Trove of RubyGems malware highlights software supply chain issues

Ruby developers beware: a would-be cryptocurrency thief is out to get at your digital wallet, and they’re using typosquatting code to do it.

Typosquatters use misspellings of popular names to misdirect victims into using the wrong thing. It’s been a problem for websites for years, but it’s becoming an increasing issue for software developers too. Rather than reinventing the wheel by writing their own code to handle common tasks, developers write it once as a software package and upload it to repositories. These repositories contain thousands of packages for developers to download. The upside is that it accelerates software development. The downside? Developers often don’t know exactly what those packages are doing.

Security researchers at threat detection company Reversing Labs found typosquatters had uploaded a malicious package in RubyGems, which is a repository serving the Ruby programming language.

You can install a RubyGems package – known as a Gem – by typing gem install followed by the package’s name on the command line. Attackers take advantage of this by copying a legitimate package, inserting some malicious code, and then uploading it again with a similar name to target fat-fingered programmers. In this case, the author had engineered the package to steal victims’ cryptocurrency.

Reversing Labs is no stranger to malicious packages, although they’ve tended to be in the Python package repository PyPI and the NPM Node.js repository. It found a typosquatting package after analysing the entire PyPI repository in July 2019. It also found a password stealer in the NPM repository last year after a similar scan.

This time it honed its approach: it first identified the most popular Ruby gems, then monitored the RubyGems repository for newly uploaded gems whose names were misspellings of those legitimate packages. It flagged those for further analysis and dug into their code. It found over 700 packages containing a file with executable code using the same name: aaa.png. This was suspicious, because a .png extension indicates an image file, not an executable one.

The most downloaded Gem in this group was atlas-client, which had been downloaded about a third as much as the legitimate atlas_client Gem.

The booby-trapped Gem includes a script that activates if it’s running on Windows. If so, the script renames the file aaa.png to a.exe and runs it.
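The two signals described above, a gem name that imitates a popular gem and a file whose extension says "image" but whose bytes say otherwise, can be turned into a simple triage script. The following Ruby is an added example written for this article, not Reversing Labs’ tooling; the popular-gem list and the sample gem contents are constructed stand-ins. It goes slightly beyond the text by catching any one-character misspelling of a popular name, not only the underscore/hyphen swap seen in atlas-client.

```ruby
# Added example (not Reversing Labs' tooling): two heuristics for triaging new gems.
#  1. Does the gem's name imitate a popular gem (separator swap or a one-edit typo)?
#  2. Does a file claiming to be a PNG actually start with the PNG signature?

# Constructed stand-in for the list of most-downloaded gems.
POPULAR_GEMS = %w[atlas_client rails nokogiri rake bundler].freeze

# Classic Levenshtein edit distance (insert, delete, substitute).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Typosquats commonly swap '_' for '-', so compare with separators normalised.
def normalise(name)
  name.downcase.tr('-', '_')
end

# Return the popular gem a candidate name imitates, or nil if it looks honest.
def typosquat_target(candidate, popular = POPULAR_GEMS, max_distance: 1)
  return nil if popular.include?(candidate)
  norm = normalise(candidate)
  popular.find { |p| edit_distance(norm, normalise(p)) <= max_distance }
end

# Every PNG starts with this 8-byte signature; a Windows executable starts with "MZ".
PNG_MAGIC = "\x89PNG\r\n\x1a\n".b

# True when a file named *.png does not carry the PNG signature.
def file_type_mismatch?(filename, bytes)
  return false unless File.extname(filename).downcase == '.png'
  !bytes.b.start_with?(PNG_MAGIC)
end

# Constructed sample of gem contents: gem name => { path => leading bytes }.
SAMPLE_GEMS = {
  'atlas-client' => { 'lib/atlas-client.rb' => "# ruby\n".b, 'aaa.png' => "MZ\x90\x00".b },
  'rails'        => { 'lib/rails.rb' => "# ruby\n".b, 'logo.png' => PNG_MAGIC + "\x00".b },
}.freeze

# Report every gem that trips either heuristic.
def suspicious_gems(gems = SAMPLE_GEMS)
  gems.each_with_object([]) do |(name, files), out|
    target = typosquat_target(name)
    bad_files = files.select { |path, bytes| file_type_mismatch?(path, bytes) }.keys
    next if target.nil? && bad_files.empty?
    out << { gem: name, imitates: target, mismatched_files: bad_files }
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_gems.each { |r| puts r.inspect }
end
```

Run against the constructed sample, only atlas-client is reported: its name normalises to the legitimate atlas_client and its aaa.png begins with the "MZ" bytes of a Windows executable rather than the PNG signature. Checking the first bytes rather than the extension is what makes the second heuristic useful; a renamed executable keeps its header no matter what it is called.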

The a.exe malware file monitors the Windows clipboard for text that looks like a cryptocurrency address, something that is very likely to appear in the clipboard via Ctrl-C just before the user performs an online cryptocurrency transaction.

The sniffed-out cryptocoin address is then replaced in the clipboard itself with one belonging to the attackers, so that if a user subsequently pastes the address into the “send the money here” field on a cryptocurrency transaction page, then the crooks will receive the payment instead.

The malware also adds an entry to the Windows registry to make sure it gets reloaded when Windows starts up, for what’s known as persistence, meaning that the malware survives a logout or a reboot.

Although we’ve seen cryptocurrency crimes carried out via the clipboard before, this attack is pretty niche, according to Reversing Labs. It only works against Ruby developers using Windows machines making bitcoin transactions. Perhaps that’s why the address used in the attack had no transactions at the time of writing.

The attacker is persistent, though. Judging by the use of just two user accounts in RubyGems and the common filename, they were probably responsible for most of the malicious gems, said Reversing Labs. It also noted that the file names had turned up in other attacks on RubyGems in the past.

The RubyGems security team has removed all the affected packages from its repository, but Ruby developers should check the list of malicious packages to ensure that they’re not running dodgy code.
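One way to act on that advice is to compare every gem pinned in a project’s Gemfile.lock against the list of removed packages. The script below is an added example, not code from the article or from the RubyGems team; its blocklist is a constructed stand-in for the published list, and the lockfile it parses by default is a constructed sample in which the typosquat sits beside the legitimate gem.

```ruby
# Added example: audit a Gemfile.lock against a list of known-malicious gem names.
# MALICIOUS_GEMS is a constructed stand-in; substitute the published list.
MALICIOUS_GEMS = %w[atlas-client].freeze

# Constructed sample lockfile: the typosquat sits beside the legitimate gem.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      atlas-client (0.1.0)
      atlas_client (0.2.1)
      rake (13.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    atlas-client
    rake
LOCK

# Return { gem name => locked version } for every gem in the specs: section.
# Resolved gems are indented four spaces; their own dependencies (six spaces) are skipped.
def locked_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty?   # a blank line ends the specs block
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Return only the locked gems that appear on the blocklist.
def flagged_gems(lockfile_text, blocklist = MALICIOUS_GEMS)
  locked_gems(lockfile_text).select { |name, _version| blocklist.include?(name) }
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  flagged_gems(text).each { |name, version| puts "FLAGGED: #{name} #{version}" }
end
```

Pass a real Gemfile.lock as the first argument to audit a project. Matching on the resolved specs rather than the DEPENDENCIES section matters: a malicious gem pulled in transitively by an honest dependency never appears in your Gemfile, but it is still installed and still runs.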

These supply chain attacks have been a perennial problem for other repositories too. Another researcher also discovered a cryptocurrency-stealing package that used typosquatting in the Python PyPI repository in October 2018, and ten packages cropped up in 2017. Attackers have also targeted NPM repeatedly over the years, most recently in January.


Latest Naked Security podcast

Password-free database of exercise app Kinomap leaks 42m user records

Sick of staring at your quarantine-inflicted four walls? Wouldn’t you rather work out on your rowing machine with a professional, live rower as he zips along Boston’s Charles River?

You can, with an immersive, paid subscription service called Kinomap that will plop you into any of its 134,589 miles of cycling, running or rowing courses with videos taken of real-life athletes working out in areas around the world. It hooks up to your smart exercise machine so it can automatically adjust resistance and will show you glorious shots of the outdoors as you work out by yourself, with teams or with friends.

It sounds great, doesn’t it? Unfortunately, this isn’t an advertisement, which of course means that Kinomap has fallen flat on its workout-app face with a huge leak of users’ personally identifiable information (PII).

Security researchers at vpnMentor found Kinomap’s dribbly database during the firm’s ongoing web-mapping project. Its research team, led by Noam Rotem and Ran Locar, uses port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities, then examines each weakness for data leaks.

The project has uncovered all sorts of leaks: private photos from a photo app, people’s plastic surgery photos, and inmate and jail staff data spilled by a leaky prison app, to name a few examples.

On Tuesday, the vpnMentor researchers said that Kinomap’s database was lying around starkers, completely unsecured and unencrypted. You might have to pay for the subscription service to immerse you in forest greenery, but if you knew where to look, you wouldn’t need to pay anything at all to get at the 42 million Kinomap users’ records that the researchers found.

This is prime time for cybercrooks to be targeting exercise apps like Kinomap, they suggested, given that millions of people are staying at home due to the coronavirus pandemic.

Unable to access their usual forms of exercise, many people will be turning to apps like Kinomap to stay fit and upbeat during the crisis. Hackers will be aware of this and looking for opportunities to exploit the increased user numbers on apps without adequate data security in place.

The records seem to pertain to all Kinomap users, given that the data originated in countries across the world. Some of those countries prioritize citizens’ privacy, the researchers noted. That includes France, which is Kinomap’s home country and which has a vigilant watchdog for a data regulator.

Indeed, Kinomap users can most likely thank France’s National Data Protection Commission (CNIL) for getting this leaky database to shut up. That’s what vpnMentor figures, at any rate, given that Kinomap didn’t respond to its multiple contact attempts. It first found the babbling database on 16 March, tried to reach Kinomap on the 18th and again on the 30th, and reached out to CNIL on 31 March. vpnMentor didn’t hear back, but somebody fixed the leak around 12 April.

Before it got fixed, these are some of the types of data found in the plume of PII the database was exhaling:

  • Full names
  • Home country
  • Email addresses
  • Usernames for Kinomap accounts
  • Gender
  • Timestamps for exercises
  • The date they joined Kinomap

The researchers said they also found personal data leaking more indirectly:

Many of the entries contained links to Kinomap user profiles and records of their account activity. Similar to social media accounts, Kinomap profiles can reveal considerable personal details about a user.

The leak could have enabled attackers to craft fraud schemes and other forms of online attack, they said. Phishing and identity fraud come to mind. So does potential account hijacking, given that many of the exposed records included access keys for Kinomap’s API. That access could have enabled attackers to take over Kinomap accounts and lock out the rightful owners.

What to do?

Kinomap users should keep an eye out for emails or text messages from scammers who might know your account history and your identity. They might use that info to craft a phishing campaign in which they imitate Kinomap and try to trick users into providing credit card info or access to their bank accounts.

Attackers might also send an email with a rigged link that leads to malware if you click on it, thus infecting your phone, tablet or whatever device to which you’ve downloaded the Kinomap app.

Kinomap, being under General Data Protection Regulation (GDPR) jurisdiction, should report the leak, vpnMentor says. The company told me that it’s been notified about a vulnerability that was “immediately fixed.” It’s asked for a third-party audit “to make sure everything is cleared and compliant with GDPR.”

Anybody with an internet-facing database should secure their servers, implement proper access rules, and slap some authentication on it before opening it to the internet.



Porn scammers making $100,000 a month from sextortion emails

Did you receive one of those “porn scam” emails in the past week or so?

Millions of people did – in fact, the number was probably more like tens or even hundreds of millions, with some Naked Security readers reporting phlegmatically that they’d had two, three and even five different flavours of scam in the past few days.

Even if you’ve never had a sextortion email sample of your own, you’re probably familiar with the “porn scam” scenario, where cybercrimals send a message out of the blue that says something along these lines:

  • ATTENTION! We implanted malware on your computer, which means we have been keeping tabs on you, including grabbing your passwords and getting access to your accounts.
  • We also used this malware to film you via your webcam and to take screenshots of your browser.
  • We made a video of you on a porn site with the screenshots and the webcam footage side-by-side.
  • Oh, and the clock is ticking, so pay us some money pretty darn quickly or we’ll send the video to your friends and family. (We know who they are, because we have your passwords, remember?)

The extortion demand is typically somewhere from $700 to $4000, payable to a Bitcoin address provided in the email.

The good news is that it’s all a bluff, because the crooks behind this scam don’t have malware on your computer, don’t have a video of you doing anything, don’t have screenshots of your browsing habits, and haven’t just stolen a list of your friends and family to send their non-existent video to.

The bad news is that this sort of email is extremely confronting, even if you don’t watch porn and don’t have a webcam, because blackmail is an odious and unsettling crime under any circumstances.

What makes it worse is that the crooks often include a password in the email as “proof” of their claim to have malware on your computer…

….and that password very often really is a password you once used, even if it’s a few years old now or for an account you’ve already closed.

In truth, the passwords sent out in these scams have typically been dredged up from old data breaches.

Although the password you see may have been your password once, the crooks didn’t get it from your computer recently. (Word of warning: if you are still using that password, or anything like it, on any online account, change it now!)

As you can imagine, once recipients of these emails realise it’s all a cruel and criminal hoax, and that some crook is simply preying on their fears, the pressure is off and they can relax.

Unanswered questions

But where do all these emails come from? Why can’t they be stopped? How many people end up paying? Where does the money go?

Our researchers at SophosLabs decided to find out.

By combing through five months’ worth of sextortion-spam data, they came up with some intriguing answers that you can read about in the latest SophosLabs report.

SophosLabs found that a very small proportion of recipients actually paid the blackmail demands, for what looks like just a few hundred victims worldwide over the five months of the research; but with the demands typically being in the range of $1000 to $2000 each, the crooks nevertheless made just shy of half a million dollars during this period.

Simply put: as well as intimidating and unnerving many millions of people around the globe with the offensive and scary nature of the email content, the crooks managed to pull in a cool $100,000 a month.

As to where the money went, you can find out more of the gory details in the report, but this diagram gives you an idea of how and where the crooks “reinvested” their ill-gotten gains:

As to where the emails came from, the answer is, for the most part, that these huge sextortion spam surges came from innocent users whose computers were infected with spam-sending malware known as bots (short for “computer robots”).

These infected “zombie computers” can be fed remotely by the crooks with lists of email addresses. Each bot in the so-called “robot network”, or botnet, will then send out its own burst of spam, independently of all the others.

That means that there is no single source of the spam; no single server that can be blocked; no country that is an obvious culprit; and that the spam blasts happen in parallel from all over the world at the same time, as the report reveals:

So if you’ve ever wondered why spam blasts are hard to shut down, and why there isn’t one service provider or email sender that can be identified and taken down to bring the problem under control, it’s because zombie networks present an ever-changing mix of countries, computers and IP numbers – as well as a dynamic supply of what is essentially free bandwidth to the crooks.

The best way you can help to stop these porn scammers from sending so much spam is to make sure that you aren’t infected with zombie malware yourself.

Remember: when it comes to spam, if you aren’t part of the solution, you’re part of the problem!

You may also find this video useful: [embedded video]

By the way, if you’re looking for free anti-virus tools of the type we recommended in the video, you’ll find links in our Free Tools section below, from Sophos Home for Windows and Mac all the way to Sophos Antivirus for Linux.



309 million Facebook users’ phone numbers found online

Over the weekend, researchers at cybersecurity intelligence firm Cyble came across a database with 267m Facebook user profiles being sold on the Dark Web.

Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it … for the grand total of £500.

That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.

Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.

How did the data get leaked? In a blog post, Cyble said that it doesn’t know, but its researchers suspect that the records could have either come from a leak in Facebook’s developer API or from scraping: the automatic sucking up of publicly available data (like the kind people often publicly post on Facebook and other social networks).

It keeps popping up

The story doesn’t stop there, however. In fact, it doesn’t begin there, either. It turns out that this same database had been posted before; spotted by security researcher Bob Diachenko; taken down by the ISP hosting the page; reappeared, fattened up with another 42 million records in an Elasticsearch cluster on a second server; and then been destroyed by unknown actor(s) who replaced personal info with dummy data and swapped in database names labelled with this advice: “please_secure_your_servers”.

Exposed database after breach by unknown actors. IMAGE: Comparitech

Diachenko partnered with the tech comparison site Comparitech on this work last month. Comparitech said that the database was exposed for nearly two weeks, available online with no password protection, before it was taken down.

The timeline

This is what happened when, Comparitech says:

  • 4 December 2019: Database first indexed by search engines.
  • 12 December 2019: The data was posted as a download on a hacker forum.
  • 14 December 2019: Diachenko discovered the database and immediately sent an abuse report to the ISP managing the IP address of the server.
  • 19 December 2019: Access to the database was removed.
  • 2 March 2020: A second server containing identical records plus an additional 42 million was indexed by search engine BinaryEdge.
  • 4 March 2020: Diachenko discovered the second server and alerted the hosting provider.
  • 4 March 2020: The server was attacked and destroyed by unknown actors.

The initial breach exposed 267,140,436 records of what were mostly Facebook users in the US. Diachenko said that all of the records seemed to be valid. The same 267m records were exposed on the second server in March 2020, but this time, the exposure included an additional 42 million records, hosted on a US Elasticsearch server.

Comparitech said that 25 million of the new records contained similar information: Facebook IDs, phone numbers, and usernames. But 16.8 million of the new records had even more, including gender, email address, birth date and other personal data.

What data was exposed in exposure of fattened database. IMAGE: Comparitech

How did they get this data?

Both Cyble researchers and Diachenko aren’t sure how the breach happened, but both suggest that it could have been a hole in Facebook’s third-party developer API: either one that existed before the platform restricted access to phone numbers, or one that still lets crooks get at our user IDs and phone numbers even after Facebook restricted that access in the API.

Both Cyble and Diachenko say that alternatively, the records might have been harvested by scraping, which is a good reason why you might want to rethink how much data you’re publicly sharing on Facebook. In other words …

Stop exposing yourself!

The less PII you spread around, the less ammunition you give scammers to lure you into clicking on something dangerous in email or SMS text, or into telling them more than you should on the phone. The more scammers know about you, the more convincing they sound. All too often, the thinking of a would-be victim goes like this: “Hey, they know my birthdate and/or phone number and/or home address and/or fill in the blank. They must be legit!”

Be careful of unsolicited emails and texts — they might be phishing attempts. Here’s how to limit how much these con artists can glean about you from Facebook:

  1. In Facebook, go to Settings & privacy.
  2. Select See more privacy settings.
  3. Set all relevant fields to either Friends or Only me.
  4. Set “Do you want search engines outside of Facebook to link to your profile?” to No.

There were no passwords involved in this breach, but it’s still a good opportunity to ensure you have a strong password on Facebook, and that you’re not reusing it (or any other passwords) on any other site.

This breach has already given attackers one piece of the authentication puzzle they need to hijack your accounts: namely, it exposed Facebook users’ email addresses. Once they know the email you use on Facebook, they can use it to search through lists of breaches that have included passwords. Then, they’ll plug login name/password combinations into other sites to see where else you’ve (re)-used those credentials. … All of which adds up to it being a truly bad idea to use a password twice.

Finally, if you’re not already securing your Facebook account with two-factor authentication (2FA), now is a good time to turn that on. It will keep your account from being hijacked if your credentials do get hacked, via this or other breaches. Even if attackers get your username and password, 2FA can prevent them from taking over your accounts. In Facebook, you can turn on 2FA by going to Settings > Security and login.


