compromised WordPress sites that have been modified to include JavaScript that changes the text rendering. A visitor sees the page as an unreadable mish-mash of symbols, and is prompted to update "Chrome's language pack" so that the text is rendered correctly and he or she is able to read it:

"The usage of a clean, well-formatted dialog to present the message with the correct Chrome logo – and, more importantly, – the correct shade of blue for the update button. The shape of the update button seems correct, and the spelling and grammar are definitely good enough to get a pass," NeoSmart Technologies' Mahmoud Al-Qudsi noted.

wrong version numbers) during the download and installation process, but not all will. The bad news is that neither Windows Defender nor Chrome flags the file as malware and, at the time of the initial discovery, very few AV engines detected it as malicious (the situation is much better now). Chrome will tell users that "this file isn't downloaded very often" as a warning of its potential malicious nature, but that's unlikely to stop users who are accustomed to clicking through security warnings.

The second threat comes in the form of a malicious Chrome extension that is pushed onto visitors of compromised sites. The potential victims are redirected to such sites mostly through malvertising schemes, and they are faced with the request to install the extension in order to be able to leave the site – no other option is given, and the browser is stuck in a never-ending loop of fullscreen modes. The extension aims to redirect victims to unwanted software, get-rich-quick schemes, and various scams.

"This extension ensures it stays in hiding by using a 1×1 pixel image as its logo and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them," Malwarebytes' Jérôme Segura explains.

Victims will have to use a security solution to do it, and likely another browser to search for it and install it. Malwarebytes detects this extension as Rogue.ForcedExtension.
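The two hiding tricks Segura describes (a 1×1 pixel icon and hooks on chrome://extensions and chrome://settings) are both visible in an extension's files on disk, which is how a responder can triage a profile without relying on the extensions page the extension has hijacked. The following script is an added example, not code from Malwarebytes or from the article: it walks an unpacked extension directory, parses manifest.json, reads the PNG IHDR header of every declared icon to catch 1×1 placeholders, and scans the extension's JavaScript for references to the two management URLs. The sample extension it writes to a temporary directory is constructed for the demo and contains only the URL strings, not any redirect logic.

```python
"""Triage an unpacked Chrome extension for the hiding tricks described above.

Added example (not Malwarebytes' or the article's code). Findings are returned
as a dict so they can be checked programmatically; the sample extension built
by build_sample_extension() is constructed for this demo."""
import json
import os
import re
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Management pages the extension hooks, per the Malwarebytes description.
HOOK_RE = re.compile(r"chrome://(extensions|settings)")


def png_dimensions(path):
    """Return (width, height) from a PNG's IHDR chunk, or None if not a PNG."""
    with open(path, "rb") as fh:
        head = fh.read(24)
    if len(head) < 24 or head[:8] != PNG_SIG or head[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", head[16:24])


def manifest_icon_paths(manifest):
    """Collect icon paths from 'icons' and from a browser_action/action block."""
    paths = set(manifest.get("icons", {}).values())
    for key in ("browser_action", "action"):
        icon = manifest.get(key, {}).get("default_icon", {})
        if isinstance(icon, str):
            paths.add(icon)
        else:
            paths.update(icon.values())
    return sorted(paths)


def triage_extension(ext_dir):
    """Return findings for one unpacked extension directory."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = {"name": manifest.get("name", "?"), "tiny_icons": [], "hooked_urls": []}
    # A 1x1 (or smaller) logo is a hiding tell: nothing shows in the toolbar.
    for rel in manifest_icon_paths(manifest):
        dims = png_dimensions(os.path.join(ext_dir, rel))
        if dims is not None and dims[0] * dims[1] <= 1:
            findings["tiny_icons"].append(rel)
    # Any script that names the management pages deserves a manual look.
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                for m in HOOK_RE.finditer(fh.read()):
                    if m.group(0) not in findings["hooked_urls"]:
                        findings["hooked_urls"].append(m.group(0))
    findings["suspicious"] = bool(findings["tiny_icons"] or findings["hooked_urls"])
    return findings


def make_png(width, height):
    """Build a minimal valid 8-bit RGB PNG of the given size (constructed icon)."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def build_sample_extension():
    """Write a constructed extension showing both tells; return its directory."""
    ext_dir = tempfile.mkdtemp(prefix="forced_ext_")
    manifest = {
        "manifest_version": 2,
        "name": "Sample Forced Extension (constructed)",
        "version": "1.0",
        "icons": {"16": "icon.png", "128": "icon.png"},
        "background": {"scripts": ["background.js"]},
    }
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(ext_dir, "icon.png"), "wb") as fh:
        fh.write(make_png(1, 1))
    with open(os.path.join(ext_dir, "background.js"), "w", encoding="utf-8") as fh:
        # Constructed sample: only the URL strings, no redirect logic.
        fh.write("var pages = ['chrome://extensions', 'chrome://settings'];\n")
    return ext_dir


if __name__ == "__main__":
    print(triage_extension(build_sample_extension()))
```

On a real machine, point `triage_extension()` at each subdirectory under the profile's `Extensions` folder; the dimension check is deliberately done on the raw IHDR header rather than with an image library so the script has no dependencies beyond the standard library.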
A generic wireless camera manufactured by a Chinese company and sold around the world under different names and brands can be easily hijacked and/or roped into a botnet. The flaw that allows this to happen is found in a custom version of GoAhead, a lightweight embedded web server that has been fitted into the devices.

This and other vulnerabilities have been found by security researcher Pierre Kim, who tested one of the branded cameras – the Wireless IP Camera (P2P) WIFICAM. The extensive list of devices affected by the flaw in the custom embedded web server can be found here, and includes 1250+ camera models from over 300 vendors, including D-Link, Foscam, Logitech, Netcam, and Polaroid.

"This vulnerability allows an attacker to steal credentials, ftp accounts and smtp accounts (email)," Kim noted. He also shared a PoC exploit that leverages the flaw to allow an attacker to achieve a root shell on the device.

Other vulnerabilities present include an RTSP server running on the camera's TCP port 10554, which can be accessed without authentication, allowing attackers to watch what the camera streams. There is also a "cloud" functionality that is on by default, through which the camera can be managed via a mobile Android app. The connection between the two is established through UDP, and will be automatically established to any app that "asks" if a particular camera is online. Effectively, the attacker just needs to know the serial number of the device. The established UDP tunnel can also be used by the attacker to dump the camera's configuration file in cleartext, or to bruteforce credentials.

"The UDP tunnel between the attacker and the camera is established even if the attacker doesn't know the credentials," Kim noted. "It's useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. Then, the attacker can just try to bruteforce credentials of the camera."

Kim advises owners of these devices to disconnect them from the Internet. A simple search with Shodan revealed that there are 185,000+ vulnerable cameras out there, ready to be hijacked. The vulnerabilities are not in GoAhead itself, but in the custom version of the web server developed by the Chinese OEM vendor, so EmbedThis – the company that develops GoAhead – can do nothing to fix this.

Interestingly enough, SecuriTeam revealed today the existence of an arbitrary file content disclosure vulnerability affecting older versions of the GoAhead web server. Discovered by independent security researcher Istvan Toth, the vulnerability can be triggered by sending a malformed request to the web server, and it will disclose device credentials to the attacker in clear text. "The GoAhead web server is present on multiple embedded devices, from IP cameras to printers and other embedded devices," SecuriTeam explained, and urged owners to remove the device from the network, "or at the very least not allow access to the web interface to anyone beside a very strict IP address range."
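Before deciding whether a camera on your own network needs to be pulled offline as Kim advises, it helps to confirm the one finding that is easy to verify from the LAN: whether the RTSP service on TCP port 10554 answers a stream request without demanding credentials. The script below is an added example written for that audit; it is not code from Kim's advisory or from SecuriTeam. It sends a single RTSP DESCRIBE and classifies the reply: a 401 carrying a WWW-Authenticate challenge means the stream is protected, a 200 means anyone who can reach the port can pull the stream. The response parser is kept separate from the socket code so it can be exercised on the two constructed sample replies at the bottom without a device present.

```python
"""Check whether a camera's RTSP endpoint answers a DESCRIBE without auth.

Added example, not code from the advisory. The port default (10554) and the
expected behaviour come from the article; the sample replies are constructed."""
import socket


def build_describe(host, port):
    """Minimal RTSP/1.0 DESCRIBE request for the root stream path."""
    return (
        "DESCRIBE rtsp://{h}:{p}/ RTSP/1.0\r\n"
        "CSeq: 1\r\n"
        "Accept: application/sdp\r\n\r\n"
    ).format(h=host, p=port).encode("ascii")


def parse_rtsp_status(raw):
    """Return (status_code, requires_auth) parsed from a raw RTSP response.

    requires_auth is True only for a 401 that actually carries a
    WWW-Authenticate challenge; a bare 401 with no challenge is treated as
    an oddity worth a manual look rather than as proof of protection."""
    text = raw.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError("not an RTSP response: %r" % lines[0])
    code = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, code == 401 and "www-authenticate" in headers


def classify(code, requires_auth):
    """Map a parsed status to an audit verdict."""
    if requires_auth:
        return "protected"
    if code == 200:
        return "UNAUTHENTICATED"
    return "other"


def check_camera(host, port=10554, timeout=3.0):
    """Connect to one camera you own and return its audit verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(host, port))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify(*parse_rtsp_status(raw))


# Constructed sample replies, used to exercise the parser offline.
SAMPLE_PROTECTED = (
    b"RTSP/1.0 401 Unauthorized\r\n"
    b"CSeq: 1\r\n"
    b"WWW-Authenticate: Digest realm=\"cam\", nonce=\"constructed\"\r\n\r\n"
)
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    for label, sample in (("protected", SAMPLE_PROTECTED), ("open", SAMPLE_OPEN)):
        print(label, "->", classify(*parse_rtsp_status(sample)))
```

Run `check_camera("192.0.2.10")` (a documentation address used here as a placeholder) against a device on your own LAN; a verdict of `UNAUTHENTICATED` is the condition described in the article and is the signal to take the camera off the Internet-facing network or, as SecuriTeam suggests for the web interface, restrict it to a tight address range.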