Techie Feeds

VideoBytes: Ryuk Ransomware Targeting US Hospitals

Malwarebytes - Wed, 12/09/2020 - 16:03

Hello Folks! In this Videobyte, we’re talking about why hospitals are being targeted by the Ryuk ransomware, what tricks they are using to pull this off and what their motivations might be.

Ryuk ransomware is being spread to hospitals using targeted phishing emails that infect systems with the BazarLoader malware, which in turn deploys the Cobalt Strike pen-testing platform, giving attackers greater ability to compromise the network before launching the Ryuk ransomware.

The group has also been observed using the ZeroLogon vulnerability, which allows an attacker to compromise a domain controller server within seconds. That makes lateral infection of corporate endpoints very easy.

According to various law enforcement agencies, attacks are increasing against healthcare organizations:

“‘CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” the advisory states.'”

At the same time, ransomware attacks have been increasing more in the second half of 2020 than the first half, according to a report by Check Point.

The United States saw nearly a 100% increase in ransomware attacks in Q3 compared to Q2.

Overall, this makes for an alarming trend of targeted ransomware attacks that utilize high sophistication and professional tools for attack.  We need to all be on our guard right now.

Links:

The post VideoBytes: Ryuk Ransomware Targeting US Hospitals appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Get a head start on defending against tax scams

Malwarebytes - Tue, 12/08/2020 - 18:01

It may not be tax season in your part of the world right now but you’ll no doubt be pleased to know a prolific tax scammer is on their way to jail for 20 years. If you’re annoyed by tax scam missives, or had the misfortune to hand money over, this is probably satisfying news.

Between 2013 and 2016, Hitesh Patel ran a particularly sophisticated operation. His tax ring called from centers in India, splitting their time between pretending to be the IRS and the US Immigration Services.

Breaking down the scam

Tax scammers typically threaten to revoke a victim’s visa status unless fictitious amounts of money are paid. The scams can range from crude cons, to sophisticated techniques where documents or devices are stolen, and fake websites created.  Those websites then claim to be official Government pages with all the victim’s (stolen) data on them. If the victim doesn’t pay the fake “fine”, they’re threatened with false deportation and imprisonment.

We can assume the fictional USCIS officers would’ve made similar, tax-centric immigration style threats to potential victims. However they did it, money from victims found its way into an elaborate fraud network. Victims are told to wire funds or purchase reloadable cards. US based “runners” then set about liquidating/laundering the money in its newfound forms. Reloadable cards are popular, and a great target for scammers generally. See endnote 50 on this article about how workers get paid for more details.

Between 2013 and 2016, the people at the heart of this scam made millions from their victims. 24 of 60 people charged involved in the scam have been found guilty. The guy at the top pleaded guilty to a wide variety of crimes, including access device fraud, money laundering, impersonation of a federal officer/employee, general conspiracy to commit identification fraud, and wire fraud conspiracy.

Avoiding the tax scammers

As above, be very cautious around claims of immigration fraud or money owed no matter what reasons are given. Contact relevant immigration authorities directly using known/trusted details or go through your immigration adviser, should you have one.

Avoid missives in your mailbox mentioning mystery refunds, late payments, or “unlock fees” to re-access your online account. Take a similar approach should the tax organisation you deal with be suddenly asking for your login details. There’s no good reason at all why they’d be asking for these details.

Additional lockdowns

Many government tax services offer online portals, and a fair few of those permit additional security protocols. UKGOV’s HMRC portal, for example, is happy for you to use 2FA to keep details secure. Scammers tend to know this and will rely on potential victims using text-based 2FA. This method is vulnerable to “SIM swap” attacks, where scammers trick support staff into porting your mobile number to their own SIM. This means the next time a 2FA code is sent, it’ll go to the fraudster and not the potential victim.

If you’re using an authentication app instead of text codes, this is no longer a problem. Even if someone has grabbed your logins by some other method, they won’t be able to do anything with them. You can go change everything without the imminent threat of someone checking out the nitty-gritty of your account.

If 2FA isn’t available at all, then you’ll need to follow the usual best practices regarding passwords. Perhaps ask the relevant organisation when 2FA may be implemented. Not ideal, but it’s something proactive to get on with while you wait for them to fill the 2FA void.

Forewarned is forearmed

As you may be aware, tax season is almost upon us in many places. Whether it begins in January, April, or another month altogether? It’s worth digging into the online portion of your tax services. See what’s secure, what isn’t, and where the organisation you deal with could perhaps stand to make some improvements.

Scammers are out there making big bucks, and they don’t care who gets crushed in their dash for cash. It’s inevitable that plenty more groups are gearing up for tax time in the few weeks’ quiet before the storm. Start laying down some plans and ground-rules now.

It’s just possible you may help keep both yourself and others safe when the scam wave breaks.

The post Get a head start on defending against tax scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lock and Code S1Ep21: Lesson planning your school’s cybersecurity with Doug Levin

Malwarebytes - Mon, 12/07/2020 - 14:10

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Doug Levin, founder of the K12 cybersecurity resource center and advisor to the K12 Security Information Exchange, about how schools can plan for a cybersecure 2021.

Education faced a crisis in the US this year, as the looming threat of the coronavirus forced schools across the country to develop new strategies for teaching. At Malwarebytes, we wanted to discover how these shifts impacted education cybersecurity.

Revealed for the first time in our newest report published today, “Lessons in cybersecurity: How schools coped in the shift to distance learning,” what we found concerned us.

Tune in to hear about how schools fared in transitioning to distance learning models, what cybersecurity precautions they did not adopt, and how they can prepare for the second half of the school year, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes storeGoogle Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on: Other cybersecurity news

Stay safe, everyone!

The post Lock and Code S1Ep21: Lesson planning your school’s cybersecurity with Doug Levin appeared first on Malwarebytes Labs.

Categories: Techie Feeds

50 percent of schools did not prepare for secure distance learning, Labs report reveals

Malwarebytes - Mon, 12/07/2020 - 14:05

Education in the United States faced a crisis this year. The looming threat of the coronavirus—which spreads easily in highly-populated, enclosed rooms—forced schools across the country to develop new strategies for education.

The dramatic stress of this transition is known. Teachers are working more hours than ever and parents are pulled between their jobs and 24/7 childcare. But perhaps for the first time, Malwarebytes has revealed how this transition has stressed the cybersecurity posture of schools and school districts.

Our full report, “Lessons in cybersecurity: How education coped in the shift to distance learning,” shows how schools across the United States are suffering, sometimes through inaction of their own.

Nearly half of all schools did not change anything about their cybersecurity preparations in transitioning to distance learning. The end result is that schools have faced a number of cybersecurity and IT issues that are dramatically increasing IT workload and putting undue strain on teachers’ lives. Some schools have even suffered cyberattacks that have delayed their distance learning plans for a day. More individuals learned that a colleague suffered a malware attack on a school-owned device.

Our report also reveals that cyberattacks do not just threaten the safety of teachers, students, and administrators, though—they also dramatically impact students’ perceptions of schools. Malwarebytes found that many students themselves said a cyberattack would significantly impact their decision to either apply to a school or transfer to that school. Cyberattacks also significantly impacted these students’ trust in their own schools.

Crucially, our report shows that the more cybersecurity best practices that a school put into place, the fewer cybersecurity and IT issues they suffered.

For all of these findings, we went straight to the source.

We conducted two, parallel surveys, the first of which targeted IT decision-makers at schools across the United States. The second survey targeted students enrolled in K–12; students working on obtaining a bachelor’s degree, associate’s degree, or attending trade school; and students enrolled in any post-graduate program.

Key takeaways
  • 50.7 percent of IT decision-makers said that no one—not students, teachers, staff, or guests (including parents)—were required to enroll in cybersecurity training before the new school year began
  • 46.7 percent of IT decision-makers said their schools developed “no additional requirements”—no distanced learning policy read-throughs, no cybersecurity training, no antivirus tool installations—for the students, faculty, or staff who connected to the school’s network
  • 46.2 percentof students said their schools suffered a cyberattack
  • 61 percent of students said a cyberattack resulted in a significant or strong impact on their trust in their school
  • Schools that engaged in a variety of cybersecurity best practices before transitioning to a distance learning model reported zero school-wide cyberattacks, and zero instruction days lost because of a cyberattack
    • 63.6 percent of these schools said they suffered “sustained, excess IT workload” compared to the 72.0 percent of all respondents
    • 18.2 percent of these schools said “teachers or students have suffered a Zoom-bombing attack” compared to the 29.3 percent of all respondents
  • With distance learning in full swing, concerns remain with device shortages:
    • 28 percent of IT respondents said their schools are missing laptops, computers or tablets for teachers
    • 40 percent are missing those tools for parents and students
    • 38.7 percent worry that teachers or students are too quickly using up the data on school-provided WiFi hotspots
Study hard

Though we’re halfway through the school year, it is never too late to improve a school’s cybersecurity. In fact, there are several best practices that a school can implement to protect itself from a cybersecurity incident. Not only that, but some of those same practices can help a school’s faculty focus on what matters most—educating students.

Cybersecurity, it turns out, is a lot like school. You’ve got to do your homework. 

To learn more about the increasing risks uncovered in today’s distance learning environment, and about tips and advice that all schools can act on during 2021, read our full report:

Lessons in cybersecurity: How education coped in the shift to distance learning

The post 50 percent of schools did not prepare for secure distance learning, Labs report reveals appeared first on Malwarebytes Labs.

Categories: Techie Feeds

File-sharing and cloud storage sites: How safe are they?

Malwarebytes - Fri, 12/04/2020 - 16:30

There it is again—that annoying message that pops up when your email client informs you that a file is too big to attach. Those of us that are confronted with this problem on a regular basis—and those of us that want to attach files that could get picked up by anti-malware scanners along the way—have probably resorted to using file-sharing sites to help solve this issue. But is file-sharing secure?

How do file-sharing sites work?

The procedure for such file-sharing sites is simple enough. You upload the file, copy the download link, and send that link to the person you want to have the file. Some sites offer you a range of options to prevent your files from falling in the wrong hands like encryption, password protection, and others.

Closely related and more than a few times used for the same purpose are cloud storage sites. These could be ideal to backup those files you can’t do without should your hard-drive fail. Personally, I prefer a physical hard drive to backup my more personal files, but I would have no reservations about storing my installers and configuration files online.

