Techie Feeds

QR code scams are making a comeback

Malwarebytes - Thu, 10/15/2020 - 12:02

Just when we thought the QR code was on its way out, the pandemic has led to a return of the scannable shortcut. COVID-19 has meant finding a digital equivalent to things normally handed out physically, like menus, tour guides, and other paperwork, and many organizations have adopted the QR code to help with this. And so, it would seem, have criminals. Scammers have dusted off their book of tricks that abuse QR codes, and we’re starting to see new scams. Or maybe just old scams in new places.

What is a QR code again?

A quick recap for those that missed it. A Quick Response (QR) code is nothing more than a two-dimensional barcode. This type of code was designed to be read by robots that keep track of items in a factory. As a QR code takes up a lot less space than a legacy barcode, its usage soon spread.

Smartphones can easily read QR codes—all it takes is a camera and a small piece of software. Some apps, like banking apps, have QR code-reading software incorporated to make it easier for users to make online payments. In some other cases, QR codes are used as part of a login procedure.

QR codes are easy to generate and they are hard to tell apart. To most human eyes, they all look the same. More or less like this:

URL to my contributor profile here Why are QR codes coming back?

For some time, these QR codes were mainly in use in industrial environments to help keep track of inventory and production. Later they gained some popularity among advertisers because it was easier for consumers to scan a code than to type a long URL. But people couldn’t tell from a QR code where scanning would lead them, so they got cautious and QR codes started to disappear. Then along came the pandemic and entrepreneurs had to get creative about protecting their customers against a real life virus infection.

To name an example, for fear of spreading COVID-19 through many people touching the same menu in a restaurant, businesses placed QR codes on their tables so customers could scan the code and open the menu in the browser on their phone. Clean and easy. Unless a previous visitor with bad intentions had replaced the QR code with his own. Enter QR code scams.

Some known QR code scams

The easiest QR code scam to pull off is clickjacking. Some people get paid to lure others into clicking on a certain link. What better way than to replace QR codes on a popular monument, for example, where people expect to find background information about the landmark by following the link in the QR code. Instead, the replaced QR code takes them to a sleazy site and the clickjacking operator gets paid his fee.

Another trick is the small advance payment scam. For some services, it’s accepted as normal to make an advance payment before you can use that service. For example, to rent a shared bike, you are asked to make a small payment to open the lock on the bike. The QR code to identify the bike and start the payment procedure is printed on the bike. But the legitimate QR codes can be replaced by criminals that are happy to receive these small payments into their own account.

Phishing links can just as easily be disguised as QR codes. Phishers place QR codes where it makes sense for the user. So, for example, if someone is expecting to login to start a payment procedure or to get access to a certain service, the scammers may place a QR code there. We’ve also seen phishing mails equipped with fraudulent QR codes.

Image courtesy of Proofpoint

The email shown above instructed the receiver to install the “security app” from their bank to avoid their account being locked down. However, it pointed to a malicious app outside of the webstore. The user had to allow installs from an unknown source to do this, which should have been a huge red flag, but still some people fell for it.

Lastly, there’s the redirect payments scam, which was used by a website that facilitated Bitcoin payments. While the user entered a Bitcoin address as the receiver, the website generated a QR code for a different Bitcoin address to receive the payment. It’s yet another scam that demonstrates that QR codes are too hard for humans to read.

How to avoid QR code scams

There are a few common sense methods to avoid the worse QR code scams:

  • Do not trust emails from unknown senders.
  • Do not scan a QR code embedded in an email. Treat them the same as links because, well, that’s what they are.
  • Check to see whether a different QR code sticker was pasted over the original and, if so, stay away from it. Or better yet, ask if it’s OK to remove it.
  • Use a QR scanner that checks or displays the URL before it follows the link.
  • Use a scam blocker or web filter on your device to protect you against known scams.

Even if the mail from a bank looks legitimate, you should at least double-check with the bank (using a contact number you’ve found on a letter or their website) if they ask you to log in on a site other than their own, install software, or pay for something you haven’t ordered.

As an extra precaution, do not use your banking app to scan QR codes if they fall outside of the normal pattern of a payment procedure.

Do I want to know what’s next?

Maybe not, but forewarned is forearmed. One method in development to replace QR codes on Android devices is the Near Field Communication (NFC) tag. NFC tags, like QR codes, do not require an app to read them on more modern devices. Most of the recent iPhones and Androids can read third-party NFC tags without requiring extra software, although older models may need an app to read them.

NFC tags are also impossible to read by humans but they do require an actual presence, i.e. they can’t be sent by mail. But with the rise in popularity of contactless payments, we may see more scams focusing on this type of communication.

Stay safe, everyone!

The post QR code scams are making a comeback appeared first on Malwarebytes Labs.

Categories: Techie Feeds

FIFA 21 game scams: watch out for unsporting conduct

Malwarebytes - Wed, 10/14/2020 - 15:30

Despite COVID-19, soccer season is slowly ebbing its way back into daily life around the world. It’s also sneaking back onto TV screens in the form of huge-budget video games. Step up to the plate, FIFA 21.

FIFA games: the football juggernaut

The FIFA series is an absolute monster in terms of sales, clocking in at around 280 million copies across 51 countries over the lifetime of the franchise. According to the Guinness World Records, it’s the best-selling sports video game franchise in the world. It’s also premium bait for scammers as a result, with an enormous selection of potential victims to choose from. It’s incredibly popular with teens and younger children too, which simply increases the risk from both clever and incredibly basic attacks.

FIFA 21 launched last week, and it’s no doubt selling like hotcakes. If you’re unsure about the risks and what you should steer clear of, you’ve come to the right place. A lot of this is dependent on platform, and how deeply embedded your social media accounts are embedded into your gaming ecosphere. With that out of the way, let’s untangle any confusion you may have and avoid an own goal.

The lay of the land: explaining FIFA mechanics

It’s quite possible your kids own a few of the FIFA titles. You may well hear them talk about coins, or FUT, and speak at length about playing cards. Cards? In my football game? It’s more likely than you think. Before you can fathom the kinds of scams targeting your family members, it helps to understand the inner-workings of the title.

FUT: FIFA Ultimate Team. This is a wildly popular competitive game mode nestled inside various FIFA titles, which involves cards and coins in a continued quest for victory.

Coins: FIFA coins are the in-game currency used to perform various game related buying/selling activities. You earn coins simply by playing the game, completing challenges and objectives.

The coins stay in-game only. You’re not allowed to buy them from third parties, distribute them, or use multiple accounts to direct coins to a “main” account. Giveaways, or performing other actions to obtain coins, are all forbidden.

What do you do with the coins once you have enough of them? You spend them on cards.

Cards: The lifeblood of the game. The cards represent players in your team and come in various levels of quality. The rarer the card, the more coins they probably cost to purchase.

So far, so good…and essentially harmless. Unfortunately, the monetised aspects of the game away from the screen contributes to scammers wanting a piece of the action.

Extra-curricular activities: playing outside the game

You don’t need to spend in-game coins to purchase cards on the transfer market. Gamers can also buy “FIFA points”, sold inside the game, the relevant store for your gaming platform, or legitimate sellers. They buy these points with real money, as opposed virtual currencies. The monetisation of the game is red meat in the water to scammers.

Anything tied up in real world cash immediately offers several inroads to fakery. Arguments against this style of monetisation are also compelling. Desperation for coins / points means potentially being more susceptible to scams.

Common FIFA game scams Gift generators:

These target the platform you play on. It might be PC, it could be console. They might specify Steam, another store, or even something else altogether. They’ll offer up coins, free game keys, points, activation codes, money, whatever it takes. “All” you have to do is fill in a survey, or hand over your login details, or buy giftcards and send them the codes.

Perhaps your personal data is now in the hands of third party marketers, while potentially being out of pocket. Maybe you’re dealing with account compromise. You will commonly find these promoted on forums and YouTube videos.

Fake customer support assistance:

A tactic which has been around for a few years now, and frequently successful. Scammers will often pretend to be customer support reps, then insert themselves into support discussions on social media. The victim eventually lands on a phishing page. While we first came across this targeting FIFA gamers, the tactic was soon observed being used in banking scams too.

Social media fakeouts:

It’s the easiest thing in the world for scammers to create bogus pages on social media. It’s common to see fake accounts on Instagram and Facebook, and as usual the aim is to direct victims to phishing pages. If a major sporting event is taking place, they’ll probably craft banner imagery and general discussion towards said event in order to make it more convincing.

It’s also quite common for them to deploy bots in the comments to make it look as though the website/offer really works. Don’t take dozens of “this is genuine, thank you” messages for granted.

Bogus Direct Messages:

Scammers will pretend to be game admins, or console developers, or promoters. They’ll push the line that you’ve been selected for a special in-game reward, or a points offer. A technical issue may have occurred, and they need your login details to verify “something”. Perhaps they’ll claim your account has been restricted, and jumping through their hoops is the only way you’ll get your account back.

Whatever they claim, rest assured it’s all going to be nonsense. Nobody should ever ask for login credentials, and especially not in such casual fashion. All attempts sent your way should be blocked and reported on your platform. This will help to keep other people safe, too.

An increasingly wide playing field

EA titles recently returned to Steam, having been absent for some years. As each gaming platform has its own set of security protocols, parents and gamers need to keep up with how things work on each.

In a recent interview with The Daily Swig, I touched on aspects of microtransactions with regards to a rise in attacks during the pandemic lockdown. If you limit the time available for in-game items, or dabble in rarity as a reward, then younger gamers will gravitate towards parents who often hold the digital keys to the kingdom. Buy this, buy that, now buy six more of these.

What this means in practice, is endlessly jumping into one or more email accounts to authorise logins, transactions, trades, and more. Those accounts may also require several steps of authentication to login. Eventually, some parents will simply drop some security features in order to make things less of a hoop-jumping exercise.

At that point, the accounts are now vulnerable to attack. Streamlining games which require multiple platform logins, authentication, in-game validation, and email activity on a regular basis isn’t easy and that’s what scammers rely on.

Blow the whistle, referee

Whether your game of choice is FIFA or something else entirely, keep the above tips in mind. Ensure you’re aware of the latest FIFA scams doing the rounds and take some time to figure out security practices that work for you on your selected platform. Every small step you make towards keeping scammers out makes it harder for them to score the winning goal.

The post FIFA 21 game scams: watch out for unsporting conduct appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Silent Librarian APT right on schedule for 20/21 academic year

Malwarebytes - Wed, 10/14/2020 - 13:29

A threat actor known as Silent Librarian/TA407/COBALT DICKENS has been actively targeting universities via spear phishing campaigns since schools and universities went back.

In mid-September, we were tipped off by one of our customers about a new active campaign from this APT group. Based off a number of intended victims, we can tell that Silent Librarian does not limit itself to specific countries but tries to get wider coverage.

Even though many phishing sites have been identified and taken down, the threat actor has built enough of them to continue with a successful campaign against staff and students alike.

