Cybercriminals Learn to Love Extensions like Toolbars in Recent Targeted Attacks

In the late 90s and early 2000s, most web browsers came with small add-on programs to enhance browsing. Most of these programs were toolbars, which added functionality like search, bookmark management and local weather forecasts in an easy-to-access area of the browser. All in all, they were harmless, albeit annoying. That is no longer the case. Ask.com, purveyor of the somewhat well-known Ask.com toolbar, has fallen victim to two very specific and targeted attacks.

The first attack, according to BleepingComputer.com, took place at the end of October. Third-party security vendors detected the attack and alerted the toolbar’s creator, Ask Partner Network (APN). APN quickly flushed the intruders out of their network, but only temporarily. The cybercriminals returned in December, specifically re-infecting the Ask.com toolbar with potentially unwanted programs.

So why are these small, innocuous and potentially unwanted programs (PUPs) bad for end users? Simple: they offer cybercriminals more opportunities to compromise networks and users. They, in the parlance of the cybersecurity industry, expand the attack surface for hackers.

The cybercriminals responsible for this attack managed to compromise APN’s network at least twice. By doing so, they were able to take advantage of the company’s digital certificates—essentially little strips of code proving APN is who they say they are—to push malicious updates to end users. These strips of code act as an I.D. card for companies, allowing them to issue trusted, verified updates for their programs to end users.

Compromised digital certificates can cause a lot of damage. In this case, cybercriminals used the certificates to trick end users into updating their Ask.com toolbar. By doing so, they unknowingly downloaded a corrupted file that enabled the attackers to both unpack a Remote Access Tool/Trojan (RAT) and steal credentials that would allow them to target other computers on the network.
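The following is an added example, not code from the original post or from APN, showing in Go why a stolen code-signing key is so damaging. The key pair, installer bytes and release manifest are all constructed for the demonstration. A client that only checks "is the signature valid under the vendor's key?" will accept an installer signed by whoever holds that key; pairing the signature check with an installer hash published through an independent channel is one mitigation that rejects the rogue update even though its signature is genuine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is a constructed stand-in for a toolbar update package: the
// installer bytes plus the vendor's signature over them.
type Update struct {
	Payload   []byte
	Signature []byte
}

// NewVendorKey models the vendor's code-signing key pair (the "I.D. card").
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the vendor-side step: sign the installer with the private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySignature is the naive client-side check: trust anything the vendor key signed.
func VerifySignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// PayloadHash returns the SHA-256 of the installer, as a vendor would publish
// in a release manifest.
func PayloadHash(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// VerifyStrict accepts an update only if the signature checks out AND the
// installer hash appears in a manifest obtained independently of the update
// channel (assumed here to be pinned in the client or fetched from a separate
// server). A valid signature alone does not prove the vendor built this file.
func VerifyStrict(pub ed25519.PublicKey, u Update, manifest map[string]bool) bool {
	return VerifySignature(pub, u) && manifest[PayloadHash(u.Payload)]
}

// Outcome records how each update fared under each check.
type Outcome struct {
	LegitAccepted           bool // genuine release, strict check
	TamperedAccepted        bool // bytes altered after signing, signature-only check
	StolenKeyAccepted       bool // rogue installer signed with the stolen key, signature-only check
	StolenKeyRejectedStrict bool // same rogue installer, strict check
}

// SimulateCompromise walks through the three situations with constructed data.
func SimulateCompromise() (Outcome, error) {
	pub, priv, err := NewVendorKey()
	if err != nil {
		return Outcome{}, err
	}

	genuine := []byte("toolbar-installer v2.1 (constructed sample)")
	manifest := map[string]bool{PayloadHash(genuine): true}

	var o Outcome
	// 1. Genuine release: signature valid and hash listed in the manifest.
	o.LegitAccepted = VerifyStrict(pub, SignUpdate(priv, genuine), manifest)

	// 2. Tampered in transit: the bytes change after signing, so the signature fails.
	tampered := SignUpdate(priv, genuine)
	tampered.Payload = append([]byte{}, genuine...)
	tampered.Payload[0] ^= 0xff
	o.TamperedAccepted = VerifySignature(pub, tampered)

	// 3. Stolen signing key: the attacker signs their own installer with the vendor's key.
	//    The signature is cryptographically perfect; only the manifest check catches it.
	rogue := SignUpdate(priv, []byte("rogue-installer (constructed sample)"))
	o.StolenKeyAccepted = VerifySignature(pub, rogue)
	o.StolenKeyRejectedStrict = !VerifyStrict(pub, rogue, manifest)
	return o, nil
}

func main() {
	o, err := SimulateCompromise()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The manifest stands in for any channel the attacker would have to compromise separately, such as hashes pinned in the client build or served from infrastructure that does not share credentials with the update server; revoking the compromised certificate closes the gap for later updates, but the independent check is what protects clients during the window between compromise and revocation.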

The good news here is that the attack appears to be highly manual in nature. The security report even details typos in the attacker’s code, and suggests that a human—not an automated bot—may be issuing the attack in real time. This means the attack is slow-moving and unlikely to hit a lot of users at once, giving security firms the time they need to detect it.

This does not, however, mean it’s impossible for crooks to pull off. To head off this potential exploit and protect your devices, follow these tips:

  • Watch what you install. There are a lot of programs out there that are available for downloading. Do yourself a favor and limit yourself. While most programs are safe, some can pose problems. Only download programs from trusted app stores or directly from developers you trust.
  • Stay up to date with updates. Installing updates when they’re available is one of the most sure-fire ways of staying safe online today. Yes, this attack occurred with a bad update, but attacks like this are extremely rare. Install updates when they’re available to ensure the latest security patches are in place.
  • Use comprehensive security. Comprehensive security solutions are key to living a safe digital lifestyle. Security suites, like McAfee LiveSafe™, can help protect your devices with the latest, up-to-date security technology, and are essential to cross-device security today.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and ‘Like’ us on Facebook.
