August 13, 2019

Android users menaced by pre-installed malware

By John E Dunn

How does malware find its way on to Android smartphones and tablets?

By some margin, it’s by way of Google’s Play Store, which despite repeated efforts to clean it up remains a recurring source of dodgy apps that sit somewhere between suspiciously misleading and downright malicious.

But according to a Black Hat presentation by Google Project Zero researcher Maddie Stone, there’s another route that’s nearly impossible for users to defend themselves against – malicious apps that have been factory pre-installed.

It starts with the sheer number of apps that now come with Android devices out of the box – somewhere between 100 and 400.

Criminals only need to subvert one of those, which has become a particular problem for cheaper smartphones using the Android Open Source Platform (AOSP) as opposed to the licensed ‘stock’ Google version that powers better-known brands.

Chamois botnet

She cited several instances encountered while doing her old job on Google’s Android Security team, including an SMS and click fraud botnet called Chamois which managed to infect at least 21 million devices from 2016 onwards.

The malware behind it proved harder to defeat than anticipated, in part because the company realized in March 2018 that in the case of 7.4 million devices the infection had been pre-installed in the supply chain.


Don’t let the crooks ‘borrow’ your home router as a hacking server

By Paul Ducklin

We’ve written about the trials and tribulations of SSH before.

SSH, short for Secure Shell, is probably the most common toolkit for remotely managing computers.

Windows users may be more familiar with RDP, or Remote Desktop Protocol, which gives you full graphical remote control of a Windows computer, with access to the regular Windows desktop via mouse and keyboard.

But almost every Linux or Unix sysadmin out there, plus many Windows sysadmins, use SSH as well as or instead of RDP, because of its raw power.

SSH is more generic than RDP, allowing you to run pretty much any program remotely, so you can administer the computer automatically from afar via pre-written scripts, or open up a terminal window and control the remote system interactively by typing in commands live – or do both at the same time.

As a result, crooks who can figure out your SSH password have their own way into your computer, if not your whole network.

SSH also provides you with a feature called network tunneling, whereby you use SSH to create an encrypted network connection or “tunnel” from computer A to B, and then create an onward connection from B to C to do the actual online work you want.

For security conscious users, that’s good – it makes it easy to “skip over” untrusted parts of the network, such as your coffee shop Wi-Fi router.


Scammers recruiting money mules on dating sites is on the rise, says FBI

By Lisa Vaas

There are a lot of boxes to tick off to let a dating site know who you want to get cozy with.

Gay? Hetero? Tall? Short? Left-wing, right-wing, dairy-intolerant, beard-abhorring?

And now, a rising trend: there are more and more suitors looking to tick off a box that would read “mule” if it were that easy to find lovelorn patsies to launder money or run drugs for them. And by “suitors,” I mean romance-scamming crooks, of course.

The FBI’s online crime division – the Internet Crime Complaint Center (IC3) – on Monday issued a warning about the rising number of faux lover-boys and -girls who are turning to online dating sites to run what are known as romance or confidence frauds.

We’ve seen plenty of these scams in past years: FBI numbers show that in 2017, more than 15,000 people filed complaints with the IC3, alleging that they were victims of romance/confidence frauds and reporting losses of more than $211 million. The following year – 2018 – that number skyrocketed by more than 70%: the number of victims filing complaints increased to more than 18,000, and they reported more than $362 million in losses.

Based on the number of victims, this type of fraud was the seventh most commonly reported scam last year. Money-wise, it was the second costliest scam in terms of losses reported by those victims. It’s ensnaring every type of victim, regardless of age, education or income bracket, the FBI says, though the most targeted demographics are the elderly, women, and widows or widowers.

Modus operandi

This is how these swindles go: First, the conman or woman gets their victim’s trust. Then, they try to convince them to send money, whether it’s for an airfare to visit, to ostensibly bail them out when they claim to have gotten arrested en route, to prove they can be trusted, to buy a home for the heartthrob they’ve never met, or for any other of an endless litany of sob stories.


Don’t fall for fake Equifax settlement sites, warns FTC

By Lisa Vaas

Two years ago, we asked this question: Will the Equifax pain ever end?

We can now say that the answer is “Nope, probably not”.

The Federal Trade Commission (FTC) last week said that just one week after it put up a site for people to check whether their data was exposed in the 2017 mega-breach, e-scum have put up bogus Equifax settlement claim sites.

At the legitimate FTC site, people can file a claim for benefits available under the settlement that the FTC and others reached with Equifax. An estimated 147 million potential claimants may be eligible for up to $425 million in compensation from the settlement.

The FTC says that in order to make sure you’re not handing over your personal data to crooks, start your claim at the official website:

Important notes from the FTC: You never have to pay to file a claim to get benefits from the settlement, so if somebody calls and tries to talk you into paying a fee to file a claim, they’re a scammer for sure.

Once you’re on the official settlement website, you can determine if you’re an eligible claimant. You might shudder at having to hand over personal details, but you will have to enter your last name and the last six digits of your Social Security number (SSN). If the site tells you your personal information was affected by the data theft, you can go ahead and file a claim.


Banking PINs exposed in Monzo secure storage slip-up

By Danny Bradbury

When is a secure PIN not a secure PIN? When you accidentally store it in your log files.

That’s what happened to digital-native bank Monzo, which was left groveling to customers over the weekend after its security blunder.

Monzo is one of the new breed of ‘challenger banks’ that uses financial technology (fintech) systems to subvert older, more established banks. One way of doing that is to abandon boring old brick-and-mortar branches in favour of shiny new smartphone apps. This lets them provide online-only services that can adapt quickly to meet customer demands.

UK-based Monzo bank, started in 2015 through a crowdfunding campaign, serves its customers with an iOS and Android app, along with a debit card that is still usable at ATM machines. Unfortunately, its sophisticated software-driven business model let it down last week. On Sunday, it admitted that it hadn’t been as careful as it could have been with the PINs that customers use to access their account.

Engineers had access to customers’ PINs

The bank explained that it stored these PINs in a secure part of its infrastructure. Unfortunately that wasn’t the only place where it was storing them. An oversight meant that it had also been storing the PINs in the log files that its software engineers use to understand what’s happening in its systems.

Although the log files were encrypted, they were still insecure. The company explained:

Engineers at Monzo have access to these log files as part of their job.

Up to 100 engineers had the right to access those log files, meaning that one bad apple could have stolen them and used them to commit fraud.
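
As an added illustration (not code from Monzo or from the original article), here is a Python logging filter that scrubs PIN values before a log line is written, plus a helper that flags existing log lines that contain one. The field names `pin`, `card_pin` and `new_pin`, the logger name and the sample log calls are assumptions constructed for the example.

```python
import logging
import re

# Assumed (hypothetical) field names under which a PIN might reach a log call.
PIN_KEYS = ("pin", "card_pin", "new_pin")
# key, optional quotes, ':' or '=', optional quote, then the digits to hide.
PIN_RE = re.compile(
    r"(['\"]?\b(?:" + "|".join(PIN_KEYS) + r")\b['\"]?\s*[:=]\s*['\"]?)\d+",
    re.IGNORECASE,
)

def redact(text):
    """Replace the digits following a PIN-like key, keeping the key itself."""
    return PIN_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)

class PinRedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler writes it."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True

class ListHandler(logging.Handler):
    """Stands in for the real log sink so the result can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def lines_with_pins(lines):
    """Audit existing log text: 1-based numbers of lines holding a PIN value."""
    return [n for n, line in enumerate(lines, 1) if PIN_RE.search(line)]

def demo():
    logger = logging.getLogger("payments.demo")  # constructed logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(PinRedactingFilter())
    logger.handlers = [handler]
    # Constructed log calls, not taken from any real system.
    logger.info("change PIN request user=%s body=%s", "u_123", '{"new_pin": "4821"}')
    logger.info("card_pin=9931 verified for user=%s", "u_456")
    logger.info("pin_attempts=3 for user=%s", "u_789")
    return handler.lines

if __name__ == "__main__":
    print("\n".join(demo()))
```

A filter like this is a backstop: the primary control is keeping the PIN out of anything passed to logging code, since encrypting the log files does not help when the people who read the logs can decrypt them.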


