Beware of Fake Spectre and Meltdown Patches

BBH SolutionsNews

Cybercriminals are now peddling patches that install malware rather than fix the vulnerabilities recently discovered in computer chips. Learn how hackers are conning people into installing these fake patches so that you do not become the next victim.

Cybercriminals did not waste any time after the January 3, 2018, announcement that most of the computer chips in use today have two serious security vulnerabilities. Less than two weeks later, security analysts discovered that some hackers were trying to take advantage of the situation. They were not trying to exploit the chips’ vulnerabilities, though. They were trying to exploit people’s fears. The cybercriminals were offering to fix the Spectre and Meltdown vulnerabilities, but the patch they were peddling was actually a program that infected devices with malware known as Smoke Loader.

While this scam has been shut down, security experts are expecting more like it. By understanding how hackers carried out the scam, you will be better able to spot similar attacks.

How the Scam Worked

To dupe people into installing the fake patch, the hackers used phishing emails and a spoofed website. Hackers initiated the scam by sending well-crafted phishing emails to German citizens. The emails appeared to come from Germany’s Federal Office for Information Security (BSI), the equivalent of the National Institute of Standards and Technology (NIST) agency in the United States. According to the real BSI, the emails had subject lines like “Critical vulnerability – important update”. The body of the email, which included BSI’s logo, warned about the Spectre and Meltdown vulnerabilities. The email recipients were urged to click a link that lead to a website supposedly run by BSI.

Although the website was being run by hackers, it looked like a legitimate BSI web page. It even had an HTTPS address and the padlock symbol to give victims a false sense of security. The fake BSI site urged people to download a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip), which contained a fake patch (Intel-AMD-SecurityPatch-10-1-v1.exe). Victims who downloaded and installed the fake patch had the Smoke Loader malware installed on their computers or smartphones.

Smoke Loader changes settings and installs files on infected devices. Hackers use this malicious program, which is designed to avoid detection, to install other malware (e.g., ransomware, banking trojans) on victims’ devices.

How to Avoid Becoming a Victim

Phishing emails and spoofed websites are often used in cyberattacks, so hackers will likely utilize them again in future patch scams. No matter whether the patch being peddled is for Spectre, Meltdown, or a different security vulnerability, it is a good idea to follow these guidelines:

  • Do not assume an email is authentic because it looks official. In the past, phishing emails were fairly easy to spot. They often looked crude and had spelling and grammatical errors. Nowadays, many cybercriminals take the time to make their emails look authentic. Besides crafting convincing messages that are free from spelling and grammatical errors, they often use visual elements, such as logos. It is easy for anyone to copy a logo from a legitimate website and then paste the logo into an email.
  • Do not assume a URL will take you where it says it will. Hackers often use deceptive URLs. A deceptive URL is one in which the actual URL does not match the displayed linked text or web address. For example, the displayed text might specify a legitimate organization’s name (e.g., NIST) or web address (e.g., https://www.nist.gov), but the actual URL leads to a malicious website. You can check a link’s actual URL by hovering your mouse pointer over it (without clicking it).
  • Do not assume a website is legitimate because it starts with “HTTPS”. Research has shown that many people believe that sites which start with “HTTPS” and have the padlock symbol are legitimate and safe. However, this designation simply indicates a site is using the HTTP Secure (HTTPS) protocol, which means that any data being transmitted between web browsers and the site is encrypted. It does not signify that the site is legitimate or its contents are safe. Hackers like to use the HTTPS protocol on their malicious sites because it can give visitors a false sense of security. In fact, a quarter of all phishing websites are HTTPS sites, according to PhishLabs.
  • Be wary of emails that urge you to install any type of update. Vendors seldom contact customers via email about applying patches or other types of updates. Most vendors either automatically install them or send notifications through the operating system’s or the device’s update service (e.g., Windows Update, HP Support Assistant). If you receive an email about an update from a vendor, you should verify the email’s authenticity.

How to Keep Your Organization Safe

It is important to have newly discovered security vulnerabilities patched. This will prevent hackers from exploiting them to gain access to computers and other devices. Organizations that subscribe to BBH’s Defense in Depth program have peace of mind in knowing that genuine patches are safely applied as soon as they are available.

If someone emails you about installing a patch to fix a vulnerability, you need to make sure the email is from the vendor and not a cybercriminal. If the need arises, the BBH Team can verify whether the email is legitimate or a phishing scam.