A persistent threat actor with a perfect attendance record

In March 2018, nine Iranians were indicted by the US Department of Justice for conducting attacks against universities and other organizations with the goal of stealing research and proprietary data.

Yet, both in August 2018 and 2019 Silent Librarian was lining up for the new academic years, once again targeting the same kind of victims in over a dozen countries.

IT administrators working at universities have a particularly tough job considering that their customers, namely students and teachers, are among the most difficult to protect due to their behaviors. Despite that, they also contribute to and access research that could be worth millions or billions of dollars.

Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded.

Same pattern in phishing domain registration

The new domain names follow the same pattern as previously reported, except that they swap the top level domain name for another. We know that the threat actor has used the “.me” TLD in their past campaigns against some academic intuitions and this is still the case, along side “.tk” and “.cf”.

This new phishing campaign has been tracked by several security researchers on Twitter, notably Peter Kruse from the CSIS Security Group.

Phishing siteLegitimate siteTargetlibrary.adelaide.crev.melibrary.adelaide.edu.auThe University of Adelaide Librarysignon.adelaide.edu.au.itlib.melibrary.adelaide.edu.auThe University of Adelaide Libraryblackboard.gcal.crev.meblackboard.gcal.ac.ukGlasgow Caledonian Universityblackboard.stonybrook.ernn.meblackboard.stonybrook.eduStony Brook Universityblackboard.stonybrook.nrni.meblackboard.stonybrook.eduStony Brook Universitynamidp.services.uu.nl.itlib.menamidp.services.uu.nlUniversiteit Utrechtuu.blackboard.rres.meuu.blackboard.comUniversiteit Utrechtlibrarysso.vu.cvrr.melibrarysso.vu.edu.auVictoria Universityole.bris.crir.meole.bris.ac.ukUniversity of Bristolidpz.utorauth.utoronto.ca.itlf.cfidpz.utorauth.utoronto.caUniversity of Torontoraven.cam.ac.uk.iftl.tkraven.cam.ac.ukUniversity of Cambridgelogin.ki.se.iftl.tklogin.ki.seKarolinska Medical Institutetshib.york.ac.uk.iftl.tkshib.york.ac.ukUniversity of Yorksso.id.kent.ac.uk.iftl.tksso.id.kent.ac.ukUniversity of Kentidp3.it.gu.se.itlf.cfidp3.it.gu.seGöteborg universitetlogin.proxy1.lib.uwo.ca.sftt.cflogin.proxy1.lib.uwo.caWestern University Canadalogin.libproxy.kcl.ac.uk.itlt.tkkcl.ac.ukKing’s College Londonidcheck2.qmul.ac.uk.sftt.cfqmul.ac.ukQueen Mary University of Londonlms.latrobe.aroe.melms.latrobe.edu.auMelbourne Victoria Australiantulearn.ntu.ninu.mentulearn.ntu.edu.sgNanyang Technological Universityadfs.lincoln.ac.uk.itlib.meadfs.lincoln.ac.ukUniversity of Lincolncas.thm.de.itlib.mecas.thm.deTH Mittelhessen University of Applied Scienceslibproxy.library.unt.edu.itlib.melibrary.unt.eduUniversity of North Texasshibboleth.mcgill.ca.iftl.tkshibboleth.mcgill.caMcGill Universityvle.cam.ac.uk.canm.mevle.cam.ac.ukUniversity of CambridgeTable 1: List of phishing sites and targets

Registering these subdomains to perform phishing attacks against universities is a known behavior for this APT group and therefore we can expect that they were registered by the same actor.

Figure 1: Phishing site for the University of Adelaide Phishing sites hosted in Iran

The threat actor uses Cloudflare for most of their phishing hostnames in order to hide the real hosting origin. However, with some external help we were able to identify some of their infrastructure located on Iran-based hosts.

It may seem odd for an attacker to use infrastructure in their own country, possibly pointing a finger at them. However, here it simply becomes another bulletproof hosting option based on the lack of cooperation between US or European law enforcement and local police in Iran.

Figure 2: Part of the phishing infrastructure showing connections with Iran

Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once.

We are continuing to monitor this campaign and are keeping our customers safe by blocking the phishing sites.

Indicators of Compromise (IOCs)

library[.]adelaide[.]crev[.]me
signon[.]adelaide[.]edu[.]au[.]itlib[.]me
blackboard[.]gcal[.]crev[.]me
blackboard[.]stonybrook[.]ernn[.]me
blackboard[.]stonybrook[.]nrni[.]me
namidp[.]services[.]uu[.]nl[.]itlib[.]me
uu[.]blackboard[.]rres[.]me
librarysso[.]vu[.]cvrr[.]me
ole[.]bris[.]crir[.]me
idpz[.]utorauth[.]utoronto[.]ca[.]itlf[.]cf
raven[.]cam[.]ac[.]uk[.]iftl[.]tk
login[.]ki[.]se[.]iftl[.]tk
shib[.]york[.]ac[.]uk[.]iftl[.]tk
sso[.]id[.]kent[.]ac[.]uk[.]iftl[.]tk
idp3[.]it[.]gu[.]se[.]itlf[.]cf
login[.]proxy1[.]lib[.]uwo[.]ca[.]sftt[.]cf
login[.]libproxy[.]kcl[.]ac[.]uk[.]itlt[.]tk
idcheck2[.]qmul[.]ac[.]uk[.]sftt[.]cf
lms[.]latrobe[.]aroe[.]me
ntulearn[.]ntu[.]ninu[.]me
adfs[.]lincoln[.]ac[.]uk[.]itlib[.]me
cas[.]thm[.]de[.]itlib[.]me
libproxy[.]library[.]unt[.]edu[.]itlib[.]me
shibboleth[.]mcgill[.]ca[.]iftl[.]tk
vle[.]cam[.]ac[.]uk[.]canm[.]me

158[.]58[.]184[.]213
46[.]209[.]20[.]154
103[.]127[.]31[.]155

The post Silent Librarian APT right on schedule for 20/21 academic year appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Amazon Prime Day—8 tips for safer shopping

Malwarebytes - Tue, 10/13/2020 - 10:11

Avid Amazon Prime Day shoppers may have been worried they’d missed it this year—thanks coronavirus. Fear not, last month Amazon announced Prime Day will take place three months after its original annual date, beginning today. And this year, it’ll take place over two days, rather than one.

This could mark the beginning of early “peak season” holiday shopping, which usually happens a week before Thanksgiving.

That said, it’s time to brush up on our cybersecurity wits so we can shop early, safely, and save ourselves future headaches in the new shopping season.

How to shop Amazon Prime Day the practical and cyber-sensible way 1. Secure your Amazon Prime account

You can do this by setting up two-factor authentication (2FA)—if you haven’t already done it. Many websites these days already have a secondary means to authenticate either a session or the user. As an Amazon user, you should know that Amazon has been using this security feature for a long time now. If you’re not aware of this, go to your local Amazon Help & Customer Service page and search for “two-factor authentication” to get yourself started.

2. Use only your credit card when buying online

When it comes to which card to use when buying things online, you cannot go wrong with using a credit card over a debit card. Why? Because credit cards have fraud protection in place whereas bank cards, often, don’t have any.

3. Use Amazon’s official app

You can download this from both the Google Play and Apple App stores. Not only would doing so be convenient, it’s also safer, as long as you’re using the legitimate one of course. It’s safe to assume that cybercriminals wouldn’t pass up on Prime Day, whether the date had been moved this year or not, given that Amazon is such a household name they can bank on.

4. Use your Alexa wisely

We cannot stress enough how vulnerable and unsecure IoT devices are. You can still use your Alexa to shop, but just make sure you do it with security and privacy in mind. By this, we mean Alexa shouldn’t be activated straight away, from the box into the boudoir. So make sure you take the time and effort to set up your personal assistant based on the level of privacy you want the device to give you. Here are several points to consider:

  • Make sure you secure your home network first.
    • Have you changed the default name of your home Wi-Fi?
    • Is your router firewall enabled?
    • Are you using the router’s default credentials?
    • Is your wireless network password the strongest you can make it?
    • Is your router’s firmware updated?
    • Have you disabled router features you don’t really need or use?
  • Manage Alexa’s voice recording.
    • You can do this by setting it to automatically delete voice recordings at the earliest setting, which is 3 months. If you think this is too long, you can manually delete the recordings yourself.
  • Disable the feature that allows users to improve Alexa’s transcription capabilities.
  • Lock certain voice purchase commands behind a PIN.
  • Turn off your Alexa (or its microphone) when not in use.
5. Buy only from sellers you are comfortable buying products from

This may seem like an easy decision, but when you’re already on your computer or phone and see something you really want—which isn’t on your shopping list, by the way—make sure your want doesn’t blind you to the seller’s reputation. When you find yourself in this position, ask yourself these questions: Would it really be such a hassle for me if I check what other buyers have to say about this seller first before I buy something from them? Do the reviews seem to have come from actual buyers and not paid reviewers? How long has this supplier been selling on Amazon? Is this deal too good to be true?

6. Get to know Amazon’s policies

If you encounter a suspicious email, call, text message, or webpage claiming to be from Amazon or someone associated with the company, would you know what to do? Familiarize yourself with Amazon’s policies so you can stay one step ahead of the scammers.

7. Use a VPN, especially when you’re shopping on-the-go

Everyone knows that public Wi-Fi is generally considered dicey. As such, users are advised to connect to public Wi-Fi with caution else you run the risk of compromising your privacy, along with your credentials and personally identifiable information (PII). One way to address this is to use VPNs on a secured (password-protected, in other words) public network. The caveat here, of course, is that you should pick a mobile VPN app that doesn’t just talk the talk.

The other way is to not shop on-the-go at all.

8. Familiarize yourself with potential scams that are aimed at Amazon users like you

Knowing is half the battle. Read up and remind yourself that a known cybercriminal modus operandi (MO) is to target users who aren’t aware and/or who seem to not care about their security and privacy. Once you have an idea of their MO, you’re more likely to be on the lookout and, in turn, avoid the scams.

Security beyond Prime Day

Shopping season is unlikely to end with Prime Day, and nor should our vigilance as online shoppers. This way, we can keep our data and PII as secure and far away from the grasp of online criminals as possible. Amazon is one of the many platforms we use to shop. But what we have outlined here can be tweaked to apply to others.

Have a happy, exciting, and safe shopping journey ahead!

The post Amazon Prime Day—8 tips for safer shopping appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lock and Code S1Ep17: Journalism’s role in cybersecurity with Alfred Ng and Seth Rosenblatt

Malwarebytes - Mon, 10/12/2020 - 15:00

Most everything about cybersecurity—the threats, the vulnerabilities, the breaches and the blunders—doesn’t happen in a vacuum. And the public doesn’t learn about those things because threat actors advertise their exploits, or because companies trumpet their lackluster data security practices.

