of experts: “Dissecting Linux/Moose”.

by Graham Cluley, We Live Security

Scareware: Fake Minecraft apps Scare Hundreds of Thousands on Google Play

ESET has discovered over 30 scareware applications available for download from the Google Play store. The malicious applications, which pretended to be cheats for the popular Minecraft game, have been installed by more than 600,000 Android users.

It’s not easy to slip a malicious application into Google’s official Play Store these days. Google’s automated application scanner, Bouncer, helps to reduce the amount of malware on the official app store. Yet some baddies do occasionally get by, as demonstrated by our recent discovery of over 30 scareware applications that were uploaded to the Play store in the course of the last 9 months.

Figure 1 Removed fake applications

Most of the rogue applications pretended to be cheats for the popular Minecraft game. All of the discovered apps were fake, in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a “dangerous virus”. Users were then directed to remove viruses by activating a premium-rate SMS subscription that would cost them 4.80 EUR per week.

All of the identified scareware apps behaved in a similar way, the only differences being in the names and icons of the applications. They were uploaded to the Play store by different developer accounts, but we assume that these were all created by one person.

The first scareware applications were uploaded to the store in August 2014. During the time they were online, they received poor user reviews and negative comments. Yet, according to public data from the Google Play store, several of them were installed between 100,000 and 500,000 times, and the total number of installations of all 33 scareware applications lies between 660,000 and 2,800,000.

Figure 2 Cheats For Minecraft

ESET security software detects this threat as Android/FakeApp.AL. After our notification, Google has taken the apps down from the Play store.


After installation, all of the applications looked and behaved in a similar manner. The apps’ icons resembled the official Minecraft game.

Figure 3 Application icons

After launching the application, the whole screen was covered with flashing advertisement banners. The app itself had three buttons – Start, Options and Exit – but none of their functionality was implemented in the code.

The language of the scareware advertisements is based on the geographic location of the device – a common practice in ransomware.

Figures 4,5 Virus was found?

Any user interaction with the application – clicking the Start, Options or Exit buttons, or clicking on one of the numerous ad banners – leads to an alert window popping up, saying that the device is infected with a virus and giving the victim the option to remove it.

Clicking on the alert leads to the next step of the scam – several websites with more scareware messages. One of these websites tries to appear as if it belonged to the legitimate AV vendor G Data.

Figures 6-8 Scareware messages and a fake G Data Mobile Security webpage

In the endgame of the scam, the scareware prepares an SMS in the system’s default SMS application. The text of the SMS is made to look like an activation of the antivirus product. The application does not have permission to send the SMS itself and relies solely on social engineering to trick the user into sending it manually. If the user falls for the scam, it will cost them 4.80 € per week.

Note that the scam webpage has nothing to do with the legitimate G Data security software.


The damage that this recent Android malware discovery can inflict is perhaps less acute when compared to the file-encrypting Android/Simplocker but the seriousness of this threat lies in the fact that it may have been downloaded by almost three million users from the official Google Play store.

Google’s Bouncer has been used since late 2011 on all uploaded applications and it has decreased the percentage of malicious applications in the store by about 40%. In March 2015 Google announced that all applications will also be reviewed by humans. This step should increase security and further lower the amount of malicious applications on Google Play.

Generally, Android users can effectively avoid the installation of malicious or unwanted applications. Refrain from downloading apps from unofficial sources and keep security software on your Android device (ESET Mobile Security, for example) up to date. It is also advisable to spend some extra time reading reviews from people who have already installed the app, and to consider what permissions an app requests during installation.

by Lukas Stefanko, ESET

Popular GTA V mods come with unwanted malware

Two popular Grand Theft Auto V modifications have been found to contain unwanted additional malware, according to The Escapist.

Modifications allow fans of games to change the way they play in fundamental ways, and are often done with the blessing of the publishers. The two mods in question are Angry Planes and Simple Noclip. The former spawns aggressive planes which attack the player, while the latter allows players to walk through walls and objects. Although both delivered the promised features, they came up with a nasty surprise exposed on GTAForums.

It seems the downloads come with a keylogger, which sends its data to a remote server. The Escapist also notes that it contains modules for “flooding targets with network traffic.”

Although not everyone has reported being able to find evidence of the malware – which seems to come packaged as a file called fade.exe – gamers who have run the mods are warned to take no chances, and to change all their passwords to be on the safe side. It is not unheard of for malware to remove its files to avoid detection, after all. That said, The Independent claims that users who haven’t run the mods may be safe, as “just downloading it is thought not to cause the problems.”

