Malware That Fakes Bank Login Screens Found In Google Ads (fastcompany.com) 120
tedlistens quotes a report from Fast Company: For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers. In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers. Such malware has even found its way onto Google's AdSense network, according to a report on Monday from Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it "a gratuitous act of violence against Android users." "By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," according to the company. "There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required." The good news is that the issue has since been resolved, according to a Google spokeswoman. Fast Company provides more details about these types of attacks and how to stay safe in its report.
Please log in to slashdot. (Score:5, Funny)
In order to view this post, please reply to it by logging into your slashdot account. Please enter your username and password in the reply box and press the "preview" and "submit" buttons.
Re: (Score:1)
jsm
portmanpetrified
Re: (Score:1)
Re: (Score:2)
Love it. Obligatory link [bash.org] for anyone who's been living under a rock.
Re: (Score:1)
Boom, indeed (Score:2)
Re: (Score:1, Flamebait)
Good luck with that, just hope you never get targeted by the cops. [endforfeiture.com] Note that you need not do anything wrong or illegal to be a target of civil forfeiture. Just carry around cash...
I have no sympathy for idiots transporting large sums of cash. You're just an idiot if you do this. If you need to make a large transaction, get a frickin' cashiers check. Frankly, you're lucky if the cops are the ones who seize the moolah and let you walk. A criminal would shoot you dead, take your cash, your car and your phone.
Re: (Score:2, Funny)
A criminal would shoot you dead, take your cash, your car and your phone.
NOT MY PHONE!! ANYTHING BUT MY PHONE!
Captcha: horror
Re: (Score:1)
"I have no sympathy for idiots transporting large sums of cash. You're just an idiot if you do this. If you need to make a large transaction, get a frickin' cashiers check. Frankly, you're lucky if the cops are the ones who seize the moolah and let you walk."
And I have no sympathy for the next cop who gets shot by someone whose cash he was about to seize.
Re: (Score:2)
And I have no sympathy for the next cop who gets shot by someone whose cash he was about to seize.
Same here. When police break the law, they're no longer the police- they're gang members with uniforms.
Re: (Score:3)
I have no sympathy for idiots transporting large sums of cash. You're just an idiot if you do this.
So we should avoid doing things that are perfectly legal just because the police are crooked?
We should all try to make sure to live our lives under their boots in a way that appeases them the most?
Fuck you.
Re: (Score:1)
Install AdBlock Plus.
The "obligated to see ads to pay for content" argument does not hold up when the risk of receiving malware from ads is this high.
Re: (Score:2)
“Certainly the game is rigged. Don't let that stop you; if you don't bet you can't win.”
Robert A. Heinlein, Time Enough for Love
Re: (Score:1)
“Certainly the game is rigged. Don't let that stop you; if you don't bet you can't win.” Robert A. Heinlein, Time Enough for Love
Best quote I've read this month. KUDOS!!
Fucked Company (Score:2)
I thought that place folded in the late 1990's. Did somebody buy the rights or has Fast Company just been quietly publishing to some invisible niche for the past 16 years?
Re: (Score:2)
Fast Company popped when the bubble popped. The zombie has been limping along for the last 15 years somehow.
I do miss Fucked Company, though. Those were some wild days back in the early aught's.
Ad blocker!! (Score:4, Insightful)
Good ads (Score:5, Insightful)
Ads can be good. They can enable commerce and content. Responsible advertising contains a combination of three things: a still image, and/or text, and a link. IOW: an HREF element, and within that, an IMG element and/or perhaps (preferably) some textual content. No scripts other than what's required to actually serve the ad, no videos, no animations, no scraping of user-specific information.
Anything/everything else is abuse.
Remember when Google was all about text ads?
Google's ethics cancer took care of that. For myself, I don't see many ads any longer. The status quo is to attempt to abuse me; fine. The status quo on this end is to block ads.
WTF???? (Score:2)
"It then prompts users for administrative rights..."
Why would you give admin rights to something you didn't explicitly download?
