Rogue E-Books Could Pose Threat to Amazon Accounts

Posted: September 16, 2014 by Christopher Boyd
Last updated: March 30, 2016

It seems there’s an issue for Amazon Kindles owners should be aware of and take appropriate steps to avoid.

A security researcher discovered malicious code that could potentially be injected – and cookies stolen – via a stored cross site scripting attack on the Manage your Kindle page located on the Amazon website.

According to the researcher, malicious code can be injected via e-book metadata such as the book title. Once the book is added to the victim’s library, the rogue code will trigger once they open their Kindle library web page, leading to the cookies being accessed by – and transferred to – the creator of the e-book in question.

Here’s a writeup by someone demonstrating the researcher’s proof of concept test on themselves, passing with flying colours.

The advice given is to be very wary of pirated e-books and other shady looking downloads – especially if you’re going to make use of the Send to Kindle feature, as this is the most likely way you’ll end up placing an e-book from outside the Kindle store into your Amazon Kindle page.

We’ve taken a look at the Kindle before, and here’s some things you should be aware of:

* Kindle Apps: Look before you leap

Unfortunately apps which aren’t all they claim to be do appear on the Kindle Apps store, and buyers of apps should always check before committing to a purchase. Here’s some advice from the above blog entry to steer you in the right direction:

Tips for Avoiding Kindle App Shenanigans

1) Read the reviews. While these apps are in circulation, the only real chance you have of avoiding a stinker is to see what horrors have befallen those brave souls who have gone before you.

2) Check the developer name. If it’s a horrible mashup of words associated with various titles, there’s a good chance some alarm bells may be ringing.

3) Take a good look at the “screenshots”. The majority of the 100% fake apps – the ones which claim to be amazing, mind-blowing games and disclose nowhere that they’re just some terrible tile sliding effort – use lots of pre-renders / promotional art from real games. Google Image Search will probably come in handy here.

* Sideloading apps is a dangerous game

On a similar note, many titles in the gaming realm tend to show up on the Amazon Kindle store a while after they’ve already appeared on Android (Google Play) and the iOS stores.

For many impatient individuals, this means a quick treasure hunt in a search engine for unofficial copies, quickly followed by lots of “Aargh what have I done” type complaints once dubious app x has been installed on unsupported device y.

As per the advice in that particular blog:

Looking for that movie you really like but don’t want to pay for? Malware.
Looking for an album you really wanted to listen to but out of cash? Malware.
Looking for that new game that all your friends are playing but you can’t afford? Malware.

It spans from the desktop to the mobile space and any device that might fall in between.

Misleading E-Book advertisements install PUPs

The above blog isn’t so much a threat to your e-Book reader or Amazon account as it is to your PC in general, with popular lists of e-Book titles used as a front for PUP (Potentially Unwanted Program) installs.

On the other hand, it is a useful example when talking about how there is no subject a scammer won’t touch to make some money in the side. E-Books? Sure, why not. And you can bet your finest digital copy of 1984 that somebody, somewhere would happily set up a wide range of booby-trapped e-Books to swipe some Amazon accounts – or any other accounts they can get their hands on, for that matter.

E-Book readers are wonderful things, but as with all the bits and pieces of tech we carry around with us on a daily basis they can provide an inroad for people harbouring bad intentions – and the occasional rogue e-Book.

Christopher Boyd

COMMENTS

Bacchatus

I hit this article after installing Malwarebytes Anit-Malware Premium. One of the biggest sins in the mobile community is advertising in a paid application. For the sake of solid security advice, I would refrain. But in this case… I can’t really do that.

This article is carefully crafted PR. I appreciate the effort and I appreciate the intention, but it’s blatantly wrong in basically every aspect. It’s a scare tactic. People should not be pirating things. But everything you see on the internet isn’t malware. It’s best if you approach it that way, but it’s just not true.

Reviews mean nothing. They’re easy to fake. Dev names mean nothing. They can be legit or they can be someone with really poor creative skills, but a mashup of names or words is *NOT* a malware flag.

The average consumer has zero way of comparing screenshots with the name/genre/description/intent of the game and making an educated decision as to whether something is malicious. Much the same as the average consumer can’t go to a gas pump and be reasonably expected to know whether it’s been tampered with to replace it with something that’s gong to swipe (no pun intended) their card number.