The site has since removed the two mods, and promised a more thorough approvals process in future in order to flush out malicious modifications before they can do their damage. “If you post compiled scripts in .asi, .dll, or .net.dll formats, the approval process will be much lengthier. We recommend avoiding these formats completely and publishing your mods as .lua or .cs source files, these kinds of scripts will be approved very quickly because the source can be verified,” the site owners wrote.

by Alan Martin, ESET

Monthly Threat Report: April 2015


The Top Ten Threats

1. Win32/Adware.MultiPlug
Previous Ranking: 1
Percentage Detected: 3.57%
Win32/Adware.Multiplug is a Potentially Unwanted Application that, once it gets a foothold on the user’s system, might cause applications to display pop-up advertising windows during internet browsing.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 1.81%
Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL address from which it tries to download several files. The files are then executed and HTTP is used for communication with the C&C to receive new commands. The worm may delete the following folders:

3. JS/Kryptik.I
Previous Ranking: 7
Percentage Detected: 1.70%
JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

4. Win32/TrojanDownloader.Waski
Previous Ranking: 3
Percentage Detected: 1.67%
Win32/TrojanDownloader.Waski is a Trojan that uses HTTP to try to download other malware. It contains a list of two URLs and tries to download a file from the addresses. The file is stored in the location %temp%\¬miy.exe, and is then executed.

5. LNK/Agent.AV
Previous Ranking: 6
Percentage Detected: 1.35%
LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

6. Win32/Sality
Previous Ranking: 4
Percentage Detected: 1.27%
Sality is a polymorphic file infector. When it is executed, registry keys related to security applications in the system are created or deleted, and keys are set to ensure that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.

7. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.20%
This is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files so as to insert malicious instructions into them. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, and run executable files or shut down/restart the computer.

8. HTML/ScrInject
Previous Ranking: N/A
Percentage Detected: 1.19%
Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

9. Win32/AdWare.ConvertAd
Previous Ranking: N/A
Percentage Detected: 1.17%
Win32/Adware.ConvertAd is adware used for the delivery of unsolicited advertisements. The adware is usually part of other malware.

10. HTML/Refresh
Previous Ranking: 5
Percentage Detected: 1.14%
HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

Love hurts: Online dating scams are Australia’s top financial fraud

Australians were scammed out of around AUS$82 million (US$66 million) during 2014, with online dating fraud accounting for the biggest losses, reports

The figures courtesy of the Australian Competition and Consumer Commission (ACCC) show that more than 91,000 scam complaints were received last year, with one in ten victims tricked out of more than AUS$10,000 (US$8,000). For 14 victims, the losses were greater than AUS$500,000 (US$400,000).

The report notes that romance-based scams accounted for more than a third of financial fraud, as AUS$28 million (US$22 million) was stolen from victims who sent money to false admirers. This was the top category in the ACCC’s report, followed by get-rich-quick investment schemes, says NDTV Gadgets.

“There is a common misconception that scam victims are only the greedy and gullible,” said ACCC deputy chairman Delia Rickard.

“Anyone can fall victim to a scam and we are all vulnerable at some time in our lives to those unscrupulous individuals willing to take advantage of our better nature or simple mistakes.”

The ACCC report also claims that the actual amount stolen is likely to be higher than the sum of complaints, with some victims either unaware of the crimes or too embarrassed to report them. Surprisingly, most of the frauds that were reported occurred by phone, via calls or text message (53%), while 38% were online. Rickard warns, though, that data for those phone scams may have been captured online.

“Increasingly, scammers are using personal information gleaned from social media profiles to target victims for a fraudulent relationship or investment,” she said.

“Scammers are constantly ‘phishing’ for your personal details such as your name, address and birthdate and this will only increase too as your personal data becomes more valuable to them.”

Internet users looking for love are advised to secure their social media profiles, as well as protecting themselves against online dating scams by following the advice in our video below.

by Kyle Ellison, ESET

How did the Internet change the everyday work of a security researcher?

Every May 17th is World Telecommunication and Information Society Day, which attempts to raise global awareness of how the Internet and new technologies have changed our society, and of the opportunities they have given us to improve our lifestyle. This special date, also known as Internet Day in some Spanish-speaking countries, is an opportunity for us at ESET to celebrate its existence by remembering what it was like to work in security before the Internet appeared.

What do you think it was like to do the everyday work of a security researcher in the 1980s? What has changed in terms of protection against threats? And how has the procedure to find and investigate security issues changed?

This and other queries were answered by two of ESET’s respected security researchers, with decades of experience and a lot of stories to tell: Aryeh Goretsky and David Harley.

ESET’s Distinguished Researcher Aryeh Goretsky has been around technology and computers ever since he used a Commodore PET for the first time in the late 1970s. Having now worked for some two-and-a-half decades in this industry, he has an interesting point of view when it comes to the rise of the Internet:

“We used to say that computer viruses spread at the speed at which courier and postal services could ship and deliver infected floppies.”

“I suppose the Internet has been something of a mixed blessing for me. While it has enabled all sorts of means of communication that simply were not possible before (think instant messaging) as well as allowing existing lines of communication to occur at faster rates, it has also allowed malicious code to spread orders of magnitude more quickly than it previously could: before that, network connections often meant computers calling each other with modems over telephone lines, or overnighting a set of floppy diskettes or CDs by courier, since that was faster than the network communications we had.

In the beginning, we used to say that computer viruses spread at the speed at which courier and postal services could ship and deliver infected floppies. Nowadays, a worm or other malware can become globally pandemic in an hour or two.”

In the early days of malware, floppy disks were the main means of distribution.