No, we often learn about cybersecurity issues because of reporting. And as the years have progressed, the stories have only become more intertwined into our everyday lives. We learn whether our products are safe to use, we read about how to safely browse online, and we try to understand why an app might suddenly disappear from the Apple App Store.

To help us better understand the role of journalism in cybersecurity—how the public’s attention has broadened over many years, how a cybersecurity threat is deemed newsworthy, and how to avoid advice that serves no one—we’re talking today to Alfred Ng, senior reporter for CNET, and Seth Rosenblatt, editor-in-chief for The Parallax. 

You can also find us on the Apple iTunes storeGoogle Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:
  • A mobile network operator falls into the hands of Fullz House Magecart group.
  • A fileless APT attack abuses Windows Error Reporting service using a ‘your right to compensation’ lure.
  • The risky business stemming from the fact that a majority of people use work devices for personal use.
  • An update about the state of healthcare security instigated by a case in Germany where a woman died as a result of a ransomware attack.
  • More credit card skimmers, this time the target was a virtual conference platform.
Other cybersecurity news:
  • A new AI software tool to be developed for the U.S. Air Force and Special Operations Command may help to counter disinformation. (Source: Defense One)
  • Hackers have launched a sprawling, multifaceted cyber-attack against the state of Washington, according to two people familiar with the matter. (Source: Bloomberg)
  • The United States has seized 92 domain names that were unlawfully used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign. (Source: US Department of Justice)
  • Sam’s Club has started sending automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks. (Source: BleepingComputer)
  • The International Maritime Organization (IMO), a fully fledged United Nations entity, has become the latest high profile shipping victim of a cyber attack. (Source: Splash 247)

Stay safe, everyone!

The post Lock and Code S1Ep17: Journalism’s role in cybersecurity with Alfred Ng and Seth Rosenblatt appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Credit card skimmer targets virtual conference platform

Malwarebytes - Thu, 10/08/2020 - 19:57

We’ve seen many security incidents affecting different websites simultaneously because they were loading the same tampered piece of code. In many instances, this is due to what we call a supply-chain attack, where a threat actor targets one company that acts as an intermediary to others.

In today’s case, the targeted websites all reside on the same server and sell video content from various conferences and conventions. The host control panel belongs to Playback Now, a company that provides its customers with an array of services to capture and deliver recorded material into an online conference experience.

Criminals decided to impersonate Playback Now by registering a malicious domain lexically close to their official website that could be used to discreetly serve a credit card skimmer as well as collect stolen data.

Their next move was to inject a malicious reference to this skimmer code into dozens of Magento sites hosted on the same IP address belonging to Playback Now. As a result, the financial details from customers shopping for conference material are now at risk.

Online conference sites compromised with Inter skimming kit

Playback Now provides organizations with an easy way to seamlessly convert an event into an online virtual experience. Conferences and seminars can be delivered via live streaming, on demand, or a hybrid of the two.

Their offering of a virtual conference expo hall seems like a timely solution during the pandemic for organizers and exhibitors to connect with customers just like at an in-person event.

Figure 1: Legitimate PlayBack Now website

Businesses or organizations that want to join the experience can get a dedicated website from where they will serve and promote their content. Take the following website built for the Association of Healthcare Internal auditors.

Once users have registered and purchased one of the packages, they can access recorded sessions online or save them onto a flash drive.

Figure 2: A Playback Now customer site that has been compromised

A closer look at the website’s source code reveals an external reference to a JavaScript file. It would be easy to overlook, thinking it is served from the legitimate Playback Now website (playbacknow.com), but there is an extra ‘s’ in that domain name (playbacknows[.]com) that gives it away.

That domain was registered only a couple of weeks ago and its home page is void of any content.

Domain name: playbacknows.com Creation Date: 2020-09-21T20:22:10.00Z Registrar: NAMECHEAP INC Registrant Name: WhoisGuard Protected Registrant Street: P.O. Box 0823-03411  Registrant City: Panama

In total, we detected the reference to this domain in over 40 websites belonging to different organizations (see the IOCs section of this blogpost).

This JavaScript is a skimmer that has been lightly obfuscated and contains a certain number of strings that are a common marking for the Inter skimming kit.

Figure 3: Checkout page where skimmer will steal credit card data

When someone purchases a course or conference recording, their personal and credit card data will be leaked to criminals via the same malicious domain housing the skimmer.

Breach possibly related to Magento 1.x exploit

All affected Playback Now customer sites are running on the same IP address at 209.126.18.3. Using VirusTotal Graph we can see an interesting connection with a piece of malware we previously documented.

Figure 4: VirusTotal graph showing a connection between malware and hosting server

This GoLang sample attempts to bruteforce access into a variety of Content Management Systems. If successful, attackers could use the gained credentials to inject malicious code into e-commerce sites.

This connection was interesting but lost some value when we looked at the submission date for this sample to VirusTotal. It’s quite likely that the server was pinged just like many others, but it’s unclear whether it would have resulted in a breach, even at a later date.

Based on an analysis of the compromised Playback Now related sites, we found they were running a vulnerable version of the Magento CMS, namely version 1.x. Following the release of an exploitation tool, a wave of attacks was recently observed, compromising over two thousand sites.

Given the timeline, this incident could have been leveraging the same exploit and be carried out by the same or perhaps a different group.

The official website playbacknow.com is hosted on 209.126.18.3 as well, but it does not appear to be compromised. One thing to note though is that it is running a different CMS, namely WordPress version 5.4.

We contacted Playback Now to report this breach. In the meantime, Malwarebytes Browser Guard detects and blocks the fraudulent skimmer domain.

Figure 5: Malwarebytes Browser Guard blocking this attack Indicators of Compromise (IOCs)

Skimmer

playbacknows[.]com/playback/index.js

Compromised sites

WebsiteOrganizationplaybacknar[.]comNational Association of Realtorsnaraei[.]playbacknow[.]comNational Association of Realtorsnais[.]playbacknow[.]comNational Association of Independent Schoolsnasmm[.]playbacknow[.]comNational Association of Senior Move Managerstripleplay[.]playbacknow[.]comTriple Playdigitaldealer[.]playbacknow[.]comDigital Dealerplaybackaaj[.]comAmerican Association for Justiceplaybackacp[.]comAmerican College of Physiciansplaybacksmilesource[.]comSmile Sourceplaybackc21[.]comCentury 21 Universityplaybackada[.]comAmerican Diabetes Associationplaybacknailba[.]comNAILBAplaybackswana[.]comSWANAplaybacknaspa[.]comNASPAplaybackaupresses[.]comAssociation of University Pressesplaybacknacba[.]comNACBAplaybackaca[.]comACA Internationalplaybacknala[.]comNALA Paralegal Associationplaybacknatp[.]comNational Association of Tax Professionalsiplayback[.]com–playbackcore[.]com–playbackndsc[.]comNational Down Syndrome Congressplaybackaata[.]comAmerican Art Therapy Associationplaybacksnrs[.]comSouthern Nursing Research Societyplaybackssp[.]comSociety for Scholarly Publishingplaybackcaregiving[.]comCaregivingplaybackcas[.]comCasualty Actuarial Societyplaybackmpc[.]comMidwest Podiatry Conferenceplaybackhinman[.]comHinman Dentalplaybacknetworker[.]comPsychotherapy Networkerplaybacknara[.]comNational Association for Regulatory Administrationaspcvirtualsummit[.]orgAmerican Society for Preventive Cardiologyplaybackfgs[.]comNational Genealogy Societyplaybackifa[.]comInternational Franchise Associationplaybackashe[.]comAssociation for the Study of Higher Educationplaybackippfa[.]comIPPFAplaybackahri[.]comAir Conditioning Heating Refrigeration Instituteplaybackaonl[.]comAmerican Organization for Nursing Leadershipplaybackngs[.]comNational Genealogy Societyplaybackrlc[.]comRestaurant Law Centerplaybackahia[.]comAssociation of Healthcare Internal Auditorsplaybacknacac[.]comNational Association for College Admission Counseling

Server hosting compromised sites

209.126.18.3

The post Credit card skimmer targets virtual conference platform appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Healthcare security update: death by ransomware, what’s next?

Malwarebytes - Thu, 10/08/2020 - 15:30

A recent ransomware attack which played a significant role in the death of a German woman has put into focus both the dangers and the importance of cybersecurity today. But it has also led some to point fingers as to who was responsible.

As usual, playing the blame game helps no one, but it does remind us of the dire need to work on healthcare security.

What happened?

A few weeks ago, the university hospital Uniklinikum in the German city of Düsseldorf suffered a ransomware attack. The hospital decided not to admit new patients until it resolved the situation and restored normal operations.

Because of the admissions stop, a woman in need of immediate help had to be driven to the hospital of Wuppertal which is about 20 miles further. Unfortunately, she died upon arrival. The extra 30 minutes it took to get her to the next hospital turned out to be fatal.

As it turned out, the target of the ransomware gang was not even the hospital, but the university the hospital belongs to. When the attackers learned that the hospital had fallen victim as well, they handed over the decryption key for free. Despite that key, it took the hospital more than two weeks to reach a level of operability that allowed them to take on new patients.

This is not only tragic because the woman might have been saved if the university hospital had been operational, but also because it demonstrates once more how one of the most important parts of our infrastructure is lacking adequate defenses against prevalent threats likes ransomware.

What are the main problems facing healthcare security?

In the past we have identified several elements that make the healthcare industry, and hospitals in particular, more vulnerable to cyberthreats than many other verticals.

Here are some of those problem elements:

  • The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals that all run on different operating systems and require specific security settings in order to shield them from the outside world.
  • Legacy systems: Quite often, older equipment will not run properly under newer operating systems which results in several systems that are running on an outdated OS and even on software that has reached the end-of-life point. This means that the software will no longer receive patches or updates even when there are known issues.
  • Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Institutes need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.
  • Extra stressors: Additional issues like COVID-19, fires, and other natural disasters can cut time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. These stressors and other reasons are often referred to as “we have more important things to do.”
IoT security risks

Many medical devices that investigate and monitor the patient are connected to the internet. We consider them to be part of the Internet of Things (IoT). This group of devices comes with its own set of security risks, especially when it comes to personally identifiable information (PII).

In every case it is advisable to investigate whether the devices’ settings allow to approach it over the intranet instead of the internet. If possible, that makes it easier to shield the device from unauthorized access and keep the sensitive data inside the security perimeter.

Legacy systems

Medical systems come from various suppliers and in any hospital you will find many different types. Each with their own goal, user guide, and updating regime. For many legacy systems, the acting rule of thumb will be not to tinker with it if it works. The fear of a system failure outweighs the urgency to install the latest patches. And we can relate to that state of mind except when applied to security updates on a connected system.

Disaster stress

Okay, here comes our umpteenth mention of COVID-19—I know, but it is a factor that we can’t ignore.

The recent global pandemic contributes to the lack of time that IT staff at many healthcare organizations feel they have. The same is true for many other disasters that require emergency solutions to be set up.