Sensationalism is not education. It also doesn’t do a dang thing for business.

Tell people not to pirate software or ebooks because it’s illegal and could compromise their device. That’s all well and good. Good security software is supposed to compensate for the lack of common sense and knowledge. I wanted to include morality, but that’s a stretch.

But don’t feed them some line of bull.

(By the way, I’m a proud owner and vocal supporter of Malwarebytes and Comodo.)
Chris Boyd

If someone wants to avoid being hit with the above exploit, then not downloading pirated ebooks and content from dubious websites is the way to go, as per the researcher who discovered the flaw. It seems perfectly sensible to suggest that ripped books could be an avenue for compromise and so should be avoided until the flaw is corrected. I think we can agree on that – as for everything else…

If someone wants to take a risk after being told “This is a bad idea”, on their own head be it. We’re not here to tell people what may help some of the time, we’re here to tell people what will hopefully work all of the time. From there, they can increase the level of risk if they so desire but that’s up to them.

“The average consumer has zero way of comparing screenshots with the name/genre/description/intent of the game and making an educated decision as to whether something is malicious”

And that’s why we tell how to compare shots, or look for reviews, or be aware of faked screengrabs. If people never advised others what to look for, they’d continue to keep falling for it. Not sure what the starting point for people helping themselves to understand a current threat or issue is if nobody ever tells them about it.

We get plenty of comments and mails saying that they would have been hit with scam x, install y, exploit z only for us giving them advice on what not to do, so I don’t see the problem there.

“Reviews mean nothing. They’re easy to fake. Dev names mean nothing. They can be legit or they can be someone with really poor creative skills”

If a potentially dubious app has nothing but a stream of reviews on Amazon stating that it didn’t work, is a slide tile game (one of the most common fake app issues) or did something else unexpected then that’s a good place to start. Nobody is going to wage a spam campaign of poor reviews on a newly released spam app.

If anything, you’d expect to see a wave of bad reviews on a successful title – but given a genuine program will likely have hundreds or thousands of reviews, you can at least be reasonably confident you’re looking at the real version of the product you’re wanting to purchase.

Number of reviews can be important. Quality of reviews can be important. Being able to click on the names of reviewers and see that they’re verified amazon identities and so actually bought the product, or genuine google plus profiles with a long posting history taking time to comment on Play, is important. These are all relevant pieces of information a consumer can make use of. No spammer ever wrote “this product ripped me off” on their own app. But a stream of reviews saying “this did something bad”? I’d certainly take five minutes to see what they’re saying as part of the purchase process.

Reviews and ensuring dev names are correct and genuine is also important, given that most official dev stores don’t currently give any form of verified publisher status to developers unlike the verified profile seal on Twitter. You wouldn’t hand money to a stranger in real life for a service without a little background checking first and that’s what we’re advising people to do online.

“The average consumer has zero way of comparing screenshots with the name/genre/description/intent of the game”

That’s why we’re literally telling them why they should compare images on products they’re looking at, and provide a link to google image search because it’s a tool they can use to check the images with.

“Much the same as the average consumer can’t go to a gas pump and be reasonably expected to know whether it’s been tampered with to replace it with something that’s gong to swipe (no pun intended) their card number.”

And that’s why security sites, news sites and law enforcement frequently post information and articles on card skimming devices and related technology.

“but a mashup of names or words is *NOT* a malware flag”

We never said a mashup of names on an app was a “malware flag”. We said it was an indicator of a program which was low on threat but high on deception in terms of confusing branding and claiming to be something it wasn’t. From the linked blog the tips are taken from:

“The biggest problem here isn’t the app permissions which are generally fairly standard (and in many cases, often ask for less access to both personal information and the device itself than many of the more mainstream apps out there). The problem is a lack of information as to what the apps actually do, whether they’re games in the sense of “not a terrible sliding puzzle thing” or not and whether the Kindle owner will even get something functional after handing over their money.”

As for sideloading apps obtained for free from less than legitimate sources, you’re playing with fire and install the content at your own risk. I wouldn’t do it on my PC and I wouldn’t do it on any of my mobile devices – it simply isn’t worth it. YMMV on that but it’s not something we advise. If you go downloading random apps which should really only be installed from official app stores, then treating those files without the heavy dose of skepticism they deserve is asking for trouble.