Follow the money

It’s not hard to imagine that it will cost money to run such a site. So, when this service is provided to you for free you would be wise to ask yourself how they pay the bills. As in many other online services, when they are offered for free there is a good chance that your data are used to pay the bills.

But there are other means for these sites to earn revenue:

  • Advertising: Sometimes it’s easy to see how the bills are paid. It is hard to find the controls between the advertisements, though.
  • Web push notifications: A special form of advertising that can be very annoying. Often used in conjunction with regular advertising. Depending on the advertising network these can vary from slightly annoying to downright malicious.
  • Altered files: The file you download is not the same as the file that was uploaded. This can be very embarrassing. You don’t want to send your business relations a link that gets them infected with adware or some potentially unwanted program.
  • Not the requested file at all: Some file-sharing sites simply replace the requested files with malware. This often happens on sites that are notorious for sharing cracks and keygens. Sometimes they don’t replace all the files to give the visitor the idea that he could “get lucky.”
  • Some sites require you to register and provide an email address, social media account, or to install a program that enables the usage of the site. All these options could result in additional advertising.
  • Some file sharing sites offer free accounts for small files but will ask a fee if you want to store bigger files. Or they will offer an improved user experience for paid users, for example higher speeds, simultaneous uploads, or an ad-free site. This seems like a fair deal and a good alternative for the users that only need this occasionally.
Inform yourself beforehand

To keep your data and computer secure, before you decide on which site to use for sharing files or storing online for yourself, follow these pointers:

  • Look at reviews about the site and skip the ones that are all good

Even with an outstanding product people will find flaws and complain about them. If you can’t find any negative reviews, there is a good chance these will be barred or removed, or in some cases buried by good reviews posted by the people running the site.

  • Check out the security options you can use as a free user.

The more the better, obviously. Look for encryption, limited number of downloads, password protection, or anything else you would like to see. There are many providers out there and it’s worth looking for the one that is ideal for you.

  • Try the service out yourself before sending someone else a file.

Upload a file and then download it again, preferably from a different computer and other IP address. Sites may treat the uploader different from other downloaders. Don’t embarrass yourself by using an untested service and getting someone you know infected.

Finally, when you download something uploaded by another user, there are some pointers to minimize the privacy and security risks involved:

  • Make sure to click the correct button on the site. PUPs love using those big green buttons that tell you to “start here” when in fact that’s not where you want to go at all.
  • Check the file extension, does the filetype match with what you are expecting? When you were promised an mp3 and get a file with the .exe extension that should raise all kinds of alarms? In fact, executable files are best avoided entirely unless you know and trust the sender.
  • Check the file size. A movie with a size of 8 MB is not likely to be what it claims to be.
  • Scan the downloaded file with a trusted antimalware solution before running it.
  • Should you decide to run a file, read the installation or download screens carefully. Sometimes there are additional surprises announced in small print.
So, what’s the end verdict on file-sharing?

We feel it’s not our place to make recommendations about which ones are the best, but we feel it is our duty to make you aware of the risks and pitfalls that are very common in this area, most of which you can spot easily by doing a test round or two.

Basic services for limited use are available for free if you are willing to look for them. With an ad blocker or Browser Guard you can navigate the sites that would normally be full of advertisements a lot easier.

Further, web push notifications can easily be controlled and managed form within the browser. If you want to know how, you should read our blogpost about web push notifications.

Also, a quick inspection of the downloaded file can save you some occasional grief as well.

All in all, we think it is possible to share files or use online storage for non-professional purposes without paying for these services. For more regular and professional usage there are many paid options available. The only thing we do want to warn about is downloading desirable files from “unknown” sources. Sites offering cracks, keygens, movies, music, and other desirable files do have a bad reputation for a reason.

Stay safe everyone!

The post File-sharing and cloud storage sites: How safe are they? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

VideoBytes: Is it goodbye forever to Maze ransomware?

Malwarebytes - Thu, 12/03/2020 - 16:30

Hello Folks! In this Videobyte we’re talking about Maze ransomware and whether or not its shutting down, and what that means for the cybercrime world.

The notorious Maze ransomware group, known for its corporate targeting and data leaking extortion schemes is, apparently, shutting down operations.

Rumors began months ago that Maze was shutting down, as many affiliates who helped distribute Maze have been spotted switching to a different, new ransomware family called Egregor.

Then, on November 1, the group behind Maze released a statement claiming that it was closing its doors. The author also went on a rant about how the future will entirely be lived online and Maze ransomware attacks were meant to help prepare companies by forcing them to increase their security.

Typical rhetoric among delusional criminals who want to see their effort as beneficial rather than something which hurts lives.

We will have to wait and see if Maze is truly gone. After all, we thought Ryuk had vanished earlier this year, only to see it return. At the same time, the affiliate shift to Egregor ransomware is somewhat like the shift away from GandCrab to Sodinokibi in 2018-2019.

Unfortunately, history has shown us that when a crime group decides to close their doors, it’s rarely because they have seen the error in their ways and it’s more often due to a new, more powerful threat that these actors would prefer to use.

Links:

The post VideoBytes: Is it goodbye forever to Maze ransomware? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The many ways you can be scammed on Facebook, part I

Malwarebytes - Wed, 12/02/2020 - 20:53

Scams can be found anywhere, and Facebook is no exception. And, with the holiday season just around the corner, and the world still weathering a pandemic, it pays to know what Facebook scams you, those close to you, and those you have professional relationships with could potentially encounter.

We’ll look at those that pose a notable risk to either your banking account or your personal information in this two-part series.

“How do I scam thee, let me count the waysPlain, ol’ data mining schemes

According to Vade Secure, a company specializing in email defense, Facebook ranks second in its list of most impersonated brands in phishing campaigns, which it details more in its annual Phishers’ Favorites Q1 2020 report.

Facebook phishing campaigns can take many forms—including Facebook apps and SMS messages—and can come via many avenues. It could be a link on Messenger from a connection or stranger, an email asking you to verify your “legal ownership” of your Facebook account, or a simple public post designed to either entice or scare recipients to act, which usually involves the handing over of data.

Take, for example, a campaign where recipients are told their account has been reported for abuse, thus in violation of Facebook’s standards. This is then coupled with a link to a page that tells users to enter their credentials to prove that the account in question is theirs.




If you look really close, it doesn’t make any sense for Facebook (supposedly) to alert you of a potential rules violation, and then ask for an account verification. (Courtesy of Vade Security)

One thing to keep in mind is that when it comes to phishing campaigns on Facebook, it doesn’t matter whether it first appeared 10 years ago or 10 days ago. We see similarities in past and present campaigns because phishers find them effective against users as they continue to fall for the same tricks.

Here’s a tip: If you find it difficult to spot a phishing attempt, a password manager could help you by not automatically pre-filling credentials on sites you know it’s supposed to pre-fill. Once this happens, report this to your password manager support team so they can investigate. Meanwhile, avoid manually entering information to the site that your password manager refuses to pre-fill, as it might likely be a phishing page.

Scam ad campaigns

Although this may sound new to the average consumer, those who have established an online business presence on Facebook are quite familiar with scam ad campaigns.

Scam ads are, essentially, false or fake ads designed to reel people in to con them out of their money. This type of campaign has made Facebook their home by hijacking business, community, or “public figure” accounts and buying ad campaigns to run.

Hackers and fraudsters particularly target Facebook accounts that can run ads as everything is already set up for them to use and abuse. And while some cybercriminals deliberately create and leave Facebook accounts to “mature” over time—we’re talking about years here—before they get sold, most scammers just couldn’t wait that long.

Why do they do this? Because Facebook’s system is on the lookout for scammery involving new accounts. Leaving accounts to mature is a way to circumvent the system.

Running scam ads can net fraudsters huge sums of money, even if they only run for a few hours before getting shut down. In fact, a few hours are all they need to see a return on their investment of time and effort.

Last year, Henry Lau, co-founder of Privolta, a company that specializes in privacy focused ads, had his Facebook ads account compromised by hackers via a third-party, who then used it to run a 13-second video campaign of a red toy wagon that was seen by Facebook users in Australia, North America, and Mexico. Interested users who clicked it were taken to a sale site with card skimmer code embedded in it.

The Facebook ad of a red toy wagon for children, which is actually a fake item, had reached more than 60,000 people on Facebook before it was shut down. (Courtesy of CNET)

Although Facebook had raised a red flag on his account when the fraudsters set a campaign budget of 10,000 USD, the social network didn’t notify Lau and allowed the campaign to play out anyway. Wilson said that Facebook’s model is “approve first, ask questions later”.

On the radar: After compromising and installing ransomware on the systems of Campari Group, a well-known Italian beverage maker, the Ragnar Locker ransomware group took to Facebook’s ad campaigns to further pressure the company. The account the group used to run the ad campaign belongs to a deejay based in Chicago. Read more about it in this KrebsOnSecurity post.

Live stream and music festival scam

The current pandemic has pretty much made every form of contact with the outside world virtual—including attending concerts. Yes, live stream concerts are indeed a thing today, but unfortunately, concert tickets scams that have plagued such music gatherings have evolved with the times, too.

There are several types of this scam that have been observed in the wild. According to Celebrity Access, fraudsters have set up several Facebook pages with a list of fake live streaming events to come. This, apparently, is a front for a phishing campaign as those who are interested in attending these streams would have to register with their PII.

This is a Facebook page that lists fake upcoming events. To register, interested fans are asked to hand over their personally identifiable information (PII). (Courtesy of Celebrity Access)

Another flavor of the live stream scam involves fake donation links. Since local musicians have migrated their live performance events online, cybercriminals have bombarded their official pages with fraudulent links in the hope of directing stream attendees to a site where fans are asked for “donations”. This was what happened to Steve Lucky & the Rhumba Bums featuring Carmen Getit, popular mainstays in the Bay Area music scene, when they announced a Saturday live stream in April.

Several music festivals in the UK were also victims of scammers who employ similar tactics. Kevin Tate, the Festival & Events UK editor, has uncovered nearly a hundred fraudulent links to legitimate events, such as the Reading and Leeds Festivals, the Love Saves the Day Festival in Bristol, and the Noisily Festival. These links, Tate said, were created a few days before the event, and charges interested parties with varying amounts to view content that is, essentially, free.

Fake concert ads are also pushed out via ad campaigns on Facebook.

PayPal fund transfer scam

Facebook Messenger is no stranger to messages containing a copious level of fakery. From across the pond, county police in North West England issued a warning in August about a spate of messages sent via Facebook from accounts that were believed to have been hijacked by hackers.

