Update: Travelers alert concerning fake update alert popups
It's come to this: a problem I first thought of several years ago (that blog is dead, or I would link it) has finally come to pass.
Updates for certain common plugins are being spoofed on guest connections at hotels, airports and probably other Wi-Fi hotspots. Nor should you assume it is only Wi-Fi: the same thing can be done on the wired Ethernet connection in the hotel room, or in the guest-services room at a conference center, since the attacker only needs control of the network you are plugged into.
Travelers to (for now*) undisclosed foreign countries have fallen victim to malware presented in a popup window that claims to be an update for a well-known and frequently updated plugin. My guess is Adobe Flash; it could also be Adobe Reader or Oracle Java.
It's become serious enough that the IC3 and the FBI have posted a travelers' advisory about the issue:
Malware Installed on Travelers' Laptops Through Software Updates on Hotel Internet Connections
Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms.
Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.
* I'm going to extrapolate into the future a bit: it's only a matter of time before this a) spreads to the US and b) expands to spoof Windows Update and other popular update mechanisms.
What should you do to protect yourself?
It has become vitally important to stay patched on all MS products, Adobe products and Java, and normally you should be as current in your updates as possible. Even so, if a patch is released while you are traveling, it is better to delay it until you are back on a trusted connection than to accept an update prompt on a guest network, because on that network you cannot tell a real prompt from a spoofed one.
Better yet, add system maintenance to your list of things to complete just before you depart for your trip, and do it from a trusted Internet connection: home or work.
And a short reminder of the top four items to check at least monthly:
1) Microsoft Updates: released every second Tuesday of each month.
2) Adobe PDF and Flash updates at www.adobe.com: no set release schedule, but check monthly. (I do this for manually patched systems on the same day I deploy MS patches.)
3) Java (now from Oracle) at www.java.com.
4) Firefox (if you are a fan).
And during the trip? From now on: IGNORE update reminders when connected to a guest Internet service.
Gross. Firefox updates are signed, and the update snippet itself is delivered over SSL, and I'm pretty confident that the user doesn't even get a choice to override certificate errors, so the attack surface there is pretty small. Any update systems that aren't secured like that are a direct route to getting exploited.
This is also true for Microsoft Updates; however, part of this "exploit" is social: the popups that I've been researching do not have valid certs, but the system is allowing the user to override the warning about that invalid cert. Not sure about Firefox, but I think you are probably correct.
So on the one hand, a savvy traveler could safely update, but on the other side I suspect many travelers have been blindly allowing the process, fooled by a realistic (and familiar-looking) update notice.
Also keep in mind this is a classic man-in-the-middle attack: someone has infiltrated that host connection. It is possible that even valid update notices might be redirected to a malicious download (captive DNS, anyone?) after accepting the prompt. Then, when the cert warning comes up, the uneducated user might still allow it, thinking they were doing the "right thing."
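As an added illustration of the post's advice and of the certificate-override and captive-DNS points raised in the comments, here is what a fail-closed update check looks like in code. This is example code written for this page, not the post's, the commenters', or any vendor's updater. Everything in it is constructed: the installer bytes, the "pinned" hash, the update URLs, and the host allowlist (built from the two hosts the post names, purely as stand-ins; a real list would hold the vendor's actual download hosts). The standard-library `ssl` context is real and does refuse invalid certificates, but no network call is made when the module is run as shown.

```python
"""
Added example (not from the original post, the comments, or the FBI/IC3
advisory): three controls a traveler's update tooling should enforce on a
guest network, each of which the spoofed-popup attack relies on being absent.

  1. Source check: the update must come from a known vendor host over HTTPS.
     A fake popup links elsewhere, or tries URL tricks such as userinfo
     ("https://www.adobe.com@evil.example/") to look legitimate.
  2. Strict TLS: the client never offers an "override" for a bad certificate,
     the behaviour the comments credit Firefox with.
  3. A hash pinned before departure: the installer's SHA-256 is recorded over
     a trusted (home/work) connection and checked after download, so a
     download redirected by captive DNS is rejected even if the prompt and
     the URL looked right.

All data below is constructed for this example; no real vendor hashes or
download hosts are used.
"""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlsplit

# Illustrative allowlist using the hosts the post names (assumption: stand-ins
# for the vendor's real download hosts, which a traveler would record before leaving).
ALLOWED_UPDATE_HOSTS = {"www.adobe.com", "www.java.com"}

# Constructed stand-ins for the legitimate installer and its pre-travel pinned hash.
LEGIT_INSTALLER = b"MZ\x90\x00 legitimate installer (constructed sample)"
PINNED_SHA256 = hashlib.sha256(LEGIT_INSTALLER).hexdigest()

# Constructed stand-in for what a redirected download on the hotel network delivers.
TAMPERED_INSTALLER = b"MZ\x90\x00 installer served by the hotel network (constructed)"


def update_source_allowed(url: str, allowed_hosts: set) -> bool:
    """Accept only https:// URLs whose host is an allowlisted vendor host
    or a subdomain of one. urlsplit().hostname strips any userinfo part,
    so 'https://www.adobe.com@evil.example/' resolves to evil.example."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that fails closed: full chain validation plus hostname
    checking, with no code path that lets a user accept a bad certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_installer(url: str, timeout: float = 30.0) -> bytes:
    """Download the installer over strictly verified TLS. An invalid
    certificate raises ssl.SSLCertVerificationError; it is deliberately
    not caught, because 'click through the warning' is the attack."""
    if not update_source_allowed(url, ALLOWED_UPDATE_HOSTS):
        raise ValueError("refusing update from a non-allowlisted or non-HTTPS source")
    with urllib.request.urlopen(url, timeout=timeout, context=strict_tls_context()) as resp:
        return resp.read()


def installer_matches_pin(data: bytes, pinned_sha256: str) -> bool:
    """Compare the downloaded bytes against the hash pinned before travel."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256)


def decide(data: bytes, pinned_sha256: str) -> str:
    """Policy: install only what matches the pin; anything else is rejected,
    however genuine the popup that offered it looked."""
    return "install" if installer_matches_pin(data, pinned_sha256) else "reject"


if __name__ == "__main__":
    # Offline demonstration on the constructed samples (no network access).
    print("legit installer   :", decide(LEGIT_INSTALLER, PINNED_SHA256))
    print("tampered installer:", decide(TAMPERED_INSTALLER, PINNED_SHA256))
    for u in ("https://www.adobe.com/update.exe",
              "http://www.adobe.com/update.exe",
              "https://www.adobe.com@hotel-portal.example/update.exe"):
        print(f"{u!s:60} allowed={update_source_allowed(u, ALLOWED_UPDATE_HOSTS)}")
```

The important design point is that none of the three checks can be waived interactively: a prompt from the wrong host is refused before any download, a certificate failure is an exception rather than a dialog, and a hash mismatch rejects the file outright. That is the property the comments credit Firefox's signed, TLS-delivered update snippet with, and it is what the hotel-network popup depends on the victim not having.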