Viry a Červi

A pair of recent campaigns aim to lift credentials and other personal information under the guise of Amazon package-delivery notices.

CryptBB becomes more inclusive by inviting less experienced hackers to learn from expert cybercriminals and one another.

And who's that in the background? Just Oracle and its *cough* 443 bugs

Cisco has emitted 33 security bug fixes in its latest crop of software updates, five of those deemed critical.…

Cyber threats aren’t relegated to the world of big businesses and large-scale campaigns. The most frequent attacks aren’t APTs and massive data breaches—they’re the daily encounters with malware and spam by everyday users. And, one of the areas where we’re most vulnerable is entertainment—particularly when we’re so used to finding everything and anything we want to watch or play for little or no money online. That’s why, last year, we took a look at how cybercriminals use popular shows to spread malware. This year we turned to a no less popular entertainment sector: streaming platforms.

2019 was officially the year the Streaming Wars kicked off, as nearly all major networks—no matter the cost—hurried to profit from consumers’ new, preferred method of consuming content: streaming platforms. It began with Apple TV +. Then Disney +. And then—the most recent addition—HBO Max—a project the network developed in an effort to make use of an $85.4 billion acquisition of Time Warner. Not to mention the slew of different local platforms that have popped up in various regions around the world. In fact, the global video streaming market is expected to be worth $688.7 billion by 2024.

For cybercriminals, the switch to streaming means a new, lucrative attack channel has opened up. In fact, just hours after Disney + was launched, thousands of users’ accounts were hacked and their passwords and emails changed. The criminals then sold these accounts online for $3-$11.

And not only new streaming services are vulnerable. Popular services launched years ago, like Netflix and Hulu, are prime targets for distributing malware, stealing passwords, and launching spam and phishing attacks. Their appeal has only increased given the spike in subscribers in the first half of the year, as many people lost their jobs and/or were relegated to staying at home. In the first quarter of 2020, Netflix added 15 million subscribers—more than double what was expected. That means at least 15 more million people are vulnerable to cybercrime against streaming services. In fact, recent research from Flixed, a service that helps you find the best cable replacement, found that more than 1 in 10 people have had their streaming account hacked.

Not only are millions of account purchasers susceptible, but so are the millions more who receive access via relatives or friends that share their passwords and an unknown number of people who attempt to gain access to these platforms at a discount or are relegated to finding other methods of viewing their content in areas where the services aren’t available.

To help make users around the world become aware of the threats—and stay protected—we’ve taken an in-depth look at the cybercrime landscape of streaming services.

Methodology

In this report, we analyzed several different types of threats—malware associated with streaming platforms and the original content they release, as well as phishing emails and fake websites/login pages.

For this purpose, we utilized results from the Kaspersky Security Network (KSN) – a system for processing anonymous data related to cybersecurity threats shared voluntarily from Kaspersky users. The results display those users (mobile or PC) that encountered various threats from January 2019 until April 8, 2020.

The streaming platforms analyzed for the purposes of this report are the following:

1. Netflix: This was the first service of its kind. Launched in 1997, it was originally the first online DVD rental store before switching to streaming in the mid-2000s. It remains the most popular online streaming platform with 183 million paid memberships in over 190 countries.
2. Hulu: This US service was launched in 2008 and offers subscribers not only a library of shows and movies to stream (original and non-original), but also a chance to watch recently released episodes of shows currently airing on the major US broadcast networks. It currently has 32.1 million subscribers in the U.S.
3. Amazon Prime Video: This video streaming service was launched in 2006 and is offered to all Amazon Prime subscribers (this subscription includes free two-day shipping, free music, and free books). Amazon Prime Video offers access to a catalogue of videos and TV shows—original and not. You can also pay for add-ons, which provide you with access to content on other Channels, such as Starz and HBO. Amazon Prime has over 150 million subscribers worldwide. Of course, this number includes all Prime members—some of whom may not use the video streaming service.
4. Disney +: Launched in November 2019, Disney + offers access to the entire library of content from Pixar, National Geographic, and Disney. It also offers all titles related to the Star Wars franchise and several original series. It currently has 54.5 million subscribers worldwide.
5. Apple TV Plus: This service was launched in November 2019, shortly before the release of Disney Plus. It primarily consists of original programs and is available in more than 100 countries. The number of subscribers is unclear, but outside sources estimate the number to be between 10 and 33 million. However, anyone who had purchased a new Apple TV, iPod, iPad, iPhone or Mac from September 10, 2019 were given a free, one-year subscription.

Malware for streaming platforms

When it comes to streaming platforms, malware and other threats (like adware) are most often downloaded when users attempt to gain access through unofficial means—whether by purchasing discounted accounts, obtaining a “hack” to keep their free trial going, or attempting to access a free subscription. Many times, these unofficial links or files come bundled with other malicious programs, such as Trojans and backdoors.

Using KSN, we searched for malicious programs bundled with files that contained the name of the five streaming platforms above in the context of obtaining login credentials, a subscription, or downloading the platform for viewing. The results display those users (mobile or PC) that encountered various threats while attempting to gain access to Netflix, Hulu, Amazon Prime Video, Disney +, and Apple TV Plus through unofficial means.

We also looked specifically at account checkers—tools used to check leaked credentials (often from data breaches) in bulk across different sites. Because many people reuse account login information, leaked passwords and usernames can provide access to multiple online accounts, and account checking tools let cybercriminals determine exactly which accounts, so that they can sell access to them (or steal the financial/personal information affiliated with them).

