Techie Feeds

Vital infrastructure: Threats target financial institutions, fintech, and cryptocurrencies

Malwarebytes - Fri, 05/10/2019 - 15:00

With news of a malware attack on accounting firm Wolters Kluwer causing a “quiet panic” in the accounting world this week, our assertion that financial institutions—from banks to brokers—are part of the vital infrastructure of society has been solidified.

According to its website, Wolters Kluwer provides software and services to all of the top 100 accounting firms in the United States, 90 percent of the top global banks, and 93 percent of Fortune 500 companies. With many of its tax, accounting, and vital storage services down since Monday, employees and customers have been unable to access data during a busy filing period (taxes for non-profits are due May 15.

It is unknown at this time if personally identifiable information was taken in the attack, or if the infection spread to any of Kluwer’s customers. The company released a statement saying they had no reason to believe either were true, but that the investigation is still ongoing.

In the meantime, communication with the firm is spotty and day-to-day work operations have been impeded. Up against a deadline, some accountants are having to complete tax returns for their clients by hand.

And that’s just one attack on one firm.

When we lose trust in our financial institutions, it turns our society upside down. When the paper is no longer worth the number printed on it, or you cannot withdraw money from your account, that rattles the bases of our economy. And in the capitalist society we live in, that means literally everything changes.

Whether attacks empty our accounts or expose our data, how can we feel comfortable investing in the future? And if everyone turned their back on financial institutions because of lack of security, what would happen? Would we have to turn back the clocks to a more primitive age when currency was forged from precious metals or we bartered for goods?

Financial institutions

For further discussion, it makes sense to define what we consider to be financial institutions. Also called financials or banking institutions, they are the corporations that act as intermediaries of financial markets or money management. These businesses can be:

  • Banks
  • Insurance companies
  • Stock traders and other brokers
  • Pension funds
  • Mortgage companies
  • Digital currency markets
  • Accounting firms
The digital era

Not only has the digital world introduced new financial institutions, it has also changed the way existing financial institutions work. The hardware and software used in the financial world is generally referred to as fintech. Needless to say, fintech has a special interest from the malware community at large. In fact, as we’ve already mentioned on Labs, 25 percent of all malware target financial institutions.

Banks were more or less forced to develop new standards and new technologies to keep up with modern demands. It is no longer acceptable having to wait for days for a money transfer to come through when we can purchase goods online and receive them at home a day later.

An important role has been taken up by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to establish quick and secure money transfers. SWIFT does not only aim to enable speedy identification, but also to eliminate errors and omissions in payment data, such as missing or incorrect beneficiary information or incomplete regulatory information.

In addition, there are banks that only exist online and use no brick-and-mortar branches at all. These banks use websites and apps only to provide their customers with the means to make transactions. This makes them and their customers possible targets for fake malicious websites or malware that takes advantage of vulnerabilities in apps. But the same is true nowadays for most older, established banks. They have all set up a digital infrastructure to keep up with the competition—and all of that infrastructure is open to attack.

Old school malware

Some of the oldest malware around the block was created to target financial institutions. However, calling it old school does not mean this malware is no longer effective. While many families have been around for years, they are under constant development to keep up with the latest methods of distribution and gathering financial data.

Banking Trojans are one of the first forms of malware that come to mind when considering which threats target our financial institutions. Nothing frightens us more than threat actors who can get ahold of enough personal information to clean out our bank account. Famous banking Trojan families are as follows:

  • Emotet was originally designed as a banking Trojan that attempted to sneak onto computers and steal sensitive, private information. Later versions of this malicious software saw the addition of spamming and malware delivery services—including other banking Trojans and cryptowallet stealers.
  • Ursnif is one of the most popular forms of information-stealing malware targeting Windows PCs, and it has existed in one form or another since at least 2007.
  • Zeus has been around in many forms for a long time as well and has a wide variety of offspring. This is because the code was published in 2011, and many other threat actors have build it out from there.
  • Kronos was first discovered in 2014 and quickly made a name for itself as an adept malware capable of stealing credentials and using web injects for banking websites. It is also believed to be marketed and rebranded as Osiris.

But PCs are not the only target modern threat actors are after. Odinaff is the name generally in use for a malware strain that performs targeted attacks on SWIFT software to inject fraudulent money transactions. In February 2016, attackers were successful in stealing $81 million from Bangladesh Bank using custom malware that allowed them to hack into the bank’s SWIFT software, transfer money into their accounts, and hide their tracks.

Also, with the introduction of banking apps, we saw the simultaneous introduction of Android banking malware. For example, take Gustuff, a Trojan equipped with web fakes designed to target Android app users of many top international banks. This mobile malware is also after crypto services, fintech companies’ Android programs, marketplace apps, online stores, payment systems, and messengers.


It’s not just consumers who are wary of being robbed by malware authors. So are many traders in digital currencies—and for good reason. Many of them have been robbed. Other trading platforms have been accused of exit scams, where the transactions are frozen in the platforms’ intermediate account under false pretenses, and eventually all the funds are funneled into the account of the perpetrator(s).

Cryptocurrencies have also introduced new types of crime. Blockchain technology allows for threat actors to perform a Sybil attack, which is like overwhelming the system by majority vote so you can influence any decision to be taken by the blockchain. Some networks make this easier than others because they are small or because they only use selected nodes as public peers. Electrum, for example, was confronted with malicious versions of their wallets that DDoS’ed legitimate nodes so that older clients were forced to connect to malicious ones.

Exploit kits

Banking malware and exploit kits have a long-standing relationship. Traditionally, exploit kits like RIG have been involved in the distribution of banking Trojans and other information stealers. EKs make their way onto machines via malvertising, malspam, drive-by-downloads, or as part of a Trojan-turned downloader such as Emotet, helping to spread malware laterally throughout networks.

Banks are not only a target for malware dropped by exploit kits because they are the shortest route to the money, but disrupting the financial sector of a country or region could be a useful card to play in a game of cyberwar.

APTs against banks

It is rare that an APT attack against a bank is discovered, but Carbanak is probably the most famous—and successful—one. However, even Carbanak was not particularly advanced, as no zero-days were used, although it was rather persistent.

The threat actors behind Carbanak managed to steal over $1 billion from a single bank. They did this by infecting the bank’s systems with spyware using spear phishing techniques. Analyzing the data sent to them by the spyware consisting of screenshots and keylogger logs, they learned enough to overtake the bank’s systems in such a way that they were able to create fake rich accounts, manipulate SWIFT transactions, and manipulate ATM payouts. An attack could last a few months and involved the use of many money mules.


