The UK and other European countries are being targeted by a massive wave of junk emails spreading Locky and other ransomware, say researchersComputer security researchers have warned of a massive wave of junk emails affecting accounts primarily in Europe, but also in North America and Asia, that distribute an attachment designed to install a ransomware variant known as Locky.At the same time, the developers behind Locky have begun using increasingly sophisticated measures to evade security systems, researchers said.ESET considers ransomware one of the most dangerous cyberthreats at present, a fact that seems unlikely to change in the foreseeable future, the company said in an advisory.The JavaScript attachment arrives in a .zip file attached to an email, and if triggered the file attempts to download ransomware programs such as Locky, ESET said.The firm recommended user vigilance and the use of multiple layers of security to help stop ransomware infections.The centre, known as Mantralaya, carries out the administration of the state of Maharashtra in western India.
The cybercrooks behind ransomware Dridex and Locky have started distributing a new file-scrambling software nasty dubbed Bart.This precursor malware is distributed as script code in email attachments, says security firm Proofpoint."If opened, these attachments download and install the intermediary loader RockLoader previously discovered by Proofpoint and used with Locky , which in turn downloads the new ransomware called 'Bart'."Prior to creating documents explaining how to pay the ransom and unscramble the encrypted files, the malware determines the user's system language."This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, it is unlikely that Bart will remain this localized," according to Proofpoint.More details of the threat – including screenshots – can be found in a blog post here.
Your browser does not support HTML5 videoPlayPausePlayPauseMute0%00:00 / 00:00FullscreenSmallscreen Close Embed Feed Hacking your money: Cloning credit cards, stealing bitcoin and spoofing Verified by Visa IBTimes UKCanada has been hit by several major banking Trojans targeting businesses and citizens alike.Six different malware variants have been uncovered by security researchers, including Dridex, Zeus, Kronos, Gootkit, Ursnif and Vawtrak.Security firm Proofpoint detected the surge in banking Trojans directed at Canada, adding that while it was not uncommon for threat actors to target Canadian businesses and residents, the "volume and diversity" of the recent campaigns indicate a notable rise.Hackers are believed to be using mainly malicious Microsoft Word documents in spam emails to infect users' systems.Proofpoint Threat Operation Centre VP Kevin Epstein told IBTimes UK: "Like the other major industrialised nations, Canada is a wealthy country with a robust banking system and widespread adoption of automation and online services for banking, social media, productivity, and many other activities.
A security firm says it's already discovered a version of the game containing malwareThe Pokemon Go game on Google Play.The new smash-hit game "Pokemon Go" could become bait for hackers wanting to take over your phone.Researchers at security firm Proofpoint have already found an Android version of the game containing malware.Once installed, it uses a remote access tool called DroidJack that can give a hacker full access to the phone, Proofpoint said Thursday.The company hasn t yet seen the infected game in the wild, but it shows that hackers are already hard at work targeting it.
AdGholas malvertising campaign closes after pulling in at least a million victim computers a dayA massive malvertising operation has closed down after security researchers Proofpoint discovered it utilised highly sophisticated techniques to remain undetected for over a year.Proofpoint researchers revealed in a blog post that the AdGholas campaign utilised sophisticated techniques filtering and steganography to help it operate in the shadows for over a year.But it now has been closed down, after Proofpoint teamed up with Trend Micro to work out the technique behind steganography.This is a method of hiding code inside images, and is thought to be the first time this technique has been used in a malvertising campaign.While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising, warned Proofpoint in its blog.
CryptFile2 lures victims with a link to cheap flightsA large-scale ransomware campaign is targeting US government agencies with hundreds of thousands of emails containing embedded malicious URLs instead of the more common method of attaching infected files to the message.Originally discovered by cybersecurity researchers in March, the CryptFile2 ransomware campaign behaved like others, spreading via exploit kits downloaded from infected files.But now Proofpoint researchers have observed that the ongoing campaign has adapted its technique to deliver ransomware via embedded URL links, opening up a degree of targeting not available before.The new variant of CryptFile2 began appearing this month, using convincing-looking faked emails claiming to be from a legitimate travel website and offering deals on flights.But if a recipient clicks on the email link, they're directed to download Microsoft Word documents which then use social engineering techniques to trick the user into enabling malicious macros.
Spammers and cybercrooks are big fans of the Republican candidateDonald Trump on stage at the CNBC republican presidential debate in Boulder, Colorado, on Oct. 28, 2015.As the U.S. presidential election nears, Donald Trump is emerging as the clear winner -- at least when it comes to having his name used in spam messages.Spammers and cyber attackers are using Trump's name far more than Hillary Clinton's in emails pushing get rick quick schemes or phishing for personal information, according to an analysis from Proofpoint.The security firm scanned the subject line of emails received by its customers in June and July looking for occurrences of "trump" or "clinton," and found that the Republican nominee appeared in 169 times as many emails as his Democratic opponent.Proofpoint An example of the Trump-themed spam
Zero revenue and a long record of losses is proving no hindrance to bulls on MGT Capital Investments Inc., a stock that has spent almost four months clinging to gains from a 10-fold rally that followed the hiring of John McAfee.Though something less than a megacap with an $87.7 million market value, gone are the days when the Harrison, New York-based company was condemned to a penny stock existence.MGT surged above $3 in May and has barely budged since after saying it planned to bring on the anti-virus guru as chief executive to change it from a video game maker into a cybersecurity firm.Short interest has also proven durable in MGT, which listed no revenue in a quarterly update published Aug. 16 and a net loss of $6.1 million that swelled from less than $1 million a year ago.A day earlier, in a filing with the government, MGT said its history of losses cast doubts on its ability to continue as a going concern and noted that its current CEO doesn t think the company s disclosure controls and procedures are functioning effectively.As is true with many a microcap, a spirited debate is occurring on internet stock sites among fans and detractors of MGT, with bulls pointing to McAfee s hiring and the pending acquisition of something called D-Vasive Inc., a Wyoming company that MGT says is developing anti-spy applications.A statement from McAfee in the press release said the company would move forward on several of the proposed events following a shareholder vote on Sept. 8.Gur Talpaz, an analyst at Stifel Nicolaus, said by phone.He covers bigger industry players such as Symantec Corp. and Proofpoint Inc. MGT is looking at the big themes in the space and trying to latch on to that, but you cannot just overnight become a cybersecurity firm.
Cyber criminals are using the Kelihos botnet to extort Bitcoin payments out of the ransomware s victimsRansomware targeting US government agencies and education institutions, has been discovered by cyber security researchers from Proofpoint.Dubbed MarsJoke, the ransomware was uncovered in late August and found to be hiding behind email that convincingly resembled those from a major yet unnamed national US airline.This is a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware, the researchers said.The messages in this campaign used a convincing email body and had a variety of Subject lines referencing a major national air carrier, adding an air of legitimacy to the lures with stolen branding.The ransomware appears to have used Kelihos, a well-known botnet, for its distribution and spreads an email to its victims about a tracked parcel from the airline carrier prompting them to click on a link in the email to track the parcel.
Cybercrooks are posing as customer support staff from UK banks in a ruse designed to hoodwink gullible customers out of their credentials.The social media phasing scam relies on the creation of bogus Twitter profiles, such as @BarclaysHelpUK real example, now suspended .Customers are already expecting a response from a targeted brand, hence the response rate to so-called Angler phishing attacks can be high, email security firm Proofpoint warns.Cyber criminals create convincing fake customer service accounts with a handle similar to your real customer support account.Then they wait for customers to reach out to your real account with a help request.When your customer tries to contact your brand, the criminal hijacks the conversation by responding with a bogus customer support link sent from the fake support page.
August remains undetected while stealing data.Cybercriminals are using personalized malware campaigns against staff at retailers in order to steal credentials and sensitive documents.A group known as TA530, is distributing the information stealing malicious software through socially engineered emails which encourage victims to download an attachment containing the relatively new 'August' malware lines in the malware's code as well as the control panel for stolen credentials all refer to the month .Cybersecurity researchers at Proofpoint have been monitoring the August campaign and say the lures used in the subject lines of emails make reference to purchases the hackers claim to have made on the targeted company's website, asking the targeted victim to provide support for a false purchase.Subject lines are personalized using the target's company name, with false queries relating to topics including erroneous or duplicate charges, items vanishing from the online cart and help with orders, while the text of the email points the victim towards a document supposedly containing more information.The Word document requires the user to enable macros and using similar sandbox evasion techniques as the Ursnif banking Trojan, the enabled macro will deliver a payload to infect the machine.