Meanwhile, ESET Senior Research Fellow David Harley started his career in information technology in the 1980s and, ever since, he says the industry puts up with him because, well, he’s been around so long – having written a number of Internet FAQs and articles on programming and security back when those were issues that most people didn’t think of as being important to them.

“In the 1980s, when I moved into information technology as a career, the Internet had already existed for a couple of decades – in fact, some of its underlying technologies, notably the telephone system, are far older. Nonetheless, it was a very different environment. There was no World Wide Web as such, though there were protocols and utilities subsequently assimilated into and/or replaced by web browser technology (archie, gopher, veronica).

“I first began to work from home – using a US Robotics modem borrowed from work that cost more than my own PC and occupied almost as much space as a trio of 12” baguettes.”

Access to the handful of machines that were permanently connected to the Internet was usually filtered for home users through services like AOL. Until I left the UK’s National Health Service in 1989, my online communications with the outside world were mostly restricted to services that sidestepped the ‘proper’ Internet – bulletin boards and the UK’s Prestel videotex/Viewdata system (rather like the teletext systems that have been gradually vanishing from television in recent years).

Moving to the Imperial Cancer Research Fund (now merged into Cancer Research UK) gave me direct access to more hardware – one of the (then) new 80386-driven PCs, a Mac IIcx, and a Sun workstation – but even when we got our own permanent connection to the Internet, it was limited to terminal access to a server in the NOC (Network Ops Centre) via telnet, kermit, and FTP. Still, it gave me access to useful resources such as mailing lists, security newsgroups, and vendor web sites.

And when I first began to work from home – using a US Robotics modem borrowed from work that cost more than my own PC and occupied almost as much space as a trio of 12” baguettes – I was able to add those resources to my home access to CIX and Compuserve (which both already gave me email, and access to various useful forums). Indeed, it’s through all these resources that I first met (virtually at any rate) many of the people I work with now (inside and outside ESET), and work I did on Internet FAQs provided a basis for some of my early articles, papers and books.”

Dial up modems were once our main way of accessing the internet.

So how did the Internet change our lives and what new possibilities emerged? Aryeh Goretsky says:

“Most financial crimes use computers instead of guns to accomplish their thefts.”

“The Internet changed not just how people did existing things on their computers, like writing letters or drawing pictures, but gave rise to new services as well. Electronic banking existed well before—it was available on some dial-up services like CompuServe, Prodigy and QuantumLink, to name a few—but it was not until ISPs came onto the scene that banking followed, eager to give their customers new conveniences and services.

PayPal emerged as the de-facto standard for person-to-person financial transactions, and even criminals had their own payment systems, like e-gold and Liberty Reserve. With all of this money moving around the web, it wasn’t long before criminals looked for ways to steal it, and today, most financial crimes use computers instead of guns to accomplish their thefts.”


While according to David Harley:

“By 2001, Windows and Mac machines were able to make good use of the Internet and the Web in and out of the office. Indeed, working from home (which I’ve done full-time since 2006) tends to give the computer user more control and wider scope in terms of the services and applications used, at any rate if s/he uses his or her own device and is not reliant on an employer for Internet access.

The flipside is that users were more able to put themselves in harm’s way when the IT unit wasn’t responsible for their connection: by that time there was a lot more to worry about than infected floppy disks, with threats of all sorts capable of traversing the ether almost instantaneously, and keeping up with security news and having good network protection was more important than ever. Of course that hasn’t changed with the onset of BYOD/CYOD.”


And what does this mean for a security researcher? Aryeh Goretsky says there’s a challenge:

“It means that things move much faster, and as a result, we have to respond more quickly.”

“It means that things move much faster, and as a result, we have to respond more quickly. Fortunately, the same Internet which empowers all the positive things allows us to communicate more efficiently as well, sharing threat intelligence and data.

And that means we can do things like leverage the power of the advances in networking, software and hardware that allow the Internet to run at scale not just to distribute things like updates more quickly than before, but reduce false positives, compatibility issues and other types of problems that plagued the old reactive kinds of anti-virus software that were reactive.”

The always-on internet connections mean that it's easier than ever to keep software updated.

That being said, David Harley concludes:

“The interactive nature of today’s web means that there is more information (and misinformation) out there than any one person can ever hope to gather and verify.”

“The Internet gives me access to my colleagues at ESET, specialist mailing lists that share threat intelligence (and much else), the media, and a multitude of resources that simply didn’t exist or were impossible to find in the early 90s. Of course it’s easier to publish timely commentary (or papers, manuals, FAQs and so forth) with standard blogging and CMS tools than it was with lynx on a Unix server, and researching the topics for that content is far easier.

However, those advantages also have a flipside. The interactive nature of today’s web means that there is more information (and misinformation) out there than any one person can ever hope to gather and verify, unless it concerns an unusually esoteric topic.

It’s easier for someone who already has expertise in a particular field to select and evaluate information from that field, of course, but what is the everyday user supposed to do when anyone with a laptop – or even a cell phone – can find somewhere to say what they like?”

by Sabrina Pagnotta, ESET