According to detectives, once scammers take over a legitimate Facebook account, they then proceed to contact friends and family of the account owner, asking them to receive payment from a buyer for an item—usually a camera, based on collected reports—they have purportedly sold on eBay.

They then claim they couldn’t receive the payment themselves because their PayPal account isn’t working, or they don’t have one. They instruct the family or friend that once they receive the cash into their own PayPal account, they are to transfer it to their own bank account before forwarding it to an account controlled by the fraudster.

After the family member or friend arranges a money transfer from their bank account to the scammer’s, the scammer then reverses the PayPal transaction. So no money reaches the family member or friend’s PayPal account, and they have just knowingly given part of their savings to fraudsters.

In part 2, we’ll be moving forward with our list and include tips on how to keep yourself and your loved ones safe from these Facebook scams, too. Until then: eyes open, and stay safe!

The post The many ways you can be scammed on Facebook, part I appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Deep learning: An explanation and a peek into the future

Malwarebytes - Tue, 12/01/2020 - 15:36

Deep learning is one of the most advanced forms of machine learning, and is showing new developments in many industries. In this article, we’ll explain the concept and give some examples of the latest and greatest ways it’s being used.

What is deep learning?

There have been many attempts at creating a definition of deep learning.

As we’ve explained in the past, machine learning can be considered as a sort of offspring of artificial intelligence. In the same way, you can view deep learning as a further evaluated type of machine learning.

According to Wikipedia:  Deep learning (also known as deep structured learning) is part of a broader family of machine learning methods based on artificial neural networks with representation learning. Learning can be supervised, semi-supervised or unsupervised.

While that definition does give us some clues on what we are looking at, it deserves an explanation of some of the terms used.

Artificial neural networks (ANNs) are computerized networks that mimic the behavior of biological communication nodes. What makes biological neural networks different from other artificial networks is that they are dynamic and analog. That not only makes them more flexible, but it also makes them harder to mimic in an artificial neural network.

Representation learning or feature learning is a set of techniques that allows a system to automatically discover the representations needed for feature detection or classification from raw data. In other words, representation learning is a way to extract features from unlabeled data by training a neural network

How is deep learning more advanced?

Basic machine learning methods are becoming better at what they were designed for at an impressive speed. But they still need human guidance from time to time. For example, when users notice that the algorithm has accepted a false statement as true. In such a case, the predictions made by the algorithm become worthless and the situation needs to be corrected.

Deep learning uses multiple layers which allows an algorithm to determine on its own if a prediction is accurate or not. As we all know, you can sometimes reach an accurate conclusion based on false facts. A deep learning model will typically be designed to analyze data with a logic structure and do that in a way that’s very similar to how a human would draw conclusions. This layered approach results in a method that is far more capable of self-regulated learning, much like the human brain.

The obvious warning here is that not every human brain is capable of following the rules of logic and while we perfect the mimicry, we may introduce the same weaknesses that exist in biological brains. Of course, deep learning machines are capable of processing a lot more input than humans can at this point, which is why big data and deep learning often go hand in hand.

Examples of deep learning

Machine learning and, more specifically, deep learning already have proven their worth in some use cases and we can expect more improvements in these fields.

Optimizing

Traffic analysis: Predictions about which roads and motorways are acting as a bottleneck and how the flow can be optimized with a minimum of investments. For example, whether it will prove to be useful to add an extra lane to that highway or whether it will just create the same problem a few miles further ahead.

Transportation automation: In transport, the shortest route is not always the fastest. A delivery route can be optimized by time of arrival at certain delivery addresses, which is something that can be done by deep learning.

Finding cures: Deep learning neural networks can help in structuring and speeding up drug design. Researchers have enhanced deep learning for drug discovery by combining data from a variety of sources.

Market analysis: Combining machine learning with your data can provide insight into which leads prove to give you the highest success rate. However, given that you need a relatively big dataset, this may not be interesting for smaller organizations lest it may lead to self-fulfilling prophecies.

Recognizing

Speech recognition: Apps that listen to voice commands can learn to understand their user better over time. This can help to overcome the returning annoyance about voice assistants that misunderstand or not understand the user at all.

Gesture recognition: One of the latest additions in the area of machine learning deals with recognizing gestures. The signals that are emitted from sensors are able to detect emotions by energy, time delay, and frequency shift.

Deepfakes: For good or bad, further analysis of facial expressions and voice patterns can provide the data for the next step in creating more convincing deepfakes. By better understanding human behavior, it will become easier to mimic and provide more convincing results.

Specializing

Smartphone cameras: These small cameras have to make up for the limitations set by their size in order to come close to the picture quality made by dedicated cameras. Machine learning algorithms do several things to improve and enhance the smartphone’s picture quality.

Targeted advertising: To minimize the number of advertisements the public have to watch, and to optimize the effectiveness of those advertisements, deep learning can be used to provide targeted advertising and make sure the aim is at the most suitable demographic for your product.

These are just some examples. You can probably come up with more if you look around you and see how software has taken over a lot of tasks that required human brains in the past.

The use of machine learning has also made things possible that were impossible before. For example, Google built a system to guard the rainforest. The company built a solution based on an open source platform for machine learning that uses audio to detect sounds of chainsaws and logging trucks to understand if any if an illegal activity is occurring. The machine learning solution takes into account various artificial intelligence techniques to ensure it is correctly detecting any destruction taking place.

The cybersecurity industry

We’ve already talked at length in another blog about how artificial intelligence and machine learning may impact cybersecurity. Some of these changes are already taking form and others are well on their way to being developed, but as we move forward there are bound to be changes. Especially in an industry that is involved in an arms race that entices both sides to stay one step ahead of the other.

The post Deep learning: An explanation and a peek into the future appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Baltimore gets hit by ransomware again, the schools this time

Malwarebytes - Mon, 11/30/2020 - 17:50

All Baltimore County Public Schools closed Wednesday after the school system was hit with a ransomware attack, according to officials.

Baltimore County Public Schools superintended Dr. Darryl Williams stated:

“This morning, we decided to close all BCPS schools and offices in order to access and limit the impact of the attack.”

For those unfamiliar with the Baltimore City Schools organization, the attack affected some 175 schools, programs, and centers, over 115,000 students, and over 18,000 employees.

In May of last year a RobbinHood ransomware attack paralyzed Baltimore’s City government, shutting down online systems for paying water bills and other services.

Measures taken by Baltimore City Schools

Since the attack also took down the official website, management is providing updates over social media channels.

Via their Twitter account, Baltimore County Public Schools announced the schools and offices to be closed on Wednesday, November 25. Later they added Monday, November 30, and Tuesday, December 1, to focus on identifying and addressing student and staff device needs so that instruction can continue.

On their Facebook account they urged people not to log into BCPS devices or systems at this time. They also reassured the public that they are doing their best to address the ransomware attack. Local, state, and federal law enforcement agencies are investigating.

Also via Twitter they asked students learning virtually on Wednesday to only use City Schools-issued laptops or devices. Those without those issued devices were granted an excused absence. BCPS-issued Chromebooks were not impacted by the cyberattack.

The Teachers Association of Baltimore County is telling parents to leave computers off and not turn it on until they hear back from BCPS.

Superintendent Darryl Williams said there is no timeline for when school will resume. According to school officials, the network issue has affected the district’s website, email system and grading system. Until the problem is resolved, students will be unable to attend school.

Investigation

The county police have been in contact with the FBI Baltimore field office. Baltimore County Police Chief Melissa Hyatt declined to provide any specifics of the criminal probe, since they still are in the preliminary steps of that investigation.

Hyatt did not reveal whether the authorities have communicated with the hackers and the school system said it has had no direct or indirect contact with the hackers.

While it is important to investigate ransomware attacks, most of these investigations may not lead to the apprehension of the attackers. They could, however, reveal how the attackers got in and whether they left any backdoors for future use behind.

Ransomware and education

The educational system and many of its elements are targets for cybercriminals on a regular basis. While education is a fundamental human right recognized by the United Nations, the financial means of many schools and other entities in the global educational system are often limited.

You’d think there are more profitable targets for cybercriminals than education. Technology and finance, for example, have exponentially bigger budgets that could be tapped into via large ransom demands. But cybercriminals are opportunistic: If they see an easy target ripe with valuable data, they’re going to take advantage. Why spend the money and time developing custom code for sophisticated attack vectors when they can practically walk through an open door onto school networks?

With some ransomware gangs now creating extra leverage by threatening to publish exfiltrated data, criminals may well see schools as an easy target—expecting them to pay the ransom through fear of finding students’ and teachers’ personally identifiable information (PII) published online.

The timing for an attack to take out the network information systems, could not have been worse while the school system continues to operate online only, with all in-person classes delayed, as a result of the coronavirus pandemic. Possibly these circumstances could have provided the way in for the attackers. Hopefully the investigation will reveal how it happened.

Stay safe, everyone!

The post Baltimore gets hit by ransomware again, the schools this time appeared first on Malwarebytes Labs.

Categories: Techie Feeds

German users targeted with Gootkit banker or REvil ransomware

Malwarebytes - Mon, 11/30/2020 - 16:00

This blog post was authored by Hasherezade and Jérôme Segura

On November 23, we received an alert from a partner about a resurgence of Gootkit infections in Germany. Gootkit is a very capable banking Trojan that has been around since 2014 and possesses a number of functionalities such as keystroke or video recording designed to steal financially-related information.

In this latest campaign, threat actors are relying on compromised websites to socially engineer users by using a decoy forum template instructing them to download a malicious file.

While analyzing the complex malware loader we made a surprising discovery. Victims receive Gootkit itself or, in some cases, the REvil (Sodinokibi) ransomware. The decision to serve one or the other payload happens after a check with the criminal infrastructure.

Gootkit attacks observed in Germany

Security researcher TheAnalyst was the first to publicly identify an active campaign in November using a sophisticated loader that was eventually attributed to Gootkit, a banking Trojan not observed in the wild for some time. Germany’s Computer Emergency Response Team CERT-Bund later confirmed that German users were being targeted via compromised websites.

Around the same time, we started receiving reports from some of our partners and their ISPs about Gootkit-related traffic. We were able to confirm Gootkit detections within our telemetry that were all located in Germany.

Figure 1: Gootkit infections in Germany in the wake of the campaign

After a couple of days, we remediated over 600 unique machines that had been compromised.

