Techie Feeds

Stolen security logos used to falsely endorse PUPs

Malwarebytes - Tue, 01/30/2018 - 16:35

To gain the trust of users, many websites and companies feature the logos of reputable firms who endorse their products. Unfortunately, some unseemly companies do the same, using logos of companies who have not, in fact, endorsed their product in order to trick people into thinking that what they are about to install is legitimate. Potentially Unwanted Programs (PUPs) are masters in this trade of building false trust.

The logos most often used by criminals to achieve this false trustworthiness are:

  • McAfee SECURE
  • Norton Secured Seal
  • Microsoft Partner Network/Microsoft Technologies

Below is an example of a website that has all three of them, so it must be the safest site imaginable. (Wrong.)

In fact, it is a fake online scanner that will try to scare you into thinking that your computer is infected with some nasty viruses and that their solution can take care of it. Actually, they will try to sell you a PUP like Master PC Cleaner that will inform you about even more problems with your system. To compound matters, they’ll then offer to help you get rid of them—for a price. Should you need assistance, many of these so-called “system optimizers” are not afraid to get involved in tech support scams either. Their support numbers are displayed prominently in their GUI.

So how do programs that can scam people out of money in three different ways get these badges of authentication on their sites? Likely, they are used without authorization. In fact, it is no harder than copying one of these logos from a Google image search and inserting the image onto the site.

What do these logos actually mean?

First of all, if the logos are used without authorization, they mean nothing. Nada. Niente. Putting a picture on a website does not change the way the site or product it offers behaves.

But even if the logos are real and authorized, they may not mean what you think they mean. To help suss out whether a site is trustworthy or not, it’s not a bad idea to learn what these logos actually stand for.

McAfee SECURE

The McAfee SECURE logo is free for websites with up to 500 visitors per month. If you find the real logo on a site, it will be visible as a small “M” in the bottom right-hand corner. You can expand that logo to read about what it means.

In a nutshell, a McAfee SECURE logo indicates the following:

  • There is no malware hosted or linked to on the site.
  • The site has a valid SSL certificate, which means traffic to and from is encrypted.
  • There is no phishing detected.

Which is all well and good. It means the website has been checked for all these points, but it doesn’t mean that the product advertised on the site is endorsed by McAfee. And if you see the logo displayed without an option to see the number of reviews, chances are high that the site owner just pasted that image on their site and didn’t actually earn it. As was the case for our fake online scanner.

Norton Secured Seal

The Norton Secured Seal is included at no cost with all Symantec certificates. If installed on a website not using a Symantec certificate, the seal will not display. Please note that this doesn’t mean it will stop someone from using an unauthorized image on their site. But again, even if the seal is real, it doesn’t mean the product advertised on the site is secure. It just tells us the site has a Symantec SSL certificate.

Microsoft Partner Network

The Microsoft Partner Network (MPN) is designed to help qualified technology companies build, sell, provide, service, and support solutions for their customers with Microsoft technologies. To qualify for the MPN, a technology company must sell or provide more than 75 percent of its IT solutions and services, or derive 75 percent or more of its total revenue through the external monetization of their intellectual property solution(s) to unaffiliated third parties. Nothing in the MPN agreement restricts a company from working with and using non‑Microsoft technologies.

Basically, companies pay a fee for which they get Microsoft tools, training, and software in return—and the right to display a Microsoft partner logo on their product and site. The only “check” that Microsoft performs for the exchange of their tools and logo (that I could find) is to verify that partners derive 75 percent of their business from third parties (non-affiliates). That could be anyone. And it doesn’t guarantee the safety of the products sold on the site.

How can I check the authenticity of the logo?

If you see a McAfee SECURE or Norton Secured Seal on a website, you can check to see if they are real by clicking on the logo. The real logos are clickable and include additional information about their meaning. Fake McAfee and Norton logos will not be clickable or might include incomplete information.
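The clickability test above can be applied to a page’s HTML before you ever visit the site. The following scanner is an added example, not code from the Malwarebytes post: it walks an HTML document and reports every seal-like `<img>` together with whether it sits inside an `<a href="...">` element, so a badge that is just a pasted picture stands out. The keyword list, the sample page and its URLs are all constructed for the example.

```python
"""Flag trust-seal images that are not clickable.

Added example, not code from the Malwarebytes post. A genuine McAfee SECURE
or Norton Secured Seal is a clickable element leading to details about what
the seal means; a pasted-in copy is a plain image. The keyword list and the
sample page below are constructed for this example.
"""
from html.parser import HTMLParser

# Assumption: deliberately broad substrings that suggest a security badge
# in an image's src, alt or title text.
SEAL_KEYWORDS = ("mcafee", "norton", "secure", "seal")


class SealScanner(HTMLParser):
    """Collects seal-like <img> tags and the nearest enclosing link, if any."""

    def __init__(self):
        super().__init__()
        self._anchors = []   # stack of href values (None for an <a> without href)
        self.findings = []   # one dict per seal-like image

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchors.append(a.get("href"))
        elif tag == "img":
            probe = " ".join(v for v in (a.get("src"), a.get("alt"), a.get("title")) if v).lower()
            if any(k in probe for k in SEAL_KEYWORDS):
                # Nearest enclosing anchor that actually carries an href
                href = next((h for h in reversed(self._anchors) if h), None)
                self.findings.append({"src": a.get("src"), "clickable": href is not None, "href": href})

    def handle_endtag(self, tag):
        # <img ... /> is reported as start+end by HTMLParser; only <a> is tracked here
        if tag == "a" and self._anchors:
            self._anchors.pop()


def audit_seals(html):
    """Return (clickable, static) lists of seal findings for an HTML string."""
    scanner = SealScanner()
    scanner.feed(html)
    scanner.close()
    clickable = [f for f in scanner.findings if f["clickable"]]
    static = [f for f in scanner.findings if not f["clickable"]]
    return clickable, static


# Constructed sample page: one badge wrapped in a link, one bare badge,
# one badge inside an <a> that has no href, and one unrelated image.
SAMPLE_HTML = """
<html><body>
  <a href="https://verify.example/seal?id=shop">
    <img src="/img/mcafee-secure.png" alt="McAfee SECURE">
  </a>
  <img src="/img/norton_secured_seal.png" alt="Norton Secured" />
  <a name="top"><img src="/img/trust-seal.png" alt="seal"></a>
  <img src="/img/logo.png" alt="Our company">
</body></html>
"""

if __name__ == "__main__":
    clickable, static = audit_seals(SAMPLE_HTML)
    for f in clickable:
        print(f"clickable seal: {f['src']} -> {f['href']}")
    for f in static:
        print(f"STATIC seal (likely pasted image): {f['src']}")
```

A static seal is a warning sign, not proof of fraud, and a clickable one is not proof of legitimacy: as the post explains, even an authentic seal says nothing about the product sold on the site, and the link target should itself be checked rather than trusted because it exists.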

The Microsoft Partner Network is searchable, but unfortunately knowing the name of the product alone is not always enough to find out if that company is a legitimate partner. And the name of the product is not necessarily the same as the name of the company.

Summary

As we have learned, it is easy for websites to abuse logos of trust, using them to fake the appearance of an endorsement of a product or site. It’s also easy to confuse those logos, even when used legitimately, for a blanket statement on the security of the product or site. And since most fraudulent companies change names and sites almost as often as their socks, they don’t care if someone finds out.

That means the best thing you can do to guarantee a safe online purchase or surfing experience is to never assume that a logo automatically makes a site legitimate. Put on your cynical caps, take a closer look, and remember that if it seems too good to be true, it probably is.

Be careful out there!

The post Stolen security logos used to falsely endorse PUPs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (January 22 – January 28)

Malwarebytes - Mon, 01/29/2018 - 19:00

Last week on Labs, we analyzed a rogue app outbreak on Twitter, took a look at how Singapore’s government is faring with network defense, and rolled out our 2017 State of Malware report. We also became visionaries in Gartner’s Magic Quadrant report and explored a VR data mishap.

Other news

Finally, a tip of the hat and a shout out to the very awesome Hasherezade, who’s been included on a Forbes Europe list of 30 under 30—a fantastic achievement!

Stay safe, everyone!

The post A week in security (January 22 – January 28) appeared first on Malwarebytes Labs.


How to remove adware from your PC

Malwarebytes - Mon, 01/29/2018 - 17:54

“Close. Close. Close. Close,” my mother mumbles as she aggressively clicks her mouse over and over.

“What’s wrong, Ma?” I’m home for the holidays, and cozy, cold evenings are often spent in front of the fireplace. This night, however, my mom is stuck at her computer.

“This stupid thing won’t stop showing me ads.”

“Looks like a job for Malwarebytes!” I joke, but come over to examine. Her screen is loaded with advertisements. Upon closing one, another pops up.

So many pop-ups, so little time.

Looks like mom’s got adware.

What is adware?

Adware is short for advertising-supported software. It’s well-known for being a major Mac nuisance and has made itself ubiquitous on Android OSes, finding its way into the Google Play Store as Trojanized apps.

But adware is a PC problem, too. It delivers ads and other browser-cluttering junk most often in the form of pop-ups, tabs, and toolbars. Beyond simply bombarding you with ads, adware can hijack your browser, redirecting you to sites you weren’t planning on visiting (and showing you ads there) or delivering random, back-alley search engine results. It can slow down your computer and is often frustratingly difficult to remove.

Have some toolbars, courtesy of Mindspark adware.

Why would anyone knowingly install a program that behaves this way? The answer is: They wouldn’t. When legitimate software applications use online advertising, the ads are typically bundled within the program and designed and displayed in ways that the developer specified—and a good developer knows not to piss off customers with overbearing ads. Adware, in contrast, is specifically designed to be a nuisance, sneaking its way onto people’s systems by bundling up with legit programs or disguising itself as something else.

Whether you download adware without full knowledge of what you’re getting or whether it hides in the EULA of another software program like a stowaway, it’s behaving in a way that neither you nor the software it latches onto wants. This is what makes adware a type of potentially unwanted program, or PUP.

How is adware different from PUPs?

Adware is, essentially, a type of potentially unwanted program. PUPs also include other borderline malicious programs, such as spyware, browser lockers, dialers, and junkware. Security companies flag these programs as “potentially” unwanted, but the reality is, any sane person would not want this crap on their computer. Unfortunately, since most people aren’t paying close attention to what they download, they essentially agree to install the programs without realizing it.

Even more unfortunately, any attempts by security companies to fully block these programs as malware can get legally hairy. Thankfully, the cybersecurity industry is making strides in courtroom battles and in public opinion against software providers whose programs cross the line from slight bother to major asspain.

How do you get adware?

The most common ways for adware to infect PCs today are through toolbars/browser extensions, bundled software, and downloads offered by pop-ups.

A Trojan containing adware may pretend to be something you want, such as a plug-in or video player, but what you really end up downloading is an adware installer. Adware may also hide inside a legitimate download from an unethical site. Often, it shows up in downloaded files from torrents or piracy sites. It’s even making its way into the Google Play Store—with more frequency these days—and blessing Android devices with its garbage content.

The common theme among these delivery methods is deception. Adware makers trick users into willfully downloading programs they won’t like by pre-populating check boxes, greying out or minimizing options to skip, or plastering “recommended” next to a preferred option one-too-many times. Half the battle in avoiding adware intrusion on your device is reading install wizards and EULAs with hawk-eyed precision.

A pre-checked box and a tiny EULA screen spell adware

But let’s be real. No one does that.

That means you need a way out when you rush through an install agreement to download the free version of Bejeweled only to be dazzled by a flurry of ads all but ruining your screentime.

How to remove adware

Your way out is relatively simple. If you think you’ve got an adware problem on your PC, you can manually remove it in a few easy steps.

Back up your files. Always a good first precaution when you’re faced with a potential infection. Grab an external hard drive or save your most important data to the cloud.

Download or update necessary tools. To get your computer sparkly clean, you’ll need to download or run updates to a scanner that specializes in removing adware and PUPs (such as Adwcleaner or the free version of Malwarebytes). If you suspect your computer is heavily infected and you don’t have these tools, you’ll want to install them on a friend’s machine and transfer them to yours via CD or USB.

Uninstall unnecessary programs. Before scanning with a security product, check to see if the adware program has an uninstaller. To do this, go to the Add/Remove Programs list in the Windows Control Panel. If the unwanted program is there, highlight it and select the Remove button. After removing the adware, reboot the computer, even if you’re not prompted to do so.

Run a scan with an adware and PUPs removal program. Once the program has scanned and found adware, it will likely quarantine the stuff so you can take a look and decide whether or not to delete it. Our recommendation is delete, delete, delete. This will get rid of adware and any other residual files that could bring the adware back.

Read: How to remove adware from Macs

How to avoid adware infection

While the above steps can rid PCs of most adware, there are a few belligerent forms that are difficult to remove—and these more aggressive adware programs are popping up more and more (pun intended). The makers of adware today have adapted their techniques in order to skirt around more comprehensive ad-blocking tools introduced by major browser developers, including Google, Mozilla, and Microsoft. Their formerly grey tactics have turned to black.

The bad guys bundle their adware and PUP programs with tools that act as protection against their removal by blocking security software from running or even being installed, or by stopping users from taking measures to remove the adware themselves. The only known way to protect against these attacks right now is to prevent them from happening in the first place. Thankfully, you can do just that with an adware- and malware-blocking security solution like Malwarebytes.

The post How to remove adware from your PC appeared first on Malwarebytes Labs.


IMPORTANT: Web Blocking / RAM Usage

Malwarebytes - Sat, 01/27/2018 - 19:53

Earlier this morning, we published a protection update that caused connection issues for many of our customers. As a side effect of the web protection blocks, the product also spiked memory usage and possibly caused a crash.

We have triaged this issue and pushed a protection update that resolves it.

For our consumer solutions

Please follow the steps below on how to update to the latest database:

1. Open Malwarebytes
2. Turn OFF web protection: click on “Settings”, then click to turn Web Protection OFF
3. Under Scan Status (right side), click next to “Updates” to have Malwarebytes download the latest database
4. Restart PC
(Note it may take up to 2 restarts after the update to stabilize the system)

To confirm that you are on the latest database please follow the steps below:

1. Open Malwarebytes
2. Click on Settings
3. Click on the About tab
4. Next to “Update package version” if you see version 1.0.3803 or higher you are on the latest database which addresses the issue.

If the above doesn’t resolve the issue, please reach out to support at support@malwarebytes.com.

For our business solutions

Please follow the appropriate steps below to update to the latest database:

Malwarebytes Endpoint Security (On-premises)

First step to get the update is to disable the real-time protection. To do this in the Management console:

1. Open up the policy the clients are on and go to the protection tab.
2. From here, disable the ‘enable protection module’ option.
3. Once this is done click OK. When your clients check in they will get this new policy update.
4. Once real-time protection is disabled and your clients can communicate, highlight the endpoints on the client screen and click the update database button at the top.
5. After the update is applied, a reboot of the machine may be required.

Note: If your client cannot resolve internal addressing, the agent will need to be reinstalled manually on the machine. The client will not be able to reach out to the server for a policy update and will never be able to turn off the real-time protection.

Malwarebytes Endpoint Protection (Cloud)

1. From the Malwarebytes Cloud console, go to the endpoints pane and select all the endpoints.
2. In the action drop-down, choose the ‘check for protection updates’ option to force an update on all endpoints to database update 1.0.3803.

This should fix the problem for the vast majority of Endpoint Protection endpoints.

If endpoints are still affected after applying this, please reboot the machine.

If the remote agent is unable to reach out and get this update, then we must disable the web protection:

1. In the Malwarebytes Cloud console, go to Settings > Policies and open up the policy the clients are on.
2. From here, go to the endpoint protection policy and turn off the “Web Protection” portion of the policy. Then:

a. If the machine is unresponsive, reboot the machine and log in.

b. Once in, right click on the tray icon and start a scan. This will force a database update and fix the issue.

c. Once updated, cancel the scan and reboot the machine.

3. When the computers are all online and updated, please turn back on the web protection again in the Endpoint Policy.

The root cause of the issue was a malformed protection update that the client couldn’t process correctly. We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again.

Getting your computer or business back up and running is our utmost priority, as is rebuilding your trust.

If the above doesn’t resolve the issue, please reach out to support at corporate-support@malwarebytes.com.


The post IMPORTANT: Web Blocking / RAM Usage appeared first on Malwarebytes Labs.


Plugging a virtual leak: insecure VR app exposes customer data

Malwarebytes - Fri, 01/26/2018 - 22:00

I’ve been giving talks on the possible problems raised by virtual/augmented/mixed reality for a while now, and sure enough, we have what may be one of the first potentially major security issues thrown up by an in-the-wild application. Until a recent fix was applied, users of the pornography app SinVR could have found their subscriber information up for grabs.

Researchers over at Digital Interruption discovered names, email addresses, and device names for anyone with an account alongside those paying for content using PayPal. This information would be great for social engineering, fake SinVR emails, or just plain old blackmail/embarrassment antics should any attacker be so inclined.

They figured this out because while reversing the app, they realised they could make unauthenticated calls to endpoints, thanks to a function which looked as though it allowed SinVR to download a list of all users. Though they would have had to modify the binary to do this via the app, their web API meant it wasn’t necessary thanks to the previously mentioned endpoints.
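The failure described above is a missing authentication and authorization check on an endpoint that hands out the whole user table. The following before/after handler pair is an added example, not code from SinVR or from Digital Interruption’s write-up: the first function mirrors the behaviour the post describes, the second requires a valid session, limits the listing to an administrative role, and returns only the fields a caller needs. The path name, bearer-token format, session table and user records are all constructed for the example.

```python
"""Before/after of a 'list all users' API endpoint.

Added example, not code from SinVR or Digital Interruption. Handlers take a
Request and return (status, body) so the logic can be exercised without a
web server. Token format, session table and user records are constructed.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


# Constructed sample data. A real service would store random tokens hashed.
SESSIONS = {
    "tok-admin-0001": {"user_id": 1, "role": "admin"},
    "tok-subscriber-0002": {"user_id": 2, "role": "subscriber"},
}
USERS = [
    {"id": 1, "name": "admin", "email": "admin@example.test", "device": "desktop-01", "payment": None},
    {"id": 2, "name": "alice", "email": "alice@example.test", "device": "headset-7", "payment": "paypal"},
    {"id": 3, "name": "bob", "email": "bob@example.test", "device": "phone-3", "payment": "paypal"},
]


def list_users_vulnerable(request):
    """Before: anyone who knows the path gets every record, as the post describes."""
    return 200, USERS


def _session_for(request):
    """Resolve the bearer token to a session; None if absent or unknown.

    Tokens are compared with hmac.compare_digest so a guess does not leak
    how many leading characters matched through timing differences.
    """
    auth = request.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, session in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return session
    return None


def list_users_hardened(request):
    """After: authenticate, authorise by role, and minimise the data returned."""
    session = _session_for(request)
    if session is None:
        return 401, {"error": "authentication required"}
    if session["role"] != "admin":
        return 403, {"error": "insufficient privileges"}
    # Data minimisation: an admin listing does not need emails or device names.
    return 200, [{"id": u["id"], "name": u["name"]} for u in USERS]


def me_hardened(request):
    """Object-level check: a subscriber may read only their own record."""
    session = _session_for(request)
    if session is None:
        return 401, {"error": "authentication required"}
    record = next(u for u in USERS if u["id"] == session["user_id"])
    return 200, record


if __name__ == "__main__":
    anon = Request("/api/users")
    print("vulnerable, anonymous:", list_users_vulnerable(anon)[0])
    print("hardened, anonymous:", list_users_hardened(anon))
    admin = Request("/api/users", {"Authorization": "Bearer tok-admin-0001"})
    print("hardened, admin:", list_users_hardened(admin))
```

The point of the split is that authentication alone would not have been enough: a paying subscriber with a valid session still has no business enumerating other customers, so the listing is gated on role, and the self-service path returns one record keyed on the caller’s own session rather than on a client-supplied id.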

If we cast our minds back to around the time of the SONY hack, games companies became popular targets, with company hacks, compromised databases, tampered game servers, and all sorts of other shenanigans. At the time, it was clear that many organisations weren’t doing as much as they could on the security front, although these days you don’t see quite as many game developers being compromised in that fashion.

VR, however, is a brave new world, and there are many new companies who may be in a similar place to where more traditional games firms were a few years ago. While my primary interest in VR is seeing how in-game features can be affected, especially with the slow rise of VR ad networks, it’s clear that customer data—or just reversing the apps themselves—is also going to be a big deal.

The barrier to entry for VR development is lowering all the time, with reasonably priced “DIY” kits available online which allow anyone to start coding games. How many of those bedroom coders, who will no doubt release many of these projects with a price tag attached, will understand the complexities of securing both their games and their databases?

This is sadly likely to be the first of many such accidental VR data reveals. The only good news for the developer is that responsible individuals were the first to catch wind of this particular error, rather than someone up to no good. Of course, we’re only hoping they were the first. Realistically, we have no way of knowing if someone with mischief in mind has already figured it out.

Talk about a virtual catastrophe.

The post Plugging a virtual leak: insecure VR app exposes customer data appeared first on Malwarebytes Labs.


Gartner recognizes Malwarebytes as a “Visionary” in the Magic Quadrant

Malwarebytes - Fri, 01/26/2018 - 19:14

I’m proud to announce that Gartner has recognized Malwarebytes as a “visionary” in the 2018 Gartner Magic Quadrant for Endpoint Protection Platforms. Malwarebytes was selected for its completeness of vision and ability to execute.

Our goal is to give every user a malware-free experience and empower them to navigate safely across devices at work and at home now and well into the future. With threats increasing in both size and scale, it’s clear that traditional solutions have been insufficient at protecting the endpoint. Enterprises are realizing the need to re-evaluate their approach to defending the endpoint and have come to Malwarebytes because of our demonstrated understanding of the threat landscape and execution toward a vision of a unified solution to manage the entire threat life cycle: protection, detection, and response.

The Gartner EPP MQ report notes that Malwarebytes offers strong protection capabilities at an attractive price point. As proof, organizations are deploying the full portfolio of Malwarebytes endpoint protection and remediation security software widely across their operations. During the past 12 months, Malwarebytes experienced a seven-fold increase of large enterprise customers.

10 years delivering best-in-class protection

Malwarebytes recently celebrated its 10-year anniversary. For over a decade, we’ve built exceptional trust with our customers, from consumer to enterprise. We’ve been asked to solve the toughest problems—to bail out infected endpoints—when all else had failed. And with that visibility and insight over the years, we’ve honed our craft and developed the most comprehensive protection for the endpoint. We call it Multi-Vector Protection (MVP).

The road to MVP began when we realized that no single approach could be effective against the plethora of techniques the attackers would be leveraging. Some would deliver payloads by exploiting vulnerabilities, others would conduct targeted spying campaigns in order to drop the most effective malware. Some got around all security barriers with the click of a malicious email attachment. We had to provide comprehensive protection by defending against those and a variety of other attack vectors. That’s why MVP features seven layers of threat detecting, blocking, and removing technology.

It’s this approach that enabled us to protect our customers against threats, such as the high-profile ransomware attacks that made headlines throughout 2017.

What’s next

Great technology and advanced features are for naught if they aren’t deployed or used properly. So a big focus here at Malwarebytes is to ensure that while we’re developing best-of-breed technologies, we’re also making them easy to use. Part of that includes keeping our customers aware of the latest developments in malware and in our products’ ability to protect against it. So while this is an exciting moment for us here at Malwarebytes, there’s no resting on our laurels.

Stay tuned to learn more about our latest developments in the fight against cybercrime.

The post Gartner recognizes Malwarebytes as a “Visionary” in the Magic Quadrant appeared first on Malwarebytes Labs.


Presenting: Malwarebytes Labs 2017 State of Malware Report

Malwarebytes - Thu, 01/25/2018 - 13:00

2017 was a tumultuous year in politics, media, gender, race—and cybersecurity didn’t beat the rap. Last year was full of twists and turns in the cybercrime world, with major outbreaks, new infection methods, and the evolution of the cryptocurrency crime industry.

In aiming to make sense of the madness, we gathered information from our data science, research, and intel teams throughout the year, checking in on trends, the rise and fall of malware families, distribution methods, and more. What we came up with was a more complete picture of the 2017 threat landscape that showed us just how much can change in a year.

In our 2017 State of Malware report, we examined attack methods, malware developments, and distribution techniques used by cybercriminals over the last 12 months. We dove into the exponential increases of malware volume and severity year-over-year, as well as trends in high-impact threats, such as ransomware and cryptomining. Some of our key takeaways include:

Ransomware volume was up in 2017, but trending downward.

Ransomware detections were up 90 and 93 percent for businesses and consumers respectively in 2017, with several splashy outbreaks accounting for the majority of the increase in rates. However, development of new families and tactics for delivery slowed way down, especially in the last quarter of the year.

What they can’t hold for ransom, criminals will steal instead.

With ransomware slowly going out of favor, criminals pivoted to banking Trojans, spyware, and hijackers in 2017 to attack companies instead. We saw an increase of 40 percent in hijackers and 30 percent in spyware detections in 2017. The second half of the year also marked an average 102 percent increase in banking Trojan detections.

Cryptomining is out of control.

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

In addition to looking back at 2017, we looked forward to 2018, analyzing current trends and pontificating on what they point to. We realize making predictions about cybercrime is a bit more art than science, but when we look back over years of patterns and data and experience, we can make some educated guesses about where we think this is all going. With that in mind, some of our 2018 predictions include:

A “slow” year for Internet of Things threats means more attacks in 2018.

Attackers spent a lot of time in 2017 developing new tools to take advantage of IoT with spam-spreading botnets and, likely, more DDoS attacks. It’s not farfetched to think we may see DDoS attacks against large organizations, like airline companies and power utilities, demanding a ransom to call off an army of botnet-infected IoT devices. But rather than encrypt files, the attacks will disrupt businesses and their operations until payment has been made.

Cryptocurrency mining fever will give birth to dangerous new threats.

Drive-by mining and skyrocketing values are driving interest in cryptomining from both users and criminals alike—to the point where retailers are now screening potential graphics card customers for miners. Faced with continued volatility, we are likely going to see an evolution of drive-by mining tools, new mining platforms (such as Android and IoT devices), and new forms of malware designed to mine and/or steal cryptocurrency.

To see our complete analysis of key developments in malware, the most interesting attack vectors of the year, predictions for 2018, and more, read:

the 2017 State of Malware report

The post Presenting: Malwarebytes Labs 2017 State of Malware Report appeared first on Malwarebytes Labs.


Singapore government gets into the network defense game

Malwarebytes - Tue, 01/23/2018 - 22:00

There is a common assumption in the infosec community that enormous breaches like those at Equifax, Anthem, and Target are the new norm. That the next mega breach is simply a matter of time. This is because large companies loathe spending money on things that are not directly profitable like secure infrastructure or quality training for employees. Further, there isn’t really any external pressure on corporations to do better—so they won’t.

Some countries have recognized that these sorts of negative externalities cause significant public harm, and have sought to get ahead of the threat curve with cybersecurity legislation. Singapore currently has a comprehensive cybersecurity bill under consideration that is trying very hard to bring a bit of order to the wild west of technology threats. The bill is exhaustive in covering management of cyberthreats, so let’s look at what it does well and what it does not do well.

The good

  • Appoints a national CISO. US cyberdefenses frequently suffer from an unclear chain of command, as well as competing agency priorities. The buck needs to stop somewhere to mount an effective defense.
  • Designates critical infrastructure. You cannot prioritize defenses for systems you aren’t looking at.
  • Duty to report. This is a big one. Often fearful of liability, stock impact, or impact to reputation, corporations will often sit on cyberattack disclosure for months—sometimes until an executive can sell his company’s stock. Removing any ambiguity on when and how to report breaches gets everyone on the same page.
  • Designates best standards and obliges companies to follow them. There are currently no consistent, agreed-upon cybersecurity best practices for companies to follow.
  • Power to investigate and force remediation. In contrast to US defense contractors, who handle critical infrastructure, were not obligated to report breaches until 2015, and to date have not lost any contracts due to loss of classified data, Singapore’s draft bill grants a cybersecurity officer the authority both to investigate a critical infrastructure breach and to compel remediation along industry best practices.
  • Licenses infosec corps. While this could be a little iffy in the implementation, holding companies that audit critical infrastructure to an agreed-upon standard benefits everyone. Infrastructure owners know precisely what services they are paying for, cybersecurity officials can judge the impact of standardized services more accurately, and no one has to deal with a Norse Corp.

The not so good

  • Criminal sanctions for offenses. While seemingly a no-brainer, breaches are rarely due to a single individual’s malfeasance, and much more often the end result of a sick corporate process. A more effective deterrent would be fines leveled at the corporate level, and large enough to hurt. While an ineffective company can lose a handful of employees quite easily, they would feel the loss of a profit percentage much more acutely.
  • Secrecy. Many sections within the bill contain provisions for non-disclosure and corresponding fines and imprisonment for anyone speaking out about a breach in a non-approved way. From a governance perspective, this makes sense. Singapore is deriving their authority to monitor critical infrastructure by classifying breaches as a security threat, and a classic belief of governments is that one does not speak publicly of security threats. Network threats are different. Configurations and applications used by a shipping company can have significant overlap with those used at non-critical corporations. Transparency and information sharing not only pressure a breached company to demonstrate an adequate remediation but also offer lessons learned that can keep hundreds of less critical organizations safe. Sunlight and sharing are proven methods for defenders to propagate best solutions to everyone.

What does it mean?

Traditionally, information security has been viewed as the responsibility of individual companies, and not a particularly important one at that. Efforts of countries like Singapore to centralize cyberthreat defense and vulnerability remediation are an attempt to acknowledge the reality that breached infrastructure affects everyone. A hack might stay within an offshore drilling company, but the knock-on effects to shipping, trade, and the environment can create an impact on millions of citizens.

While the law has not traditionally been responsive to technology needs, that is gradually changing. With input from industry leaders and privacy advocates, technology law has the potential to change for our benefit.

Check out the full text of the bill here.

The post Singapore government gets into the network defense game appeared first on Malwarebytes Labs.

Categories: Techie Feeds

“Who visits your Twitter profile” spam app brings week of chaos

Malwarebytes - Tue, 01/23/2018 - 19:17

Twitter spam has been around forever, and rogue apps asking for installs in return for a cool feature (to be more accurate, spamming your contacts) are a constant thorn in our Twittery sides. Over the weekend, we observed a new Twitter app doing the rounds and causing a lot of congestion on people’s timelines.

What is it?

We first noticed this when a number of my contacts using the #FBPE (follow back, pro Europe) hashtag to form networks and make new friends started spamming Tweets similar to the below:


The spam reads as follows:

Goooo!! Click for more information: Who visits your Twitter profile 100% safe, 100% working Click here, available for iOS and Android

Here’s another one:


Sign in and download this fantastic app – only available today

Regardless of the spam message used, all the tweets directed people to visit a website located at

checkvisitss(dot)tk

How does it spread?

People click the link and are presented with the below website:


There’s not a lot to do besides hitting the large “Connect with Twitter” button, and sure enough, doing just that will direct eager clickers to the app install page.


It says:

Authorize Recent Visits 24H to use your account?

This application will be able to:

Read tweets from your timeline

See who you follow and follow new people

Update your profile

Find Tweets for you

Will not be able to:

Access your Direct Messages

See your email address

See your Twitter password

In other words, a fairly standard Twitter app permission list.

Tracking the spread

This could have been a bit of a disaster for those on the FBPE hashtag mentioned, which itself is being used to grow follower count and connect with like-minded individuals. Any app claiming to provide information about “profile views” in this situation could have resulted in an accelerated spread, though we doubt they were specifically targeted—it was spreading just fine elsewhere, as we’ll see.

Either way, those on the hashtag quickly figured out it was a scam and took steps to purge it:

One of the other primary drivers of these spam messages was the below message:

Touch the screen and enter the web – You can know who has visited your profile

This was still actually doing the rounds as of yesterday, with a little over 900 results in a simple browser search before it refused to load any more entries:


What damage can it do?

As with all things, that depends on the ultimate aim of the scammer. Some just want to spam their website; others will pop an advert or 12, and the worst of the bunch may try to have you download and run some malware. At the time of testing, all this seemed to do was promote the app across timelines and encourage more installs, so the main aggravation here is the knowledge that you installed something useless, and then started beaming said uselessness to all of your contacts. Not a great look, however you stack it.

How do I remove it?

Thankfully, this is an easy one to pull off. Head over to your Applications tab in Twitter via Settings and Privacy, and give your apps list a spring clean:


Some of the apps you may find there could be outdated or no longer updated; if that’s the case, remove them. You don’t want to end up in a situation such as this. Once you’re happy with the end result, simply save and go back to your homepage safe in the knowledge that you won’t be posting any more bad tweets (at least, not automated ones).

Elsewhere…

A number of similar campaigns were tracked and mapped out by Erin Gallagher, one of which was making use of the URL ultimasvisitass(dot)tk, with some amazing graphs mapped out across three days using Gephi, the open source visualization program. At the time of writing, some of the URLs in play don’t load, and checkvisitss redirects to lasttvisitss(dot)tk, which is fully functional and offering up an app install. All of the sites involved seem to be registered through a number of anonymous registration services, so there’s no real way to figure out who’s behind this batch of app installs.

No matter how you come across these sites, we’d advise you not to bother giving these apps permission. The “See who visited you” routine has been around for years on Twitter and Tumblr, and going even further back to Myspace. In all cases, none of these things ever seem to work and only serve to annoy, spam ads, or offer surveys.

While it’s useful to find out who’s been on your page, it’s really not worth the effort involved in installing a spam app and alienating all of your visitors from wanting to interact with you.

Profile viewer apps offer much, but deliver little. Move your hand away from the Install button and go about your day. Your social media profile’s reputation will thank you for it.

The post “Who visits your Twitter profile” spam app brings week of chaos appeared first on Malwarebytes Labs.


A week in security (January 15 – January 21)

Malwarebytes - Mon, 01/22/2018 - 17:53

Last week on Labs, we gave you some background information about cookies, specifically which ones to worry about and why. We also warned you about scams surrounding the Mega Millions winner, who promised to donate his money to good causes.

We analyzed a cryptocurrency miner using a very old technique called Heaven’s Gate to make injections into 64-bit processes from 32-bit loaders. On top of that, we pointed out that there are Chrome and Firefox extensions using “forced installs” that hide from users and hijack browsers. And last but not least, we enticed you to think about some practical New Year’s resolutions related to cybersecurity and privacy.

Other news
  • Google acknowledged a known issue where a bug in the Cast software may incorrectly send a large amount of network traffic, which can slow down or temporarily impact Wi-Fi networks. (Source: Google Support)
  • Soon after, Google announced an update to Android phones so an interaction with Chromecast video-streaming devices and Google Home smart speakers won’t whack your Wi-Fi. (Source: CNet)
  • A version of the Satori malware exploits one or more weaknesses in the Claymore Miner, replacing the owner’s wallet address with an address controlled by the attacker. (Source: ArsTechnica)
  • BlackWallet, another site in the booming cryptocurrency wallet sector, lost their users’ cryptocurrency after what looks like a DNS hijacking attack. (Source: Naked Security)
  • Dark Caracal, a surveillance toolkit-for-hire, has been used to suck huge amounts of data from Androids and Windows desktop PCs around the world. (Source: The Register)
  • A British 15-year-old gained access to intelligence operations in Afghanistan and Iran by pretending to be the head of the CIA. (Source: The Telegraph UK)
  • OnePlus announced that up to 40,000 customers were affected by the security breach that caused the company to shut down credit card payments for its online store earlier this week. (Source: The Verge)
  • The SamSam ransomware group seems to have gotten off to a “great” start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm. (Source: Bleeping Computer)
  • GhostTeam adware can steal Facebook accounts and surreptitiously push ads. It was found on 53 apps on Google Play. (Source: Trendlabs)
  • A confusing drop-down menu was the cause of the false missile warning that scared Hawaii. (Source: The Washington Post)
  • Researchers have identified a powerful new Android malware strain called Skygofree capable of eavesdropping on WhatsApp messages and much more. (Source: Threatpost)
  • Lack of authentication was the culprit behind leaks of customer details in an adult VR application called SinVR. (Source: Digital Interruption)

Stay safe, everyone!

The post A week in security (January 15 – January 21) appeared first on Malwarebytes Labs.


Cybersecurity New Year’s resolutions, you say? Why not.

Malwarebytes - Fri, 01/19/2018 - 16:00

It’s mid-January, and oh, how time flies. It wasn’t long since we bid farewell to 2017 and welcomed the new year with renewed hope and vigor. Of course, with such positivity comes a sense of an equally favorable outlook for the year ahead. However good that may sound, being faced with a tabula rasa may pose a challenge equivalent to writer’s block: We simply don’t know where to begin.

This is where resolutions come in.

It’s no surprise that our resolutions are usually about health, finances, relationships, and self-improvement. They’re the things that matter to us the most. As all of us live digital lives, too, why not think up cybersecurity New Year’s resolutions that concern our online health and safety as well?

10 cybersecurity resolutions for 2018

Exercise more. Learn a new skill or hobby. Save (more) money.

What most of us probably don’t realize is that these are actually goals, not resolutions. Resolutions are firm decisions you make to do or not do something for your benefit. Here’s a bonus: They are never time-oriented.

Without further ado, below are some New Year’s resolutions that we urge you, dear reader, to start doing in 2018.

(1) I will use two-factor authentication for all my online accounts. 2FAs are awesome. Not only do they add security to your accounts by further verifying that you are who you say you are, but they also protect you from those unlawfully attempting to access your account. So take advantage of these features if they are on offer.

(2) I will back up my files on a regular basis. Believe it or not, your files are in danger. If a strain of ransomware doesn’t hinder you from accessing them, theft, software bugs, or even mother nature would. Because of these, backing up has become an essential security and business continuity practice. Be sure to create multiple copies of personal and work files you can’t live without, and then store them in a number of physical and digital locations, such as an external hard drive or cloud storage.

(3) I will only visit sites that use HTTPS. Not every website on the Internet—even popular ones, sadly—uses HTTPS. Even sadder is that not every one of us seems to mind entering our personally identifiable information (PII) onto HTTP sites in order to use their services. As more and more companies are beginning to realize that security must go hand-in-hand with privacy, it’s important that we start watching which sites we visit and where we enter our information. Opportunely, there are extensions you can install in your browser to automatically connect to HTTPS versions of websites. Take HTTPS Everywhere, for example.

(4) I will routinely review apps on my devices and uninstall those I no longer use or need. What first seems like the must-have app that everyone raves about today is then either abandoned or completely forgotten in the next few days. Unfortunately, out of sight, out of mind actually presents a security risk—this was the outcome of a study by Google a couple of years back. Why is it important to delete unused apps? Not only can unused apps still access and use your sensitive information, but your device could become compromised through vulnerabilities in the apps, especially those that are no longer maintained by the developer. Deleting unused apps will minimize those security risks—not to mention free up some space on your phone.

(5) I will use strong passwords and manage them well. By “strong” we mean long passwords with a combination of lowercase and uppercase letters, numbers, and special characters. And by “manage” we mean not committing all these complicated strings to memory but using software that can help you remember and fill in forms you had been filling in manually in the past. I’m talking about password managers. No, paper and Post-Its don’t count. Neither does a master password list you created in Excel.

Read: Why you don’t need 27 different passwords

(6) I will update all my software in a timely manner. Doing this may be inconvenient for some users—particularly when the ill-timed notification pops up while in the middle of defeating that video game boss in hard mode—but think about the inconveniences, headache, hassle, and sleepless nights a vulnerable software could cause if cybercriminals were to successfully exploit it. You may have to retry beating that boss more than once, but there is no going back to how things were if your computing device is compromised.

(7) I will handle emails more carefully. Emails: Can’t live with them, can’t live without them. For some of us, they’re the only means to get in touch with others miles away. Unfortunately, emails are also one of the main avenues cybercriminals use to get into your system. In this day and age, clicking a link or opening an attachment can literally turn someone’s life around for the worst. So this year, before doing anything with that email, pause and think things through. Were you expecting an email from someone you know? Does the email seem fishy or “off” somehow? Verify the sender by hovering over the email address or going directly to your vendor’s website.

(8) I will think before I post. There’s no harm in posting on social media; however, sharing personal details can endanger your own privacy. You’re essentially making it easy for online miscreants and persistent threat actors to use your information in crafting a personalized social engineering attack scheme against your system. Not only that, the information you may freely give away can be used to access your accounts or steal your identity.

Do you think you’ve been oversharing? That doesn’t mean you should go cold turkey, but it does mean that you need to tone down on posting stuff about yourself or people close to you. Ask questions: Why am I posting this? If I were the bad guy, what would they get out of this post? Should I really be posting this picture of my bank card?

(9) I will familiarize myself with the latest cybersecurity threats and scams. A long time ago, I overheard someone jokingly say that they don’t watch the news anymore because they’re allergic to bad news. When it comes to news about cybersecurity, we mostly hear or read about the bad stuff. But trust me, no matter how stressful the news can be—take Meltdown and Spectre catching everyone by surprise, for example—the more you know, the more you’re able to protect yourself against new threats. (That said, have you already applied the patches you need for Meltdown and Spectre? If not, this write-up by our very own Jérôme Boursier describes and links to the patches available for various hardware, OS, and software systems.)

(10) I will talk to my friends and family about cybersecurity and privacy. It may be a bit awkward at first, or you may be met with glazed over eyes, but you know this is important. These days, politics might dominate the conversation around cybersecurity, but it doesn’t have to be that way. Start off by commenting on a news report about an Internet scam or what some reporters might still call “a new computer virus.” Share any helpful tips you know for protecting against these threats, including any of the resolutions listed above or which cybersecurity program you use that blocks them. Work with what you know. Ask questions, and share your thoughts. They might learn a thing or two from you.

Act now

Making resolutions is one thing. Acting on them is another. In reality, we don’t need to wait for the first day of the year to clean up our computing habits. Resolve to make the small changes now. Whether or not 2018 will be the year you start building safe computing habits, reinforcing the good ones you already practice and ditching the old, who knows. Act now and see where it takes you.

Have you come up with cybersecurity resolutions of your own? Share them with us in the comments below!

The post Cybersecurity New Year’s resolutions, you say? Why not. appeared first on Malwarebytes Labs.


New Chrome and Firefox extensions block their removal to hijack browsers

Malwarebytes - Thu, 01/18/2018 - 16:00

What you don’t see won’t hurt you, must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove. The extensions redirect users away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searches.

The extensions, which have been found in both Chrome and Firefox browsers, block users from removing them either by closing pages with extensions/add-ons info, or by sending users to a different page, such as an apps overview page, where extensions aren’t listed.

In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it. (Malwarebytes Premium and Business users are already protected from these threats by our website protection module.)

However, if you’re not a Premium customer, there are still some, admittedly involved, ways to get around these murky and persistent browser hijackers by recognizing, finding, and removing the extensions. Here’s what you can do.

For Chrome

First, we’re going to look at the Chrome extension called Tiempo en colombia en vivo, which is pushed by the method we previously described as a forced Chrome extension. The extension is detected by Malwarebytes as Rogue.ForcedExtension.

You can find the removal guide for Tiempo en colombia en vivo on our forums.

The extension keeps users out of Chrome’s extensions list by redirecting chrome://extensions/ to chrome://apps/?r=extensions, where the offending extension is not listed, as only the installed apps will be shown.

Blocking JavaScript in Chrome doesn’t help in this case, as that setting only applies to sites and not to this (internal) page.

 

The clean method to stop extensions from redirecting your Chrome tabs is to start Chrome with extensions disabled. You can do this by adding the switch “--disable-extensions” to the command that runs Chrome.

But doing this will not offer you the option to remove any extensions, as Chrome will behave as if it has no extensions whatsoever. So this offers us no way to remove the extension from the list as you normally would.

Renaming the file 1499654451774.js in the extensions folder does help, however, and after a restart of Chrome, we can see the extension in the list of extensions. It shows up as corrupted because we renamed their JavaScript to something else, so it can’t find what it’s looking for.

Tip: To escape from a Chrome site that is trying to make you stay there, you can use Ctrl+T to open a new tab. The new tab will have focus, so you can then close the offending tab by clicking the “x” that lights up in red when you hover over the tab.

For Firefox

We also found a Firefox extension that displays similar behavior to the Chrome extension. This one was pushed by ad-rotators as a manual update for Firefox.

Malwarebytes detects this extension as PUP.Optional.FFHelperProtection. A full removal guide for FF Helper Protection can be found on our forums.

This extension blocks about:addons in background.js by looking for that string in the URL and closing the tab if the string is found.

This means that you can’t remove the extension manually.

Firefox, however, can be run in safe mode by holding down the Shift key while starting Firefox. Then confirm that you want to “Start in Safe Mode” in this prompt.

Firefox’s safe mode is most helpful, as you can see all the installed extensions while they are not active. Doing so allows you to manually remove the extension (and any others you might not want) in the same way you normally would. Click the “Remove” button in the extension’s description field, and you’re done.

If you are kept on a Firefox tab by JavaScript that keeps popping up prompts, and you are unable to close the window in the usual way, you can terminate Firefox using Task Manager. When you restart Firefox, it will not be able to restore the session for that tab.
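A static triage check for the self-protection behaviour described in the Chrome and Firefox sections above, added here as an example and not part of the Malwarebytes write-up or of either extension’s code. The sample manifest and background scripts are constructed, and the API names it looks for (tabs.onUpdated, tabs.remove/update/create, webNavigation) are my choice of indicators rather than anything taken from the real samples.

```python
"""Static triage for extensions that keep users away from their removal page.

Added example, not Malwarebytes' code nor the extensions' code. It reads the
manifest and background script text of an unpacked extension and flags scripts
that (1) watch tab navigation, (2) mention a browser management page and
(3) can close or redirect tabs: the combination described for
Tiempo en colombia en vivo (chrome://extensions -> chrome://apps) and
FF Helper Protection (closes tabs whose URL contains about:addons).
Heuristic only; it never executes the scripts.
"""
import re
from dataclasses import dataclass, field

# Pages an extension has no business watching for in other tabs.
MANAGEMENT_PAGES = ("chrome://extensions", "about:addons", "chrome://apps")

# APIs that can close or navigate a tab (assumed indicator set, my choice).
TAB_CONTROL = re.compile(
    r"\b(?:chrome|browser)\.tabs\.(remove|update|create)\s*\(")
# APIs that observe tab URLs as they change.
TAB_WATCH = re.compile(
    r"\b(?:chrome|browser)\.(?:tabs\.onUpdated|tabs\.onCreated|"
    r"webNavigation\.\w+)\.addListener\s*\(")


@dataclass
class Finding:
    script: str
    pages: list = field(default_factory=list)
    controls: list = field(default_factory=list)
    watches: bool = False

    @property
    def suspicious(self) -> bool:
        # Each signal alone is common in benign extensions (an options page
        # opened with tabs.create, for instance); all three together are not.
        return bool(self.pages) and bool(self.controls) and self.watches


def triage_script(name: str, source: str) -> Finding:
    """Collect the three signals from one script's source text."""
    lowered = source.lower()
    return Finding(
        script=name,
        pages=[p for p in MANAGEMENT_PAGES if p in lowered],
        controls=sorted({m.group(1) for m in TAB_CONTROL.finditer(source)}),
        watches=TAB_WATCH.search(source) is not None,
    )


def triage_extension(manifest: dict, sources: dict) -> list:
    """Triage every background script the manifest declares.

    `manifest` is the parsed manifest.json, `sources` maps script path to text.
    Covers MV2 background.scripts (Chrome and Firefox) and MV3 service_worker.
    """
    background = manifest.get("background", {})
    scripts = list(background.get("scripts", []))
    if "service_worker" in background:
        scripts.append(background["service_worker"])
    return [triage_script(s, sources.get(s, "")) for s in scripts]


def suspicious_scripts(manifest: dict, sources: dict) -> list:
    """Names of background scripts that trip all three signals."""
    return [f.script for f in triage_extension(manifest, sources) if f.suspicious]


# Constructed samples (not taken from the real extensions).
HIJACK_BG = """
browser.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (tab.url && tab.url.indexOf("about:addons") !== -1) {
    browser.tabs.remove(tabId);   // user never reaches the add-ons page
  }
});
"""
BENIGN_BG = """
chrome.runtime.onInstalled.addListener(function () {
  chrome.tabs.create({ url: chrome.runtime.getURL("welcome.html") });
});
"""
SAMPLE_MANIFEST = {"manifest_version": 2,
                   "background": {"scripts": ["background.js", "helper.js"]}}
SAMPLE_SOURCES = {"background.js": HIJACK_BG, "helper.js": BENIGN_BG}

if __name__ == "__main__":
    for finding in triage_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        verdict = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{finding.script}: {verdict} pages={finding.pages} "
              f"controls={finding.controls} watches={finding.watches}")
```

Run it against the unpacked extension directory (manifest.json plus the scripts it names) rather than the packed .crx/.xpi; obfuscated scripts will need unpacking first, since the check is purely textual.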

How to avoid

While the extensions have been around for a few weeks, both are still in use in one form or another. In fact, the Tiempo en colombia en vivo extension was still available in the Chrome Web Store at the time of writing. Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them. The best we can offer is to stay vigilant as you surf and use an adblocker (that could help with blocking the Firefox extension). Though we’d like to add the obvious: Avoid actually downloading these extensions in web stores as well. In fact, it’s a good idea to read the fine print carefully for any browser extension you download.

IOCs

Domains: socialextensions.top, searchdf.biz, helperprotectionff.biz, helperprotectionext.biz, reliablesurfingext.biz

Chrome extension: gbhodkgjhojjjggokjjlbccecdhkjjgl

Firefox extensions: {eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi, {b91fcda4-88b0-4a10-9015-9365e5340563}.xpi

Stay safe out there.

The post New Chrome and Firefox extensions block their removal to hijack browsers appeared first on Malwarebytes Labs.


A coin miner with a “Heaven’s Gate”

Malwarebytes - Wed, 01/17/2018 - 16:00

You might call the last two years the years of ransomware. Ransomware was, without a doubt, the most popular type of malware. But at the end of last year, we started observing that ransomware was losing its popularity to coin miners. It is very much possible that this trend will grow as 2018 progresses.

From the point of view of the victim, this is a huge relief, because miners are not as much of a threat as ransomware. They slow down the system, yes, but once you get rid of them you can continue using your computer as before. No data is stolen or lost, as is the case with a ransomware infection.

From the point of view of a malware researcher, miners are so far disappointing. They don’t give enough interesting material for a deeper analysis, mostly because they are based on well-known open source components with little or no obfuscation.

However, from time to time, we find coin miners incorporating interesting tricks. In one recent sample, we observed a technique called “Heaven’s Gate” that allows the malware to make injections into 64-bit processes from 32-bit loaders. This trick is not new—its introduction is dated to 2009—but it’s curious to see it implemented in this new sample captured in the wild.

Those who are beginners in malware analysis can read on for a guide about what Heaven’s Gate is and how to approach analyzing it.

Analyzed samples

This sample was found in the continuation of the Ngay campaign (more about it here). A background check on similar samples led me to the article by @_qaz_qaz, who described an earlier campaign with a similar sample. However, his analysis skipped details on the Heaven’s Gate technique.

Behavioral analysis

To observe the mentioned injection, we must run the sample on a 64-bit system. We can see that it runs an instance of notepad, with parameters typical for mining cryptocurrency:

Looking at the in-memory strings in ProcessExplorer, we can clearly see that it is not a real notepad running, but the xmrig Monero miner:

So, at this moment we’re confident that the notepad’s image has been replaced in memory, most probably by the RunPE (Process Hollowing) technique.

The main dropper is 32-bit, but it injects a payload into a 64-bit notepad:

The fun part is that this type of injection is not supported by the official Windows API. We can read/write the memory of 32-bit processes from a 64-bit application (using Wow64 API), but not the other way around.

There are, however, some unofficial solutions to this, such as the technique called “Heaven’s Gate.”

Heaven’s Gate overview

The Heaven’s Gate technique was first described in 2009 by a hacker nicknamed Roy G. Biv. Later, many adaptations were created, such as the library Wow64ext or, based on it, W64oWoW64. In a blog post from 2015, Alex Ionescu described mitigations against this technique.

But let’s have a look at how it works.

Running 32-bit processes on 64-bit Windows

Every 32-bit process that runs on a 64-bit version of Windows runs in a special subsystem called WoW64 that emulates the 32-bit environment. We can explain it as a 32-bit sandbox that is created inside a 64-bit process. So, first the 64-bit environment for the process is created. Then, inside it, the 32-bit environment is created. The application is executed in this 32-bit environment and it has no access to the 64-bit part.

If we scan the 32-bit process from outside, via a 64-bit scanner, we can see that it has both 32- and 64-bit DLLs inside. Most importantly, it has two versions of NTDLL: 32-bit (loaded from the directory SysWow64) and 64-bit (loaded from the directory System32):

However, the 32-bit process itself can’t see the 64-bit part and is limited to using the 32-bit DLLs. To make an injection to a 64-bit process, we’d need to use the 64-bit versions of appropriate functions.

Code segments

In order to access the forbidden part of the environment, we need to understand how the isolation is made. It turns out that it’s quite simple. 32- and 64-bit code execution are selected through different code segment selectors: 32-bit is 0x23 and 64-bit is 0x33.

If we call an address in a typical way, the mode that is used to interpret it is the one set by default. However, we can explicitly request to change it using assembler instructions.

Inside the miner: the Heaven’s Gate implementation

I will not do a full analysis of this miner because it has already been described here. Let’s jump directly to the place where the fun begins. The malware checks its environment, and if it finds that it’s running on a 64-bit system, it takes a different path to make an injection into a 64-bit process:

After some anti-analysis checks, it creates a new, suspended 64-bit process (in this case, it is a notepad):

This is the target into which the malicious payload is going to be injected.

As we discussed before, in order to inject the payload into a 64-bit process, we need to use the appropriate 64-bit functions.

First, the loader takes a handle to a 64-bit NTDLL:

What happens inside this function get_ntdll requires some deeper explanation. As a reference, we can also have a look at the analogous code in ReWolf’s library.

To get access to the 64-bit part of the process environment, we need to manipulate the segment selectors. Let’s see how our malware enters 64-bit mode:

This code seems to be directly copied from the open source library: https://github.com/rwfpl/rewolf-wow64ext/blob/master/src/internal.h#L26

The segment selector 0x33 is pushed on the stack. Then, the malware calls the next line (this way, the next line’s address is also pushed on the stack):

The pushed address is then fixed up by adding 5 bytes, so that it points just after the retf:

At the end, the instruction RETF is called. RETF is a “far return,” and in contrast to the casual RET, it allows specifying not only the address where the execution should return, but also the segment. It takes as arguments two DWORDs from the stack. So, when the RETF is hit, the actual return address is:

0x33:0x402A50

Thanks to the changed segment, the code that starts at the specified address is interpreted as 64-bit. So, the code that is visible under the debugger as 32-bit…

…is, in reality, 64-bit.

For the fast switching of those views, I used a feature of PE-bear:

And this is how this piece of code looks, if it is interpreted as 64-bit:

So, the code that is executed here is responsible for moving the content of the R12 register into a variable on the stack, and then switching back to 32-bit mode. This is done for the purpose of getting the 64-bit Thread Environment Block (TEB), from which we next fetch the 64-bit Process Environment Block (PEB); see the analogous code.

The 64-bit PEB is used as a starting point to search for the 64-bit version of NTDLL. This part is implemented in a casual way (a “vanilla” implementation of this technique can be found here) using a pointer to the loaded libraries that is one of the fields in the PEB structure. So, from the PEB we get a field called Ldr:

Ldr is a structure of the type _PEB_LDR_DATA. It contains an entry called InMemoryOrderModuleList:

This list contains all the loaded DLLs that are present in the memory of the examined process. We browse through this list until we find the DLL of our interest that, in this case, is NTDLL. This is exactly what the mentioned function get_ntdll does. In order to find the appropriate name, it calls the following function—denoted as is_ntdll_lib—that checks the name of the library character-by-character and compares it with ntdll.dll. It is an equivalent of this code.

If the name matches, the address to the library is returned in a pair of registers:

Once NTDLL is found, we just need to fetch the addresses of the appropriate functions. This is done by browsing the export table of the DLL:

The following functions are being fetched:

  • NtUnmapViewOfSection
  • NtGetContextThread
  • NtAllocateVirtualMemory
  • NtReadVirtualMemory
  • NtWriteVirtualMemory
  • NtSetContextThread

As we know, those functions are typical of the RunPE technique. First, NtUnmapViewOfSection is used to unmap the original PE file. Then, memory in the remote process is allocated, and the new PE is written. At the end, the context of the process is changed to start the execution from the injected module.

The addresses of the functions are saved and later called (similarly to this code) to manipulate the remote process.
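As an added example (not the miner’s code and not from Malwarebytes), a scanner for the segment-switch gadget walked through above: it searches a 32-bit binary or memory dump for the exact byte sequences rewolf-wow64ext emits for entering and leaving 64-bit mode, plus a looser push 0x33 … retf pattern, and computes where the 64-bit code begins after the RETF. The sample buffer and the 0x400000 image base are constructed assumptions.

```python
"""Scan a 32-bit image or memory dump for the Heaven's Gate switch gadgets.

Added example, not the miner's code and not from Malwarebytes. The byte
sequences are the X64_Start / X64_End macros of rewolf-wow64ext (internal.h),
which the post shows the miner reused verbatim; a legitimate 32-bit program
rarely carries a far return to selector 0x33. Offsets are buffer offsets and
the 0x400000 image base is an assumption used only for printing.
"""
import re

CS_32BIT = 0x23
CS_64BIT = 0x33

# push 0x33 ; call $+5 ; add dword [esp], 5 ; retf      -> run as 64-bit
ENTER_64 = bytes.fromhex("6a33" "e800000000" "83042405" "cb")
# call $+5 ; mov dword [rsp+4], 0x23 ; add dword [rsp], 0xD ; retf -> back to 32-bit
LEAVE_64 = bytes.fromhex("e800000000" "c744240423000000" "8304240d" "cb")
# Looser: push 0x33 followed by a far return within 16 bytes (catches
# hand-edited variants, at the price of more false positives).
LOOSE_ENTER = re.compile(rb"\x6a\x33.{0,16}?\xcb", re.DOTALL)


def far_return_target(gadget_offset: int) -> int:
    """Offset of the first 64-bit instruction after the entry gadget's RETF.

    call $+5 pushes the address of the 'add'; add dword [esp], 5 moves it past
    the 4-byte add and the 1-byte retf, so RETF pops 0x33:<byte after gadget>.
    """
    return gadget_offset + len(ENTER_64)


def _find_all(buf: bytes, needle: bytes) -> list:
    hits, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf: bytes) -> list:
    """Return [(offset, kind, confidence)] sorted by offset."""
    found = {}
    for off in _find_all(buf, ENTER_64):
        found[off] = ("enter-64", "high")
    for off in _find_all(buf, LEAVE_64):
        found[off] = ("leave-64", "high")
    for m in LOOSE_ENTER.finditer(buf):
        found.setdefault(m.start(), ("enter-64?", "low"))
    return [(off, kind, conf) for off, (kind, conf) in sorted(found.items())]


def report(buf: bytes, image_base: int = 0x400000) -> list:
    """Human-readable lines, with VAs computed from the assumed image base."""
    lines = []
    for off, kind, conf in scan(buf):
        line = f"{image_base + off:#010x}  {kind:<10} confidence={conf}"
        if kind == "enter-64":   # exact gadget, so the +12 fix-up is reliable
            line += f"  64-bit code begins at {image_base + far_return_target(off):#x}"
        lines.append(line)
    return lines


# Constructed sample: NOP padding, the entry gadget at 0x2A44 so the 64-bit
# code starts at 0x2A50 (0x402A50 with the assumed base, as in the post),
# a stub that stores R12 to the stack, then the exit gadget.
SAMPLE = (b"\x90" * 0x2A44
          + ENTER_64
          + b"\x4c\x89\x64\x24\x08"   # mov [rsp+8], r12 (64-bit encoding)
          + LEAVE_64
          + b"\xc3")                  # ret, back in 32-bit code

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the raw bytes of a suspicious 32-bit PE or a memory region dumped from a WoW64 process; a high-confidence hit is a strong reason to step through the bytes after the gadget as 64-bit code, as the PE-bear view in the post does.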

Conclusion

So far, authors of coin miners don’t show a lot of creativity. They achieve their goals by heavily relying on open-source components. The described case also shows this tendency: they made use of a ready-made implementation.

The Heaven’s Gate technique has been around for several years. Some malware uses it for the purpose of being stealthy. But in the case of this coin miner, the authors probably aimed instead to maximize performance by using a payload version that best fits the target architecture.

The post A coin miner with a “Heaven’s Gate” appeared first on Malwarebytes Labs.


Be wary of Mega Millions winner “giveaway” on social media

Malwarebytes - Tue, 01/16/2018 - 18:12

I don’t do lotteries, but if I did, I’d probably never, ever win in a million years. That’s not a problem faced by 20-year-old Shane Missler, winner of the fourth-largest haul in Mega Millions’ 21 years of handing out large bundles of cash.

He’s on record as saying he wants to “do some good” for humanity, but I suspect he may have to do some good in the identification verification sweepstakes first.

An account has popped up on Twitter claiming to be him, and claiming he’ll be giving away large amounts of money for retweets. I mean, it’s not exactly donating a million to medical science, but it’s definitely going to help random recipients.

Only problem is, the account seems a little too good to be true. In fact, it’s just one of many currently being retweeted into the stratosphere:


Shall we take a look?


First off: the bio.

Lottery winner of $451 Million. Giving back $5,000 to the first 50k followers that retweet **SIGN UP AND PURCHASE IN LINK BELOW FOR AN INSTANT $2,000**

Well, that’s interesting. You have to “sign up” AND “purchase” via a link to receive $2,000?

The link in question is an Amazon referral link, and for some reason our very rich lottery winner wants you to purchase an Amazon fire stick. If you won $451m, would you be bothering with Amazon referral sales, which would generate tiny amounts of money for the Amazon associate before handing over $2,000? What’s the point?


Even better is the claim that $5,000 will be winging its way to 50k followers who retweet the original post. From the BBC article:

He opted to receive a one-time payment of $282m, instead of the full amount over a longer period of time.

Uh oh.

5,000 x 50,000 is $250m, except according to this article after you account for taxes he’ll likely be left with around $211m.

So there’s that, plus the apparent ability to keep giving people $2,000 from a bottomless well of cash for every Amazon stick purchased…somehow.

I don’t know about you, but I think I’ll pass on retweeting this and/or going on an Amazon spree, because there’s no way this guy is planning on re-enacting Catch Me If You Can immediately after scoring the cash windfall of his dreams. It just doesn’t make any sense.

A number of similar accounts are also doing the rounds, all of which are claiming much the same things (along with the claim that his account is being “verified soon”).

I can tell you now, there’s no way anyone can confidently predict their Twitter account will be verified, much less when. After the application is sent off to the verification team, you could be verified the next day, week, month, or never. It’s simply not something you can claim is going to happen, because no timescales are given to applicants by Twitter. Also of note: the above account retweeted the below tweet to make it look as though money was indeed being fired off to people:


Some problems with this: neither account is verified. All of these people could be real or playing along or the same individual. Worse, all of the accounts claim the $5,000 will be sent to the “first 50k followers that retweet my pinned tweet.”

Great, except look at the retweet numbers at time of writing:

…and the follower count?

Why has someone been sent money already? Looking at all of the evidence on offer, we feel it’s better to take the stance that without verification this is very, very likely to be a scam. Whatever the winner has planned for his money—and it seems most of what he’s said involves treating his family—there’s a good chance it doesn’t involve giving away all (or, hilariously, more than all) of his recently received winnings. Some of the other accounts floating around don’t even spell his name correctly.

Sorry, Twitter. This isn’t the golden ticket you’re looking for.

The post Be wary of Mega Millions winner “giveaway” on social media appeared first on Malwarebytes Labs.


Cookies: Should I worry about them?

Malwarebytes - Mon, 01/15/2018 - 18:16

Starting off the new year, many of us are worried about cookies—how many we ate over the holidays and how we’re going to avoid them in the break room, for example. With so much cybercrime and data theft swirling around like daily bomb cyclones, there are more than a few folks worried about the kinds of cookies they encounter on the Internet.

But should they be?

Cookies are typically text files that can provide information about your browsing behavior to websites that you visit. On the one hand, cookies are useful for making your Internet experience more efficient. It’s how you automatically get logged in on sites you’ve already visited, even if you closed the browser tab, for example. But on the other hand, cookies are part of the advertising ecosystem that knows which advertisements are most likely to draw your attention—and they serve them up to you wherever you visit.

Why doesn’t Malwarebytes detect cookies?

Cookies in themselves are harmless. They are just data stored by a website in your browser, and they are not malware. It is what sites do with them that determines whether we like them or not. Some cookies are essential to use a site properly, and others might be considered a privacy risk. Since the possible preferences are various and personal, we believe in leaving the choice up to our customers. Of course, we can and do block sites that we know to plant overly intrusive cookies on a user’s machine. But otherwise, we leave it up to you.

How do I delete and control cookies?

At some point, you may want to remove the cookies from your browser. Below, you will see how to do that for a couple of popular browsers. But before you get rid of all of them, let me warn you that you may regret doing so. Your favorite sites will forget who you are, and you will have to log in where you normally were automatically accepted.

Windows

Edge

Unfortunately, Edge (like Internet Explorer) does not have a built-in management tool for specific cookies. It only has an all-or-nothing delete option, which you can find under Settings. Under Clear browsing data, click Choose > Cookies and saved website data. The control over new cookies is also not very granular. You can find it under Settings > Advanced settings > View advanced settings, where you will find three options: block, don’t block, or block only third-party cookies.

Internet Explorer

To clear cookies in Internet Explorer, select Tools > Internet options > General tab. Under Browsing history, hit Delete and put a checkmark in the Cookies box. Think once more, because this is an all or nothing method, before you hit Delete. For a more detailed description, check out Microsoft’s support article on How to delete cookie files in Internet Explorer.

Chrome

Go to Menu > Settings > Show advanced settings. Under Privacy, click Content settings > Cookies. Click “All cookies and site data” to get an overview. Here you do have a choice on what to delete. You can delete individual cookies separately or all of them in one sweep. For a more detailed description, see Google’s support article: Manage your cookies and site data.

Firefox

Click on the Firefox button > Options > Privacy > Show Cookies. Here you will see options to Delete all cookies or search for specific ones you want to delete. For a more detailed description, take a look at Firefox’s article: Delete cookies to remove the information websites have stored on your computer.

Opera

Click the Opera button > Settings > Delete Private Data > Detailed options > Manage cookies. Here you will see an overview of the stored cookies and an option to delete them separately. For more information, see Opera’s help article: Manage Cookies.

In the links I have provided for Chrome, Firefox, and Opera, you will also find information on how to control which cookies get stored on your computer. Internet Explorer has the controls on the Privacy tab under Tools > Internet options.

macOS

Malwarebytes for Mac does not detect or remove cookies either. Like we said before, cookies are just data stored by a website, and not malware. At worst, they can pose a threat to your privacy, in the case of tracking cookies. Further, many cookies are not only legitimate, but also required for normal operation of some websites.

If you feel it necessary to delete cookies from your computer, some of them may be difficult to get rid of. You can use the following techniques to delete these cookies, but you should be aware that they will come right back as soon as you visit a site that sets those cookies.

Safari

Safari offers the option to clear all your cookies along with your browsing history. To use this option choose History > Clear History. Click the pop-up menu, and then choose how far back you want your browsing history cleared. Or you can choose to delete only cookies and website data by clicking Preferences > Privacy > Manage Website Data. Select one or more websites, then click Remove or Remove All. For more information, see Safari’s support articles: Manage cookies and website data and Safari help.

Under Privacy, you can also find the settings to control which cookies will be allowed moving forward by choosing “Change which cookies and website data are accepted.”

Adobe Flash Player

When you visit some sites with Adobe Flash Player installed and activated, the software also stores cookie data on your system. The easiest way to control these is to visit the Flash Player Help site and use the Website Storage Settings panel displayed there to delete those that you no longer want. Read the information below the panel to make sure you understand what your options are and how to use them.

Silverlight

Browser plug-in Silverlight can also store cross-browser information in the application cache. To delete the Silverlight Cache, follow this procedure:

  • Close all Microsoft browser windows (Internet Explorer and Edge).
  • Click Start > All Programs > Microsoft Silverlight.
  • Choose the Application Storage tab.
  • Click Delete all.
  • Click “Yes” in the “Delete application storage for all Web sites?” dialog.
  • Click OK.

Evercookies

Evercookies are not just text files. They are JavaScript routines that recreate cookies even after they have been removed. Evercookies often rely on the two major streaming video browser plug-ins: Microsoft Silverlight and Adobe Flash. These plug-ins have their own caching and storage, which can be used across sessions and even across browsers. But the data can be hidden in other caches as well. By storing the same data in several locations that a client can access, the data can be recovered and then reset and reused if any of it is ever lost (for example, by clearing cookies).

To actually get rid of evercookies, you would have to delete all the related cookies and clear all the caches of all your browsers and video browser plug-ins, using the information posted above.

Supercookies

These are technically not cookies because they are not stored in browsers or browser plug-ins, but I wanted to mention them here anyway because their name might lead you to think otherwise. Supercookies are unique identifiers that are inserted into the HTTP header by a service provider. Service providers are legally bound to offer you an opt-out option, so it could be prudent to check if your service provider uses supercookies and how to opt out if they do.

The post Cookies: Should I worry about them? appeared first on Malwarebytes Labs.


A week in security (January 8 – January 14)

Malwarebytes - Mon, 01/15/2018 - 17:00

It’s very early in the year, yet everyone has already had a complete meltdown (pun intended) over a number of serious vulnerabilities found in legacy and modern microprocessors. Last week, rightly so, vendors released patches for hardware and OSes to help mitigate these threats. However, problems in patching persisted.

As if this wasn’t challenging enough, some online criminals jumped on the bandwagon to take advantage of the hullabaloo and push the Smoke Loader malware onto unsuspecting users’ systems.

On our blog, we also touched on WPA3, misleading marketing tactics, more 419 scams, and the indictment of the alleged Fruitfly creator—a win for the security community.

Lastly, in the realm of cryptocurrency, we saw an increase in malware payloads from the RIG exploit kit.

Other news

Stay safe, everyone!

The post A week in security (January 8 – January 14) appeared first on Malwarebytes Labs.


Stripchat bot spells block

Malwarebytes - Fri, 01/12/2018 - 23:26

Here at Malwarebytes, we spend a lot of time and effort scouring the Internet looking for malicious websites that we can protect our users from. Sometimes, these websites are pushing malware or some kind of scam. Other times it comes down to bad advertising practices that are used to fool the user into clicking on something.

We used to see a lot of this kind of trick with fake download buttons that redirected users to sites for installer downloads or to surveys. More recently, we found a site using a different type of deception, and it’s shot up to our second-most common detection over the last month. The site is called creative.stripchat.com.

Stripchat.com is an online streaming video service operated by Technius LTD and offered on a number of popular websites. The streaming service targets adult audiences for the purposes of online sexual encounters. The service boasts many active subscribers and a number of channels available for use.


Stripchat has a number of valid channels, feeds, and websites, but one particular subdomain has caught the attention of Malwarebytes for implementing various deceptive tactics and misleading techniques. The website, creative.stripchat.com, is a domain which is used for advertising purposes. Once opened in a web browser, the website purports to engage the user via a “live” chat window and the ability to chat with a model. This, however, is not the case.

The reported live video feed is nothing more than a video retrieved from the Internet and subsequently looped, or in some cases terminated with a message indicating the model is in a private chat. These messages are deceptive, as the feeds are not live as claimed and the responses are pre-programmed, as can be seen from the JavaScript code and the subsequent chat session.

Malwarebytes blocks the creative.stripchat.com sub-domain for the use of these misleading marketing tactics.

However, if you’d like to continue visiting this sub-domain, you can add an exception. Scroll down to the “How to add an exception” heading of this post on why we block CoinHive to learn how.

The post Stripchat bot spells block appeared first on Malwarebytes Labs.


Fake Spectre and Meltdown patch pushes Smoke Loader malware

Malwarebytes - Fri, 01/12/2018 - 20:50

The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.

While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how they affect processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.

Moreover, the same fraudulent domain has a link to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information:

The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

We immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not resolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering in disguise.

It’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first.

Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam.

Indicators of compromise

Fraudulent site:

sicherheit-informationstechnik[.]bid

Fake patch (Smoke Loader):

sicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip
SHA-256: CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Smoke Loader callbacks:

coolwater-ltd-supportid[.]ru
localprivat-support[.]ru
service-consultingavarage[.]ru
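One practical use of the indicators above is to sweep DNS and proxy logs for them, refanging the `[.]` notation first and matching subdomains of the listed hosts as well as the hosts themselves. The block below is an added example, not code from the Malwarebytes post; the indicators are the ones listed above, while the log line format and the client addresses are constructed.

```python
"""Match the Smoke Loader indicators from the post against log lines.

Added example. The indicator values come from the post; the syslog-style DNS
and proxy lines, the client IPs and the 'sha256=' field are constructed.
"""
import re

DEFANGED_DOMAINS = [
    "sicherheit-informationstechnik[.]bid",
    "coolwater-ltd-supportid[.]ru",
    "localprivat-support[.]ru",
    "service-consultingavarage[.]ru",
]
# 64 hex characters, i.e. a SHA-256 digest, as listed for the fake patch.
FAKE_PATCH_SHA256 = "CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C"


def refang(ioc):
    """Turn the publication-safe form back into a usable value:
    '[.]' -> '.', 'hxxp' -> 'http', lower-cased."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host):
    """True if host equals an indicator domain or is a subdomain of one.
    The leading dot in the suffix test stops 'notlocalprivat-support.ru'
    from matching 'localprivat-support.ru'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


DNS_RE = re.compile(r"query:\s+(?P<qname>\S+)")
SHA_RE = re.compile(r"sha256=(?P<sha>[0-9a-fA-F]{64})")


def scan_logs(lines):
    """Return (line number, indicator type, matched value) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("qname")):
            hits.append((n, "domain", m.group("qname").lower().rstrip(".")))
        m = SHA_RE.search(line)
        if m and m.group("sha").upper() == FAKE_PATCH_SHA256:
            hits.append((n, "sha256", m.group("sha").upper()))
    return hits


# Constructed sample: lines 2, 3 and 4 should match; 1 and 5 should not.
SAMPLE_LOGS = """\
Jan 12 10:01:02 resolver named[123]: client 10.0.0.5 query: www.example.com IN A
Jan 12 10:01:09 resolver named[123]: client 10.0.0.5 query: sicherheit-informationstechnik.bid IN A
Jan 12 10:01:15 resolver named[123]: client 10.0.0.5 query: cdn.coolwater-ltd-supportid.ru. IN A
Jan 12 10:01:20 proxy squid[77]: 10.0.0.5 GET /Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip sha256=cd17ce11df9de507af025ef46398cfdcb99d3904b2b5718bff2dc0b01aeae38c
Jan 12 10:02:00 resolver named[123]: client 10.0.0.6 query: notlocalprivat-support.ru IN A
""".splitlines()

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
```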

The post Fake Spectre and Meltdown patch pushes Smoke Loader malware appeared first on Malwarebytes Labs.


WPA3 will secure Wi-Fi connections in four significant ways in 2018

Malwarebytes - Fri, 01/12/2018 - 17:30

CES, the annual consumer electronics extravaganza in Las Vegas, isn’t just a showcase for virtual reality and poorly-timed power outages. It’s also an opportunity to get a peek at the future of network security.

That’s why on the first day of CES, the Wi-Fi Alliance announced the newest security protocol for Wi-Fi devices: WPA3. The new protocol is the most significant upgrade to Wi-Fi security since WPA2 was ratified in 2004.

Details are thin, but the announcement outlined four new security capabilities that will protect wireless connections in the years to come.

1. Protection against brute force “dictionary” attacks

Despite a generation of irritated admins requesting that users choose stronger passwords, the most popular passwords are still common words like “password” or “football.” That makes networks vulnerable to simple brute force attacks that systematically submit every word in the dictionary as a password. Online tutorials of this Wi-Fi hack are trivially easy to find.

WPA3 should make that issue a thing of the past by “delivering robust protections even when users choose passwords that fall short of typical complexity recommendations.” Some security experts have speculated that this refers to a type of key exchange called Dragonfly. According to the Internet Engineering Task Force (IETF), Dragonfly “employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.”

2. Easier Internet of Things (IoT) security

WPA3 promises to “simplify the process of configuring security for devices that have limited or no display interface.” That’s a nod to the growing number of devices that are enhanced by network connections, such as smart door locks, home personal assistants, and (apparently) toothbrushes. Since IoT devices rarely have a graphical interface, it’s difficult to configure them for optimal security. You can’t type a password directly on a toothbrush, after all. This can naturally lead to less secure connections and vulnerable devices. Hackers could, for example, access your smart speakers and play whatever audio they want in your living room.

The Wi-Fi Alliance hasn’t yet offered details on how WPA3 overcomes this challenge. But researchers have successfully enhanced security on IoT devices by configuring them with a smartphone.

3. Stronger encryption

WPA2 requires a 64-bit or 128-bit encryption key. But WPA3 uses a stronger standard: 192-bit encryption and alignment with the Commercial National Security Algorithm (CNSA) Suite. This promises consumers the kind of beefier security that’s currently used to protect governments and corporations.

4. Secure public Wi-Fi

Public Wi-Fi connections, like the kind you might use in a coffee shop or library, are always less secure than private ones. That’s partly due to the inherent security limitations of open wireless networks, and partly due to the fact that librarians and coffee shop owners aren’t typically network security masters. The new standards promise to “strengthen user privacy in open networks through individualized data encryption,” though the announcement doesn’t offer specifics on how that will be achieved.

Curiously, during its CES announcement, the Wi-Fi Alliance made no mention of KRACK, the vulnerability in WPA2 that impacted all Wi-Fi devices. However, Mathy Vanhoef, the researcher who discovered the vulnerability, wrote several enthusiastic tweets about WPA3.

In one, he speculates that WPA3 will include Opportunistic Wireless Encryption. This enables connection on an open network without a shared and public Pre-Shared Key (PSK). That’s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), thus allowing them access to a data stream. In other words, the new protocol should help prevent hackers from snooping on your web browsing while you’re at Starbucks.

Before we start to see the benefits of WPA3, the Wi-Fi Alliance has to certify hardware that uses the security protocol. So there’s no telling when people can start enjoying the enhanced security protections. But you shouldn’t be surprised if you start seeing devices that use the new protocol later this year.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

The post WPA3 will secure Wi-Fi connections in four significant ways in 2018 appeared first on Malwarebytes Labs.


Alleged creator of Fruitfly indicted for 13 years of spying

Malwarebytes - Fri, 01/12/2018 - 16:43

Way back at the start of last year, we took a look at something called Fruitfly, a Mac backdoor using old code that had been around for a long time and could (deep breath) upload files to computers, record images and video, snoop around in victims’ information, take screenshots, and also log keystrokes. The malware, made up of just two files, was a mixture of “wow, that’s clever,” ancient system calls, and basic persistence techniques. Possessing the ability to download additional files from a Command and Control server, alongside a seemingly overt interest in being able to capture images, we also discovered Windows versions of the files communicating with the same C&C.

At the time, a lot of questions were raised about what it was being used for, alongside the possibility that professional hacking groups were behind its creation.

With that in mind, news has broken that a 28-year-old man, Phillip R. Durachinsky of North Royalton, Ohio, has been charged with using this piece of malware since the age of 15(!) to allegedly:

watch, listen to, and obtain personal data from unknowing victims, as well as produce child pornography.

Very serious allegations. In addition to being charged with 16 counts of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft, it’s also claimed he’s the creator of Fruitfly, which would be quite the revelation. From the indictment:

…from 2003 through Jan. 20, 2017, [Durachinsky is alleged] to have orchestrated a scheme to access thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy…[he] used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, Internet searches, and potentially embarrassing communications.

The “medical records” reference leaps out. From our linked blog:

The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure…and which seems to be targeting biomedical research centers.

That would definitely appear to sync up with the medical record pilfering, and we’re wondering what else will come out in the wash by the time this one has passed through the courts.

According to the indictment, Durachinsky also used stolen login credentials to access and download information from third-party websites. He’s further alleged to have watched and listened to victims without their knowledge or permission, and to have intercepted oral communications taking place in the room where the infected computer was located. In some cases, Durachinsky’s malware alerted him if a user typed words associated with pornography. He apparently saved millions of images and often kept detailed notes of what he saw.

Reading through the charges paints more and more of a disturbing picture.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” said Acting Assistant Attorney General Cronan. “This case is an example of the Justice Department’s continued efforts to hold accountable cybercriminals who invade the privacy of others and exploit technology for their own ends.”

Getting away with more than a decade of stealing data like this on such a grand scale is quite the feat, and one hopes the victims of the most salacious offenses receive justice.

The post Alleged creator of Fruitfly indicted for 13 years of spying appeared first on Malwarebytes Labs.