In some cases, entire specialized clinics were built to deal with COVID-19 victims, and to replace lost capacity in other disasters like wildfires and earth slides.

More important matters at hand?

It’s difficult to overstate the importance of “triage” in the healthcare system. Healthcare professionals like nurses and doctors likely practice it every day, prioritizing the most critical patient needs on a second-by-second basis.

It should serve as no surprise that triaging has a place in IT administration, too. Healthcare facilities should determine which systems require immediate attention and which systems can wait.

Interestingly, the CISO of the hospital which suffered from the ransomware attack was accused of negligence in some German media. Law enforcement in Germany is moving forward with both trying to identify the individuals behind the ransomware attack, as well as potentially charging them with negligent manslaughter because of the woman’s death.

While we can hardly blame the CISO for the woman’s death, there may come a time when inadequate security and its results may carry punishment for those responsible.

Ransomware in particular

The ransomware at play in the German case was identified as DoppelPaymer and it was determined to be planted inside the organization using the CVE-2019-19781 vulnerability in Citrix VPNs.

In more recent news, we learned that UHS hospitals in the US were hit by Ryuk ransomware.

It’s also important to remember that the costs of a ransomware attack are often underestimated. People tend to look only at the actual ransom amount demanded, but the additional costs are often much higher than that.

It takes many people-hours to restore all the affected systems in an organization and return to a fully operational state. The time to recover will be lower in an organization that comes prepared. Having a restoration plan and adequate backups that are easy to deploy can streamline the process of getting back in business. Another important task is to figure out how it happened and how to plug the hole, so it won’t happen again. Also, a thorough investigation may be necessary to check whether the attacker did not leave any backdoors behind.

There’s a problem for every solution

Security will probably never reach a watertight quality, so besides making our infrastructure, especially the vital parts of it, as secure as possible, we also need to think ahead and make plans to deal with a breach. Whether it’s a data breach or an attack that cripples important parts of our systems, we want to be prepared. Knowing what to do—and in what order—can save a lot of time in disaster recovery. Having the tools and backups at hand is the second step in limiting the damages and help with a speedy recovery.

To sum it up, you are going to need:

  • Recovery plans for different scenarios: data breaches, ransomware attacks, you name it
  • File backups that are recent and easy to deploy or another type of rollback method
  • Backup systems that can take over when critical systems are crippled
  • Training for those involved, or at least an opportunity to familiarize them with the steps of the recovery plans

And last but not least, don’t forget to focus on prevention. The best thing about a recovery plan is when you never need it.

Stay safe, everyone!

The post Healthcare security update: death by ransomware, what’s next? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Risky business: survey shows majority of people use work devices for personal use

Malwarebytes - Wed, 10/07/2020 - 15:30

There’s no denying the coronavirus pandemic is having a significant impact on the way we use technology. Some changes feel like a subtle acceleration of behavioral shifts that were already well underway (i.e. more online shopping and more streaming TV/movies).

Other changes are more extreme and we’re only beginning to understand the long-term effects. One of the biggest changes has to do with the way people work. More people are working from home than ever before and many are doing so for the very first time.

Now, combine these newly appointed remote workers with company-owned hardware and things are bound to go wrong. Right?

When it comes to light duty personal tasks like checking email, reading the news, or shopping online, most people who are working from home during the pandemic have no qualms about doing so on a work assigned device. The reason? It’s convenient, it’s believed to be low risk, and, in many cases, it’s allowed. Comparatively, few remote workers avoid any and all personal activities on their work hardware.

These findings and more come out of the latest Malwarebytes Labs reader survey on working from home during the coronavirus pandemic.

Business cybersecurity: perception vs. reality

Before we dig into the results of this new survey, we need to get a little context by looking back at an earlier survey Malwarebytes Labs conducted in August. In this study of the impact of COVID-19 on business cybersecurity, the Labs team spoke with 200 managers, directors, and C-suite executives in IT and cybersecurity roles at companies across the US to determine how their security posture has changed since the start of the pandemic. Sure enough, many companies were caught flatfooted, with 24 percent saying they incurred unexpected expenses relating to a cybersecurity breach or malware attack following shelter-in-place orders. Another 20 percent of respondents said they faced a security breach as a result of a remote worker.

The Labs team wanted to get a better understanding of how and why these security breaches happened. Are remote workers engaging in risky behavior that might open employers up to a potential security breach? To get answers, we went straight to our readers.

We asked Labs readers if they worked from home and, if so, did they have a work device provided by their employer. For the purposes of this survey we defined a work device as a desktop computer, laptop, smartphone, or tablet.

Of the 900 readers who took the survey, 77.5 percent said they currently work from home. About half of at-home workers, 52.7 percent, said they had a work assigned device.

In the earlier study focused on IT leaders, 47 percent said they were confident that their employees were “very aware” of cybersecurity best practices when working from home. Only 17.3 percent believed their employees were “acutely aware and mindful to avoid risk.” A mere 5.4 percent said their employees were “oblivious and risky.” 

The results of the latest reader survey appear to support these assessments. 

When we asked Labs readers if they used a work device to perform personal tasks not relating to work, most people said they felt comfortable performing seemingly low risk everyday tasks. Specifically, 52.6 percent said they sent or received email, while 52 percent said they read the news. Another 37.8 percent said they shopped online, and 25 percent said they checked their social media. 

As for why, most people said it was convenient:

“I’m using the work device during the day, no point starting up my own personal device just to do something I could do on the device I’m already sitting at and using.”

  A smaller group of respondents said it was expressly allowed by their employer:

“Work policy allows some personal use outside of work times—read Washington Post, New England Journal of Medicine, Zoom with friends.”

A few said they didn’t have the luxury of switching to a personal computer:

“Kids are using the family computer, I’m already on my work computer.”

For a significant chunk of readers, breaking the monotony of day-to-day WFH life was worth any potential risk. Some 25 percent of respondents said they streamed music, while 24 percent said they streamed videos or movies.

“Easier to stream (within reason) background music and videos while working rather than switch to a dedicated device. Same with reading news and other activities that do not require a personal account sign-in.”

A small, but impressive 30 percent of respondents said they never performed any kind of personal activity on a work assigned device. When asked why, most said something to the effect of “It’s not my computer.”

“I don’t. When I’m tempted to, it’s because it’s easier to not switch to another device or because my work computer has better software than my personal computer. But it’s not my machine so I don’t.”

Others said that personal use was forbidden or outright restricted:

“I work for the government. They monitor computer usage, so no personal stuff done on the work laptop.”

Risky business for remote workers

Remote workers who engaged in online behavior that could be considered high risk were relatively few. Of those surveyed, 22 percent said they downloaded or installed an application on work systems. Another 6.5 percent of respondents said they used a work device as a WiFi hotspot for other devices. Possibly taking advantage of more powerful work hardware, 4.6 percent said they played video games.

It’s worth noting, gamers are a favorite target for cybercriminals. Malwarebytes Labs has reported on cheat tools that contain hidden malware, in-game currency scams, and phishing sites that lure victims in with the promise of “free” games.

Setting boundaries

At this point, you’re probably wondering why there’s no data about how many remote workers used work devices to connect to unsecure public WiFi networks. Varying shelter-in-place restrictions and the closure of many facilities that offer public WiFi (like coffee shops and restaurants) make it nigh impossible to get accurate data on the subject. If anything, we’ll save that question for a future survey. 

For now, it’s safe to say most people working from home are doing so safely. However, the onus is on employers to set clear boundaries around what employees can and cannot do with the company hardware.

One survey respondent summed it up best:

“Pure convenience. The work laptop is fully set up with a dock and connections to keyboard, mouse, external monitor, and wired Internet … So, short answer: I’m lazy.”

The same respondent added:

“It’s probably worth noting that the employer has a reasonable set of safeguards on the laptop itself—I could not, for example, randomly download new software, nor visit certain non-safelisted sites.”

If you’re a business owner, short of placing draconian restrictions on what your remote workers can and can’t do with their work devices, now is a good time to remind employees about work device protocols. To that end, check out our security tips for working from home. Finally, we would be remiss without mentioning Malwarebytes offers endpoint protection solutions that keep your employees, devices, and network safe if and when a remote worker clicks a bad link, opens an infected attachment, or visits a malicious website.

The post Risky business: survey shows majority of people use work devices for personal use appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Release the Kraken: Fileless injection into Windows Error Reporting service

Malwarebytes - Tue, 10/06/2020 - 15:00

This blog post was authored by Hossein Jazi and Jérôme Segura.

On September 17th, we discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.

That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens. When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.

While this technique is not new, this campaign started with a phishing attack enticing victims with a worker’s compensation claim. It is followed by the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques.

Malicious lure: ‘your right to compensation’

On September 17, we found a new attack starting from a zip file containing a malicious document most likely distributed through spear phishing attacks.

The document “Compensation manual.doc” pretends to include information about compensation rights for workers:

Figure 1: Malicious Document

The file contains an image tag (“INCLDEPICTURE“) that connects to “yourrighttocompensation[.]com” and downloads an image that will be the document template.

Figure 2: Imagetag embedded within the document Figure 3: yourrighttocompensation website

This domain was registered on 2020-06-05 while the document creation time is 2020-06-12, which likely indicates that they are part of the same attack.

Inside, we see a malicious macro that uses a modified version of CactusTorch VBA module to execute its shellcode. CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript.

The following figure shows the macro content used by this threat actor. It has both AutoOpen and AutoClose functions. AutoOpen just shows an error message while AutoClose is the function that performs the main activity.

Figure 4: Macro

As you can see in Figure 4, a serialized object in hex format has been defined which contains a .Net payload that is being loaded into memory. Then, the macro defined an entry class with “Kraken.Kraken” as value. This value has two parts that have been separated with a dot: the name of the .Net Loader and its target class name.

In the next step, it creates a serialization BinaryFormatter object and uses the deseralize function of BinaryFormatter to deserialize the object. Finally, by calling DynamicInvoke the .Net payload will be loaded and executed from memory.

Unlike CactusTorch VBA that specifies the target process to inject the payload into it within the macro, this actor changed the macro and specified the target process within the .Net payload.

Kraken Loader

The loaded payload is a .Net DLL with “Kraken.dll” as its internal name, compiled on 2020-06-12.

This DLL is a loader that injects an embedded shellcode into WerFault.exe. To be clear, this is not the first case of such a technique. It was observed before with the NetWire RAT and even the Cerber ransomware.

The loader has two main classes: “Kraken” and “Loader“.

Figure 5: Kraken.dll

The Kraken class contains the shellcode that will be injected into the target process defined in this class as “WerFault.exe“. It only has one function that calls the Load function of Loader class with shellcode and target process as parameters. This shellcode is a variant of Cobalt Strike.

Figure 6: Kraken class

The Loader class is responsible for injecting shellcode into the target process by making Windows API calls.