In addition, users can access or download account checkers available online in an attempt to gain free access to streaming platforms. Of course, using these tools comes with an increased risk of encountering malware. To find out how many users encountered various threats while using accounting checking tools for the five streaming platforms above, we looked at files that downloaded various threats and contained the name of one of the streaming platform plus the keywords “checker”, “brute”, or “cracker”. The results display those users (mobile or PC) that encountered various threats while coming across account checkers for Netflix, Hulu, Amazon Prime Video, Disney +, and Apple TV Plus.

Malware for original series

In addition, we examined malware affiliated with original programming on these platforms for the same time frame. The process was the same as that for malware related to streaming platforms. Using KSN, we searched for malicious programs bundled with files that contained the name of popular original television shows.

Disney +, by April 8, had one major original content release—The Mandalorian. However, the other—particularly Netflix—have wide original content libraries. We therefore selected those most popular/highly reviewed. Since many of these platforms don’t regularly publish viewing numbers, we used public sources, such as Rotten Tomatoes, IMDB, and Metacritic to develop the following list:

Disney +:

• The Mandalorian

Netflix:

• Sex Education
• Ozark
• Stranger Things
• The Witcher
• Love is Blind
• BoJack Horseman
• Orange is the New Black
• Tiger King

Amazon Prime Video:

• Catastrophe
• Fleabag
• Transparent
• Bosch
• The Expanse
• The Marvelous Mrs. Maisel
• The Man in the High Castle

Hulu:

• Castle Rock
• High Fidelity
• Little Fires Everywhere
• Veronika Mars
• The Handmaid’s Tale

Apple TV Plus:

• Servant
• Dickinson
• Ghostwriter
• The Morning Show

The results display those users (mobile or PC) that encountered various threats via malicious files that contained one of the above shows as a lure.

• Our Key Findings:A common phishing scheme involves asking users to confirm or update their payment information for a streaming platform account. Upon doing so, cybercriminals gain access to users’ financial information (credit card info/billing details).
• No Kaspersky users encountered threats while attempting to access Apple TV Plus.
• Netflix is, by far, the platform most frequently used by criminals as a lure to trick Kaspersky users into downloading various threats, either while they attempt to gain access to the platform, modify the application, or gather login info.
• When attempting to gain access to streaming platforms, 5,577 unique Kaspersky users encountered through links that used the name of legitimate platforms—Hulu, Netflix, Amazon Prime, or Disney +—as a lure or while attackers attempted to gain credentials of these platforms’ users.
• There were a total of 23,936 attempts to infect these 5,577 users
• The most frequent threat encountered for all attacks that used the name of one of the five streaming platforms above were different types of Trojans, which made up 47% of all encountered threats.
• The greatest number of attacks registered that contained the name of Netflix as a lure, came from Germany. For Amazon Prime: the United States. For Hulu: Dominican Republic. .
• 6,661 Kaspersky users encountered malware when coming across account checkers while trying to gain access to Hulu, Netflix, Amazon Prime, or Disney +.
• There were a total of 57,784 attempts to infect these 6,661 users
• The five original shows which were most often used by malware creators to attract the attention of potential victims and lure them into installing various threats were The Mandalorian, a Disney + original, followed by Netflix’s Stranger Things, The Witcher, Sex Education, and Orange is the New Black.
• More than half of the attacks (51%) disguised as one of the five shows most frequently used as a lure came from Spain.

Phishing for credentials

One of the oldest—and most effective ways—for stealing account credentials is through phishing. These criminals might not even be after access to your streaming account. Once they have your email address and password, they can use this information for various purposes: launching other spam or phishing attacks, gaining access to your other accounts (many times, people reuse passwords), or retrieving the billing and credit card information associated with the account.

Phishing scams related to streaming platforms include creating imitations of login pages as a way to harvest credentials. And Netflix remains the most popular target. Kaspersky researchers found fake Netflix login pages in four different languages (French, Portuguese, Spanish, and English). They also found imitations of Hulu.

Fake login page for Netflix in Spanish

Fake Hulu login page

With the launch of Disney +, cybercriminals found a new target: they began creating phishing pages to target potential customers.

Phishing page urging users to register for a free Disney + account in Italian

Such phishing scams are not surprising. In 2019, Kaspersky noted that criminals were more frequently exploiting major sporting and entertainment events to launch attacks. Users are baited with offers like free access to the final Game of Thrones season; to proceed, all they have to do is create a free account—and enter their billing information. These criminals used the same scheme when Disney + was launched to try to steal financial information.

A fraudulent offer for a free 1-year subscription to Disney +. If the user continues, they are prompted to input payment details, including the security digits on their credit card 

Another common, financially motivated type of attack revolves around tricking users to confirm their payment details or add their billing info. Of course, once this is done, the criminals gain access to the funds associated with the victims’ credit card and/or bank account. These attacks come both in the form of phishing pages created to look like they are from the actual platform (see below) and emails sent to users’ accounts.

Left: a fake Netflix payment page requesting a new payment method be added Right: a phishing scam asking the user to add their billing info to their Hulu account

The content of emails is similar: users are warned their payment method is either outdated or must be confirmed, and, if not done so soon, their account access or membership will be suspended. Those who fall for such scams are vulnerable to exposing their account credentials, bank account information, and credit card details.

Phishing email asking the recipient to provide a new, valid payment method for their Amazon Prime account

Phishing is an old—and often successful—method for cybercriminals to quickly and easily earn money. Given that the number of streaming service subscribers will only increase, it’s likely the number of phishing scams related to these platforms and the number of platforms targeted will only grow.

