
The following happened this week:
- Researchers at Palo Alto uncovered a technically complicated but working scheme for getting malware onto iPhones and iPads without a jailbreak. The method is unlikely to become widespread, but it shows once again that Apple's protection is good only as long as it holds: once it is bypassed, the attacker faces almost no further obstacles.
- American Express had data stolen through a contractor. The company did not disclose details, but apparently card numbers are among what leaked. The piggy bank of stories about hacked contractors is already overflowing and will soon burst.
- Kaspersky Lab experts shared information about methods of stealing game accounts, primarily on Steam. Despite the apparent frivolity of this field, resale of stolen goodies earns big money.
Previous issues are available by tag. The bonus of today's issue is incredible stock photos of cyber war, with ears.
Malware for iOS: no jailbreak needed, it was in the App Store, and it attacks Chinese users. News. Palo Alto study.
What options does the owner of an iOS device have if they want to install an application bypassing the App Store? Not many: either jailbreak the device (a fairly involved operation that requires at least minimal technical skills) or install the application using an enterprise certificate. As the Palo Alto researchers found out, there is a third way: installing the application through iTunes. More precisely, the mechanism that, in theory, simply lets you buy and download an application from the store to a computer and then write it to the phone during synchronization. As it turned out, attackers learned to exploit this method to get malware onto non-jailbroken iPhones.
The technique turned out to be quite complicated. Not "complicated like Stuxnet", but in the sense that a large number of steps is needed to reach the goal. Back in 2014, Chinese iPhone users were offered a utility that performs various service tasks: jailbreaking, reinstalling legitimate firmware, "cleaning the registry" and the like. Initially the program's functionality was limited to this, but last year it began to push a real Trojan to users. This functionality was implemented as an iOS application which, mind you, the organizers of the attack managed to get into the App Store.
How? Very simply: the application pretended to be a catalog of beautiful pictures, but when launched it sent a request to a server. Depending on the user's location, different things were shown: if the user was in any country other than China, those very pictures were shown. If the user was in China, he was shown a third-party application store where pirated programs and games could be installed on the device. In "exchange", the user's personal data was stolen, for example the username and password for his iTunes account. This trick allowed Apple's review to be bypassed when the application was submitted: during review, the server could always issue the command to show the pictures.
Well, OK, a malicious application was found and deleted, all is well. Not really. As it turned out, the app can be installed without asking when synchronizing with a computer, exploiting the same program transfer mechanism. And it is not necessary for the program to be in the App Store; it only needs to have been there at least once. This explains a rather strange point: the application was published by the developer in the American App Store, although it seems to target a Chinese audience. That is, in China it was obtained through other channels.
So this is not only about the single fact of getting a Trojan into the App Store, but also about exploiting the "workaround" for application downloads, which is possible right now, despite the blocking of the applications. If you do not live in China, or even if you are in China but do not use dubious software, there is no problem. The question is that if (or when) a really serious hole appears in iOS, it is not certain that Apple will have the technical ability to stop malware that exploits it. iOS protection is good, but it is, in essence, a beautiful and sturdy fence. As you can see, the fence does not necessarily have to be broken; it can simply be walked around. And after that there is practically no protection left.
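The review-evasion trick described above (harmless content for everyone except users in one region) is easy to model and easy to miss when an app is reviewed from a single location. The following is an added example, not code from the original post or from Palo Alto: a constructed toy backend plus the reviewer-side check of fetching the same endpoint from several claimed locations and flagging divergent responses. All country codes, paths and response fields are assumptions.

```python
"""Toy model of location-based cloaking and a multi-vantage-point review check.
Constructed for illustration; the server logic and field names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    country: str          # geolocation the server believes the client is in
    path: str = "/catalog"


def cloaking_server(req: Request) -> dict:
    """Constructed model of the malicious backend: a picture gallery for
    everyone except clients geolocated to China, who get a third-party store
    that also asks for account credentials."""
    if req.country == "CN":
        return {"view": "third_party_store", "asks_credentials": True}
    return {"view": "picture_gallery", "asks_credentials": False}


def honest_server(req: Request) -> dict:
    """Constructed model of a backend that behaves the same everywhere."""
    return {"view": "picture_gallery", "asks_credentials": False}


def responses_by_country(server, countries) -> dict:
    """Fetch the same path while claiming several different locations
    (simulated here by calling the model directly)."""
    return {c: server(Request(country=c)) for c in countries}


def find_divergent_regions(server, countries, baseline="US") -> list:
    """Reviewer-side check: return the regions whose response differs from
    the region the review was run from. Divergence is not proof of malice,
    but it is exactly the pattern that single-location review never sees."""
    seen = responses_by_country(server, countries)
    base = seen[baseline]
    return sorted(c for c, r in seen.items() if r != base)


if __name__ == "__main__":
    vantage_points = ["US", "DE", "CN", "JP"]
    print(find_divergent_regions(cloaking_server, vantage_points))  # ['CN']
    print(find_divergent_regions(honest_server, vantage_points))    # []
```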
American Express had data stolen through a contractor. News.
Data has been stolen from a credit and debit card issuer! Horrible! Urgently switch to cash. American Express had a serious incident this week, but not of that kind. The news is more about how not to disclose information about leaks. AmEx distributed a letter to its customers notifying them of a data breach, but it is impossible to find it on the company's website. The letter itself discloses almost no details. An unnamed contractor was hacked three years ago; account numbers, card expiry dates, and names and surnames leaked in the process, which in general is enough for massive fraud.
It is difficult to assess the scale of the disaster, and AmEx's unwillingness to disclose details is unlikely to add peace of mind for customers. Most likely a retail outlet was hacked, that is, a repeat of the story with Target and other large companies that suffered data leaks. Hacking of contractors and partners is a new headache for large companies. In almost all cases, partners have wider access to the company's internal information, or at least enjoy greater trust, and cybercriminals exploit this.
Steam Stealer is distributed through an affiliate program, steals accounts and leads to real losses. News. Kaspersky Lab research.
Our researchers conducted a detailed security analysis of the popular Steam gaming platform and found some interesting novelties. According to official figures from Steam, an average of 77 thousand accounts are stolen every month. The attackers' goal is clear: access to the personal data in the account, including (possibly) credit card data, and the possibility of reselling both in-game "achievements" and the accounts themselves. By our estimates, one Steam account fetches up to 15 dollars on the black market. How this is done is shown by the example of the Steam Stealer Trojan.

It shows some new trends in the virus-writing industry. Traditionally, such Trojans are distributed on forums, on fake "download the game for free" sites, or bundled with legitimate gaming utilities: screenshot tools, voice chat (sorry, TeamSpeak) and so on. Among the new methods are distribution attempts in the form of browser extensions, fake gambling sites, and delivery via remote access Trojans (first the system is compromised in general, and then the tool to steal the account is downloaded). Theft of gaming accounts can really be considered the vanguard of user-attack technology. After all, here criminals deal not with housewives at all, but with fairly advanced users who are much harder to mislead. Yet it is still possible.
What else happened: Trend Micro's widely discussed research on hacking intimate toys.
Malvertising, or injecting malicious code into banner ads, is one of the easiest ways to "infect" a large site that cannot be broken into directly. As it turned out, the TeslaCrypt Trojan was at one point distributed on sites like AOL.com and other sites with millions of visitors.
An important patch for OpenSSH: a vulnerability was found in the X11 forwarding function.
By hacking the Central Bank of Bangladesh, attackers tried to steal a lot of money, but did not manage to take everything: a typo in a payment order got in the way.
Antiquities: "Victor-2442"
Very dangerous resident virus. Typically infects .COM and .EXE files. At 9, 11, 13 and 15 hours according to system time, it deletes randomly selected files. Contains the texts: "*.*", "COMEXE", "Victor V1.0 The Incredible High Performance Virus Enhanced versions available soon. This program was imported from USSR. Thanks to Ivan." Intercepts int 21.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 93.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.