The type of phishing we see most is an email supposedly from a bank, asking us to log in to perform some an urgent action—reset passwords and verify account information are comment requests. Only the links provided in the email go to a malicious copy of the bank’s website that was set up by the threat actor. If the victim logs in there, the threat actor can use the provided credentials to perform unauthorized withdrawals to an account under their control.

Users should also be aware of the dangers of phishing attempts on mobile devices, and of spoofed banking apps. In fact, even legitimate banking apps are quite vulnerable to attack.


As we have seen, financial institutions are targeted in many ways. What consumers can do to protect themselves and their financial accounts is both obvious and difficult to adhere to:

  • Don’t fall for the temptation to become a money mule.
  • Think before you click a link in an email. Better yet, bookmark the website for your bank and only use that site to log in.
  • Use a clean and protected device to make any financial transactions.
  • Use a safe and protected browser or banking app to check your accounts, deposit, or transfer money.
  • Be careful when you choose your cryptocurrency trading platform.

Financial institutions can follow a few ground rules to avoid attacks on their infrastructure:

  • Implement an anti-phishing plan.
  • Use specialized cybersecurity techniques to detect and thwart attacks, including a comprehensive cybersecurity solution, a well-trained IT staff, and an extensive cybersecurity policy/plan.
  • Limit permissions over the network to the minimum that is necessary to function.
  • Have an emergency plan in place for data breaches. Financial institutions traditionally store a lot of personal and sensitive information about their customers. Needless to say, these should be stored and handled with care (encrypted end-to-end).
  • Use trusted third-party or in-house developers to create secure banking apps and websites.
Money makes the world go round

As much as the landscape for financial institutions has changed, their importance to our functioning infrastructure remains intact. Where once bank robbers and con artists could rip off individuals and institutions, now cybercriminals, too, target our banks and other financial systems. It is key that our financial institutions protect our dollars and our data so that we can keep investing our money and our trust in them.

Stay safe, everyone!

The post Vital infrastructure: Threats target financial institutions, fintech, and cryptocurrencies appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How 5G could impact cybersecurity strategy

Malwarebytes - Thu, 05/09/2019 - 16:00

With the recent news that South Korea has rolled out the world’s first 5G network, it’s clear that we’re on the precipice of the wireless technology’s widespread launch.

Offering speeds anywhere from 20 to 100 times faster than 4G long-term evolution (LTE), the next generation of wireless networks will also support higher capacities of wireless devices. That’s a huge deal considering the rise of IoT and similar technologies, all of which require a high-speed, active connection.

But along with the network upgrade—which will surely bring with it a boost in users relying on wireless frequencies—there are security concerns, some new.

Lucky for South Korea, this is something the local telecom companies are not so concerned with. Park Jin-Hyo, head of SK Telecom’s Information and Communication Tech Research Center says, “I don’t think we have a security issue in South Korea.”

However, the reality is that 5G introduces a variety of new cybersecurity concerns, particularly when it comes to intensified attacks.

As more and more devices are powered on and synced up, each one becomes a potential security vulnerability for the wider network. More specifically, many organizations will have to change or restructure their cybersecurity strategies to deal with the new platform.

Here are four ways that the rise of 5G can and will impact a company’s cybersecurity.

1. New risks will surface

In 2016, an incredibly dangerous denial-of-service (DDoS) attack took down most of the Internet on the US east coast. Initially, authorities believed that a certain hostile nation-state was responsible, targeting the country with nefarious ideations. As it turns out, the Mirai botnet was actually to blame, and it involved thousands of insecure IoT devices, including security cameras and similar tech.

More alarming is the fact that its creator originally only developed the system to take down rival Minecraft servers as a means to make some extra cash. The original intention was never to unload on the Internet as a whole, which shows that not all cybersecurity problems stem from mastermind criminals.

What does any of this have to do with 5G? Anything and everything. As soon as 5G networks are rolled out to the greater public, devices will be powered on and connected from a variety of mediums.

Everything from smart home security cameras to smart refrigerators to industrial-grade smart sensors can and will tap into the higher-performance networks. That presents a whole slew of new devices, tools, and systems that hackers can use to their advantage. From there, it’s not a stretch to predict another botnet will rise, one that targets vulnerable and insecure devices, which would mean we’ll see another series of attacks like the Mirai event.

2. More devices will necessitate smarter security solutions

As more devices are introduced, the security landscape becomes broader than ever before. Where once cybersecurity was concerned with internal computers and machines and a handful of authorized mobile devices, it is now expanded to include every possibility.

Install smart coffee makers in the company office? There needs to be a new set of security solutions administered to protect any incoming and outgoing connections related to that device. Install new machine sensors and remote-operation tools for industrial equipment? The same is true.

Security solutions will need to become just as broad to account for all the new network channels and devices, as a means to protect an entire operation. Not only will this facilitate new security requirements—like outsourcing to a more capable provider—but it will also have sweeping implications on the privacy and security of organizations as a whole.

Take that smart coffee maker, for instance. One might not think it’s transmitting or sharing sensitive data—it’s a simple coffee maker. But that doesn’t matter. Hackers could reverse engineer the device to serve more nefarious purposes. For example, they could tap into a microphone which should be used for voice commands and use it to spy on sensitive communications or events.

3. Increased bandwidth will raise capability concerns

Many security solutions involve monitoring traffic in real time to identify potential threats based on activity and sniffed data. Someone in-house visiting a flagged URL, for example, might reveal an inside man, so to speak. They might also discover that a device or machine has been infected, which warrants further investigation.

In any case, these systems are largely able to keep up because of bandwidth limitations. The Internet bandwidth or capacity of a network can only handle so much traffic at once. This is bad in terms of user performance but good in terms of managing security and traffic. With 5G, which offers incredibly higher speeds and capacity, all of that goes out the window.

Security solutions must be upgraded to deal with these new capabilities, particularly when it comes to monitoring, encryption, and prevention—the latter being handled by firewalls. A majority of legacy solutions may no longer work because of the increased capacity, speeds, and overall latency boost that 5G offers.

The frightening element is that because we have no 5G networks around today to test, no one truly knows what the network upgrade is going to require of security professionals. To achieve the higher capabilities, hardware will need to be upgraded to become more powerful, and the solutions themselves may need to be redeveloped to deal with the state of networks. What that looks like exactly, we won’t know until 5G is here.

4. Integration and automation will be a must

We’ve been on the verge of widespread security automation for some time. The current landscape has helped push the need for it, as organizations must be ready to deal with security threats at all hours of the day and night.

But integration has been optional, at least until recently. Integration simply means that the security architecture and system in use is connected across the entire operation. Data must correlate and sync even between security layers, and that’s true whether those divides are physical or digital in nature.