Re:WTF???? (Score:5, Insightful)
"It then prompts users for administrative rights..."
Why would you give admin rights to something you didn't explicitly download?
You're talking about end users. Something pops up they just click whatever makes it go away. You think they pay attention to that?
Re: (Score:3)
You're talking about end users. Something pops up they just click whatever makes it go away. You think they pay attention to that?
They would if Microsoft hadn't spent 10 years training them otherwise.
Confirmation dialogs are a good thing that has been destroyed by overexposure.
Re: (Score:2)
You're talking about end users. Something pops up they just click whatever makes it go away. You think they pay attention to that?
They would if Microsoft hadn't spent 10 years training them otherwise.
Confirmation dialogs are a good thing that has been destroyed by overexposure.
I think ads have contributed heavily to this training, too. People see something pop up they just want it to go away. As much as some of us would love to blame Microsoft for all our woes, the ads themselves bear a heavy responsibility for that training.
And publishers complain about ad blockers (Score:5, Insightful)
Too hard you say? Here's a hint: If the only ads you allow are a static JPEG which clicks through to the advertising site, you've done your job. Newspapers and magazines got along just fine for over a century with static ads. Advertisers don't need scripting, and in fact they've demonstrated they're too immature to be given the power of scripts.
Use jpegtran (Score:4, Informative)
A publisher or ad network can still protect users by recompressing advertisers' uploaded files. There are two ways to go about this. One is to use a JPEG optimizer such as IJG's jpegtran, which optimizes JPEG files without additional loss. The other is to require advertisers to upload PNGs or high-quality JPEGs and then transcode them to web quality using mozjpeg [github.com].
Re: (Score:2)
jpegtran
You seriously need to stop with the micro aggressions.
Re: (Score:2)
Can't tell if joke or poe's law in action.
Re: (Score:2)
You're one of those who are against the LJBT* community, aren't you?
*(Lossy JPEGs Bereft of Transparency)
Re:And publishers complain about ad blockers (Score:5, Insightful)
Safe is not a binary yes or no. It's more of a spectrum.
At one end, we have static HTML with no scripting, and a modern browser with robust content interpreters, hardened over the last two decades. We're not likely to get infected with a jpeg file or random HTML parsing flaws anymore (although it's not impossible more flaws will be found - look at Android's StageFright bugs). Besides, you notice that article was written in 2004, right? If you're using a circa 2004 browser or unpatched OS, it's your own damned fault for whatever happens.
On the other end of the web browsing safety spectrum, you have Flash and random ads that may or may not be served from an unvetted server in Bosnia, that have full access to a very powerful interpreted scripting engine, and with one tiny flaw, can infect your computer. Or, they'll bombard the user with scamware or phishing attacks to trick them into giving them access. It ends up the same either way.
Given that allowing ads or running Flash exposes us to significant risk for no gains, it's a pretty simple choice to make for informed folks. Oh, and I'm not vehemently anti-ad. For instance, I don't mind the ads on Slashdot, and have never turned them off. I figure they're safe enough and hopefully make the site a bit of money.
Re: (Score:2)
To clarify, I haven't turned off my ad-blocker on the Slashdot site. Third-party ads are still blocked. I'm talking about the ads Slashdot serves itself, like the Slashdot deal ads. This is actually a method of serving ads I'd like to encourage, and so I don't take any special action to block those ads.
Basically, I agree with everything you said about the dangers of third-party Javascript, especially when used for nothing but serving ads and tracking us.
Re: (Score:1)
Safe is not a binary yes or no. It's more of a spectrum.
No, it's not. You are safe, or you are compromised. The millisecond you get compromised, you change state hard from one to the other.
There are things that are more or less likely to get you compromised. You apparently confuse that. But there is no confusion. An image has a specific purpose. A scripting language does not. If I allow you to send me an image to display, my intention is clear - I want to see an image. If I allow you to run a script on my machine, my intention is not clear.
GP is correct. Ads nee
Re:And publishers complain about ad blockers (Score:4, Funny)
Malvertising is the RESULT of ad-blockers.
If some of us weren't blocking their ads they wouldn't have to stoop to stealing money from the few people who still see them.
Re: (Score:2)
Re: (Score:3)
This is why I use an ad blocker (Score:1)
And I don't exempt anyone, not even "safe" vendors like Google. No ad network is truly safe, they all deliver malware sooner or later.
can we please stop pretending? (Score:4, Insightful)
would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements
Can we please stop pretending that computers "automatically" do things, as if they are some magical entity that is not subject to understanding? They do what they are programmed to do, and configured to do within that programming.
Ads do not "automatically" download jack shit. They download things if you are allowing unknown remote sites to run scripts without your explicit approval. Almost always that happens because Javascript was enabled by default, which we have seen about 1000000 times is a security clusterfuck. Almost all such events happen only because someone said, "Sure! I don't care who the other party is, I'm just fine with them running code I haven't seen on my computer, automatically, by default. No no, really, it's fine! Go right ahead. I don't care what you want to do. Behavioral tracking, malware downloading, anything you want! Go for it! Door's wide open."
This is no smarter than letting anyone, at any time, use your house for any purpose they might want, "as long as they promise to stay in the living room". Drug cartels? Mafia? Human traffickers? It's all good! No, I don't need to approve the uses of my house, I'm willing to let literally anyone in the world use it for any reason. Later on, I'm going to act mystified about why the SWAT team just showed up, my house is on fire, there's a dead body in the kitchen, and the neighbors are running around screaming. There can't possibly be any connection between that, and my default-allow policy.
If you wouldn't do that with your house, why would think it's any smarter to do it with your computer?
Re: (Score:3)
It's pretty easy to start a drive by download without javascript - just use an iframe that requests a file with an attachment content-disposition. If the whole world stopped using javascript tomorrow malware writers would simply find an alternative delivery method. It's a bit like saying "stop people from buying petrol will mean no more road deaths"
There's already a very simple way to stop this being effective. You still actually have to run the apk (which you don't remember downloading), and enable 3rd par
Host blocker (Score:2)
Ads have long been a risk to security (Score:5, Interesting)
Unfortunately for sites that rely on advertising to survive, malware delivery through ads is nothing new and this forces many people to block ads as part of their online security. This is not because the sites they visit are not trustworthy. It is simply due to the fact that not every advertiser can be trusted and the companies serving ads have failed to effectively prevent malware getting on to their networks. Criminals distributing their malware through ads are able to reach legitimate web sites that they would be unable to compromise, expanding their reach to a larger audience and making it an attractive option.
Many of us would be happy to view ads to support our favourite sites but are unwilling to take the risk. Antivirus software can only protect against known threats so, when new malware is constantly being discovered, their success rate of detection can never be 100%. Antivirus software forms part of a sensible online security plan but it does not replace ad blocking or blocking third party scripts.
Re:Ads have long been a risk to security (Score:5, Insightful)
Precisely. Your point is proven by the fact that these trojans are finding their way onto Google AdSense: it definitively shows that the only remedy is to block all ads because the content providers, ad networks, and other facilitators, cannot be trusted to not serve malware to the end user.
But, a little context is also worth mentioning. The original web ads used to be things like banners, or animated GIFs, usually with cheesy flashing graphics. These are still around of course. They used to be nothing more than static content that would serve a link if clicked. But as they became ubiquitous, users quickly to ignore them. So advertisers resorted to increasingly intrusive ads, like the dreaded pop-ups, which users quickly learned to close, followed by pop-unders or persistent pop-ups powered by scripting that would simply load another pop-up if the original window was closed. These resulted in browser-side blocking of pop-ups. Advertisers then escalated to overlays and interstitial ads, intercepting or obscuring the desired content. Of course, in all of this, there was always some share of shady ads, things that tried to trick the user in some way by pretending to be something it was not. But the trend has always been an arms race of increasingly intrusive and difficult to block advertising, versus increasingly more sophisticated methods to block.
This is why we are where we are today. Online advertising has a long and consistent history of being untrustworthy, malicious, and disrespectful of user preferences. Blocking is the natural reaction to such tactics. On the other hand, when people follow certain kinds of online content--product reviews on YouTube, Facebook, and Twitter--this is the way online advertising must evolve. It must evolve away from advertisers attempting to force-feed ads to users whether they wish to see it or not. Even when I know what I'm watching or reading is a paid endorsement or sponsored content, if I *choose* to look at it, that is worth far more than being forced to click through an overlay. If I cannot unblock the content without running some shady JavaScript, I simply move on.
Re:Ads have long been a risk to security (Score:5, Insightful)
it definitively shows that the only remedy is to block all ads because the content providers, ad networks, and other facilitators, cannot be trusted to not serve malware to the end user.
I'll go beyond that: if you browse the net without adblock, you are irresponsible. If you help someone with their computer, and don't set up adblock, you are irresponsible. If you are a sysadmin and don't have adblock on your computers by default, you are irresponsible and should be fired.
Re: (Score:2)
The problem sellers face is that, for the most part, they are shovelling shit. Sure, if you have a great new phone you want to advertise, send it to some YouTube reviewers (MKBHD is good) and watch the sales roll in. But most stuff is crap, and they want to sell it to you anyway. The only way they can do that is my misleading you, tricking you into wasting your money.
Most advertising will never be able to rely on reviews or even paid endorsements, because even with paid endorsements people soon start to rea
Ad Blocking (Score:5, Insightful)
And once again, Ad Blocking is justified. Those darn ads can be outright dangerous, which computer people have been saying for years.
Simply put, if companies can't be bothered to vet the ads they're serving, we can't be bother viewing any ads at all. Clean it up, already.
"Weapon"? (Score:2)
Really?
Can someone provide IP addresses? (Score:2)
Also - for those of us who use a different computer for bank activities: how can we block entire countries?
Re: (Score:2)
n/t
Re: (Score:3)
By updating the Host file (yes, it will be a back and forth thing) the ability to block the web sites and keep this crap from coming in - or going out.
It doesn't do that. You will need an egress firewall to do what you think you're doing. And it's going to have to somehow be stateful and understand the difference between a legitimate outgoing connection, and one which isn't. Good luck!
Re: (Score:2)
It doesn't do that. You will need an egress firewall to do what you think you're doing. And it's going to have to somehow be stateful and understand the difference between a legitimate outgoing connection, and one which isn't. Good luck!
You understand it does do that...
/. are that naive about such a simple method of blocking hacking/attempts to hack.
With an entry such as:
127.0.0.1 ads.yahoo.com
all traffic that would be routed to ads.yahoo.com is blocked. replace ads.yahoo.com with an ip address, and that ip address is blocked.
I'm surprised that the people here at
Re: (Score:2)
Hummm... no.
Text from a "#" character until the end of the line is a comment, and is ignored. Host names may contain only alphanumeric characters, minus signs ("-"), and periods ("."). They must begin with an alphabetic character and end with an alphanumeric character.
Source: every hosts manpage.
Re: (Score:2)
route add 192.168.1.5 127.0.0.1
The base concept of blocking DNS entries
Re: (Score:2)
With an entry such as:
127.0.0.1 ads.yahoo.com
all traffic that would be routed to ads.yahoo.com is blocked.
I'm going to share a really astonishing piece of information with you now: You are utterly, completely wrong. First, and I know this is shocking, it is possible to access hosts by IP. That's right, the program can simply connect to a hardcoded IP, and not use DNS at all. But wait! There's more! They can also just ignore your name resolution system entirely, and do a DNS (or some other protocol!) lookup to a server of their choice — also potentially using a hardcoded IP. Thus, without an egress firewal
Re: (Score:2)
simply connect to a hardcoded IP
didn't you read my follow up ... use host in conjunction with route command:
route add 192.168.1.5 127.0.0.1
So, who is wearing the udder now?
