PC users already have to contend with buggy Meltdown and Spectre patches. But now they also need to be wary of cybercriminals exploiting uncertainty about the fix and where to get them.
Germany's equivalent of NIST, the Federal Office for Security and IT (BSI), has issued an alert over spam that impersonates the agency. The spam warns the public about the Meltdown and Spectre attacks and includes links to pages where supposed patches can be obtained. According to BSI, the link leads to a fake BSI website hosting malware that can infect a computer or smartphone.
"The Federal Office for Information Security (BSI) is not the sender of these emails. Recipients of such or similar emails should not click on links or any attached documents, but instead delete the email. Users who have opened the fake website should never download the alleged security update linked there," it says.
The office has published real advisories regarding the two CPU attacks, including links to patches from Microsoft and details about antivirus compatibility.
BSI did not provide details on the URL that was hosting the fake Meltdown-Spectre patches, but security firm Malwarebytes has identified at least one of the likely pages the spam was linking to.
As with many phishing sites these days, the fake BSI page was SSL-enabled, meaning victims could be duped by the padlock symbol shown next to the HTTPS address in their browser's address bar. The attackers had registered part of BSI's German name under the .bid generic top-level domain.
Jérôme Segura, a researcher at Malwarebytes, says the phishing site's link leads to the installation of malware known as Smoke Loader, which can install other malware.
The fraudulent BSI site has a link to a ZIP archive named 'Intel-AMD-SecurityPatch-11-01bsi.zip', which suggests a fix for the two bugs. If the executable inside is run, the victim unwittingly installs Smoke Loader, which then calls out to a number of Russia-hosted domains.
The phishing site is no longer reachable. "We immediately contacted Comodo and Cloudflare to report on this abuse and within minutes the site did not resolve anymore thanks to Cloudflare's quick response," noted Segura.
However, Segura said other sites linked with the .bid domain hosted a German template for a bogus Flash Player update -- another common ruse to trick victims into installing malware.
"Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns," wrote Segura.
"This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise."
He added that HTTPS links aren't necessarily trustworthy. A recent report from security firm PhishLabs showed that HTTPS adoption by phishing sites is growing faster than on the web as a whole.
In the third quarter of 2017, a quarter of all phishing sites used HTTPS, up from three percent a year earlier. Phishers are adopting HTTPS not because the task requires it, but because the added security gives the impression of legitimacy.
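As an added illustration (not code from the article, BSI or Malwarebytes), here is the kind of link check a mail gateway or user-awareness tool could run over a "patch" email: the decision rests on an allowlist of the agency's real hosts, not on the presence of HTTPS. www.bsi.bund.de is BSI's real site; the .bid host and the Flash Player URL are constructed, and the ZIP name is the one quoted above.

```python
from urllib.parse import urlparse

# Allowlist of hosts the agency really publishes advisories on. www.bsi.bund.de is
# BSI's real site; every other host and URL in this example is constructed.
LEGIT_HOSTS = {"bsi.bund.de", "www.bsi.bund.de"}
# Fragments of the agency's name/abbreviation that a lookalike domain is likely to reuse.
BRAND_TOKENS = ("bsi", "bundesamt")
DOWNLOAD_SUFFIXES = (".zip", ".exe", ".scr", ".js")


def assess_link(url: str) -> dict:
    """Return a verdict for one URL taken from an email that claims to offer a patch.

    A padlock only proves the connection is encrypted to whoever controls the host
    name; it says nothing about whether that host belongs to the organisation it
    names. The verdict is therefore made on the host allowlist, not on the scheme.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()  # scheme-less strings give hostname None -> ""
    findings = []
    if host not in LEGIT_HOSTS:
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append("lookalike: brand name on a host we do not own")
        else:
            findings.append("unrecognised host")
        if p.scheme == "https":
            findings.append("https padlock present but host is not the real site")
    if p.path.lower().endswith(DOWNLOAD_SUFFIXES):
        findings.append("archive/executable offered as a 'security patch'")
    return {"url": url, "host": host, "trusted": not findings, "findings": findings}


def triage(urls):
    """Assess a batch of links and return only those that need attention."""
    return [r for r in map(assess_link, urls) if not r["trusted"]]


if __name__ == "__main__":
    SAMPLE_LINKS = [  # constructed: the .bid host is invented, the ZIP name is from the report
        "https://www.bsi.bund.de/",
        "https://bundesamt-sicherheit.bid/Intel-AMD-SecurityPatch-11-01bsi.zip",
        "http://update-flashplayer.example/install.exe",
    ]
    for r in triage(SAMPLE_LINKS):
        print(r["host"], "->", "; ".join(r["findings"]))
```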