Download Your Favorite Streaming App — And Some Malware

Streaming services not only provide a prime target for spam and phishing scams, they also come in handy when trying to deliver malware. Of course, those who subscribe to streaming services through official channels and only use approved versions of the apps can, in most cases, avoid accidentally downloading malware or other threats. But those that look to receive access—by “hacking” accounts, downloading free versions, or collecting free subscriptions—are far more susceptible to downloading various threats in addition to access. Subscribers, too, are not immune. They can encounter malware when attempting to download any unofficial or modified version of the app (say, Netflix with a black, instead of a red, background). They can also fall victim to malware if cybercriminals attempt to steal their account credentials.

The number of unique Kaspersky users that encountered various threats containing the names of legitimate platforms as a lure while trying to watch popular streaming platforms through unofficial means are as follows:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Graph depicting the number of unique users that encountered various threats containing the names of popular streaming platforms while trying to gain access to these platforms through unofficial means between January 2019 and April 8, 2020 (download)

Netflix was the most common platform used by criminals as a way to lure users into downloading various threats by far, with Hulu being the second most popular and Amazon Prime the third. Only 28 users encountered various threats while trying to watch Disney + through unofficial means and none when trying to watch to Apple TV Plus.

Disney + is a newer service, which partially explains the low numbers. In addition, it’s available in far fewer countries than both Amazon Prime and Netflix—15 as opposed to more than 100. On the other hand, because Hulu is only available in the United States, anyone outside the country who wants to watch it has to do so via unofficial means—increasing their chances of encountering threats.

Apple TV Plus’ virtual absence may be due to the fact that many people received a free yearly subscription: all they had to do was buy new Apple TV hardware or any Apple device no earlier than September 10, 2019. Since most malware is downloaded when users try to gain access without a paid subscription, the more people with access to the service, the less malware that’s downloaded. While users may encounter malware while trying to convert DVD content or videos to a format that works on Apple TV, if they already have an Apple TV, they don’t need to scour unofficial sources for a way to watch Apple TV Plus.

In addition, Apple TV Plus has struggled to gain a foothold in the streaming battle. Research suggests that fewer than 10% of the users eligible for the free one-year subscription actually took advantage. And, while being available in more than 100 countries, there could be as little as 10 million subscribers. Given its relatively low popularity, it’s not surprising that it’s not a source of significant malware activity.

The total number of attempts to infect users trying to gain access to popular streaming platforms via unofficial means by using the names of these platforms as a lure was 23,936.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Graph depicting number of attempts to infect users trying to gain access to popular streaming platforms by using the names of these platforms as a lure between January 2019 and April 8, 2020 (download)

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Percent distribution of different types of threats disguised under the name of popular streaming platforms encountered by users between January 2019 and April 8, 2020 (download)

The most common threat encountered by users while trying to watch streaming platforms through unofficial means (47%) is also the most dangerous—Trojan. These types of malicious files allow cybercriminals to do everything from deleting and blocking data to interrupting the performance of the computer. Some of the Trojans distributed were Spy Trojans—particularly dangerous malicious files that track the users’ actions on the infected device. With spyware, users are susceptible to having their personal files and photos collected, as well as login and password information for their financial accounts.

The second most common threat encountered was “not-a-virus“—either riskware or adware. Riskware can range from download managers to remote administration tools and adware does exactly what it sounds like—bombards users with unwanted ads.

Somewhat alarming is the sizable percentage of users that encounter backdoors. These malicious files allow criminals to gain remote control over the device and carry out nearly any tasks they desire, including making the computer part of a botnet or zombie network.

Threats Encountered Per Region

Countries with the Greatest Number of Registered Attacks: Hulu

Dominican Republic 10.5% United States 10.4% Indonesia 5.6% India 4.9% China 4.5%

Threats spread using the name Hulu as a lure while trying to watch the platform through unofficial means are distributed worldwide. The second greatest number of attacks came from United States, which isn’t surprising. Given that it’s a US service, it’s well-known in the country, meaning it would be popular target for cybercriminals.

Countries with the Greatest Number of Registered Attacks: Netflix

Germany 11.2% Algeria 8.2% India 7.8% Brazil 7.8% France 4.3%

For Netflix, users worldwide encounter various threats. The greatest number of attacks came from Germany. This could be due to the fact Germany is one of the ten most popular countries for Netflix.

Countries with the Greatest Number of Registered Attacks: Amazon Prime Video

United States 36.5% India 17.8% Germany 15.1% Brazil 4.3% Philippines 2.8%

Users around the world encounter threats when attempting to watch Amazon Prime Video through unofficial means, with the largest number of attacks coming from the United States (36.5%)—Amazon’s biggest market. Germany is Amazon’s largest foreign market, which explains the high number of users that encounter various threats, and India became a major focus for Amazon in 2018. 76.5% of all attacks that contained mentions of Amazon Prime came from these five countries.

Countries with the Greatest Number of Registered Attacks: Disney +

Algeria 30% Netherlands 14% Saudi Arabia 8.5% India 7.7% Ireland 7.7%

The greatest number of infection attempts registered that used the name Disney + came from Algeria (30%). The service is not available in Algeria, meaning anyone who tries to watch it must do so illegally—increasing their chances of encountering malicious files. The same is true for Saudi Arabia.

A Closer Look at Checkers:

At the same time Disney + subscribers were finding out their accounts had been hacked and they were locked out, those same accounts started popping up on hacker forums. In fact, selling streaming service accounts on the black market is big business, dating back years. Anyone interested in purchasing a streaming service account can simply search “Free Netflix Accounts” or “Purchase Cheap Hulu Subscriptions” in their Google browser and numerous results pop up.  There are whole websites dedicated to the sale of discounted account logins.