Fake forum template on hacked websites

The initial loader is spread via hacked websites using an interesting search engine optimization (SEO) technique to customize a fake template that tries to trick users to download a file.

The template mimics a forum thread where a user asks in German for help about a specific topic and receives an answer which appears to be exactly what they were looking for. It’s worth noting that the hacked sites hosting this template are not German (only the template is); they simply happen to be vulnerable and are used as part of the threat actor’s infrastructure.

Figure 2: Compromised site loads decoy template to trick victims

This fake forum posting is conditionally and dynamically created if the correct victim browses the compromised website. A script removes the legitimate webpage content from the DOM and adds its own content (the template showing a link to a file to download).

Figure 3: A view of the HTML code behind the decoy template

There is a server-side check prior to each visit to the page to determine if the user has already been served the fake template or not, in which case the webserver will return legitimate content instead.

Fileless execution and module installation

The infection process starts once the victim executes a malicious script inside the zip archive they just downloaded.

Figure 4: Malicious script, heavily obfuscated

This script is the first of several stages that leads to the execution of the final payload. The following diagram shows a high level overview:

Figure 5: Infection flow Stage 1 – The first JavaScript

The first JavaScript is the module that has to be manually executed by the victim, and it has been obfuscated in order to hide its real intentions. The obfuscation consists of three layers where one decodes content for the next.

The first stage (a version with cleaned formatting available here) decodes the next element:

Figure 6: First stage script

The decoded output is a comma-separated array of JavaScript blocks:

Figure 7: Decoded comma-separated array of scripts

There are four elements in the array that are referenced by their indexes. For example, the element with the index 0 means “constructor”, 1 is another block of JavaScript code, 2 is empty, 3 is a wrapper that causes a call to a supplied code.

Block 1 is responsible for reading/writing registry keys under “HKEY_CURRENT_USER\SOFTWARE\<script-specific name>”. It also deobfuscates and runs another block of code:

Figure 8: Third JavaScript layer

This fragment of code is responsible for connecting to the C2. It fetches the domains from the list, and tries them one by one. If it gets a response, it runs it further.

The above downloader script is the first stage of the loading process. Functionality-wise it is almost identical in all the dropped files. The differentiation between the variants starts in the next part, which is another JavaScript fetched from the C2 server.

Stage 2 – The second JavaScript (downloaded from the C2)

The expected response from the server is a decimal string, containing a pseudorandom marker used for validation. It needs to be removed before further processing. The marker consists of “@[request argument]@”.

Figure 9: GET request with C2 server

After conversion to ASCII, the next JavaScript is revealed, and the code is executed. This JavaScript comes with an embedded PE payload which may be either a loader for Gootkit, or for the REvil ransomware. There are also some differences in the algorithm used to deobfuscate it.

Example for the Gootkit variant (commented, full)

Figure 10: The downloaded JavaScript

The downloaded code chunk is responsible for installing the persistent elements. It also runs a Powershell script that reads the storage, decodes it and runs it further.

Stage 3 – The stored payload and the decoding Powershell

The authors diversified the method of encoding and storing the payload. During our tests we observed two ways of encoding. In one of them, the PE is stored as a Base64 encoded string, and in the other as a hexadecimal string, obfuscated by having certain numbers substituted by a pattern.

The payload is usually stored as a list of registry keys, yet we also observed a variant in which similar content was written into a TXT file.

Example of the payload stored in a file:

Figure 11: Payload as a file on disk

The content of the file is an obfuscated Powershell script that runs another Base64 obfuscated layer that finally decodes the .NET payload.

Example of the Powershell script that runs to deobfuscate the file:

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX (([System.IO.File]::ReadAllText('C:\Users\[username]\bkquwxd.txt')).Replace('~',''));"

Below we will study two examples of the loader: One that leads to execution of the REvil ransomware, and another that leads to the execution of Gootkit.

Example 1—Loading REvil ransomware

The example below shows the variant in which a PE file was encoded as an obfuscated hexadecimal string. In the analyzed case, the whole flow led to execution of REvil ransomware. The sandbox analysis presenting this case is available here.

Execution of the second stage JavaScript leads to the payload being written to the registry, as a list of keys. The content is encoded as hexadecimal, and mildly obfuscated.

Figure 12: Fragment of the payload stored in the registry, encoded as a hexadecimal string obfuscated with a pattern

After writing the keys, the JavaScript deploys a PowerShell command that is responsible for decoding and running the stored content.

Figure 13: The JS component deploys PowerShell with a Base64 encoded script

Decoded content of the script:

Figure 14: Decoded content

It reads the content from the registry keys and deobfuscates it by substituting patterns. In the given example, the pattern “!@#” in the hexadecimal string was substituted by “1000”, then the PE was decoded and loaded with the help of .NET Reflection.

The next stage PE file (.NET):

The .NET loader comes with a hardcoded string that is the next stage PE: the final malicious payload. The Setup function called by the PowerShell script is responsible for decoding and running the next PE:

Figure 15: Hardcoded string (PE) Figure 16: Deploying the payload

The loader runs to the next stage with the help of Process Hollowing – one of the classic methods of PE injection.

Figure 17: REvil ransom note Example 2 – Loading Gootkit

In an other common variant, the payload is saved as Base64. The registry keys compose a PowerShell script in the following format:

$Command =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("[content]")); Invoke-Expression $Command;Start-Sleep -s 22222; Figure 18: Registry key storing payload

After decoding the base64-encoded content, we get another PowerShell script:

Figure 19: More PowerShell

It comes with yet another Base64-encoded piece that is further decompressed and loaded with the help of Reflection Assembly. It is the .NET binary, similar to the previous one.

The script calls a function “Install1” from the .NET module. This function loads another PE, that is embedded inside as a base64 encoded buffer:

Figure 20: Another buffer Figure 21: Deploying the payload

This time the loader uses another method of PE injection, manual loading into the parent process.

The revealed payload is a Gootkit first stage binary: 60aef1b657e6c701f88fc1af6f56f93727a8f4af2d1001ddfa23e016258e333f. This PE is written in Delphi. In its resources we can find another PE (327916a876fa7541f8a1aad3c2270c2aec913bc8898273d545dc37a85ef7307f ), obfuscated by XOR with a single byte. It is further loaded by the first one.

Loader like matryoshka dolls with a side of REvil

The threat actors behind this campaign are using a very clever loader that performs a number of steps to evade detection. Given that the payload is stored within the registry under a randomly-named key, many security products will not be able to detect and remove it.

However, the biggest surprise here is to see this loader serve REvil ransomware in some instances. We were able to reproduce this flow in our lab once, but most of the time we saw Gootkit.

The REvil group has very strict rules for new members who must pass the test and verify as Russian. One thing we noticed in the REvil sample we collected is that the ransom note still points to decryptor.top instead of decryptor.cc, indicating that this could be an older sample.

Banking Trojans represent a vastly different business model than ransomware. The latter has really flourished during the past few years and has earned criminals millions of dollars in part thanks to large ransom payments from high profile victims. We’ve seen banking malware (i.e. Emotet) turn into loaders for ransomware where different threat actors can specialize in what they do best. Time will tell what this return of Gootkit really means and how it might evolve.

Detection and protection

Malwarebytes prevents, detects and removes Gootkit and REvil via our different protection layers. As we collect indicators of compromise we are able to block the distribution sites so that users do not download the initial loader.

Our behavior-based anti-exploit layer also blocks the malicious loader without any signatures when the JavaScript is opened via an archiving app such as WinRar or 7-Zip.

Figure 22: Blocking on script execution

If a system is already infected with Gootkit, Malwarebytes can remediate the infection by cleaning up the registry entries where Gootkit hides:

Figure 23: Detection of payload hidden in registry

Finally, we also detect and stop the REvil (Sodinokibi) ransomware:

Figure 24: REvil ransomware blocked heuristically Indicators of Compromise

Compromised websites downloading JavaScript loader:

docs.anscommerce[.]com
ellsweb[.]net
entrepasteles[.]supercurro.net
m-uhde[.]de
games.usc[.]edu
doedlinger-erdbau[.]at

3rd stage JavaScript C2s:

badminton-dillenburg[.]de
alona[.]org[.]cy
aperosaintmartin[.]com

Variant 1 (Gootkit):

  1. NET loader [973d0318f9d9aec575db054ac9a99d96ff34121473165b10dfba60552a8beed4]
  2. Delphi PE [60aef1b657e6c701f88fc1af6f56f93727a8f4af2d1001ddfa23e016258e333f]
  3. PE stored in resources [327916a876fa7541f8a1aad3c2270c2aec913bc8898273d545dc37a85ef7307f]

Variant 2 (REvil):

  1. NET loader [0e451125eaebac5760c2f3f24cc8112345013597fb6d1b7b1c167001b17d3f9f]
  2. Delphi PE [d0e075a9346acbeca7095df2fc5e7c28909961184078e251f737f09b8ef892b6] – the ransomware
  3. PE stored in resources [a7e363887e9a7cc7f8de630b12005813cb83d6e3fc3980f735df35dccf5a1341] – a helper component

The post German users targeted with Gootkit banker or REvil ransomware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

November spam roundup: Stalkers, property tips, porn, stern words and PayPal

Malwarebytes - Mon, 11/30/2020 - 11:11

Today we’re rounding up some of the interesting pieces of spam currently in circulation, taking in everything from housing deals to mysteriously free slices of cash. You may have seen some of these already. Hopefully we can help make up your mind about whatever’s lurking in your mailbox.

A full house of spam

Whether by accident or design, you may see spam land in your inbox reminiscent of multiple unrelated scams. It’s quite something when you don’t know if you’re looking at something ransom/blackmail related, or dating, or stolen passwords/data, or a combination of all three.

The title of the email is itself somewhat disturbing at first glance:

I am watching you every day let’s talk here [URL] I live next to you, you recognize me from the photo) after entering, I look forward to meeting you

From the getgo, we have a big stalker vibe going on. It’s a neighbour, and they’re going to…invite themselves in? What are they doing in your house? Why do they want to come in? Have they been watching you? I’ve seen many of those “I have your password and stole your files” mails that open with a line similar to “I’m watching you”. Admittedly, those claim to be watching through a webcam and not your bedroom window, but it’s still enough to set the old panic bells ringing.

Then things get very weird.

