Techie Feeds

Cybersecurity New Year’s resolutions, you say? Why not.

Malwarebytes - Fri, 01/19/2018 - 16:00

It’s mid-January, and oh, how time flies. It wasn’t long since we bid farewell to 2017 and welcomed the new year with renewed hope and vigor. Of course, with such positivity comes a sense of an equally favorable outlook for the year ahead. However good that may sound, being faced with a tabula rasa may pose a challenge equivalent to writer’s block: We simply don’t know where to begin.

This is where resolutions come in.

It’s no surprise that our resolutions are usually about health, finances, relationships, and self-improvement. They’re the things that matter to us the most. As all of us live digital lives, too, why not think up cybersecurity New Year’s resolutions that concern our online health and safety as well?

10 cybersecurity resolutions for 2018

Exercise more. Learn a new skill or hobby. Save (more) money.

What most of us probably don’t realize is that these are actually goals, not resolutions. Resolutions are firm decisions you make to do or not do something for your benefit. Here’s a bonus: They are never time-oriented.

Without further ado, below are some New Year’s resolutions that we urge you, dear reader, to start doing in 2018.

(1) I will use two-factor authentication for all my online accounts. 2FAs are awesome. Not only do they add security to your accounts by further verifying that you are who you say you are, but they also protect you from those unlawfully attempting to access your account. So take advantage of these features if they are on offer.

(2) I will back up my files on a regular basis. Believe it or not, your files are in danger. If a strain of ransomware doesn’t hinder you from accessing them, theft, software bugs, or even mother nature would. Because of these, backing up has become an essential security and business continuity practice. Be sure to create multiple copies of personal and work files you can’t live without, and then store them in a number of physical and digital locations, such as an external hard drive or cloud storage.

(3) I will only visit sites that use HTTPS. Not every website on the Internet—even popular ones, sadly—uses HTTPS. Even sadder is that not every one of us seems to mind entering our personally identifiable information (PII) onto HTTP sites in order to use their services. As more and more companies are beginning to realize that security must go hand-in-hand with privacy, it’s important that we start watching which sites we visit and where we enter our information. Opportunely, there are extensions you can install in your browser to automatically connect to the HTTPS versions of websites. Take HTTPS Everywhere, for example.

(4) I will routinely review apps on my devices and uninstall those I no longer use or need. What first seems like the must-have app that everyone raves about today is then either abandoned or completely forgotten in the next few days. Unfortunately, out of sight, out of mind actually presents a security risk—this was the outcome of a study by Google a couple of years back. Why is it important to delete unused apps? Not only can unused apps still access and use your sensitive information, but your device could become compromised through vulnerabilities in the apps, especially those that are no longer maintained by the developer. Deleting unused apps will minimize those security risks—not to mention free up some space on your phone.

(5) I will use strong passwords and manage them well. By “strong” we mean long passwords with a combination of lowercase and uppercase letters, numbers, and special characters. And by “manage” we mean not committing all these complicated strings to memory but using software that can help you remember and fill in forms you had been filling in manually in the past. I’m talking about password managers. No, paper and Post-Its don’t count. Neither does a master password list you created in Excel.

Read: Why you don’t need 27 different passwords

(6) I will update all my software in a timely manner. Doing this may be inconvenient for some users—particularly when the ill-timed notification pops up while in the middle of defeating that video game boss in hard mode—but think about the inconveniences, headache, hassle, and sleepless nights vulnerable software could cause if cybercriminals were to successfully exploit it. You may have to retry beating that boss more than once, but there is no going back to how things were if your computing device is compromised.

(7) I will handle emails more carefully. Emails: Can’t live with them, can’t live without them. For some of us, they’re the only means to get in touch with others miles away. Unfortunately, emails are also one of the main avenues cybercriminals can use to get into your system. In this day and age, clicking a link or opening an attachment can literally turn someone’s life around for the worse. So this year, before doing anything with that email, pause and think things through. Were you expecting an email from someone you know? Does the email seem fishy or “off” somehow? Verify the sender by hovering over the email address or going directly to your vendor’s website.

(8) I will think before I post. There’s no harm in posting on social media; however, sharing personal details can endanger your own privacy. You’re essentially making it easy for online miscreants and persistent threat actors to use your information in crafting a personalized social engineering attack against your system. Not only that, the information you may freely give away can be used to access your accounts or steal your identity.

Do you think you’ve been oversharing? That doesn’t mean you should go cold turkey, but it does mean that you need to tone down on posting stuff about yourself or people close to you. Ask questions: Why am I posting this? If I were the bad guy, what would they get out of this post? Should I really be posting this picture of my bank card?

(9) I will familiarize myself with the latest cybersecurity threats and scams. A long time ago, I overheard someone jokingly say that they don’t watch the news anymore because they’re allergic to bad news. When it comes to news about cybersecurity, we mostly hear or read about the bad stuff. But trust me, no matter how stressful the news can be—take Meltdown and Spectre catching everyone by surprise, for example—the more you know, the more you’re able to protect yourself against new threats. (That said, have you already applied the patches you need for Meltdown and Spectre? If not, this write-up by our very own Jérôme Boursier describes and links to the patches available for various hardware, OS, and software systems.)

(10) I will talk to my friends and family about cybersecurity and privacy. It may be a bit awkward at first, or you may be met with glazed-over eyes, but you know this is important. These days, politics might dominate the conversation around cybersecurity, but it doesn’t have to be that way. Start off by commenting on a news report about an Internet scam or what some reporters might still call “a new computer virus.” Share any helpful tips you know for protecting against these threats, including any of the resolutions listed above or which cybersecurity program you use that blocks them. Work with what you know. Ask questions, and share your thoughts. They might learn a thing or two from you.

Act now

Making resolutions is one thing. Acting on them is another. In reality, we don’t need to wait for the first day of the year to clean up our computing habits. Resolve to make the small changes now. Whether 2018 will be the year you start building safe computing habits, reinforcing the good ones you already practice and ditching the old, or not, who knows. Act now and see where it takes you.

Have you come up with cybersecurity resolutions of your own? Share them with us in the comments below!

The post Cybersecurity New Year’s resolutions, you say? Why not. appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Chrome and Firefox extensions block their removal to hijack browsers

Malwarebytes - Thu, 01/18/2018 - 16:00

“What you don’t see won’t hurt you” must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove. The extensions redirect users away from pages where they can disable or delete them in order to drive up clicks on YouTube videos or hijack searches.

The extensions, which have been found in both Chrome and Firefox browsers, block users from removing them either by closing pages that show extension/add-on information or by sending users to a different page, such as an apps overview page, where extensions aren’t listed.

In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it. (Malwarebytes Premium and Business users are already protected from these threats by our website protection module.)

However, if you’re not a Premium customer, there are still some, admittedly involved, ways to get around these murky and persistent browser hijackers by recognizing, finding, and removing the extensions. Here’s what you can do.

For Chrome

First, we’re going to look at the Chrome extension called Tiempo en colombia en vivo, which is pushed by the method we previously described as a forced Chrome extension. The extension is detected by Malwarebytes as Rogue.ForcedExtension.

You can find the removal guide for Tiempo en colombia en vivo on our forums.

The extension keeps users out of Chrome’s extensions list by redirecting chrome://extensions/ to chrome://apps/?r=extensions, where the offending extension is not listed, as only the installed apps are shown.

Blocking JavaScript in Chrome doesn’t help in this case, as that setting only applies to sites and not to this (internal) page.


The clean method to stop extensions from redirecting your Chrome tabs is to start Chrome with extensions disabled. You can do this by adding the switch “--disable-extensions” to the command that runs Chrome.

But doing this will not offer you the option to remove any extensions, as Chrome will behave as if it has no extensions whatsoever. So this gives us no way to remove the extension from the list as you normally would.

Renaming the file 1499654451774.js in the extension’s folder does help, however, and after a restart of Chrome, we can see the extension in the list of extensions. It shows up as corrupted because we renamed its JavaScript file, so Chrome can’t find what it’s looking for.

Tip: To escape from a Chrome site that is trying to make you stay there, you can use Ctrl+T to open a new tab. The new tab will have focus, so you can then close the offending tab by clicking the “x” that lights up in red when you hover over the tab.

For Firefox

We also found a Firefox extension that displays similar behavior to the Chrome extension. This one was pushed by ad-rotators as a manual update for Firefox.

Malwarebytes detects this extension as PUP.Optional.FFHelperProtection. A full removal guide for FF Helper Protection can be found on our forums.

This extension blocks about:addons in background.js by looking for that string in the URL and closing the tab if the string is found.

This means that you can’t remove the extension manually.

Firefox, however, can be run in safe mode by holding down the Shift key while starting Firefox. Then confirm that you want to “Start in Safe Mode” in this prompt.

Firefox’s safe mode is most helpful, as you can see all the installed extensions while they are not active. This allows you to manually remove the extension (and any others you might not want) in the same way you normally would. Click the “Remove” button in the extension’s description field, and you’re done.

If you are kept on a Firefox tab by JavaScript that keeps popping up prompts, and you are unable to close the window in the usual way, you can terminate Firefox using Task Manager. When you restart Firefox, it will not be able to restore the session for that tab.

How to avoid

While the extensions have been around for a few weeks, both are still in use in one form or another. In fact, the Tiempo en colombia en vivo extension was still available in the Chrome Web Store at the time of writing. Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them. The best we can offer is to stay vigilant as you surf and use an adblocker (that could help with blocking the Firefox extension). Though we’d like to add the obvious: Avoid actually downloading these extensions from web stores as well. In fact, it’s a good idea to read the fine print carefully for any browser extension you download.



Chrome extension: gbhodkgjhojjjggokjjlbccecdhkjjgl

Firefox extensions: {eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi, {b91fcda4-88b0-4a10-9015-9365e5340563}.xpi

Stay safe out there.

The post New Chrome and Firefox extensions block their removal to hijack browsers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A coin miner with a “Heaven’s Gate”

Malwarebytes - Wed, 01/17/2018 - 16:00

You might call the last two years the years of ransomware. Ransomware was, without a doubt, the most popular type of malware. But at the end of last year, we started observing that ransomware was losing its popularity to coin miners. It is very much possible that this trend will grow as 2018 progresses.

From the point of view of the victim, this is a huge relief, because miners are not as much of a threat as ransomware. They slow down the system, yes, but once you get rid of them you can continue using your computer as before. No data is stolen or lost, as is the case with a ransomware infection.

From the point of view of a malware researcher, miners are so far disappointing. They don’t give enough interesting material for a deeper analysis, mostly because they are based on well-known open source components with little or no obfuscation.

However, from time to time, we find coin miners incorporating interesting tricks. In one recent sample, we observed a technique called “Heaven’s Gate” that allows the malware to inject into 64-bit processes from a 32-bit loader. This trick is not new—it dates back to 2009—but it’s curious to see it implemented in this new sample captured in the wild.

Those who are beginners in malware analysis can read on for a guide about what Heaven’s Gate is and how to approach analyzing it.

Analyzed samples

This sample was found in the continuation of the Ngay campaign (more about it here). A background check on similar samples led me to the article by @_qaz_qaz, who described an earlier campaign with a similar sample. However, his analysis skipped the details of the Heaven’s Gate technique.

Behavioral analysis

To observe the mentioned injection, we must run the sample on a 64-bit system. We can see that it runs an instance of notepad, with parameters typical for mining cryptocurrency:

Looking at the in-memory strings in ProcessExplorer, we can clearly see that it is not a real notepad running, but the xmrig Monero miner:

So, at this moment we’re confident that the notepad’s image has been replaced in memory, most probably by the RunPE (Process Hollowing) technique.

The main dropper is 32-bit, but it injects a payload into a 64-bit notepad:

The fun part is that this type of injection is not supported by the official Windows API. We can read/write the memory of 32-bit processes from a 64-bit application (using Wow64 API), but not the other way around.

There are, however, some unofficial solutions to this, such as the technique called “Heaven’s Gate.”

Heaven’s Gate overview

The Heaven’s Gate technique was first described in 2009 by a hacker nicknamed Roy G. Biv. Later, many adaptations were created, such as the Wow64ext library or, based on it, W64oWoW64. In a blog post from 2015, Alex Ionescu described mitigations against this technique.

But let’s have a look at how it works.

Running 32-bit processes on 64-bit Windows

Every 32-bit process that runs on a 64-bit version of Windows runs in a special subsystem called WoW64 that emulates the 32-bit environment. We can explain it as a 32-bit sandbox that is created inside a 64-bit process. So, first the 64-bit environment for the process is created. Then, inside it, the 32-bit environment is created. The application is executed in this 32-bit environment and it has no access to the 64-bit part.

If we scan the 32-bit process from outside, via a 64-bit scanner, we can see that it contains both 32- and 64-bit DLLs. Most importantly, it has two versions of NTDLL: 32-bit (loaded from the SysWow64 directory) and 64-bit (loaded from the System32 directory):

However, the 32-bit process itself can’t see the 64-bit part and is limited to using the 32-bit DLLs. To make an injection to a 64-bit process, we’d need to use the 64-bit versions of appropriate functions.

Code segments

In order to access the forbidden part of the environment, we need to understand how the isolation is made. It turns out that it’s quite simple. 32- and 64-bit code execution is selected by the code segment selector in use: 0x23 for 32-bit and 0x33 for 64-bit.

If we call an address in the usual way, the code is interpreted in the mode that is currently in effect. However, we can explicitly request a mode change using assembler instructions.

Inside the miner: the Heaven’s Gate implementation

I will not do a full analysis of this miner because it has already been described here. Let’s jump directly to the place where the fun begins. The malware checks its environment, and if it finds that it’s running on a 64-bit system, it takes a different path to make an injection into a 64-bit process:

After some anti-analysis checks, it creates a new, suspended 64-bit process (in this case, it is a notepad):

This is the target into which the malicious payload is going to be injected.

As we discussed before, in order to inject the payload into a 64-bit process, we need to use the appropriate 64-bit functions.

First, the loader takes a handle to a 64-bit NTDLL:

What happens inside the function get_ntdll requires some deeper explanation. As a reference, we can also have a look at the analogous code in ReWolf’s library.

To get access to the 64-bit part of the process environment, we need to manipulate the segment selectors. Let’s see how our malware enters 64-bit mode:

This code seems to be directly copied from the open source library:

The segment selector 0x33 is pushed on the stack. Then, the malware calls the next line. (This way, the next line’s address is also pushed on the stack.)

The pushed address is then fixed up by adding 5 bytes, so that it points just after the RETF:

At the end, the instruction RETF is executed. RETF is a “far return,” and unlike a normal RET, it lets you specify not only the address to which execution should return, but also the segment. It takes two DWORDs from the stack as arguments. So, when the RETF is hit, the actual return address is:


Thanks to the changed segment, the code that starts at the specified address is interpreted as 64-bit. So, the code that is visible under the debugger as 32-bit…

…is, in reality, 64-bit.

For the fast switching of those views, I used a feature of PE-bear:

And this is how this piece of code looks, if it is interpreted as 64-bit:

So, the code that is executed here is responsible for moving the content of the R12 register into a variable on the stack, and then switching back to 32-bit mode. This is done to obtain the 64-bit Thread Environment Block (TEB), from which the 64-bit Process Environment Block (PEB) is then fetched (see the analogous code).
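As an added example (not code from the post, the miner, or ReWolf’s library), the block below scans a code buffer for the 32-bit entry stub described above (push 0x33; call $+5; add dword [esp],5; retf) and models the two stack slots that RETF consumes, so the far-return target can be checked against the stub’s address. The byte encodings are the standard x86 encodings of those instructions; the sample buffers are constructed here.

```c
/*
 * Heaven's Gate stub recognizer and far-return model (added example).
 * The selector values 0x23 / 0x33 come from the post; everything else is
 * assumed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CS_WOW64_32BIT 0x23u   /* code segment selector for 32-bit code */
#define CS_X64_64BIT   0x33u   /* code segment selector for 64-bit code */

/* push 0x33 ; call $+5 ; add dword ptr [esp], 5 ; retf */
static const uint8_t HEAVENS_GATE_STUB[] = {
    0x6A, 0x33,                    /* push 0x33              */
    0xE8, 0x00, 0x00, 0x00, 0x00,  /* call next instruction  */
    0x83, 0x04, 0x24, 0x05,        /* add dword [esp], 5     */
    0xCB                           /* retf                   */
};

/* Constructed sample: a few bytes of prologue, then the stub, then filler. */
const uint8_t SAMPLE_CODE[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,                 /* nop; nop; push ebp; mov ebp,esp */
    0x6A, 0x33, 0xE8, 0x00, 0x00, 0x00, 0x00,
    0x83, 0x04, 0x24, 0x05, 0xCB,                 /* the gate stub starts at 5 */
    0x90, 0xC3                                    /* filler after the gate     */
};
/* Constructed sample without a gate (push ebp; mov ebp,esp; ret). */
const uint8_t CLEAN_CODE[] = { 0x55, 0x8B, 0xEC, 0xC3 };

/* Returns the offset of the first gate stub in buf, or -1 if none. */
long find_heavens_gate(const uint8_t *buf, size_t len)
{
    size_t n = sizeof HEAVENS_GATE_STUB;
    if (len < n) return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, HEAVENS_GATE_STUB, n) == 0)
            return (long)i;
    return -1;
}

/* What RETF pops: the offset (lower address) first, then the selector. */
typedef struct { uint32_t offset; uint16_t selector; } far_ptr;

/*
 * Model the stack at the moment RETF executes, given the virtual address
 * at which the stub starts. "push 0x33" leaves the selector on the stack;
 * "call $+5" pushes the address of the following instruction (stub + 7);
 * "add [esp], 5" moves it past the add (4 bytes) and the retf (1 byte),
 * so the 64-bit code begins at stub + 12.
 */
far_ptr heavens_gate_target(uint32_t stub_va)
{
    far_ptr fp;
    uint32_t sel_slot = CS_X64_64BIT;     /* pushed by "push 0x33"  */
    uint32_t ret_slot = stub_va + 2 + 5;  /* pushed by "call $+5"   */
    ret_slot += 5;                        /* "add dword [esp], 5"   */
    fp.offset = ret_slot;                 /* RETF pops offset ...   */
    fp.selector = (uint16_t)sel_slot;     /* ... then the selector  */
    return fp;
}

/* Which instruction set a selector implies, for reporting. */
const char *mode_for_selector(uint16_t selector)
{
    if (selector == CS_WOW64_32BIT) return "32-bit";
    if (selector == CS_X64_64BIT)   return "64-bit";
    return "unknown";
}

int main(void)
{
    long off = find_heavens_gate(SAMPLE_CODE, sizeof SAMPLE_CODE);
    if (off < 0) { puts("no gate stub found"); return 0; }
    far_ptr t = heavens_gate_target(0x00401000u + (uint32_t)off);
    printf("gate stub at offset %ld, RETF lands at %#x in %s mode\n",
           off, t.offset, mode_for_selector(t.selector));
    return 0;
}
```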

The 64-bit PEB is used as a starting point to search for the 64-bit version of NTDLL. This part is implemented in the conventional way (a “vanilla” implementation of this technique can be found here), using a pointer to the loaded libraries that is one of the fields in the PEB structure. So, from the PEB we get a field called Ldr:

Ldr is a structure of the type _PEB_LDR_DATA. It contains an entry called InMemoryOrderModuleList:

This list contains all the loaded DLLs that are present in the memory of the examined process. We browse through this list until we find the DLL of interest, which in this case is NTDLL. This is exactly what the mentioned function get_ntdll does. In order to find the appropriate name, it calls the following function—denoted as is_ntdll_lib—that checks the name of the library character by character and compares it with ntdll.dll. It is the equivalent of this code.
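The list walk and the character-by-character name check described above, as an added example in portable C (not code from the post or the miner): the structures reproduce the documented 64-bit layouts of _PEB_LDR_DATA and _LDR_DATA_TABLE_ENTRY, the module list is constructed in memory rather than read from a live process, and the lookup is generalized to any module name, not just ntdll.dll.

```c
/*
 * Model of PEB->Ldr->InMemoryOrderModuleList traversal (added example).
 * Layout offsets mirror the 64-bit Windows structures; the list itself is
 * constructed below and the base addresses are made up for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 64-bit pointers are kept as uint64_t, as a 32-bit loader would see them. */
#define U(p) ((uint64_t)(uintptr_t)(p))
#define P(x) ((void *)(uintptr_t)(x))

typedef struct { uint64_t Flink, Blink; } LIST_ENTRY64;           /* 16 bytes */
typedef struct {
    uint16_t Length, MaximumLength;   /* in bytes, no terminator          */
    uint32_t pad;
    uint64_t Buffer;                  /* pointer to UTF-16LE characters   */
} UNICODE_STRING64;                                               /* 16 bytes */

/* Leading part of the 64-bit _PEB_LDR_DATA. */
typedef struct {
    uint32_t Length; uint8_t Initialized; uint8_t pad[3];
    uint64_t SsHandle;
    LIST_ENTRY64 InLoadOrderModuleList;       /* 0x10 */
    LIST_ENTRY64 InMemoryOrderModuleList;     /* 0x20 */
} PEB_LDR_DATA64;

/* Leading part of the 64-bit _LDR_DATA_TABLE_ENTRY. */
typedef struct {
    LIST_ENTRY64 InLoadOrderLinks;            /* 0x00 */
    LIST_ENTRY64 InMemoryOrderLinks;          /* 0x10 */
    LIST_ENTRY64 InInitializationOrderLinks;  /* 0x20 */
    uint64_t DllBase;                         /* 0x30 */
    uint64_t EntryPoint;                      /* 0x38 */
    uint64_t SizeOfImage;                     /* 0x40 */
    UNICODE_STRING64 FullDllName;             /* 0x48 */
    UNICODE_STRING64 BaseDllName;             /* 0x58 */
} LDR_DATA_TABLE_ENTRY64;

/* Case-insensitive, character-by-character compare of an unterminated
 * UTF-16LE name (len in bytes) with an ASCII name; ASCII letters only. */
static int name_matches(const uint16_t *wname, uint16_t len_bytes, const char *ascii)
{
    size_t n = len_bytes / 2;
    if (n != strlen(ascii)) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t a = wname[i], b = (uint8_t)ascii[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return 1;
}

/* Walk InMemoryOrderModuleList; return DllBase of the named module, or 0. */
uint64_t ldr_find_module(const PEB_LDR_DATA64 *ldr, const char *name)
{
    const LIST_ENTRY64 *head = &ldr->InMemoryOrderModuleList;
    for (uint64_t cur = head->Flink; cur != U(head); ) {
        /* The link lives at offset 0x10 of the entry (CONTAINING_RECORD). */
        const LDR_DATA_TABLE_ENTRY64 *e = (const LDR_DATA_TABLE_ENTRY64 *)
            ((uint8_t *)P(cur) - offsetof(LDR_DATA_TABLE_ENTRY64, InMemoryOrderLinks));
        if (name_matches(P(e->BaseDllName.Buffer), e->BaseDllName.Length, name))
            return e->DllBase;
        cur = e->InMemoryOrderLinks.Flink;
    }
    return 0;
}

/* Constructed module list: exe, ntdll, kernel32 (memory order). */
static PEB_LDR_DATA64 g_ldr;
static LDR_DATA_TABLE_ENTRY64 g_mod[3];
static const uint16_t W_EXE[]   = {'m','i','n','e','r','.','e','x','e'};
static const uint16_t W_NTDLL[] = {'n','t','d','l','l','.','d','l','l'};
static const uint16_t W_K32[]   = {'K','E','R','N','E','L','3','2','.','D','L','L'};

static void set_name(UNICODE_STRING64 *s, const uint16_t *w, size_t nbytes)
{
    s->Length = s->MaximumLength = (uint16_t)nbytes;
    s->Buffer = U(w);
}

PEB_LDR_DATA64 *sample_ldr(void)
{
    memset(&g_ldr, 0, sizeof g_ldr);
    memset(g_mod, 0, sizeof g_mod);
    g_mod[0].DllBase = 0x0000000000400000ULL; set_name(&g_mod[0].BaseDllName, W_EXE,   sizeof W_EXE);
    g_mod[1].DllBase = 0x00007FFB12340000ULL; set_name(&g_mod[1].BaseDllName, W_NTDLL, sizeof W_NTDLL);
    g_mod[2].DllBase = 0x00007FFB11110000ULL; set_name(&g_mod[2].BaseDllName, W_K32,   sizeof W_K32);
    LIST_ENTRY64 *links[4] = { &g_ldr.InMemoryOrderModuleList,
        &g_mod[0].InMemoryOrderLinks, &g_mod[1].InMemoryOrderLinks, &g_mod[2].InMemoryOrderLinks };
    for (int i = 0; i < 4; i++) {          /* circular doubly linked list */
        links[i]->Flink = U(links[(i + 1) % 4]);
        links[i]->Blink = U(links[(i + 3) % 4]);
    }
    return &g_ldr;
}

int main(void)
{
    uint64_t base = ldr_find_module(sample_ldr(), "ntdll.dll");
    printf("ntdll.dll base: 0x%016llx\n", (unsigned long long)base);
    return 0;
}
```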

If the name matches, the address to the library is returned in a pair of registers:

Once NTDLL is found, the loader only needs to fetch the addresses of the appropriate functions. It does this by browsing the export table of the DLL:

The following functions are being fetched:

  • NtUnmapViewOfSection
  • NtGetContextThread
  • NtAllocateVirtualMemory
  • NtReadVirtualMemory
  • NtWriteVirtualMemory
  • NtSetContextThread

As we know, those functions are typical of the RunPE technique. First, NtUnmapViewOfSection is used to unmap the original PE file. Then, memory in the remote process is allocated, and the new PE is written. At the end, the context of the process is changed to start execution from the injected module.

The addresses of the functions are saved and later called (similarly to this code) to manipulate the remote process.


So far, authors of coin miners don’t show a lot of creativity. They achieve their goals by relying heavily on open-source components. The described case also shows this tendency: they made use of a ready-made implementation.

The Heaven’s Gate technique has been around for several years. Some malware uses it for the purpose of being stealthy. But in the case of this coin miner, the authors probably aimed instead to maximize performance by using the payload version that best fits the target architecture.

The post A coin miner with a “Heaven’s Gate” appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Be wary of Mega Millions winner “giveaway” on social media

Malwarebytes - Tue, 01/16/2018 - 18:12

I don’t do lotteries, but if I did, I’d probably never, ever win in a million years. That’s not a problem faced by 20-year-old Shane Missler, winner of the fourth-largest haul in Mega Millions’ 21 years of handing out large bundles of cash.

He’s on record as saying he wants to “do some good” for humanity, but I suspect he may have to do some good in the identification verification sweepstakes first.

An account has popped up on Twitter claiming to be him, and claiming he’ll be giving away large amounts of money for retweets. I mean, it’s not exactly donating a million to medical science, but it’s definitely going to help random recipients.

Only problem is, the account seems a little too good to be true. In fact, it’s just one of many currently being retweeted into the stratosphere:

Click to enlarge

Shall we take a look?

Click to enlarge

First off: the bio.

Lottery winner of $451 Million. Giving back $5,000 to the first 50k followers that retweet **SIGN UP AND PURCHASE IN LINK BELOW FOR AN INSTANT $2,000**

Well, that’s interesting. You have to “sign up” AND “purchase” via a link to receive $2,000?

The link in question is an Amazon referral link, and for some reason our very rich lottery winner wants you to purchase an Amazon fire stick. If you won $451m, would you be bothering with Amazon referral sales, which would generate tiny amounts of money for the Amazon associate before handing over $2,000? What’s the point?

Click to enlarge

Even better is the claim that $5,000 will be winging its way to 50k followers who retweet the original post. From the BBC article:

He opted to receive a one-time payment of $282m, instead of the full amount over a longer period of time.

Uh oh.

5,000 x 50,000 is $250m, except according to this article after you account for taxes he’ll likely be left with around $211m.

So there’s that, plus the apparent ability to keep giving people $2,000 from a bottomless well of cash for every Amazon stick purchased…somehow.

I don’t know about you, but I think I’ll pass on retweeting this and/or going on an Amazon spree, because there’s no way this guy is planning on re-enacting Catch Me If You Can immediately after scoring the cash windfall of his dreams. It just doesn’t make any sense.

A number of similar accounts are also doing the rounds, all of which are claiming much the same things (along with the claim that his account is being “verified soon”).

I can tell you now, there’s no way anyone can confidently predict their Twitter account will be verified, much less when. After the application is sent off to the verification team, you could be verified the next day, week, month, or never. It’s simply not something you can claim is going to happen, because no timescales are given to applicants by Twitter. Also of note: the above account retweeted the below tweet to make it look as though money was indeed being fired off to people:

Click to enlarge

Some problems with this: neither account is verified. All of these people could be real or playing along or the same individual. Worse, all of the accounts claim the $5,000 will be sent to the “first 50k followers that retweet my pinned tweet.”

Great, except look at the retweet numbers at time of writing:

…and the follower count?

Why has someone been sent money already? Looking at all of the evidence on offer, we feel it’s better to take the stance that without verification this is very, very likely to be a scam. Whatever the winner has planned for his money—and it seems most of what he’s said involves treating his family—there’s a good chance it doesn’t involve giving away all (or, hilariously, more than all) of his recently received winnings. Some of the other accounts floating around don’t even spell his name correctly.

Sorry, Twitter. This isn’t the golden ticket you’re looking for.

The post Be wary of Mega Millions winner “giveaway” on social media appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cookies: Should I worry about them?

Malwarebytes - Mon, 01/15/2018 - 18:16

Starting off the new year, many of us are worried about cookies—how many we ate over the holidays and how we’re going to avoid them in the break room, for example. With so much cybercrime and data theft swirling around like daily bomb cyclones, there’s more than a few folks worried about the kinds of cookies they encounter on the Internet.

But should they be?

Cookies are typically text files that can provide information about your browsing behavior to websites that you visit. On the one hand, cookies are useful for making your Internet experience more efficient. It’s how you automatically get logged in on sites you’ve already visited, even if you closed the browser tab, for example. But on the other hand, cookies are part of the advertising ecosystem that knows which advertisements are most likely to draw your attention—and they serve them up to you wherever you visit.

Why doesn’t Malwarebytes detect cookies?

Cookies in themselves are harmless. They are just data stored by a website in your browser, and they are not malware. It is what sites do with them that determines whether we like them or not. Some cookies are essential to use a site properly, and others might be considered a privacy risk. Since the possible preferences are various and personal, we believe in leaving the choice up to our customers. Of course, we can and do block sites that we know to plant overly intrusive cookies on a user’s machine. But otherwise, we leave it up to you.

How do I delete and control cookies?

At some point, you may want to remove the cookies from your browser. Below, you will see how to do that for a couple of popular browsers. But before you get rid of all of them, let me warn you that you may regret doing so. Your favorite sites will forget who you are, and you will have to log in where you normally were automatically accepted.



Edge

Unfortunately, Edge (like Internet Explorer) does not have a built-in cookie management tool for specific cookies. It does have a delete-all-or-nothing option, which you can find under Settings. Under Clear Browsing Data, click Choose > Cookies and saved website data. The control is also not very granular. You can find it under Settings > Advanced settings > View advanced settings. You will find three options: block, don’t block, or block only third-party cookies.

Internet Explorer

To clear cookies in Internet Explorer, select Tools > Internet options > General tab. Under Browsing history, hit Delete and put a checkmark in the Cookies box. Think once more, because this is an all or nothing method, before you hit Delete. For a more detailed description, check out Microsoft’s support article on How to delete cookie files in Internet Explorer.


Chrome

Go to Menu > Settings > Show advanced settings. Under Privacy, click Content settings > Cookies. Click “All cookies and site data” to get an overview. Here you do have a choice on what to delete. You can delete individual cookies separately or all of them in one sweep. For a more detailed description, see Google’s support article: Manage your cookies and site data.


Firefox

Click on the Firefox button > Options > Privacy > Show Cookies. Here you will see options to Delete all cookies or search for specific ones you want to delete. For a more detailed description, take a look at Firefox’s article: Delete cookies to remove the information websites have stored on your computer.


Opera

Click the Opera button > Settings > Delete Private Data > Detailed options > Manage cookies. Here you will see an overview of the stored cookies and an option to delete them separately. For more information, see Opera’s help article: Manage Cookies.

In the links I have provided for Chrome, Firefox, and Opera, you will also find information on how to control which cookies get stored on your computer. Internet Explorer has the controls on the Privacy tab under Tools > Internet options.


Malwarebytes for Mac does not detect or remove cookies either. Like we said before, cookies are just data stored by a website, and not malware. At worst, they can pose a threat to your privacy, in the case of tracking cookies. Further, many cookies are not only legitimate, but also required for normal operation of some websites.

If you feel it necessary to delete cookies from your computer, some of them may be difficult to get rid of. You can use the following techniques to delete these cookies, but you should be aware that they will come right back as soon as you visit a site that sets those cookies.


Safari

Safari offers the option to clear all your cookies along with your browsing history. To use this option, choose History > Clear History. Click the pop-up menu, and then choose how far back you want your browsing history cleared. Or you can choose to delete only cookies and website data by clicking Preferences > Privacy > Manage Website Data. Select one or more websites, then click Remove or Remove All. For more information, see Safari’s support articles: Manage cookies and website data and Safari help.

Under Privacy, you can also find the settings to control which cookies will be allowed moving forward by choosing “Change which cookies and website data are accepted.”

Adobe Flash Player

When you visit some sites with Adobe Flash Player installed and activated, the software also stores cookie data on your system. The easiest way to control these is to visit the Flash Player Help site and use the Website Storage Settings panel displayed there to delete those that you no longer want. Read the information below the panel to make sure you understand what your options are and how to use them.


Browser plug-in Silverlight can also store cross-browser information in the application cache. To delete the Silverlight Cache, follow this procedure:

  • Close all Microsoft browser windows (Internet Explorer and Edge).
  • Click Start > All Programs > Microsoft Silverlight.
  • Choose the Application Storage tab.
  • Click Delete all.
  • Click “Yes” in the “Delete application storage for all Web sites?” dialog.
  • Click OK.

Evercookies are not just text files. They are Javascript routines that recreate cookies even after they have been removed. Evercookies often rely on the two major streaming video browser plug-ins: Microsoft Silverlight and Adobe Flash. These plug-ins allow their own caching and storage, which can be used across sessions and even across browsers. But they can be hidden in other caches as well. By storing the same data in several locations that a client can access, the data can be recovered and then reset and reused if any of it is ever lost (for example, by clearing cookies).

To actually get rid of evercookies, you would have to delete all the related cookies and clear all the caches of all your browsers and video browser plug-ins, using the information posted above.


These are technically not cookies because they are not stored in browsers or browser plug-ins, but I wanted to mention them here anyway because their name might lead you to think otherwise. Supercookies are unique identifiers that are inserted into the HTTP header by a service provider. Service providers are legally bound to offer you an opt-out option, so it could be prudent to check if your service provider uses supercookies and how to opt out if they do.

The post Cookies: Should I worry about them? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (January 8 – January 14)

Malwarebytes - Mon, 01/15/2018 - 17:00

It’s very early in the year, yet everyone has already had a complete meltdown (pun intended) over a number of serious vulnerabilities found in legacy and modern microprocessors. Last week, rightly so, vendors released patches for hardware and OSes to help mitigate these threats. However, problems in patching persisted.

As if this wasn’t challenging enough, some online criminals jumped on the bandwagon and took advantage of the hullabaloo to push the Smoke Loader malware onto the systems of unsuspecting users.

On our blog, we also touched on WPA3, misleading marketing tactics, more 419 scams, and the indictment of the alleged Fruitfly creator—a win for the security community.

Lastly, in the realm of cryptocurrency, we saw an increase in malware payloads from the RIG exploit kit.

Other news

Stay safe, everyone!

The post A week in security (January 8 – January 14) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Stripchat bot spells block

Malwarebytes - Fri, 01/12/2018 - 23:26

Here at Malwarebytes, we spend a lot of time and effort scouring the Internet looking for malicious websites that we can protect our users from. Sometimes these websites are pushing malware or some kind of scam. Other times it comes down to bad advertising practices that are used to fool the user into clicking on something.

We used to see a lot of this kind of trick with fake download buttons that redirected users to sites for installer downloads or to surveys. More recently, we found a site using a different type of deception, and it has shot up to our second-most common detection over the last month. The site, Stripchat, is an online streaming video service operated by Technius LTD and offered on a number of popular websites. The streaming service targets adult audiences for the purposes of online sexual encounters. The service boasts many active subscribers and a number of channels available for use.


Stripchat has a number of valid channels, feeds, and websites, but one particular subdomain has caught the attention of Malwarebytes for implementing various deceptive tactics and misleading techniques.  The website,, is a domain which is used for advertising purposes. Once opened in a web browser, the website purports to engage the user via a “live” chat window and the ability to chat with a model. This, however, is not the case.

The reported live video feed is nothing more than a video retrieved from the Internet and subsequently looped, or in some cases terminated with a message indicating the model is in a private chat. These messages are deceptive, as the feeds are not live as claimed to be and the responses are pre-programmed, as can be seen from the Javascript code and subsequent chat session.

Malwarebytes blocks the sub-domain for the use of these misleading marketing tactics.

However, if you’d like to continue visiting this sub-domain, you can add an exception. Scroll down to the “How to add an exception” heading of this post on why we block CoinHive to learn how.

The post Stripchat bot spells block appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fake Spectre and Meltdown patch pushes Smoke Loader malware

Malwarebytes - Fri, 01/12/2018 - 20:50

The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.

While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.

Moreover, the same fraudulent domain has a link to a ZIP archive ( containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information:

The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

We immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not resolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

It’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first.

Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam.

Indicators of compromise

Fraudulent site:


Fake patch (Smoke Loader): CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Smoke Loader callbacks:

coolwater-ltd-supportid[.]ru localprivat-support[.]ru service-consultingavarage[.]ru

The post Fake Spectre and Meltdown patch pushes Smoke Loader malware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

WPA3 will secure Wi-Fi connections in four significant ways in 2018

Malwarebytes - Fri, 01/12/2018 - 17:30

CES, the annual consumer electronics extravaganza in Las Vegas, isn’t just a showcase for virtual reality and poorly-timed power outages. It’s also an opportunity to get a peek at the future of network security.

That’s why on the first day of CES, the Wi-Fi Alliance announced the newest security protocol for Wi-Fi devices: WPA3. The new protocol is the most significant upgrade to Wi-Fi security since WPA2 was ratified in 2004.

Details are thin, but the announcement outlined four new security capabilities that will protect wireless connections in the years to come.

1. Protection against brute force “dictionary” attacks

Despite a generation of irritated admins requesting that users choose stronger passwords, the most popular passwords are still common words like “password” or “football.” That makes networks vulnerable to simple brute force attacks that systematically submit every word in the dictionary as a password. Online tutorials of this Wi-Fi hack are trivially easy to find.

WPA3 should make that issue a thing of the past by “delivering robust protections even when users choose passwords that fall short of typical complexity recommendations.” Some security experts have speculated that this refers to a type of key exchange called Dragonfly. According to the Internet Engineering Task Force (IETF), Dragonfly “employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.”

2. Easier Internet of Things (IoT) security

WPA3 promises to “simplify the process of configuring security for devices that have limited or no display interface.” That’s a nod to the growing number of devices that are enhanced by network connections, such as smart door locks, home personal assistants, and (apparently) toothbrushes. Since IoT devices rarely have a graphical interface, it’s difficult to configure them for optimal security. You can’t type a password directly on a toothbrush, after all. This can naturally lead to less secure connections and vulnerable devices. Hackers could, for example, access your smart speakers and play whatever audio they want in your living room.

The Wi-Fi Alliance hasn’t yet offered details on how WPA3 overcomes this challenge. But researchers have successfully enhanced security on IoT devices by configuring them with a smartphone.

3. Stronger encryption

WPA2 requires a 64-bit or 128-bit encryption key. But WPA3 uses a stronger standard: 192-bit encryption and alignment with the Commercial National Security Algorithm (CNSA) Suite. This promises consumers the kind of beefier security that’s currently used to protect governments and corporations.

4. Secure public Wi-Fi

Public Wi-Fi connections, like the kind you might use in a coffee shop or library, are always less secure than private ones. That’s partly due to the inherent security limitations of open wireless networks, and partly due to the fact that librarians and coffee shop owners aren’t typically network security masters. The new standards promise to “strengthen user privacy in open networks through individualized data encryption,” though the announcement doesn’t offer specifics on how that will be achieved.

Curiously, during its CES announcement, the Wi-Fi Alliance made no mention of KRACK, the vulnerability in WPA2 that impacted all Wi-Fi devices. However, Mathy Vanhoef, the researcher who discovered the vulnerability, wrote several enthusiastic tweets about WPA3.

In one, he speculates that WPA3 will include Opportunistic Wireless Encryption. This enables connection on an open network without a shared and public Pre-Shared Key (PSK). That’s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), thus allowing them access to a data stream. In other words, the new protocol should help prevent hackers from snooping on your web browsing while you’re at Starbucks.

Before we start to see the benefits of WPA3, the Wi-Fi Alliance has to certify hardware that uses the security protocol. So there’s no telling when people can start enjoying the enhanced security protections. But you shouldn’t be surprised if you start seeing devices that use the new protocol later this year.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

The post WPA3 will secure Wi-Fi connections in four significant ways in 2018 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Alleged creator of Fruitfly indicted for 13 years of spying

Malwarebytes - Fri, 01/12/2018 - 16:43

Way back at the start of last year, we took a look at something called Fruitfly, a Mac backdoor using old code that had been around for a long time and could (deep breath) upload files to computers, record images and video, snoop around in victims’ information, take screenshots, and also log keystrokes. The malware, made up of just two files, was a mixture of “wow, that’s clever,” ancient system calls, and basic persistence techniques. Possessing the ability to download additional files from a Command and Control server, alongside a seemingly overt interest in being able to capture images, we also discovered Windows versions of the files communicating with the same C&C.

At the time, a lot of questions were raised about what it was being used for, alongside the possibility that professional hacking groups were behind its creation.

With that in mind, news has broken that a 28-year-old man, Phillip R. Durachinsky of North Royalton, Ohio, has been charged with using this piece of malware since the age of 15(!) to allegedly:

watch, listen to, and obtain personal data from unknowing victims, as well as produce child pornography.

Very serious allegations. In addition to being charged with 16 counts of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft, it’s also claimed he’s the creator of Fruitfly, which would be quite the revelation. From the indictment:

…from 2003 through Jan. 20, 2017, [Durachinsky is alleged] to have orchestrated a scheme to access thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy…[he] used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, Internet searches, and potentially embarrassing communications.

The “medical records” reference leaps out. From our linked blog:

The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure…and which seems to be targeting biomedical research centers.

That would definitely appear to sync up with the medical record pilfering, and we’re wondering what else will come out in the wash by the time this one has passed through the courts.

According to the indictment, Durachinsky also used stolen login credentials to access and download information from third-party websites. He’s further alleged to have watched and listened to victims without their knowledge or permission, and to have intercepted oral communications taking place in the room where the infected computer was located. In some cases, Durachinsky’s malware alerted him if a user typed words associated with pornography. He apparently saved millions of images and often kept detailed notes of what he saw.

Reading through the charges paints more and more of a disturbing picture.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” said Acting Assistant Attorney General Cronan. “This case is an example of the Justice Department’s continued efforts to hold accountable cybercriminals who invade the privacy of others and exploit technology for their own ends.”

Getting away with more than a decade of stealing data like this on such a grand scale is quite the feat, and one hopes the victims of the most salacious offenses receive justice.

The post Alleged creator of Fruitfly indicted for 13 years of spying appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Meltdown and Spectre fallout: patching problems persist

Malwarebytes - Thu, 01/11/2018 - 14:00

Last week, the disclosure by multiple teams from Graz and Pennsylvania University, Rambus, Data61, Cyberus Technology, and Google Project Zero of vulnerabilities under the aliases Meltdown and Spectre rocked the security world, sending vendors scurrying to create patches, if at all possible, and laying bare a design flaw in nearly all modern processors.

The fallout from these revelations continues to take shape, as new information on the vulnerabilities and the difficulties with patching them comes to light daily. In the days since Meltdown and Spectre were made public, we’ve tracked which elements of the design flaw, known as speculative execution, are vulnerable and how different vendors are handling the patching process. By examining the applied patches’ impact on one of our own products, AdwCleaner, we found that they are indeed causing increases in CPU usage, which could result in higher costs for individuals billed by cloud providers accordingly.

What is speculative execution?

Speculative execution is an effective optimization technique used by most modern processors to determine where code is likely to go next. Hence, when it encounters a conditional branch instruction, the processor makes a guess for which branch might be executed based on the previous branches’ processing history. It then speculatively executes instructions until the original condition is known to be true or false. If the latter, the pending instructions are abandoned, and the processor reloads its state based on what it determines to be the correct execution path.

The issue with this behaviour and the way it’s currently implemented in numerous chips is that when the processor makes a wrong guess, it has already speculatively executed a few instructions. These are saved in cache, even if they are from the invalid branch. Spectre and Meltdown take advantage of this situation by comparing the loading time of two variables, determining if one has been loaded during the speculative execution, and deducing its value.

As explained in our post last week, the potential danger of an attack using these vulnerabilities includes being able to read “secured” memory belonging to a process. This can reveal personally identifiable information, banking information, and of course usernames and passwords. In cloud environments, these vulnerabilities allow data to be extracted from the host and from other VMs.

Example of speculative execution

Using the Project Zero example below, the processor will evaluate the condition if (untrusted_offset_from_caller < arr1->length) only at a later time, and will start a speculative execution of both branches, leading to two different index2 values. This example corresponds to variant 1 of Spectre (CVE-2017-5753) and works on most Intel, AMD, ARM, and IBM CPUs.

struct array {
  unsigned long length;
  unsigned char data[];
};
struct array *arr1 = ...; /* small array */
struct array *arr2 = ...; /* array of size 0x400 */
/* >0x400 (OUT OF BOUNDS!) */
unsigned long untrusted_offset_from_caller = ...;
if (untrusted_offset_from_caller < arr1->length) {
  unsigned char value = arr1->data[untrusted_offset_from_caller];
  unsigned long index2 = ((value&1)*0x100)+0x200;
  if (index2 < arr2->length) {
    unsigned char value2 = arr2->data[index2];
  }
}

If the processor predicts that the condition is true, value will load:

unsigned char value = arr1->data[untrusted_offset_from_caller];

Based on value, it’s possible to load index2, which can be 0x200 or 0x300 due to the bitwise operation:

unsigned long index2 = ((value&1)*0x100)+0x200;

The second condition is then executed and the last instruction loads value2 as arr2->data[0x200] or arr2->data[0x300].

Once the initial condition has been evaluated and the processor notices that the execution flow above is wrong, the value of value2 stays in the L1 cache. It’s then possible to compare the loading time of arr2->data[0x200] and arr2->data[0x300], and deduce which one has been evaluated during the speculative execution. From there, it’s easy to figure out related variables: here the value of arr1->data[untrusted_offset_from_caller] is a value that shouldn’t be retrievable according to the expected code flow, since it leaks out-of-bounds memory.

In order to exploit this behaviour, the code pattern above has to be present on the victim’s machine. As detailed in Jann Horn’s writeup, locally installed software, a JIT (JavaScript is a particularly interesting candidate), or an interpreter (he used eBPF) can meet the requirements.

Four variants

While it was initially reported that Spectre and Meltdown correspond to three vulnerabilities, four variants actually exist:

Variants 1 and 2 of Spectre impact Intel, IBM, ARM, and AMD CPUs. Meltdown appears to be exclusive to Intel CPUs, and allows attackers to read privileged memory from an unprivileged context, still using the speculative execution feature. Its variant 3a is exploitable on a few ARM CPUs only.

The fact that these vulnerabilities impact the CPUs themselves makes them difficult to patch. A software-only solution may bring significant performance issues, as would a hardware-only fix. Thus, various hardware vendors have been working together in recent months on fixes. However, while major players like Amazon and Microsoft got early access to the vulnerability reports, other providers did not. They discovered the vulnerabilities at the same time as the public disclosure on January 3.

Vendors band together

Those who weren’t in on the secret formed a task group with other providers in order to exchange information and to pressure hardware manufacturers. Scaleway, OVH, Linode, Packet, Digital Ocean, Vultr, Nexcess, and have been part of it, later joined by Amazon, Tata Communications, and also parts of the RedHat and Ubuntu teams. On January 9, part of the researchers (Moritz Lipp, Daniel Gruss, Michael Schwarz from the Graz University of Technology) who discovered the vulnerabilities also joined in.

Some open-source developers also explained that they had not received any information prior to the public disclosure, but were actively working on providing patches.

We have received *no* non-public information. I’ve seen posts elsewhere by
other *BSD people implying that they receive little or no prior warning, so
I have no reason to believe this was specific to OpenBSD and/or our

Mitigations began to land upstream in the Linux kernel shortly after the public disclosure, addressing the vulnerabilities separately. Some require a microcode update issued by the hardware vendor to be applied to the processor in order for the software patch to be effective. Most of these patches are simply workarounds, however, to avoid making the CPU behave as explained above. We may expect some hardware change in future generations of processors at some point, but there’s no easy, quick fix for now.

Available patches for hardware and OSes

The upstream Linux patch for Meltdown (variants 3 and 3a) takes advantage of KPTI (Kernel Page Table Isolation) and has been backported to Linux 4.14, 4.9, and 4.4. It is available in most distributions’ official kernels. Debian has shipped it in most releases, as has RedHat. Ubuntu published theirs a few hours ago, although some critical issues were discovered and quickly addressed. Tails published an update, too. The patches for ARM64 haven’t been merged yet but are expected to be merged later.

Variant 1 (Spectre) requires changes to compiler behaviour, and Intel suggests adding LFENCE (see 3.1 Bounds Check Bypass Mitigation; other vendors have other suggestions) as a barrier to stop speculation in specific places. This means that the kernel and software have to be recompiled in order to stop the processor from using speculative execution where it is problematic. Again, although we may expect hardware changes in future generations of Intel chips, we can’t expect this to happen for a long time.
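As an added example (not code from this article, from Project Zero, or from any vendor), here is the bounds-check pattern quoted in the speculative execution section beside the two variant 1 mitigations just described: Intel’s LFENCE barrier and the branchless index masking that the Linux kernel adopted. The function names, the sample array, and the masking helper are this example’s own; the LFENCE path assumes an x86 compiler with SSE2 and compiles to nothing elsewhere.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef __SSE2__
#include <emmintrin.h>   /* _mm_lfence(): the barrier Intel suggests for variant 1 */
#endif

/* Constructed sample data standing in for arr1 in the Project Zero pattern;
 * the contents are arbitrary and chosen only so results are easy to check. */
#define ARR1_LEN 16UL
static const unsigned char arr1_data[ARR1_LEN] =
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

/* Unhardened lookup: the bounds check is a conditional branch, exactly the
 * pattern the article quotes. Architecturally it is correct; the problem is
 * that the CPU may run the body before the compare resolves and use the
 * out-of-bounds index during the mis-speculation window. */
unsigned char lookup_unhardened(const unsigned char *data, unsigned long len,
                                unsigned long untrusted_offset)
{
    if (untrusted_offset < len)
        return data[untrusted_offset];
    return 0;
}

/* Mitigation 1 (Intel's "Bounds Check Bypass Mitigation"): serialize with
 * LFENCE right after the check so no load is issued speculatively. It costs a
 * pipeline drain on every call, which is why it is applied selectively. */
unsigned char lookup_lfence(const unsigned char *data, unsigned long len,
                            unsigned long untrusted_offset)
{
    if (untrusted_offset < len) {
#ifdef __SSE2__
        _mm_lfence();           /* assumed x86; compiles to nothing elsewhere */
#endif
        return data[untrusted_offset];
    }
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise. This mirrors
 * the approach the Linux kernel took for variant 1 (array_index_nospec) but
 * is written from scratch here. Requires size <= ULONG_MAX / 2. */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* If index >= size, (size - 1 - index) wraps and sets the top bit, so the
     * top bit of the OR is 0 exactly when index is in bounds. */
    unsigned long in_bounds = (~(index | (size - 1 - index)))
                              >> (sizeof(unsigned long) * 8 - 1);
    return 0UL - in_bounds;     /* 1 -> ~0UL, 0 -> 0UL, with no branch */
}

/* Mitigation 2: clamp the index with the mask. Even if the CPU speculates past
 * the check, the speculative load hits data[0] rather than memory beyond it. */
unsigned char lookup_masked(const unsigned char *data, unsigned long len,
                            unsigned long untrusted_offset)
{
    if (untrusted_offset >= len)
        return 0;
    untrusted_offset &= index_mask_nospec(untrusted_offset, len);
    return data[untrusted_offset];
}

/* Wrapper over the constructed sample array. */
unsigned char sample_lookup_masked(unsigned long untrusted_offset)
{
    return lookup_masked(arr1_data, ARR1_LEN, untrusted_offset);
}

int main(void)
{
    /* All three lookups agree architecturally; they differ only in what the
     * CPU may touch while speculating, which a functional run cannot observe. */
    unsigned long probes[] = { 0, 7, 15, 16, 0x400, ~0UL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned long off = probes[i];
        printf("offset %#lx: unhardened=%u lfence=%u masked=%u mask=%#lx\n", off,
               (unsigned)lookup_unhardened(arr1_data, ARR1_LEN, off),
               (unsigned)lookup_lfence(arr1_data, ARR1_LEN, off),
               (unsigned)lookup_masked(arr1_data, ARR1_LEN, off),
               index_mask_nospec(off, ARR1_LEN));
    }
    return 0;
}
```

The mask is the part worth inspecting in the compiled output: it must stay branch-free, since a compiler that turns it back into a conditional jump reintroduces the speculation window.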

Variant 2 (also Spectre) requires both a microcode patch from CPU vendors and a patch from the kernel to leverage IBRS (Indirect Branch Speculation Feature), STIBP, and IBPB. Another suggestion called “retpoline” has been introduced by Paul Turner from Google and is also being implemented in various compilers, including GCC and LLVM, even though some questions still remain about its efficiency on certain CPU models.

Vulnerability (Linux)   Software mitigation   Hardware mitigation
Meltdown (3 & 3a)       KPTI                  Not needed
Spectre 1               n/a                   n/a
Spectre 2               IBRS / Retpoline      Microcode

Proprietary vendors have also published several updates:

  • Apple addressed the two Meltdown variants in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Spectre is being mitigated in iOS 11.2.2 and the macOS 10.13.2 Supplemental Update, even though only recompiled software is an effective mitigation for variant 1.
  • Google has included some mitigations for the three variants in its Android Security Bulletin on January 5. Note that further mitigations are expected in next month’s updates, especially a kernel with KPTI.

Regarding Microsoft, the process has been bumpier. They’ve released various fixes for the platform, but set several requirements for the Spectre and Meltdown patches to be effective:

  1. If an antivirus solution is registered in the Windows Security Center, it needs to set the following registry key:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD" Data="0x00000000"

Only then can the January Patch Tuesday patch be applied. Note that Malwarebytes users have been able to successfully receive the patch since its publication.

  2. As pointed out by Kevin Beaumont, an extra step is required on Windows Server to apply the patch and enable it. After creating the following keys and restarting the host, the mitigation should be in place:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

A few moments later, users began to report computers running with AMD processors becoming unbootable after applying the patch. Microsoft has stopped delivering the patch to those configurations while working with AMD to find a solution.

Available software patches

Apart from hardware manufacturers and OS vendors, software vendors have also been quick to mitigate the exploitation of Spectre. Browser vendors and virtualization solutions are particularly exposed to these vulnerabilities and have been the fastest to respond.

  • Xen published an advisory sharing details about the vulnerabilities in its hypervisor’s scope alongside a documentation page explaining how to mitigate.
  • Mozilla released Firefox 57.0.4 soon after publishing an article explaining how they managed to exploit Spectre remotely using JavaScript and WebAssembly. This update makes the time source less precise, thus making exploitation a lot more unreliable while more in-depth fixes are engineered.
  • Google Chrome followed shortly after with an explanatory article about how Spectre could be exploited using WebKit’s JavascriptCore and listing the upcoming mitigations in Webkit.

Numerous proofs of concept have been published to demonstrate the exploitation of the different variants, from reconstructing an image to applying it against a specifically crafted Intel SGX enclave. It’s also possible to test whether mitigations are in place: Microsoft released a solution that can be used remotely, based on the new PowerShell SpeculationControl module, and several solutions are available on Linux-based OSes.

Patches’ impact on AdwCleaner’s infrastructure

Disclaimer: The following is not a benchmark, but feedback based on what we have observed in our hardware environment and software stack. The observed behaviour is highly dependent on the workload, and there may be no changes observed in yours.

As part of our security process, we’ve applied fixes as soon as they were made available by our distributions and hosting providers. We were expecting some performance hit, especially on the AdwCleaner storage backend, but it was hard to quantify.

CPU load before and after KPTI patch on AdwCleaner storage backend.

After applying the new Linux kernel with the KPTI backport, we observed a 10 to 15 percent increase in CPU usage. (We applied the patch slightly before 00:00 UTC on January 6.) These servers do not take advantage of PCID, which could make the difference in performance less visible. As this usage increase appears to be the new baseline for some time, it is likely to lead, at least temporarily, to significant cost increases for users of providers that bill based on CPU usage, although some providers are reported to be working with severely impacted customers.

As the situation still evolves quickly every day, some updates may be added to both the original story and this blogpost.

Particularly interesting literature:

The post Meltdown and Spectre fallout: patching problems persist appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Of princes and perpetrators: Beware of getting ensnared in 419 scams

Malwarebytes - Wed, 01/10/2018 - 18:44

We’ve mentioned before that 419 scams don’t always originate from Nigeria. It’s a very simple and popular scam that can be attempted by pretty much anyone with a flair for social engineering. Indeed, 419 scams are so associated with the region that many scammers in non-Nigerian countries know they have an additional layer of “It wasn’t me” potentially obfuscating their identity.

This may help the non-Nigeria based criminal better hide once life savings have been stolen. Law enforcement and the victims themselves are probably going to make assumptions about who’s doing the money swiping, which simply helps the actual criminal go deeper underground.

By the same token, 419 scammers seek to obfuscate their location further by making use of so-called money mules: innocent victims tangled up in scams, sending stolen money to and from a variety of bank accounts. More often than not, they’re enticed by the prospect of too-good-to-be-true job adverts posted online, typically in the field of remote work administration or “payroll management.”

A fancy-sounding title, the promise of big money for little work, and an awful lot of “we’ll explain how that thing works later,” and you have yourself a money mule.

What’s so good about having an army of disposable web flunkies at your disposal?

When the cops come calling, they make a beeline for the point of least resistance (the scammer pulling strings is supposed to be based in Nigeria, remember?) In practice, this probably means your recently retired grandfather looking for a bit of extra pocket cash, or your penniless friend at University is going to jail. If you’re a money mule, you’re engaged in illegal activity and can be prosecuted for it. “I didn’t know” won’t save you.

Take this individual, recently charged with no less than 269 counts of wire fraud and money laundering.

From the Slidell Police department Facebook page:

Slidell Police financial crimes investigators arrested 67-year-old Michael Neu (Slidell, LA) for 269 counts of Wire Fraud and Money Laundering. Neu is suspected to have been the “middle man”, and participated in hundreds of financial transactions, involving phone and internet scams, designed to con money from victims across the United States. Some of the money obtained by Neu was subsequently wired to co-conspirators in the Country of Nigeria. The investigation is on-going, but is extremely difficult as many leads have led to individuals who live outside of the United States. Slidell Police Chief Randy Fandal hopes this arrest serves as a reminder for Slidell residents to be leery of such scams. Chief Fandal said, “If it sounds too good to be true, it probably is. Never give out personal information over the phone, through e-mail, cash checks for other individuals, or wire large amounts of money to someone you don’t know. 99.9 percent of the time, it’s a scam.”

Reports are a little confused, as some articles claim he’s the mastermind while others (including the police statement up above) plainly state he’s the middleman. Additional details are thin on the ground, so we don’t really know at this stage if he was “merely” responsible for wiring money, or if he was physically typing out “Hello, I’m a Prince” emails to hoodwink potential victims.

Either way, he’s in a whole lot of trouble with law enforcement and though some of the pieces mention “co-conspirators in Nigeria,” it’s unlikely any of them will be caught. In effect, whether unaware of what was really going on, or an active participant (and it’s entirely possible some money mules will happily get involved for a bigger cut of the proceeds), what we have here is a fall guy within easy reach of the police.

Wait, did I just say “active participant?” I sure did. And guess what? It’s not just retirees wandering into trouble. Younger folks are also getting in on the act, often due to lack of cash and the idea that this might be a safe, fast way to make some money. Data from 2017 suggests that more than 8,500 people aged between 18 and 24 had their bank accounts used by criminals.

Given that a lot of money muling can tie directly into crimes such as drug distribution and people trafficking, those individuals will probably have a short, sharp dose of reality when the police come knocking. As Cifas, a UK fraud prevention service, points out, loans, contracts, and other financial services may be hard to come by should your bank account be closed due to laundering—and that’s before you get to the part where you could spend up to 14 years in prison for it.

All things considered, not a sensible career choice. If you’re approached by strangers offering too-good-to-be-true job opportunities—especially for remote work and handling money/sending said cash through various bank accounts—give it a wide berth. You’ll probably be very glad that you did.


RIG exploit kit campaign gets deep into crypto craze

Malwarebytes - Tue, 01/09/2018 - 17:11

There isn’t a day that goes by without a headline about yet another massive spike in Bitcoin valuation, or a story about someone mortgaging their house to purchase the hardware required to become a serious cryptocurrency miner.

If many folks are thinking about joining the ‘crypto craze’ movement, they may be surprised to learn that they already have. We’ve documented in-browser miners before on this blog, or what we call drive-by cryptomining, but drive-by download attacks such as those via the RIG exploit kit want a piece of the action, too. While the latter is not a new trend, we have noticed an increase in malware payloads from EKs that are coin miners, and we think this is going to be something to follow for 2018.


Today, we take a look at a prolific campaign that is focused on the distribution of coin miners via drive-by download attacks. We started to notice larger-than-usual payloads from the RIG exploit kit around November 2017, a trend that has continued more recently via a campaign dubbed Ngay.

The initial dropper contained additional binaries, which accounts for its oversized nature, as depicted below. Droppers from this campaign have consistently contained one or more coin miners: at least a Monero miner, plus miners for lesser-known but still popular currencies such as Bytecoin.

One payload leads to two different coin miners.

For the same attack, these two processes will mine for the well-known Monero and Electroneum cryptocurrencies. When both executables are running, the CPU usage on the victim’s computer is maxed at 100 percent.


The Ngay campaign, identified as such by Nao_Sec, is one of several malvertising chains that relies on the RIG exploit kit to distribute its payloads. Recently, we observed a more complex redirection chain involving bestadbid and various XML feeds upstream, eventually trickling down to the more familiar redirect to RIG.

Infection flow showing redirection to RIG EK, followed by coin miner payloads

iframe to RIG EK is inserted in Ngay’s template page

The dropped binary from RIG EK contains two other artifacts that each lead to a different coin miner and are launched by a rather unusual procedure. In the following sections, we will study their deployment mechanism.

Monero miner

Monero is one of the best-known digital currencies; contrary to Bitcoin, it can be mined on ordinary CPUs without special hardware, and it provides additional privacy benefits. Threat actors have jumped on it via large-scale drive-by mining attacks and with purpose-built coin miner malware.

Here the Monero miner is downloaded after a convoluted process that also aims at registering it permanently as a running service. The extracted binary from the RIG EK payload (3yanvarya.exe) is an installer that drops several .NET modules:

.NET modules extracted from one of the two artifacts contained in RIG EK’s payload

starter.exe uses an exploit for MS16-032 (Invoke-MS16-032) copied from this GitHub repository (it even reuses the original license!) to elevate privileges:

Code snippet showing PowerShell code designed to elevate privileges

foxcon.exe contains two sub-modules inside: Hydra and Hand, which purport to protect and manage services:

Hydra and Hand: two modules in charge of miner services

services.exe is a service to download and manage the miner:

Miner is downloaded from a remote IP address

Finally, the Monero miner (series64.exe) is retrieved and can start the mining activity. The overall process can be summarized in the diagram below.

"C:\Windows\TEMP\series64.exe" -o -u x -p x -k -B --max-cpu-usage=30 --safe

Overview of the Monero miner deployment

Electroneum miner

Electroneum, the “mobile friendly” digital currency, was only recently introduced but became popular almost immediately. Its Android app lets anyone mine and manage a wallet, but miners on desktop platforms can participate as well.

Malware authors are abusing it via a malicious coin miner binary that is dropped by dp.exe through yet another unusual redirection chain: a URL shortener link (bit[.]ly, see the indicators below) retrieves a fake PNG image containing instructions for downloading and eventually launching the miner itself.

"C:\Users\[username]\AppData\Roaming\bvhost\bvhost.exe" -o -u etnkKc…

Overview of the Electroneum miner deployment


As cryptocurrencies become more and more popular, we can only expect to see an increase in malicious coin miners, driven by the prospect of financial gains and increased anonymity. As the mining process has become cross-platform and achievable using regular computers, this has opened new possibilities for threat actors. Indeed, they can put hundreds of thousands of compromised machines to work mining for the latest and hottest digital currency around.

For end users, the threat of a coin miner infection may seem less impactful than, say, a banking Trojan, but perhaps that is only true in the short term. Not only can existing malware download additional payloads over the course of time, but the illicit gains from cryptomining contribute to financing the criminal ecosystem, costing billions of dollars in losses.

This particular RIG EK campaign is noteworthy for its focus on cryptominers and the way it unconventionally and at times inefficiently loads them. We will keep monitoring the drive-by download landscape to report on any change in payloads from other threat actors.

Many thanks to @hasherezade for help studying the binaries.

Indicators of compromise

RIG EK dropper


Redirections to downloader script: *.lolkekss[.]us, bit[.]ly/2lXCGUy

Downloader script for Electroneum miner (fake PNG)


Electroneum miner (bvhost.exe)
URL: 115776615-884492032168661957.preview.editmysite[.]com/uploads/1/1/5/7/115776615/be
SHA256: 13CE8C6C8E9E4A06880A5F445A391E9E26BB23FCD0C6F4CC495AA5B80E626C0B

Monero miner (series64.exe)
SHA256: F651B1C5AE7B55B765994EB6630C45A0A7F1E43EBABD801CB8B3B26BDDB09D17

Additional miner loaders via RIG EK (SHA256, size in bytes, date found):

24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484, 1732969, 2017-12-29
d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3, 1513983, 2018-01-02
5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f, 1732965, 2018-01-02
2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79, 1840725, 2018-01-03
bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2, 2819600, 2018-01-04
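As an added example (not code from the post or from Malwarebytes), here is a small Python detector that runs the indicators above over process-creation records: it matches the loader and miner SHA256 hashes from the IOC list, and it flags the miner-style command lines quoted in the Monero and Electroneum sections (pool, wallet, CPU-cap and safe-mode switches) when the binary runs from a user-writable path. The ProcessEvent records, the pool hostname, the dummy wallet address and the svchost.exe control case are constructed for the demonstration; the wallet-address shapes and the list of switches are my assumptions, not indicators published by the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# SHA256 hashes copied from the IOC list above, lower-cased for comparison.
KNOWN_MINER_SHA256: Dict[str, str] = {
    "f651b1c5ae7b55b765994eb6630c45a0a7f1e43ebabd801cb8b3b26bddb09d17": "Monero miner (series64.exe)",
    "13ce8c6c8e9e4a06880a5f445a391e9e26bb23fcd0c6f4cc495aa5b80e626c0b": "Electroneum miner (bvhost.exe)",
    "24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484": "RIG EK miner loader (2017-12-29)",
    "d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3": "RIG EK miner loader (2018-01-02)",
    "5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f": "RIG EK miner loader (2018-01-02)",
    "2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79": "RIG EK miner loader (2018-01-03)",
    "bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2": "RIG EK miner loader (2018-01-04)",
}

# Switches seen on the two miner command lines in the post (assumption: treated as a set).
# Several of them (-k, -B, -p) are generic, so a hit needs a cluster, never a single one.
MINER_SWITCHES = {"-o", "-u", "-p", "-k", "-B", "--max-cpu-usage", "--safe"}

# Heuristic (assumption): Electroneum wallets start with "etn" and Monero standard
# addresses with "4"; both are long base58 strings.
WALLET_RE = re.compile(r"^(?:etn|4)[1-9A-HJ-NP-Za-km-z]{90,}$")

# Both miners in the post ran from user-writable directories.
WRITABLE_PATH_RE = re.compile(r"\\(?:Windows\\TEMP|AppData\\Roaming)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (what Sysmon event ID 1 or an EDR would give you)."""
    image: str
    command_line: str
    sha256: str


@dataclass
class Finding:
    verdict: str                      # "miner" or "clean"
    reasons: List[str] = field(default_factory=list)


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as one token and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def inspect(event: ProcessEvent) -> Finding:
    reasons: List[str] = []
    known = KNOWN_MINER_SHA256.get(event.sha256.lower())
    if known:
        reasons.append(f"sha256 matches {known}")
    tokens = tokenize(event.command_line)
    # "--max-cpu-usage=30" counts as the switch "--max-cpu-usage"
    switches = sorted({t.split("=", 1)[0] for t in tokens} & MINER_SWITCHES)
    has_wallet = any(WALLET_RE.match(t) for t in tokens)
    in_writable_dir = bool(WRITABLE_PATH_RE.search(event.image))
    if has_wallet:
        reasons.append("argument shaped like a Monero/Electroneum wallet address")
    if len(switches) >= 3:
        reasons.append("cluster of miner switches: " + " ".join(switches))
    if in_writable_dir:
        reasons.append("image runs from a user-writable directory")
    # A known hash is conclusive. Otherwise demand a wallet address, or a switch cluster on a
    # binary living in a user-writable path, so that "svchost.exe -k netsvcs" stays clean.
    if known or has_wallet or (len(switches) >= 3 and in_writable_dir):
        return Finding("miner", reasons)
    return Finding("clean", reasons)


# Constructed sample events. The first two mirror the command lines quoted in the post
# (pool and wallet for series64.exe were redacted there, so they are redacted here too);
# the Electroneum wallet below is a dummy of the right shape, not a real address.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\TEMP\series64.exe",
                 r'"C:\Windows\TEMP\series64.exe" -o -u x -p x -k -B --max-cpu-usage=30 --safe',
                 "F651B1C5AE7B55B765994EB6630C45A0A7F1E43EBABD801CB8B3B26BDDB09D17"),
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\bvhost\bvhost.exe",
                 r'"C:\Users\alice\AppData\Roaming\bvhost\bvhost.exe" -o pool.example.test:3333 -u etnkKc'
                 + "1" * 92 + " -p x",
                 "0" * 64),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r'"C:\Windows\System32\svchost.exe" -k netsvcs',
                 "0" * 64),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = inspect(ev)
        print(f"{result.verdict:5s} {ev.image}  ({'; '.join(result.reasons) or 'no indicators'})")
```

Hash matching catches exactly the samples listed here and nothing else, which is why the command-line heuristics are there: the loaders in the table change hash every few days, but the miner they fetch still has to be told a pool, a wallet and how much CPU to burn.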


A week in security (January 1-8)

Malwarebytes - Tue, 01/09/2018 - 15:48

New year, new threats, as 2018 gets underway.

On our blog, we had dubious search results aplenty for those hunting for Malwarebytes information, and we also covered the huge Meltdown/Spectre bugs, affecting hardware going back 10 years.

Other news
  • Coin miners are at it again, with a proof of concept for hacking public Wi-Fi and injecting cryptomining code into browsing sessions. (Source: The Register)
  • Around 240k people have been tied up in a “privacy incident” over at the DHS. (Source: DHS)
  • Browser makers are looking to mitigate risks from Meltdown and Spectre. (Source: Help Net Security)
  • 36 rogue apps wound up on the Google Play store, reminding us to be extra vigilant even on an official site. (Source: Trend Micro)
  • Yet another cryptominer doing the rounds, this time dragging Linux machines into a cash-spinning botnet. (Source: F5)
  • Face recognition: nice idea, but being fooled by photographs is a bit much. (Source: Naked Security)
  • A well put together phishing mail is causing headaches for those who may have purchased items from retailer Debenhams. (Source: South Wales Argus)
  • Unusually, you may be able to reclaim money lost to wire fraud scams, regardless of where you live. This doesn’t happen often, so check it out if you’ve been stung! (Source: Birmingham Mail)
  • Malware-laden emails are being used to steal data related to the Winter Olympics. (Source: BBC)

Stay safe, everyone!


Meltdown and Spectre: what you need to know

Malwarebytes - Thu, 01/04/2018 - 15:53

The Google Project Zero team, in collaboration with academic and industry researchers, has published information about three variants of a hardware vulnerability with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754)—affect most modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty because they live in the processor hardware itself, below the operating system, which makes them hard to detect and hard to fix.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.

The core issue stems from a design flaw that lets an attacker who can run code on a device, be it desktop, smartphone, or cloud server, read memory contents they should not have access to, exposing passwords and other sensitive data. The flaw is tied to what is called speculative execution: to keep its pipeline busy, a processor guesses which instructions will be needed next (for example, which way a branch will go) and executes them ahead of time. If the guess was wrong, the results are discarded, but side effects such as which data ended up in the CPU cache remain, and those can be measured to reconstruct the data that was touched.

The Meltdown variant (rogue data cache load) primarily impacts Intel CPUs, whereas the two Spectre variants impact CPUs from every vendor that implements speculative execution. This includes most CPUs produced during the last 15 years by Intel, AMD, ARM, and IBM.

It is not known whether threat actors are currently using these bugs. Although due to their implementation, it might be impossible to find out, as confirmed by the vulnerability researchers:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While no attacks have been reported in the wild as of yet, several proofs of concept have been made available, including this video showing memory extraction (using an undisclosed PoC). This is particularly damaging because (1) there aren’t many options for protection currently, and (2) as stated above, even if threat actors do spring into action, it might be impossible to verify that this is the case.


Because Meltdown and Spectre are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little to protect against a potential attack. However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and Windows 10 Insider Edition.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with a significant performance impact, although estimates of how much vary greatly. An advisory from Microsoft recommends that users:

  1. Keep computers up to date.
  2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No complete software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.

The Spectre bug can be exploited from JavaScript and WebAssembly running in a web page, which makes it even more critical. It is therefore recommended to apply countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch that mitigates the issue by reducing the precision of the timers such an attack relies on, while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers about upcoming downtime, in order to prevent situations where memory belonging to the hypervisor or to other tenants’ virtual machines could be read from inside a guest, for example.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:


Search engine shenanigans: Malwarebytes mentions aren’t what they seem

Malwarebytes - Wed, 01/03/2018 - 17:22

Things might be a touch quiet at the moment as we ease into 2018, but that doesn’t mean dubious antics and dodgy dealings aren’t still making waves online. As a matter of fact, should you go searching for some of our researchers, their blog posts, or just a couple of notable quotes from news sources, you may find yourself redirected to all manner of websites you’d really rather avoid.

Here’s how it usually works: scammers take some keywords, or maybe a few stand-out sentences, or even just bits of a blog post. They then insert the text into the source code of a website. From there, they either use that as the final destination, or use the word-stuffed HTML as a landing page that redirects to the end website. That site could be harmless, or spam, or something filled with attacks on your computer.

Search engine poisoning used to be quite a problem whenever a major news incident occurred, and you’d regularly find pages of malware, hijacks, and fake antivirus cluttering up genuine search entries.

Search engines worked on their algorithms, and these days it’s surprisingly tricky to wind up on a batch of bogus results related to a breaking news story. Should a scammer avoid breaking news and focus on more general search queries, however, they may be able to dodge detection and seed the results they need. Case in point:

That last one, for example, leads to a redirect landing page. Here’s the HTML snippet in question:


That site bounces visitors off to what appears to be a page masquerading as a forum. It’s a weird forum, given that every link on page simply leads to more advert URLs and a variety of sign ups.


Note that what the program asks for will change depending on how you arrive on the page, and also note that they claim you need to offer up credit card details to prove you’re not a bot.


Here’s one of the final destinations we came across from the “forum” link:


Other final destinations we’ve seen from some of the URLs floating around in search results include lots of “pay for social media prowess” type efforts:


We’ve also seen a few pornography redirects where my own name is concerned. For example:


There’s also spamblogs, partly in English, partly in Russian, which contain a mixture of ripped security articles and random porn photographs.

Elsewhere, we even have memes getting in on the action:

There’s nothing wrong with doing a bit of extra digging on content you may have enjoyed throughout the previous year, but please keep an eye on those URLs popping up in recent search results. If the sample text looks a bit like gibberish, or the website URL contains .php or just looks a little random, you may wish to stick to either our own URL or that of a reputable news source you recognise. While we haven’t seen anything malicious in the sense of drive-by installs or other harmful activity, there’s a whole raft of rotating ad pages on offer here and no real way to know where you’re going to end up before clicking.

Here’s to a safe and secure 2018!


IPv6, it’s waiting for you

Malwarebytes - Wed, 12/27/2017 - 16:00

IPv6 is an expression IT professionals are likely to have seen or heard at one time, but what exactly is it? Let us give you a quick introduction, and then try to explain what it does differently by comparing it to its predecessor, IPv4.

IPv4 and IPv6 are both Internet communications protocols that provide an identification and location system for networked devices, which allows traffic to be directed to a specific address. IPv6 is short for Internet Protocol version 6; naturally, IPv4 is version 4. In case you are wondering, version number 5 was taken by an experimental streaming protocol that never saw wide use.

Why the change?

One reason to replace IPv4 was the number of possible addresses, approximately 4.2 billion. The authority that hands out address blocks to the regional registries (IANA) ran out of IPv4 blocks at the beginning of 2011. The number of possible addresses was limited because IPv4 addresses are only 32 bits long (written as four decimal numbers, such as 192.0.2.1). An IPv6 address is 128 bits long (written as eight groups of hexadecimal digits), so the number of possible addresses went up to about 3.4 × 10^38. That’s a lot of addresses.

Pros and Cons of IPv6

Using IPv6 means that you don’t need Network Address Translation (NAT). With NAT, a whole network shows one external IP address to the outside world: regardless of which device behind it you are using, others always see the same IP. IPv6 instead gives every device a globally unique address, in which the first 64 bits (the network prefix) are shared by all devices on the same network. So if you move the device into another LAN, it will take on the first 64 bits of that network.

In the early days of IPv6, the last 64 bits (the interface identifier) were commonly derived from the device’s MAC address, which made it possible to track a device across networks and so posed a privacy issue; modern operating systems use privacy extensions (RFC 4941) that generate randomized, temporary identifiers instead. The lack of NAT also means that with IPv6 you no longer need port forwarding to relay traffic to a certain node in the network: the contact can be established directly at its unique IPv6 address (provided the firewall in between allows it).
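The EUI-64 scheme described above, as an added example that is not part of the original post: the Python below builds the interface identifier a host would have derived from its MAC address under a given /64 prefix, then runs the derivation in reverse to recover the MAC from an observed address, which is exactly the tracking problem. The prefixes, the MAC address and the addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) for a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # split the MAC and insert FFFE
    eui[0] ^= 0x02                                            # flip the universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures from a /64 prefix and its MAC under the early-IPv6 scheme."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac)))


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC if the interface identifier is EUI-64 derived; None for randomized or manual IIDs."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":          # no FFFE marker: not built from a MAC
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                       # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def trackable(addresses: Iterable[str]) -> bool:
    """True when every address embeds the same MAC: one device recognisable on every network it joins."""
    macs = {mac_from_address(a) for a in addresses}
    return len(macs) == 1 and None not in macs


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"            # constructed sample MAC
    at_home = slaac_address("2001:db8:1::/64", mac)
    at_work = slaac_address("2001:db8:2::/64", mac)
    print(at_home, at_work, trackable([at_home, at_work]))
```

The same MAC yields the same lower 64 bits on every network, so a web server logging the device at home and at work can link the two visits; an address whose identifier lacks the ff:fe marker (a privacy-extension address, or a manually assigned one such as ::1) gives the observer nothing to correlate.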

IPv6 offers data security at the IP level: Internet Protocol Security (IPsec) can be used during data transport, which enables encrypted traffic and authentication. Authentication means the receiver can be sure who the sender is, preventing spoofing and man-in-the-middle attacks. IPsec is available for IPv4 as well, but there it was added as an afterthought and is typically only used as an option (e.g. by a VPN), whereas it was designed into IPv6 from the start. Note that in both cases traffic is only protected when both ends are configured for it; IPv6 does not encrypt anything by default. On the local link, the Secure Neighbor Discovery (SEND) protocol protects IPv6’s Neighbor Discovery (the replacement for ARP) against spoofing.

IPv6 offers the possibility of mobile nodes. The traffic intended for a node that (temporarily) has a different IP can be forwarded to the current IP.

Latency can be higher when using IPv6. In theory it could be faster, but in real-world use it is often slower because not every peer is able to use IPv6 natively; packets may have to be routed around, or tunneled through, such peers.

Bigger packet headers are caused by the longer addresses. The sender and receiver have a longer address so the headers grow accordingly.

Firewalls have to be considered at the device level. Since IPv6 addresses open up direct access to devices, not everything can be checked at the network router level. Especially when your servers have IPv6 enabled by default and your firewall is not configured accordingly, malware and breaches are not far behind.

Take action for a safe transition
  • Be ready for IPv6 before you start using it, as it may require a complete makeover of your network design. Study up on IPv6 before you’re forced to make the change.
  • Consider what needs to be done to maintain or better your current security posture.
  • Research how the transition can help you to improve security.
  • Plan the transition in a way so that your environment stays secure during each step of the process.
  • When purchasing new equipment, make sure it will still be useful after the transition to IPv6. Most new devices will be compatible, but will they still be needed?

Since there is no more room to continue using IPv4, we should get ready for IPv6. Several large ISPs and mobile operators are already migrating to IPv6, along with a lot of other major online services. It’s time IT professionals do the same.


Facebook phishers want you to “Connect with Facebook”

Malwarebytes - Fri, 12/22/2017 - 16:00

As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.

These landing pages, adorned with very large and very fake “Login with Facebook” buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.

HTTPS is becoming increasingly popular with scammers as it adds an extra air of authenticity to the whole operation. As a result, you can’t just assume a “secure” site is also a safe one. There could well be a phisher lurking in the distance.

The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven’t seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)

The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to “Login to Facebook” to “comfirmation your account!!!” [sic]


…”Connect with Facebook.”

There are a few other designs out there, but they’re nowhere near as common as the two above. Here’s one of the alt-designs:


The word salad on the fake Facebook security page reads as follows:

Dear Facebook users Your account is reported to have violated the policies that are considered annoying or insulting Facebook users. Please confirm your account with accurate data to avoid blocking. Note: if you do not verify your account permanently disabled automatically. Thanks, the Facebook team

Regardless of which landing page you kickstart the process from, the end result is the same—you’ll be directed to a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:


After that, they go straight for security questions:



The text on the page reads as follows:

We will temporarily lock your account. Please answer a few security questions to ensure that the actual owner of your account. We will provide 1X24 hours, to verify the identity of your account. If you do not confirm, the system will automatically shut down your Facebook account permanently. This information will help us to restore your Facebook account

Upon hitting the “Protect your account” button, victims will be sent to the legit Facebook login page, another common trick to make the victim think all is well—right up to the point the login mysteriously alters and they lose access. We’ve seen Facebook scams a lot less complicated than this also ask for payment information, so we’re a little surprised that none of the sites across both sets of websites— the landing pages, and the sites playing host to data collection—do this.

We’re certainly not complaining, mind.

At time of writing, many of the secondary sites appear to have been taken down, though there are still a fair few landing pages up and running. As such, it would be easy for the scammers to set up new phish pages and point the landing URLs to them instead.

URLs you should avoid:

(leads to) help-unblocking-fb(dot)site/contact/2017/index(dot)php

We’re working on having the last of these sites taken offline, but please be careful around any websites claiming they’ll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or “bad behaviour” on your part. If in doubt, visit the official Facebook site directly and take things from there. There’s a good chance it’s just someone trying to ruin your festive fun, and that definitely doesn’t fall under the season for giving.


The seven most colossal data breaches of 2017

Malwarebytes - Thu, 12/21/2017 - 16:00

By Logan Strain

If it seems like the words “leak,” “compromised data,” and “breach” are constantly in the news, it’s not just you. The frequency of major data breaches is increasing. According to the Identity Theft Resource Center, the number of breaches is expected to top 1,500 in 2017. That’s a 37 percent annual increase over 2016, which itself was a record year for exposed personal data.

But while most data breaches are small and contained, this year saw a handful of spectacularly bad security fails. Here are the most massive sets of compromised data and data breaches of 2017.

1. Equifax

Let’s start with the Mother of All Breaches.

Equifax, one of the four major credit reporting agencies, revealed in September that cybercriminals had penetrated its network. The breach exposed the data of 143 million Americans, a majority of the country’s adult population. Exposed information included names, social security numbers, birthdates, addresses and, in some instances, driver’s license numbers.

It gets worse. Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people were also exposed.

In response, Equifax offered a suite of identity theft protection services to all Americans, regardless of whether they were impacted or not. The services, which include up to $1 million in ID theft insurance and social security number monitoring, are free for anyone who signs up by January 31, 2018. (Though we doubt the efficacy of these identity theft protection services and don’t recommend people purchase them.)

2. Uber

This data breach actually occurred in 2016. But due to general shadiness on Uber’s part, we didn’t learn about it until November of this year. Compromised data included the names, email addresses, and phone numbers of 50 million Uber customers. The personal data of about 7 million drivers was also exposed, including around 600,000 driver’s license numbers.

Hackers pulled off the data heist by first getting access to a private GitHub site used by Uber engineers. From there, they learned Uber’s Amazon Web Services login credentials and accessed the personal data. The hackers then used the data to blackmail Uber. In an attempt to keep the incident under wraps, Uber executives paid the hackers $100,000 to delete the data and keep quiet.

The incident only came to light after new Uber CEO Dara Khosrowshahi discovered it and reported the incident to regulatory authorities.

In a blog post, Khosrowshahi said that “None of this should have happened, and I will not make excuses for it.”

3. Edmodo

Adults aren’t the only ones getting their info compromised. In May, Motherboard reported that social learning platform Edmodo was hacked. The service, which is used by educators and students, has around 78 million users—and a hacker named “nclay” claimed that he acquired the account data of 77 million of them.

The data was put up for sale on the Dark Web, but apparently, accounts for a site that is primarily used to assign homework and create lesson plans aren’t particularly valuable. The hacker priced the entire database of data at just over $1,000.

4. Verizon

Did you call Verizon customer service in the first six months of 2017? Then it’s possible your data was inadvertently exposed.

ZDNet reported that Nice Systems, an Israel-based company, failed to secure an Amazon S3 storage bucket that contained records for 14 million Verizon customers. The exposed records include customer names, cell phone numbers, and account PINs.

Fortunately, Verizon was able to protect the data before anyone else could access it. In a statement to CNBC, a Verizon spokesperson said, “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”

5. Deep Root Analytics

The data analytics firm Deep Root Analytics, which was contracted by the Republican National Committee, revealed that it had exposed the data of 198 million citizens. That means almost two out of every three Americans were impacted. Exposed information includes names, birthdates, phone numbers, and, most troubling, voter registration details.

The breach was discovered by security researcher Chris Vickery on June 12. His analysis revealed that the firm’s database was stored on an Amazon cloud server without password protection for about two weeks. Anyone had the ability to download the 1.1 terabytes worth of data.

6. Sonic Drive-In

Millions of customers who only wanted to order a cheeseburger and a shake may have inadvertently given their credit card info to identity thieves.

The fast-food chain Sonic Drive-In acknowledged that an unknown number of restaurant payment systems were compromised and customer credit card information was breached. Security researcher Brian Krebs revealed that stolen credit card numbers made their way to underground markets where cybercriminals buy and sell sensitive financial data.

7. All WiFi devices

In 2017 we also discovered that essentially all data transmitted over WiFi networks is vulnerable. Computer scientist Mathy Vanhoef announced that a vulnerability in the WPA2 encryption protocol made WiFi networks accessible without login credentials. Hackers are able to access WiFi data through a key reinstallation attack, or KRACK. It’s unknown if any data was actually stolen using this method, but the vulnerability has existed since the beginning of WiFi.

Fortunately, tech companies started releasing patches shortly after the problem was discovered. Earlier this month Apple fixed the security hole for all iPhones. And several router manufacturers have released updated firmware that protects against KRACK attacks.

The growing number (and size) of data breaches indicates that threats are outpacing security measures taken by organizations. Until companies can improve their security posture, the responsibility for keeping data breaches from doing serious damage will fall on individuals.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

The post The seven most colossal data breaches of 2017 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tech support scammers make browser lockers more resilient

Malwarebytes - Wed, 12/20/2017 - 16:29

Tech support scammers have been relying on fraudulent pop-ups for many years in order to scare potential victims into calling for remote assistance. These so-called browser lockers (or browlocks) typically originate from malicious ads (malvertising) that can appear on any website, including trusted online portals.

The purpose of browser lockers is not only to scare but also to create the illusion that the computer has been locked, which is not quite true. What’s happened is simply that the browser is stuck in between a flurry of alert dialogs that won’t seem to go away, no matter how many times they are clicked on.

Google Chrome is often the most-targeted browser because of its dominant market share, but pop-ups come in as many different flavors as browser types, with landing pages specific to those browsers. For example, a particularly vicious technique abused the history.pushState HTML5 API to literally freeze machines while displaying the fake pop-up.

Historically, browser makers have let users down by not being able to handle those tricks cleanly. However, they appear to have taken note, fixing many of the issues that have to do with poor user experience, while also suggesting other ways for (legitimate) webmasters to send notifications, for example via the proper Notifications API.

Unfortunately, crooks are adapting as well. Despite browser developers’ best intentions, browlocks are still the best bet to scam innocent folks. The following shows a browser locker that went into full screen mode after the user clicked somewhere on the page. Pressing the Escape key to exit full screen (as instructed by the browser) triggered a malicious loop in the code that prevented closing the fraudulent pop-up (without resorting to Task Manager):

This is a similar technique to what we reported on recently with persistent drive-by mining attacks in that it uses a pop-under as a “helper.” There are actually three different layers in play to make this work:

  • a background window in full screen mode
  • another window that is superimposed (triggered on click or Escape key)
  • the pop-under (triggered on click)

The crooks have positioned and sized the pop-under in such a way that it only displays the “Stay” part of the “Leave” or “Stay” dialog window, leaving users very little choice.

Keep in mind that at the same time the user is trying to close the page, a constant reminder is being played on the computer speakers, to add to the victim’s distress:

From a technical standpoint, browser lockers are on the low side of the scale compared to malware such as ransomware. However, they benefit from great distribution channels via malvertising, guaranteeing that millions of people are affected by them. Consider that scammers charge an average of $400 per victim, and you soon realize that this is a highly profitable business.
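As an added example (not code from Malwarebytes or the original post), here is a small heuristic that scores captured landing-page source for the building blocks described above: forced full screen, an Escape-key handler, the "Leave or Stay" beforeunload prompt, pop-under helpers, repeated dialogs, looping audio and scare copy. The indicator weights, the threshold, and the two sample pages are assumptions constructed for the example; it is meant as a triage aid for a sandbox or proxy pipeline that already captures page source, not as a verdict.

```javascript
// Added example, not Malwarebytes' code. Weights and threshold are assumed values.
const INDICATORS = [
  // Layer 1: the background window pushed into full screen mode
  { name: 'fullscreen', weight: 2, re: /\b(webkit|moz|ms)?requestFull[Ss]creen\s*\(/ },
  // Re-arming on the Escape key the browser tells users to press
  { name: 'escape-key', weight: 2, re: /keyCode\s*===?\s*27|\.key\s*===?\s*['"]Escape['"]/ },
  // Layers 2/3: the "Leave or Stay" prompt abused together with a pop-under
  { name: 'beforeunload', weight: 2, re: /\bbeforeunload\b/ },
  { name: 'popunder', weight: 1, re: /window\.open\s*\(/ },
  // Repeated alert/confirm dialogs that "won't seem to go away"
  { name: 'dialog-spam', weight: 2, re: /\b(alert|confirm)\s*\(/g, minHits: 3 },
  // Audio played in a loop to add to the victim's distress
  { name: 'loop-audio', weight: 1, re: /<audio[^>]*\bloop\b|\.loop\s*=\s*true/ },
  // Scare copy plus a toll-free number to call
  { name: 'scare-text', weight: 1, re: /infected|virus|security alert|call (now|support)/i },
  { name: 'phone-number', weight: 2, re: /\b1?[-. ]?8(00|33|44|55|66|77|88)[-. ]?\d{3}[-. ]?\d{4}\b/ },
];
const THRESHOLD = 7; // assumed; tune against your own corpus

// Returns the total weight, the indicator names that fired, and a flag.
function scoreBrowlock(source) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    const matches = source.match(ind.re) || [];
    // Global regexes return every match; non-global ones return one match plus groups.
    const count = ind.re.global ? matches.length : (matches.length ? 1 : 0);
    if (count >= (ind.minHits || 1)) { hits.push(ind.name); score += ind.weight; }
  }
  return { score, hits, suspicious: score >= THRESHOLD };
}

// Constructed samples (not real captured pages). Script bodies are deliberately stubbed.
const SUSPECT_PAGE = `<html><body>
<h1>Security Alert: your computer is infected!</h1><p>Call support now: 1-888-555-0199</p>
<audio src="alarm.mp3" autoplay loop></audio>
<script>
document.body.onclick = function () { document.documentElement.requestFullscreen(); };
window.addEventListener('beforeunload', function (e) { /* "Leave or Stay" prompt */ });
document.addEventListener('keydown', function (e) { if (e.key === 'Escape') { /* re-arm */ } });
function nag() { alert('Do not close'); alert('Do not close'); confirm('Call now'); }
</script></body></html>`;
const BENIGN_PAGE = `<html><body><h1>Photo gallery</h1>
<script>
document.getElementById('play').onclick = function () { player.requestFullscreen(); };
window.addEventListener('beforeunload', function (e) { if (dirty) e.returnValue = ''; });
</script></body></html>`;

console.log(scoreBrowlock(SUSPECT_PAGE)); // score 12, suspicious: true
console.log(scoreBrowlock(BENIGN_PAGE));  // score 4, suspicious: false
```

Legitimate sites use full screen and beforeunload too (video players, unsaved forms), which is why a single indicator never crosses the threshold on its own.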

On this blog, we have long said that awareness is critical in order to avoid falling for tech support scams, but we also recognize that browsers have a big role to play in how they handle and block such annoying alerts. Unfortunately, scammers try to trick people by abusing regular warnings and creating fake buttons. In the case mentioned above, it would have been possible to close the page from the beginning by clicking on the top window’s X before it went into full screen mode. But if a user can be enticed to perform a certain action, they essentially lock themselves out.

The rule of thumb here is to avoid panicking and simply close the browser via the Task Manager (if all else fails). Remember that the pop-ups themselves are usually harmless. You are safe as long as you haven’t dialed the toll-free number that is being advertised.

The post Tech support scammers make browser lockers more resilient appeared first on Malwarebytes Labs.
