FluBot has built up a network of compromised Android phones in the UK since April and in the past 24 hours has commenced monetising them by sending overlays for British banks.
FluBot first appeared in 2020, targeting mainly Spanish banks, but recently it has spread its reach, with Australian, German and Polish banks all affected within the last few weeks. UK banks are now firmly in its sights, with HSBC and Santander the first to be affected, and Lloyds and Halifax following shortly after.
The coronavirus pandemic resulted in the closure of many bricks and mortar retail stores, forcing UK consumers to adopt online shopping more than ever before. This trend has largely continued in spite of many stores since reopening, as millions of consumers have become accustomed to the practical benefits of online shopping.
Along with this increased volume of online shopping came a new trend of phishing attacks where cybercriminals impersonate parcel delivery companies in an attempt to steal financial details from their victims. Royal Mail and Hermes were popular targets for these types of attack, but most new attacks now impersonate the Post Office.
These attacks are typically disseminated via text message, informing the victim that they have missed a delivery. Sometimes the messages say up front that the recipient must rebook the delivery by paying a small surcharge. The relatively small surcharge is often sufficient to trick victims into believing the phishing site is legitimate, or at least that any risk is minimal, allowing the phisher to obtain the victim’s details and potentially steal a much larger amount.
As most of the attacks are orchestrated via text message, the phishing sites are usually hosted with purpose-bought domain names that include the targeted company’s name in an attempt to be convincing. Some examples include:
Some messages instead use generic URL shorteners to take victims to the phishing sites, but this would not necessarily be viewed as suspicious by all recipients, as the use of URL shorteners is commonplace even in legitimate text messages.
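The lure characteristics described above (missed-delivery wording, a purpose-bought domain that embeds the impersonated brand's name, or a generic URL shortener) can be turned into a simple triage heuristic for inbound SMS reports. This is an added illustration, not Netcraft code; the legitimate-domain allow-list, the shortener list and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Brands the text says are impersonated in UK delivery lures. The legitimate
# domains are an assumed allow-list for this example, not a verified list.
BRANDS = {
    "royalmail": {"royalmail.com"},
    "hermes": {"myhermes.co.uk"},
    "postoffice": {"postoffice.co.uk"},
}
# Assumed list of public shorteners; a weak signal on its own, since
# legitimate SMS also use them.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
LURE_WORDS = re.compile(
    r"missed (your )?(parcel|delivery)|redeliver|re-?book|surcharge|unpaid.*fee", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def registrable(host):
    """Crude eTLD+1: last two labels, or three for .co.uk / .org.uk style hosts."""
    labels = host.lower().split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in ("co", "org", "gov", "ac") else 2
    return ".".join(labels[-n:])

def score_sms(text):
    """Return (score, reasons); higher score means more likely a delivery lure."""
    score, reasons = 0, []
    if LURE_WORDS.search(text):
        score += 1
        reasons.append("missed-delivery wording")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        reg = registrable(host)
        if reg in SHORTENERS:
            score += 1
            reasons.append(f"shortener {reg}")
        # Brand name embedded anywhere in the host (hyphens stripped) but the
        # registrable domain is not the brand's own: a look-alike such as
        # royal-mail-redelivery.example or royalmail.com.example.
        squashed = host.replace("-", "").replace("_", "")
        for brand, legit in BRANDS.items():
            if brand in squashed and reg not in legit:
                score += 3
                reasons.append(f"'{brand}' in look-alike host {host}")
    return score, reasons

# Constructed sample messages (not real campaign text); .example is reserved.
LEGIT = "Royal Mail: your parcel is out for delivery today. https://www.royalmail.com/track"
LURE = "We missed your parcel. Rebook delivery for a small surcharge: https://royal-mail-redelivery.example/track"
SHORT = "Missed delivery. Rebook here https://bit.ly/abc"
```

Run `score_sms` over each sample: the genuine notification scores 0, the shortener message 2, and the look-alike domain message 4, so a threshold of 3 separates the brand-embedding lures from ordinary traffic.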
Most of the phishing kits used in these attacks also attempt to evade detection by blocking unwanted clients such as bots and anti-phishing organisations, but Netcraft successfully circumvents these checks.
After impersonating the delivery company, some of these phishing attacks proceed to also impersonate one of several UK banks. This gives the criminal an opportunity to steal additional credentials that are specific to each bank, such as online banking security codes and other tokens that would likely be used to gain unauthorised access to the victim’s bank account.
Some attacks - particularly those that do not use the phishing site to directly impersonate the victim’s bank - are followed up by a phone call from the cybercriminal, who will use the information stolen by the phishing site to convince the victim that it is a genuine call from their bank regarding the payment they just made. This provides a more interactive opportunity for the criminal to obtain the information required to gain access to the victim’s bank account, including time-sensitive OTP codes.
Posted by Paul Mutton in Security
Netcraft’s research into the Android banking malware FluBot confirms that its operations are expanding rapidly, with a spike in the number of malware distribution pages deployed, and finance applications affected in greater numbers.
In recent days new overlays have been distributed that target a number of Polish and German banks, only days after news that FluBot has begun to target Australian banks.
FluBot is distributed in the first instance using text messages, containing links to so-called “lure” pages: web pages unintentionally hosted by compromised web servers, commonly impersonating parcel tracking services, or voicemail notifications. Lure pages attempt to induce visitors to download the malware.
The FluBot strain of Android banking malware, which was initially observed in Spain in late 2020 before spreading more widely across Europe over the following months, is now targeting Australian banks.
Once installed, FluBot periodically sends a list of apps installed on the device to one of its command-and-control servers. The server responds with a list of apps the malware should overlay. Upon one of these apps being launched, FluBot immediately displays an overlay on top of the legitimate app. The overlays impersonate the legitimate apps and are designed to collect the victim’s online banking credentials, which are sent to the criminals operating FluBot via the command-and-control server.
Netcraft monitors the list of apps targeted by FluBot, and today discovered that FluBot for the first time is serving overlays for Australian banking apps, including Bank Australia, Bank of Melbourne, BankSA, CommBank, Great Southern Bank Australia, HSBC Australia, National Australia Bank, St.George Bank, Suncorp, and UBank.
Over 100,000 Outlook Web Access servers have been rebooted since Microsoft released security updates for the ProxyLogon remote code execution vulnerability. The subsequent flurry of reboot activity is likely indicative of many Microsoft Exchange servers being restarted after having security updates applied.
Around half of all servers running Outlook Web Access (a service included with Microsoft Exchange Server) were rebooted in the five days after the emergency patch was released. Some of these have since been rebooted again, so will appear later in the above graph. Rebooted machines are likely to have been updated, but the absence of a reboot after 2 March does not necessarily indicate vulnerability. Anecdotally, most servers have requested a reboot after being updated, but some may only require services to be restarted – although administrators may have opted to reboot the servers anyway.
Microsoft’s original fixes can only be applied to servers that already have the latest cumulative updates of Exchange Server installed; however, amidst mass exploitation of the vulnerabilities, Microsoft also released a set of security updates that can be applied to older and unsupported Exchange servers that do not—or cannot—have the latest cumulative updates installed.
The alternative security update path is intended as a temporary measure to protect vulnerable machines. Crucially, installing a later cumulative update that does not include the March 2021 security fixes will make the server vulnerable again, and any machine that uses the alternative security update path must be rebooted even if not prompted. In these cases, the servers will certainly not be protected until after the reboot.
Some of the more recent reboots may have been prompted by Microsoft’s 9 March “Patch Tuesday” collection of software updates, which also includes fixes for the remote code execution vulnerabilities in Microsoft Exchange.
On 6 March, four days after the original security updates were released, Netcraft found more than 99,000 Outlook Web Access servers were still running versions flagged as definitely vulnerable by Kevin Beaumont. However, applying Microsoft’s updates even in a timely fashion could have been like shutting the barn door after the horse had bolted, as more than 10% of all visited Outlook Web Access installations were already compromised with attackers' web shells installed. These provide the criminal with continued administrative access to the compromised servers even after the security updates have been applied.
Posted by Paul Mutton in Security
Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.
More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey — which took place two weeks ago — were no longer responding at 06:00-07:15 UTC this morning.
Thankfully, everybody is safe, but OVH said the fire in its SBG2 datacenter was not controllable and no data is likely to be recoverable. Part of its SBG1 datacenter has also been destroyed. Firefighters were protecting SBG3 throughout the night, and although there was no direct fire impact on SBG4, it was also unavailable due to the whole site being isolated. Consequently, all services in SBG1-4 have been offline.
Websites that went offline during the fire included online banks, webmail services, news sites, online shops selling PPE to protect against coronavirus, and several countries' government websites.
Examples of the latter included websites used by the Polish Financial Ombudsman; the Ivorian DGE; the French Plate-forme des achats de l’Etat; the Welsh Government’s Export Hub; and the UK Government’s Vehicle Certification Agency website, which got a new SSL certificate by 10am and is now back online with a UK hosting company.
Unsurprisingly for a French hosting company, the most affected country code top-level domain (ccTLD) is .fr, which had 184,000 knocked-out websites spread across 59,600 distinct domain names – these account for 1.9% of all .fr domains in the world. In comparison, there were only 24,100 .uk websites hosted in the affected datacenters, across just 8,700 unique domains. Most of the affected websites use the generic .com top-level domain, amounting to 880,000 websites across 180,000 domains.