Monday, May 14, 2012

Update: Travelers alert concerning fake update alert popups

Recently the IC3 released an advisory containing sparse detail that travelers abroad are being infected via fake update alerts for unnamed products that were being delivered over compromised hotel connections.  I wrote a speculative article about this, and wanted to provide some clearer detail about what appears to be happening.

First:  It does not appear that the "real" update mechanisms for any of the likely products are compromised.  I still can't recommend you do *any* updates while traveling.  Do them before, or after.  Besides, who want's to download a large update over what is typically a slow connection at that overseas hotel?

Second: Through either captive portal DNS, or via Javascript injection delivered by the compromised guest connection, these popups are being delivered primarily through the browser - just like "normal" malware popups.  I speculate that there may also be a class of these threats that try to take advantage of unpatched systems -- just like the ones you see from compromised websites or from clicking the wrong spam email link.

In the former case, the sample I recently observed looked like a browser popup, mocked up to resemble (poorly) an actual update alert from Adobe. An unwary traveler might be fooled by this, it scares me to think how many . . .

In the latter case, the attack could exploit known vulnerabilities in either Java, Flash or the OS to deliver a small software stub that does a much better job of presenting the intended victim a realistic looking (but still fake) update alert.  This is much like the numerous examples of fake anti-virus infections that have plagued the Internet for the last few years.  Your best bet to prevent this is -- as always -- to stay on top of your system updates for the OS, Java, Flash, etc.

Third:  Some reminders of safe guest connection usage to prevent ID Theft, infection etc.

  1. Never, ever, click on a popup window while browsing the Internet.  Close it via Task Manager or by using ALT-F4.
  2. Never access secure websites like your bank while on a guest connection unless you are also using VPN or similar safeguards to prevent snooping.
  3. Don't leave your computer unattended while connected to a guest connection.  Let it go to sleep, or hibernate, or disconnect it for localized work, or shut it down when you are done with your session.
  4. Pay careful attention to the guest connections usage instructions (if the hotel or facility provides such) . . .  in particular make sure you are connecting to their actual hotspot, not a fake one with a similar name in range.
  5. When you first connect to a guest connection, Vista and Windows 7 will ask you if this is a Home, Work or Public connection.  ALWAYS select Public - this tells your OS to use a higher security level on its built in firewall.  Other third party software firewall solutions generally also prompt you on the trust level you want to give a guest connection, always choose the most restrictive profile available.
  6. Assume that any guest connection, whether at a hotel, coffee shop, truck stop, conference center, airport, etc, is suspect.  Also don't assume that the IC3's advisory should only be taken for overseas travel.  Similar attack methods have occurred in the past in the US, Canada and elsewhere. They can take place on both wireless and wired connections.


No comments:

Post a Comment

Comments are welcome but moderated to prevent spam links. I usually check them at least once a day in the evenings - so please be patient with me if your comment does not appear quickly.

Thank you.