Do you like houses? Our spammer does

The tone shifts from vaguely menacing, to “rich intimate fantasies”. It’s also no longer happening in your own home, but one of several random properties close to you. If you ever wanted to meet up with a totally random stranger from the internet, in a dreamlike luxury bungalow which belongs to neither yourself or the message sender, then this is definitely the mail for you.

At this point, you may be asking yourself why you have a bunch of property tips next to what sounds like murderous dating spam. The answer is that spammers are trying to get around blocks/filters. There’s not much point spending time and effort spamming, if nobody ever sees it. If they can make use of valid services and piggyback into your mailbox, they’ll do that instead. Mail services may think twice about stopping messages coming from what are legitimate sources, even if the contents are somewhat dubious.

Skipping the security fence

There’s many ways to attempt a bypass. Splitting Bitcoin addresses and writing in languages other than English, using images, avoiding certain words or hiding the text, or piggybacking on other services. Here, they’re likely trying to take advantage of a legitimate site’s service to blast through detection. The property website in question offers the ability to send property recommendations with no need for sign up. It didn’t work for us in testing so either it only works sometimes, the site owners have switched it off, or the scammers haven’t used it at all. They’re merely imitating it to make it look as though it’s the real thing.

The spam links lead to a number of explicit sites. Whether or not you say you’re over/under 18, you’ll still be taken to graphic pornography games or adult dating websites.

A somewhat innovative method to get round spam traps, but I’m not sure what kind of success rate we’re talking about. Any process which goes from “potentially threatening”, to “houses for sale”, with a splash of “randomly taken to explicit pornography games” can’t have that big a target audience.

Users of Malwarebytes will find they’re protected from the sites linked from the initial mails, and also further clickthroughs/redirections:

adultgames(dot)fun
mojzz(dot)playtillcum(dot)com
mojzz(dot)dateworlds(dot)net
milffinder(dot)com
h90348it(dot)beget(dot)tech  
liksss(dot)beget(dot)tech

The case of the unfriendly 419 spam

Another day, another attempt to part you from money. This 419 style missive takes the form of someone, er, telling you off. A lot. It reads as though you’re halfway through some shadowy, clandestine operation. Did I mention you’re being told off? Because that happens. A lot.

Some salient extracts:

Sometimes, I do wonder if you are really, really with your senses. How Could you keep trusting people and at the end you will lose your hard Earned money, or are you being deceived by their big names? They Impersonate on many offices, claiming to be Governors, Directors/Chairman of one Office or the other.

Their game plan is only just to extort your hard Earned money. Now, the question is how long you will continue to be Deceived? Sometimes, they will issue you fake check, introduce you to fake Diplomatic delivery, UN-existing online banking and they will also fake wire transfer of Your fund with Payment Stop Order and even send you fake ATM cards etc.

If this doesn’t feel like someone winning your confidence, you’d be right. It gets worse:

Anyway, by the virtue of my position I have been following this Transaction from inception and all your efforts towards realizing the Fund. More often than not, I sit down and laugh at your ignorance and That of those who claim they are assisting you, it is very unfortunate That at the end you loose.

Please I beseech you to stop pursuit of shadows and being Deceived. Feel free to contact me immediately as you receive this mail so that I can Explain to you the modus-operandi guiding the release of your Payment. Do not panic, be rest assured that this arrangement will be Guided by your Embassy here in Nigeria.

I do wonder what the success rate is for this one.

Lazy phishers and bad phishing pages

This is possibly the laziest or worst phish page I’ve ever seen. It starts off reasonably enough for a scam, claiming to be from a bank manager telling you there’s vast sums of unclaimed funds.

The main hook of the mail reads as follows:

As the regional Bank Manager of BOA BANK. It is my duty to send a financial report to my head office at the end of each year On the course of the 2019 year report, We discovered an excess profit of Eight Million Us Dollars, Which we have kept in SUSPENSE ACCOUNT without any beneficiary. As an officer of the bank I can not be directly connected to this Fund for Security Reasons, that is why I am contacting you for us to work together to get the said Fund. into your bank account for INVESTMENT in your Country The percentage Ratio is thus: 30% for you, 70% for me and my colleagues.

All you have to do to get the cash is fill out a form. The wheels almost immediately come off when you look at the bottom and see “Create your own Google form”.

When a phish goes off the rails

That doesn’t sound massively encouraging for a bank. All the same, it could be enough to grab some details from the unwary. That’s what I’d normally say, only for clicking the link and seeing this, the top entry for “Most depressing phish attempt in this or any other decade”:

Filling in an “Untitled form”, with an “Untitled question” containing precisely one option to select called “Option 1” and no text entry to go with it? Phenomenal and astounding, can’t see how that is going to work.

While it’s a spectacular bit of embarrassment for the scammers, it’s wonderful news for potential victims. Some serious miracle working will have to take place to part them from their money. We’ll take this as a win.

And finally…

Just a gentle reminder that fake mails claiming to be from PayPal are still doing the rounds. As per the older missives, the mail claims to be from a intl-paypal(dot)com address (it isn’t), and wants you to restore access to your account. The phishing site the mail linked to was already offline as we received it. It reads as follows:

Dear Customer,

Your account has just closed temporarily, because there is suspicious activity on your account. To avoid unwanted things, we took action to close your account temporarily. Immediate update and re-activate your account.

As part of this process, your old security info will be deleted and your contact email

Click the button below to finish update and active your info.

As always, follow the same process for the older spam runs: block, report, and delete.

Never a day goes by without a terrific volume of spam and phishing knocking at your doorstep. With any luck, we’ve given you a few pointers on who to turn away.

Stay safe, everyone!

The post November spam roundup: Stalkers, property tips, porn, stern words and PayPal appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (November 23 – November 29)

Malwarebytes - Mon, 11/30/2020 - 10:44

Last week on Malwarebytes Labs, we talked with Chris Boyd about charities that track you online.

We also looked back at Zoom, and wondered whether it’s any safer months after its first vulnerability was reported. We talked about how Apple’s security is hampering the detection of potentially unwanted programs (PUPs). Lastly, we reported on Spotify resetting some user accounts after stolen or leaked credentials from a third-party were used in accessing them, and the US Senate passing the IoT Cybersecurity Bill.

Other cybersecurity news
  • GoDaddy employees were reportedly socially engineered to assume control over several cryptocurrency services. (Source: KrebsOnSecurity)
  • A report from Check Point Security revealed that vishing, or “voice phishing”, is on the uptick. And usually employees who fall for such tactics are those working from home due to the pandemic. (Source: SecurityBrief)
  • Meanwhile, according to a survey by Juniper Networks, remote work has widened organizations’ attack surface, giving cybercriminals more opportunities to launch attacks against them. (Source: Entrepreneur)
  • Smart doorbells were found to be an “easy target for hackers”. Why are we not surprised? (Source: The BBC)
  • The FBI warned people to be careful after it found newly registered domains pretending to belong to the organization. (Source: Bleeping Computer)
  • Several Minecraft mods were found in the Google Play Store that are just adware apps and do nothing for you or for the game. (Source: CyberScoop)
  • Mustang Panda, a suspected hacking group from China, continues to gather intelligence about Vatican diplomacy due to the Catholic Church’s operations in China. (Source: CyberScoop)
  • According to a report, 38 percent of online video gamers have suffered from account hacking “at least once” in the past. (Source: Atlas VPN)

Stay safe, everyone!

The post A week in security (November 23 – November 29) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

IoT cybersecurity bill passed by Senate

Malwarebytes - Wed, 11/25/2020 - 14:32

Days before taking a week-long Thanksgiving recess, the US Senate passed an almost mundane cybersecurity bill that, if approved by the President, will improve security guidelines and protocols for Internet of Things (IoT) devices purchased and owned by the Federal government.

The bill, called the Internet of Things Cybersecurity Improvement Act of 2020, was actually introduced into the US House of Representatives last year. The Senate agreed to pass the legislation on November 17 under “unanimous consent,” which means that one Senator—in this case Senator Rob Portman of Ohio—asked that the bill be passed without any single objection from any of his colleagues. It does not mean the bill received unanimous votes in its favor. The procedural move is rare when passing legislation in the Senate.

Upon passage, Harley Geiger, director of public policy at cybersecurity company Rapid7, spoke highly of the bill.

“This is arguably the most significant US IoT-specific cybersecurity law to date, as well as the most significant law promoting private sector adoption of coordinated vulnerability disclosure,” Geiger wrote in a company blog post. “IoT security is widely acknowledged as a global priority, and vulnerability disclosure processes are fundamental security practices, so passage of the bill should be seen as a very positive step forward for cybersecurity and the security community.”

The bill focuses primarily on guidelines and procedures.

First, the IoT Improvement Act of 2020, if signed into law, will require the Director of the National Institute of Standards and Technology (NIST) to develop and publish “standards and guidelines for the Federal government on the appropriate use and management by agencies of Internet of Things devices.”

Those standards will apply to IoT devices owned and controlled by Federal government agencies, and they must provide guidance on secure development, identity management, patching, and configuration management.

After the NIST director publishes those guidelines, the bill will require that the Director of the Office of Management and Budget review the current information security policies and principles of Federal civilian agencies, and make sure that those policies line up with the NIST’s newer guidelines. That review will also require coordination with the director of the Cybersecurity and Infrastructure Security Agency, or CISA, which until last week, was a position held by Chris Krebs.

Further, the current Federal acquisition rules for purchasing and owning IoT equipment must be updated in line with the required NIST guidelines to be published after the passage of the bill. As part of these requirements, a government agency will not be allowed to purchase IoT devices if that agency’s Chief Information Officer finds that such a device would fall short of the newly imposed rules.

Finally, the bill will require that NIST also develops guidelines for discovering and disclosing vulnerabilities in IoT devices that it owns or controls.

The IoT Cybersecurity Improvement Act of 2020 marks a significant first step for the Federal government into placing security regulations on IoT devices. As we have repeatedly written aboutand spoken about—IoT security is a nascent landscape, and the lack of standardization across devices means that we are somehow both safer and more at risk to cybercriminals.

As Adam Kujawa said on our podcast about IoT cybersecurity this month, the best advantage we have for IoT security are that there are different platforms, different frameworks, and different protocols, which make it harder for any single group of cybercriminals to launch a wide-scale attack.

At the same time, though, Kujawa said that this scenario “works against us in the sense that developing security tools in order to protect these devices is just as difficult because you can’t create one solution that will necessarily work on every single device.”

