Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Google Security Advertising Android Cellphones Communications Network Operating Systems Privacy Software The Almighty Buck The Internet News Hardware Technology

Malware That Fakes Bank Login Screens Found In Google Ads (fastcompany.com) 120

tedlistens quotes a report from Fast Company: For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers. In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers. Such malware has even found its way onto Google's AdSense network, according to a report on Monday from Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it "a gratuitous act of violence against Android users." "By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," according to the company. "There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required." The good news is that the issue has since been resolved, according to a Google spokeswoman. Fast Company provides more details about these types of attacks and how to stay safe in its report.
This discussion has been archived. No new comments can be posted.

Malware That Fakes Bank Login Screens Found In Google Ads

Comments Filter:
  • by Anonymous Coward on Tuesday August 16, 2016 @08:08PM (#52717133)

    In order to view this post, please reply to it by logging into your slashdot account. Please enter your username and password in the reply box and press the "preview" and "submit" buttons.

  • as the old movie said: the only winning move is not to play
    • by Anonymous Coward

      Install AdBlock Plus.

      The "obligated to see ads to pay for content" argument does not hold up when the risk of receiving malware from ads is this high.

    • by Z00L00K ( 682162 )

      “Certainly the game is rigged. Don't let that stop you; if you don't bet you can't win.”
        Robert A. Heinlein, Time Enough for Love

      • “Certainly the game is rigged. Don't let that stop you; if you don't bet you can't win.” Robert A. Heinlein, Time Enough for Love

        Best quote I've read this month. KUDOS!!

  • >> Fast Company blah blah...

    I thought that place folded in the late 1990's. Did somebody buy the rights or has Fast Company just been quietly publishing to some invisible niche for the past 16 years?
    • Fast Company popped when the bubble popped. The zombie has been limping along for the last 15 years somehow.

      I do miss Fucked Company, though. Those were some wild days back in the early aught's.

  • Ad blocker!! (Score:4, Insightful)

    by Futurepower(R) ( 558542 ) <MJennings.USA@NOT_any_of_THISgmail.com> on Tuesday August 16, 2016 @08:20PM (#52717173) Homepage
    This Slashdot story is a very effective advertisement for ad blockers.
    • Good ads (Score:5, Insightful)

      by fyngyrz ( 762201 ) on Wednesday August 17, 2016 @01:56PM (#52720969) Homepage Journal

      Ads can be good. They can enable commerce and content. Responsible advertising contains a combination of three things: a still image, and/or text, and a link. IOW: an HREF element, and within that, an IMG element and/or perhaps (preferably) some textual content. No scripts other than what's required to actually serve the ad, no videos, no animations, no scraping of user-specific information.

      Anything/everything else is abuse.

      Remember when Google was all about text ads?

      Google's ethics cancer took care of that. For myself, I don't see many ads any longer. The status quo is to attempt to abuse me; fine. The status quo on this end is to block ads.

  • "It then prompts users for administrative rights..."

    Why would you give admin rights to something you didn't explicitly download?

    • Re:WTF???? (Score:5, Insightful)

      by duke_cheetah2003 ( 862933 ) on Tuesday August 16, 2016 @09:24PM (#52717379) Homepage

      "It then prompts users for administrative rights..."

      Why would you give admin rights to something you didn't explicitly download?

      You're talking about end users. Something pops up they just click whatever makes it go away. You think they pay attention to that?

      • by Tom ( 822 )

        You're talking about end users. Something pops up they just click whatever makes it go away. You think they pay attention to that?

        They would if Microsoft hadn't spent 10 years training them otherwise.

        Confirmation dialogs are a good thing that has been destroyed by overexposure.

        • You're talking about end users. Something pops up they just click whatever makes it go away. You think they pay attention to that?

          They would if Microsoft hadn't spent 10 years training them otherwise.

          Confirmation dialogs are a good thing that has been destroyed by overexposure.

          I think ads have contributed heavily to this training, too. People see something pop up they just want it to go away. As much as some of us would love to blame Microsoft for all our woes, the ads themselves bear a heavy responsibility for that training.

  • by Solandri ( 704621 ) on Tuesday August 16, 2016 @08:22PM (#52717179)
    It's because your ad business model is broken. How long will it take before you admit to yourselves that accepting random scripted ads from an insecure third party ad farm totally out of your control is stupid? Either vet the ads yourself (and accept responsibility if you let a malicious ad get through), or contract it out to a third party security service which does it for you.