For example, someone trying to force their way inside a physical security facility should be flagged, and any further data that is related to their actions should be monitored digitally. That same person might try to find another way inside company infrastructure, including using various digital or physical systems and vulnerabilities. But integration extends beyond this quick example. Security data and the overall architecture must be evolved to handle the same kinds of threats that are developing in the real world.

A digital-centric hacker might move to physical means and vice versa, at any time. They might use a combination of strategies and attacks to gain unauthorized access—as they’re already showing with Emotet’s polymorphic, multiple module attacks or CrySIS ransomware’s versatile attack vectors. They will constantly be looking for ways in, which requires using automation to keep things running during the off-hours, too.

5G is coming

Advanced 5G and wireless networks are coming, and they will bring a huge selection of benefits, including higher traffic capacities, lower latency, and increased reliability. Naturally, that means more people and more organizations will rely on the new system for their devices.

Unfortunately, it also introduces a slew of cybersecurity concerns and problems, particularly as it relates to current security solutions.

Organizations will need to be prepared and should already have plans in place to upgrade and augment their existing security solutions. Failing to do so could have serious implications, not just for the organization itself but for the world at large. Sensitive data pertaining to the company and its customers could be stolen, and vulnerable devices could be used for nefarious deeds—just like we saw with Mirai botnet.

As we inch ever closer to the launch of next-gen wireless, we must continue to ask ourselves if we are truly prepared.

The post How 5G could impact cybersecurity strategy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Vulnerabilities in financial mobile apps put consumers and businesses at risk

Malwarebytes - Wed, 05/08/2019 - 16:30

Security hubris. It’s the phrase we use to refer to our feeling of confidence grounded on assumptions we all have (but may not be aware of or care to admit) about cybersecurity—and, at times, privacy.

It rears its ugly head when (1) we share the common notion that programmers know how to code securely; (2) we cherry-pick perceived-as-easier security and privacy practices over difficult and cumbersome ones, thinking that will be enough to keep our data secure; and (3) we find ourselves signing up to services owned by big-named institutions, believing that—given their strong branding, influence, and seemingly infinite resources—they are securing the privacy of their users’ data by default.

Point three, in particular, applies to how we perceive official mobile apps of financial institutions: We believe they are inherently secure. In a study called “In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps” [PDF], application security company Arxan Technologies looked to see if this perception is founded. Alas, what they found proved that it is not.

Understanding mobile app vulnerabilities

The overall lack of security in financial mobile apps stems from poor or weak app developing practices. According to the study, Arxan found 11 types of vulnerabilities because of this. They are:

  • Lack of binary protections. Binary protection is the same as binary hardening or application hardening. It’s the process of making a finished app difficult to tamper with or reverse engineer. Source code obfuscation is a way to harden an app’s security, for example. Unfortunately, the study found that all the financial institution apps they tested had no application security, making it easy for threat actors to decompile the app, find its weaknesses, and create an attack.
  • Insecure data storage. Financial mobile apps aren’t particularly good at storing users’ data. They usually store sensitive data in the mobile device’s local or external storage, outside of the sandbox environment, allowing other users to access and exploit it.
  • Unintended data leakage. The majority of financial apps share services with other apps on the mobile device, therefore leaving user data accessible to other apps on the device.
  • Client-side injection. This high-risk vulnerability, when exploited, allows malicious code to execute on the mobile device via the app itself. This could also allow threat actors to access various functions of the mobile device, adjust trust settings for apps, or, if the owner has put a sandbox in place for added protection, break out of it.
  • Weak encryption. An overwhelming number of financial institutions are either using the MD5 encryption algorithm or have implemented a strong cipher incorrectly. This allows for the easy decryption of sensitive data, which threat actors can steal or manipulate.
  • Implicit trust of all certificates. Financial apps do not implement checks when presented with web certificates. This makes the app susceptible to man-in-the-middle (MiTM) attacks, especially when fake certificates are involved. Attackers can intercept an exchange between the app and the financial institution, for example, by changing the bank account number from the original owner’s to the criminal’s in the middle of a money transfer transaction without anyone noticing.
  • Execution of activities using root. A considerable number of the mobile apps tested could conduct tasks on devices with elevated privileges. Much like an admin to a computer, who has free rein over what he can perform on the machine, criminals are also given similar privileges for the app if compromised. Elevated privileges can grant anyone access to normally-restricted data and the ability to manipulate settings, which are otherwise restricted to normal users.
  • World readable/writable files and directories. A fractional number of financial apps allowed for the reading and writing of their files, even when stored in a private data directory. Not only would this cause a level of data leakage, but compromised apps could allow criminals to manipulate said files to change the way the app behaves.
  • Private key exposure. Some apps have hard-coded API keys and private certificates either in their code or in one or more of their component files. Since these can be retrieved easily due to the app’s lack of binary protection, attackers could steal and use them to crack encrypted sessions and sensitive data, such as login credentials.
  • Exposure of database parameters and SQL queries. As financial apps show readable code when decompiled, attackers with a trained eye could readily know important code bits like sensitive database parameters, SQL queries, and configurations. This allows the attacker to perform SQL injection and database manipulation.
  • Insecure random number generator. Apps use a random number generation system for encryption or as part of their function. The better the system, the higher its unpredictability, the stronger the encryption. Most financial apps, however, reply on sub-par generators that makes guessing an easy challenge for attackers.
Small organizations are big on security

When it comes to creating secure financial mobile apps, medium- to large-sized companies could learn a thing or two from smaller organizations. According to the report, “Surprisingly, the smaller companies had the most secure development hygiene, while the larger companies produced the most vulnerable apps.”

Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes and principal contributor to our Mobile Menace Monday series, felt positive about this finding. “I love that smaller companies that care about their customers did better,” Collier said. “I checked my own credit union’s app, and they seem to be up-to-snuff with most of the things in the report.”

There’s room for improvement

In a recent report from Forbes, researchers found that 25 percent of all malware are targeting financial institutions. Other attacks related to financial services, such as fraud, are also on the uptick.

Given this trend, financial institutions must not only act to protect themselves from direct attacks, but also investigate how they develop the products they offer to clients. Whether apps are made in-house or via third-party, leaving security out of software development and letting programmers continue to write insecure code will cause more harm than good in the end.

Developers do care about security, and vulnerable software is the bane of every business organization. So why not make this an opportunity to innovate and adapt new practices based on the current threat landscape? After all, there’s always room for improvement.

The post Vulnerabilities in financial mobile apps put consumers and businesses at risk appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The top six takeaways for user privacy

Malwarebytes - Wed, 05/08/2019 - 15:00

Last week, Malwarebytes Labs began closing out our data privacy and cybersecurity law blog series, a two-month long exploration spanning five continents, 50 states, just as many data breach notification laws, three non-universal definitions of personal information and personal data, five pending US data protection laws, and one hypothetical startup’s efforts to just make sense of it all.