The IoT Cybersecurity Improvement Act of 2020 could help usher in a future where IoT device-makers can look to a single set of guidelines for their products. While the bill does not require these standards to be applied to devices purchased by general consumers, the guidance itself could still be helpful in creating agreed-upon security goals.

With unanimous consent from the Senate, there should be little reason for the president not to sign the IoT Cybersecurity Improvement Act of 2020 into law.

The post IoT cybersecurity bill passed by Senate appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Spotify resets some user logins after hacker database found floating online

Malwarebytes - Wed, 11/25/2020 - 13:24

A team of researchers working for vpnMentor has found a treasure trove in the form of an unsecured Elasticsearch database containing over 380 million records. The trove contained login credentials and other data belonging to Spotify users.

So what’s Spotify doing leaving its user data hanging around on an unsecured database? Answer: It’s not. On investigation, the team found the database didn’t actually belong to Spotify. Instead, the database was in use by a third party to defraud Spotify users.

What happened?

“The vpnMentor research team discovered the database as part of a huge web mapping project.”

After port scanning and examining weaknesses and vulnerabilities, the researchers habitually look for leaked data. This database was unsecured and unencrypted, so it was fully accessible for anyone that found it. After reviewing and confirming what they found, the team informed Spotify. Together they concluded that whoever owned the database had probably obtained the login credentials from an external site and used them on Spotify accounts.

The database builders may have used credential stuffing to verify whether the logins were valid for the Spotify service.  

The origin of the database

How this third party came into possession of, or managed to build, the database is as yet unknown. There is a possibility that it was obtained from vendors on the Dark Web. Either way, it’s clear that it would have taken them a great amount of work and/or money to amass such a huge database with verified accounts. An investment they surely would hope to earn back by defrauding Spotify users.

Trying not to gloat

It is hard not to gloat about someone’s misfortune in a case where the fraudsters’ database gets exposed. It looks as if the threat-actors should have read our blog about backdoors in elastic servers. The problem is that besides the researchers, there may have been others that found this exposed database and their intentions could have been malicious.

The content of the database

Besides the usernames and passwords for Spotify, many of the database records also contained personally identifiable information (PII) like:

  • email addresses
  • country of residence

Besides taking over a victim’s Spotify account, anyone with access to this database could use the PII to connect the data to other accounts of the victim, such as their social media profiles. The PII could also be used for spear phishing or even identity theft.

What do Spotify users need to do?

Spotify initiated an automated reset of passwords for all users affected. So if your credentials were in that database you should have received a notice about this password reset. If you didn’t receive such a notice but you want to reset your password anyway, you can follow this link and find the instructions there.

Unfortunately, and despite many users asking for MFA, Spotify has not yet enabled any kind of multi-factor authentication that we know of.

Re-used credentials

If you have used the same login credentials on other sites, which we advise against, you should change those passwords as well. Then go read our blog about why you don’t need 27 different passwords for some pointers.

Stay safe, everyone!

The post Spotify resets some user logins after hacker database found floating online appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Apple security hampers detection of unwanted programs

Malwarebytes - Tue, 11/24/2020 - 16:59

Anyone who uses Malwarebytes software is probably familiar with the fact that, in addition to things like malware and adware, Malwarebytes detects potentially unwanted programs (PUPs). These are programs that exhibit a variety of unsavory behaviors, but that, for legal reasons, cannot be called malware.

PUP (n): a program that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often come bundled with other software that you installed.

https://blog.malwarebytes.com/glossary/pup/

For the entire history of Malwarebytes software on iOS—the system that runs on iPhones, iPads, and iPod Touches—there have been things we would consider to be PUPs on the iOS App Store. However, due to limitations imposed by Apple, we’ve been completely unable to scan or remove PUPs from those devices (iPhones or iPads). This is simply the reality of working within Apple’s ecosystem.

On macOS, however, we’ve always been able to detect and remove PUPs. Unfortunately, we’re seeing the first signs that this is starting to change—not just for Malwarebytes, but for all security companies.

PUPs on the App Store?!

Although PUPs on Mac can be downloaded either from the App Store or the web, the question of why PUPs exist on the App Store at all is a key factor in the problem at hand. The answer is pretty simple: because Apple and Malwarebytes have different tolerance levels.

At Malwarebytes, we have a very low threshold of tolerance for PUP behaviors. We’re very aggressive in our detection of PUPs, and we have an amazing legal team that helps make that possible. It’s not always an easy stance to take, but it’s one we believe strongly in and are willing to spend resources defending.

Apple, on the other hand, is essentially in a monopoly position. It owns the hardware and the systems, and if it decides you shouldn’t run a particular program, you won’t be running that program without some significant efforts. This makes Apple far more vulnerable to lawsuits, and it has to take a more conservative approach towards PUPs.

As much as I’d like Apple to be tougher on PUPs, I understand why it can’t be as aggressive as we are.

This is not to say Apple won’t do anything about PUPs, it just needs more evidence of egregious behavior before it can act. We’ve successfully lobbied Apple in the past to get PUPs removed from the App Store, while other times we’ve been unsuccessful.

A new technology

Starting in macOS 10.15 (Catalina), Apple introduced a couple important new technologies. The first is support for system extensions. These differ from the older kernel extensions in that they are safer and easier for developers to create. Kernel extensions could fairly easily cause catastrophic crashes and other issues if a developer wrote poor kernel code.

The second technology is the EndpointSecurity framework, designed to provide support for all the things that security software used to use kernel extensions for.

These technologies are not open to everyone, however. Developers have to apply for entitlements to be allowed to use them. These entitlements are not easy to get. It took some time for us to get them here at Malwarebytes, and there are people who have a legitimate use case for these entitlements who have been rejected.

Once you have these entitlements, though, there’s a significant advantage to using system extensions in security software: once installed, and approved by the user, they are protected by macOS. This means that they become nearly impossible to remove, except by the software that installed them in the first place.

This is a really great feature for security software that may be targeted for removal by malware in order to not be detected. However, it turns out there’s a problem with this protection.

PUPs protected against removal

One of the common sub-groups of PUPs we detect are antivirus programs that show unwanted behaviors meeting certain criteria. As an example, a program that requires payment, but the antivirus engine it uses is available for free from another company, would be a likely candidate for detection.

Unfortunately, antivirus programs are also candidates for the system extension and EndpointSecurity entitlements. Anyone can apply for these entitlements, but you stand a much better chance of getting them if you are—or appear to be—a security company.

We’ve now seen a case where two different companies with a long history of making PUPs—including junk antivirus programs—have gotten these entitlements. Those programs now have a system extension, which cannot be removed by Malwarebytes or any other software.

In one case, the PUP in question is the most hated PUP by Mac IT admins and Mac tech shops everywhere, and was the subject of two separate class action lawsuits alleging fraudulent behavior.

The fallacy of Apple security

For many years, iOS has existed as a locked-down environment, incapable of being scanned for malware by any app. Antivirus software does not—and cannot—exist on iOS.

Yet iOS is not invulnerable to malware. It is unfortunately possible for an iPhone to get infected. The most famous case involves the Pegasus malware, created by NSO and used to infect journalist Jamal Khashoggi’s iPhone. Khashoggi had no way to determine that his phone was infected, and had to trust that Apple’s system was as secure as claimed. Unfortunately, this may have led to his demise.

This is a dramatic story that by no means embodies the impact of all iOS infections… but it does underscore the fact that they exist, and there’s little that anyone outside Apple can do about it. Since well-written malware shows no symptoms that the average person would be able to identify, an infected iOS device is likely to stay infected.

Apple’s new EndpointSecurity feature was touted as a more stable way for antivirus software to do its job than low-level kernel extensions. However, they are under Apple’s tight control, and this is the first concrete sign that control may push macOS in the direction of iOS.

At this point, it’s hard to say what the future of antivirus on macOS is. It’s obvious that Apple has at least some interest in supporting antivirus software, as evidenced by the creation of the EndpointSecurity framework. This is distinctly different from iOS, where such a framework does not exist.

However, it is starting to look like antivirus developers will have to play by increasingly limiting rules, and that now means not being able to protect users against certain things. Worse, Mac users will be unable to manually remove those things without contortions that the average person will find quite cumbersome.

The post Apple security hampers detection of unwanted programs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Looks like we’re stuck with Zoom: Is it any safer?

Malwarebytes - Tue, 11/24/2020 - 11:35

Earlier this month, Zoom’s stock price took a dive on news of two promising COVID vaccines offering over 90 percent effectiveness against the virus (a third vaccine was just announced). That’s nice. Glad to know some people think this nightmare is ending soon and we’ll all go back to the office and the classroom.

But our ability to walk into a clinic and get either of these vaccines is still months away and we’re dealing, right now, with a surge of new coronavirus infections. The reality is we’re going to be stuck with Zoom for a while longer.

Earlier in the pandemic we reported on the security risks associated with Zoom. Much of it was pretty juvenile. Think Zoombombers drawing on screen using the annotate function. On the other hand, there are countless stories online of meetings being interrupted by attendees scrawling racial epithets on screen, posting pornographic images, and threatening presenters with acts of violence. It was also revealed that Zoom’s encryption wasn’t as secure as the company claimed.

As you prepare to log in to your next Zoom meeting or class, let’s take another look at Zoom. Has it gotten any safer?

Zoombombing

Zoom has several existing settings that users can leverage against potential meeting interlopers. That’s all well and good, but when you’re in the middle of defending your doctoral dissertation and you’re suddenly staring at a giant phallus someone drew over your Powerpoint (sadly, this actually happened), there’s just no good option short of shutting down your entire meeting—until now.

This month, Zoom debuted three new features that can prevent or stop disruptions like these from happening.

Suspend Participant Activities

The Suspend Participant Activities option acts like a ban hammer for presenters. Hitting this switch pauses all video, audio, chat, annotation, screen sharing, recording, and Breakout Rooms. From there, the meeting organizer can report a user and they’ll be removed from the meeting immediately.

Report users

Zoom has made it easier to report disruptive users on both the web app and the desktop client. There’s also a new setting that admins can flip that allows participants to take the initiative and report users on their own.

At-Risk Meeting Notifier

Zoom has introduced the At-Risk Meeting Notifier which scans social media posts and “other websites” for publicly shared Zoom links. If the notifier finds a meeting link online, it’ll send an automated email to the account owners and admins alerting them to the potential risk. From there, the meeting organizer can delete and reschedule the meeting with a new link.