Figure 7: Load function

These are the steps it uses to perform its process injection:

  • StartProcess function calls CreateProcess Windows API with 800000C as dwCreateFlags.
  • FindEntry calls ZwQueryInformationProcess to locate the base address of the target process.
  • CreateSection invokes the ZwCreateSection API to create a section within the target process.
  • ZwMapViewOfSection is called to bind the section to the target process in order to copy the shellcode in by invoking CopyShellcode.
  • MapAndStart finishes the process injection by calling WriteProcessMemory and ResumeThread.
ShellCode Analysis

Using HollowHunter we dumped the shell code injected into WerFault.exe for further analysis. This DLL performs its malicious activities in multiple threads to make its analysis harder.

This DLL is executed by calling the “DllEntryPoint” that invokes the “Main” function.

Figure 8: Main Process

The main function calls DllMain which creates a thread to perform its functions in a new thread within the context of the same process.

Figrue 9: Dll main

The created thread at first performs some anti-analysis checks to make sure it’s not running in an analysis/sandbox environment or in a debugger.

It does this through the following actions:

1) Checks existence of a debugger by calling GetTickCount:

GetTickCount is a timing function that is used to measure the time needed to execute some instruction sets. In this thread, it is being called two times before and after a Sleep instruction and then the difference is being calculated. If it is not equal to 2 the program exits, as it identifies it is being debugged.

Figure 10: Created thread

2) VM detection:

In this function, it checks if it is running in VmWare or VirtualBox by extracting the provider name of the display driver registry key (`SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000′) and then checking if it contains the strings VMware or Oracle.

Figure 11: VM detection

3) IsProcessorFeaturePresent:  

This API call has been used to determine whether the specified processor feature is supported or not. As you see from the below picture, “0x17” has been passed to this API as a parameter which means it checks __fastfail support before proceeding with immediate termination.

Figure 12: InProcessorFeaturePresent

4) NtGlobalFlag:

The shell code checks NtGlobalFlag in PEB structure to identify whether it is being debugged or not. To identify the debugger it compares the NtGlobalFlag value with 0x70.

5) IsDebuggerPresent:

This checks for the presence of a debugger by calling “IsDebuggerPresent“.

Figure 13: NtGlobalFlag and IsDebuggerPresent check

After performing all these anti-analysis checks, it goes into a function to create its final shellcode in a new thread. The import calls used in this part are obfuscated and resolved dynamically by invoking the “Resolve_Imports” function.

This function gets the address of “kernel32.dll” using LoadLibraryEx and then in a loop retrieves 12 imports.

Figure 14: Resolve_Imports

Using the libpeconv library we are able to get the list of resolved API calls. Here is the list of imports, and we can expect it is going to perform some process injection.

VirtualAlloc
VirtualProtect
CreateThread
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
GetEnvironmentVariableW
CreateProcessW
CreateRemoteThread
GetThreadContext
SetThreadContext
ResumeThread

After resolving the required API calls it creates a memory region using VirtualAlloc and then calls “DecryptContent_And_WriteToAllocatedMemory” to decrypt the content of the final shell code and write them into created memory.

In the next step, VirtualProtect is called to change the protection to the allocated memory to make it executable. Finally, CreateThread has been called to execute the final shellcode in a new thread.

Figure 15: Resolve Imports and Create new thread Final Shell code

The final shellcode is a set of instructions that make an HTTP request to a hard-coded domain to download a malicious payload and inject it into a process.

As first step it loads the Wininet API by calling LoadLibraryA:

Figure 16: Loads Wininet

Then it builds the list of function calls that are required to make the HTTP request which includes: InternetOpenA, InternetConnectA, InternetOpenRequestA and InternetSetOptionsExA.

Figure 17: HttpOpenRequestA

After preparing the requirements for building HTTP request, it creates a HTTP request and sends it by calling HttpSendrequestExA. The requested URL is: http://www.asia-kotoba[.]net/favicon32.ico

Figure 18: HttpSendRequestExA

In the next step, it checks if the HTTP request is successful or not. If the HTTP request is not successful it calls ExitProcess to stop its process.

Figure 19: Checking the http request success

If the return value of HTTPSendRequestExA is true, it means the request is successful and the code proceeds to the next step. In this step it calls VirtualAllocExA to allocate a memory region and then calls InternetReadFile to read the data and write it to the allocated memory.

Figure 20: InternetReadFile call

At the end it jumps to the start of the allocated memory to execute it. This is highly likely to be another shellcode that is hosted on the compromised “asia-kotoba.net” site and planted as a fake favicon in there.

Since at the time of the report the target URL was down, we were not able to retrieve this shellcode for further analysis.

[Update:2020-10-09]

After further investigations we realized that this activity has no relation to any APT group and is part of red teaming activity.

Malwarebytes blocks access to the compromised site hosting the payload:

Figure 21: Lure document attempting to contact remote site IOCs

Lure document: 31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942

Archive file containing lure document:
d68f21564567926288b49812f1a89b8cd9ed0a3dbf9f670dbe65713d890ad1f4

Document template image:
yourrighttocompensation[.]com/ping

Archive file download URLs:
yourrighttocompensation[.]com/?rid=UNfxeHM
yourrighttocompensation[.]com/download/?key=15a50bfe99cfe29da475bac45fd16c50c60c85bff6b06e530cc91db5c710ac30&id=0
yourrighttocompensation[.]com/?rid=n6XThxD
yourrighttocompensation[.]com/?rid=AuCllLU

Download URL for final payload:
asia-kotoba[.]net/favicon32.ico

The post Release the Kraken: Fileless injection into Windows Error Reporting service appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile network operator falls into the hands of Fullz House criminal group

Malwarebytes - Mon, 10/05/2020 - 20:49

Update (2020-10-05): The malicious code has been removed from Boom! Mobile’s website

Most victims of Magecart-based attacks tend to be typical online shops selling various goods. However, every now and again we come across different types of businesses which were affected simply because they happened to be vulnerable.

Today we take a quick look at a mobile operator who offers cell phone plans to its customers. Their website lets you shop for devices and service with the well known shopping cart experience.

However, criminals related to the Fullz House group that was previously documented for their phishing prowess managed to inject malicious code into the platform and thereby capture data from unaware online shoppers.

Unusual victim

Boom! Mobile is a wireless provider that sells mobile phone plans that operate on the big networks. The Oklahoma-based business advertises great customer service, transparency, and no contracts.

Our crawlers recently detected that their website, boom[.]us, had been injected with a one-liner that contains a Base64 encoded URL loading an external JavaScript library.

Once decoded, the URL loads a fake Google Analytics script from paypal-debit[.]com/cdn/ga.js. We quickly recognize this code as a credit card skimmer that checks for input fields and then exfiltrates the data to the criminals.

This skimmer is quite noisy as it will exfiltrate data every time it detects a change in the fields displayed on the current page. From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded.

Known threat actor

We recognized this domain and code from a previous incident where threat actors were using decoy payment portals set up like phishing pages.

RiskIQ tracked this group under the nickname “Fullz House” due to its use of carding sites to resell “fullz,” a term used by criminals referring to full data packages from victims.

In late September, we noticed a number of new domains that were registered and following the same pattern we had seen before with this group.

However this group was quite active in the summer and continues on a well established pattern seen a year ago. Those domains are on AS 45102 (Alibaba (US) Technology Co., Ltd.), also previously documented by Sucuri.

Website compromise

According to Sucuri, boom[.]us is running PHP version 5.6.40 which was no longer supported as of January 2019. This may have been a point of entry but any other vulnerable plugin could also have been abused by attackers to inject malicious code into the website.

We reported this incident both via live chat and email to Boom! Mobile but have not heard back from them at the time of writing. Their website is still compromised and online shoppers are still at risk.

Malwarebytes Browser Guard was already blocking the skimmer before we detected this incident, therefore prevent the remote script from loading its malicious code.

Thabnks to @AffableKraut and @unmaskparasites for sharing additional IOCs.

Indicators of Compromise

Skimmer domains

google-standard[.]com
bing-analytics[.]com
google-money[.]com
google-sale[.]com
paypal-assist[.]com
paypal-debit[.]com
connect-facebook[.]com
cdn-jquery[.]com
google-assistant[.]com
paypalapiobjects[.]com
google-tasks[.]com
jquery-insert[.]com
googleapimanager[.]com

Skimmer IPs

8.208.79.49
47.254.170.245

Registrant email

medialand.regru@gmail.com

The post Mobile network operator falls into the hands of Fullz House criminal group appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (September 28 – October 4)

Malwarebytes - Mon, 10/05/2020 - 17:00

Last week on Malwarebytes Labs, we dug into what happens when card fraud comes calling, we gave a rundown on some novel ransomware attacks that took advantage of smart coffee makers, and we introduced VideoBytes, our new, monthly series in which we’ll provide video coverage of some of the cybersecurity world’s top stories. In our first week, we gave viewers look at both the infamous Twitter hack and the evolution of ransomware.

Finally, we published our latest episode of Lock and Code, in which we spoke with Open Path co-founder and chief security officer Samy Kamkar about the digital vulnerabilities in our physical world.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (September 28 – October 4) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

VideoBytes: Ransomware gets wasted!

Malwarebytes - Fri, 10/02/2020 - 17:00

Hello dear readers, and welcome to the latest edition of VideoBytes! On today’s episode, we’re talking about how ransomware is on the rise again, focused on attacking corporations with malware that not only encrypts files, but also steals it

The tactics used to deploy these forms of ransomware have become more capable and the amount of effort that goes into an attack is far greater than what we saw 3 years ago. Ransomware is also evolving as we continuously see new tactics to evade detection and/or increase infection and encryption speed.

Watch on to learn all about it. Or, as our esteemed host always says: Sit back, relax, here come the facts.

A rise in ransomware attacks

A recent study found that 25% of all UK universities have experienced a ransomware attack in the last 10 years, including Sheffield Hallam University that had 42 attacks in the past seven years!

Most of the universities covered in the study had been attacked multiple times. However, of the universities that responded, many reported that they did not pay the ransom, rather they restored from backups.

One point made by Ionut Ilascu from Bleeping Computer mentions that “the results from the FOIA are a poor reflection of the recent period as close to half of all the schools receiving the solicitation refused to give any information, motivating with concerns that admission of attack would only encourage the hackers.”

Logic dictates that going after a previous cybercrime victim is like trying to launch a sneak attack on an enemy who already knows you are coming. Clearly, some folks believe that admitting you have been the victim of a cyber-attack is a sign of weakness or insecurity.

Attackers threaten to report you!

There are possible legal difficulties that may affect whether or not a company pays or even reports a ransomware attack. For example, the General Data Protection Regulation, or GDPR, is a sweeping data privacy and protection law in the European Union that attempts to enforce the safe and secure protection of user data by organizations operating in Europe. 

Admitting that an attack occurred and inviting possible investigation into how secure, or insecure, your data storage policies are may be enough reason for some organizations to downplay attacks. In fact, a ransomware group has recently taken advantage of this and is using GDPR threats to try and extort victims.