Security researchers at Proofpoint have identified a new malvertising attack on internet routers which ensnares networks though legitimate websites.Security researchers at Proofpoint have identified a new malvertising attack on internet routers which ensnares victim networks though legitimate websites hosting unknowingly distributed malicious advertisements.Targeting Windows and Android devices, the DNSChanger Exploit Kit EK preys on vulnerabilities in victims home or small office SOHO routers and attacks via infected web browsers.Although initially limited to Android and Windows, once a router has been compromised all users who then connect to it will be vulnerable to further malvertising attacks, regardless of their browser or operating system.DNSChanger will use webRTC to request a STUN server via .com and determine the victim s local IP address.
p With only four days left until disrupt NY 2017, we are more excited than ever.Our Final Round Judges are Stuart Ellman (RRE Ventures), Annie Lamont (Oak HC/FT), Susan Lyne (BBG Ventures), Deven Parekh (Insight Venture Partners), Matthew Panzarino (TechCrunch) and Reshma Saujani (Girls Who Code.His previous investments include Business Insider, Kroll Bond Ratings, Proofpoint, WatchGuard, and MessageOne.In addition to his professional work, Stuart Ellman is Chairman of the Board of 92Y where he served as President from 2012 to 2015.During his tenure, Stuart was instrumental in launching a number of philanthropic and entrepreneurial initiatives including GivingTuesday, a global day of giving; 7 Days of Genius, a multi-platform, multi-venue festival of ideas; 92Y’s first MOOC, “How to Change the World,” offered in partnership with Wesleyan University; 92YOnDemand, a new content website with more than 103,000 followers; and an expanded partnership with NYCEDC to host the NYC Venture Fellows program, in which Stuart serves as a mentor to promising young entrepreneurs.Annie Lamont is a Managing Partner of Oak HC/FT where she focuses on growth equity and early-stage venture opportunities in healthcare information services and financial services technology.
Diplomats at risk from a new malware dropper disguised as a document associated with a G20 meeting inviteSecurity researchers Proofpoint have issued an alert over a new malware dropper that seems to be aimed at diplomats and bureaucrats associated with the G20.The researchers said that the Turla group, widely believed to be a Russian state-sponsored organisation, has refreshed the KopiLuwak JavaScript backdoor to target those associated with the G20.This group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and in June this year it started using social media site Instagram as a means of staying hidden once they had infected a target network.But now according to Proofpoint, Turla is using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak.A dropper is a programme designed to install a piece of malware.
Security researchers have discovered a new targeted email campaign that uses fake Game of Thrones Season 7 spoilers and video clips to lure curious fans and spread malicious malware.Security firm Proofpoint first came across an email on 10 August with a subject line that reads: "Wanna see the Game of Thrones in advance?"The email features some details of upcoming episodes along with a malware-laced Microsoft Word attachment titled "game of thrones preview.docx" that purportedly lists potential GoT spoilers.Once downloaded and run, the "preview" executes a malicious PowerShell script that installs a diskless "9002" remote access Trojan (RAT) that has previously been used by state-sponsored Chinese hacker group Deputy Dog."Once installed, the 9002 RAT provides attackers with extensive data exfiltration capabilities," the researchers said in a blog post published on Friday (25 August).Additionally, the Deputy Dog actor has been observed utilizing a similar 9002 RAT with an earlier iteration of the 4-byte XOR encoding algorithm in diskless mode."
As malicious groups continue to become more sophisticated in their hacking techniques, cybersecurity efforts are attempting to expand in their reach, and that is leading to some consolidation in the field.Today, cybersecurity firm Proofpoint — which provides SaaS products to protect businesses’ email, social media and other services — announced that it would pay $110 million to acquire Cloudmark, another firm that provides security protection for messaging services, focusing specifically on serving the ISP and mobile carrier markets.“We are excited to welcome Cloudmark’s ISP and mobile carrier customers to Proofpoint,” said Gary Steele, Chief Executive Officer of Proofpoint.“By combining the threat intelligence from Cloudmark with the Proofpoint Nexus platform, we can better protect all of our customers – both enterprises and ISPs – from today’s rapidly evolving threats.”As we have said before, these days big data is the name of the game, and this deal is as much an acquisition to expand products and customer reach as it is to expand data sources to be able to analyse and combat malicious attacks more effectively.Cloudmark’s Global Threat Network sources telemetry data from billions of emails and messages each day to help identify attacks, and as part of the deal, it will be rolled into Proofpoint’s primary product, the Nexus platform.
This research provides a clear warning that everyone must be thorough and diligent when it comes to clicking on links, always be skeptical.There has never been a time when more cybersecurity caution has been required when traversing the online world, with the volume of messages carrying malicious phishing payloads spiking by a massive 300 per cent.Emails and messages are not the only dangerous delivery methods employed by hackers when phishing for unsuspecting users, social media accounts are also being used as vehicles to instigate attacks.In the third quarter of 2017, a 70 per cent increase in phishing links in social media accounts was recorded by security specialist, Proofpoint, also responsible for noting the massive rise in message based attacks.These statistics were provided by Proofpoint as part of its Q4 Threat Report, in which it also revealed that the Trick banking Trojan accounted for 84 per cent of malicious banking spam.Patrick Wheeler, Director, Threat Intelligence, Threat Systems Products, Proofpoint, said: “Malicious email attachments skyrocketed, social engineering techniques sharpened and fraudulent customer support accounts proliferated – all trends we saw in the fourth quarter of 2017 across email, social media and cloud app environments.
Ransomware operators have begun warning their victims to not use the tor proxy sites for making ransom payments.Bitcoin's recent surge in value appears to have ramped up hackers' interest in the digital currency more than ever, with some even resorting to steal from each other.Security experts have observed a new campaign, which involves hackers using a Tor proxy site to steal Bitcoin payments from various ransomware operators.While ransomware operators often demand victims to pay using bitcoins that require them to visit a Tor site, most users often do not have a Tor browser installed.Security researchers at Proofpoint discovered that operators of the Tor proxy domain – "onion[.This appears to be the first scheme of this type affecting both ransomware victims and operators," Proofpoint researchers said in a blog.
Of course this does nothing for victims' encrypted filesCybercriminals are using Tor proxies to divert ransomware payments to their own Bitcoin wallets.Ransomware scammers have long directed victims to payment portals on the Tor network.For those who do not want to or cannot install the Tor browser necessary to pay their ransoms, operators generally direct victims to a Tor proxy such as or, which allows users to access the Tor network via standard web browsers.But, in what appears to be the first such attack of its kind, operators of a proxy are performing man-in-the-middle attacks to substitute their own Bitcoin payment addresses for those originally specified in selected ransomware strains, net security firm Proofpoint reports.Proofpoint learned of the tactic through a message on the LockeR ransomware payment portal urging victims not to use to pay their ransoms.
The BlackTDS malware distribution network automates attacks with ease-of-use inspired by cloud services for legitimate businessesSecurity researchers have uncovered an elaborate crimeware scheme that takes its cues from the latest trends in enterprise computing, offering its range of illegal measures over an automated, cloud-based platform.The BlackTDS traffic distribution system (TDS) allows users to distribute malware using various social engineering techniques, for instance disguising it as an update to Adobe Flash or Java or a fake Microsoft Font Pack.The system makes use of malicious web domains that look similar to well-known ones – a practice known as typosquatting – and uses infected ads and spam to help spread its clients’ wares, according to security firm Proofpoint.Potential BlackTDS customers are assured they will have access to fresh domains with clean reputations and can use the secure HTTPS protocol if need be.Criminals can use the tool to either directly distribute the malware of their choice or lead targets to an exploit kit that handles the infection process for them, Proofpoint found.