Whiffy malware stinks after tracking location via Wi-Fi

No one likes malware, but malicious code that tracks your location is particularly unlovable. Case in point, a new piece of nasty code dubbed "Whiffy Recon" by researchers from Secureworks. First spotted being deployed by the venerable Smoke Loader botnet earlier this month, Secureworks said the malware uses scans of Wi-Fi …

  1. Anonymous Coward
    Terminator

    The infection routine turns out to be a polyglot file

    The infection routine starts with social engineering emails that carry a malicious zip archive. That turns out to be a polyglot file containing both a decoy document and a JavaScript file. Whiffy Recon persists on the system by creating the wlan.lnk shortcut in the user's Startup folder.

  2. Pascal Monett Silver badge
    FAIL

    Not acceptable

    "T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee's phone number to the threat actor's phone at their request"

    No. Just no.

    I don't care what the sob story was, the fact that T-Mobile accepted to do so means that it is T-Mobile that is guilty of handing out that data to the wrong person.

    I just can't imagine why, in 2023, a communications company would still be able to do so. This is not a new kind of attack. There should be procedures in place preventing this from happening. And, if an employee ignores those procedures, he should be fired, because this is exactly what the procedures are meant to prevent.

    T-Mobile, you are responsible for the proper management of your customers' data, and that includes their SIM data.

    You utterly failed to uphold your responsibility.

    If I were a T-Mobile customer, I'd be reviewing my options for leaving.

    1. Kurgan

      Re: Not acceptable

      Some years ago (maybe 10?) I damaged my H3G sim. Went to a shop, told them my name and number, got a new sim. NO DOCUMENTS NEEDED. Just name and number.

      1. Martin-73 Silver badge

        Re: Not acceptable

        that sounds secure

    2. EricB123 Silver badge

      Re: Not acceptable

      Options? From one inept carrier to another.

      You'd be better off with carrier pigeons.

  3. Doctor Syntax Silver badge

    "Ransomware actors don't like cyber insurance, because if their target has a policy it can cover the cost of remediation, therefore reducing the incentive to pay a ransom."

    OTOH the victim may be better placed to pay if they can claim on insurance. I'm not sure this is a carefully worked out approach.

    1. sitta_europea Silver badge

      I'm going to side with the insurance companies on this one.

      The criminals might not have done the arithmetic, but I'll wager the insurance companies have.

    2. Clausewitz4.0 Bronze badge
      Black Helicopters

      Dunno about ransomware actors, but I bet for real-world pentest companies, the approach of offering pentest services directly to the end client is much more profitable.

      You take out all the "middle man" companies - AV, Microsoft, Google, "Threat Intelligence" companies, etc...

  4. martinusher Silver badge

    Sounds like a homemade kludge

    The big ones, Apple and Google, already hold accurate geolocation information on their users using a variety of techniques. The problem with this information is that it's proprietary, and so if you or I were to want to access it then it would probably involve paying them some fee. So it's natural for wannabes, especially those involved in shady activities, to try to imitate some of A&G's capabilities. It's not anything particularly sinister, just business.

    (... and so I want anyone tracking me wherever I go? That's an entirely different issue altogether. But it's a pretty good bet that if a 'state actor' wanted to know where I was, they wouldn't resort to DIY mechanisms unless they were really desperate.)

    1. Anonymous Coward
      Anonymous Coward

      Re: Sounds like a homemade kludge

      1. If a "state actor" wanted your whereabouts, you're toast, unless you are a "state actor" yourself...

      2. No one is tracking *you*. They are tracking your device. Solution left as an exercise for the more paranoid among us.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sounds like a homemade kludge

        Burner phone, laptop, etc.

        For those more technically inclined, a device with user replaceable storage and WLAN, preinstalled and activated OS. Ideally with a legit Windows key linked to an anonymous email account created on a burner phone.

        Tracking users by Windows key went out with the Stone Age so natch.

        Can you track someone using the smart battery serial number?!

        AC
