Warning: Android Malware Can Empty Your PayPal Account
It’s no surprise that the end of 2018 had its fair share of cybersecurity stories. As ever, there’s so much going on in the world of online privacy, data protection, and cybersecurity that keeping up is tricky.
Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in December 2018!
1. Android Malware Steals From PayPal Accounts
ESET security researchers released the above video detailing how the malware works.
What you see in that video is the researcher logging into a test account with their 2FA code. As soon as the researcher enters the code, the malware automates a payment to a pre-configured account. In this case, the payment failed because the test account did not have enough funds to process it.
The malware poses as a battery optimization app called Optimization Android. Dozens of other battery optimization apps use the same logo and feature similarly unobtrusive names.
Once installed, Optimization Android asks the user to turn on a malicious accessibility service disguised as “Enable statistics.” If the user enables the service, the malicious app checks the device for the official PayPal app and, if it is found, triggers a PayPal notification alert prompting the victim to open the app.
“Once the user opens the PayPal app and logs in, the malicious accessibility service (if previously enabled by the user) steps in and mimics the user’s clicks to send money to the attacker’s PayPal address.” The ESET research blog elaborates on the 2FA evasion, too.
“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in—as they normally would—but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”
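The defensive takeaway from this story is that the attack needs an accessibility service the victim switched on. A triage script that lists enabled accessibility services and flags any whose package is not allowlisted or was sideloaded is one practical check. This is an added example, not ESET's code; the adb output it parses is constructed sample data, and `com.example.optimizer` is a placeholder package name.

```python
"""Flag enabled Android accessibility services that are not allowlisted.
Added example (not ESET's code); the adb output below is constructed."""
import subprocess

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.optimizer/com.example.optimizer.StatsService"
)
# Constructed sample of: adb shell pm list packages -i   (package -> installer)
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.optimizer  installer=null
package:com.paypal.android.p2pmobile  installer=com.android.vending"""

ALLOWLIST = {"com.google.android.marvin.talkback"}      # services you expect to be on
TRUSTED_INSTALLERS = {"com.android.vending"}            # Play Store; sideloads show installer=null

def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service class) pairs."""
    entries = []
    for item in raw.strip().split(":"):
        if "/" not in item:
            continue
        pkg, svc = item.split("/", 1)
        entries.append((pkg, svc))
    return entries

def parse_installers(raw):
    """Map package name -> installer package from `pm list packages -i` output."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        result[pkg_part[len("package:"):].strip()] = inst_part.strip() or "null"
    return result

def suspicious_services(enabled_raw, installers_raw):
    """Return enabled services that are neither allowlisted nor from a trusted store."""
    installers = parse_installers(installers_raw)
    flagged = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        if pkg in ALLOWLIST:
            continue
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            flagged.append({"package": pkg, "service": svc, "installer": installer})
    return flagged

def adb(*args):
    """Run an adb shell command; only used when triaging a live device."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(hit)
```

On a real device, replace the constructed samples with `adb("settings", "get", "secure", "enabled_accessibility_services")` and `adb("pm", "list", "packages", "-i")`.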
2. Chinese Military Hackers Breach Private EU Diplomat Communications
US security outfit Area 1 detailed how a People’s Liberation Army cyber campaign has had access to private European Union communications for several years.
“In late November 2018, Area 1 Security discovered that this campaign, via phishing, successfully gained access into the computer network of the Ministry of Foreign Affairs of Cyprus, a communications network used by the European Union to facilitate cooperation on foreign policy matters,” Area 1 explained in a blog post.
“This network, known as COREU, operates between the 28 EU countries, the Council of the European Union, the European External Action Service, and the European Commission. It is a crucial instrument in the EU system of foreign policymaking.”
The hack itself appears to have been very basic. The attackers stole credentials from network administrators and other senior staffers, used them to gain high-level access to the network, and installed the PlugX malware there, creating a persistent backdoor through which to steal information.
After exploring the network and moving from machine to machine, the hackers found the remote file server storing all diplomatic cables from the COREU network.
The New York Times elaborates on the content of the cables, including EU worries regarding President Trump, as well as European-wide concerns regarding Russia, China, and Iran.
3. Save the Children Charity Hit by $1m Scam
The US wing of the British charity, Save the Children, was scammed out of $1 million through a Business Email Compromise (BEC) attack.
A hacker compromised an employee email account and sent several fake invoices to other employees. The hacker pretended that several payments were required for a solar panel system for a health center in Pakistan.
By the time Save the Children’s security team realized what was going on, the money had been deposited in a Japanese bank account. However, thanks to their insurance policy, Save the Children recovered all but $112,000.
Unfortunately, Save the Children are far from alone in losing money through a Business Email Compromise.
The FBI estimates that businesses lost over $12 billion between October 2013 and May 2018. Charities make a ripe target, too, with many hackers assuming that the non-profits will have basic or lax security practices.
The UK government found that 73 percent of U.K.-based charities with incomes larger than £5 million had been targeted within the past 12 months. Finally, security researchers at Agari uncovered the makings of a massive BEC scam that used commercial lead generation services to identify 50,000 executives to target.
Need some email security pointers? Check out our free email security guide. Sign up right here!
4. Amazon Customers Suffer Pre-Christmas Phishing Campaign
Christmas is a difficult time for consumers. A lot is going on. Cybercriminals sought to exploit the confusion and stress that many people feel in the build-up by launching a massive malicious spam campaign centered around Amazon Order Confirmation emails.
Researchers for EdgeWave discovered the campaign and quickly realized that the end-goal was to trick unsuspecting Amazon customers into downloading the dangerous Emotet banking Trojan.
Victims receive a standardized Amazon Order Confirmation form, containing an order number, payment summary, and an estimated delivery date. These are all fake, but the spammers rely on the fact many people order multiple packages from the shopping giant and won’t pay attention.
The emails, however, have one difference. They do not display the items that are being shipped. Instead, the scammers direct the victim to hit the Order Details button. The Order Details button downloads a malicious Word document named order_details.doc.
You can see the differences in the image above. Also note the misaligned Amazon Recommendation and Amazon Account links in the email.
When the victim opens the document, Word shows the user a Security Warning, advising that “some active content has been disabled.” If the user clicks through this warning, a macro triggers that executes a PowerShell command. The command downloads and installs the Emotet Trojan.
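The detection opportunity in this delivery chain is the process tree: Word should not be launching PowerShell. The following is an added example, not EdgeWave's code, that scores constructed process-creation events (Sysmon Event ID 1 style fields) for an Office parent spawning a script host with obfuscation flags.

```python
"""Score process-creation events for Office -> script-host spawns.
Added example; the events below are constructed, not real telemetry."""
import re

# Constructed events: the first mimics the Word macro -> PowerShell step
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc AAAA"},      # AAAA is a placeholder payload
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},   # benign admin use
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo hello"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Flags commonly seen on macro-launched PowerShell: encoded command, hidden window, policy bypass
SUSPICIOUS_ARGS = re.compile(r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|bypass)", re.I)

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """'high' for Office -> script host with suspicious flags, 'medium' for a plain
    Office -> script host spawn, None for anything else."""
    if basename(ev["parent"]) not in OFFICE_PARENTS or basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    return "high" if SUSPICIOUS_ARGS.search(ev["cmdline"]) else "medium"

def detect(events):
    """Return (severity, child image, command line) for every event that scores."""
    hits = []
    for ev in events:
        sev = score_event(ev)
        if sev:
            hits.append((sev, basename(ev["image"]), ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```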
If you think you have downloaded malware, check out the MakeUseOf malware removal guide for tips on how to start saving your system.
5. US Indicts Chinese Hackers
The US has indicted two Chinese hackers with strong links to the Chinese state-backed hacking group, APT10.
The Department of Justice alleges that Zhang Shilong and Zhu Hua have stolen “hundreds of gigabytes” of private data from more than 45 government organizations and other important US-based businesses.
“From at least in or about 2006 up to and including in or about 2018, members of the APT10 group, including Zhu and Zhang, conducted extensive campaigns of intrusions into computer systems around the world,” according to the DoJ release. “The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy.”
The pair are well known to other Western governments, too. Another series of attacks dating back to 2014 has the pair hacking into the networks of service providers in 12 different countries.
The day after the Department of Justice announced the indictments, officials in Australia, Canada, Japan, New Zealand, and the U.K. published official statements formally blaming China for state-backed hacking of government agencies and businesses in the respective countries.
“These actions by Chinese actors to target intellectual property and sensitive business information present a very real threat to the economic competitiveness of companies in the United States and around the globe,” said a joint statement released by U.S. Secretary of State, Michael Pompeo, and Secretary of Homeland Security, Kirstjen Nielsen.
“We will continue to hold malicious actors accountable for their behavior, and today the United States is taking several actions to demonstrate our resolve. We strongly urge China to abide by its commitment to act responsibly in cyberspace and reiterate that the United States will take appropriate measures to defend our interests.”
December Security Roundup
Those are five of the top security stories from December 2018. But a lot more happened; we just don’t have space to list it all in detail. Here are five more interesting security stories that popped up last month:
- The extremely destructive Iranian-linked Shamoon malware reappeared in Saudi Arabia and the UAE.
- The Australian government implemented its ridiculous encryption backdoor legislation.
- ESET releases research detailing 21 new malware strains [PDF] for Linux operating systems.
- Cybercriminals post dank memes on Twitter to issue commands to active malware.
- NASA discloses a data breach that took place in October 2018; full details of who was affected are still unknown.
Whew, what an end to the year in security. The world of cybersecurity is constantly evolving. Keeping track of everything is a full-time job. That’s why we round up the most important and most interesting bits of news for you every month.
Check back at the start of February for everything that happened in the first month of 2019.
Still on holiday? Take some time and read about the five biggest cybersecurity threats coming your way in 2019.