July 2014 Feature Article: The Domino’s Effect
Table of Contents
The Domino’s Effect
ESET Corporate News
The Top Ten Threats
Top Ten Threats at a Glance (graph)
About ESET
Additional Resources
The Domino’s Effect
David Harley, ESET Senior Research Fellow, ESET North America
Small Blue-Green World
The news that the data of 600,000 Domino’s Pizza customers
had apparently been acquired by hackers intending to disclose
the data unless Domino’s paid a €30,000 ransom, while not
particularly amusing for Domino’s or its customers in the
affected countries, did inspire a classic blog title – Domino’s
Pizza hacked: Change your toppings at once! – from ESET
Ireland’s Urban Schrott as well as some sound advice. He said:
“Apparently, hackers have gained access to 600,000 Domino’s
Pizza customer details, including their favourite toppings. ESET
Ireland advises users to change their pizza toppings selection
to stay safe.
“I am otherwise a rational and sensible cybersecurity analyst, but
I draw the line when someone messes with my food. And the
hackers behind this latest attack did just that. In a bid to extort
money from Domino’s Pizza, they threatened to publicly post
detailed info of 600,000 customers, including their favourite
pizza toppings unless they’re paid a ransom of €30,000. The
hackers aimed at possible lawsuits against the pizza company
for breach of privacy, but a representative of Domino’s said the
ransom will not be paid and that the customers’ financial data
and credit cards were not compromised in the attack.
The servers attacked mainly contained customer info from
France and Belgium so Irish users shouldn’t be affected, but just
to be sure, ESET Ireland recommends you change your toppings
selection, so it doesn’t coincide with the one the hackers may
have, so you will not be offered a fake pizza by them. Ok, we’re
joking here. But only a bit. Because in the age of targeted
attacks, so called spear-phishing, it is not uncommon practice
among cybercriminals to gather as much data on anyone they
can, including such details as food preference, then prepare a
targeted scam which uses bits of this data to convince the
victim it’s legit. Imagine an average Joe receiving an email from
someone pretending to be Domino’s and saying “Hi Joe, you
ordered extra anchovies in your last three orders with us and we
want to give you a prize for being a regular customer. Click here
and fill in the form to claim your prize.” Even though the sender
and email would be fake, the victim would recognise they did
in fact order extra anchovies and would consider the offer real
and would likely click on the link. This could in turn infect their
computer with malware, demand they enter their banking
details to receive the prize, or any other wicked thing
cybercriminals do.
“Apart from changing your toppings, at least for a while, ESET
Ireland therefore seriously advises you are careful with the
personal data you share with companies and services you deal
with. Know that, as in the case of this hack, if the data falls into
the wrong hands, it can be used against you. Only disclose the
minimum of necessary info and if you receive any suspicious
email, claiming reference to some real info about you, double
check if it is legitimate, before you do anything it’s asking you to
do. When unsure, just ring the company in question and check.”
Graham Cluley told us more and also gave useful advice.
“A group of hackers claim to have stolen the personal details of
some 650,000 pizza lovers, and have threatened to release
them to the world if Domino’s Pizza doesn’t cough up a hefty
ransom.
“The hacking group, which is calling itself Rex Mundi, claims to
have breached the network of Domino’s Pizza in France and
Belgium, grabbing customers’ full names and addresses, phone
numbers, email addresses and the passwords. Via their Twitter
account (now suspended) the hackers posted a link to a
statement about the breach:
Dear friends and foes,
Earlier this week, we hacked our way into the servers of
Domino’s Pizza France and Belgium, who happen to share the
same vulnerable database. And boy, did we find some juicy stuff
in there! We downloaded over 592,000 customer records
(including passwords) from French customers and over 58,000
records from Belgian ones. That’s over six hundred thousand
records, which include the customers’ full names, addresses,
phone numbers, email addresses, passwords and delivery
instructions. (Oh, and their favorite pizza topping as well,
because why not).
“Fortunately, there is no indication that payment information
has fallen into the hands of the hackers – but there’s clearly still
plenty to be concerned about for those Domino’s customers
who have had their personal information exposed.
“Domino’s France responded to the security breach with a
series of tweets, claiming that although it used “cryptage”
(encryption), the company believed the hackers to be
experienced criminals, and it was deemed likely that
passwords would be cracked:
Domino’s Pizza uses an encryption system for its commercial data.
However, the hackers whose victims we have been are seasoned
professionals and it is probable that they were able to decode the
encryption system, including the passwords. That is why we
recommend that you change your password, as a security measure.
We deeply regret this situation and take this illegitimate access
very seriously.
“Sadly, there’s no mention of whether the sensitive information
was salted and hashed.
“André ten Wolde, who heads up Domino’s Pizza in the
Netherlands, told De Standaard that there were clearly security
problems with the firm’s server. At the same time he confirmed
that the company would not be paying any ransom to the
hackers. Good for him, and good for Domino’s Pizza.
“Clearly any hack is very bad news – both for the thousands of
potential innocent victims, and for the corporation which has
been hit by a criminal hack. It’s easy to point the finger of blame
at the corporation for not protecting its customers’ data
properly, and there are no doubt a lot of angry people in France
and Belgium right now ordering an Indian takeaway as a form
of protest.
“But we have to make a stand against criminals who attempt to
blackmail and extort money out of the corporations they are
attacking via the internet. We saw a fine stand made by Feedly
the other day when hackers attempted to extort money, and
I’m pleased to see Domino’s Pizza not bowing to the hackers’
demands either. If companies cave in and pay ransoms to
internet attackers the only thing that is certain is that there will
be more internet attacks.”
Graham asked ESET security expert David Harley whether he
felt the Feedly and Domino’s attacks were the sign of a new era
of cyber-extortion. Here’s what he had to say:
The Feedly story appears to have been just a DDoS attack, not a
credentials breach. There’s nothing new at all about that: even
in the early 2000s, UK agencies were quietly cooperating with
private companies to deal with extortion attacks based on “pay
up or we’ll keep on DDoS-ing you”.
Historically, online casinos and similar sites have been
persistently targeted, but there’s no reason why an attacker
wouldn’t consider any site dependent on keeping its online
services available a likely target for extortion.
Extortion based on the threat of data release is a little more
unusual, but not unknown.
Since stolen data can’t usually be ‘given back’ in such a way that
you know the attacker can’t make further use of it, it makes
sense to look at other means of mitigation rather than relying
on the attacker’s ‘good faith’. I.e., alerting customers, advising
them to change passwords, improving database security.
Similarly, it’s almost a given that paying up under threat of
DDoS is unlikely to be a permanent solution.
Graham went on to advise:
“If you’re the victim of cyber-extortionists, don’t give in to the
blackmailer’s demands.
“Even though you might be at risk of personal or commercial
embarrassment, or potential financial loss, it’s always better to
contact the crime-fighting authorities than get into bed with the
criminals. Of course, you should also put some serious
resources into exploring what security holes might exist in your
company’s operations – and making sure you are better
defended in the future.
“And, if you’re a customer of Domino’s and fear that your
details may have been exposed by this attack, make sure that
you are not using your pizza-ordering password anywhere else
on the net. After all, if the hackers manage to extract your
password from Domino’s database they might attempt to use it
to unlock your other online accounts too.
“It’s good practice to always use different passwords that are
hard-to-crack for different websites. Reusing passwords is a
recipe for disaster. Anything less than proper password
practices could end up with hackers getting their hands on your
hard-earned dough.”
ESET Corporate News
ESET provides Cyberoam Technologies with Secure Authentication
ESET has announced its new partnership with Cyberoam Technologies, a leading global provider of network security appliances. The
partnership will allow Cyberoam Technologies to integrate ESET’s Secure Authentication - a mobile solution relying on two-factor, one
time passwords (2FA OTP) for remote access - into Cyberoam Technologies’ Unified Threat Management and Next Generation Firewall
appliances. This additional layer of protection will secure both end-users and enterprise networks. The partnership is currently being
deployed in South Africa.
ESET scores high in brand-awareness by German magazine PC Welt
ESET continues to rise in Germany. In the business segment, ESET won a silver medal as the Brand of the Year in the Security software category.
The brand-awareness survey was conducted by the German computer magazine PC Welt. Readers of PC Welt also prefer ESET as the security
software for their business: ESET scored a silver medal as the Technology Winner in the Security software category.
The Top Ten Threats
1. Win32/Bundpil Previous Ranking: 1 Percentage Detected: 2.3%
Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL address, and it tries to download several files
from the address. The files are then executed and the HTTP protocol is used. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.
2. JS/Kryptik.I Previous Ranking: 2 Percentage Detected: 1.82%
JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a
malicious URL or implements a specific exploit.
3. Win32/RiskWare.NetFilter Previous Ranking: n/a Percentage Detected: 1.73%
Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to engage in unwanted
behaviour. It allows an attacker to remotely connect to the infected system and control it in order to steal sensitive information or install
other malware.
4. LNK/Agent.AK Previous Ranking: 3 Percentage Detected: 1.55%
LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and, additionally, runs the threat in the
background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was discovered, as it was
one of the four vulnerabilities that threat exploited.
5. Win32/Sality Previous Ranking: 4 Percentage Detected: 1.38%
Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities in the system,
ensuring that the malicious process is started at each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah
6. HTML/ScrInject Previous Ranking: 8 Percentage Detected: 1.37%
Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware
download.
7. Win32/Adware.MultiPlug Previous Ranking: n/a Percentage Detected: 1.28%
Win32/Adware.Multiplug is a Potentially Unwanted Application that, once present on the user's system, might cause applications to
display advertising popup windows during internet browsing.
8. INF/Autorun Previous Ranking: 5 Percentage Detected: 1.24%
This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains
information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by
a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless
it is identified as a member of a specific malware family.
Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to
the number one spot clearly indicates. Here’s why it’s a problem.
The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of
removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the
program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional
infection technique.
While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by
default, rather than to rely on antivirus to detect it in every case.
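As an added illustration of the heuristic described above, the following Python parses an autorun.inf file and flags every directive that would cause a program to launch when the media is accessed. This is example code written for this report, not ESET’s detection logic; the INI-style parser, the list of launch directives (open, shellexecute and shell\<verb>\command, which are Microsoft’s documented autorun.inf keys) and the set of executable extensions are assumptions, and both sample files are constructed. A file that only sets a label and an icon is reported as benign, which is the distinction the report draws between useful removable media and media that has been modified to run something.

```python
import os
import re

# Directives in the [autorun] section that start a program when the media is
# accessed (Microsoft's documented keys; set chosen for this example).
LAUNCH_KEYS = {"open", "shellexecute"}
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Extensions treated as executable; mirrors the patterns listed for Bundpil above
# plus a few common ones (assumption).
EXEC_EXTENSIONS = {".exe", ".vbs", ".pif", ".cmd", ".bat", ".scr", ".com", ".js"}

# Constructed sample: label and icon only, nothing launches.
BENIGN_AUTORUN = """; constructed sample for this example
[autorun]
label=Holiday Photos
icon=photos.ico
"""

# Constructed sample resembling what an INF/Autorun detection covers:
# two directives that run a program from a directory a user would not open.
SUSPICIOUS_AUTORUN = """; constructed sample for this example
[AutoRun]
open=RECYCLER\\S-1-5-21-1234\\setup.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1234\\setup.exe
label=Holiday Photos
"""


def parse_autorun(text: str) -> dict:
    """Minimal INI parser: {section (lowercase): {key (lowercase): value}}."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def target_program(value: str) -> str:
    """Extract the program from a directive value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(autorun_section: dict):
    """Yield (key, value) for every directive that auto-launches a program."""
    for key, value in autorun_section.items():
        if key in LAUNCH_KEYS or LAUNCH_KEY_RE.match(key):
            yield key, value


def assess(text: str):
    """Return ("suspicious" | "benign", [findings]) for one autorun.inf."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in launch_targets(autorun):
        program = target_program(value)
        ext = os.path.splitext(program)[1].lower()
        note = f"{key}= launches {program!r}"
        if ext in EXEC_EXTENSIONS:
            note += f" (executable extension {ext})"
        findings.append(note)
    verdict = "suspicious" if findings else "benign"
    return verdict, findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        verdict, findings = assess(sample)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

The heuristic deliberately does not try to judge whether the launched program is malicious; as the report notes, the safer default is to disable Autorun so that no directive in this file runs at all, and to treat any removable media that carries a launch directive as worth a scan.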
9. Win32/Conficker Previous Ranking: 6 Percentage Detected: 1.15%
The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating
system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials.
Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility
enabled at present by default in Windows (though not in Windows 7).
Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download
additional malicious components. Fuller descriptions of Conficker variants are available at
http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.
While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft
patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on
the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped
the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The
Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.
It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with
system patches, disable Autorun, and don’t use unsecured shared folders.
10. Win32/TrojanDownloader.Zurgop Previous Ranking: n/a Percentage Detected: 1.14%
Win32/TrojanDownloader.Zurgop is a family of malicious code that, once it infects a vulnerable system, downloads other malware
from the Internet. Variants of this family use different techniques to avoid detection, such as run-time compression packers like PEncrypt
or PECompact.
http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AB/description
Win32/TrojanDownloader.Zurgop.AB is a Trojan which tries to download other malware from the Internet. The file is
run-time compressed using PEncrypt.
http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.AZ/description
Win32/TrojanDownloader.Zurgop.AZ is a Trojan which tries to download other malware from the Internet. The file is
run-time compressed using PECompact.
http://www.virusradar.com/en/Win32_TrojanDownloader.Zurgop.BI/description
Top Ten Threats at a Glance (graph)
Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this
month, with 2.3% of the total, was scored by the Win32/Bundpil class of threat.
About ESET
ESET®, the pioneer of proactive protection and the maker of
the award-winning ESET NOD32® technology, is a global
provider of security solutions for businesses and consumers.
For over 26 years, the Company continues to lead the industry
in proactive threat detection. By obtaining the 80th VB100
award in June 2013, ESET NOD32 technology holds the record
number of Virus Bulletin "VB100” Awards, and has never
missed a single “In-the-Wild” worm or virus since the inception
of testing in 1998. In addition, ESET NOD32 technology holds
the longest consecutive string of the VB100 awards of any AV
vendor. ESET has also received a number of accolades from AV-Comparatives,
AV-TEST and other testing organizations and
reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET
Cyber Security® (solution for Mac), ESET® Mobile Security and
IT Security for Business are trusted by millions of global users
and are among the most recommended security solutions in
the world.
The Company has global headquarters in Bratislava (Slovakia),
with regional distribution centers in San Diego (U.S.), Buenos
Aires (Argentina), and Singapore; with offices in Jena
(Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET
has malware research centers in Bratislava, San Diego, Buenos
Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland),
Montreal (Canada), Moscow (Russia) and an extensive partner
network for more than 180 countries.
More information is available via About ESET and Press Center.
Additional Resources
Keeping your knowledge up to date is as important as keeping
your AV updated. For these and other suggested resources
please visit the ESET Threat Center to view the latest:
ESET White Papers
WeLiveSecurity
ESET Podcasts
Independent Benchmark Test Results
Anti-Malware Testing and Evaluation