Credentials are harvested in a number of ways. The most common is through phishing emails and fake websites (see above). In 2016, Trend Micro uncovered a scheme where Netflix users were tricked into clicking on malicious links sent via email; once clicked, the attached malware automatically collected their account login information. Using this scam, the attackers collected more than 300,000 passwords that they then sold.

A common attack tool of choice for collecting credentials is what’s called an account checker. Account checkers test passwords that have been uncovered from a breach or dump site at different websites to see if they provide access to an account. Once a matching pair is found (say an email and password for a working Amazon Prime account), then the criminals can take over the account—and any financial information stored within—and sell the credentials online.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Graph depicting the number of unique users that encountered various threats bundled with account checkers for popular streaming platforms between January 2019 and April 8, 2020 (download)

Not only do professional criminals use checkers, but those simply looking for streaming account access can also encounter them, whether intentionally or unintentionally. Unfortunately, such tools often come bundled with different types of threats, including malware. Between January 2019 and April 8, 2020, 6,661 Kaspersky users encountered various threats when coming across account checkers while looking for ways to gain access to various streaming platforms. In total, there were 57,784 attempts by criminals to infect these users through account checkers. Once again, Netflix was the most targeted platform for account checkers, with 6,292 users being exposed to cyber threats in this way and 52,899 infection attempts registered.

The second most common platform for users to encounter threats when coming across account checkers was Hulu. This could, once again, be attributed to the fact that, currently, Hulu is only available in the United States. That means that, for many, the only way to gain access is by either harvesting credentials or purchasing free subscriptions.

When it comes to Amazon Prime, few users encountered threats associated with account checkers. This might be due to the subscription model of Amazon: Amazon Prime Video comes as part of a bundle for any Amazon account holder that has a Prime subscription. Those looking to gain access to Amazon Prime Video might be looking for credentials for general Amazon accounts, rather than Amazon Prime Video in particular.

No users encountered threats from account checkers associated with Apple TV Plus. Of course, this might be due to the fact that Apple was giving out free one-year subscriptions.

The threat behind original content

Streaming services like Netflix made their name not only from streaming third parties’ movies and TV shows but producing their own content. Some of Netflix’s most popular shows are originals, and it will pay an estimated $17.3 billion for original content this year. Services like Apple TV Plus followed suit; the latter invested $6 billion in its original content for the launch. For those who want to see these original shows but not pay $5-$10 dollars a month on a subscription, the only way to watch them is by downloading them from a third party. This, of course, carries a risk of downloading malware.

In terms of the number of unique users affected, the 10 original shows (among the 25 mentioned in the Methodology section of this report) most frequently used by criminals as a lure to distribute various threats, including malware, were as follows:

The Mandalorian (Disney +) 1614 Stranger Things (Netflix) 1291 The Witcher (Netflix) 1076 Sex Education (Netflix) 420 Orange is the New Black (Netflix) 253 Ozark (Netflix) 177 The Man in the High Castle (Amazon Prime Video) 142 The Expanse (Amazon Prime Video) 119 Fleabag (Amazon Prime Video) 102 Castle Rock (Hulu) 99

The ten original shows from Amazon Prime, Apple TV Plus, Hulu, Netflix, and Disney + most frequently used as a lure to distribute various threats and the number of unique users that encountered various threats

The show most frequently used as a lure was The Mandalorian (1614), an original show launched by Disney + in 2019. It became the platform’s first original hit, and the most in-demand streaming series in November of last year. Stranger Things (1291), followed closely by The Witcher (1076), had the second and third greatest number of users that encountered various threats, respectively. Sex Education was a distant fourth with 420. When it comes to the 10 original shows used as lure where the greatest number of users encountered various threats, 5 came from Netflix, 3 from Amazon Prime Video, 1 from Hulu, and 1 from Disney +.

Netflix has the largest catalogue of original content, so it’s not surprising that its shows would more frequently be used to disguise malicious files. Stranger Things is one of the most popular shows on the platform: the launch of its third season witnessed a record of 26.4 million viewers in just four days. The Witcher was also a huge hit for Netflix, with reportedly 76 million people worldwide watching at least the first two minutes. Sex Education, which has two seasons, had an estimated 40 million viewers for the first season.

A Closer Look at the Five Shows Most Frequently Used as a Lure:

4,502 Kaspersky users encountered malware spread under the guise of the five shows most frequently used as a lure by criminals (The Mandalorian, Stranger Things, The Witcher, Sex Education, Orange is the New Black). The first is a Disney + original, while the other four are from Netflix.

There were a total of 18,947 attempts to infect these users using the above five shows as a lure, with the greatest number of attempts using the name The Mandalorian (5855).

The distribution of the specific threats encountered are as follows:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Percent distribution of the different types of threats encountered by users disguised under the name of one of the five most popular shows used as a lure by criminals (download)

Nearly two thirds of the threats encountered (74%) were Trojans. The types of Trojans varied widely and included everything from Spy Trojans, Trojan-Droppers, and Trojan Downloaders, to Ransomware Trojans, banking Trojans (those designed to steal money from your account), and Trojan-PSWs (those designed to logins and passwords). The second most common threat encountered were “not-a-virus” files. A small number of generic malware (Dangerous Objects), backdoors, and exploits were also among the malicious programs encountered.