For example, servers running the MongoDB database software are being targeted by attackers who are focused on insecure deployments of the software, with the goal of accessing databases, stealing data and replacing it with README files that demand bitcoin payments in 48 hours or else all stolen data will get released online.

Part of the ransom note claims that if the victim doesn’t pay, not only will they release the files, but they will also report the organization to the GDPR authorities, which may lead to a fine or arrest (according to the note, anyway, which is clearly meant to drum up fear).

Victor Gevers of the GDI Foundation, who has been tracking this threat, identified over 15,000 servers that the README ransom note was found on. He obtained this information after querying the internet device search engine Shodan. However, other scanners show up to 23,000 affected servers.

According to a Bleeping Computer article by Lawrence Abrams, which featured Victor Gevers: “With the ransom amount being small at $135.55 and the worry of GDPR violations, Gevers feels that it may cause some people to pay. The actors then know that the data is valuable to the owner and extort them for even more money.”

WastedLocker ransomware lands a whale

That $135 ransom is a lot less than Garmin reportedly paid when it suffered an attack from a ransomware known as WastedLocker, which knocked down a lot of their services in the process. According to media reports, Garmin ended up using a ransomware negotiation company called Arete IR to pay millions of dollars to the attackers and get everything back up and running again.

WastedLocker is a ransomware  tool known to be associated with the Russian Cybercrime Gang: “Evil Corp” and it has been on a bit of a spree over the last few months. And you’re right—it’s not the most inventive name for a cybercriminal gang.

Fake news?

In July it was reported that this same ransomware strain was found infecting networks of dozens of US newspaper websites. They hosted WastedLocker executables on those infected servers and, when needed, would download it from the same sites. The goal was to mask the malicious intent of the traffic by making it look like a user just reading the news.

In addition, Symantec warned folks about this group a month before the Garmin attack was made public. These guys are not messing around; they only seem to go after well-resourced and likely well-researched organizations, unlike other ransomware families we have seen in the past who target anyone willing to run their malware.

Evading protection

An example of this group’s sophistication is their use of new features meant to evade detection by anti-ransomware tools. Many AR tools use the behavior of an untrusted executable doing ransomware-like things to identify a possible ransomware infection, for example, encrypting files and deleting them.

WastedLocker loads files into the “Windows Cache Manager” which can hold temporary versions of files. The malware reads the contents of a victim file into the Windows Cache Manager, then encrypts the data found in the cache, not the file on disk. 

When enough of the data in the cache has been “modified” or encrypted by the ransomware, the cache manager automatically writes the modified data to the original file. In simple terms, it replaces the unencrypted, legitimate file with the encrypted version and it does this under the umbrella of a legitimate system process, not some shady EXE file.

The idea is that if an anti-ransomware tool does not see the malware binary doing the encryption, then maybe it will not detect the malware. However, vendors are already updating their tools to detect this kind of behavior, so it may not be a clever trick for much longer.

The new normal for ransomware

Researchers believe that WastedLocker is manually directed by attackers who utilize things like stolen passwords and outward facing, vulnerable network entry ports that allow them to not just launch malware, but scope out a target and determine the best strategy for attack.  Something like that is more difficult to predict and defend against, especially when the actor is proven to be sophisticated and clever.

Wastedlocker has already proven itself multiple times over as being a dangerous and capable malware. Depending on what Evil Corp wants to do next, they could continue trying to ransom corporate networks or they could set up shop and start selling modified versions of WastedLocker to other cyber criminals. The ransomware-as-a-service scene (yes, you read that right) is very lucrative.

Ransomware-as-a-service

Ransomware-as-a-service is a term used to describe a cybercrime group that develops malware for individual customers to spread. This takes a lot of the overhead out of launching a ransomware attack, because previously an attacker might have needed to develop, steal, or buy their own ransomware, then go about trying to infect people with it. The quality of that ransomware was not guaranteed, and it might not even work.

With more advanced families of ransomware like Cerber and Locky, the value was in the proven effectiveness of the ransomware. The creators of these families only needed to make slight updates and provide individualized modifications to customers (like what email the victim should reach out to) who would then go about distributing the malware.  Once a ransom payment occurs, the creators of the ransomware get their own cut and the distributors get most of the payment.

However, to avoid being scammed by the criminals selling the ransomware, who may include a backdoor in that ransomware, it comes down to reputation of the malware. Have there been news stories about it? Has it been proven in the wild? Combine those queries with the reputation of the creators and sellers of the service: Do they have good relationships with other criminals? Can they be counted on to come through on their end of the bargain?

It’s like buying something off the DarkNet, you have to put your confidence into the seller that they will deliver the product you are buying and a lot of times that comes in the form of previous customer reviews. If a criminal developing malware was putting backdoors into what they were selling, someone would notice and tell other folks about it. Eventually, the vendor will not be trusted anymore, and nobody will buy their wares.

It’s sort of like a rampant free market, but for ransomware, and totally terrible for businesses and consumers. The product with the most reliability, the strongest reviews, and the best, uh, returns, will likely enjoy the most sales.

The post VideoBytes: Ransomware gets wasted! appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Chaos in a cup: When ransomware creeps into your smart coffee maker

Malwarebytes - Thu, 10/01/2020 - 16:56

When the fledgling concept of the Internet of Things (IoT) was beginning to excite the world almost a decade ago, perhaps no coffee lover at that time would’ve imagined including the coffee machine in the roster of internet-connected devices—even in jest. True, the simple, utilitarian coffee machine may not be as popular now as it used to back in the day, but its continued availability within office premises and private home kitchens, plus inherent risks—much like any IoT device—may be in equal footing with your smart speaker, smart doorbell, or smart light bulb.

Cybersecurity issues surrounding internet-connected coffee machines are further punctuated by the latest news about how Martin Hron, a reverse engineer from Avast, tinkered his Smarter coffee maker to not only beep and spew out hot water but also deprive you of a nice, morning brew and display a short ransom note.

Courtesy of Dan Goodin, Ars Technica

Yes, Hron turned his coffee maker into a ransomware machine by directly modifying its firmware.

Your bedlam before breakfast

Simply put, firmware is software that allows users to control the electronic hardware they’re using. Typically, firmware has no encryption or any form of protection, making it a likely and easy target to hit by malicious hackers and spy agencies.

“My colleagues often hear me say that ‘firmware is a [sic] new software.’ And that software is very often flawed,” writes Hron in a blog post detailing his coffee machine tinkering exploits, “The weakened state of IoT security is due in large part to the fact that, nowadays, it is more convenient and cheap to place a processor inside a device […]. This solution is not only cheap, but has also one important property—it can be updated.”

When it comes to breaking into smart coffee makers to explore vulnerabilities in smart devices, this isn’t Hron’s first rodeo. He also made a ransomware machine out of the coffee maker he hacked in June 2019 to make it do things we’ve seen in the above video. Not only that, he demonstrated that smart devices, in general, can be used as a gateway into private networks, allowing threat actors to do as they please within this space. From snooping on every device connected to the same network the coffee machine is connected to, to intercepting communication between and among users, to downloading sensitive data, to uploading malicious software.

Unfortunately, the latter was what happened to one company when ransomware was suddenly introduced in their system via a compromised coffee machine.

Coffee, connectivity, and a ransom note

A Reddit user who went by the handle C10H15N1—they admitted to the alias being a throw-away one to maintain anonymity—realized first-hand how a small mistake in setting up IoT devices in the workplace could cause panic and potentially massive problems if not dealt with early on.

Three years ago, they recounted in a post, they were faced with a problem when an operator of a local factory control system reported that all four computers with monitoring software installed were down and showing an error message, which we later on find out is actually a ransomware message. As a programmable logic controllers (PLC) expert, C10H15N1 assisted the operator to find out what’s wrong and come up with a solution. First, the operator described to him what sounded like a ransomware infection—something that wouldn’t happen given that the affected computers, which were still running on an outdated version of Windows XP, were not connected to the internet.

C10H15N1 then instructed the operator to restart the computers and reinstall a fresh image. It worked for a while, then one-by-one, the computers started showing the same error again, leaving C10H15N1 stumped. While in the middle of figuring out why the computers got reinfected, the operator went off to get coffee, only to come back empty handed because he couldn’t get a cup as the coffee machines were displaying the same error message.

At the end of the day, no human or machine were harmed during the attack. They eventually realized that malicious actors used the coffee machines as a platform to infect other computers within their network. Normally, smart coffee machines are connected to their own, isolated Wi-Fi; however, the third-party personnel who installed the percolators connected them to the control room network via a cable.

Nevertheless, C10H15N1’s company sent out a scathing letter to their coffee machine supplier about what happened.

What can you do to protect yourself from troubles your smart coffee machine may cause you?

While it is true that IoT ransomware is no longer a theory but a reality—albeit rare—this doesn’t mean that it’s alright for organizations and consumers alike to keep their guard down. Now that we have a real-world scenario, coupled with multiple feats of security researchers successfully hacking into smart percolators [1][2][3][4][5][6][7], IoT ransomware must be on every enterprise’s and private citizen’s radars. They should already be thinking of ways to better protect themselves. Let’s start with these:

  • Ensure that your smart percolator is not connected to a network that is also connected to by systems with sensitive information. Also avoid connecting to a network where sensitive communication within your organization (or home) takes place.
  • Update your smart percolator’s firmware ASAP.
  • Secure your network. Instead of using your router’s default password, change it to a more complex one.

When it comes to whether you should get an IoT device or not, the general rule is to first ask yourself this question: Do I really need my light bulb/coffee pot/washing machine/doorbell/other household items to be smart?

If your answer is “no”, then you should keep using the items and appliances you are using. However, if having an IoT in the home is unavoidable—you really need to replace that broken TV, and no shop is selling the same make and model anymore—then by all means buy that smart TV, and that smart coffee maker, too, while you’re at it. But please make sure that you do everything you can to stay protected. Remember that your supplier has their part to play in the security of things. You have your part, too.

Happy International Coffee Day! Keep that coffee flowing and, as always, stay safe!

The post Chaos in a cup: When ransomware creeps into your smart coffee maker appeared first on Malwarebytes Labs.

Categories: Techie Feeds

VideoBytes: Twitter gets hacked!

Malwarebytes - Thu, 10/01/2020 - 16:00

Hello dear readers, and welcome to the latest and greatest from VideoBytes: a brand new, video feature that we announced just yesterday.

On our debut post today, we’re talking to you about the Twitter hack, in which hackers accessed the Twitter accounts of 130 high profile figures, like Barack Obama, Joe Biden and Elon Musk by gaining access to an employee administrative panel.

Watch on to learn all about it! Or, as our esteemed host always says: Sit back, relax, here come the facts.

(And a quick note to our readers: For just a couple of days, you may see a YouTube title that doesn’t mention “VideoBytes.” Do not worry, there is nothing wrong with your … er, television set? That’s us, updating our videos as we move along.)

The Attack

The hackers called Twitter employees on their phones and tricked them into handing over their passwords. Basically, they used some simple social engineering. They accomplished this by calling a lot of people and eventually obtaining a few passwords for accounts with fewer accesses.  The attackers then worked their way into compromising accounts with more accesses and reset the passwords for 45 of the targeted accounts and logged in.

The Damage

According to Twitter, 130 total accounts were targeted, 45 of them had tweets sent by attackers, 36 accounts had their direct messages accessed and a few accounts had their Twitter data archive downloaded. Yikes.

The tweets sent by the attackers using the hijacked accounts all pointed to a bitcoin gathering scam. Each tweet claimed that the user was “giving back” by sending people double the bitcoin they put into a wallet. If that immediately sounds too good to be true, well, it was.

The cryptocurrency wallet set up by the hackers collected about $120,000 worth of bitcoins. Interestingly enough, it could have been a lot more, but Coinbase, the US-based cryptocurrency exchange, blacklisted the bitcoin address for the hackers’ wallet. The exchange company therefor prevented almost 1000 users from getting scammed and sending bitcoin worth approximately $280,000 over to the hackers. Good work.

Recovery

In response to this attack, Twitter blocked all accounts involved from tweeting for 3 hours while they cleaned it up.

To reduce the chance of it happening again, Twitter admins are also significantly limiting employee access to internal systems during the investigation and improving tools to identify unauthorized access to their internal systems.

Finally, Twitter is rolling out company-wide phishing training.

The administrative tools the hackers gained access to could disable two-factor authentication. So, victims had no chance of preventing their accounts from being hijacked.  It was an unfortunate, but thankfully not devastating, lesson for the social media company.

The post VideoBytes: Twitter gets hacked! appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Introducing VideoBytes, by Malwarebytes Labs

Malwarebytes - Wed, 09/30/2020 - 15:30

We have exciting news for avid readers of Malwarebytes Labs: This week, we’re launching a new, monthly video series that will feature the research, insights, and commentary of our own Adam Kujawa, security evangelist and a director for Malwarebytes Labs.

Welcome to VideoBytes, our little corner of threat cinema on the web.

The stories we’ll cover in VideoBytes will be similar to the trustworthy news coverage you’re using to finding here on Malwarebytes Labs. We’ll cover major hacks, unveil new data about emerging threats, dive deep into deepfakes, and, for just a handful of videos, we’ll look back on some of our earlier coverage here on Malwarebytes Labs, but with more information, more discussion, and more to tell.

All of this will come to you from Adam Kujawa, who, if you haven’t seen him before, you’ve likely heard talk on several topics. He’s been a frequent guest on our podcast Lock and Code, helping listeners understand the nuances of security hubris and how it can harm their businesses, and diving into the complicated world of data security today.

VideoBytes will follow a long tradition here at Malwarebytes Labs of presenting the information that readers want in an easy-to-find, reliable package. When readers wanted to learn more about specific malware threats, we developed our “Explained” series. When we realized that readers needed more information about the litany of technology products that could enter their homes, we release our “Please Don’t Buy This” series.

For VideoBytes, we’ll deliver new videos to you every month, and you can expect our first video as early as tomorrow, in which we’ll talk to you directly about the recent Twitter hack. You also won’t have to wait long for our next video, which will drop the day after, in which we will explore the evolution of ransomware in recent months.

We’ll see you again soon, and, for perhaps your first time ever, you’ll see us.

The post Introducing VideoBytes, by Malwarebytes Labs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Caught in the payment fraud net: when, not if?

Malwarebytes - Tue, 09/29/2020 - 17:00

Sometimes, I think there are three certainties in life: death, taxes, and some form of payment fraud. Security reporter Danny Palmer experienced this a little while ago, and has spent a significant amount of time tracking the journey of his card details from the UK to Suriname. His deep-dive confirmed that it is easy to become tangled up in fraud, even if you’re very careful. I myself have experienced one of the more peculiar forms of credit card theft, detailed below.

Sometimes it’s you…

Right off the bat, let’s clarify that there are ways to both help and hinder the security of your payment information.

Maybe you switched something off while traveling for easy access and forgot to turn it back on at the other end. Perhaps there was some ancient Hotmail account still tied to something important with a password on six hundred thousand password dumps. Maybe you did one of those “Without giving your exact date of birth, please tell us something you’d recognise from your childhood and also your exact date of birth and credit card number” things bouncing around on social media.

These are all ways you can inadvertently generate problems for yourself at a later date.

Sometimes it isn’t you

On the other hand, instead of winding up in one of the above examples, let’s say you successfully navigated all perils.

You secured your desktop, installed some security software, followed the advice to keep your system up to date, and avoided all dubious installs. Locking down your phone was a great idea. Reading some blogs on password managers was the icing on the cake. You’ve done it all, and anything going wrong after this will have to be one heck of a fight.

There is, however, a third path outside of what you do or don’t do to keep data secure.

Occasionally, the issue is elsewhere

Maybe people you don’t know, who you entrusted with the well-being of your card data, did something wrong. Perhaps a Point of Sale terminal is missing vital patches. The store across town didn’t keep an eye on their ATM, and the company responsible for it didn’t have a means to combat the skimmer strapped across the card slot. The clothing store you bought your jacket from did a terrible job of locking down payment data and everything is sitting in the clear.

This is absolutely one of those “whatever will be, will be” moments.

The…good?…news about hacks outside of your control is, they can happen to anyone. Including people who work in security. As a result, you shouldn’t feel like you’ve done something wrong. In many cases, you almost certainly haven’t. It’s way beyond time to normalise the notion that huge servings of guilt aren’t a pre-requisite for data theft.

Setting the scene: My experience with card fraud

When I received my fraud missive through the post, it was shortly after an incredibly time consuming and complicated continent-spanning house move. Did I make a multitude of payments in all directions? You bet. Shipping, storage, local transportation, and a terrifyingly long list of general administrative and paperwork duties from one end of a country to another.

I avoided using my banking debit card throughout the process, relying on my credit card instead. There’s a reason for this.

Interlude: why I used a credit card

If you buy something with your debit card and it ends up with a scammer, you may have problems recovering your funds. You may well have to endure a lengthy dispute process, or prove you weren’t being negligent in order to get your money back.

Increasingly, banks are making this a little harder to do.

If you bank online, you’ll almost certainly have seen a digital caveat any time you go to transfer money. They’re usually along the lines of waiving the ability to reclaim your money back if tricked into sending your cash to a scammer. They’ll ask you to confirm you know who you’re sending the money to or place the responsibility for transferring funds directly on your own shoulders. Perhaps they’ll try and get out of paying up if your PC was compromised by malware. If you pay by cheque, you could get into all sorts of tedious wrangling behind the scenes too.

Even without all of the above, your bank may well have a number of minimum best practices for you to follow. Unless you want to run into potential pitfalls, try and keep things ship-shape there too.

Meanwhile, the credit card is a fast-track to getting your money back, because it’s the incredibly large and powerful credit company getting their money back. You’re just there for the ride, as it were. This in no way removes your requirement to be responsible with your details, but from experience, I’ve had more success righting a cash-related wrong where it involved credit rather than debit. It’s an added form of leverage and protection. The real shame is that isn’t usually the case when paying with your own money. Once again, we’re back in the land of “whatever will be, will be”.

End of interlude: when things go wrong

I don’t know exactly what happened with my card, or who took the details. I’ve no idea if the details were swiped from an insecure database, or a store had Point of Sale malware on a terminal. I can’t say if it was cloned from one of the few times I had to use an ATM.

Stop and think about the places you frequently buy items from. Maybe even draw up a list on a map. You’ll almost certainly have a handful of stores you use regularly, with a few random places thrown in for good measure. Perhaps you avoid ATMs completely, opting for cashback in stores instead. You probably shop online at the same places too, with a few more off-the-beaten-track sites popping up here and there, too.

You may get lucky and discover one of them has had a breach. If they’re small shops or family businesses, sorry…you probably won’t read about it in the news. Website compromises can lay undetected for a long time. Same for Point of Sale malware on physical terminals. Your shopping circle of trust only extends so far and is only useful for figuring out a breach up to a point. After that, it’s guesswork and for various reasons, your bank/credit card company won’t disclose investigation information.

The scammers strike

What I do know, is that a letter came through the door telling me someone had tried to make a purchase of around 14 thousand pounds on my credit card. Their big plan was to order a huge supply of wine from a wine merchant. What I was told by the bank, is that these aren’t places you can typically wander in off the street and throw some wine in a shopping trolley. These are organisations which sell directly to retailers.

Logic suggests that card fraud circles around small, inconspicuous transactions to remain off the grid. Nothing screams small, inconspicuous transactions like “a purchase more than the limit on your card for a bulk supply of rare, expensive wine from a direct to store wine merchant unavailable to the public”.

Though this is outside my realm of experience, my guess is a successful purchase would’ve resulted in the wine being sold on in ways which obscure the source of the original funds. By the time anyone has figured out what happened, the scammer has turned a profit and I’m left holding the incredibly large wine bag.

Luckily for me, “Make small inconspicuous transactions” doesn’t appear to have been in their playbook. Even if the fraud detection team had somehow missed this utterly out of character purchase, the scammers also managed to blow past my credit card limit. I assume the big fraud detection machine exploded and required a bit of a lie down afterwards to recover.

Dealing with the aftermath

I was very lucky, if you can call it that, because of the baffling way the scammers tried to rip me off. If the ludicrous size of the attempted payment hadn’t set alarm bells ringing, the unusual items purchased probably would have given the same end result. Similarly, Danny Palmer’s card flagged the fraud tripwires before any money was taken. Banks and credit card companies are constantly adding new ways to detect dubious antics and also make logging into banking portals a safer experience.

All the same, we shouldn’t rely on others too much to ensure our metaphorical bacon is saved at the last minute. Keep locking things down, be observant when using ATMs, and familiarise yourself with the security procedures for your payment method of choice. We can’t stop everything from going wrong, but we can certainly help tip the odds a little bit more in our favour.

I probably won’t crack open a bottle of wine to celebrate, though.

The post Caught in the payment fraud net: when, not if? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lock and Code S1Ep16: Investigating digital vulnerabilities with Samy Kamkar

Malwarebytes - Mon, 09/28/2020 - 15:45

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Samy Kamkar, chief security officer and co-founder of Open Path, about the digital vulnerabilities in our physical world.

If you look through a recent history of hacking, you’ll find the clear significance of experimentation. In 2015, security researchers hacked a Jeep Cherokee and took over its steering, transmission, and brakes. In 2019, researchers accessed medical scanning equipment to alter X-ray images, inserting fraudulent, visual signs of cancer in a hypothetical patient.

Experimentation in cybersecurity helps us learn about our vulnerabilities.

Today, we’re discussing one such experiment—a garage door opener called “Open Sesame,” developed by Kamkar himself.

