TIME Security

New Malware Infecting Telecom, Energy, Airline Industries

Laptop, speed typing, screen glowing in the dark
Dimitri Otis—Getty Images

A new piece of malware called Regin is spying on people across industries. Why? Researchers aren’t exactly sure

The cyber security firm Symantec on Sunday revealed that a malicious new piece of software is collecting information on individuals, companies, and government entities without their knowledge.

The malware, called Regin, is considered to be a mass surveillance and data collection tool (sometimes referred to as “spyware”). Its purpose and origin are still unclear, Symantec said, but researchers believe that the program is the work of a nation-state.

“We believe Regin is used primarily for espionage,” said Liam O’Murchu, a security researcher at Symantec. “We see both companies and individuals targeted. The ultimate goal is to listen in on phone calls or something like that. [Regin's operators] target individuals and spread the attack to find whatever it is they’re looking for. All of these things together make us think that a government wrote it.”

Symantec said Regin (pronounced “re-gen,” as in “regenerate”) monitors its targets with a rarely seen level of sophistication. Internet service providers and telecommunications companies make up the bulk of those that are initially infected, researchers said. Regin then targets individuals of interest—in the hospitality, energy, research, and airline industries, among others—that are served by those ISPs. Regin’s operators continue to use infected companies as a springboard to gain access to more individuals. Once they gain access, they can remotely control a person’s keyboard, monitor Internet activity, and recover deleted files.

More than half of observed infections have been in Russia and Saudi Arabia, Symantec said. The rest are scattered across Europe, Central America, Africa, and Asia. The initial infection can come from a wide variety of sources, such as spoofed copies of popular websites, web browser exploits, and USB drives that have been plugged into contaminated systems.

Regin has five attack stages. It begins with an initial “drop”: a small installer, delivered by the means above, that plants a backdoor on the machine while avoiding detection. The first stage deploys what is called a loader, which decrypts, prepares and executes the next stage; the second stage does the same for the third, which further complicates detection. The third and fourth stages, called kernels, build a framework for the fifth and final stage, called the payload. That is when it can take control of a computer or leap to a new victim.

Each stage prepares and executes the next, rather than deploying from a common framework. It’s similar in concept to Russian nesting dolls. Regin’s distributed structure makes it difficult for cyber security researchers to identify it without capturing information about all five stages.

The malware is made up of a system of customizable modules so that it may collect the information it needs across a number of different victims. For example, one Regin attack might capture a password from a hotel clerk’s computer while another attack may obtain remote control of another computer’s keyboard for purposes unknown. Each module is customized for one task or system, making detection and prevention of a comprehensive Regin attack difficult.

“One of the problems we have with analyzing is we don’t have all the components,” O’Murchu said. “You only get the modules set on that [particular] victim. But we know there are far more modules than what we have here. We don’t have enough information to understand. On top of that, it’s coded in a very advanced way to leave a small footprint. Anything they leave behind is encrypted. Each part is dependent on having all the parts.”

This kind of operational complexity is typically reserved for a state or a state-sponsored actor, Symantec said. Only a handful of malware programs to date have demonstrated such sophistication. In 2012, the Flamer malware used the same modular system to hit targets in the West Bank, Hungary, Iran, and Lebanon, among other countries. Regin’s multi-stage attack pattern operates similarly to the Duqu malware and its close relative Stuxnet, the malware responsible for the disruption of Iranian nuclear facilities that came to light in 2010. O’Murchu said Regin is part of a disquieting trend of government-written and government-enacted malware.

“We often say that Stuxnet opened Pandora’s box,” O’Murchu says. “Whether that is because we know what to look for now or because there has been a genuine increase since Stuxnet is up for debate, but what we can say is that yes, we now know about a lot more scary government malware than before. It is far more pervasive, it is embedded in more organizations than we have ever seen, it is more organized than ever, and it is more capable than ever. I would say there has been an explosion in government related malware, and it doesn’t seem to be going away anytime soon.”

What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.

“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. Lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.”

TIME Security

These Are the Top 10 Telemarketer Area Codes

Young man in call center Richard Drury—Getty Images

You're most likely to get spam calls from these area codes

Do you get a little pang of anxiety whenever your phone gets called from an unfamiliar, unlisted phone number? Personally, I always do. These calls could be from an important business contact, so I try to answer them when I can. But more often than not, they’re just nuisance spam calls.

Thankfully, there are ways to spot a spam call before you pick up the phone. Recently, the folks at Whitepages analyzed the 2.5 billion calls and texts routed through its Caller ID app to look for patterns that might identify telemarketers. They found that some area codes are home to far more spam callers than others, and came up with a listing of the top 10 spam area codes in the United States.

Aside from the heavily used toll-free area codes (800, 866, 877, 888, 855), the top spam area code is Detroit’s 313. Houston’s 713, Fort Lauderdale’s 954 and Atlanta’s 404 are also popular homes to telemarketer phone banks. The full list is as follows:

1. 313 – Detroit
2. 713 – Houston
3. 954 – Fort Lauderdale
4. 404 – Atlanta
5. 484 – Eastern and Southeastern Pennsylvania
6. 407 – Orlando
7. 214 – Dallas
8. 202 – Washington, D.C.
9. 972 – Dallas
10. 205 – Birmingham

These cities aren’t necessarily home to more spammers and scammers than others; their number banks are. These days, it’s easy for people to register and use phone numbers in virtually any area code regardless of location, so long as numbers are left available. A shrinking city like Detroit has a large number of unused phone numbers in its 313 bank, so there are plenty of lines for spammers to access. An established area code like New York City’s prestigious 212, meanwhile, has no phone numbers left to be registered and is thus an unlikely source for telemarketing calls.

There are a wide number of technological solutions for stopping telemarketers beyond avoiding calls from a certain area code. Registering your phone numbers with the National Do Not Call Registry at donotcall.gov is the best place to start. Smartphone owners can also download the Truecaller app, which automatically flags calls from known spammers. You should check out our How to Block Telemarketers guide for more tips, apps and carrier options. And, of course, the best offense is always a good defense, so be aware of the top 7 ways telemarketers get your cell phone number.

This article was written by Fox Van Allen and originally appeared on Techlicious.

TIME Security

What To Do When Your Email Gets Hacked

Person typing on a laptop. Benjamin Howell—Getty Images

First things first: Change your password

Last week, I got an email from a friend urging me to check out an amazing page. Between the grammatical errors and a link obviously pointing to a server somewhere in Russia, it was obvious that my friend’s email account had been hacked.

When I checked in with her another way, she already knew about the problem—the hacker’s message had gone out to her entire address book—and she was quite concerned. So I walked her through the steps for getting everything back in order.

Step #1: Change your password.

The very first thing you should do is keep the hacker from getting back into your email account. Change your password to a strong password that is not related to your prior password; if your last password was billyjoe1, don’t pick billyjoe2—and if your name is actually BillyJoe, you shouldn’t have been using your name as your password in the first place.

Try using a meaningful sentence as the basis of your new password. For example, “I go to the gym in the morning” turns into “Ig2tGYMitm” using the first letter of each word in the sentence, mixing uppercase and lowercase letters and replacing the word “to” with “2.”

Step #2: Reclaim your account.

If you’re lucky, the hacker only logged into your account to send a mass email to all of your contacts.

If you’re not so lucky, the hacker changed your password too, locking you out of your account. If that’s the case, you’ll need to reclaim your account, usually a matter of using the “forgot your password” link and answering your security questions or using your backup email address.

Check out the specific recommendations for reclaiming possession of your account for Gmail, Outlook.com and Hotmail, Yahoo! and AOL.

Step #3: Enable two-factor authentication.

Set your email account to require a second form of authentication in addition to your password whenever you log into your email account from a new device. When you log in, you’ll also need to enter a one-time code that the site texts to your phone or that an authenticator app on your phone generates.

Check out two-step authentication setup instructions for Gmail, Microsoft’s Outlook.com and Hotmail and Yahoo!. AOL doesn’t support two-factor authentication yet.

Step #4: Check your email settings.

Sometimes hackers might change your settings to forward a copy of every email you receive to themselves, so they can watch for any emails containing login information for other sites. Check your mail forwarding settings to ensure no unexpected email addresses have been added.

Next, check your email signature to see if the hacker added a spammy signature that will continue to peddle their dubious wares even after they’ve been locked out.

Last, check to make sure the hackers haven’t turned on an auto-responder, turning your out-of-office notification into a spam machine.

Step #5: Scan your computer for malware.

Run a full scan with your anti-malware program. You do have an anti-malware program on your computer, right? If not, download the free version of Malwarebytes and run a full scan with it. I recommend running Malwarebytes even if you already have another anti-malware program; if the problem is malware, your original program obviously didn’t stop it, and Malwarebytes has resolved problems for me that even Symantec’s Norton Internet Security wasn’t able to resolve. Scan other computers you log in from, such as your work computer, as well.

If any of your scans detect malware, fix it and then go back and change your email password again. (When you changed it in step #1, the malware was still on your computer.)

Step #6: Find out what else has been compromised.

My mother-in-law once followed the ill-advised practice of storing usernames and passwords for her various accounts in an email folder called “Sign-ups.” Once the hacker was into her email, he easily discovered numerous other logins.

Most of us have emails buried somewhere that contain this type of information. Search for the word “password” in your mailbox to figure out what other accounts might have been compromised. Change these passwords immediately; if they include critical accounts such as bank or credit card accounts, check your statements to make sure there are no suspicious transactions.

It’s also a good idea to change any other accounts that use the same username and password as your compromised email. Spammers are savvy enough to know that most people reuse passwords for multiple accounts, so they may try your login info in other email applications and on PayPal and other common sites.
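The mailbox search in Step #6 can also be done offline against an exported mailbox, which is handy when the account is large or when you want a list of services whose passwords need rotating rather than a pile of search results. The script below is an added example, not part of the original article: it walks an mbox export, flags messages whose subject or body mention passwords or logins, and groups the hits by sender domain. The mailbox contents and the domains in it are constructed for the demo.

```python
"""Scan an mbox export for messages that look like they carry account
credentials, and list the sender domains whose accounts should be rotated.

Added example (not from the original article). The sample mailbox below and
its domains (examplebank.test, shop-example.test) are constructed for the demo.
"""
import mailbox
import re
import tempfile
from collections import defaultdict

# Phrases that typically show up in sign-up, welcome and reset e-mails.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpassword\b", re.I),
    re.compile(r"\bpasscode\b", re.I),
    re.compile(r"\byour (?:user ?name|login) is\b", re.I),
    re.compile(r"\b(?:reset|recover) your password\b", re.I),
]

# Constructed three-message mailbox: two credential-bearing, one benign.
SAMPLE_MBOX = """From MAILER-DAEMON Mon Nov 10 09:00:00 2014
From: noreply@examplebank.test
To: me@example.test
Subject: Welcome to Example Bank online banking

Your username is jdoe and your temporary password is Autumn2014.
Please change it on first login.

From MAILER-DAEMON Tue Nov 11 10:00:00 2014
From: friend@example.test
To: me@example.test
Subject: lunch?

Want to grab lunch tomorrow?

From MAILER-DAEMON Wed Nov 12 11:00:00 2014
From: support@shop-example.test
To: me@example.test
Subject: Reset your password

Click the link below to reset your password.

"""


def _text_body(msg):
    """Return the text/plain content of a message, decoded, multipart or not."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "utf-8", "replace")


def find_credential_messages(path):
    """Return [(sender_domain, subject), ...] for messages matching any pattern."""
    hits = []
    for msg in mailbox.mbox(path):
        subject = msg.get("Subject", "")
        haystack = subject + "\n" + _text_body(msg)
        if any(p.search(haystack) for p in CREDENTIAL_PATTERNS):
            sender = msg.get("From", "")
            # Domain of the sender is a good proxy for "which service sent this".
            domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
            hits.append((domain, subject))
    return hits


def accounts_to_rotate(path):
    """Group hits by sender domain: one entry per service whose login should change."""
    by_domain = defaultdict(list)
    for domain, subject in find_credential_messages(path):
        by_domain[domain].append(subject)
    return dict(by_domain)


def write_sample_mbox():
    """Write the constructed mailbox to a temp file and return its path."""
    f = tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False)
    f.write(SAMPLE_MBOX)
    f.close()
    return f.name


if __name__ == "__main__":
    mbox_path = write_sample_mbox()
    for domain, subjects in sorted(accounts_to_rotate(mbox_path).items()):
        print(f"{domain}: {len(subjects)} message(s) -> change your password there")
```

Point the script at a real export (Gmail’s Takeout and most desktop clients produce mbox) and treat every domain it lists as an account to rotate; the patterns are deliberately broad, so expect some noise from newsletters that mention passwords in passing.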

Step #7: Humbly beg for forgiveness from your friends.

Let the folks in your contacts list know that your email was hacked and that they should not open any suspicious emails or click on any links in emails they recently received from you. Most people will probably have already figured out that you were not really the one recommending they buy Viagra from an online pharmacy in India—but you know, everyone has one or two friends who are a little slower to pick up on these things.

Step #8: Prevent it from happening again.

While large-scale breaches are one way your login information could be stolen—this summer, Russian criminals stole 1.2 billion usernames and passwords—they’re certainly not the only way. Many cases are due to careless creation or protection of login information.

Last year, Google released a study that reveals most people choose passwords based on readily available information, making their accounts hackable with a few educated guesses. Easy passwords make for easy hacking, and spammers use programs that can cycle through thousands of logins every second to identify weak accounts.

Picking a strong password is your best protection from this type of hacking. It also is prudent to use a different password for each site or account, or, at the very least, use a unique password for your email account, your bank account and any other sensitive accounts. If you’re concerned about keeping track of your passwords, find a password management program to do the work for you.

In my friend’s case, her passwords were pretty good and there was no malware on her computer. But she was careless about where she was logging in. On a recent trip overseas, she used the computer in her hotel lobby to check her email. That was a bad idea.

Computers in hotel lobbies, libraries and other public places are perfect locations for hackers to install key-logging programs. The computers are often poorly secured and get used by dozens of people every day who don’t think twice about logging into their email or bank accounts or entering credit card information to make a purchase. The best practice is to assume that any public computer is compromised and proceed accordingly.

This article was written by Suzanne Kantra and originally appeared on Techlicious.

TIME Security

London Police and NYC Prosecutors to Swap Staff in Cybercrime Fight

Cybercrime costs the United Kingdom some $40 billion a year, and the United States more than double that

Leading prosecutors in New York and the City of London Police plan to embed staff in each other’s offices, officials said Wednesday, increasing transatlantic collaboration in an effort to combat cybercrime.

The New York County District Attorney’s Office and the City of London Police will exchange one staff member each this spring, with the expectation that the program will expand in the future.

The New York County District Attorney Cyrus Vance Jr. made the announcement at a Wednesday cybersecurity symposium at the New York Federal Reserve, where Adrian Leppard, City of London’s police commissioner, gave a keynote address.

The goal, officials said, is to expand joint cyber investigations in two of the largest financial centers in the world, where firms are ripe targets for cyber criminals. “The same people that are hitting us in New York are very likely hitting Adrian in London,” Vance said. “A collaboration between our two agencies would make really good sense from an investigative standpoint and also make sense from a security standpoint.”

Leppard said that cybercrime costs the United Kingdom some $40 billion a year, and the United States more than double that.

The two offices worked closely together this summer to break up an international ring of hackers that attacked over 1,600 StubHub users’ accounts and purchased more than $1 million in tickets.

MORE: Here’s How Hackers Stole Over $1 Million From 1,600 StubHub Users

“Our international partnerships, in particular our ongoing collaboration with Commissioner Leppard and the City of London Police, reflect a changing landscape and the understanding that cybercriminal attacks will not be limited by state or national borders,” Vance said.

TIME Congress

Acting Secret Service Director ‘Confident’ He Can Restore Faith in Agency

Acting Secret Service Director Joseph Clancy testifies on Capitol Hill Susan Walsh—AP

Joseph Clancy addressed the House Judiciary Committee on Wednesday, noting the failures that have led to public mistrust in the agency

Acting Director of the Secret Service Joseph Clancy told lawmakers on Wednesday he’s “confident” he can restore the American public’s faith in the agency, in the wake of high-profile security breaches that put the President and First Family in danger.

“We are confident we can fulfill our mission with honor, and restore the secret service’s rightful place as the most respected protection service in the world,” Clancy said Wednesday in front of the House Judiciary Committee.

It has been a little over a month since Clancy took the reins at the Secret Service, after previous director Julia Pierson stepped down when the public found out that an Army veteran named Omar Gonzalez had been able to reach the East Room of the White House after jumping a fence and running inside.

Clancy acknowledged the failures of the agency in recent months, saying he is working to adjust training and morale within an agency he notes is stretched thin. He also addressed the Sept. 19 fence jumping, calling it “devastating.”

“What hits me hardest is the range of shortcomings that ultimately allowed Omar Gonzalez to enter the White House practically unencumbered,” he said.

The Washington Post reports Rep. Jason Chaffetz, who will serve as the next chairman of the House Oversight Committee, grilled Clancy on whether or not anyone had been punished for misleading the public in early reports about when the fence jumper was detained.

“We’ve cited at least two, I believe three, incidents when the public was misinformed,” Chaffetz reportedly said. “The Secret Service misled us on purpose.”

TIME Security

WhatsApp Is Making Your Messages Way More Secure

New feature makes it harder for law enforcement to access contents

The latest update to the WhatsApp messaging service, announced Tuesday, includes end-to-end encryption by default, which means the content of a message is encrypted on the sender’s device and only decrypted and readable when it reaches its recipient. Because the keys live only on users’ devices, texts encrypted with the TextSecure protocol will now be nearly impossible for law enforcement officials, or for WhatsApp itself, to read.

The new feature was built on open-source code from the development community at Open Whisper Systems. For now the feature is only available on Android devices, but in a blog post Open Whisper Systems says it plans to expand to other mobile platforms. The encryption only applies to basic texts right now; group messages and photo messages don’t get the extra security boost.

The new encryption protocol backs up WhatsApp’s longstanding mantra of valuing people’s security over access to users’ data. CEO Jan Koum famously wrote a missive against using data mining to serve ads on social networks years before selling the company to Facebook for about $22 billion.

TIME Security

G20 Conference Gives Hackers High-Profile Targets

Germany's Chancellor Angela Merkel (C) is welcomed upon her arrival at the airport in Brisbane to take part in the G20 summit on November 14, 2014. Peter Parks—AFP/Getty Images

Cybersecurity experts warn the global conference of world leaders is a prime target for hackers

At 3:10 a.m. on October 27, 2011, a less-than-diplomatic email landed in the inboxes of attendees at the G20 Summit, an annual gathering of heads of government and other representatives from the world’s top economic powers. “Ladies and Gentlemen,” the email began, “First Lady Nude Photos.” It was followed by a link that promised to open a stash of nude photos of France’s then-first lady, Carla Bruni. The link was also spring-loaded with malicious code that could infiltrate the device of a G20 delegate, opening a pathway to a wider network of devices. The sender needed only one hot-blooded delegate to potentially infect an entire delegation.

It’s not hard to imagine the hacker or hackers’ motive. The G20 Summit draws leaders from 20 nations that comprise 86% of the world’s wealth. They bring in their wake some 4,000 delegates from various ministries, businesses and NGOs, all of whom will converge on Brisbane, Australia, on Saturday for a weekend of handshakes and hobnobbing. They will also carry in their smartphones and laptops reams of sensitive communications, including agendas, talking points and trade secrets — a cornucopia of state interests that could offer rival nations an edge in future negotiations or standoffs.

It might sound a bit amateurish to send global bigwigs the same crudely-written emails that might turn up in the average joe’s spam folder, but security experts say hackers try every trick in the book to infiltrate the summit.

“Some groups that look spammy are the exact same groups that can send out extremely well-crafted emails,” says Nart Villeneuve, a senior researcher at the California-based security firm FireEye. The crude emails are often just the opening shot in a campaign that can extend to tainted memory sticks and emails that are indistinguishable from official G20 correspondence. FireEye researchers made headlines after last year’s G20 Summit in St. Petersburg, Russia when they exposed a concerted attack against five European foreign ministries. In that case, an email attachment labeled “US_military_options_in_Syria” installed malicious code as soon as the recipient opened the official-looking file.

Villeneuve had a front row seat to the St. Petersburg breach. His team traced the malware back to a command-and-control server in China, where they observed a ring of hackers known as “Ke3chang” in action. For a brief, two week window, Villeneuve’s team saw the hackers issue commands to search for files and open backdoors to other computers of interest.

“The attackers don’t have to compromise a high level diplomat first,” Villeneuve said. “It can begin with anyone on that network.”

The St. Petersburg hack wasn’t the first time such a global gathering had been targeted: During the 2012 Olympics, for example, tainted schedules circulated among the attendees. And in the run-up to the 2011 G20 Summit, malware-ridden files infected roughly 150 computers in the French Ministry of Finance. “It’s probably the first time it’s been as spectacular as this,” said France’s Budget Minister François Baroin at the time.

But the high-profile hacks could very well get more spectacular until all attendees at sensitive events like the G20 collectively shore up their online security. Each delegation crafts its own security plan, but in an ideal world, says FireEye Threat Intelligence Manager Jen Weedon, attendees would use disposable phones and laptops that can be wiped clean of all content before and after the conference. Still, many attendees come from countries that may not have the interest or resources to take such measures, which many may view as extreme or unwarranted. “You can’t expect them to become security experts overnight,” Weedon says. But G20 delegations ignore the security risks at their own peril: already, Weedon says, Tibetan activists at this year’s conference have been targeted by a malware-infected document related to protest information.

Ultimately, the problem of hackers running amok at global gatherings runs deeper than technology alone. All hacking scams exploit human vulnerabilities — lust, credulity, curiosity — that can’t always be solved with a smarter spam filter. “It takes a human to click on something,” observes Weedon, a warning that this weekend’s assemblage of power players may or may not heed when the promise of official correspondence or other tempting links land in their inboxes. They’re only flesh and blood, after all.

TIME Security

Apple Isn’t Aware of Any iOS ‘Masque Attack’ Incidents Yet

The Facebook and WhatsApp app icons are displayed on an iPhone on February 19, 2014 in San Francisco City. Justin Sullivan—Getty Images

Spokesperson downplays the threat posed by malware that can mimic an app

Apple has no knowledge yet of an iOS user suffering from a “Masque Attack,” a company spokesperson said Thursday, responding to recent reports that a malware infected app could open a pathway to user accounts.

Cyber security experts at the firm FireEye disclosed the method of attack on Monday, in which a hacker can email or text message a link to a popular app, such as a “New Flappy Bird” game. The link installs malicious software from outside the App Store that replaces an existing app with an identical-looking facade, opening a pathway to the login credentials and sensitive data the genuine app held.

“We’re not aware of any customers that have actually been affected by this attack,” Apple said in a statement to the San Jose Mercury News, adding that customers should never download apps from unknown sources outside of the App Store.

The U.S. Computer Emergency Readiness Team, which operates under the Department of Homeland Security, issued a warning Thursday about the attack.

[San Jose Mercury News]

TIME Security

Report: Feds Using Airplanes to Target Criminal Suspects’ Cell-Phone Data

Cessna taxiing
Wellsie82—Moment Open/Getty Images

Devices on planes said to simulate cell towers and trick phones into reporting data

The Justice Department is using equipment on board aircraft that simulates cell towers to collect data from criminal suspects’ cell phones, according to a report Thursday.

The Wall Street Journal, citing unnamed sources familiar with the operations, reports that a program operating under the U.S. Marshals Service is said to use small aircraft flying from five different airports around the country. Devices aboard those planes called “dirtboxes” essentially trick the suspects’ cellphones into thinking they’re connecting to legitimate cell towers from big wireless carriers like Verizon or AT&T, allowing the feds to scoop up personal data and location information about those targeted.

However, the report details those devices could be gathering data from “tens of thousands” of Americans in a single flight, meaning nonsuspects are likely to be included in the data roundup. The new report could shed some light on earlier reports of mysterious “phony” cell towers that security researchers have found around the country.

Read more at the Wall Street Journal

TIME Security

Chinese Hackers Breached National Weather Websites

The breach wasn't acknowledged until after several probes

Officials announced Wednesday that Chinese hackers had gained access to Federal weather data as early as September.

The hack occurred in late September, but was not acknowledged by the National Oceanic and Atmospheric Administration until Oct. 20, the Washington Post reports. As a result of the hack, some national weather websites were unavailable for as many as two days, including the National Ice Center website, and those sites being offline affected some long-term forecasts.

NOAA also lagged in its response to the breach. The Post reports the administration “did not say its systems were compromised” when the problem was first acknowledged on Oct. 20. When NOAA admitted Wednesday that there had been a cyber security breach, it did not say who was responsible either. That information came from Rep. Frank Wolf (R-Va.), who disclosed that the attack had come from China. Wolf blasted the agency, saying, “They had an obligation to tell the truth. They covered it up.”

Read more at the Washington Post.