The countries where the greatest number of various threats distributed under the guise of these five shows were detected are as follows:

Spain 51.2% Russia 17.6% India 2.7% South Africa 2% Belarus 1.9% Ethiopia 1.8% Algeria 1.8% Turkey 1.5% Kenya 1.4% Philippines 1.4%

More than half attacks registered that were disguised under the name of one of the five shows most frequently used as a lure came from Spain. In March, Disney + announced that it would be entering into a strategic alliance with Spain’s Telefónica—one of the world’s largest telephone operators—to launch on the country’s biggest subscription video on demand service, Movistar Plus. Most likely, this means that Disney + has attracted significant attention in Spain, and, thus, it’s not a surprising a large number of people would want to download its most popular show. In addition, Netflix is the second largest pay-TV platform in Spain after Movistar. The ten countries where the greatest number of attacks disguised under the name of one of the five shows most frequently used as lure by criminals were registered (i.e. The Mandalorian, Stranger Things, The Witcher, Sex Education, and Orange is the New Black)

A significant portion of attacks (17.6%) came from Russia, while the third greatest number came from India. Disney + launched as part of India’s local streaming service Hotstar and was reported to have amassed 8 million subscribers by April. Netflix has also expanded significantly in India, as well, over the past several months.

Looking Ahead

The streaming wars have only just begun—and so too has the various cybercrime associated with it. The global pandemic and subsequent surge in subscribers has only provided additional impetus for cybercriminals to target these platforms.

A growing number of platforms also makes users more vulnerable to cyberattacks: the more subscriptions users have, the harder it is to monitor them for suspicious activity, especially if one is no longer used but the subscription remains active. In addition, people tend to reuse passwords, meaning if criminals gain credentials for one account, they could potentially use the same information to access other streaming accounts—and collect the personal and financial information affiliated with them as they go.

What’s more, purchasing streaming content is becoming a big expense. Each individual subscription can range from $6 to $12 a month. In fact, if you wanted access to all five of the streaming platforms analyzed here, that would cost you $36.00 dollars a month—and that doesn’t include subscriptions to any other local channels or local platforms. The more platforms there are, the more subscriptions users will need to purchase to watch all their favorite content, meaning the more they will have to spend—money they might not have. In other words, the more expensive streaming becomes, the more users will be inclined to find less expensive ways to access these services—purchasing discounted accounts, using account checkers, falling for free subscriptions scams, etc. This makes them more vulnerable to malware and other cyber threats.

In terms of the platforms most frequently used as a lure when tricking users into downloading various threats, Netflix is still, by far, the most targeted—whether it’s luring people who are trying to gain access to the platform or watch its original shows. Worldwide, Netflix has the greatest number of subscribers (it’s hard to know how many people watch Amazon Prime Video because Amazon simply counts the total number of Prime members). However, this could change as newer platforms grow their subscriber base. Disney + amassed 54.5 million subscribers in just sixth months—signaling that it could become a huge competitor to Netflix. As certain shows and platforms shift in popularity, so will the prime targets of cybercriminals attacks.

No matter the platform or the show you choose to watch, it’s important to take certain precautions to stay safe.

In order to stay safe from phishing scams related to streaming platforms, Kaspersky experts recommend:

• Look carefully at the sender’s address: if it comes from a free e-mail service or contains meaningless characters, it’s most likely fake
• Pay attention to the text: well-known companies wouldn’t send emails with poor formatting or bad grammar
• Don’t open attachments or click on links in emails from streaming services particularly, if the sender insists upon it. It’s better to go to the official website directly and log into your account from there
• Be wary of any deals that seem too good to be true, such as a “one-year free subscription”
• Do not visit websites until you are sure they are legitimate and start with ‘https’
• Once on a website, check that it is authentic
  • Double-check the format of the URL or the spelling of the company name, as well as read reviews and check the domain’s registration data before starting any downloads
• Use a reliable security solution like Kaspersky Security Cloud that identifies malicious attachments and blocks phishing sites

To protect yourself from malware when trying to watch streaming platforms or their original series:

• Whenever possible, only access streaming platforms via your own, paid subscription on the official website or app from official marketplaces
• Do not download any unofficial versions or modifications of these platforms’ applications
• Use different, strong passwords for each of your accounts
• Using a reliable security solution like Kaspersky Security Cloud that delivers advanced protection on all your devices

BlackRock, based on the Xerxes source code, can steal info not only from financial apps but also TikTok, Tinder, Instagram, Uber and many others.

'Coordinated social engineering attack’ paved the way for miscreants to tweet out Bitcoin scam to millions

Twitter has offered its initial analysis of the Wednesday mass hijacking of prominent twits' accounts – and suggested it all kicked off after its staff fell for social engineering.…

Details start to emerge on real-world impact of Prez-signed secret memo

The CIA is running a secret cyberwar including Russian-style hack-and-leak operations with little or no oversight, US officials have warned.…

Twitter is investigating a rash of fraudulent tweets from prominent accounts - don't fall for these scams!

The Twitter accounts of Bill Gates, Elon Musk, Joe Biden, Apple and Uber have each been hijacked at the same time to push a cryptocurrency scam in an unprecedented breach of Twitter accounts.

Miscreants have already obtained more than $110K from the credulous

Updated  The Twitter accounts of Microsoft co-founder Bill Gates, Tesla CEO Elon Musk, and other celebrities were briefly taken over on Wednesday, along with the accounts of various cryptocurrency businesses and affiliated executives, to promote a Bitcoin scam.…

Agility is a casualty when you own most of the enterprise email market

Sponsored  Microsoft 365 is so ubiquitous these days that it's difficult to avoid. It succeeded in part because it filled a yawning gap in email, adding security to a technology that had little of it in its original form. In spite of the extra controls that it offers, though, customer data breaches keep happening. Why?…

Admins sent scrambling after software mysteriously starts crashing

Updated  Microsoft's desktop email client Outlook has stopped working worldwide for countless users, whether they are using it with an on-premises Exchange server or with the Office 365 cloud.…

The bug can definitely crash your Windows DNS servers, and it could end up being used for much worse than that. Please patch now!

