Security Week 37: Attacks on Distance Learning Systems
The topic is more than relevant: in the second quarter, millions of schoolchildren and students were forced to switch to online classes. Accordingly, the number of attacks both on users of distance learning platforms and on the platforms themselves has grown. In a study by Kaspersky Lab, it is impossible to separate educational services from general conferencing systems, so the report also provides insight into attacks on platforms such as Zoom and Google Meet.
In addition to the Zoom and Google platforms, Kaspersky Lab specialists studied Moodle, Coursera, Blackboard and other educational services. The graph above shows the problem from an interesting angle: this is the number of blocked malware that got on users’ computers under the guise of software for a specific service.
Zoom, with its absolute leadership, breaks the schedule – the number of attacks on its users in the first half of 2020 increased by 1400 times. In addition, the number of DDoS attacks on the services themselves has increased five times. The number of phishing attempts for conferencing passwords and training programs has also increased significantly.
Most of the time, fake Zoom clients install adware on victims’ computers, but there is a chance of getting a Trojan or backdoor. Attackers do not even need to use malware to attack. The study provides examples of plausible phishing pages, including for proprietary online platforms at major universities.
Testimonies from university professors in the full report show that using online platforms is not easy in itself. Not to mention the growing safety risks for students, teachers and educational institutions in principle.
What else happened
It fits well into the canvas of creative phishing study by Cofense. They found a slightly more plausible than usual method of stealing corporate email passwords using a cloud-based system (typically Office 365). The attack starts with a traditional fake email with a link, but clicking on it opens a phishing page, where the organization’s real website is loaded in the background. In some cases, the e-mail of a potential victim has already been inserted into the input field.
Apple moderators accidentally “approved“Intrusive adware Shlayer to run on computers running macOS (see also the news on Habré). Also, from the Google Play app store recently removed six Joker spy programs.
Cyber group Magecart, which specializes in stealing credit card data after an attack on online stores, start use the Telegram messenger as a communication channel with the command server.
Microsoft representatives announced Video Authenticator service for dealing with deepfakes. It will not be available directly to end users – at least not a word about it in the announcement. The service is trained on the DeepFake Detection Challenge dataset. A recent competition of algorithms based on the same dataset showed average results – advanced designs identified a maximum of 65% of fakes.
File Manager WordPress Plugin With 700K Installs Closed vulnerabilitybut attacks on unpatched pages continue.
In the messenger WhatsApp shut down six vulnerabilities. The news of this appeared on a new site, where Facebook developers plan to continue to disclose such information. One of the vulnerabilities allows you to find out the user’s IP address – you just need to send a prepared sticker, which will start downloading a picture from an arbitrary site.
In the messenger Cisco Jabber found a critical vulnerability that allows arbitrary code to be executed on the victim’s computer by sending a special message.
Google increases the budget of the bug bounty program, which should answer the question: “How can attackers use Google services to harm?” Mail, Forms, Disk and other corporate solutions are regularly used to send spam and distribute malware.