Tune in to hear about the “Open Sesame,” how it works, what happened after its research was presented, and how the public should navigate and understand a world rife with potential vulnerabilities on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes storeGoogle Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on: Other cybersecurity news:
  • Threat intelligence researchers from Group-IB has outed a new Russian-speaking ransomware gang called OldGremlin, and it has been targeting big companies in Russia. (Source: CyberScoop)
  • Tyler Technologies, a product vendor of US states and counties during election seasons, recently admitted that an unknown party has hacked their internal systems. (Source: Reuters)
  • Graphika unearthed a campaign they called Operation Naval Gazing, which is aimed at supporting China’s territorial claim in the South China Sea. (Source: TechCrunch)
  • As the US elections draw near, the FBI and CISA warn voters against efforts and interference from foreign actors potentially spreading disinformation regarding election results. (Source: The Internet Crime Complaint Center (IC3))
  • Activision, the video game publisher for Call of Duty (CoD), denied that it had been hacked after reports that more than 500,000 accounts have had their login information leaked. (Source: Dexerto)

Stay safe, everyone!

The post Lock and Code S1Ep16: Investigating digital vulnerabilities with Samy Kamkar appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Taurus Project stealer now spreading via malvertising campaign

Malwarebytes - Thu, 09/24/2020 - 21:45

For the past several months, Taurus Project—a relatively new stealer that appeared in the spring of 2020—has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an autoit script ultimately responsible for downloading the Taurus binary.

Taurus was originally built as a fork by the developer behind Predator the thief. It boasts many of the same capabilities as Predator the thief, namely the ability to steal credentials from browsers, FTP, VPN, and email clients as well as cryptocurrency wallets.

Starting in late August, we began noticing large malvertising campaigns, including, in particular, one campaign that we dubbed Malsmoke that distributes Smoke Loader. During the past few days we observed a new infection pushing the Taurus stealer.

Campaign scope

Like the other malvertising campaigns we covered, this latest one is also targeting visitors to adult sites. Victims are mostly from the US, but also Australia and the UK.

Traffic is fed into the Fallout exploit kit, probably one of the most dominant drive-by toolsets at the moment. The Taurus stealer is deployed onto vulnerable systems running unpatched versions of Internet Explorer or Flash Player.

Figure 1: Traffic capture showing the malvertising chain into Fallout EK loading Taurus

Because of code similarities, many sandboxes and security products will detect Taurus as Predator the thief.

Figure 2: The string ‘TAURUS’ as seen in the malware binary

The execution flow is indeed pretty much identical with scraping the system for data to steal, exfiltrating it and then loading additional malware payloads. In this instance we observed SystemBC and QBot.

Stealer – loader combo continues to be popular

Stealers are a popular malware payload these days and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware.

Even though the threat actors behind Predator the thief have appeared to have handed over a fork of their original creation and disappeared, the market for stealers is still very strong.

Malwarebytes users are protected against this threat via our anti-exploit layer which stops the Fallout exploit kit.

We would like to thank Fumik0_ for background information about Predator the thief and Taurus.

Indicators of Compromise

Malvertising infrastructure

casigamewin[.]com

Redirector

89.203.249[.]76

Taurus binary

84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13

Taurus C2

111.90.149[.]143

SystemBC

charliehospital[.]com/soc.exe
c08ae3fc4f7db6848f829eb7548530e2522ee3eb60a57b2c38cd1bdc862f5d6f

QBot

regencymyanmar[.]com/nt.exe
3aabdde5f35be00031d3f70aa1317b694e279692197ef7e13855654164218754


The post Taurus Project stealer now spreading via malvertising campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

20 percent of organizations experienced breach due to remote worker, Labs report reveals

Malwarebytes - Thu, 08/20/2020 - 10:00

It is no surprise that moving to a fully remote work environment due to COVID-19 would cause a number of changes in organizations’ approaches to cybersecurity. What has been surprising, however, are some of the unanticipated shifts in employee habits and how they have impacted the security posture of businesses large and small.

Our latest Malwarebytes Labs report, Enduring from Home: COVID-19’s Impact on Business Security, reveals some unexpected data about security concerns with today’s remote workforce.

Our report combines Malwarebytes product telemetry with survey results from 200 IT and cybersecurity decision makers from small businesses to large enterprises, unearthing new security concerns that surfaced after the pandemic forced US businesses to send their workers home.

The data showed that since organizations moved to a work from home (WFH) model, the potential for cyberattacks and breaches has increased. While this isn’t entirely unexpected, the magnitude of this increase is surprising. Since the start of the pandemic, 20 percent of respondents said they faced a security breaches as a result of a remote worker. This in turn has increased costs, with 24 percent of respondents saying they paid unexpected expenses to address a cybersecurity breach or malware attack following shelter-in-place orders.

We noticed a stark increase in the use of personal devices for work: 28 percent of respondents admitted they’re using personal devices for work-related activities more than their work-issued devices. Beyond that, we found that 61 percent of respondents’ organizations did not urge employees to use antivirus solutions on their personal devices, further compounding the increase in attack surface with a lack of adequate protection.

We found a startling contrast between the IT leaders’ confidence in their security during the transition to work from home (WFH) environments, and their actual security postures, demonstrating a continued problem of security hubris. Roughly three quarters (73.2 percent) of our survey respondents gave their organizations a score of 7 or above on preparedness for the transition to WFH, yet 45 percent of respondents’ organizations did not perform security and online privacy analyses of necessary software tools for WFH collaboration.

Additional report takeaways
  • 18 percent of respondents admitted that, for their employees, cybersecurity was not a priority, while 5 percent said their employees were a security risk and oblivious to security best practices.
  • At the same time, 44 percent of respondents’ organizations did not provide cybersecurity training that focused on potential threats of working from home (like ensuring home networks had strong passwords, or devices were not left within reach of non-authorized users).
  • While 61 percent of respondents’ organizations provided work-issued devices to employees as needed, 65 percent did not deploy a new antivirus (AV) solution for those same devices.

To learn more about the increasing risks uncovered in today’s remote workforce population, read our full report:

Enduring from Home: COVID-19’s Impact on Business Security

The post 20 percent of organizations experienced breach due to remote worker, Labs report reveals appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The impact of COVID-19 on healthcare cybersecurity

Malwarebytes - Tue, 08/18/2020 - 19:30

As if stress levels in the healthcare industry weren’t high enough due to the COVID-19 pandemic, risks to its already fragile cybersecurity infrastructure are at an all-time high. From increased cyberattacks to exacerbated vulnerabilities to costly human errors, if healthcare cybersecurity wasn’t circling the drain before, COVID-19 sent it into a tailspin.

No time to shop for a better solution

As a consequence of being too occupied with fighting off the virus, some healthcare organizations have found themselves unable to shop for different security solutions better suited for their current situation.

For example, the Public Health England (PHE) agency, which is responsible for managing the COVID-19 outbreak in England, decided to prolong their existing contract with their main IT provider without allowing competitors to put in an offer. They did this to ensure their main task, monitoring the widespread disease, could go forward without having to worry about service interruptions or other concerns.

Extending a contract without looking at competitors is not only a recipe for getting a bad deal, but it also means organizations are unable to improve on the flaws they may have found in existing systems and software.

Attacks targeting healthcare organizations

Even though there were some early promises of removing healthcare providers as targets after COVID-19 struck, cybercriminals just couldn’t be bothered to do the right thing for once. In fact, we have seen some malware attacks specifically target healthcare organizations since the start of the pandemic.

Hospitals and other healthcare organizations have shifted their focus and resources to their primary role. While this is completely understandable, it has placed them in a vulnerable situation. Throughout the COVID-19 pandemic, an increasing amount of health data is being controlled and stored by the government and healthcare organizations. Reportedly this has driven a rise in targeted, sophisticated cyberattacks designed to take advantage of an increasingly connected environment.

In healthcare, it’s also led to a rise in nation-state attacks, in an effort to steal valuable COVID-19 data and disrupt care operations. In fact, the sector has become both a target and a method of social engineering advanced attacks. Malicious actors taking advantage of the pandemic have already launched a series of phishing campaigns using COVID-19 as a lure to drop malware or ransomware.

COVID-19 has not only placed healthcare organizations in direct danger of cyberattacks, but some have become victims of collateral damage. There are, for example, COVID-19-themed business email compromise (BEC) attacks that might be aiming for exceptionally rich targets. However, some will settle for less if it is an easy target—like one that might be preoccupied with fighting a global pandemic.

Ransomware attacks

As mentioned before, hospitals and other healthcare organizations run the risk of falling victim to “spray and prey” attack methods used by some cybercriminals. Ransomware is only one of the possible consequences, but arguably the most disruptive when it comes to healthcare operations—especially those in charge of caring for seriously ill patients.

INTERPOL has issued a warning to organizations at the forefront of the global response to the COVID-19 outbreak about ransomware attacks designed to lock them out of their critical systems in an attempt to extort payments. INTERPOL’s Cybercrime Threat Response team detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.

Special COVID-19 facilities

During the pandemic, many countries constructed or refurbished special buildings to house COVID-19 patients. These were created to quickly increase capacity while keeping the COVID patients separate from others. But these ad-hoc COVID-19 medical centers now have a unique set of vulnerabilities: They are remote, they sit outside of a defense-in-depth architecture, and the very nature of their existence means security will be a lower priority. Not only are these facilities prone to be understaffed in IT departments, but the biggest possible chunk of their budget is deployed to help the patients.

Another point of interest is the transfer of patient data from within the regular hospital setting to these temporary locations. It is clear that the staff working in COVID facilities will need the information about their patients, but how safely is that information being stored and transferred? Is it as protected in the new environment as the old one?

Data theft and protection

A few months ago, when the pandemic proved to be hard to beat, many agencies reported about targeted efforts by cybercriminals to lift coronavirus research, patient data, and more from the healthcare, pharmaceutical, and research industries. Among these agencies were the National Security Agency, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, and the UK National Cyber Security.

In the spring, many countries started discussing the use of contact tracing and/or tracking apps in an effort to help keep the pandemic under control. Apps that would warn users if they had been in the proximity of an infected user. Understandably, many privacy concerns were raised by advocates and journalists.

There is so much data being gathered and shared with the intention of fighting COVID-19, but there’s also the need to protect individuals’ personal information. So, several US senators introduced the COVID-19 Consumer Data Protection Act. The legislation would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, device, geolocation, and proximity data. The bill will also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.

The impact

Even though such a protection act might be welcome and needed, the consequences for an already stressed healthcare cybersecurity industry might be too overwhelming. One could argue that data protection legislation should not be passed on a case by case basis, but should be in place to protect citizens at all times, not just when extra measures are needed to fight a pandemic.

In the meantime, we at Malwarebytes will do our part to support those in the healthcare industry by keeping malware off their machines—that’s one less virus to worry about.

Stay safe everyone!

The post The impact of COVID-19 on healthcare cybersecurity appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds