Netflix Malware and Phishing Scams Steal Users’ Passwords and Bank Details
Researchers at Symantec discovered two distinct attack campaigns targeting Netflix users. In the first, malicious files posing as Netflix software appear on compromised computers’ desktops. The files are downloaders that, once executed, open the Netflix home page as a decoy while the Infostealer.Banload Trojan is installed in the background; the Trojan then steals the victim’s banking information.
The Trojan is used primarily in Brazil. The second campaign is a phishing operation aimed mostly at Danish users, directing them to a fake Netflix website that tricks them into providing their login credentials, personal information, and payment card details. The phishing emails are designed to look identical to the genuine notifications Netflix sends its users.
Both the malware and the phishing campaigns feed a growing black market built around the sale of stolen credentials. The most common offers target buyers who want to access Netflix for free or at a reduced price. Another offering is Netflix account generators; the accounts these tools produce may come from stolen Netflix subscriptions or stolen payment card details. The generators’ creators regularly update their databases with new accounts and disabled accounts. Buyers can use the software themselves or resell the generated accounts on the black market.
Microsoft Releases Azure IoT Hub to General Availability
Microsoft has announced that Azure IoT Hub, a foundational service of the Azure IoT Suite, has reached general availability (GA). The Azure IoT Hub service provides bi-directional communication between devices and the cloud, enabling users to collect and process device data in real time. Devices may connect through a local field gateway when internet connectivity is not available on the device itself, or when a device communicates only over unsupported protocols such as ZigBee.
Microsoft Will Crack Down on MiTM Adware Starting March 31
As announced in December 2015, Microsoft will begin enforcing policy measures on March 31 that restrict software behaviors associated with man-in-the-middle (MiTM) adware, including injection by proxy, changing DNS settings, and network layer manipulation. Software whose developers fail to bring it into compliance with the new policy will be detected and removed.
The announcement is most likely a response to the poorly designed support tools from Dell and Lenovo that introduced man-in-the-middle vulnerabilities last year through hijacked HTTPS certificates, leaving millions of users exposed. The most common adware attack adds a new, fake root authority certificate that lets the adware provider inject its own ads across the web, but some adware simply approves any certificate, leaving users wide open to a variety of phishing attacks that could otherwise have been prevented.
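As an added defender-side check that is not part of the article or of Microsoft’s announcement, the PowerShell snippet below surfaces on a Windows host the three tell-tales the policy names: root-store certificates that carry a private key (a genuine CA root never ships its key; an on-the-fly signing proxy must), a user-level HTTP proxy setting, and the configured DNS servers. It assumes Windows 8 / Server 2012 or later for Get-DnsClientServerAddress, and it only reports; deciding what is legitimate remains a manual review.

```powershell
# Added example (not from the article). Lists indicators of MiTM-style
# interception on the local Windows machine for manual review.

function Get-SuspiciousRootCerts {
    # Trusted root stores for the machine and the current user.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.HasPrivateKey } |   # the red flag: a usable key beside a trust anchor
            ForEach-Object {
                [pscustomobject]@{
                    Check      = 'RootCertWithPrivateKey'
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                }
            }
    }
}

function Get-UserProxySetting {
    # WinINet per-user proxy; ad-injecting software often points this at a local port.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Check        = 'UserProxy'
        ProxyEnabled = [bool]$p.ProxyEnable
        ProxyServer  = $p.ProxyServer
        AutoConfig   = $p.AutoConfigURL
    }
}

function Get-DnsServerSummary {
    # Per-adapter DNS servers; compare against what the network should hand out.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Check     = 'DnsServers'
                Interface = $_.InterfaceAlias
                Servers   = ($_.ServerAddresses -join ', ')
            }
        }
}

Get-SuspiciousRootCerts | Format-Table -AutoSize
Get-UserProxySetting    | Format-List
Get-DnsServerSummary    | Format-Table -AutoSize
```

An empty result from Get-SuspiciousRootCerts is the expected state on a clean machine; any hit, or a proxy pointing at localhost, warrants inspecting the software that installed it.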
Corkow Trojan Shifts Ruble Exchange Rate
Group-IB reported to Bloomberg that hackers used the Corkow Trojan to artificially move the ruble-dollar rate by more than 15 percent after infecting a regional bank with the malware and placing over $500 million in trades in February 2015. The orders swung the ruble-dollar rate between 55 and 66 RUB/USD, a range far wider than normal. The attack lasted a total of 14 minutes before the malware executed a command to wipe itself from the system and eliminate any remaining traces. Corkow had been present in Energobank’s currency trading platform since September 2014, and Energobank has reportedly tried to claim losses of 244 million rubles ($3.2 million) resulting from the trades.
Corkow contains a module to subvert the iBank2 banking system, which a number of Russian banks and their corporate customers use for electronic banking and information exchange. Another module can load different plug-ins to extend Corkow’s capabilities, including logging keystrokes to steal passwords, capturing screenshots, and web injection and form-grabbing to trick users into entering their credentials for the attackers. It can also evade detection and persist unnoticed on the infected system in DLL form.