In April 2012 it was reported that 700,000 Mac OS X computers worldwide were infected by a Flashback Trojan. The infected computers were combined into a botnet, dubbed “Flashfake,” which enabled cybercriminals to install additional malicious modules on them at will. One of these modules was known to generate fake search engine results.
Recently, Kaspersky Lab experts published a detailed analysis of how Flashfake infected users’ computers. The analysis also identified the main sources for spreading the Flashfake infection, which included WordPress blogs that were compromised at the end of February 2012 and into early March. Approximately 85% of the compromised blogs were located in the US.
The key take-away of this malicious campaign was the evolution of the cyber criminals’ attack methods. Rather than solely relying on social engineering to infect computers, the Flashfake cyber criminals also started using exploits that targeted Java vulnerabilities, which accelerated the infection to a mass-exploitation of Mac OS X computers.
New Spam Campaigns using the Blackhole Exploit Kit
Kaspersky Lab reported two spam campaigns that were using the infamous Blackhole Exploit Kit to install malware. The first instance was on Twitter, where more than 500 accounts were compromised. The spam campaign was sending embedded links to users that redirected them to malicious sites hosting the Blackhole Exploit Kit. The sites installed scareware on victims’ computers in the form of fake anti-virus notifications, which prompted the user to scan their system for infection.
The second instance was an email phishing campaign that began at the end of March where people were receiving fake US Airways emails. Cyber-criminals sent the phishing emails in an attempt to trick people into clicking on embedded links inside the email that offered “online reservation details,” which includes flight check-in options. If users clicked on any of the links they’re taken to a fake website containing a Blackhole Exploit Kit that is filled with banking malware. The banking malware installs itself on the user’s computer and steals their banking credentials. These spam messages were sent out in mass quantities, with the cyber criminals anticipating certain people will have flights booked with US Airways (which will get them to click on the links).
Android users in Japan are under attack
In the beginning of April a new type of Android malware was discovered in Japan. Unfortunately in this instance almost 30 different malicious apps were available on Google Play and at least 70,000 users have downloaded one of them. This particular piece of malware is able to connect to a remote server. If the connection is successful, it downloads an MP4 video file. It is also capable of stealing sensitive information from an infected device, including contact names, e-mail addresses and phone numbers of people from victim’s contact list. The malware uploads the stolen data to a remote server. Kaspersky Mobile Security detects this threat as Trojan.AndroidOS.FakeTimer.
Mobile malware which is controlled via SMS messages is gaining more and more popularity. In April, another backdoor named TigerBot was discovered. This piece of malware masks itself after the infection and doesn’t show any kind of existence on the home screen of the device. Various commands to infected phones could lead to cyber criminals recording phone calls, stealing GPS coordinates, sending SMS messages or changing network setups. All of these features may result in serious information leakage for infected users. Fortunately, there was no evidence that TigerBot was (or is) available in Google Play. However, it’s still important for users be careful when installing applications from any source. Kaspersky Mobile Security detects this threat as Backdoor.AndroidOS.TigerBot.
The full version of Kaspersky Lab’s April Monthly Malware Report can be viewed at Securelist.