    Too hard you say? Here's a hint: If the only ads you allow are a static JPEG which clicks through to the advertising site, you've done your job. Newspapers and magazines got along just fine for over a century with static ads. Advertisers don't need scripting, and in fact they've demonstrated they're too immature to be given the power of scripts.
    • by dohzer ( 867770 ) on Tuesday August 16, 2016 @09:58PM (#52717499) Homepage

      Malvertising is the RESULT of ad-blockers.
      If some of us weren't blocking their ads they wouldn't have to stoop to stealing money from the few people who still see them.

    • by houghi ( 78078 )

      The ad business model was broken from day one.
      I remember when they started to apear and people started blocking them, even when they were a banner size and did not move and ther was only one on a page.
      People do not like ads. I do not want them on my computer, I do not want them in the streets or on TV, I do not want them on my underwear.

      There is also no reason to justify why they exist. They exist to sell you stuff and to make money for the people who place them. So is insurance from the Mafia. Just becaus

  • by Anonymous Coward

    And I don't exempt anyone, not even "safe" vendors like Google. No ad network is truly safe, they all deliver malware sooner or later.

  • by Anonymous Coward on Tuesday August 16, 2016 @08:35PM (#52717205)

    would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements

    Can we please stop pretending that computers "automatically" do things, as if they are some magical entity that is not subject to understanding? They do what they are programmed to do, and configured to do within that programming.

    Ads do not "automatically" download jack shit. They download things if you are allowing unknown remote sites to run scripts without your explicit approval. Almost always that happens because Javascript was enabled by default, which we have seen about 1000000 times is a security clusterfuck. Almost all such events happen only because someone said, "Sure! I don't care who the other party is, I'm just fine with them running code I haven't seen on my computer, automatically, by default. No no, really, it's fine! Go right ahead. I don't care what you want to do. Behavioral tracking, malware downloading, anything you want! Go for it! Door's wide open."

    This is no smarter than letting anyone, at any time, use your house for any purpose they might want, "as long as they promise to stay in the living room". Drug cartels? Mafia? Human traffickers? It's all good! No, I don't need to approve the uses of my house, I'm willing to let literally anyone in the world use it for any reason. Later on, I'm going to act mystified about why the SWAT team just showed up, my house is on fire, there's a dead body in the kitchen, and the neighbors are running around screaming. There can't possibly be any connection between that, and my default-allow policy.

    If you wouldn't do that with your house, why would think it's any smarter to do it with your computer?

    • It's pretty easy to start a drive by download without javascript - just use an iframe that requests a file with an attachment content-disposition. If the whole world stopped using javascript tomorrow malware writers would simply find an alternative delivery method. It's a bit like saying "stop people from buying petrol will mean no more road deaths"

      There's already a very simple way to stop this being effective. You still actually have to run the apk (which you don't remember downloading), and enable 3rd par

  • Would a host blocker written in Delphi help here?
  • by melting_clock ( 659274 ) on Tuesday August 16, 2016 @08:55PM (#52717289)

    Unfortunately for sites that rely on advertising to survive, malware delivery through ads is nothing new and this forces many people to block ads as part of their online security. This is not because the sites they visit are not trustworthy. It is simply due to the fact that not every advertiser can be trusted and the companies serving ads have failed to effectively prevent malware getting on to their networks. Criminals distributing their malware through ads are able to reach legitimate web sites that they would be unable to compromise, expanding their reach to a larger audience and making it an attractive option.

    Many of us would be happy to view ads to support our favourite sites but are unwilling to take the risk. Antivirus software can only protect against known threats so, when new malware is constantly being discovered, their success rate of detection can never be 100%. Antivirus software forms part of a sensible online security plan but it does not replace ad blocking or blocking third party scripts.

    • by wickerprints ( 1094741 ) on Tuesday August 16, 2016 @10:38PM (#52717615)

      Precisely. Your point is proven by the fact that these trojans are finding their way onto Google AdSense: it definitively shows that the only remedy is to block all ads because the content providers, ad networks, and other facilitators, cannot be trusted to not serve malware to the end user.