So... if a list of IP address is/are known, it is possible to block them, even using your mule, er multi-point system - that is if they can't get the first point, they can't get an update. If they hard-code an IP address, route-block it. If they hard code a DNS, host block it.
Re: (Score:2)
didn't you read my follow up
I did. But the problem with your idea is that you're not explaining how the user is supposed to keep up.
If they hard-code an IP address, route-block it. If they hard code a DNS, host block it.
So your solution is to close the barn door after the horses have got out?
Re: (Score:2)
Just as a virus must be out before AV can detect it, someone has to get the problem before it can be guarded. The new version of AV (or stopping a fake bank); a list of IP address (host) / scripts (route) that will block bad addresses/domains.
Spybot [safer-networking.org] does this exact (well, all but "route") all the time.
Re: (Score:2)
correct. a hosts file (or even better a proxying dnsmasq running on your home router) won't block malicious traffic. but, in this case at least, it will stop the malicious scripts from being delivered to you in the first place.
it also has the added benefit that you don't see any ads.
Who the hell (Score:1)
would fall for such a cheesy trick? Certainly none of the brainiacs here at /. right? ;-)
Gee (Score:2)
And my family wonders why I refuse to use my phone as anything other than a phone.
If it isn't obnoxious ads, it's poorly preforming apps, and if it's not those two, it's the bill at the end of the month.
One way or the other, if you have a cell phone in the US, you're going to get "got".
Ever notice how they call it a "cell" phone? You keep prisoners in cells. Just sayin'.
Google ads infect Google Android (Score:2)
When are Google going to wake up and take security of their mobile OS seriously?
Their security model is broken - completely. They just need to start over.
advertisement is evil (Score:5, Interesting)
And with that, all the "good advertisers" bullshit is dead. Not just scammy and shady ad networks deliver malware. Advertisement is evil and needs to die, at least the way it is handled right now. The whole thing needs to be made illegal and restarted fresh with a clean slate and the first question should be "what do we, the users, want from advertisement?".
I like product information, for example. I'm a big fan of sites that compare products. These days, there are a thousand mobile phones, or printers, or vacation destinations, or chairs or cars or really anything, and it's not easy to find the one that's perfect for you.
There's also new and interesting stuff coming out all the time, and most of us miss most of it. Something that focusses on these aspects, on the customer desires, that would be wonderful.
Re: (Score:3)
The whole thing needs to be made illegal and restarted fresh with a clean slate and the first question should be "what do we, the users, want from advertisement?".
I want it to go away. I want whatever is left to be restricted to statements of fact. If the people currently advertising want their identity associated with something, they can sponsor some content.
I don't know that there ought to be a law, though. I only think there ought to be a law regarding advertising to captive audiences. Putting advertisements on public transportation is flat-out wrong, for example, whether inside or outside.
Re: (Score:2)
Putting advertisements on public transportation is flat-out wrong
On anything owned by the public, in fact. Roads, bridges, busses, anything.
Re: (Score:2)
Which alternative is flat-out right? Increasing transit costs for the poor, or raising taxes?
Raising taxes, obviously. I have issues with how taxes are spent, but not with the concept. The concept of taxation is not wrong, it's the concept of hands-off government that is. You can't just give your money to the government and then walk away.
Google malware weapon - snorting into my coffee (Score:2)
Sideloading? (Score:2)
Re: (Score:2)
The articles don't seem to say, or I missed it. But I assume for this to work you would need to have side loading enabled.
And thanks to Amazon, this is enabled on many Android devices. http://www.theinquirer.net/inq... [theinquirer.net]
Adblockers (Score:1)
Not Adblockers (Score:1)
inaccuracy (Score:1)
Re: (Score:1, Funny)
By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk
Yeah, right, like I'm going to trust APK to defend me against apks.
Re: (Score:2)
Every once in a while APK is actually relevant. But there is something to be said about horseshoes and hand grenades.