Four sophisticated malware families are ramping up their techniques and actively spreading to new countries, including the U.S.

Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols

On June 17, we hosted our first “GReAT Ideas. Powered by SAS” session, in which several experts from our Global Research and Analysis Team shared insights into APTs and threat actors, attribution, and hunting IoT threats.

Here is a brief summary of the agenda from that webinar:

• Linking attacks to threat actors: case studies by Kurt Baumgartner
• Threat hunting with Kaspersky’s new malware attribution engine by Costin Raiu
• Microcin-2020: GitLab programmers ban, async sockets and the sock by Denis Legezo
• The next generation IoT honeypots by Dan Demeter, Marco Preuss, and Yaroslav Shmelev

Sadly, the two hours of the session were not enough for answering all of the questions raised, therefore we try to answer them below. Thanks to everyone who participated, and we appreciate all the feedback and ideas!

Questions about threat actors and APTs

1. How do you see Stonedrill deployment comparing now? Its discovery was based on lucky structural similarities with Shamoon, but do you see it actively used or correlating to the spread of this malware?

   There is some 2020 activity that looks like it could be Stonedrill related, but, in all likelihood, it is not. We are digging through details and trying to make sense of the data. Regardless, wiper activity in the Middle East region from late 2019 into early 2020 deployed code dissimilar to Stonedrill but more similar to Shamoon wipers. We stuck with the name “Dustman” – it implemented the Eldos ElRawDsk drivers. Its spread did not seem Stonedrill related.

   At the same time, no, the Stonedrill discovery was not based on luck. And, there are multiple overlaps between Shamoon 2.0 and Stonedrill that you may review under “Download full report” in ‘From Shamoon to StoneDrill‘ blogpost. You might note that Stonedrill is a somewhat more refined and complex code, used minimally.

   While the Shamoon spreader shared equivalent code with Orangeworm’s Kwampirs spreader, and are closely linked, we have not seen the same level of similarity with Stonedrill. However, several of the Shamoon 2.0 executables share quite a few unique genotypes with both Stonedrill and Kwampirs. In the above paper, we conclude that Stonedrill and Shamoon are most likely spread by two separate groups with aligned interests for reasons explained in the report PDF. Also, it may be that some of the codebase, or some of the resources providing the malware, are shared.

2. Do the authors of Shamoon watch these talks?

   Perhaps. We know that not only do offensive actors and criminals attempt to reverse-engineer and evade our technologies, but they attempt to attack and manipulate them over time. Attending a talk or downloading a video later is probably of interest to any group.

3. Are there any hacker-for-hire groups that are at the top level? How many hacker-for-hire groups do you see? Are there any hacker-for-hire groups coming out of the West?

   Yes. There are very capable and experienced hack-for-hire groups that have operated for years. We do not publicly report on all of them, but some come up in the news every now and then. At the beginning of 2019, Reuters reported insightful content on a top-level mercenary group and their Project Raven in the Middle East, for example. Their coordination, technical sophistication and agile capabilities were all advanced. In addition to the reported challenges facing the Project Raven group, some of these mercenaries may be made up of a real global mix of resources, presenting moral and ethical challenges.

4. I assume Sofacy watches these presentations. Has their resistance to this analysis changed over time?

   Again, perhaps they do watch. In all likelihood, what we call “Sofacy” is paying attention to our research and reporting like all the other players.

   Sofacy is an interesting case as far as their resistance to analysis: their main backdoor, SPLM/CHOPSTICK/X-Agent, was modular and changed a bit over the course of several years, but much of that code remained the same. Every executable they pushed included a modified custom encryption algorithm to hide away configuration data if it was collected. So, they were selectively resistant to analysis. Other malware of theirs, X-Tunnel, was re-coded in .Net, but fundamentally, it is the same malware. They rotated through other malware that seems to have been phased out and may be re-used at some point.

   They are a prolific and highly active APT. They added completely new downloaders and other new malware to their set. They put large efforts into non-executable-based efforts like various credential harvesting techniques. So, they have always been somewhat resistant to analysis, but frequently leave hints in infrastructure and code across all those efforts.

   Zebrocy, a subset of Sofacy, pushed malware with frequent changes by recoding their malware in multiple languages, but often maintain similar or the same functionality over the course of releases and re-releases. This redevelopment in new and often uncommon languages can be an issue, but something familiar will give it away.

5. Have we seen a trend for target countries to pick up and use tools/zero-days/techniques from their aggressors? Like, is Iran more likely to use Israeli code, and vice versa?

   For the most part, no, we don’t see groups repurposing code potentially only known to their adversary and firing it right back at them, likely because the adversary knows how to, and probably is going to watch for blowback.

   Tangentially, code reuse isn’t really a trend, because offensive groups have always picked up code and techniques from their adversaries, whether or not these are financially motivated cybercriminal groups or APT. And while we have mentioned groups “returning fire” in the past, like Hellsing returning spear-phish on the Naikon APT, a better example of code appropriation is VictorianSambuca or Bemstour. We talked about it at our T3 gathering in Cancun in October. It was malware containing an interesting zero-day exploit that was collected, re-purposed, touched up and re-deployed by APT3, HoneyMyte and others. But as far as we know, the VictorianSambuca package was picked up and used against targets other than its creator.

   Also, somewhere in the Darkhotel/Lazarus malware sets, there may be some code blowback, but those details haven’t yet been hammered out. So, it does happen here and there, maybe out of necessity, maybe to leave a calling card and shout-out, or to confuse matters.

6. If using API-style programming makes it easier to update malware, why don’t more threat actors use it?

   I think here we are talking about Microcin last-stage trojan exported function callbacks. Nobody could tell for sure, but from my point of view, it’s a matter of the programmer’s experience. The “senior” one takes a lot into consideration during development, including architectural approach, which could make maintenance easier in the future.

   The “junior” one just solves the trojan’s main tasks: spying capabilities, adds some anti-detection, anti-analysis tricks, and it’s done. So maybe if the author has “normal” programming experience, he carefully planned data structures, software architecture. Seems like not all of the actors have developers like that.

7. Have you seen proxying/tunneling implants using IOTs for APT operations, such as the use of SNMP by CloudAtlas? Do you think that’s a new way to penetrate company networks? Have you ever encountered such cases?

   We watched the massive Mirai botnets for a couple years, waiting to see an APT takeover or repurposing, and we didn’t find evidence that it happened. Aside from that, yes, APT are known to have tunneled through a variety of IOT to reach their intended targets. IOT devices like security web cams and their associated network requirements need to be hardened and reviewed, as their network connections may lead to an unintended exposure of internal resources.

   With elections around the world going on, municipalities and government agencies contracting with IT companies need to verify attack surface hardening and understand that everything, from their Internet-connected parking meters to connected light bulbs, can be part of a targeted attack, or be misused as a part of an incident.

8. How often do you see steganography like this being used by other actors? Any other examples?

   Steganography isn’t used exclusively by the SixLittleMonkeys actor for sure. We could also mention here such malware as NetTraveller, Triton, Shamoon, Enfal, etc. So, generally, we could say the percentage of steganography usage among all the malicious samples is quite low, but it happens from time to time.

   The main reason to use it from malefactors’ point of view is to conceal not just the data itself but the fact that data is being uploaded or downloaded. E.g. it could help to bypass deep packet inspection (DPI) systems, which is relevant for corporate security perimeters. Use of steganography may also help bypass security checks by anti-APT products, if the latter cannot process all image files.

Questions about KTAE (Kaspersky Threat Attribution Engine)

For more information, please also have a look at our previous blogpost, Looking at Big Threats Using Code Similarity. Part 1, as well as at our product page.

9. What are “genotypes”?
   Genotypes are unique fragments of code, extracted from a malware sample.
10. How fine-grained do you attribute the binaries? Can you see shared authors among the samples?
    KTAE does not include author information per se. You can see shared relevant code and strings overlaps.
11. Are genotypes and YARA rules connected?
    Not directly. But you can use genotypes to create effective YARA rules, since the YARA engine allows you to search for byte sequences.
12. How many efforts do you see for groups to STEAL+REUSE attribution traces on purpose?
    We have seen such efforts and reported about them, for example with OlympicDestroyer
13. How do you go about removing third-party code sharing?
    We incorporated our own intelligence to only match on relevant parts of the samples.
14. Do genotypes work on different architectures, like MIPS, ARM, etc.? I’m thinking about IoT malware.
    Yes, they work with any architecture.
15. What determines your “groundtruth”?
    Groundtruth is a collection of samples based on our 20+ years of research and classification of malware.
16. Can KATE be implemented in-house?
    We offer multiple options for deploying KTAE. Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool.
17. For the attribution engine, would you expect APT-group malware authors to start integrating more external code chunks from other groups to try to evade attribution?
    We see such behavior; please refer to Question 12 above.
18. Do you feel more manufacturers will follow Kaspersky’s suit in letting victims know the threat actors behind malware detections on endpoints?
    At the moment, KTAE is a standalone solution not integrated in endpoints.
19. What is the parameter for looking at the similarity in malware code? Strings? Packer? Code? What else?
    KTAE uses genotypes to match similarities.
20. How do I make a difference, if for example, I am a threat actor and reuse the code form some APT Group? How to define it is really the same actor and not just an impersonator who used the same code or malware, or reused the malware for my operation?
    KTAE handles code similarities for malware samples to provide relevant information on that basis. Further information to be used for attribution may be TTPs, etc. for which you may find our Kaspersky Threat Intelligence Services helpful.
21. I guess the follow-up is,- will they be able to evade the attribution after watching these webinars, learning about the attribution engine?
    It’s known that such techniques can be used to do technical attribution on malware-sample basis. Attempts at evading these would mean knowing all the details and metrics and database entries (including updates) to check against something rather complex and difficult.
22. Can you start taking the samples submitted by CYBERCOM and just post publicly what KTAE says in the future?
    We are posting certain interesting findings, e.g. on Twitter.
23. How do we buy KTAE? Is it a private instance in our own org or hosted by you?
    We offer multiple options for deploying KTAE. Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool.
24. Can you expand on how you identify a genotype and determine that it is unique?
    Genotypes are unique fragments of code, extracted from a malware sample. As for uniqueness, there is a good reference: the Fruit Ninja Game. We played Fruit Ninja and extracted (sliced) genotypes from all good programs that are known to us, then we did the same with malicious samples and samples marked as APTs. After that operation, we knew all genotypes that belonged to good programs and removed them from the databases that belonged to bad ones. We also save the numbers of times genotypes appear in the samples, so we can identify the really unique stuff.
25. How many zero-day vendors do you see with this engine?
    KTAE is not handling vulnerabilities but only code fragments and such, for similarity checks.
26. In the future, do you see a product like KTAE being integrated into security offerings from Kaspersky, so that samples can be automatically scanned when detected as an alert, as opposed to individually uploading them?
    We are planning to do cross-product integration.
27. Have you run The Shadowbrokers samples through KTAE and if so, were there any unexpected overlaps?
    Yes, we did. We found an overlap between Regin samples and cnli-1.dll
28. Could it be easy for a threat actor to change code to avoid KTAE identification?
    Theoretically, yes. Assuming they produce never-before-seen genotypes, KTAE might miss classifying that malware. With that being said, generating completely new genotypes requires a lot of time and money, plus a lot of careful work. We wish threat actors good luck with that. ????
29. When you attribute a campaign, do you also consider some aspects relating to sociopolitical events?
    At Kaspersky, we only do technical attribution, such as based on similarities in malware samples or TTPs of groups; we don’t do attribution on any entity, geopolitical or social level.

Questions about IoT threats and honeypots

If you want to join our honeypot project, please get in touch with us at honeypots@kaspersky.com.

30. Do you have any IoT dataset available for academia?
    Please get in touch with us via our email address listed above (honeypots@kaspersky.com).
31. How does a system choose which honeypots to direct an attack at?
    We developed this modular and flexible infrastructure with defined policies to handle that automatically, based on the attack.
32. Okay, so, soon, IoT malware will do a vmcheck before it loads…. Then what?
    In our honeypots, we use our own methods to defeat anti-VM checks. Depending on future development of malware, we are also prepared to adjust these to match actual vmcheck methods.
33. Do the honeypots support threat intelligence formats like STIX and TAXII?
    Currently, such a feature is not available yet. If there is interest, we can implement this to improve the use for our partners.
34. Can anyone partner with you guys? Or do they need certain visibility or infrastructure to help out?
    Anyone with a spare IP-address and able to host a Linux system to receive attacks can participate. Please get in touch with us at honeypots[at]kaspersky[dot]com.

Questions about Kaspersky products and services

35. What new technology has Kaspersky implemented in their endpoint product? As EDR is the latest emerging technology, has Kaspersky implemented it in their endpoint product?
    Kaspersky Endpoint product contains EDR besides other cutting-edge technologies. There are more details listed here on the product page.
36. What do you think of the Microsoft Exchange Memory Corruption Vulnerability bug? How can Kaspersky save the host system in such attacks?
    We should know the CVE number of the bug the question refers to. From what we know, one of “loud” bugs that was fixed recently was CVE-2020-0688. It is referenced here. We detect this vulnerability in our products using the Behavior Detection component with the verdict name: PDM:Exploit.Win32.GenericAlso, Kaspersky products have vulnerability scanners that notify you about vulnerabilities in installed software, and we also provide a patch management solution for business environments that helps system administrators handle software updates for all computers and servers on the corporate network.
37. How can a private DNS protect the Host System from attacks?
    While DNS is a key component of the Internet, disrupting DNS queries can impact a large portion of Internet users. We know for sure the people running DNS Root servers are professionals and know their job really well, so we are not worried that much about Root servers being disrupted. Unfortunately, attackers sometimes focus on specific DNS resolvers and manage to disrupt large portions of the Internet, as in the 2016 DDoS against the Dyn DNS resolver. Although it is limited in its use, a private DNS system can protect against large DDoS attacks, because it will be private and may be harder to reach by the attackers.

Advanced questions raised

We are not afraid of tough questions; therefore, we did not filter out the following ones.

38. Where can we get one of those shirts Costin is wearing?
    We are about to launch a GReAT merchandise shop soon – stay tuned.
39. Who cut Jeff’s hair?
    Edward Scissorhands. He’s a real artist. Can recommend.
40. Did Costin get a share from the outfits found in the green Lambert’s house when it got raided?
    We can neither confirm nor deny.
41. Who is a better football team, Steelers or Ravens?
    Football? Is that the game where they throw frisbees?

We hope you find these answers useful. The next series of the GReAT Ideas. Powered by SAS webinars, where we will share more of our insights and research, will take place on July 22. You can register for the event here: https://kas.pr/gi-sec

As we promised, some of the best questions asked during the webinar will be awarded with a prize from the GReAT Team. The winning questions are:
“Are there any hacker for hire groups that are at the very top level? How many hackers-for-hire groups do you see? Are there any hacker for hire groups coming out of the west?”
“Can you expand on how you identify a genotype and determine that it is unique?”

We will contact those who submitted these questions shortly.

Feel free to follow us on Twitter and other social networks for updates, and feel free to reach out to us to discuss interesting topics.

On Twitter:

• Costin Raiu: @craiu
• Kurt Baumgartner: @k_sec
• Denis Legezo: @legezo
• Dan Demeter: @_xdanx
• Marco Preuss: @marco_preuss
• Yury Namestnikov: @SomeGoodOmens

 

Marian Rejewski's cyclometer recreated in hardware for first time in decades

A Cambridge post-graduate student has recreated the "cyclometer", the decryption device devised by Polish mathematicians that informed Alan Turing's later code-breaking efforts.…

Says third party holding some business contact information has had trouble but its own infrastructure remains safe

Citrix has taken the unusual step of rebutting dark web discourse that alleges its networks have been compromised.…

You'll want to patch that – and all these other bugs fixed by Microsoft, Oracle, Adobe, VMware, SAP, Google

Mega Patch Tuesday  Microsoft on Tuesday patched a wormable hole in its Windows Server software that can be exploited remotely to completely commandeer the machine without any authorization. It was one of hundreds of security bugs squashed today by Redmond along with Oracle, Adobe, VMware, SAP and Google.…

Eighteen critical bugs, impacting Windows Server, Office and Outlook, were fixed as part of the patch roundup.