      But, a little context is also worth mentioning. The original web ads used to be things like banners, or animated GIFs, usually with cheesy flashing graphics. These are still around of course. They used to be nothing more than static content that would serve a link if clicked. But as they became ubiquitous, users quickly to ignore them. So advertisers resorted to increasingly intrusive ads, like the dreaded pop-ups, which users quickly learned to close, followed by pop-unders or persistent pop-ups powered by scripting that would simply load another pop-up if the original window was closed. These resulted in browser-side blocking of pop-ups. Advertisers then escalated to overlays and interstitial ads, intercepting or obscuring the desired content. Of course, in all of this, there was always some share of shady ads, things that tried to trick the user in some way by pretending to be something it was not. But the trend has always been an arms race of increasingly intrusive and difficult to block advertising, versus increasingly more sophisticated methods to block.

      This is why we are where we are today. Online advertising has a long and consistent history of being untrustworthy, malicious, and disrespectful of user preferences. Blocking is the natural reaction to such tactics. On the other hand, when people follow certain kinds of online content--product reviews on YouTube, Facebook, and Twitter--this is the way online advertising must evolve. It must evolve away from advertisers attempting to force-feed ads to users whether they wish to see it or not. Even when I know what I'm watching or reading is a paid endorsement or sponsored content, if I *choose* to look at it, that is worth far more than being forced to click through an overlay. If I cannot unblock the content without running some shady JavaScript, I simply move on.

      • by phantomfive ( 622387 ) on Wednesday August 17, 2016 @01:07AM (#52717949) Journal

        it definitively shows that the only remedy is to block all ads because the content providers, ad networks, and other facilitators, cannot be trusted to not serve malware to the end user.

        I'll go beyond that: if you browse the net without adblock, you are irresponsible. If you help someone with their computer, and don't set up adblock, you are irresponsible. If you are a sysadmin and don't have adblock on your computers by default, you are irresponsible and should be fired.

      • by AmiMoJo ( 196126 )

        The problem sellers face is that, for the most part, they are shovelling shit. Sure, if you have a great new phone you want to advertise, send it to some YouTube reviewers (MKBHD is good) and watch the sales roll in. But most stuff is crap, and they want to sell it to you anyway. The only way they can do that is my misleading you, tricking you into wasting your money.

        Most advertising will never be able to rely on reviews or even paid endorsements, because even with paid endorsements people soon start to rea

  • Ad Blocking (Score:5, Insightful)

    by duke_cheetah2003 ( 862933 ) on Tuesday August 16, 2016 @09:18PM (#52717361) Homepage

    And once again, Ad Blocking is justified. Those darn ads can be outright dangerous, which computer people have been saying for years.

    Simply put, if companies can't be bothered to vet the ads they're serving, we can't be bother viewing any ads at all. Clean it up, already.

  • Really?

  • By updating the Host file (yes, it will be a back and forth thing) the ability to block the web sites and keep this crap from coming in - or going out. Great, they can capture all the key strokes they want. HOWEVER: if the data can't make it out, it is useless to them.

    Also - for those of us who use a different computer for bank activities: how can we block entire countries?
    • n/t

    • By updating the Host file (yes, it will be a back and forth thing) the ability to block the web sites and keep this crap from coming in - or going out.

      It doesn't do that. You will need an egress firewall to do what you think you're doing. And it's going to have to somehow be stateful and understand the difference between a legitimate outgoing connection, and one which isn't. Good luck!

      • by Bomarc ( 306716 )

        It doesn't do that. You will need an egress firewall to do what you think you're doing. And it's going to have to somehow be stateful and understand the difference between a legitimate outgoing connection, and one which isn't. Good luck!

        You understand it does do that...

        With an entry such as:
        127.0.0.1 ads.yahoo.com

        all traffic that would be routed to ads.yahoo.com is blocked. replace ads.yahoo.com with an ip address, and that ip address is blocked.

        I'm surprised that the people here at /. are that naive about such a simple method of blocking hacking/attempts to hack.

        • Hummm... no.

          Text from a "#" character until the end of the line is a comment, and is ignored. Host names may contain only alphanumeric characters, minus signs ("-"), and periods ("."). They must begin with an alphabetic character and end with an alphanumeric character.

          Source: every hosts manpage.

          • by Bomarc ( 306716 )
            Sorry ... in conjunction with route command:
            route add 192.168.1.5 127.0.0.1

            The base concept of blocking DNS entries
        • With an entry such as:
          127.0.0.1 ads.yahoo.com
          all traffic that would be routed to ads.yahoo.com is blocked.

          I'm going to share a really astonishing piece of information with you now: You are utterly, completely wrong. First, and I know this is shocking, it is possible to access hosts by IP. That's right, the program can simply connect to a hardcoded IP, and not use DNS at all. But wait! There's more! They can also just ignore your name resolution system entirely, and do a DNS (or some other protocol!) lookup to a server of their choice — also potentially using a hardcoded IP. Thus, without an egress firewal

          • by Bomarc ( 306716 )

            simply connect to a hardcoded IP

            didn't you read my follow up ... use host in conjunction with route command:
            route add 192.168.1.5 127.0.0.1

            So, who is wearing the udder now?

            So... if a list of IP address is/are known, it is possible to block them, even using your mule, er multi-point system - that is if they can't get the first point, they can't get an update. If they hard-code an IP address, route-block it. If they hard code a DNS, host block it.

            • didn't you read my follow up

              I did. But the problem with your idea is that you're not explaining how the user is supposed to keep up.

              If they hard-code an IP address, route-block it. If they hard code a DNS, host block it.

              So your solution is to close the barn door after the horses have got out?

              • by Bomarc ( 306716 )
                "Yes"

                Just as a virus must be out before AV can detect it, someone has to get the problem before it can be guarded. The new version of AV (or stopping a fake bank); a list of IP address (host) / scripts (route) that will block bad addresses/domains.

                Spybot [safer-networking.org] does this exact (well, all but "route") all the time.
      • correct. a hosts file (or even better a proxying dnsmasq running on your home router) won't block malicious traffic. but, in this case at least, it will stop the malicious scripts from being delivered to you in the first place.
        it also has the added benefit that you don't see any ads.

  • would fall for such a cheesy trick? Certainly none of the brainiacs here at /. right? ;-)

  • And my family wonders why I refuse to use my phone as anything other than a phone.
    If it isn't obnoxious ads, it's poorly preforming apps, and if it's not those two, it's the bill at the end of the month.

    One way or the other, if you have a cell phone in the US, you're going to get "got".

    Ever notice how they call it a "cell" phone? You keep prisoners in cells. Just sayin'.

  • When are Google going to wake up and take security of their mobile OS seriously?

    Their security model is broken - completely. They just need to start over.

  • by Tom ( 822 ) on Wednesday August 17, 2016 @02:56AM (#52718155) Homepage Journal

    And with that, all the "good advertisers" bullshit is dead. Not just scammy and shady ad networks deliver malware. Advertisement is evil and needs to die, at least the way it is handled right now. The whole thing needs to be made illegal and restarted fresh with a clean slate and the first question should be "what do we, the users, want from advertisement?".

    I like product information, for example. I'm a big fan of sites that compare products. These days, there are a thousand mobile phones, or printers, or vacation destinations, or chairs or cars or really anything, and it's not easy to find the one that's perfect for you.
    There's also new and interesting stuff coming out all the time, and most of us miss most of it. Something that focusses on these aspects, on the customer desires, that would be wonderful.

    • The whole thing needs to be made illegal and restarted fresh with a clean slate and the first question should be "what do we, the users, want from advertisement?".

      I want it to go away. I want whatever is left to be restricted to statements of fact. If the people currently advertising want their identity associated with something, they can sponsor some content.

      I don't know that there ought to be a law, though. I only think there ought to be a law regarding advertising to captive audiences. Putting advertisements on public transportation is flat-out wrong, for example, whether inside or outside.

      • by Tom ( 822 )

        Putting advertisements on public transportation is flat-out wrong

        On anything owned by the public, in fact. Roads, bridges, busses, anything.

  • Does this Google malware weapon work on anything else except Microsoft Windows ?
  • The articles don't seem to say, or I missed it. But I assume for this to work you would need to have side loading enabled.
  • Meanwhile, these asshats are trying to force users to stop utilizing tools like Adblocker. "Trust us" they say. Well... BULLSHIT on you.
  • This is why I don't call them "Adblockers" but "Malware Vector Blockers".
  • "Every legitimate app is going to be on Google Play or on iTunes" Then where are the adblockers and F-Droid on Google Play?

You mean you didn't *know* she was off making lots of little phone companies?

Working...