Beware Apple iOS attacks using ‘Masque Attack’ techniques from uncertified apps

Researchers have discovered a technique that may enable attackers to substitute malware for a legitimate app on Apple iOS devices such as iPhones and iPads.

Although the risk of being subjected to a Masque Attack is low, it is another reminder not to download pirated apps or software from untrusted sources. It is also a reminder that Apple products are increasingly being targeted by attackers.

As many people believe you cannot get a virus/trojans/malware on Apple devices (more so on OSX), this is not true and Apple devices, due to their numbers, will and currently are being targeted. Sterling IT use and recommend Webroot and/or Trend Micro Antivirus to protect Apple Mac.

About Masque Attack

A Masque Attack can occur if a user downloads an app from a rogue source such as a link embedded in a phishing email or from an unofficial app site hosting fake ‘uncertified’ apps.

The Masque Attack takes advantage of a weakness in iOS security which can enable malware to be installed.

If a malicious app can be crafted to use the same ‘bundle identifier’ (an ID Apple uses to identify individual apps) as a legitimate app on your phone, Apple will not check its security certificate. It means that a malicious app can replace a legitimate app on your device.

A criminal using the Masque Attack technique will typically disguise their malware as a popular game or program for you to install. Only install via the APP STORE via your device.

Once installed it may be able to steal information from your device such as passwords or internet banking details and send them to a remote server controlled by criminals. Possible impacts include the malware being able to steal logon credentials; access sensitive data; avoid detection and steal Apple IDs and passwords.

Staying safe

  1. Do not download software or apps from untrusted sources. Sticking with Apple’s AppStore helps protect against downloading malicious software
  2. Do not click ‘install’ from pop ups when viewing a web page. Even if it tells you , that you have a virus. Most of these are traps.
    Sterling IT has posted MANY emails recently with relation to this and unfortunately we are still getting clients infected, even with prior warning.
  3. If your iOS device shows an ‘Untrusted App Developer’ alert when you open an app, click on ‘Don’t Trust’ and uninstall the app immediately.
  4. Use security software for all your computer and mobile devices.
  5. Keep your system up-to-date by downloading software updates as they are released.
  6. Do not connect or ‘pair’ your device with untrusted computers.

For FREE advice or any questions regards to this, please contact Sterling IT. You are better asking as prevention is better than cure!!

 

Are you travelling staying in a hotel or using public wifi? – ‘Darkhotel’ downloads information-stealing malware.

There are a number of articles and warnings about Executives being hacked in shared wi-fi including Luxury Hotels , especially in the APAC regions.

Dubbed ‘Darkhotel’ by Kaspersky, the attackers infiltrate luxury hotels’ wi-fi to steal sensitive corporate data from travelling executives.

Targeted businesspeople connect to the hotel wi-fi and are prompted to download fake updates from programs such as Google Toolbar, Adobe Flash and Windows Messenger. Once downloaded, the backdoor installs an advanced keylogger, an information-stealing module and the Trojan ‘Karba’.

Once these applications are installed, it starts looking for private information, cached passwords and login credentials, the attackers delete these hacking tools and avoid suspicion.

A representative from Kaspersky said the attackers have “operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision”.

This malware can also be spread through peer to peer or file sharing networks. It’s estimated that Darkhotel has been downloaded over 30,000 times in the last six months.

To date, the majority of these infections were identified in Japan, Taiwan, Russia, China and Hong Kong.

Kaspersky principal security researcher, Kurt Baumgartner, said these attacks are becoming more common: “Targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”

To avoid attacks,

1. Never install or accept software you are not sure about. If you are in doubt, call Sterling IT and we will quickly confirm the legitimacy of the application or pop up.

2. Use a phone company internet connection such as Vodafone, Telstra or Optus 3G/4G USB or Pocket wifi cards instead of shared services.

3. Ensure your antivirus is up to date.

4. NEVER open emails that you are not expecting with links or attachments.

 

CRITICAL WARNING VIRUS ALERT – CryptoLocker – Prevention and Clean

Please read and take note
CryptoLocker 14th October 2013

CryptoLocker is the next generation of internet virus that is currently circulating all over the world in large numbers. Once a computer becomes infected it will lock all your files plus any network files it has access to, even your server.
Once the files are locked it will give you a three day countdown to pay the ransom, usually $100 or $300. If the time expires your files are locked with no option to pay the ransom.
It is by far the worst we have experienced so far and virus protection companies are scrambling to catch up with this one, as it changes frequently to elude the virus scanners. In other words: it can affect you if you are not careful even though your firewall and virus protection is active and up-to-date.
Currently there are only two known methods to remove the infection, restoring your files from a backup or paying the ransom.
Please be aware that paying the ransom is not guaranteed to work. We don’t condone paying the ransom and supporting these cybercriminals.

Usually this occurs by these methods:
In the form of attachment, usually disguised in an email appearing to come from your bank, insurance company or courier service or scanner.
A simple safety procedure that works for the majority of email applications or online email services is to “hover” over the link, which means move the cursor to the attachment or “button” or other link in the email, but DO NOT click.  If the domain name that appears has no relation, looks suspicious, or appears as an unintelligible tangle of letters and numbers, it usually means it is not legitimate and should be deleted.
Through Trojan websites, which will ask you to download a piece of software in order to watch video clips or download songs off the internet.
Through exploit kits, specific websites with similar names to popular ones, just waiting for people to miss-type the address and think they are on their favourite website.
Advice for prevention

Do not open attachments if you are unsure of the contents or the email was unexpected.
Look for clues in the email content, usually most legitimate emails will address you by name and not something generic like ‘customer’ with vague wording.
Do not click on website links in emails until you have viewed the link location (do this by hovering over the link, this will display the link right at the bottom of Outlook). Instead of clicking the link, you are best to manually browse to the website via your web browser.
Make sure your anti-virus is updated regularly
Make sure your backups are current and working and backing up ALL critical data
If you get the virus

Stop work
Immediately disconnect any network drives
Contact us
Alert other users of the issue, as most likely any work done will be overwritten when the backup is restored.
Please do forward this email on to your staff, friends and associates.

If in doubt or have any questions, please contact Sterling IT.