As a quick reminder, you should require pre-registration before every meeting. Otherwise, use a random meeting ID for every meeting, instead of your Personal Meeting ID, and require a passcode to enter the meeting. And for goodness sake, disable annotation for participants if you’re delivering a presentation that in no-way requires your attendees have the ability to draw on screen.

Encryption

Zoom got busted back in March for its creative definition of “end to end encryption.” As reported by The Intercept, Zoom conference data was being encrypted between the user and Zoom, meaning data was safe from someone spying on your WiFI connection. However, Zoom still had the ability to access unencrypted conference data on its end, which could be a problem if Zoom was involved in a data breach. Zoom could also be forced to hand over conference data at the request of government agencies. Fortunately, Zoom started encrypting meetings for real for both free and paid users in October.

All that being said, you have every right to remain wary given Zoom’s ambiguous language around encryption. One quick fix is to use a virtual private network (VPN) like Malwarebytes Privacy, for example. With a VPN, you’re effectively creating your own secure tunnel between yourself and Zoom. However, you’re still trusting Zoom with your data once it’s on the company’s servers.

Use something else

If this post sounds like a diss on Zoom—it’s not. This reporter happens to like Zoom. You might feel otherwise. However, switching to something else is easier said than done. Your employer or your school likely has a service agreement with Zoom. Going rogue and using the conferencing software of your choosing may not be allowed or it might not be something you can afford out of pocket. If you’re in a position where you can pick whatever web conferencing software you want, here are some important considerations:

  • Does this conferencing software feature true end-to-end encryption?
  • What options are built-in for handling meetings crashers (aka Zoombombers)?
  • Do attendees need to install the application on their computer before attending a conference?

Those are just a few of the questions you should be asking. Whatever you choose, do your due diligence, pick the right conferencing software for your needs, and keep your meetings secure.

The post Looks like we’re stuck with Zoom: Is it any safer? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lock and Code S1Ep20: Tracking the charities that track you online with Chris Boyd

Malwarebytes - Mon, 11/23/2020 - 15:00

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Chris Boyd, lead malware intelligence analyst for Malwarebytes, about charity organizations and online ad tracking. Though many might assume that these two topics have no overlap, they absolutely do.

Ad tracking itself isn’t anything new—luxury brands used to place their advertisements specifically in newspapers that delivered to high-income zip codes, and medications for age-related illnesses broadcast commercials during daytime television, when retirees are more likely to watch.

But today’s ad tracking supercharges that match-making game with a complex, opaque machinery that can track what you do online, what websites you visit, what browser you use, and even your gender, religion, and political bias.

Tune in to hear about how charity organizations utilize online ad tracking tools—and why that could concern some users—on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes storeGoogle Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:
  • Malsmoke operators abandon exploit kits in favor of social engineering scheme
  • WebNavigator Chromium browser published by search hijackers
  • Chris Krebs, director of Cybersecurity and Infrastructure Security Agency, fired by President
  • IoT forecast: Running antivirus on your smart device?
Other cybersecurity news:
  • Microsoft unveiled Pluton, a new security chip for Windows PCs that the tech giant will deliver through partnerships with Intel, AMD and Qualcomm. (Source: SecurityWeek)
  • The ransomware gang known as DarkSide has announced plans to offer a distributed storage platform for affiliates. (Source: Hot for Security)
  • Facebook fixed a critical flaw in the Facebook Messenger for Android messaging app that allowed callers to listen to other users’ surroundings. (Source: BleepingComputer)
  • A Chinese state-sponsored hacking group has infected more than 200 systems across Southeast Asia with FunnyDream. (Source: ZDNet)
  • Capcom has confirmed that hackers stole customer data and files from its internal network following a ransomware attack. (Source: TechCrunch)

Stay safe, everyone!

The post Lock and Code S1Ep20: Tracking the charities that track you online with Chris Boyd appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Black Friday 2020: How to shop safely online

Malwarebytes - Fri, 11/20/2020 - 16:00

Black Friday 2020 promises to be somewhat different from years gone by thanks to COVID-19. The annual surge of in-store chaos and trolley dashes isn’t compatible with social distancing, and so retailers will be looking to drive shoppers online.

Friday 27th November is when things kick off this year, and yet some aspects will be radically different. If you intend to go to physical stores, then there’s a few things you’ll need to keep in mind.

Black Friday: Not spared from the lockdown

Some retailers are closing physical stores. Others are looking to extend how long their sales last, with the possibility of fewer sales in-store and more offered online to keep visitors to a minimum. One possible knock-on effect of so many online orders could be a delay in deliveries. Online shopping has increased as much as 75% already due to the pandemic, and Black Friday looms ominously in every retailer’s calendar.

Retailers are usually incredibly pleased about upcoming sales bumps. Now? It’s largely just the promise of in-store problems and offline capacity issues. While this may not concern the biggest retailers too much, small and medium businesses could well feel the pinch depending on what their 2020 Black Friday strategy is.

Sadly, this year’s sales bonanza comes with a possible increase in online scammers hunting for targets. Here are some ways you can beat the double threat of COVID-19 and internet scams this coming Black Friday.

Staying safe on Black Friday: Our tips
  1. Be suspicious of emails claiming to be from stores, especially if they ask for login details and/or supply you with links which look different to the URL you’re most familiar with. Spelling mistakes aren’t always a sign of a scam, but on the other hand, most businesses use proof-read templates, so errors are unusual. Similarly, HTTPS doesn’t mean the site is legitimate; only that data entered can’t be easily snooped by third parties. Pretty much anyone can get a free HTTPS certificate these days, so it’s not a sure-fire sign of legitimacy either way.
  2. Use a credit card if possible, as it’s generally the safer option online. Debit cards tied to your bank account are often more problematic when dealing with a scam situation—the money immediately leaves your account and it can be more difficult to get it back than with a credit card.
  3. Scammers may direct you to malware-laden sites or try to compromise legitimate sites in the run-up to Black Friday. Make sure your operating system is up to date, your security software is running the latest version, and you’ve got all the in-browser plugin protection you need before heading off to the virtual shopping races.
  4. Watch out for shortened links on social media, as they may be hiding nasty surprises.
  5. Don’t fall for “retweet/share to win a prize” tricks. Any giveaway is a tempting prospect but you’ll want to ensure the account running the promotion is legit. Do they have a verified presence on the social media platform? If not, how familiar with the account are you generally? Social etiquette top tip: some of your audience won’t like lots of competitions and raffles dropped into their curated timelines. Do them and yourself a favour, consider running a standalone account just for competitions. They’ll appreciate you not spamming their feed, and if you do end up retweeting something bad, you’ll be massively reducing its reach.
Further resources for keeping yourself secure

Here’s some blogs you may find useful to help with the above tips.

Shop safely in 2020

As has been mentioned, this year’s Black Friday is going to be a bit of an odd one. If you’d rather not venture out into possible crowds, or be stuck in very long distanced lines, that’s great. Stay home and reduce the potential COVID-19 risk. However, you’ll need to ensure your online security is similarly precaution filled. If your devices need a general spring cleaning to get things where they need to be security-wise, this could be the perfect moment to make a start.

Our very own Black Friday discount

It would be remiss in an article about safely shopping on Black Friday, not to mention that Malwarebytes is offering a Black Friday discount itself. You can save 50% on Malwarebytes Premium and 40% on Malwarebytes Premium + Privacy.

Whatever you do this Black Friday, we wish you safe and secure shopping for both Black Friday and beyond.

The post Black Friday 2020: How to shop safely online appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Demystifying two common misconceptions with e-commerce security

Malwarebytes - Fri, 11/20/2020 - 15:59

Online shopping has seen a dramatic increase in the months following the Covid-19 outbreak as more and more people opt-out of visiting physical stores. Such a phenomenon does not go unnoticed or without additional consequences. During the same time period, we have seen an increase in the usual scams but also digital skimming, the online equivalent of credit card theft.

As a consumer, you may be hearing different tips on how to shop online safely. A common one is to look for the “https” in the site’s URL, but what exactly does that mean in the case of a compromised site?

As a merchant, processing transactions securely is one of the top requirements in order to achieve SAQ-A level PCI DSS compliance. Many businesses choose to work with a Payment Service Provider (PSP) and use iframe containers. Once again, how do those fare when malicious code is at play?

When it comes to online security there is always a caveat, and the important thing is to understand the sometimes subtle nuances of technology concepts and their limitations.

The padlock

When we visit a website, our browser makes a series of requests to a web server via the HTTP protocol. The server will in turn reply with responses that include the text and images displayed on screen.

There was a time not so long ago when most websites were not using encryption and therefore exposed communications between server and browser. In other words, an attacker could capture sensitive data you might be typing into a website because that data was sent in clear text.

With the adoption of HTTPS, HTTP requests and responses are encrypted via the TLS (Transport Layer Security) protocol, the successor of SSL (Secure Sockets Layers). In addition, HTTPS authenticates web servers such that when you browse to https://www.facebook.com, private and public keys using the site’s SSL certificate are matched to guarantee the legitimacy of the server. (Note: we still commonly use the term “SSL certificate”, but the technology behind it is TLS).

Today, there really is no valid reason for a website not to have an SSL certificate anymore. Not only can they be obtained for free, but browsers will display a warning that could deter people from visiting your website.

One recommendation you might hear about when it comes to shopping online is that if the site is secure, its URL should start with “https://” and include a lock icon on the shopping cart page. While technically this is true, the meaning of ‘secure’ needs to be properly defined.

Indeed, a number of people will wrongly assume that a site using HTTPS is secure, and therefore can be trusted to buy from. The SSL certificate guarantees that the connection to the site is secure (meaning, encrypted) and that the site is who it pretends to be, but that’s it.

To drive the point home, at Malwarebytes we detect thousands of websites that all use HTTPS and are yet dangerous or outright malicious. In fact, when it comes to e-commerce, almost all of the sites that have been injected with a credit card skimmer do use HTTPS.

Figure 1: A number of merchant sites using HTTPS that have been hacked

When a website has been compromised, an SSL certificate does little to guarantee your online safety. This is why it’s important to understand the difference between a secure communication protocol and a secure website.

Websites run on software that can have vulnerabilities and be exploited by threat actors. A hacked site may contain malicious code that controls what you see and do within your browser, whether it uses HTTPS or not.

Figure 2: A web skimmer using HTTPS to load malicious code and exfiltrate data

The irony is that online criminals themselves have adopted SSL certificates too. And there’s not much comfort in knowing that your credit card data has been stolen and exfiltrated ‘safely’.