We published six high-level takeaways from that series, focusing on what companies can and should do for data privacy compliance in the US and around the world.

Today, we bring the focus back to users. Amidst never-ending data breaches and constantly-surprising company fiascos, here are six takeaways for anyone in the US who cares about protecting their online privacy, whether in a court of law or in a web browser.

1. You are not alone

From January 14 through February 15, 2019, Malwarebytes surveyed nearly 4,000 individuals across 66 countries, asking them about their approaches to online privacy and cybersecurity. Do they care about online privacy? Do they do anything to protect their information online? Where do they admittedly fail?

The results were clear: Almost everyone, no matter their age or postal code, cares about online privacy.

A full 96 percent of respondents said they care about protecting their personal information, while 97 percent said they take steps in protecting their online data. Those steps include refraining from posting any sensitive personal data online, using cybersecurity software on their machines, running software updates regularly, and verifying the security of websites before making any purchases.

2. In the US, you have few legal options to assert your data privacy rights in court

Historically, the United States has approached data privacy legislation on a case-by-base basis, writing and passing laws that protect specific types of data collected by industry-specific companies.

There’s a law that protects health care data handled by health care providers (HIPPA). There’s a law protecting children’s data that applies to companies that knowingly market their products toward children (COPPA). There’s a law for video rental history, another for credit information, and another for banks, insurance companies, and certain financial institutions that collect personal information.

However, the sheer volume of these sector-specific data privacy laws never coalesces into comprehensive, legal data protection for Americans. Instead, the laws interlink to form more of a net—holes included.

As we wrote before:

“If a company gives intimate menstrual tracking info to Facebook? Tough luck. If a flashlight app gathers users’ phone contacts? Too bad. If a vast network of online advertising companies and data brokers build a corporate surveillance regime that profiles, monitors, and follows users across websites, devices, and apps, delivering ads that never disappear? Welcome to the real world.”

When a certain type of data isn’t regulated by a certain law, consumers are left with little legal recourse, said Lee Tien, senior staff attorney for Electronic Frontier Foundation.

“In general, unless there is specific, sectoral legislation, you don’t have much of a right to do anything with respect to [data privacy],” Tien said.


There is one caveat though…

3. Companies cannot legally lie about how they handle your data

In the US, companies are bound by laws that prohibit “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising. Those laws also cover data protection practices.

So, if a company says it will not sell your data, but it does, that company has broken the law, and it can be hit with a lawsuit. This same principle applies when a German automaker lies to the public about its “clean diesel” engines, or when the world’s largest social media company allegedly violates a privacy decree it made many years prior.

While these types of lawsuits can be filed by individuals, their success is limited. If, say, an individual wants to sue a company because of a data breach, that individual must first show that they personally suffered harm. Because of the myriad variables involved in any data breach—the actual criminals who stole the data, the direct relation from a data breach to potential economic injury—such harm is exceedingly difficult to prove.

In 2017, an Uber driver failed to meet just this requirement when he sued the company for a data breach that affected up to 50,000 drivers.

The judge at his hearing told him:

“It’s not there. It’s just not what you think it is…It really isn’t enough to allege a case.”

Fortunately, there is yet another caveat. State Attorneys General, county District Attorneys, and city attorneys can sue a company for its deceitful business practices without having to show personal harm. 

Those lawsuits have worked.

4. Take data privacy into your own hands with online tech tools

Filing a successful lawsuit—or waiting around for a government attorney to file one for you—is not the only way to protect your online privacy. Today, there are multiple online privacy tools that protect users from invasive online tracking, helping to put a wall between users and persistent online ads.

Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, said that users can protect their online activity by using a number of both privacy-focused web browsers and tracker-blocking browser extensions. Though Privacy Rights Clearinghouse does not endorse any products, Stephens mentioned the web browsers Brave and Firefox Focus—which both automatically block online tracking—and the browser extension Disconnect, which the New York Times chose as its favored anti-tracking tool.  

5. Beware of “data leakage”

Stephens had more advice for users that want to protect their online information: Do not trust any app to leave your private data alone.

“We have this naïve conception that the information we’re giving an app, that what we’re doing with that app, is staying with that app,” Stephen said. “That’s really not true in most situations.”

Stephens pointed to several examples of mobile apps that have, for no discernible reason, vacuumed up user data, like the flashlight app that collected mobile contacts. To avoid this problem, Stephens suggested users navigate the Internet on their mobile devices with a privacy-focused browser and not through any company-developed app.

“Quite frankly,” Stephens said, “I would not trust any app to not leak my data.”

6. You might gain more legal data protections in the next two years

Data privacy is, finally, a hot topic for US Congress members.

Last year, after the Guardian revealed how a political consultancy harvested the Facebook profiles of millions of unwitting users in a covert operation to sway the 2016 US presidential election, Congress responded. They called in Facebook CEO Mark Zuckerberg to testify. They peppered him with questions. They told him to his face that they would regulate his lurching social media behemoth.

Since then, they’ve held pursuit.

They invited Google, Alphabet, Twitter, and Facebook executives to explain what their companies were doing to curb Russian disinformation campaigns, and they balked at Google’s self-branded “error” in failing to disclose the microphones installed in its Nest home security products.

This new Congressional temperament has resulted in multiple legislative efforts to protect Americans’ data. Four US Senators and one digital rights nonprofit have all proposed individual federal bills that would regulate how companies collect, store, share, or sell user data. Even the private search engine DuckDuckGo threw its idea into the ring early this month.

Though the bills lack a clear frontrunner, data privacy itself could remain an important topic in the 2020 presidential election. Three Democratic candidates—Senators Amy Klobuchar of Minnesota, Cory Booker of New Jersey, and Michael Bennet of Colorado—have authored or co-sponsored data privacy legislation in the past year.

The post The top six takeaways for user privacy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What to do when you discover a data breach?

Malwarebytes - Tue, 05/07/2019 - 15:00

Your cell phone goes off in the middle of your well-deserved sleep and you try to find it before your partner wakes up as well.

“What could be wrong? Why would they page me in the middle of the night?”

More asleep than awake, you stumble down the stairs and call the number on the screen, which you already recognize as the one in use by the chief of the night shift. When you ask why you were called, he tells you it’s because you are part of the data breach incident response team.

Couldn’t it wait until morning?

The chief doesn’t know, that’s above his pay grade. You are the one who gets to decide whether it’s urgent enough to wake up the entire response team, so you’d better hurry over there.

