Techie Feeds

Phone spampocalypse: fighting back in the age of unwanted calls

Malwarebytes - Thu, 09/27/2018 - 18:58

When Nigel Guest, then president of the Council of Neighborhood Associations (CNA), sent an email with the subject line, “test,” and the small letter “x” in its message body, the city of Berkeley, CA, went into a frenzy. You see, Mr. Guest thought he sent it only to himself, but he actually posted that terse email by accident to thousands of registered voters in the area. And thus, what is now known to locals as the Berkeley Spampocalypse was born.

Some were understandably annoyed, angry—even threatening—while others took it with grace. Those in the latter group were able to organize a potluck picnic they called “CNA Survivor Picnic” that weekend at Ohlone Park. 70 residents turned up, had a blast, and capped off the event by handing Mr. Guest a can of Spam as a thank-you gift.

Granted, not many spam stories have a happily ever after. In fact, many of us know that a positive outcome like this typically doesn’t happen at all. When it comes to spam, faces flush red, pupils dilate, and people force a smile behind gritted teeth.

Bulk unwanted email was the bane of society before filtering technology was introduced. Although email spam can still cost people their productivity, we can genuinely say that, at this point in time, we have at least come to manage it.

Sadly, we can’t say the same about phone spam.

Spampocalypse reborn

Users have found themselves at war with a constantly burgeoning trend of unwanted calls that plagues smartphones, traditional landlines, and VoIP devices. And while there are tools to help consumers address robocalls, scam calls, and spoofed calls, contrary to popular opinion, US telecommunications companies have the technology to protect customers themselves—they just haven’t done it yet.

To this day, some of these companies are still hemming and hawing about aggressively blocking robocalls, putting the technology on the back burner. Another roadblock to the adoption of new blocking technologies is the existence of legacy phone systems that may not be up to the task. As a result, addressing the robocall problem is left mostly in the hands of consumers.

But the spam problem isn’t going to go away on its own. According to a report from First Orion, a company that provides call blocking, by 2019 almost half of cellphone calls in the US will be scams. We’re also seeing a new and emerging trend of non-English speaking robocallers targeting immigrant communities. Thankfully, lawmakers have taken note of the rising tide of phone spam and decided to do something about it.

The long arm of the law

Many might feel that the fight is like David (stone and slingshot in hand) versus 10 Goliaths in chariots, but what users must realize is that they are not alone.

Read: Stop telephoning me-eh-eh-eh-eh: robocalls explained

Regulators and lawmakers have long recognized that consumers cannot solve this seemingly impossible problem on their own. After all, they are just as affected by the deluge of unwanted calls as the average Joe, and have similarly witnessed the consistent surge of phone spam over the last few years. Thus, several new laws and rules have been passed or introduced to help address robocalls and other illegal calls. They include:

DNO list

In the fourth quarter of 2017, the FCC approved rules that authorize voice service providers—mobile phone carriers, landline carriers, and VoIP carriers—to instantly block telephone numbers on a “Do-Not-Originate” (DNO) list. A DNO list is a set of phone numbers that do not or cannot make outgoing calls. Calls that appear to come from numbers on the DNO list are therefore always fraudulent, and instantly blocking them can curb unwanted calls. While those in the telecommunications profession agreed that a DNO list would help, they also believed that scammers would eventually find a way around it.

RAY BAUM’S Act

Officially designated as H.R. 4986, the Repack Airwaves Yielding Better Access for Users of Modern Services, or RAY BAUM’S Act, gives power to the Federal Communications Commission (FCC) to strengthen the US’s critical telecommunications services and increase the deployment of 5G. RAY BAUM’S Act, which was passed in March 2018, is also meant to “advance proposals that would help the FCC and law enforcement protect consumers from fraudulent telephone calls, and to educate Americans about their options to stop these illegal calls.”

Florida Call-Blocking Act

Bill number CS/HB 1267, or the Florida Call-Blocking Act, gives power to telecommunications service providers to block calls from bogus numbers, spoofed numbers, and numbers that impersonate local numbers. It also authorizes telecoms to stop blocking certain calls, such as emergency calls.

ROBOCOP Act

The Repeated Objectionable Bothering Of Consumers On Phones, or ROBOCOP Act, if passed, will give more power to telecom customers to pick and choose the type of calls they want to receive and block. It will also give users the right to take legal action against telecoms that violate this act. Telecoms will also be required to verify the accuracy of caller IDs and offer free, optional robocall-blocking technology to their customers.

In an April 2018 blog post, Contact Center Compliance noted that the ROBOCOP Act may do harm to legitimate debt collectors and to those reliant on collection calls. As we all know, consumers aren’t particularly keen on receiving calls from debt collectors. The ROBOCOP Act would make it easy to simply block them and forget their troubles.

Mitigate, mitigate, mitigate

Since the publication of our last post on robocalls, additional technologies and strategies have resurfaced that some consumers use and swear by for blocking unwanted calls. The list below supplements the mitigation steps we have already provided:

Consider using a Google Voice number to screen and forward calls. Google Voice has been around for almost a decade, and users have found that using Google’s free phone number as their primary number instead of their real number has helped filter out unwanted calls. Unfortunately, Google Voice is only available in the US. Google advises that those outside the US can use Hangouts.

Use your phone’s “Do Not Disturb” feature. Doing so, in effect, will whitelist calls from your contacts and block everything else. You can do this on iOS by opening the Settings app, turning on Do Not Disturb—don’t give it a schedule—then tapping “Allow Calls From” and picking “All Contacts.” On Android, you can do this by going to Settings > Sound > Do Not Disturb.

Note that while this is a blanket workaround, it might be wise to regularly add numbers you trust, such as those used by your child’s school, to your contact list to avoid missing any important calls from them. And remember: calls from potential employers, doctor’s offices, or anyone with a phone number that hasn’t been entered in your contacts list will not get through to you.

Android also has a built-in caller ID & spam feature that you may want to enable.

Consider using an external robocall-blocking device. Traditional landline and VoIP phone users may find these nifty gadgets helpful. If you’re wondering what these devices are, Consumer Reports already has a review out for specific products you can start off with, like CPR Call Blocker Protect (a device geared towards more vulnerable users like those who have Alzheimer’s), Nomorobo, Digitone Call Blocker Plus, Landline Call Blocker, and Sentry Dual Mode Call Blocker.

Think about purchasing a phone spam-blocking security app for your smartphone, such as Malwarebytes for iOS or Malwarebytes for Android, both of which will block spammy or malicious text messages as well.

Get ready for STIR and SHAKEN. STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) together form a standard created, and currently being tested, by the Alliance for Telecommunications Industry Solutions (ATIS). The general idea of STIR/SHAKEN is borrowed from the textbook of modern cryptography. New York Magazine has illustrated what this would look like once implemented, and we have duplicated it below for your convenience:

Someone would place an outbound call. That call would contain a certificate verifying that the call is indeed coming from the number it claims to be coming from. The phone call is passed along to the incoming carrier (e.g., AT&T), which would then check the certificate’s public key against a heavily encrypted private key. A policy administrator, run by the telecom industry with oversight from the FCC, would be in charge of handing out certificates and making sure everything is on the level.

While the technology has yet to take off, some of the downsides of STIR/SHAKEN have already been identified. For one, STIR/SHAKEN can only work in the US, and robocalling is a global problem. It may also take time for all US carriers to adapt to the new system, and if they do, it could cost them millions. As such, it’s likely that they would pass the cost along to existing customers. Lastly, malicious callers could obtain and use a verified number to call their targets, the same way phishers use HTTPS certificates to make their phishing sites more believable.
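As an added illustration (not from the original post, and not code from ATIS), here is the exchange described above in simplified form: the originating carrier signs the call's identity claims with its private key, and the terminating carrier verifies the signature with the public key from the carrier's certificate before trusting the caller ID, rejecting a token whose calling number was altered, one signed under another key, or one that is stale. The claim names, the 60-second freshness window and the omission of the certificate chain are assumptions made for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims is a simplified PASSporT payload (assumption: the real SHAKEN token also carries an origid and a certificate URL).
type Claims struct {
	Orig   string `json:"orig"`   // calling number the originating carrier vouches for
	Dest   string `json:"dest"`   // called number
	Attest string `json:"attest"` // "A" full, "B" partial, "C" gateway attestation
	Iat    int64  `json:"iat"`    // issued-at, Unix seconds
}

const MaxTokenAge = 60 // assumed freshness window in seconds; older tokens are treated as replays

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func NewCarrierKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the originating carrier's step: ES256 (ECDSA P-256 over SHA-256) over
// header.payload; r and s are left-padded to 32 bytes and concatenated, JWS style.
func Sign(key *ecdsa.PrivateKey, c Claims) (string, error) {
	header := b64([]byte(`{"alg":"ES256","ppt":"shaken","typ":"passport"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := header + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// Verify is the terminating carrier's step: check the signature with the public key
// from the originating carrier's certificate, then check the claims fit the call.
func Verify(pub *ecdsa.PublicKey, token, calling, called string, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, errors.New("bad signature: token forged or payload altered")
	}
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return c, err
	} else if err = json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Orig != calling || c.Dest != called {
		return c, errors.New("signed numbers do not match the delivered call")
	}
	if c.Iat > now || now-c.Iat > MaxTokenAge {
		return c, errors.New("token is stale or not yet valid")
	}
	return c, nil
}

// AlterOrig changes the calling number in a token without re-signing it (negative test input).
func AlterOrig(token, newOrig string) string {
	parts := strings.Split(token, ".")
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	_ = json.Unmarshal(payload, &c)
	c.Orig = newOrig
	altered, _ := json.Marshal(c)
	return parts[0] + "." + b64(altered) + "." + parts[2]
}

func main() {
	key, _ := NewCarrierKey()
	call := Claims{Orig: "+12025550143", Dest: "+14155550102", Attest: "A", Iat: 1537912800}
	token, _ := Sign(key, call)
	_, err := Verify(&key.PublicKey, AlterOrig(token, "+12025550199"), "+12025550199", call.Dest, call.Iat+5)
	fmt.Println("altered caller ID rejected:", err)
}
```

A token that verifies proves only that a carrier vouched for the number, which is exactly why a verified number in the hands of a malicious caller remains a risk, as noted above.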

When the dust settles

More unwanted call tactics will spring up in the future, no doubt—experience has taught us to expect it. Thankfully, we see a lot more movement from regulators, law enforcement, and several telecoms and private companies to address the problem of unwanted calls.

It’s great to know we’re not entirely defenseless in this fight against phone spam. So, let’s make use of the tools available to us, take advantage of the protection services offered by our phone providers, and continue to hold telecom companies accountable for preemptively blocking unwanted calls. Remember that the dust will settle eventually. And if we really think happy thoughts, maybe there’ll be a potluck picnic for survivors of unwanted calls, too.

Additional reading:


The post Phone spampocalypse: fighting back in the age of unwanted calls appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT

Malwarebytes - Wed, 09/26/2018 - 17:13

A variant of CVE-2018-8373, a remote code execution vulnerability in Internet Explorer’s scripting engine that was patched last August, has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro, we recognized the infrastructure serving this exploit. The same static domain has been active since at least early July, and traffic is redirected to it from an adult website injected with a malicious script.

In the traffic capture below, from August, we were served CVE-2018-8174, which is thought to be from the same author. It is interesting to note that this is not an exploit kit; rather, it appears to be a single actor who implemented the available proof of concept to distribute his payload, the Quasar Remote Administration Tool (RAT).

During our tests with this new variant of CVE-2018-8373, we found it to be quite unstable, failing to detonate its payload via PowerShell invocation. However, a working CVE-2018-8174 was still serving the same payload we had captured back in August.

The source code for CVE-2018-8373 has been uploaded to many platforms already (PasteBin, VirusTotal), including to the AnyRun sandbox. That sample triggers the exploit and spawns PowerShell. In the following animation, we replayed this attack to show how our anti-exploit technology is able to mitigate this vulnerability at various levels.

We can expect that other threat actors will be looking at this code for possible implementation. However, unless it is improved, it is unlikely to be integrated into exploit kits, considering that its cousin, CVE-2018-8174, works flawlessly.

Indicators of compromise

Injected adult site

198.211.33[.]67 clubtubes[.]com

Exploit-serving domain

54.191.17[.]130

  • myswcd[.]com/vol/m3.html (CVE-2018-8373)
  • myswcd[.]com/vol/m2.html (CVE-2018-8174)
  • myswcd[.]com/vol/me.html (CVE-2018-8174)

Payloads served from the same host:

  • myswcd[.]com/vol/s1.exe (Loader)
  • myswcd[.]com/vol/v1.exe (Installer)
  • myswcd[.]com/vol/v2.exe (Quasar RAT)

Payload hashes (SHA-256):

7EEF6EF8FED53B7C3BF61BA821F375A0A433EA4CB0185FD223780B729A9A5792
268909BC33F0F8C5312B51570016311E3676AF651A57DE38E42241DCC177B2D6
D9A967D0CAA8DB86FECA3AE469EF6797E81DFDAC4D8531658CB242A87C80CE05

The post Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT appeared first on Malwarebytes Labs.

Holes found in Mojave’s privacy protection

Malwarebytes - Wed, 09/26/2018 - 15:00

macOS Mojave was released on Monday, September 24, with much promise of increased privacy protections. In particular, apps are now required to get permission from users before they can access data in certain locations, such as Mail data, contacts, calendar events, Safari user data, and more.

Blocking access to Safari user data would have prevented the issue brought to light earlier this month, in which apps from the Mac App Store were capturing users’ browsing history. In Mojave, unless the user approves an app like Dr. Battery to access that data—which seems unlikely, considering that the app’s purpose had nothing to do with browsing history—the app would be prevented from accessing that data at all.

What’s the problem?

Although the new privacy protections are well-intended, developers and security researchers have expressed some concerns about the way they have been implemented. In particular, there is a legitimate concern about an issue called “dialog fatigue.” The idea is that people get tired of being hassled when they’re trying to get work done, and will just do whatever is needed to click past a warning dialog without actually reading it.

Dialog fatigue—similar to security fatigue—is real, and after having upgraded to Mojave, I can attest to the fact that it has a tendency to display a lot of these dialogs in the beginning. I had to approve access to data for quite a few of my apps. Chances are, the average person will get tired of doing so, and will simply approve each one without paying attention.

To add confusion, these dialogs simply display “Don’t Allow” and “OK” buttons. Although there’s certainly the implication that OK means “allow,” this is not explicitly stated and could result in mistakes being made.

Apps that use background processes may also fail to trigger the user approval prompt, which can break those apps in interesting ways, such as causing crashes or silently impairing functionality.

Mojave’s privacy protection is far from perfect so far, but it turns out problems go much deeper than user interface issues. Two security researchers have independently, within 24 hours of the Mojave launch, announced troubling findings.

Patrick Wardle posted a video on Monday demonstrating a zero-day vulnerability that can allow a malicious program to gain access to protected data without needing to get the user’s approval. The video demonstrates how to trigger a request for access to contact data in the Terminal, and shows that request being denied. Subsequent attempts to access that data from the Terminal simply fail.

The video then goes on to show execution of a proof-of-concept app Wardle developed, called This app does not trigger any access request, and is able to read and copy that data nonetheless.

Wardle has reported this to Apple, but has not made the details of this vulnerability public at this time. He has promised to discuss them at the upcoming Objective by the Sea, the first ever Mac security conference.

The next day, a blog post from a source at SentinelOne revealed that it is possible for a remote attacker to gain access to protected data via ssh.

ssh is a Unix program, and the name is an abbreviation for “secure shell.” The program allows you to establish a remote connection to another computer and send Unix commands through that connection. ssh is often targeted by attackers as a way into a system. And if an attacker can get in via ssh, they can have full control of the machine and access to all data.

SentinelOne goes on to point out that many different processes will be highly likely to be given full disk access. For example, the Terminal can be used to access many different parts of the disk, and may be given a global exemption by power users. People who run AppleScripts are likely to give access to programs like System Events, Script Editor, or Automator. Any of these could be hijacked to execute malicious commands.

What does this mean?

As far as actual risk, you’re no worse off in Mojave than you were running any older version of macOS, none of which featured this kind of privacy protection. In fact, despite these bugs, it’s still harder for an app to get access to this data than it was before.

However, these changes continue a troubling trend at Apple. macOS High Sierra began a concerning process of causing significant problems for developers and users alike, via the user approval process for installing kernel extensions. There are many issues in that process involving both the user experience and bugs in macOS. The user ends up confused and frustrated, and the developer ends up working as unpaid Apple support.

The explosion of new approval dialogs produced by these changes to Mojave will be another step down this same road. The friction people experience with these dialogs will result in developers being penalized for doing interesting and innovative things, while many users will continue to click “OK” in warning dialogs without reading them.

Protecting the user’s privacy is an extremely noble goal, but the multiple issues and bugs involved with this particular implementation will likely cause more problems in the short term than they will solve.

The post Holes found in Mojave’s privacy protection appeared first on Malwarebytes Labs.

Safari users: Where did your extensions go?

Malwarebytes - Tue, 09/25/2018 - 16:00

Safari 12 has brought with it some changes to how OSX handles browser extensions. At WWDC in June, Apple announced that Safari would block legacy extensions installed from outside the Extensions Gallery, which itself would now be deprecated.

As a replacement, Safari will now rely on “app extensions.” Apple said that app extensions don’t see any browsing details, are more segregated from user data, and put much less of a strain on overall performance. Sounds great, right? Unfortunately, the implementation has been somewhat high-handed, as you can see below:

No user interaction required, no real information on why specific extensions were turned off to the exclusion of others, just an automatic disabling. When this happens with security-focused extensions, it can be a little alarming, and a lot of users seem to have been caught by surprise.

How to re-enable extensions

Some extension makers like Adblock Plus have released new versions to comply with Apple’s security requirements. But if your favorite hasn’t been updated yet, how do you re-enable it?

With Safari open:

  • Go to Preferences
  • Click the Extensions icon
  • Manually check the box next to the extension you’d like to enable

But why is this a security issue?

That’s not very much work to get your extensions back, so what’s the big deal? Apple announced it in advance, after all. Let’s look at a few reasons why this might not have been the best way to roll out new OSX features.

The dialog box lies

“Safari turned off extensions that slow down web browsing.” In the most literal sense, this is true. Browsing without any extensions at all would most likely be fractionally faster. This is not why Safari turned them off, however.

“You can find newer extensions in the App Store.” This is literally true. But can you find newer versions of the specific extensions referenced? Who knows? The extensions in the screenshot at the top were most likely turned off because they did not come from the extension gallery to begin with, and only one had a new app extension available at time of writing.

Apple does not communicate any of this via the dialog box.

The release notes are confusing

Here’s what the Safari 12 release notes say on the subject:

  • Automatically turns off Safari extensions that negatively impact browsing performance
  • Improves security by only supporting legacy Safari Extensions that have been reviewed by Apple

In the above example, the extension block was most likely due to the second bullet. But the dialog only references the first bullet. Which one was it? How can I tell which of my legacy extensions will continue to receive support?

The choice is made for you

This is, to some extent, a matter of taste, as not everyone wants to be bothered with the inner machinations of their Mac. Very few people read the text in any dialog box, and when it comes to security, most people assume that their Mac knows best.

But when security improvements impact performance, shouldn’t you be given the option to think about it before a change? Further, what about extensions that are used routinely to get work done? Some are much more critical than those that change the word “millennial” to “snake people” on web pages. Switching off everything indiscriminately can have negative effects on productivity.

Apple’s motives with the change are pure, and strengthening a wall between extensions and user data is a great idea. But implementations that don’t consider user experience create a great deal of short-term frustration, and can erode trust in future security improvements.

The post Safari users: Where did your extensions go? appeared first on Malwarebytes Labs.

100 channels and nothing on, except TV Licensing phishes

Malwarebytes - Tue, 09/25/2018 - 09:00

We’ve seen a lot of people referencing fake TV Licensing emails they’ve received over the last few days. The majority so far appear to be fake refund notices, asking potential victims to log in to a phony TV License website and provide payment details for refunds. It’s definitely keeping customer support busy:


Many of the URLs we’ve looked at are down now, but not all, so we thought we’d take a look.

The scam pages are what we’d describe as functional; a fairly accurate depiction of what one might expect to see on a genuine refund page hosted on the TV Licensing website. In this example, the site claims the visitor is owed a £147 refund, though there are variable amounts quoted in the scam mails, as we’ll see later.

Here’s one of the scam sites in question, located at:



Alongside the usual personal information scammers like to obtain, the site wants both card details and bank account information, which could result in extended discussions with the bank afterwards to get everything straightened out. They also ask for mother’s maiden name, presumably for additional social engineering attempts further down the line (or even just a general grab for a password reset answer).

As with many of these scams, the site claims the victim needs to give “two to three days” to allow for the refund to be processed. This is a tactic as old as the hills to give the scammers enough breathing room to do their damage while the victim does nothing, eagerly awaiting a refund that’s never going to arrive.

General observations

A lot of the sites finding their way into people’s inboxes may not be from the same campaign, and as a result, they’re all doing many different things. Below, we’ve tried to pin down some of the common patterns we’ve seen from this spam blast.

1) Some of the sites currently bouncing around have a copyright notice of 2017, whereas the rest say 2018. While this probably isn’t enough to tip someone off that the site they’re looking at is a fake, it might help tip the balance for some.

2) We haven’t seen any HTTPS sites (yet), but that doesn’t mean they’re not out there. This is the part where we gently remind everyone that phishing pages can and do make use of HTTPS to make things look more legitimate, and given the number of free certificate services on offer, it’s not exactly difficult to achieve. Here’s what you see on the non-secure site from our example above:


3) Refund amounts and deadlines listed in the mails vary widely. We’ve seen a few people complaining about phishing attempts in the region of £124.50, with 30 September being given as the deadline to process any refund requests. The longest deadline time we’ve seen is “2 to 4 weeks,” which is an incredibly long time for a scammer to assume a potential victim will still be waiting around for their money.

The largest fake refund amount we’ve seen cited so far is a whopping £492.57. Given that a colour TV License costs somewhere in the region of £150, there’s no possible way someone could be owed close to £500 for a year’s worth of TV Licenses unless something had gone massively wrong.

4) The sites look similar, but don’t follow a uniform template. Below is one (now offline) example, which looks quite a bit different from the one up above, separating the various requests for information onto separate pages.


5) There have also been a few mentions of dubious PDF attachments on Twitter, but so far no word as to whether they’re loaded with malware or simply an additional part of the phish. Some scammers will attempt to make their missives look more legitimate with fancily thrown-together PDFs to give everything an extra veneer of “this is definitely the real thing.” Just because an attachment is present doesn’t necessarily mean it’s an infected file. (Of course, we’d never advise opening one to check.)

Final thoughts

This isn’t an overly complicated scam, but then again, it doesn’t need to be. Asking for a few hundred pounds from people here and there quickly adds up, and fear of not paying your TV License on time is almost something of a panic reflex for the British. It makes sense, then, for scammers to take advantage of people’s wariness and thank their lucky stars for a too-good-to-be-true license refund.

If you’re worried, check out the TV License website’s advice on phishing scams, and be wary of any emails claiming to offer up cash, no matter the amount. There’s a good chance the missive in front of you needs to be deposited where it belongs: in the recycle bin.

The post 100 channels and nothing on, except TV Licensing phishes appeared first on Malwarebytes Labs.

Mobile Menace Monday: SMS phishing attacks target the job market

Malwarebytes - Mon, 09/24/2018 - 17:45

Recently, a co-worker received an enticing SMS message from ASPXPPZUPS Human Resources. It read:

Tired of your old job? Join our team today, work from home and earn $6,200 per month: hire-me-zvcbrvpffy.<hidden>.com.  

Could it be that our dream job awaits via random text message? On the contrary, this SMS phishing attack could cause nightmares for unsuspecting job hunters.

Don’t quit your day job

In order to investigate this phish further, the first step is browsing to this so-called career-changing website mentioned in the message.


Amazon!? Awesome! Let’s review this exciting position of Prime Agent. Great base salary plus commission! Full healthcare and minimal working hours! Brand new car!? All for a couple of easy job responsibilities you can do from home—Apply now!

Okay, seriously though, if the brand-new car bit doesn’t tip people off this is a ruse, I don’t know what will.

Gathering information

Knowing this is a ruse, let’s proceed forward by clicking Apply now regardless.


This is where I’m a little disappointed in the scammers. This could be an opportunity to gather a person’s full resume, with history of work, education, where they live, and a plethora of other information. Instead, they only ask for name, email, and phone number. Lazy. Still, this is enough to send spam emails and even more SMS phishing attacks.

Adding fake information and turning on a network sniffer, I submitted the information.

As a result, the network capture shows the information going to an amz-jobs-careers.<hidden>/apply.php. After hitting Submit Details, it redirects to to make things look legitimate.

Job hunters beware

Many studies have shown that in America, many people are unhappy with their current jobs. For example, the Conference Board conducted a 2018 study reporting that 51 percent of people are satisfied with their jobs, thus leaving 49 percent unhappy. In addition, it’s a job-rich economy right now, which means it’s a great time to be looking if you aren’t happy in your current situation. It’s no wonder scammers are targeting job hunters. For those in the 49 percent, best to stick with more trustworthy methods than through SMS phishing messages.

To aid in the battle against SMS phishing attacks, the premium version of Malwarebytes for Android alerts users to dangerous links in SMS messages. Furthermore, it also scans for phishing URLs when using the Chrome browser, once again alerting on detection.

In case anyone was wondering, I’m fortunate to be in the 51 percent of people happy with their jobs—mainly because I get to protect readers like you! Stay safe out there!

The post Mobile Menace Monday: SMS phishing attacks target the job market appeared first on Malwarebytes Labs.

A week in security (September 17 – 23)

Malwarebytes - Mon, 09/24/2018 - 17:03

Last week, we took a look at a low level spam campaign on Twitter, explored the signs of falling victim to phishing, and examined a massive WordPress compromise. We also explained some SASL vulnerabilities and covered a breaking Emotet spam campaign.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (September 17 – 23) appeared first on Malwarebytes Labs.

Emotet on the rise with heavy spam campaign

Malwarebytes - Fri, 09/21/2018 - 22:55

The threat landscape is changing once again, now that the ocean of cryptocurrency miners has shrunk to a small lake. Over the last couple months, we’ve seen cybercriminals lean back on tried and true methods of financial theft and extortion, with the rise of a familiar Banking Trojan: Emotet.

Over the last few days in particular, we’ve noticed a large increase in malicious spam spreading Emotet, as well as a higher number of detections from our customers. It looks like we’re in the middle of an active Emotet campaign.

What is Emotet?

For those who are unfamiliar, Emotet is a nasty piece of malware that has had numerous purposes over the years, including stealing data and eavesdropping on network traffic. For its latest trick, Emotet is spreading other banking Trojans, or malware that steals your financial information, bank logins, and in some cases, Bitcoin wallets.

Emotet has the ability to propagate through a network by using the popular EternalBlue vulnerability, first seen in use in the famous WannaCry ransomware outbreak. This functionality makes the malware even more dangerous to businesses, which have numerous endpoints linked together.

Once a system is infected, Emotet can then spread itself outside the network via a built-in spam module. Imagine an Emotet-infected endpoint as a flower. Emotet’s spam module, then, would be the bees that spread pollen from flower to flower. The spam module sends new infections to other systems, which (if the users fall victim) creates even more new infections, which then blast spam to even more systems. And the process continues again.

Now, accelerate our metaphorical pollination process by at least 1000x, and you can begin to see how Emotet is quickly making a lot of…um, flowers…for businesses.

Spam campaign

Recently, the security community noticed an increase in malicious spam either spreading Emotet or coming from systems infected with Emotet. In addition to Emotet, this malspam campaign is also pushing Trickbot, a popular information-stealing malware that we spoke about last year when unused code was discovered using the same exploit as WannaCry.

We're seeing a large #Emotet spam campaign with maldocs, originally spewing malicious Word documents, but now sending out PDFs. At its peak, we blocked over 300k spam emails in 3 hrs. Detection name: TrojanDownloader:PDF/Domepidief.A

— Windows Defender Security Intelligence (@WDSecurity) September 18, 2018

This spam campaign is pushing malicious documents to users: first Microsoft Word documents with malicious macro scripts and then PDFs with built-in malicious scripts. This method of attack (malspam), using these specific file types (malicious documents), has become the de-facto default method of spreading malware today.

Malicious spam emails that are spreading Emotet and Trickbot right now have similar subject lines. Below is a list of common subject lines for this campaign:

  • Sales Invoice
  • Account September Invoice **** from ****
  • Statement 20/09/2018 for customer ****
  • Your Invoice: **** - Our Ref: ****
  • Account Alert - Your recent Wellsfargo payment notice
  • Activity Alert: Money transfer details
  • Activity Alert: Your recent payment notification
  • Payment details
  • Your recent payment notice
  • August Invoice ****
  • Invoice **** from ****
  • Invoice for August
  • Invoice **** - ****
  • Invoice No - ****
  • Invoice number ****
  • Invoice **** from **** for Order : ****
  • Invoices from ****
  • INV-**** ****
  • Complete invoice ****
  • **** report: Complete invoice Q7370 - 21 September 2018
  • OVERDUE INVOICE
  • Re: Your recent invoice request for your account
  • Sales invoice from ****
  • **** Invoice Ready To View
  • September Invoice INV-B58986 from ****
  • SERVICE INVOICE ****
  • Invoice/Credit ****
  • Statements/Invoices Ready To View
  • Your **** Invoice for billing period 08/2018

Increase in stats

In addition to the increase of malspam spreading Emotet, we’ve also observed an increase in Emotet detections from our users. The chart below shows a five month period, from mid-April to mid-September 2018, broken down by the day. You can see a steady increase of Emotet through the end of the summer into September, with the largest spike in Emotet detections happening only a few days ago. While this is not a sign that it will rain Emotet, when you combine that spike with the known ability of Emotet to spread itself quickly and efficiently, we could be in for some nasty infections over the weekend.

Despite its ups and downs—Emotet has not seen a continuous rise over the past year, though there was a similar massive Emotet and Trickbot campaign earlier in 2018—Emotet has been a bit of a thorn in the side of the security community for most of the year. That’s because when it is active, it has potential to do a lot of damage.

How much damage? Emotet is dangerous not only because of its capabilities to spread like wildfire and steal sensitive financial data, but also because it can download and install additional malware, which leaves the door open for anything coming through, from spyware to ransomware. Potential fallout could include:

  • Theft of Personally Identifiable Information (PII), which could lead to identity theft 
  • Stolen financial information, which can later lead to extortion
  • Stolen proprietary information, which can be held for ransom
  • Credential theft, which means other accounts and passwords are vulnerable
  • Theft of locally-stored cryptocurrency wallets
  • Protracted remediation times for network admins
  • Loss of productivity for workers whose endpoints must be taken off the network

Stay protected

Staying safe from the current Emotet campaign is not particularly difficult, since it is spread through malicious spam. However, users who don’t have a keen eye, or who have little training in common phishing techniques, might fall victim. One of the easiest ways to stay protected against Emotet is simply to keep a keen eye out for shady emails, especially if they have one of the subject lines mentioned above, include an Office document or PDF attachment, and come from unrecognizable email addresses. However, when it comes to social engineering, there is no guarantee someone won’t be fooled.
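The three signals above (a campaign subject line, an Office or PDF attachment, an unrecognized sender) can be turned into a simple mail-gateway triage rule. This is an added example, not code from the post or from Malwarebytes; the subject patterns are copied from the list above with the `****` placeholders treated as wildcards, and the sender domains and messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Subject-line patterns taken from the campaign list above; "****" marks a
# variable part such as an invoice number or a company name.
CAMPAIGN_SUBJECTS = [
    "Statement 20/09/2018 for customer ****",
    "Your Invoice: **** - Our Ref: ****",
    "Account Alert - Your recent Wellsfargo payment notice",
    "Activity Alert: Money transfer details",
    "Invoice **** from ****",
    "Invoice number ****",
    "Invoices from ****",
    "OVERDUE INVOICE",
    "September Invoice INV-B58986 from ****",
    "Your **** Invoice for billing period 08/2018",
]

# Attachment types the campaign used: Word documents with macros, then PDFs.
RISKY_EXTENSIONS = (".doc", ".docm", ".docx", ".pdf")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a subject pattern with **** wildcards into an anchored regex."""
    literal_parts = [re.escape(part) for part in pattern.split("****")]
    return re.compile("^" + ".+?".join(literal_parts) + "$", re.IGNORECASE)


SUBJECT_REGEXES = [pattern_to_regex(p) for p in CAMPAIGN_SUBJECTS]


@dataclass
class Email:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)


def triage(email: Email, known_sender_domains: set) -> dict:
    """Score one message on the three signals the post lists: a campaign
    subject line, an Office/PDF attachment and an unrecognised sender."""
    subject = " ".join(email.subject.split())  # collapse odd whitespace
    subject_match = any(rx.match(subject) for rx in SUBJECT_REGEXES)
    risky_attachment = any(
        name.lower().endswith(RISKY_EXTENSIONS) for name in email.attachments
    )
    sender_domain = email.sender.rsplit("@", 1)[-1].strip("<> ").lower()
    unknown_sender = sender_domain not in known_sender_domains

    # Subject plus attachment is the campaign's signature; one of the two
    # from a stranger is worth a human look; anything else passes.
    if subject_match and risky_attachment:
        verdict = "quarantine"
    elif (subject_match or risky_attachment) and unknown_sender:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "subject_match": subject_match,
        "risky_attachment": risky_attachment,
        "unknown_sender": unknown_sender,
        "verdict": verdict,
    }


# Constructed sample messages and sender allowlist (not real campaign mail).
KNOWN_SENDERS = {"corp.example"}
SAMPLES = [
    Email("billing@vendor-placeholder.invalid",
          "Invoice 48213 from Acme Supplies", ["Invoice_48213.doc"]),
    Email("noreply@unknown-placeholder.invalid", "OVERDUE INVOICE",
          ["statement.txt"]),
    Email("hr@corp.example", "Team lunch on Friday", []),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{msg.subject!r}: {triage(msg, KNOWN_SENDERS)['verdict']}")
```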

Thankfully, even if they open the email and download the document, Malwarebytes users (both those who purchased Malwarebytes Premium and business customers) will be safe from the malicious code within the document, as our anti-exploit technology identifies the malicious script and puts a stop to it.

Also, users that have real-time protection enabled will have the malware itself blocked if it somehow manages to get through the anti-exploit defenses.

Another way to stay safe: Make sure systems are patched for the EternalBlue vulnerability, which is still exploitable—preferably before encountering this threat.

Malwarebytes has worked hard to keep an eye on this threat, and more importantly, how to stop it. Emotet is a mean adversary, and we expect to continue dealing with it through the rest of the year, as well as any future evolutions or copycats.

That being said, making sure you, your family, and your employees know how to recognize emails attempting to deliver Emotet—or any other threat—is a key pillar in the fight against cybercrime, right alongside having a strong security solution and a “worst case scenario” plan to protect your data, users, and remediate your machines.

Thanks for reading, good luck out there, and safe surfing!

The post Emotet on the rise with heavy spam campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Simple Authentication and Security Layer (SASL) vulnerabilities

Malwarebytes - Fri, 09/21/2018 - 15:00

Simple Authentication and Security Layer (SASL) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity–checking, and encryption.

Within the framework and a few of its plugins, there are a couple of known vulnerabilities that we want to make you aware of. Although patches have been issued, not everyone has implemented them.

Why would I need to know about SASL?

Most server administrators will recognize the acronym from this type of error message or report:

“SASL LOGIN authentication failed: authentication failure”

Usually the message will contain more details about the failure, depending on the specific software and plugins that you are using. While receiving such a message in itself is not a reason for alarm, if you see it repeatedly and originating from the same IP address, then there is reason to investigate further. Possibly someone is trying to gain access to your server and planning to use it as a spam-box. They might be looking for a way to use your server and your resources to send out a spam campaign.

Countermeasures against brute force attacks

SASL attacks usually turn out to be brute force attacks, meaning an automated script or a bot is trying over and over to log into an existing email account on your server, trying many combinations of credentials to find a valid username and password pair. Thankfully, there are some countermeasures you can take against these attacks.

  • If you have the option to make your server listen on a different port, doing so might make you a less likely target for new attacks.
  • If the SASL message is from the same IP all the time, block that IP in your firewall.
  • If the attackers keep coming at you from different IPs, there are software solutions that use machine learning to automatically block any new assailant. One caveat to this solution: Be vigilant about false positives so that you don’t shut out legitimate users, such as remote employees.

If you are seeing some of these attacks, there is no reason to feel singled out. There are threat actors out there that constantly sweep the Internet for new servers listening on port 25.
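The countermeasures above start with counting how often the failure message repeats per source address, and the false-positive caveat means an allowlist for addresses you expect (a VPN gateway, remote staff). The script below is an added example, not code from the post: it parses constructed log lines written in the style of a Postfix smtpd log (the RFC 5737 documentation addresses are placeholders), flags addresses over a failure threshold, and renders candidate firewall rules for review.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a Postfix smtpd log. The IP
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 20 10:14:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:14:03 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:14:05 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep 20 10:14:07 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:14:09 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:14:11 mail postfix/smtpd[1235]: connect from unknown[192.0.2.9]
Sep 20 10:14:12 mail postfix/smtpd[1235]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:15:00 mail postfix/smtpd[1240]: warning: vpn-gw.corp.example[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:15:02 mail postfix/smtpd[1240]: warning: vpn-gw.corp.example[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:15:04 mail postfix/smtpd[1240]: warning: vpn-gw.corp.example[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:15:06 mail postfix/smtpd[1240]: warning: vpn-gw.corp.example[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:15:08 mail postfix/smtpd[1240]: warning: vpn-gw.corp.example[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

# One SASL failure line: timestamp, host, process, client name[ip], mechanism.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>[\w.\-]+)\[(?P<ip>[\d.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed"
)


def parse_failures(log_text):
    """Yield (ip, mechanism) for every SASL authentication failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield m.group("ip"), m.group("mech")


def failures_per_ip(log_text):
    """Count failed SASL logins per client IP."""
    return Counter(ip for ip, _ in parse_failures(log_text))


def find_brute_forcers(log_text, threshold=5, allowlist=frozenset()):
    """IPs with at least `threshold` failures, minus allowlisted addresses
    (VPN gateway, remote staff) so one mistyped password is not blocked."""
    counts = failures_per_ip(log_text)
    return {ip: n for ip, n in counts.items()
            if n >= threshold and ip not in allowlist}


def firewall_rules(flagged):
    """Render iptables commands for the flagged IPs; review before applying."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    flagged = find_brute_forcers(SAMPLE_LOG, allowlist={"198.51.100.7"})
    for ip, n in flagged.items():
        print(f"{ip}: {n} failures")
    print("\n".join(firewall_rules(flagged)))
```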

SASL framework

SASL is a framework for application protocols, such as SMTP or IMAP, that adds authentication support. It checks whether the user has the proper permissions to use the server in the way they request. It also offers a framework for data integrity–checking and encryption.

For a better understanding of how the framework actually works and where the vulnerabilities throw a wrench in the process, we want to give you some background about the flow of information between server and clients.

The following figure shows the basic SASL architecture:

Client and server applications make calls to their local copies of the SASL library, or libsasl, through the SASL API. The libsasl then communicates with the SASL mechanisms through the SASL service provider interface (SPI).

The following diagram shows steps in the SASL life cycle. The client actions are shown on the left and the server actions on the right. The arrows in the middle show interactions between the client and server over an external connection.

Memcached vulnerability

Memcached is a software package that implements a high-performance caching server for storing chunks of data obtained from database and API calls in RAM. This helps speed up dynamic web applications, making it well suited for large websites and big-data projects.

In 2016, security researchers from Cisco’s Talos found three remote code execution vulnerabilities. All of these flaws affected memcached’s binary protocol for storing and retrieving data, and one of them was in the Simple Authentication and Security Layer (SASL) implementation. These vulnerabilities were fixed by Memcached later that year, but adoption of the fixed versions has been poor.

Dovecot server vulnerabilities

A Denial of Service vulnerability was found in the SASL authentication component of the Dovecot server. Remote attackers can crash vulnerable systems due to a validation error when the vulnerable software handles a crafted username when processing SASL authentication if the auth-policy component has been activated. The vulnerable versions were 2.2.25 through, and unfortunately some of these are still in active use.

Another flaw was found in Dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in the Dovecot auth client used by login processes. The leak has an impact on high-performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion.

More recent vulnerabilities

A more recent vulnerability was found in Apache Qpid Broker. Both the Qpid broker and Qpid clients use the Cyrus SASL library, a full-featured authentication framework, which offers many configuration options. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called “Authentication Providers.” Each Authentication Provider can support several SASL mechanisms, which are offered to the connecting clients as part of SASL negotiation process.

The vulnerability that was discovered is a Denial of Service vulnerability, and it was found in Apache Qpid Broker-J 7.0.0 in the functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91, and 0-10 when either PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the Broker instance.

Update your software

As you can see, there are quite a few of these vulnerabilities still active, and I didn’t even touch on the older ones. In fact, there are a lot more older vulnerabilities than new ones, and I’m afraid that not all of them have been patched.

So we can’t say this enough, and we won’t stop telling you, either: Always make sure you are running the latest and patched version of the software you are using. This is especially true when talking about Internet-facing servers, and absolutely vital if one of their jobs is to keep your resources safe and secure. SASL is a vital authentication mechanism, in particular where many email servers are concerned.

Stay safe, everyone!


The figures in this article are courtesy of Oracle.

The post Simple Authentication and Security Layer (SASL) vulnerabilities appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mass WordPress compromises redirect to tech support scams

Malwarebytes - Thu, 09/20/2018 - 17:42

Content Management Systems (CMSes) such as WordPress, Drupal, or Joomla are under a constant barrage of fire. Earlier this year, we detailed several waves of attacks against Drupal, also known as Drupalgeddon, pushing browser-based miners and various social engineering threats.

During the past few days, our crawlers have been catching a larger-than-usual number of WordPress sites being hijacked. One of the most visible client-side payloads we see are redirections to tech support scam pages. Digging deeper, we found that this is part of a series of attacks that have compromised thousands of WordPress sites since early September.

Multiple injections

The sites that are affected are running the WordPress CMS and often using outdated plugins. We were not able to figure out whether this campaign was made worse by the exploitation of a single vulnerability, although the recent RCE for the Duplicator plugin came to mind. Our friends over at Sucuri believe this is a combination of multiple vectors.

Threat actors inject vulnerable sites in different ways. For example, on the client side we see one large encoded blurb, usually in the HTML header, and a one-liner pointing to an external JavaScript file. Website owners are also reporting malicious code within the wp_posts table of their WordPress database.
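Both injection forms described here (an encoded `String.fromCharCode` blurb and a one-line external script tag) can be found with a small scanner over page markup and wp_posts rows. This is an added example, not code from the post or from Sucuri; the sample page is constructed, the char codes are the partial blurb quoted at the end of the post, and the script hosts are placeholders rather than real indicators.

```python
import re

# The obfuscation construct seen in the injected blurb.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
# <script src=...> tags that pull code from another host.
EXTERNAL_SCRIPT_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//([^\"'\s>]+)", re.IGNORECASE)


def decode_fromcharcode(arg_list: str) -> str:
    """Decode the comma-separated char codes back into the string they build."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if n.strip())


def scan_markup(markup: str, trusted_hosts: set) -> list:
    """Return (kind, detail) findings for one page or one wp_posts row."""
    findings = []
    for m in FROMCHARCODE_RE.finditer(markup):
        # Show the decoded prefix so an admin can see what the blurb builds.
        decoded = decode_fromcharcode(m.group(1))
        findings.append(("obfuscated-js", decoded[:80]))
    for m in EXTERNAL_SCRIPT_RE.finditer(markup):
        host = m.group(1).split("/")[0].lower()
        if host not in trusted_hosts:
            findings.append(("external-script", m.group(1)))
    return findings


def scan_posts(rows, trusted_hosts: set) -> dict:
    """rows: iterable of (ID, post_content) as read from wp_posts.
    Returns {post ID: findings} for rows that contain something suspicious."""
    report = {}
    for post_id, content in rows:
        hits = scan_markup(content, trusted_hosts)
        if hits:
            report[post_id] = hits
    return report


# Constructed sample page: the char codes are the partial blurb from the post
# ("var som"); the hosts are placeholders, not real indicators.
SAMPLE_PAGE = """<html><head><title>Blog</title>
<script>eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109));</script>
<script src="https://cdn.trusted-placeholder.invalid/jquery.js"></script>
</head><body>
<p>Hello</p><script src='//unknown-placeholder.invalid/main.js?t=c'></script>
</body></html>"""
TRUSTED = {"cdn.trusted-placeholder.invalid"}
SAMPLE_POSTS = [
    (1, "<p>Clean post</p>"),
    (2, '<p>Post</p><script src="http://unknown-placeholder.invalid/ad.js"></script>'),
]

if __name__ == "__main__":
    for kind, detail in scan_markup(SAMPLE_PAGE, TRUSTED):
        print(f"{kind}: {detail}")
    print(scan_posts(SAMPLE_POSTS, TRUSTED))
```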

The domain examhome[.]net had a recent whois change (2018-09-16) and interesting nameservers:

1a7ea920.bitcoin-dns[.]hosting
a8332f3a.bitcoin-dns[.]hosting
ad636824.bitcoin-dns[.]hosting
c358ea2d.bitcoin-dns[.]hosting

The redirection flow shows further use of encoding to load mp3menu[.]org with a whois updated on 2018-09-15 and the following nameservers:

a8332f3a.bitcoin-dns[.]hosting
ad636824.bitcoin-dns[.]hosting

That .TK URL pattern is well known and has been documented in detail as part of a large Traffic Distribution System (TDS) responsible for massive redirections to browlock pages. Note the custom mouse cursor (the “Evil cursor”), which we reported on recently, has yet to be patched.

Scope and mitigations

The number of WordPress sites that have been compromised is increasing in the last few days, suggesting that these are ongoing campaigns.

Website owners affected by these attacks will have to perform a thorough cleanup of injected pages, databases, and backdoors. More importantly, they will need to identify the root cause of the compromise, which often times is an outdated WordPress installation or plugin.

Malwarebytes users running our browser extension are protected against the tech support scam pages without any need for signature updates.

Indicators of compromise

  • examhome[.]net: Examhome Campaign (URI)
  • uustoughtonma[.]org: Examhome Campaign (URI)
  • mp3menu[.]org: Examhome Campaign (URI)
  • ejyoklygase[.]tk: TK TSS Browlock (URI)

Injected blurb (partial): String.fromCharCode(118, 97, 114, 32, 115, 111, 109

From Sucuri Labs:

  • ads.voipnewswire[.]net/ad.js
  • cdn.allyouwant[.]online/main.js?t=c

The post Mass WordPress compromises redirect to tech support scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

6 sure signs someone is phishing you—besides email

Malwarebytes - Thu, 09/20/2018 - 16:00

There are several common and, unfortunately, frequently successful avenues of attack that cybercriminals can use to part you from your personal contact and financial information. These phishing attack methods include email, phone calls, corrupted software or apps, social media, advertisements, and even direct SMS (text) messages.

Beyond the medium used to reach you (which is most often email—still!), what are some of the signs and behaviors to look for? Not every threat is as obvious as you’d hope, and conversations that focus on the inbox only are completely inadequate in the harrowing landscape we now find ourselves in.

1. Your software or app itself is phishing

Even the most recent headlines indicate counterfeit software and apps are still real and present dangers for digital nomads. On both Android and iOS, unscrupulous coders periodically find ways to circumvent the approval process and deliver an app that seems to provide ordinary functionality even as it siphons personal information and sends it to parties unknown.

There are other means of deception, too. Fake reviews on app stores are still astonishingly common. Several hundred or even a couple thousand glowing reviews give a surface-level impression of legitimacy, but a closer look will reveal similar phrasing used by multiple users or even suspiciously similar usernames.

Sometimes, all it takes is a pretty user interface to rope in unsuspecting app store users. In some cases, dishonest developers might even improve on the UI of the app they’re trying to spoof, for that extra little boost of trustworthiness.

2. You’ve received a mysterious text or call

Much of the focus of social engineering remains on email, but it would be a mistake to discount smishing (SMS message phishing) and vishing (voice phishing). Would-be troublemakers can easily spoof local area codes you might recognize, or they might even pose as technical support representatives to encourage you to give up the credentials for your devices or accounts.

This is one of the oldest tricks in the books—and it’s still working. Thankfully, telling a real company dispatch apart from a fake one is usually fairly easy. Many companies, such as Microsoft and the IRS, are clear about never making unsolicited contact with customers over the phone. If you get a call from somebody offering help you didn’t ask for and don’t need, hang up immediately and block the number in your phone’s settings.

3. You’ve “won” something

Lottery scams and those ubiquitous “You’ve Won Something Glorious!” pop-up ads are still a popular way to phish for people’s bank account and routing numbers. Unfortunately, the fact they still exist and are so common means they still work. We all know that rush of adrenaline and excitement when we receive something when we least expect it.

A victim might receive a message on a fraudulent website indicating they have won a cash prize or a lottery drawing they did not enter, and that their winnings are available for direct deposit. If you get a message like this one, delete it (unread) and block the email address and/or phone number.

4. Your social media accounts are being weaponized

Social media has given rise to particularly nasty forms of “spear phishing”—that is, mining victims’ public profiles for useful information, and then posing as somebody you know, or who you at least might mistake as legitimate. Remember to vet your digital friends carefully.

Another way social media might be weaponized is through game mechanics, including surveys and questionnaires. You might be encouraged to spin a wheel, interact with the screen, or provide feedback on something, after which you’ll “win” the game and be asked for additional information.

As far as surveys go, remember that if you’re not obviously a customer, you’re probably the product. It might not surprise you to learn this, but fake surveys are so common on Facebook that users frequently light up the social site’s official message boards asking about individual questionnaires—even the rare legitimate one—where users receive compensation for providing their opinion.

At their most devious, traps like these fuel social engineering efforts like those conducted by Cambridge Analytica during the Brexit campaign, as well as by domestic and foreign actors during the 2016 presidential election.

5. Your URL doesn’t look right

No matter how you come into contact with a phishing scheme, there’s a good chance part of the action they want you to take involves visiting a specific URL. Knowing how to tell when a URL isn’t genuine, or isn’t affiliated with the person or company claiming to contact you, is a critical skill.

The logical first step is to run a Google or Bing search for the company and view the top results. The URL you’ve been given should match what appears at the top of a search results page. Some browsers even give you a hand with this.

Apple’s Safari truncates the address in the URL bar to just the main domain and sub-domain as appropriate. The idea is to cut out the numbers, letters and other filler to let you know immediately if you’re somewhere you didn’t expect to be. Phishers have made an art of using long and convoluted URLs to hide their intentions.

Another thing you can do is maintain an address book with the official URLs, contact numbers, and email addresses of the companies you do business with. You might also write some rules or filters so your inbox automatically weeds out and discards incoming messages based on trust symbols you’ve already identified, such as questionable sender addresses.
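The address-book idea above can be automated: reduce a link to its main domain the way a shortened address bar does, compare that with the official domain on file, and treat a brand name that only appears in a subdomain or path as a warning sign. This is an added example, not code from the post; the two-label public suffix set is a deliberately small stand-in for the full Public Suffix List, and the address-book entries and URLs are constructed.

```python
from urllib.parse import urlsplit

# A few two-label public suffixes so that "hmrc.gov.uk" counts as one
# registrable domain. Assumption: a real tool uses the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The main domain, roughly what a shortened address bar displays."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str, address_book: dict) -> tuple:
    """address_book maps an organisation name to its official registrable
    domain. Returns (verdict, reason) with verdict ok / suspicious / unknown."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "suspicious", "no host in URL"
    reg = registrable_domain(host)

    # Exact match on the registrable domain is the only thing that counts.
    for org, official in address_book.items():
        if reg == official.lower():
            return "ok", f"{host} is under {official} ({org})"

    # The brand showing up anywhere except the registrable domain is the
    # long-URL trick: hmrc.gov.uk.refund-portal.example.tk/login
    haystack = host + parts.path.lower()
    for org, official in address_book.items():
        brand = official.split(".")[0].lower()
        if brand in haystack:
            return "suspicious", f"'{brand}' appears in the URL but the site is {reg}"

    # Long or deeply nested addresses are the filler the post warns about.
    if len(url) > 100 or host.count(".") >= 4:
        return "suspicious", f"long or deeply nested address ({reg})"
    return "unknown", f"{reg} is not in the address book"


# Constructed address book: one real public domain, one placeholder.
ADDRESS_BOOK = {"HMRC": "hmrc.gov.uk", "Example Bank": "bank-placeholder.example"}

if __name__ == "__main__":
    for link in ("https://online.hmrc.gov.uk/refund",
                 "http://hmrc.gov.uk.refund-portal.example.tk/login",
                 "https://www.example.org/"):
        print(link, "->", check_url(link, ADDRESS_BOOK))
```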

6. You’ve been warned or given an ultimatum

This is another type of scam that’s as old as the digital hills, and one that preys on the human element of fear, or the innate worry of missing an important deadline.

Scammers love to include vaguely threatening language in their phishes in order to elicit a fast, irrational response from their targets. For example, a negative message campaign might include a script that tells users their information has been compromised, and they had better hand over payment before the scammers leak that (sometimes scandalous) information to the public. A classic case of extortion.

However, you’re more likely to compromise yourself by reacting too quickly to a false threat than you are to actually have been locked out of your system, or whatever the claim is.

Do you feel prepared?

Living a digital life isn’t really optional anymore—not when our entire professional, social, and even political lives unfold online.

Even daily browsing can feel like a minefield, but hopefully, you feel better prepared to handle the quintessential threat that’s at the heart of nearly every malware attack today: phishing. Scam artists know how to reel in their victims, even if they’re outside the email pool. So guard your apps, your social media, your mobile devices, and your browsers well!

The post 6 sure signs someone is phishing you—besides email appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A month of giveaway spam on Twitter

Malwarebytes - Wed, 09/19/2018 - 15:00

We’ve observed a low level spam campaign working its way through Twitter, with just under 2,000 posts visible on public search since September 1.


The posts promote what appears to be CBD oil. For those who don’t know (And I was one of them—still not sure if this oil is supposed to be inhaled or consumed, but anyway), CBD is short for Cannabidiol, which is a chemical found in cannabis thought to have pain-relieving properties. It is often distilled into oil that can be used in many different ways for various ailments.

The posts follow one of two formats. The first is a large image splash attached to each Tweet:


It says:

Have you entered into the giveaway yet for a bottle of [product name]?

They are giving it away for FREE

Follow these simple steps:
Step 1: RE-TWEET this post!
Step 2: Click the “Link” below to get your FREE [product name] for the last step!

The second post format we’ve seen is just text with a referral link:


In both cases, the Tweets lead the curious clicker to a site located at


This website’s Whois data is listed as domains by proxy, and it offers an email sign up for users to be the “first to know” about…well, no idea. It doesn’t say. I assumed the product was some sort of energy boost tablet, or maybe some kind of juice, and only learned of the medicinal oil connection after several bouts of Googling. All the visitor knows at this point is he has to sign up for something via email.


Once an email address has been handed over, the visitor will be taken to a second page that claims to offer various bundles depending on how many friends make use of the referral/sign-up links. The options available are sharing it via Facebook, Twitter, and email.


If you refer five friends, you get one month of free supplies. Ten friends, two months. If you can summon 50 friends, then they claim you’ll receive a full year’s supply.

On our sign-up page, we were told “one friends [sic] have joined…keep checking.”

I don’t know who that friend is, because I certainly didn’t invite anyone (much less have them join).

We haven’t seen any evidence of the posts being automated, so it’s likely people are firing them off manually in the hopes of a freebie or 12.

I can’t say we advise jumping on the free stuff bandwagon; it’s never actually certain if the people participating will receive their desired games, ringtones, or other gifts. In this case, there’s also zero information we can see on the site about what the product is, what it does, how you use it, or if it’s even allowed in whatever region you happen to live.

Factoring CBD into the picture further complicates the matter because CBD is only legal in certain regions (globally), and under certain conditions. For example, CBD is legal in all 50 US states if it’s derived from the hemp plant. But if derived from marijuana, it’s legal in only eight US states. If prescribed by a doctor, it’s legal in 46 states. That’s not confusing at all.

Same deal for shipping, come to think of it. Is it targeted to one area only? Is International shipping possible with CBD?

I have no idea, and most likely neither does anyone else firing the links everywhere.

Always be cautious around sets of identical posts promising you free gifts in return for performing specific tasks. Most of the time, you’re doing little more than acting as free brand promotion for someone else’s SEO team taking the day off. I’m all for boosting the brand and increasing the verticals, but that’s taking things a little too far.

The post A month of giveaway spam on Twitter appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (September 10 – 16)

Malwarebytes - Mon, 09/17/2018 - 15:56

Last week on Malwarebytes Labs, we assessed the security of a portable router, identified ways to waste a scammer’s time, named the many faces of omnichannel fraud, questioned the security of 2FAs, profiled a massive tech support scam operation, and exposed a new HMRC phishing campaign.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (September 10 – 16) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

HMRC phish swipes email login, payment details

Malwarebytes - Fri, 09/14/2018 - 16:00

It’s not tax season in the UK, but that hasn’t deterred scammers from sending out mail looking to swipe both card details and email logins in one fell swoop.

The email, which claims UKGOV has issued a tax refund to the tune of 542.94 GBP, arrives under the following title, which is spectacularly poorly formatted:

[RCPT-07010144] processed your automatic payment is available – “Subscription- 10 SEPTEMBER 2018″[Email No.’6922′]

The body content states that recipients can reclaim the cash by logging in on their “gateway portal.” Better make haste though, as (in our case) the mail has a same day expiration date for the ability to put in a claim.


Typically, we tend to see time limits of a few days on fake mails such as this one, so they’re really relying on pressure to get the job done here. We suspect anyone else receiving one of these will find themselves faced with a similarly pressing deadline.

Unlike many boilerplate tax phishes, we’re not sent directly to a fake HMRC page to enter card details.

With this scam, the first point of entry is on an imitation Outlook login, where potential victims are asked for their email address and password.

The scam site is located at:



Once the email details have been harvested, they’re then taken to a rather threadbare HMRC phish. There are no splash screens or fake logins or anything remotely resembling the process of having to sign into the so-called gateway portal. Instead, it’s just a page full of boxes to be filled with name, address, city, phone number, DOB, mother’s maiden name, and then full credit card information, just to round things off.


The site performs a basic validation check on some of the information entered. The reason for this is so the scammers can be reasonably confident that the person on the other side of the screen entered accurate information. They also gain some (slight) protection from doing this; you can’t enter some fake details to waste the scammer’s time, because when you hit the credit card number section, it’ll probably just prevent you from going any further.


You could probably still do it given enough time, but they’re likely banking on most people giving up and simply moving on instead. Make no mistake, a site such as the above is expressly geared toward nothing but the victim.

While these scams tend to experience a boom period during tax season (in this case, around April for the US and UK), there’s nothing preventing scammers from firing these out at other times of the year. In fact, it might be more of a benefit for them to do so. Recipients may be more likely to have their guard down due to the lack of “fake tax refund” articles making the rounds. Out of sight, out of mind and all that.

If you receive a mail similar to the above and you’re not sure if it’s real or not, the HMRC website has a number of pages giving advice on these specific situations. The main one to check out would be their phishes and frauds page, where you can see the type of correspondence they send out, and when they do (or don’t) send refund notices, as well as the method of said notification. They also provide some examples of phishing emails with their name on it.

One thing is for certain: You definitely won’t be sent from an HMRC refund email to an Outlook login. Don’t fall victim to a scam such as this, or you’ll have to chase down your bank and your email provider. If you have any logins tied to the compromised email account, you may have to play clean up for those, too.

Never underestimate how much trouble a fairly crude, simple phish can cause—it doesn’t take much to cause endless financial headaches and a large bundle of password resets.

The post HMRC phish swipes email login, payment details appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Is two-factor authentication (2FA) as secure as it seems?

Malwarebytes - Fri, 09/14/2018 - 15:00

Two-factor authentication (2FA) was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of entering a username and password.

One of the most well-known examples of 2FA is when you try to log into a familiar website from a different machine or from a different location, which results in a different IP. With 2FA-enabled login procedures, you will first enter your username and password on the computer and then receive a text message to your phone providing you with a verification code. You must enter that verification code on the computer to complete the login procedure.

Explaining the different factors

Two-factor authentication is a less-complex version of multi-factor authentication (MFA), which simply uses more factors to determine the authenticity of a login. So what are these factors? There are three main categories of possible factors in a multi-factor authentication setup. Let’s have a look at the possibilities.

Something you know

The “something you know” category is the factor we are most familiar with. It requires a person to enter information that they know in order to gain access to their account. The combination of a username and a password is the prime example, but things like security questions used by your bank fall in this category.

Something you have

Receiving a verification code like the one we mentioned earlier means that the procedure you are using is the “something you have” factor of two- or multi-factor authentication. Something you have can be a separate email account or phone to which a verification code can be sent, but there are also specialized hardware solutions like the YubiKey that fall into this category.

Something you are

The “something you are” category is still in development, but it centers on certain physical markers that can be analyzed by technology, or biometrics, to prove your identity. These biometrics include:

  • Fingerprints
  • Retina scan
  • Voice recognition
  • Face identification

Most of these methods still need to be made trustworthy enough for everyday use, though industries for which security is imperative have started adopting them, including healthcare institutions, banks, and mobile phone manufacturers.

Many of these methods, once fully realized, would be quite difficult for cybercriminals to crack. However, most of these are still too expensive to implement or simply too big to use on our phones.

How is 2FA vulnerable to attack?

Despite the best of intentions—to protect people’s data by making it much harder to access for criminals—two-factor (and multi-factor) authentication can still be made vulnerable. How? Criminals bypass it by already being in possession of a factor of authentication, or they brute force their way in, or they use that one evil tool that no technology can protect against: social engineering.

Here are the most common ways 2FA is being abused:

Phishing

Phishing can be used to lure victims to a fake login page. When the victim enters his credentials, the attacker forwards these to the real login page, thus triggering the 2FA procedure that prompts the victim for the numerical code that was texted or mailed to him, or in some cases produced by an authenticator app. The attacker catches this code again on the fake login page the victim is still using and now has a complete authentication set. Obviously, because the numerical code is only valid for a short time, the attacker will have to be fast. But once he does successfully log in, there is nothing stopping him from changing the phone number the next code will be sent to—or anything else in the account he wants.

Password reset

Some authentication procedures can be bypassed by performing a “lost password” procedure if the attacker is in possession of the “something you have” item. For example, let’s say the attacker gained access to the victim’s email account, and a verification link for a certain login was sent to that account. In such a case, the attacker could use the “forgot password” link on the website and use the following email interaction to change the password to something he knows.

Brute force

Some 2FA tokens are so short and limited in characters that they are easily obtainable by brute force. Unless there are fail-safes in place, a four-digit token is quite useless if the attacker has the time to apply brute force. Tokens that have a limited validity in time (TOTP) offer better protection against this type of attack.

Third-party login

On some login processes, the user is offered the option to log in using a third-party account and using this option bypasses the 2FA procedure. The best-known example is the “login with your Facebook account” that is used for certain sites and applications. In such a case, an attacker can take over other accounts once they know your Facebook credentials. (Which is why we recommend you don’t sign on using third parties unless absolutely necessary.)

How can we protect ourselves?

With more and more massive data breaches of hugely-popular companies recorded each month, 2FA is fast becoming standard procedure. And even though there are ways to get around 2FA, it is still safer than just using the old-fashioned username and password combo. To bypass 2FA, the attacker would still have to break two authentication cycles, vs. just one for usernames and passwords.

So how can we do our part to keep criminals away from 2FA? Follow these steps to keep your personal information secure:

  • Pay attention to emails telling you that an account was used from a new or unknown device, and check if that was really you. Also, pay attention to other obvious red flags like emails notifying you of failed login attempts or password reset requests that didn’t come from you.
  • If you have a Facebook account, check under Settings > Apps and Websites whether everything listed there was used by you and whether it should be there. Also, keep in mind that a “disabled” Facebook account can be resurrected when you use the “login with your Facebook account” option somewhere.
  • If you have a choice in authentication procedures, do some research into known vulnerabilities and apply those lessons. For example, weak token algorithms can be used by an attacker to predict the next token if they can see the previous ones. Or using short tokens without a limited validity can leave you open to attack. The lesson: use strong token algorithms.
  • Train yourself and your staff on recognizing phishing attempts.
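The brute-force weakness described above and the “short tokens without a limited validity” point in the list are easiest to see in code. This is an added example, not code from the article: a standard-library Python HOTP/TOTP implementation (checked against the RFC 4226/6238 test-vector secret) and a verifier with the fail-safes a server should apply: a narrow time window, an attempt limit with lockout, and one-time use of each code. The verifier class and its threshold values are assumptions, not any particular product’s behaviour.

```python
"""Added example: HOTP/TOTP generation and a verifier with fail-safes.
Not code from the article; thresholds are illustrative assumptions."""
import hashlib
import hmac
import struct

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# used only so results can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def brute_force_success_probability(digits: int, window: int, attempts: int) -> float:
    """Chance that `attempts` random guesses hit one of the 2*window+1 codes a
    verifier accepts at any moment. With no attempt limit, a 4-digit code is
    broken almost surely after a few thousand tries."""
    p_single = (2 * window + 1) / (10 ** digits)
    return 1.0 - (1.0 - p_single) ** attempts


class TotpVerifier:
    """Server-side TOTP check with three fail-safes: short acceptance window,
    lockout after repeated failures, and rejection of replayed codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # accept +/- this many steps of clock drift
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0
        self.last_accepted_counter = -1  # any counter <= this is refused (replay)

    def verify(self, code: str, now: float) -> str:
        """Return 'ok', 'bad' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        if len(code) != self.digits or not code.isdigit():
            return self._record_failure(now)
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # already consumed or older than the last accepted step
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.failures = 0
                self.last_accepted_counter = counter
                return "ok"
        return self._record_failure(now)

    def _record_failure(self, now: float) -> str:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad"
```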

If 2FA is still vulnerable, you might be asking, “Then why not use multi-factor authentication?” The sad truth is that even multi-factor authentication has its workarounds. The methods for “something you are” authentication being used on our devices right now are still pretty easy to get around—it doesn’t take a genius hacker to trip up voice recognition.

But the industry is learning rapidly as it moves forward. For example, the use of two high-definition cameras spaced apart made the iPhone X a lot better at face recognition than some of the older iPhone models. As more secure and robust versions of multi-factor authentication are made available, the hope remains that someday it will be nearly impossible to dupe.

The post Is two-factor authentication (2FA) as secure as it seems? appeared first on Malwarebytes Labs.


Partnerstroka: Large tech support scam operation features latest browser locker

Malwarebytes - Thu, 09/13/2018 - 15:00

Tech support scams continue to be one of the top consumer threats in 2018, despite actions from security vendors and law enforcement. Scammers are constantly looking for new ways to reel in more victims, going beyond cold calls impersonating Microsoft to rogue tech support ads using the good name of legitimate brands, and of course, malicious pop-ups.

We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser locker (browlock) pages. While it is common for crooks in this industry to reuse design templates, we were still able to isolate incidents pertaining to this group, which we have been tracking under the name Partnerstroka.

However, we caught up with the same campaign again recently and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome. In this blog post, we share some of our findings on this group and their latest techniques.


The browser locker is typical of those we normally see, but the crooks have ensured that most browsers and operating systems are covered with their own landing page. This is determined by looking at the user-agent string when the client requests the page from the malicious server. It is further customized via JavaScript functions that perform the “locking” part of the scam.

Different templates for the same browlock domain

The name we track this campaign under is inspired by the string “stroka” found within the HTML source code. That same string (and similar code) was also present in previous JavaScript-based “Police Browlocks” that required users to pay a fine with vouchers. However, because code reuse is common among scammers, it is likely to be an entirely different group.

Campaign identification via redirects, TLD and registrar

The threat actors use dozens of Gmail accounts following a somewhat predictable pattern.

Registrant emails tied to the Partnerstroka campaign

Each email address is tied to anywhere from a few to several hundred .club (gTLD) browlock domains abusing the GoDaddy registrar/hosting platform, with whom we have shared our investigation.

A view of the domains belonging to one email address

We were able to extract over 16,000 malicious domains during a period of several months, but we believe the actual number is much higher. Indeed, our visibility into the depth of this campaign was partly tied to the email addresses we had cataloged and unfortunately, the new privacy laws around whois records hindered our research.

Traffic distribution

We observed different techniques to redirect unsuspecting users to the browlock pages, although malvertising was almost always an element in the chain. The likelihood of getting redirected to one of these browlocks is higher when visiting websites that have less than optimal advertising practices.


BlackTDS is a Traffic Distribution System (TDS) used by crooks to deliver web threats and avoid unwanted traffic (i.e. not real humans). The kind of traffic that comes out of it ranges from social engineering attacks to infections via exploit kits.

The Partnerstroka group used various ad networks to drive visitors to the browlock page, sometimes directly but often via the intermediary of an .info gate.

BlackTDS traffic, malvertising, .info gate, and .club browlock

Decoy sites

Another technique the threat actors leveraged was redirects via decoy portals performing what we call “cloaking,” a trick used to only serve malicious content to certain kinds of users and redirect others (non-targets) to a benign-looking page instead.

Traffic from decoy sites leading to .club browlock

Blogspot redirects

We also came across a number of blogs hosted on Blogger (now owned by Google). These were either empty or only showed limited content, and again, their purpose was to perform redirects to the browlock pages.

Rogue Blogspot pages used for redirects

Studying their redirection chain more closely, we found something interesting in how the browlock domain was being called. They used a marketing platform in between that would respond with the latest registered browlock domain:

Redirect from Blogspot to the browlock

Malvertising via injected sites

The majority of activity we are observing lately comes from websites that have been injected with ad code. While some website owners do this purposely to monetize their traffic, it becomes a lot more suspicious when we find matching ad campaign identifiers across domains that have seemingly nothing in common. Thanks to @baberpervez2 for providing recent malvertising chains.

Browser locker for Edge on Windows 10 from a malvertising chain

The evil cursor

There are many different documented techniques that can be used to prevent users from closing a tab or browser window, and often those are specific to each browser. For instance, Edge and Firefox users will often get the authentication required prompt in a loop, while Chrome users are served with more nasty stuff, such as actual attempts to freeze the browser or trigger thousands of downloads.

In early September, we came across the Partnerstroka group again and noticed that they had incorporated a browser locker technique that was working against the latest version of Google Chrome (69.0.3497.81). Similar to other tricks, it effectively prevented users from closing the offending page because the mouse cursor had been hijacked.

As can be seen in the animation above, the red dot represents what the user actually clicks on, even though the cursor itself seems to be way off. The code responsible for this unwanted behavior can be found within the HTML body tag:

A few lines of code to alter the mouse cursor

The Base64 blurb decodes to a simple image of a low-resolution mouse cursor, but the important bit is the 128×128 transparent pixel, which essentially turns your cursor into a large box. We reported this issue via the Chromium bug tracker portal, and the first person who replied showed what that custom “evil” cursor looks like:

The new cursor showing an actual (invisible) square

This is one example of many such tricks that can be used against modern browsers. Often, features that are either well-documented or more obscure turn into attack vectors used to further fool end users, causing them to dial up the scammers for assistance. Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work well.
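As an added example (not Malwarebytes’ extension code), here is a small Python heuristic along the lines of the cursor trick described above: it pulls cursor: url(data:...) declarations out of a page’s CSS or inline style, parses the PNG header to get the image size, and flags cursors larger than a normal pointer, as a 128×128 image is. The sample styles are constructed, and the 32-pixel threshold is an assumption.

```python
"""Added example: heuristic for the "evil cursor" browlock trick.
Not Malwarebytes' extension code; sample styles are constructed."""
from __future__ import annotations

import base64
import re
import struct
from urllib.parse import unquote_to_bytes

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# cursor: url(data:...) with optional quotes; hotspot coordinates and fallback
# keywords after the url() are ignored.
CURSOR_URL_RE = re.compile(
    r"cursor\s*:\s*url\(\s*(['\"]?)(data:[^)'\"]+)\1\s*\)", re.IGNORECASE
)


def find_cursor_data_uris(css_text: str) -> list[str]:
    """Return every data: URI used as a cursor image in CSS or a style attribute."""
    return [m.group(2) for m in CURSOR_URL_RE.finditer(css_text)]


def decode_data_uri(uri: str) -> bytes | None:
    """Decode the payload of a data: URI (base64 or percent-encoded)."""
    comma = uri.find(",")
    if comma < 0:
        return None
    header, payload = uri[5:comma], uri[comma + 1:]  # strip the leading "data:"
    try:
        if header.lower().endswith(";base64"):
            return base64.b64decode(payload, validate=True)
        return unquote_to_bytes(payload)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def png_dimensions(data: bytes) -> tuple[int, int] | None:
    """Width and height from the IHDR chunk, or None if this is not a PNG."""
    if len(data) < 24 or not data.startswith(PNG_SIGNATURE) or data[12:16] != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def assess_cursor_styles(css_text: str, max_dim: int = 32) -> list[dict]:
    """Flag cursor images that cannot be parsed or exceed max_dim pixels.
    The 32-pixel threshold is an assumption about what a normal pointer needs."""
    findings = []
    for uri in find_cursor_data_uris(css_text):
        data = decode_data_uri(uri)
        dims = png_dimensions(data) if data is not None else None
        if dims is None:
            findings.append({"reason": "cursor image is not a parseable PNG", "uri": uri[:40]})
            continue
        width, height = dims
        if width > max_dim or height > max_dim:
            findings.append({"reason": "oversized cursor image", "width": width, "height": height})
    return findings


def fake_png_bytes(width: int, height: int) -> bytes:
    """Constructed PNG prefix (signature + IHDR) sufficient for the check above."""
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", width, height)


def fake_png_base64(width: int, height: int) -> str:
    return base64.b64encode(fake_png_bytes(width, height)).decode("ascii")


# Constructed samples: the first mimics the 128x128 hijacked cursor from the
# article, the second a normal 16x16 pointer with a hotspot and a fallback.
EVIL_STYLE = f"cursor: url(data:image/png;base64,{fake_png_base64(128, 128)}), auto;"
BENIGN_STYLE = f'cursor: url("data:image/png;base64,{fake_png_base64(16, 16)}") 2 2, pointer;'
```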

Similar campaigns

We have noted an increase in tech support scams abusing the NameCheap registrar. While we cannot positively identify that this is also the Partnerstroka group (landing page reuse among scammers is a thing), they definitely share some common traits.

Domain Name: ukxhdp[.]club
Registrar URL:
Creation Date: 2018-08-21T15:06:23Z

Browlock using the same cursor trick with a domain registered via Namecheap

Domain Name: descorservicesavailoffer[.]club
Registrar URL:
Creation Date: 2018-08-22T12:16:07Z

Browlock hosted on AWS S3 bucket


Due to the size and ever-changing nature of the infrastructure between different browser locker campaigns, applying a domain/IP database approach against them is not an effective solution. Although it does offer some coverage, scammers are always a step ahead because of their ability to register new (yet to be detected) domain names.

Here at Malwarebytes, we tackle this issue using both blacklist and, more importantly, heuristic techniques. Our browser extension (Beta) can detect and prevent browlocks:

Browlock stopped via the Malwarebytes extension

Tech support scams have been going on for some time and followed various trends over the years. While social engineering is their main leverage, they often incorporate techniques that help with that effort. We can expect crooks to keep coming up with clever ways to disrupt the browsing experience and abuse advertising, registration, and hosting platforms along the way.

As defenders, we must also face new challenges in tracking threat actors that benefit from changes brought about by privacy protection laws. As we adapt to these new realities, sharing threat intelligence with involved parties becomes more important than ever to tackle the problem at a larger scale.

Indicators of Compromise

Recent .info redirectors

getshopea7[.]info meshopea4[.]info bestshopec97[.]info

Recent .club browlocks

ourtabta133[.]club xtabtec134[.]club doebase1089[.]club digivinta137[.]club 99shopez16[.]club

Decoy sites

allaboutsearching[.]com bestcookingonline[.]com best10traveltips[.]com thronetheater[.]com bestporngifs[.]org bestshockers[.]com toptipstotravel[.]com hddfilms[.]com

Blogger redirects

part-added-to-a-book-document[.] best-account-in-world.blogspot[.]com thjdfk.blogspot[.]com webanalysesteam.blogspot[.]com latestdeliverystatusesofallyours[.] speechwordstominutes.blogspot[.]com templateanditwillalwaysservethe.blogspot[.]com themeswritingpadandcustomise.blogspot[.]com

The post Partnerstroka: Large tech support scam operation features latest browser locker appeared first on Malwarebytes Labs.


The many faces of omnichannel fraud

Malwarebytes - Wed, 09/12/2018 - 15:00

The rise of new technologies, social networks, and other means of online communication has brought about compelling changes in industries across the board.

For example, in retail, organizations use digital tools such as websites, email, and apps to reach out to their current and potential clients, anticipate their needs, and fully tailor their business strategies around making the user shopping experience as positive, seamless, frictionless, and convenient as possible.

This is the heart of the omnichannel approach. And while the foreseen outcome may sound lovely in the ears of consumers and businesses, it’s actually easier said than done. A lot of planning, executing, aligning of goals and core values, and—most importantly to us—securing is involved.

As for the organizations who have adopted this approach, a majority of them believe that they don’t have adequate tools and measures in place to protect their businesses against fraud in the omnichannel environment.

What is omnichannel?

To understand how we can protect businesses in an omnichannel environment, we should go back to basics. It’s important to know what omnichannel is, how it works, and how it affects clients of organizations using this approach.

Omnichannel—also spelled omni-channel—is a compound word composed of the words “omnis” and “channel.” Omnis is the Latin word for “all,” while channel, in this case, pertains to a way of making something, such as information or a product, available. With these in mind, one could roughly define omnichannel as available in all channels, irrespective of the business or the industry it belongs to.

For example, although an omnichannel banking strategy looks different from an omnichannel retail strategy, both apply the same principles. Here’s a simple illustration:

In omnichannel banking, the customer can access their accounts anywhere, pay their bills anywhere, and get money anywhere.

In omnichannel retail, the customer can browse items anywhere, pay anywhere, and return them anywhere.

It’s safe to assume that a majority of businesses already have the “all channels” part covered, but the basic tenet that sets the omnichannel approach apart from the multi-channel approach is its focus: Omnichannel pays more attention to how the organization interacts with the client and less to the actual transaction. The interaction between customer and organization is seamless—meaning, the customer won’t meet bumps when switching from one device to another in the middle of a purchase—regardless of the channel the customer chooses.

Because communication among channels also happens at the backend, the organization is able to anticipate a customer’s future needs, wants, and likes, which they then use to (1) tailor their pitches and/or ads and (2) communicate messages to the customer consistently across channels.

A successful and effective omnichannel strategy fosters a deeper relationship between customer and organization, which in turn translates into invaluable, loyal, and happy customers.

When a new strategy introduces new security risks

Risks are unavoidable when an organization undergoes strategic change. It’s already challenging enough for organizations to let their channels start talking to each other as part of the drive to enhance customer experience. With customers now becoming more informed, connected, and knowledgeable about what they want and what they don’t want to encounter when interacting with a brand, they significantly influence and shape the way retailers respond to them.

And why not? Nowadays, it’s relatively easy for customers to be put off by a brand that doesn’t address their growing demand for a faster, more personalized, flexible, and seamless experience overall.

Addressing such demands inevitably leads to introducing new ways consumers can shop, an uptick in the availability of fulfillment options, and the increased availability of new payment options to users. Of course, where a hand-over of money, product, or data is involved, fraud is fast on its heels.

Types of fraud in omnichannel

Organizations looking into adopting an omnichannel approach should also look into ways they can protect user data, user accounts, and sensitive financial data (if they haven’t already), on top of protecting their physical and digital assets. Below, we have identified several fraud types that are found in an omnichannel retail environment. (Note that some of these can also be found in multi-channel retail environments):

  • Card-not-present (CNP) fraud. A well-known scam where a fraudster uses stolen card and owner details to make online or over-the-phone purchases. As the fraudster cannot show the card to the retailer for visual inspection, they get away with the fraudulent purchase.
  • Cross-border or cross-channel fraud. Fraudsters steal credentials and sensitive personal information used by their target in one channel so they can commit fraud to another or an associated channel.
  • Click-and-collect fraud. This is otherwise known as the “buy online, pick-up-in-store” fraud. This occurs when a fraudster, armed with stolen card details and details of the real owners (for backup), buys online then picks up the item from the store. The purchase is flagged as fraudulent.
  • Card-testing fraud. Also known as “stolen card number testing,” this tactic occurs when fraudsters use a merchant’s website to test if stolen card credentials are still valid by making small, incremental purchases. According to Radial, an omnichannel solutions company, there has been a 200 percent increase in card-testing fraud in 2017.
  • Return fraud. This comes in many shapes and sizes. One type, which is friendly fraud, happens when a seemingly legitimate buyer purchases an item online, receives it, and then contacts their card issuer to claim that they never received the item they bought. Return fraud also happens when a buyer purchases electronics, takes out their expensive parts, and then returns the item to the store.
  • Mobile payment fraud. In a world that is now described as “mobile-first,” it’s only logical to expect that fraud born from mobile device usage could outpace web fraud. And it has. Before, mobile browsers were typically the point-of-origin of such fraud; nowadays, fraud can be done via mobile apps.
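As an added example (not from the article), here is one way to detect the card-testing pattern described in the list: a checkout session that tries many distinct cards for tiny amounts, mostly declined, inside a short window. The transaction records and thresholds are constructed for illustration.

```python
"""Added example: detecting card-testing fraud from payment attempt logs.
Not code from the article; records and thresholds are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    session: str        # checkout session, device id or source address
    card: str           # BIN + last four only; the full PAN is never kept
    amount: float
    approved: bool


def detect_card_testing(
    attempts: list[Attempt],
    window: timedelta = timedelta(minutes=10),
    min_cards: int = 5,
    max_amount: float = 5.0,
    min_decline_ratio: float = 0.5,
) -> dict[str, dict]:
    """Flag sessions that attempt at least min_cards distinct cards for small
    amounts, mostly declined, within `window`. Returns {session: summary}."""
    by_session: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_session[a.session].append(a)

    flagged: dict[str, dict] = {}
    for session, rows in by_session.items():
        rows.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so rows[start:end + 1] fits in `window`
            while rows[end].ts - rows[start].ts > window:
                start += 1
            small = [r for r in rows[start:end + 1] if r.amount <= max_amount]
            cards = {r.card for r in small}
            if len(cards) < min_cards:
                continue
            declined = sum(1 for r in small if not r.approved)
            if declined / len(small) < min_decline_ratio:
                continue
            summary = {"distinct_cards": len(cards), "attempts": len(small),
                       "declined": declined, "first": small[0].ts, "last": small[-1].ts}
            # Keep the widest evidence seen for this session
            if session not in flagged or summary["distinct_cards"] > flagged[session]["distinct_cards"]:
                flagged[session] = summary
    return flagged


def _t(minute: int, second: int = 0) -> datetime:
    """Constructed timestamp helper for the sample log."""
    return datetime(2018, 9, 12, 14, minute, second)


# Constructed sample log: sess-A tests six cards at $1 each in three minutes,
# sess-B is an ordinary shopper, sess-C uses six cards but half an hour apart.
SAMPLE_ATTEMPTS = [
    Attempt(_t(0, 5), "sess-A", "411111-1111", 1.00, False),
    Attempt(_t(0, 40), "sess-A", "411111-2222", 1.00, False),
    Attempt(_t(1, 10), "sess-A", "555555-3333", 1.00, False),
    Attempt(_t(1, 55), "sess-A", "555555-4444", 1.00, True),
    Attempt(_t(2, 30), "sess-A", "411111-5555", 1.00, False),
    Attempt(_t(3, 0), "sess-A", "378282-6666", 1.00, False),
    Attempt(_t(5, 0), "sess-B", "411111-7777", 49.99, True),
    Attempt(_t(6, 0), "sess-B", "411111-7777", 12.50, True),
] + [
    Attempt(datetime(2018, 9, 12, 9, 0) + timedelta(minutes=30 * i),
            "sess-C", f"411111-88{i}{i}", 1.00, False)
    for i in range(6)
]
```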

Addressing omnichannel fraud

With the current amount of fraud omnichannel organizations are vulnerable to, a unified approach to solving all of them is a must. There are already third-party solution service providers that an organization can approach to assist them in this. However, there are practical measures organizations can take and lean on, especially if the budget is particularly tight, to nip fraud in the bud.

Track fraud across your channels. This allows organizations to identify the flaws in each of their channels so they can tailor their security strategy. Consider putting together an exclusive department to oversee this task and manage the data. With a team or one person focused on assessing, identifying, and coming up with ways to mitigate the business’s risk against fraud, it would be easier to get executive backing, especially when it’s time to invest funds in more sophisticated protection tools as the business grows.

Come up with a fraud prevention strategy. And this can only be done after the data from tracking channels has been collected and analyzed. Remember that for a fraud prevention strategy (or any strategy for that matter) to be effective, it should be designed based on the current and future needs of the organization.

Implement multi-factor authentication (MFA). Authentication is the first line of defense against fraud, so having at least two forms implemented is better than not using any authentication protocol at all. But organizations must make sure that the auth methods they want to adopt are reliable and difficult to intercept. That said, SMS authentication should no longer be an option.

If consumers want a unified and consistent experience across all channels, they should expect the same when it comes to identity authentication. While true omnichannel authentication is still in its infancy, many organizations already recognize its importance and potential. This is good news, and organizations should keep an eye on it.

Encrypt data. It’s one of the fundamental ways an organization can protect the exchange of data between their clients and their systems. Yet, there are still organizations that transfer, share, and store sensitive data in human-readable format. They probably think it’s still okay to do this in the age of breaches, even when point-to-point encryption methods are already available for businesses to use. But here’s the truth: This. Shouldn’t. Be. Happening. Anymore.

Dear Organization, please don’t be that company.

Read: Encryption: types of secure communication and storage

Secure your e-commerce website. Principles we learned in Security 101 apply here: Keep your software updated, use HTTPS hosting, use strong passwords (especially for those with admin accounts), back up data regularly, and use security software. Also, we hasten to add: don’t store sensitive data on your server. Instead, use a third-party payment solution to conduct secure payment transactions between the organization and your clients.

The store of the future and cybersecurity: final thoughts

Going omnichannel is a continuing trend that won’t be going away any time soon. In retail, today’s customer demands and expectations are high, and businesses are expected to meet or exceed them. Doing so gives organizations an edge over their competitors, not to mention that evolving to omnichannel is a sure way of future-proofing their businesses. However, organizations must keep this in mind: If the omnichannel approach increases the user convenience, it may be convenient for fraudsters, too.

While overall growth is a business’s main objective, cybersecurity considerations should not be deprioritized. In an omnichannel environment, exposure to fraud, malware, and other digital crimes is heightened. As such, a lot more assets need to be protected.

The post The many faces of omnichannel fraud appeared first on Malwarebytes Labs.


5 safe ways to get back at spammers: a guide to wasting time

Malwarebytes - Tue, 09/11/2018 - 15:00

Everyone hates spam (apart from the people who send it). While many people simply report spam and delete, a few look for ways to get back at the spammers wasting their time. In fact, a common question we’re asked is, “How can we waste their time?”

My own opinion on this is a little loaded with caution; simply striking up conversations with spammers and scammers with no prior experience is a good way to get yourself into trouble.

Maybe you replied from your work mail, and now they’re sending missives to your boss. Perhaps you used a mail service revealing your IP address, and now they’re making empty yet terrifying-sounding threats about hacking you. How about responding to their request for ID and accidentally sending them the real thing, instead of a humorously-constructed image built in MS Paint?

There’s a lot to think about before embarking on this path, but if you still want to waste some spammer’s time (and in a much safer fashion), read on.

The basics

1) NO GENUINE INFORMATION EVER. Yes, I realize all caps is a bit shouty but it’s important enough information to warrant shouting. No matter what you do, or which method you use to waste a scammer’s time, revealing things about you and yours is always a bad idea.

2) Use an anonymous email address. And don’t tie it to something you use daily. Avoid work email, personal email, email tied to anything “business critical” (websites/domain registrations, or other sensitive logins).

Worried that a spammer won’t reply if you reply to them with your new-fangled anonymous/throwaway account instead of the one they sent it to? Don’t be. They don’t care, they’ll reply to anything. Mail, voicemail, love letter painted on the side of a cow, anything at all. One common spammer trick is to direct you to alternate email addresses to reply to because their main one is liable to be shut down at any moment anyway, so they really won’t care where your time-wasting antics come from.

3) Don’t tell people to do dangerous things. There is a popular form of 419 scam-baiting called “Going on safari,” where the pretend victim manipulates the scammer into a long, potentially dangerous trek into parts unknown. While some of these tales are humorous in an “Oh no, you did what?” fashion, you really don’t want to get yourself involved in any situation where somebody falls off a cliff and they have a printout in their pants with your “There’s buried treasure 500 miles this way, honest” mail in them.

Outside of that, how you waste their time is really up to you. One-word answers to all of their missives tend to aggravate them in spectacular fashion, if that helps. If you’re not comfortable with the direct approach, there are more than a few ways to keep your hands clean (so to speak) while gobbling up more of their precious time.

Let someone else do the dirty work

As it turns out, a little automation goes a long way. There’s a variety of tools online for you to make use of in the fight against spammers, and the best part is they won’t have any idea about your involvement.

4) Use a chatbot app, such as Spamnesty, to automate email spam exchanges. All you have to do here is strip out any personal information of your own from any email exchange, forward the spam on to the Spamnesty email address, and then sit back and giggle a lot as a chatbot pretending to be a CEO endlessly frustrates a scammer. Bonus: you can read through some of the conversations. Everyone can enjoy that.

Re:Scam gets an honorable mention because although currently offline, it has the promise of eventually coming back to life. Another chatbot, it cycles through various personalities to get the job done and has (according to their stats) replied to more than a million emails and wasted roughly five years of their time in total, which is spectacular.

5) Use a spam blocker app with automated responses for telemarketers. Not all spam is email-based, and significant volumes continue to land on our mobile devices in the form of phone calls. If you’re really unlucky, it’s a nonstop barrage of missed calls, unknown callers, and premium rate call-back scams just waiting to get their teeth into your cash. Several apps exist that will block cold callers and add them to spam lists (which isn’t always straightforward to figure out on a vanilla phone), but there are not many that waste the time of the scammers with chatbots.

Robokiller is one of the first to deploy a variety of (hopefully?) humorous chatbots to choose from, then set them loose in calls with unwanted telemarketers. As with the mail-based equivalents, wasting time is the name of the game because wasted time equals wasted money on the part of the spammer. While I don’t believe this approach is ever going to prevent phone spammers from giving up their day job, one wasted call is another person not losing a ton of money or personal information to a con artist. That can only be a good thing.

The future of time wasting

Burning out scammers isn’t just an occasional pastime for forum goers anymore. You can turn it into an actual occupation with a little bit of outlay and hard work. The future is YouTube scam baiting gone mainstream. Just remember before you start punking your next scammer that (depending on the method of outreach and how much of your information might be lurking in breach dumps), they could well have your real information. It’s really not pleasant to hear “We’ll have our people at your home address, watch your back.”

If in doubt, stick to non-identifiable automation or leave things to the professionals. It’s generally a lot safer that way, and you’ll probably get to watch a humorous YouTube video in the bargain. That’s a win for everybody—except perhaps for the spammer on the receiving end.

The post 5 safe ways to get back at spammers: a guide to wasting time appeared first on Malwarebytes Labs.


A week in security (September 3 – 9)

Malwarebytes - Mon, 09/10/2018 - 16:44

Last week on Malwarebytes Labs, we looked at spyware going mainstream, how the popular game Fortnite sparks security concerns for Android users, and how certain Mac App Store apps are stealing user data.

Other cybersecurity news:
  • Microsoft announced Windows 7 Extended Security Updates in a blog post titled “Helping customers shift to a modern desktop.” (Source: Microsoft)
  • “Five Eyes” governments call on tech giants to build encryption backdoors—or else. (Source: TechCrunch)
  • How US authorities tracked down the North Korean hacker behind WannaCry. (Source: ZDNet)
  • ProtonMail confirms it helped in Apophis Squad-member arrest. (Source: Neowin)
  • Tesla will restore car firmware/OS when hacking goes wrong. (Source: Bleeping Computer)
  • Google quietly bought Mastercard credit and debit card records. (Source: Naked Security)
  • Feel the shame: Email-scammed staffers aren’t telling bosses about it. (Source: The Register)
  • Vulnerabilities were discovered in two major VPN clients by Cisco Talos. (Source: Talos Intelligence)
  • Chrome extension caught stealing passwords, cryptocurrency private keys. (Source: ZDNet)
  • The Brighton police department is asking residents to register their home security cameras. (Source: CBS Denver)

Stay safe, everyone!

The post A week in security (September 3 – 9) appeared first on Malwarebytes Labs.


Assessing the security of a portable router: a look inside its hardware

Malwarebytes - Mon, 09/10/2018 - 15:00

Network administrators should perform security assessments of hardware they will provide to their users, and particularly paranoid users might want to poke at their own devices just to be extra sure.

In this blog post, we will demonstrate the techniques used to assess security on a generic portable router purchased online. We have redacted its identifiable information as our goal here isn’t to provide a free penetration test to the hardware manufacturer. (Someone enterprising enough could still figure this out.)

Can we actually trust this device? This was an inexpensive router, and probably assembled with off-the-shelf components.

In order to assess how secure this device really is, we are going to have to take it apart and figure out what makes it tick.

The packaging

The router came in a small box covered in helpful information about its capabilities, with the only brand attribution being a silver sticker with [REDACTED] written on it.


It looks like a device made by a third party and re-branded to quickly bolster the product offerings of another company. A quick Google search did not yield a website for this product on the first page of results, but more digging did reveal a manufacturer that we will not disclose here.

Perusing their product line, we were able to find the router we had purchased. We located a firmware update and downloaded it for further investigation. More on this later.

Gathering equipment

Once we received the router, the first thing we did was disassemble it. The best tool to do this is the ifixit tool kit.

This is the gold standard for disassembling stuff. It comes with many of the esoteric fastener heads devised to frustrate anyone trying to take things apart.

This mini router had no visible screws—this is a trend for many devices as of late. Disassembly required the use of the “spudge tool” from the ifixit toolkit, and we gently pried the cover off. Thankfully, there weren’t any of the warranty “void if tampered” stickers. These are illegal.

Taking the router apart revealed the main router board with two antennae and one chip in the center. The main chip in the center was a MIPS processor, and there’s a specific model number silk-screened onto the mainboard.

Some light Googling revealed that this chipset has a manufacturer website and even a product-specific page.

I also found a WikiDevi page on our exact model. WikiDevi is a user-editable database for computer hardware based on MediaWiki and Semantic MediaWiki. This page contains a ton of good info on the chipset, its capabilities, where it is sold, and by whom.

Let’s file those tidbits of information away for now. We’ll come back to them later.

The board has four unpopulated pin holes. These are typically called either “plated-through holes” or “annular rings.” We will just refer to them as plated-through holes for this exercise.

This looks suspiciously like an interface that the manufacturer left on the mainboard. These plated-through holes are usually used to flash the operating system onto the board and test the unit at the factory to verify everything is working properly. There’s no attempt made to hide its purpose.

After some light digging on the product website, we did find mention of the slow I/O features of this chipset.

Further Googling showed that this pinout is fairly common and might be of the UART variety.

There’s mention of UART on the [REDACTED] product page. This looks promising, like a good place to start. But the plated-through holes are in an awkward position, and examining the mainboard is difficult.

More equipment

In order to get a better look, we did some online shopping. We purchased a “third hand” to hold the mainboard. This portable router is bolted straight to a transformer for the sake of compactness. This means we are in the proximity of 120 Volts, so we should exercise a modicum of caution.

This device is compact and tightly integrated. The chips on the mainboard are pretty small, and our eyesight isn’t what it used to be. Back to the Internet to get a jeweler’s lamp.

So now we had the magnifying lamp, and it is much better than the little one that comes with the third hand. The LED lights also made examining the main board much easier.

To interact with these pins, we could solder wires in, but we’re planning on using this device, provided it passes muster. This meant we were going to try and be as delicate with our probing as we could. Back to the Internet. After some searching, we found breakaway headers.

Snapping four off the length makes for a perfect pinout adapter. No solder needed, plus easy access for eventually connecting the USB header and for probing the pins.


Now we needed to investigate what those diagnostic pins were. Did they have voltage? Were they used to send and receive information? Back to the Internet again for more shopping.

Not wanting to buy something too cheap or inappropriate for the task, we Googled affordable voltmeter and found a review for decent and affordable voltmeters. We settled on the Extech EX330 Autoranging Mini Multi-Meter with Built-In Thermometer and Type K Remote Probe.

We also purchased the additional probe connectors kit for good measure. We started with checking for voltage. The bottom half of the router is the transformer. It typically steps down from 120 Volts to 12 Volts. We set the voltmeter to 200 Volts, just to be safe, and got to probing.

Diving in

The bottom plated-through hole had a square about it. Maybe it was special? So we started by applying the ground to it and power to the top pin, and the result was -3.3 Volts. Quickly inverting the probes gave us +3.3 Volts.

Some quick Googling told us that there are two common voltages used in these types of interfaces: 3.3 Volts and 5 Volts. It looks like our router is of the 3.3 Volts variety, the top pin is ground, and the bottom square pin is positive with 3.3 Volts.

So now we knew what the top and bottom pins were. This left the two center pins as a mystery.

Many other much more talented people than us have gone down this particular rabbit hole, and in this, Google was invaluable. We found pictures of other UART interfaces on other routers.

It does not appear that there’s a standardized pin order, but in most of the examples we found online, gnd (ground) and VCC are at the outer edges.

In our case, VCC would stand for “Voltage Common Collector.” More Googling indicated that there is a cable available to interface with these pins and, most importantly, that you don’t need to connect the 3.3 Volt pin unless you want to watch your cable, your router, and potentially your computer go “poof-the-magic-dragon.”

Good to know. Let’s also store this tidbit of information for later.

More shopping

So back to more shopping. We found a USB to RS232 TTL UART PL2303HX Converter USB to COM Cable Adapter Module.

We also found some that specified that they came with both voltage selections and, just to be thorough, we also ordered one of these. It wasn’t available with Prime, so we’re still waiting for this to arrive from the slow boat from China.

Back to the investigation

Not being one to assume anything, we also researched what the color coding was for the cable, as it came in a little bubble wrap with no instructions and sadly nothing in the packaging to indicate whether it was of the 3.3 Volts or 5 Volts variety. Similar USB to UART cables had documentation on the web. We made an assumption and theorized that the cable coloring would be the same as the Google picture results (fingers crossed).


Colors matched: black for ground, red for power, green for receive, white for transmit. So far, so good. We plugged in the UART to USB cable in our test machine and encountered another roadblock.

While it was properly detected and Windows did install the correct drivers, it didn’t work. Some investigation revealed the device could not start.

We tried moving the USB device to a different com port in the device manager with no success. We tried downloading the driver directly from the Prolific website and again weren’t met with success. We also tried moving the USB device to a different port (from USB v3 to regular USB). Again, no go.

Digging a little further into the properties of the device revealed that the device cannot start.

Researching this error yielded this forum post. And more specifically, to this entry:

“Windows 8/8.1/10 are NOT supported in PL-2303HXA and PL-2303X EOL (End Of Life) chip versions.”

So while this USB dongle presumably works, it won’t work in Windows 10. What a surprise! Not to be easily defeated, we rebooted into Ubuntu Linux with the USB dongle still attached.

We then proceeded to check if the USB to serial adapter was working. This is achieved by issuing this command:

$ dmesg | grep tty

So now we know that the USB adapter is ttyUSB0. The Windows forum mentioned the pl2303 chipset in the adapter wasn’t supported, and we see it here. In Windows, we would’ve used the Putty terminal program. In Linux, we elected to use GtkTerm. It was installed with this command:

$ sudo apt-get install gtkterm

We found that for best results, invoking GtkTerm from bash needed sudo. (We suspect it needed the user account to be part of a group that has permissions to access the ports.)

$ sudo gtkterm

Once gtkterm was running, we needed to select the proper port. We selected the configuration option and opened the port option.

In the port drop-down menu, at the very bottom, we saw /dev/ttyUSB0. This is the Prolific USB adapter.

We left parity bit, stop bit, and flow control to the defaults and hoped for the best.

After this came the tedious task of determining which of the two pins in the center were transmit and receive, as well as the correct baud rate. Our first attempt was GND, RX, and TX connected, with VCC left unconnected (connecting VCC’s 3.3 V means poof! Bad!).

These were the results we got. Either TX and RX are inverted, or we have selected the wrong baud rates. There is some kind of communication taking place, but the contents are all garbled. We went through the most common baud rates, but were not met with any success.

We then flipped the TX and RX and started the process of unplugging and re-plugging the transformer portion of the router, while incrementing the available baud rates in GtkTerm. When selecting the 57600 baud rate, we were met with success!
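The baud-rate hunt above was done by hand in GtkTerm, judging by eye whether the output was readable. The following is an added example, not code from the Malwarebytes post, that automates the same two steps: it pulls the adapter’s device name out of the kernel log (the `dmesg | grep tty` check) and then tries the common console rates, scoring how much of the received data is printable text. It assumes pyserial is installed for the live scan, that the board is power-cycled while the port is open so the boot log is captured, and the sample dmesg line is constructed.

```python
"""Added example (not from the Malwarebytes post): locate a USB-to-UART
adapter from dmesg output and find the console baud rate by trying the
common rates and scoring how printable the received bytes are.
The live scan needs pyserial (pip install pyserial); the parsing and
scoring helpers run without any hardware."""
import re
import string

try:
    import serial  # pyserial; assumed available only for the live scan
except ImportError:
    serial = None

# Rates a console on an embedded MIPS router commonly uses.
COMMON_BAUDS = (9600, 19200, 38400, 57600, 115200)

# Constructed sample of "dmesg | grep tty" output for a PL2303 adapter.
SAMPLE_DMESG = (
    "[    0.000000] console [tty0] enabled\n"
    "[ 1234.567890] usb 1-3: pl2303 converter now attached to ttyUSB0\n"
)


def find_usb_serial(dmesg_text):
    """Return the /dev/ttyUSBn path named in the kernel log, else None."""
    m = re.search(r"attached to (ttyUSB\d+)", dmesg_text)
    return "/dev/" + m.group(1) if m else None


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or whitespace.
    A wrong baud rate yields mostly high-bit or control garbage;
    no bytes at all usually means the adapter's RX is not on the
    board's TX pin."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if chr(b) in string.printable)
    return ok / len(data)


def looks_like_console(data, threshold=0.9):
    """True when the sample reads as text rather than framing noise."""
    return printable_ratio(data) >= threshold


def scan_baud(port, bauds=COMMON_BAUDS, seconds=3.0):
    """Try each rate in turn; return the first whose output is mostly
    printable, or None. Power-cycle the board after each open so the
    boot banner is what gets sampled."""
    if serial is None:
        raise RuntimeError("pyserial is not installed")
    for baud in bauds:
        with serial.Serial(port, baud, timeout=seconds) as s:
            data = s.read(512)
        if looks_like_console(data):
            return baud
    return None


if __name__ == "__main__":
    import subprocess
    log = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
    dev = find_usb_serial(log)
    print("adapter:", dev)
    if dev:
        print("baud:", scan_baud(dev))
```

On Ubuntu the `/dev/ttyUSB0` node belongs to the `dialout` group, so adding your user to that group (and logging in again) lets the scan, or GtkTerm, open the port without `sudo`.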

We could now see how this portable router starts up. It uses u-boot (1.1.3). As the system is starting, there is a brief moment where you are offered options:

If you enter “4” at just the right moment, it interrupts the boot process and dumps you at a prompt. This is probably the menu used at the factory to apply the correct firmware and perform quality assurance checks and confirm that the unit isn’t defective. Some of the options look like they could be destructive and brick the device, so we were careful in our selection.

Entering “help” gives you a list of the commands available at the u-boot command line.

Printenv gives even further information. We could re-flash this unit. We could reset the unit. All of this is good, but doesn’t really help us ascertain the security posture of the device.

We kept navigating the menus looking for interesting things to do, but the U-Boot environment was pretty limited. We also discovered that if you let the boot process take place normally and press any key once it is done, you are dumped at a command prompt as well.

Navigating the available directories revealed a set of entries: cfg, net, and os. These are files, not subdirectories, and they don’t have an extension. When invoked individually with no switches, they show a usage description.

What we learned so far

So what have we learned about the security of this device? Someone with local access could probably modify its behavior quite easily.

The documentation on the chipset mentions that the “[REDACTED] embedded with 8MB memory and provide eCos turnkey for compact router…”

We have a sneaking suspicion that this is the underlying operating system. We know that the U-Boot for MIPS boot loader turns control over to “something” once it’s done initializing the hardware. Turnkey sounds easy, and easy is usually what manufacturers go for.

The wiki for eCos has interesting entries under the “Criticism” heading:

The FreeBSD TCP/IP network stack included with eCos is out of date (circa 2001) and exposes systems to numerous security and stability vulnerabilities (FreeBSD RELENG_4_4_0_RELEASE for IPv4 and FreeBSD’s origin KAME for IPv6). Official eCos maintainers do not appear to monitor FreeBSD or KAME for security or stability updates, but rather rely on minimal and insufficient bug reports from users of eCos.[citation needed]

The SNMP package is rudimentary at best, once again, apparently due to its age.[original research?]


Let’s look at what it has taken so far to gather this information. Some specialized tools, some specialized hardware, some non-trivial computer knowledge, and a certain amount of pig-headedness. And after all this, we haven’t even found anything remotely close to a glaring vulnerability. We know more about our device, and that’s a good thing. However, there’s no way that an average user will go through this. It’s a cool exercise. But it isn’t realistic to expect average users to reverse their devices.

What next?

We want to confirm what the OS is 100 percent and not just rely on a “hunch.” Remember the firmware update we collected from the [REDACTED] website? We’ll try to extract information from the .img file, hoping that the update contains something useful. We’re also interested in dumping the firmware currently on the router, so we can compare the original firmware with the updated one, see what was corrected or changed, and maybe figure out what issue this update addressed.
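A first pass at the .img file usually starts with two questions: what container formats are inside it, and, if it begins with a U-Boot image header (the boot log above showed U-Boot 1.1.3), what does that header say about the payload? The following is an added example, not code from the Malwarebytes post or from the router’s vendor. It scans an image for well-known magic values and decodes a legacy U-Boot (uImage) header, verifying both CRCs. The header layout and code tables come from U-Boot’s include/image.h; whether this particular update is actually a uImage is an assumption the scan itself will confirm or refute, and the sample image built in the block is constructed for the demonstration.

```python
"""Added example (not from the Malwarebytes post): first-pass triage of a
router firmware .img. Scans for well-known container magics and, when the
file starts with a U-Boot legacy (uImage) header, decodes it and checks
the header and data CRCs. Layout and code tables are U-Boot's own
(include/image.h); that the update is a uImage at all is an assumption."""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR = ">IIIIIIIBBBB32s"   # 64-byte big-endian header
UIMAGE_HDR_LEN = struct.calcsize(UIMAGE_HDR)

# Only the codes a typical router image is likely to use.
IH_OS = {0: "invalid", 3: "freebsd", 5: "linux", 17: "u-boot"}
IH_ARCH = {0: "invalid", 2: "arm", 3: "i386", 5: "mips", 6: "mips64", 7: "ppc"}
IH_TYPE = {1: "standalone", 2: "kernel", 3: "multi", 4: "firmware",
           5: "script", 6: "filesystem"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}

# Signatures worth flagging anywhere inside a router image.
MAGICS = {
    b"\x27\x05\x19\x56": "uImage header",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x5d\x00\x00": "possible LZMA stream",
}


def find_magics(img):
    """Return (offset, description) for every signature hit, sorted."""
    hits = []
    for sig, name in MAGICS.items():
        off = img.find(sig)
        while off != -1:
            hits.append((off, name))
            off = img.find(sig, off + 1)
    return sorted(hits)


def parse_uimage(img):
    """Decode a legacy U-Boot header at offset 0 and verify both CRCs.
    Returns a dict, or None when the magic does not match."""
    if len(img) < UIMAGE_HDR_LEN:
        return None
    fields = struct.unpack(UIMAGE_HDR, img[:UIMAGE_HDR_LEN])
    magic, hcrc, _ts, size, load, ep, dcrc, os_, arch, typ, comp, name = fields
    if magic != UIMAGE_MAGIC:
        return None
    # The header CRC is computed over the header with the hcrc field zeroed.
    zeroed = img[:4] + b"\0\0\0\0" + img[8:UIMAGE_HDR_LEN]
    payload = img[UIMAGE_HDR_LEN:UIMAGE_HDR_LEN + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size, "load_addr": load, "entry_point": ep,
        "os": IH_OS.get(os_, str(os_)), "arch": IH_ARCH.get(arch, str(arch)),
        "type": IH_TYPE.get(typ, str(typ)), "comp": IH_COMP.get(comp, str(comp)),
        "header_crc_ok": (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc,
        "data_crc_ok": len(payload) == size
                       and (zlib.crc32(payload) & 0xFFFFFFFF) == dcrc,
    }


def build_uimage(payload, name=b"test", os_=5, arch=5, typ=2, comp=0,
                 load=0x80000000, ep=0x80000000):
    """Constructed uImage wrapper for the demo (mkimage does this for real)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(UIMAGE_HDR, UIMAGE_MAGIC, 0, 0, len(payload), load, ep,
                      dcrc, os_, arch, typ, comp, name.ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        img = open(sys.argv[1], "rb").read()
    else:  # constructed sample: a MIPS "kernel" whose payload is a gzip header
        img = build_uimage(b"\x1f\x8b\x08" + b"\0" * 29, name=b"router-fw")
    print(parse_uimage(img))
    for off, what in find_magics(img):
        print(f"0x{off:08x}  {what}")
```

Run it against the downloaded update (`python3 triage.py update.img`); a header whose CRCs verify tells you the declared OS, architecture and compression before you unpack anything, and the magic offsets are where a tool such as binwalk or `dd`-and-`unsquashfs` would start carving.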

Maybe they implemented a fix that only partially fixes the issue? Maybe they fixed the problem and not the underlying vulnerability? All of these questions are worthy of an answer.

Do you see something I’ve done wrong? Have suggestions on other things to try? Reach out to @jean_taggart on the Twitters. I’m keenly interested to hear from all of you.

The post Assessing the security of a portable router: a look inside its hardware appeared first on Malwarebytes Labs.