There is no doubt you should stay away from sites that have not adopted the latest secure communication protocols. However, you should not take for granted that a site is secure (in the sense of safe to shop) simply because you see a padlock.

iframe protection

A number of online shopping sites use a Content Management System (CMS) such as Magento where the checkout page relies on third-party forms to handle sensitive data. The integration is meant to be seamless in order to give shoppers the best experience possible.

One popular option is the iframe container, where a merchant site integrates a third-party script within an iframe on the checkout page. In technical terms, the provider script is inserted within an iframe container where the customer will enter their payment details (i.e. credit card number, month and year expiry and CVV). This means that no cardholder data is stored, processed or transmitted by the merchant.

Figure 3: Braintree Hosted Fields isolating payment data

The same-origin policy (SOP) enforced by modern browsers ensures that code contained in one page can only access data in another page if both web pages have the same origin. In other words, if the merchant site gets hacked, SOP prevents malicious code from stealing data within the protected iframe.

Unfortunately, there are many ways to bypass iframe protection and it usually comes down to having control of what is loaded onto a page. The PCI Security Standards Council states in one of its reports that “If an attacker has compromised the merchant’s website, however, they can create alternative content for the frame, which then allows completion of the payment process as well as creation of a copy of the cardholder data for the attacker.”

In an attack we observed recently, threat actors were targeting Braintree Hosted Fields to inject their very own iframe within the same container after disabling the legitimate one.

Figure 4: A rogue iframe takes the place of the Braintree iframe

As you can see in Figure 2, the legitimate Braintree iframe (braintree-hosted-field_number) has its display property set to none while a malicious iframe (fpmt) takes it place.

This means that the attackers now have direct access to the credit card number field and can steal it once the customer types it in, completely bypassing the iframe container protection.

Containers still have value for merchants as they can help them achieve PCI compliance and also generally augment their overall security posture. However, externalizing the payment process does not mean that your platform is secure from hackers.

Security in layers

There is no absolute in the security field, and if one technology claims to solve all problems it probably is too good to be true.

As the threats targeting online shoppers evolve, so must our response too. Credit card skimmers can target just about any platform and business, but there are some higher risk areas and behaviors. When evaluating a shopping site, you need to look well beyond the HTTPS padlock and even security seals.

  • Is the site up to date? While technically this would require scanning the CMS core files to determine their version, some things such as copyright notices showing dates of years past are a giveaway.
  • Is this a small ‘mom and pop’ website? Those are generally at greater risk because the owners have fewer resources to invest in security.
  • Does the site offer payment options that may be more secure such as a separate payment gateway, or token system?
  • Does the checkout page render properly without any odd looking elements? Skimmers often try to inject phishing forms or hijack existing fields, which can sometimes be noticed visually.

After doing due diligence checks on the site, you can still thwart the risk of online skimming by using security software, and in particular browser extensions that can block malicious code from loading. Malwarebytes Browser Guard was designed to filter out ads, scams and malicious content.

As an online merchant, there are a number of security decisions to make when you run a website. It would be difficult to list them all here, but as a general rule it’s good to remember that security is not an end state but a constant process that requires resources. Being proactive to anticipate attacks and have a plan in case of a compromise is also critical.

There are a number of services that provide security hardening and monitoring with varying costs. These can be a good option for a merchant that does not have its own IT team. As a side note, most web developers or web agencies (unless specified otherwise) will only build a website but not provide ongoing security updates and monitoring.

The post Demystifying two common misconceptions with e-commerce security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

IoT forecast: Running antivirus on your smart device?

Malwarebytes - Thu, 11/19/2020 - 17:47

In 2016, threat actors pulled off a basic but devastating botnet attack that harnessed the power of the Internet of Things (IoT).

After gathering a list of 61 default username and password combinations for IoT devices, threat actors scanned the Internet for open Telnet ports and, when they found a vulnerable device, gained entry, eventually amassing an army of IoT devices to launch a massive DDoS attack.

This was the Mirai botnet attack. Though it began as a simple get-rich-quick scheme involving, of all things, the popular video game Minecraft, it led to a widespread Internet outage on the US East Coast.

In terms of ingenuity, the attack was fairly crude. There was no social engineering element and no clever attack machinery.

But if that kind of rudimentary attack destabilized an entire region’s Internet, what would a focused IoT attack do instead? And what types of IoT security are protecting users today?

Last month, for Cybersecurity Awareness Month, Malwarebytes hosted multiple educational webinars and cybersecurity training sessions for its employees, offering advice on strong password creation, two-factor authentication, and how to spot a phishing email. 

In our final week of Cybersecurity Awareness Month, we hosted a live version of our podcast, Lock and Code, for our employees. In the episode, (which you can listen to in full here) we spoke to John Donovan, chief information security officer for Malwarebytes, and Adam Kujawa, security evangelist and a director of Malwarebytes Labs, about the future of cybersecurity for the Internet of Things.

What we learned was interesting enough to present to our audience in both our podcast and, today, as a blog on Malwarebytes Labs.

Crucially, the future of cybersecurity for IoT devices is not separate from the future of cybersecurity for all devices. In fact, as our use and reliance on IoT devices shifts from general convenience to full integration into daily routines, the two concepts may very well merge.

Here’s what is keeping us safe today, and what we can expect to keep us safe tomorrow.

IoT non-standardization: Boon or burden?

Perhaps non-intuitively, IoT devices are currently protected by the exact same infrastructure that leaves them vulnerable—they are not standardized. That means that many IoT devices out there today, from smart fridges to smart speakers to smart watches, are often built on different parts that run different operating systems that rarely, if ever, talk to one another.

From one perspective, that’s good, Kujawa said.

“Right now, the best security we have for IoT devices is that [development] isn’t standardized yet,” Kujawa said. “There are lots of different devices using different platforms, on different frameworks, with different protocols in some cases, and that confusion makes it difficult to do things like develop a serious security threat to these devices.”

From another perspective, though, this same non-standardization presents a threat to effective IoT security solutions.

“It also works against us in the sense that developing security tools in order to protect these devices is just as difficult because you can’t create one solution that will necessarily work on every single device,” Kujawa said.

Until that standardization arrives, Donovan said that a lot of IoT device cybersecurity hygiene falls to the users themselves. Donovan and Kujawa offered several best practices that consumers should be able to implement today, no matter their level of tech proficiency:

  • Change the default password on your IoT devices
  • Do not connect your IoT devices to networks you do not trust
  • Stay informed about any reported vulnerabilities for your devices
  • Update your devices

These four steps will better protect your IoT device from harm because, as we learned from the Mirai attacks, cybercriminals are primarily looking for easy targets. Think of it like actual burglary attempts: Thieves don’t often go looking for padlocks to try and pick, they look for doors that are unlocked.

Beyond these basic steps, Donovan noted that the lack of IoT standardization has created a higher bar for some users to fully secure their own devices and networks.

“All the things you would do to secure a corporate network? Now you have to do it in your house,” Donovan said. That includes several security best practices like segregating individual IoT devices and setting up a virtual LAN—or VLAN—to isolate IoT devices from the rest of a network.

No matter the level of tech proficiency, though, there’s more to cybersecurity than personal responsibility.

Donovan said that IoT developers should include automatic security updates by default. No automatic updates often result in no meaningful cybersecurity, and that goes for any popular device or software.

Where the problems really start to compound, though, is in the corporate world.

Cybersecurity issues for businesses

The Internet of Things is not there solely to help consumers set oven timers while cooking or to play a few rounds of the game show Jeopardy! when bored. In fact, countless manufacturing factories and hospitals utilize devices and equipment that routinely connect to the Internet for communication and operation. So, when one of those devices goes down, or if threat actors discover a vulnerability, the overall threat could be more severe.

Complicating the issue is that some of the companies that actually manufacture this type of equipment are small businesses that can sometimes fail, Kujawa said.

“I’ve heard about this plenty of times for plenty of hospitals, where they’ve got this equipment that’s running on Windows XP, and the company that built it doesn’t exist anymore, and they never released updates for it.” Kujawa said. “It puts the organization in a really tough spot.”

Imagine the many businesses in just this situation, saddled with a now-unsupported IoT device that is crucial to their daily operations. If a vulnerability is discovered, what options can they take? Remove the IoT device and lose days of production time, or risk running the device until a serious cyberattack hits, which would also incur high costs to resolve? 

Either way, relying on specialized IoT devices made by small companies that cannot support their own products is a recipe for disaster, Kujawa said.

“Especially the smaller stuff and the specialized stuff, it’s very unlikely you’ll get security updates for that,” Kujawa said. “This is basically a vulnerability machine you can plug into your network.”

Despite the difficult cybersecurity realities today, the future of IoT devices looks potentially simpler.

The future of IoT cybersecurity

Much like how IoT devices are becoming increasingly crucial to businesses, these devices are also becoming increasingly integrated into our day-to-day lives.

It’s important to remember that our smartphones are not excluded from the IoT conversation, and every extension of our smartphones—tablets, smart watches, even far-away concepts like augmented reality glasses—will present us with more ways to connect to the Internet than ever before. No longer will cyberspace be relegated to the computer screen. 

With that increase in popularity and daily integration, Kujawa predicted that the public would see the rise of about four to five primary IoT developers. It’s not hard to imagine today which companies will be included on that list; already, Apple, Google, and Amazon are cornering the market on smart speakers, smart watches, and, of course, cell phones.

Whatever those four major players will be, Kujawa said, there will also be a narrowing in the number of operating systems available for IoT devices. Once enough people have purchased enough IoT devices running on a limited number of operating systems, then, Kujawa said, the cybercriminals will strike.

“When we get to that point and more folks are using [IoT devices] for things like banking or social media, then that’s when we see the investment by cybercriminals,” Kujawa said.

But, Kujawa said, these cybercriminal waves will demand a cybersecurity response.

“When we see investment by the cybercriminals, that means that all of the security vendors, if they haven’t already been migrating to those platforms, they need to do that,” Kujawa said. “[If] that’s where the focus is going to be by the bad guys, that’s where the focus has to be by us as well.”

When asked if he could ever see a future where Malwarebytes and other similar antivirus tools run on IoT devices, Kujawa spoke matter-of-factly:

“Absolutely. We’re headed in that direction right now.”

The post IoT forecast: Running antivirus on your smart device? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds