Tag Archives: scareware

Researchers spotted a new OS X scareware campaign

Experts at the SANS Technology Institute spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers.

Johannes Ullrich, security expert at the SANS Technology Institute, spotted an OS X scareware campaign that leverages fake Adobe Flash Player installers to trick users into downloading malicious software. The expert discovered the malicious campaign while analyzing Facebook clickbait scams.

“They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).” states the blog post published by the SANS Technology Institute. “The “Installer” for the fake Flash update will install various scare ware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.”

The attackers used a simple and effective trick to deceive victims, the attack starts with a popup window alerting users that their Flash Player software is outdated and providing them the instruction to update it.

Ullrich suspects that the code used to display the popup is injected by an advertisement on the page visited by the victim. If users accept to install the bogus update they will receive a fake Flash Player installer.

The bogus installer is able to bypass the Apple’s Gatekeeper security feature, it appears as a legitimate application and is signed with a valid Apple developer certificate issued to one Maksim Noskov.

“Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the “Installer” appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.” continues the post.

The software installs a genuine Flash Player software and attempts to convince users to download applications apparently designed to fix problems on the victim’s machine.

These applications attempt to trick users into calling a “support” line in order to receive instructions for fixing the alleged problems. The security experts published a small video showing what happens when victims install the “update” on a clean OS X 10.11 system:

Pierluigi Paganini

(Security Affairs – Mac OS X scareware, cybercrime)

Underestimate the threat, a serious error

In recent years it has fully understood the offensive capability of the use of cyber weapons, highly efficient tools to move attacks and espionage operations in total coverage.
The effectiveness of the cyber threat is linked not only to its intrinsic characteristics, but also to the choice of channel for its spread and in this social media represent a privileged factor. For this reason, governments and institutions are promoting and supporting the processes of monitoring and surveillance of social networking.

To ensnare the user through the social networks are proposed sensational breaking news, but beware of malware lurking. Recently a huge number of Facebook users have found status messages today claiming that the United States has attacked Iran and Saudi Arabia.
Trying to visit the proposed link the user is redirect to fake website of the main journals that report the news. In this instant the trap begin, incfact clicking on the video thumbnail the page request to the user to install or update components like Adobe Flash player. This kind of message are a really familiar for user that are are misled. Company names like Adobe or Microsoft do not arouse suspicion and cause the user to follow the procedures described in the pop up malicious.

In this way the malware gains the access to the pc of the victim’s pc. Sophos Firm has alerted its customers regarding the threats of the agents Troj/Rootkit-KK that drops a rootkit called Troj/Rootkit-JV onto your Windows systems and also of the malware known as HPsus/FakeAV-J.that create a fake explorer.exe process.

I started this article by focusing on the military scope and I ended up moving to aspects regarded playful social networks. One commits an unforgivable error if the areas are approached separately, the threat is dangerous and in any case deserves the same attention no matter its origin. We have assisted in more than one occasion to accidents caused by improper use of social networks and mobile storage devices, used as vectors to inoculate malware in military areas. Material defense, aerospace stations, and more generally any critical infrastructure is at risk.
The malware polymorphic of the latest generation are able to exploit 0-day vulnerabilities and sometimes to combine mutually accidentally generating a dangerous offensive from which to defend is not simple. These agents, once infected the victim, live by themselves, they can remain silent and steal information, they can in turn be distributed independently user action spreading itself to victim’s contacts, they can infiltrate sensitive systems.
Do not be deceived so that a scareware is a threat to distracted kids playing on social networks … there is much more at stake.
Pierluigi Paganini