“Good security software is supposed to compensate for the lack of common sense and knowledge”

I disagree. The overwhelming majority of things I’ve covered in the past 10 years have overwhelmingly been social engineering tricks. Almost every major scam you can think of – unless it’s a drive-by exploit – involves fooling somebody into clicking something as the first port of call.

Every security tool on the planet will eventually tap out as the unaware victim continues to hit one link too many, or starts responding to forged emails, or answers the phone to a fake tech support scammer, or replies to a phony “I’m on holiday and need help” facebook message. Layered defence is important, but it isn’t a replacement for education – and I don’t think there’s any sensationalism as a replacement for education on display here.

I don’t think we’re going to agree on much of this, but thanks for commenting.
Mr Tom FTW

“Good security software is supposed to compensate for the lack of common sense and knowledge”

Hnnnnnnnnnnnnnnnngh. The Sys Admin side of me wants to [Mod Edit – general expression of displeasure!]
Bacchatus

“And that’s why we tell how to compare shots, or look for reviews, or be aware of faked screengrabs.”

The problem is that for the unassuming masses, it isn’t easy to tell what’s faked and what isn’t. I have to deal with this on a daily basis. “Don’t click this crap”, I tell my stepfather. “Why the frag are you even on this site?” I tell my kids. Like you said, much of it is social engineering. Convincing the target that something is safe or is the content they were expecting.

“If a potentially dubious app has nothing but a stream of reviews on Amazon stating that it didn’t work, is a slide tile game (one of the most common fake app issues) or did something else unexpected then that’s a good place to start.”

Maybe all the people I know are either … slow… or very impatient, but I can’t think of a single one who reads reviews and attempts to make a sound decision as to whether something is malware based on this. They simply don’t have the experience in the industry to make an educated decision, or even a gut reaction.

“And that’s why security sites, news sites and law enforcement frequently post information and articles on card skimming devices and related technology.”

I could watch the news all day. I could watch intricate explanatory videos on how these things work. Could I identify them if I pulled up to a gas pump or was about to swipe my card at a convenience store? I’m a fairly intelligent and profoundly paranoid guy, but probably only if it were the most basic of setups. It’s just not an industry or technology that I’m familiar enough with to catch on if there is any degree of real sophistication. If they were easy to spot, they wouldn’t work. Law enforcement personnel have admitted repeatedly that it’s unreasonable, if not impossible, for the average consumer to identify a well rigged skimmer.

“We said it was an indicator of a program which was low on threat but high on deception in terms of confusing branding and claiming to be something it wasn’t.”

That’s not malicious. It’s poor taste.

“Every security tool on the planet will eventually tap out as the unaware victim continues to hit one link too many”

I think that’s a little defeatist and technically true only to the point that the developers of security software wait for an exploit to be publicized prior to providing a solution.

To be clear, I’m not disagreeing with anything said here. In my line of work, I deal with the daily struggle of “I’m sorry you aren’t getting the expected results, but this is how I told you to do it.” If my mother wants to download a tile slide game and the screenshots are of laughing clowns and mushrooms (not that this shouldn’t warning enough), she’s going to think they’re some kind of level completion screen. (Seen it happen, but fortunately the app devs were just poor advertisers and not trying anything malicious.

When I think about app security, I think about my parents. I can preach to them all day long about whatever, but they’re not going to read reviews and try to determine if they’re fake, they’re not going to compare screenshots, they’re not going to image search some $.99 app and they’re definitely not going to read a blog on security. They want to log onto their laptops or phones and expect some semblance of security by putting their trust in companies who are supposed to identify these things for them. If it weren’t for users like them, the computer security market would be far more poorly funded.

This entire post should have been distilled to “Only download apps or eBooks from trusted sources, such as Amazon or Google. At least if you get had, you’ve got someone to sue.”
Pingback: A Week in Security (Sept 14 – 20) | Malwarebytes Unpacked()
Stephen Vaile

Bacchatus in English = enraged.

Dictionary source: LATIN- ENGLISH (AZAD)
Always skeptical of “postings compulsive” know it alls.

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Christopher Boyd
Lead Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

TOP POSTS