On scene, one of the IT staff shows you two files on a server that shouldn’t be there. They are called and mimikatz. The hairs on the back of your neck stand up in reflex. Without further investigation, you have to assume that a database was zipped and transferred to an unauthorized machine and that someone got their hands on some passwords, or at least tried to retrieve them.

Your company has been breached.

You’ve been breached: now what?

The first point of attention is to figure out which type of information was stolen. So, you try to open the zip in an attempt to get a better idea about the content. Alas, the file is password protected, so you give up none the wiser.

The next item on your to-do list is to find out how the threat actors got in and how to keep them out. Since that is not your field of expertise, you ping the next person on your list.

You decide that it is of no use to assemble the rest of the team until you know more. Even though you have customers in every imaginable time zone, the rest of the research will have to wait until you can get ahold of the firm you contracted for forensic investigations.

While waiting for the night to pass, you prepare a press statement and, together with the system administrator, you prepare a preliminary report for the proper law enforcement authorities.

Be prepared

Data breaches do happen, as has been demonstrated over and over. We wish we could give you a fool-proof method to prevent them, but since such a thing doesn’t exist, the next best steps to take are:

  • To limit the possibilities of breaches happening again
  • To protect any sensitive data that could be stolen
  • To limit the usefulness of the stored data for a thief (e.g. by encrypting the data)
  • To be prepared for another eventual data breach

Our main character was fairly prepared, better than most organizations are in reality, I’m afraid. Having a detailed response plan enables security teams to reduce stress and makes sure that they don’t skip any steps. Without a script to follow, important steps could be forgotten or urgent tasks could be delayed while less compelling work is completed.

The steps outlined in our story are not necessarily right for every use case or organization, but they demonstrate that it helps if everyone knows who to contact, how to get in touch, and how to proceed in the face of an obstacle. A big part of setting up such a plan is to make sure that you follow obligations dictated by law and customer agreements.

Dealing with data breaches

How an organization manages a data breach is of the utmost importance. Going about it in the wrong way can break a company, while being open, transparent, and honest about it with the public can ultimately even improve customer trust.

It is imperative to figure out how the breach happened—not only to prevent it from happening again, but also to inform the public. Not knowing what happened means that it can happen again at any given time, since you will not have discovered which precautions were rendered useless, and which actually stopped the attack from doing further damage.


Our main character did some preliminary investigation but ultimately had to give up and wait for other professionals. It is advisable to hire an outside consultancy to help you with investigations if your internal team does not have the skills. They offer a professional viewpoint that is not too close to the target.

Inside eyes are sometimes troubled by near-vision or may be reluctant to point out the true cause. Hiring an outside consultancy also improves the public’s view of your organization, as they see you have gone through the trouble and cost of trying to keep their data safe.

Informing the public

Before you inform the public, it makes sense to get the full picture about what, exactly, was stolen. You don’t want to cause a panic over a couple emails discussing Friday night plans.

But don’t wait too long, or that could backfire. Sometimes it’s better to give out a quick statement and let the public know that you are investigating the matter further. If they somehow find out before you have issued a statement, that will make your organization look like it has something to hide.

What customers want to know:

  • Which data were stolen? And was I affected?
  • Can the stolen data easy lead back to a person? Is it personal information?
  • What do I need to do if I was affected? Is it a matter of simply changing a password or do I need to worry about identity theft?

What the press wants to know:

The press will have some extra questions, which usually boil down to:

  • How did it happen?
  • What are you going to do to prevent it from happening again?

Be open about all of the above, unless you haven’t been able to close the hole in your defenses. It may help other organizations and it will highlight your transparency. It might also help law enforcement with their investigation. Even when the damage is already done, you will still want the threat actors to be brought to justice, if possible.

General advice on data breaches

Of course, we hope you’ll never need these tips but many have wished they would have thought of them beforehand:

  • Be prepared. Make sure everyone knows who to inform and those involved know how to act. An emergency plan will never be a perfect fit, but it should at least outline the order and importance of actions.
  • Don’t run the risk of legal implications to add to your burden. Know what your obligations are and fulfill them.
  • Be open and transparent about what happened and what was stolen.
  • Hire outside specialists to assist in your investigations.
  • Learn from the incident to prevent a retake.

Stay safe, everyone!

The post What to do when you discover a data breach? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 29 – May 5)

Malwarebytes - Mon, 05/06/2019 - 15:21

Last week on Labs we discussed the possible exit scam of dark net market Wall Street Market, how the Electrum DDoS botnet reaches 152,000 infected hosts, we looked at the sophisticated threats plague ailing healthcare industry, a mysterious database that exposed personal information of 80 million US households, how Mozilla urges Apple to make privacy a team sport, the state of cryptojacking in the post-Coinhive era, and we digested the top six takeaways for corporate data privacy compliance.

Other cybersecurity news
  • The news that Europol shut down two prolific dark web marketplaces in simultaneous global operations, one of which was Wall Street Market, shed a new light on the possible exit scam. The other marketplace was Silkkitie aka the Valhalla Marketplace. (Source: Europol)
  • Scammers are now sending sextortion emails stating that they have a tape of you and them having intercourse and are threatening to release it if you do not send them a $1,500 in bitcoins. (Source: Bleeping Computer)
  • Mozilla has released an update today for Firefox that fixes the issue with an expired signing certificate that disabled add-ons for the vast majority of its userbase over the weekend. (Source: ZDNet)
  • A Pennsylvania credit union is suing financial industry technology giant Fiserv, alleging that security vulnerabilities in the company’s software are wreaking havoc on its customers. (Source: Krebs on Security)
  • A researcher has discovered vulnerabilities in more than 100 plugins designed for the Jenkins open source software development automation server and many of them have yet to be patched. (Source: SecurityWeek)
  • Facebook has been hit with three new separate investigations from various governmental authorities—both in the United States and abroad—over the company’s mishandling of its users’ data. (Source: The Hacker News)
  • NIST tool uses updated combinatorial testing to enable more comprehensive tests on high-risk software to reduce potential errors. (Source: NIST)
  • A hacker exploited the fact that some botnet operators had used weak or default credentials to secure the backend panels of their command and control (C&C) servers and was able to take over the IoT DDoS botnets of 29 other hackers. (Source: ZDNet)
  • Programmers say they’ve been hit by ransomware that seemingly wipes their Git repositories’ commits and replaces them with a ransom note demanding Bitcoin. (Source: The Register)
  • Mirrorthief group uses Magecart skimming attack to hit hundreds of campus online stores in US and Canada. (Source: Trendlabs)

Stay safe everyone!

The post A week in security (April 29 – May 5) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The top six takeaways for corporate data privacy compliance

Malwarebytes - Fri, 05/03/2019 - 15:00

For nearly two months, Malwarebytes Labs has led readers on a journey through data privacy laws around the world, exploring the nuances between “personal information” and “personal data,” as well as between data breach notification laws in Florida, Utah, California, and Iowa.

We explored the risks of jumping into the global data privacy game, comparing the European Union’s laws with the laws in China, South Korea, and Japan. And we also examined current legislative proposals in the United States to better protect Americans’ data.

But all that information was delivered across five separate blogs of more than 10,000 collective words. Look, we get it—it’s a lot to read through. So, we’re offering some help.

Before fully closing out our data privacy and cybersecurity law series, we are providing the top six takeaways for corporate data privacy compliance. From emerging startups to burgeoning enterprises, these rules should help businesses not just with legal liability, but also to better understand—and gain—user trust.

Here we go.

1. Write and post a privacy policy

In 2004, California changed the online privacy landscape for companies everywhere. The Golden State—which would soon become a pioneer in data privacy law—passed the California Online Privacy Protection Act.

The law is simple. Any company, organization, or entity that runs a website which also collects the personally identifiable information of California residents must also post a privacy policy on their site.

The privacy policy must explain the types of information collected from users, the types of information that may be shared with third parties, the effective date of the privacy policy, and the process—if any—for a user to review and request changes to their collected information.

Because the law applies to any website that collects Californians’ information, it applies far beyond the state’s geographic borders. This isn’t just for California-based companies like Apple, Google, Twitter, and LinkedIn. It’s also for Washington-based Microsoft, New York-based Verizon, and Texas-based Dell.

Also, the law requires that every privacy policy be easy to find. Even Big Tech doesn’t challenge this requirement: In 2007, after reporting by the New York Times, Google decided to more prominently display its privacy policy on its website.

2. Do not lie in your privacy policy

This should be obvious, but in case it is not: Do not lie to your users about what you do with their data. You can collect their data, store their data, share their data, even sell their data, so long as you tell them the truth.

Any company that lies about its data protection practices could be hit with a lawsuit from a state Attorney General or, pending some legal hoops to jump through, an individual user. That’s because, in the US, data protection rights can still be asserted under an area of the law that prohibits “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising.

Lee Tien, senior staff attorney at Electronic Frontier Foundation, explained this area of consumer privacy law.

“Most of consumer privacy that’s not already controlled by a statute lives in this space of ‘Oh, you made a promise about privacy, and then you broke it,’” Tien said. “Maybe you said you don’t share information, or you said that when you store information at rest, you store it in air-gapped computers, using encryption. If you say something like that, but it’s not true, you can get into trouble.”

These lawsuits have been successfully filed against companies before. Last year, Uber agreed to pay $148 million to settle a lawsuit alleging the company’s misconduct when covering up a 2016 data breach. The lawsuit was brought by every single state Attorney General in the United States, plus the Attorney General for Washington, DC.

3. If you want to expand beyond the US market, consult a data privacy lawyer first

Data privacy and cybersecurity laws abroad are not like the laws in the US.

For example, the European Union recently bestowed upon its citizens the new rights to access, control, transport, and delete information that companies collect on them. China’s cybersecurity law grants its government the right to inspect and even copy the source code of incoming software products. South Korea’s cybersecurity laws include fierce penalties and even possible jail time. Singapore, often viewed as a friendly country for US expansion, has its own cybersecurity law that protects “essential” services, a definition that does not exist here in the US.

Expanding into a new country is, most of all, a question of risk: Can you afford—quite literally—the cost of compliance? 

4. Personal information is not the same as personal data

The terms “personal information,” “personal data,” and “personally identifiable information” get thrown around a lot, sometimes even interchangeably, but these terms have specific legal definitions that do not carry over so easily from one to another. The definitions for the terms do vary, however, depending on which law in which state or country you consult.

The important thing to remember is that these terms describe types of information that companies are legally required to protect. Protecting one law’s definition of “personal information” is not the same as protecting another law’s definition of “personal data,” and mixing the two up could lead to compliance mishaps.

The best advice is to, once again, consult a data privacy lawyer. Getting lost in an array of country-specific, legal rabbit holes does not help anyone.

Michelle Donovan, intellectual property and cyber law partner at Duane Morris LLP put it clearly:

“What it comes down to, is, it doesn’t matter what the rules are in China if you’re not doing business in China. Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.”

5. Get ready for comprehensive data privacy legislation in the US

In the past year, at least four US Senators have proposed comprehensive, federal data privacy legislation. Each bill seeks to improve Americans’ online privacy.

Sen. Ron Wyden’s bill, for example, proposes that dishonest tech executives face potential jail time. Sen. Amy Klobuchar’s bill, on the other hand, focuses on making corporate privacy policies clear and understandable. Sen. Marco Rubio’s bill would ask the country’s trade enforcement agency, the Federal Trade Commission (FCC), to propose its own rules on data privacy, which Congress would later vote on. And Sen. Brian Schatz’s bill would place a new “duty to care” requirement on companies handling user data.

None of the above-mentioned bills have received a vote in Congress, but this area could move fast, and many assume that data privacy will become a lynchpin issue in the 2020 presidential election.

6. Respect and protect your users’ data

Your users have few legal options in asserting their data privacy rights. Despite this, your company should take it upon itself to treat user privacy with respect.

You will not be alone in this proactive decision. Apple, Mozilla, Signal, WhatsApp, CREDO Mobile, ProtonMail, Helix DNA, and several other companies already understand that meaningful user privacy can serve as a competitive advantage.

As Malwarebytes Labs showed this year, people care immensely about online privacy. Listening to your users should not be a matter of legal compliance, but a matter of respect.

Join us next week for another set of data privacy takeaways, this time for consumers in the US.

The post The top six takeaways for corporate data privacy compliance appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cryptojacking in the post-Coinhive era

Malwarebytes - Thu, 05/02/2019 - 15:00

September 2017 is widely recognized as the month in which the phenomenon that became cryptojacking began. The idea that website owners could monetize their traffic by having visitors mine for cryptocurrencies in their browser was not new, but this time around it became mainstream, thanks to an entity known as Coinhive.

The mining service became a household name overnight, and quickly drew ire for its original API, whose implementation failed to take into account user approval and CPU consumption. As a result, threat actors were quick to abuse it by turning compromised sites and routers into a large illegal mining business.

The ride was wild but, as we came to see, short-lived, as Coinhive shut its doors in March 2019 following months of steady decline and loss of interest in browser-based mining.

As such, this blog will strictly focus on web-based miners, which were impacted the most by Coinhive’s closure. It will not cover malware (binary-based) coin miners that are still infecting PCs, Macs, and servers.

Coinhive relics left behind

Interestingly, we still detect thousands of blocks for Coinhive-related domain requests, even though the service announced it was shutting down on March 8. Over the past week, our telemetry recorded an average of 50,000 blocks per day.

A spike in traffic just days after the service shut down, followed by decline and plateau

Digging deeper, we see that a large number of websites and routers have never been cleaned, and the bits of JavaScript requesting the Coinhive library are still there. Evidently, with the service down, the necessary WebSocket that sends and receives data between client and server will fail to connect to the server, resulting in zero mining activity or gain.

Hacked site makes web request for Coinhive but fails to connect to the backend Is cryptojacking still a thing?

To answer that question, we go back to the early adopters of browser-based mining: torrent sites. In the screenshot below, we can see something familiar enough—CPU usage maxed out at 100 percent while visiting a proxy for The Pirate Bay.

Torrent portals are still running cryptojacking code

This is exactly what started the cryptojacking trend back in 2017, when users weren’t told about this code running on their machine, let alone that it was hijacking their processor for maximum usage.

In this instance, the mining API was provided by CryptoLoot, which was one of Coinhive’s competitors at the time. While we are nowhere near the same levels of activity as we saw during fall 2017 and early 2018, according to our telemetry, we detect and block over 1 million requests to CryptoLoot each day.

There are a few other services out there, and it’s worth mentioning CoinIMP, which we’ve seen used more sensibly on file-sharing sites.

Router-based mining still going

While the number of compromised sites loading web miners was going down in 2018, a fresh opportunity presented itself, thanks to serious vulnerabilities affecting MikroTik routers worldwide.

By injecting mining code from a router and serving it to any connected devices behind it, criminals could finally scale the process so it was not limited to visiting a particular website, therefore generating decent revenues.

The number of hacked routers running a miner has greatly decreased. However, today we can still find several hundred that are harboring the old (inactive) Coinhive code, and have also been injected with a newer miner (WebMinePool).

Campaigns gone missing

Perhaps the biggest change in cryptojacking-related activity is the lack of new attacks and campaigns in the wild targeting vulnerable websites. For example, in spring 2018, we saw waves of attacks against Drupal sites where web miners were one of the primary payloads.

These days, hacked sites are leveraged in various traffic monetization schemes that include browlocks, fake updates, and malvertising. If the Content Management System (CMS) is Magento or another e-commerce platform, the primary payload is going to be a web skimmer.

We might compare cryptojacking to a gold rush that didn’t last too long, as criminals sought more rewarding opportunities. However, we wouldn’t rush to call it fully extinct.

We can certainly expect web miners to stick around, especially for sites that generate a lot of traffic. Indeed, miners can provide an additional revenue stream that is, as concluded in this Virus Bulletin paper,”depend[ent] on various factors, including, of course, the value of cryptocurrencies, which historically has been volatile.”

The next time cryptocurrencies see an upturn in the market, expect threat actors to do what they do best: exploit the situation for their own profit.

The post Cryptojacking in the post-Coinhive era appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mozilla urges Apple to make privacy a team sport

Malwarebytes - Wed, 05/01/2019 - 17:39

We often say cybersecurity is a team sport, but, pending a public advocacy campaign from one major tech developer to another, the same might be true for online privacy.

Mozilla is currently getting people around the world to lend their voices toward Apple, asking that the company place some extra barriers between iPhone users and online advertisers. Though cybersecurity researchers disagree about the technology behind the request, the campaign has proved popular. In little over a week, more than 11,000 individuals put their names to the cause.

Public advocacy campaigns, common amongst digital rights groups, are a tried-and-true practice for Mozilla, which racked up a couple wins in the past year-and-a-half. And, while such campaigns often target privacy abusers, Mozilla’s petition to Apple is different—it puts the pressure on another privacy champion.

So, why spend the time to push Apple to raise the bar? Because, according to Mozilla, it could work, which could then lead to an outsized benefit for users everywhere.  

“Apple’s track record of protecting user privacy was actually a motivation, and not a deterrent, for launching this campaign,” said a spokesperson from Mozilla’s advocacy team. “It’s an issue they clearly care about, so we’re encouraging them to do better.”

Apple has not yet responded to the petition, and it did not respond to a request for comment, but if Mozilla succeeds, it will have made an important point: When the technology industry pushes itself to better respect user privacy, we all win.

The petition and the tech

In mid-April, Firefox developer Mozilla launched a public petition at Apple. The browser-making nonprofit asked Internet users around the world to push the world’s richest company into making one small change to its iPhones—regularly rotate an internal ID that lets advertisers track users’ online behavior.

“There is a unique ID living on your iPhone right now that allows advertisers to track the ads you click on, the videos you play, and the apps you install,” Mozilla wrote about the iPhone ID code, which is called an “ID for Advertisers,” or IDFA. Though the ID cannot reveal an iPhone user’s identity—and users can actually turn the identifying feature off—Mozilla argued that it still poses a roadblock to privacy.

“It’s like a salesperson following you from store to store while you shop and recording each thing you look at,” wrote Mozilla Vice President of Advocacy Ashley Boyd in a related blog.  Pushing back against Apple’s recent advertising campaign that bills the iPhone as the near-definition of privacy, Boyd wrote: “Not very private at all.”

Cybersecurity researchers are split on the idea. Some experts—including Thomas Reed, director of Mac and mobile at Malwarebytes—actually called for even tougher privacy controls.

“I think that Apple should disable ad tracking and location-based ads by default, rather than the user having to opt out,” Reed said, referring to users’ ability to turn off the IDFA capabilities. “That would provide way more benefit than what Mozilla proposes.”

Forrester Research senior analyst John Zelonis, in speaking to ThreatPost, shared Reed’s sentiment, explaining that monthly IDFA changes—as Mozilla proposed—would not meaningfully impede on advertisers’ ability to track users online.

“Rolling the IDFA on a monthly basis would only be an effective anonymizer if the app owners weren’t able to track a user across those newly-generated IDFAs using login sessions or other methods of associating a user to an IDFA,” Zelonis told the outlet. “The impact of making this change would likely only increase the value of the data collected by apps that are finding ways to track across IDFA, not necessarily solve the problem at hand.”

However, a separate researcher also told ThreatPost that Apple should not have to change a thing.

“Apple’s current way of handling the IDFA is the correct one,” the researcher said.

Despite the researchers’ disagreements, there’s a separate story here. It’s about privacy champions pushing one another to do better.

Privacy vs. privacy

For years, Mozilla has not only advocated for privacy, it has also developed it into online tools.

In 2017, Mozilla released its privacy-focused Android web browser, Firefox Focus, earning more than one million downloads in the first month. In 2018, Mozilla developed a browser add-on to give users a more private experience when using Facebook, making it harder for the social media giant to collect information away from the platform itself. In the past two months, Mozilla has also released a secure file transfer service and a password manager.

The nonprofit then pivoted, using its earned reputation in privacy to push others to do better.

In 2018, before the release of Amazon’s “Echo Dot Kids Edition”—which includes a version of the smart assistant Alexa that tells children “wake-wakey, eggs and bakey”—Mozilla asked the retail giant to open up about how it would collect children’s data.

Months later, Mozilla launched a public campaign about the payment processing app Venmo, gathering 25,000 signatures to steer the company into making users’ payment transactions private by default.

“It’s a tactic we use often,” said the Mozilla spokesperson. “We’ve learned that when companies hear from consumers, they act.”

As an example, the spokesperson pointed to Mozilla’s success in getting Target and Walmart to stop selling a hackable children’s toy last summer.

Despite Mozilla’s familiarity with this turf, the target is new: Apple has a far better track record than Amazon or Venmo in defending user privacy.

In 2015, Apple began its famous fight against a government request to build a workaround to its secure mobile operating system. The workaround—which many in the technology community called a “backdoor”—would have let the FBI access encrypted data on a suspected terrorist’s iPhone. But the demand pushed too far, said Apple CEO Tim Cook in an open letter published the day after his company received the legal order.

“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation,” Cook wrote. “In the wrong hands, this software—which does not exist today—would have the potential to unlock any iPhone in someone’s physical possession.”

Apple’s stance won the approval of many privacy rights advocates, including the American Civil Liberties Union, Electronic Frontier Foundation, and Center for Democracy and Technology. The move also won the approval of Mozilla, conjuring executive-penned op-eds in both Time and CNN.

It is these two tech developers’ strong privacy records that makes Mozilla’s petition seem more like a friendly reminder than a stern warning. But no matter the tone, if Mozilla gets the iPhone maker to move, the impact could go beyond Apple’s ecosystem.

As Mozilla’s Boyd wrote:

“If Apple makes this change, it won’t just improve the privacy of iPhones—it will send Silicon Valley the message that users want companies to safeguard their privacy by default.”

We agree.

The post Mozilla urges Apple to make privacy a team sport appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mysterious database exposed personal information of 80 million US households

Malwarebytes - Wed, 05/01/2019 - 15:51

Word has broken of yet another massive data trove exposed for anyone to see. A research team from vpnMentor discovered an exposed 24GB database hosted on a Microsoft cloud server containing the addresses, income levels, and marital statuses of users within 80 million US households.

As we’ve seen recently, many organisations aren’t taking steps to secure their customer data and every so often one makes the news. Some may have been exploited while exposed; others will have been lucky.

Occasionally, there’s a quick takedown of the exposed information; sometimes it’s nearly impossible to find out who, exactly, is responsible. At that point, the only option left is to ping someone like Microsoft to take that final step and hope they can do something about it.

What’s the damage report?

Since 80 million US households were sitting in this database, that means considerably more people could have been impacted. Across thousands of entries, the researchers couldn’t find anyone listed under the age of 40.

The exposed data included a mixture of coded information and non-coded information. Non-coded items included street addresses, cities, states, counties, zip codes, latitude and longitude coordinates, ages, dates of birth, and first/last names along with middle initials. The data assigned a coded, numerical value contained information, such as marital status, income, gender, dwelling type, and homeowner status.

Decoding the numbers

In practice, what the coded and non-coded entries mean is you could easily view someone’s name or address, but something like gender or title is instead assigned a numerical value. Some of the information chained to coded values may not be possible to figure out: For example, “Income [1]” or “Income [6]” may be too obscure to put a salary range on it. However, if you see “Steve” and the gender assigned is “[1]” then it’s probable that 1 = male on all their records.

In this way, even where data is assigned a numerical code, you can piece together most of a person’s profile. If the salary for people listed 70 and up is “10”, then 10 might be “retired”, “on a pension plan”, or something similar.

In fact, there’s a lot of code-assigned sections alongside viewable data, so full street address + code for dwelling type + Google maps = a quicker and easier way to assign home-types to people listed then (say) target them with property-specific phish attacks or other social engineering tactics.

What exactly is this database for?

Given the upper end of the ages listed in this database, they could well be more susceptible to these kind of tricks. The database was eventually taken offline by Microsoft, who have apparently notified the owner(s). Meanwhile, researchers have asked the public to try and help identify exactly who this data belongs to.

They suspect it has some sort of financial service connection, such as insurance or mortgaging or perhaps healthcare. The specific age range shown in the data looks at might have suggested a form of dating app for older generations, except it makes no sense for it to focus on households rather than individuals. The geo-locational coordinates may associate this with some form of mobile app connection, as you’d typically expect to see that via portable apps as opposed something filled in on the desktop.

Time to play the waiting game

No matter the purpose of  the database, the good news is that it’s currently offline. It also doesn’t seem to be the case that it’s been used maliciously—for now, anyway. There isn’t a huge amount anyone can do in this situation beyond advising to be wary of the usual social engineering scams.

Ultimately, this database is large but also quite generic, with no way to say for sure exactly what it’s for. As a result, it’s a case of being on your guard and keeping some common sense handy at all times.

This isn’t something to worry about for the time being, and hopefully this tale begins and ends with “someone needs to secure their data better.”

The post Mysterious database exposed personal information of 80 million US households appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Sophisticated threats plague ailing healthcare industry

Malwarebytes - Tue, 04/30/2019 - 15:00

The healthcare industry is no longer circling the drain, but it’s still in critical condition.

While many organizations in healthcare have aimed at or made positive strides toward a more robust cybersecurity and privacy posture, they still have a long way to go.

In 2018, healthcare had the highest number of breaches recorded compared to other industries. This is according to BakerHostetler’s 2019 Data Security Incident Response Report, which is in its fifth annual iteration this year.

Even today, black hat hackers are continuing to go after patient healthcare data, and as such breaches will only intensify, according to Business Insider. The HIPAA Journal, a website dedicated to covering HIPAA-related news, corroborates this intensity after seeing a steady reporting of at least one breach per day from January through March, 2019.

What’s causing these daily breaches?

Hacking and IT incidents, which include malware attacks, have been consistently topping the list.

Malware in healthcare sectors

Healthcare falls short on a lot of security measures: unpartitioned networks, reliance on legacy infrastructure, non-compliance with HIPAA security rules and NIST CSF controls, unmanaged IoT devices, vulnerable medical management apps, the slow implementation of government-recommended IT and cybersecurity practices over the last four years, and the lack of email authentication and low adoption of always-encrypted sessions. For starters.

More importantly, healthcare systems are massively susceptible to malware infection and hijacking, since there are little-to-no protections in place. And when the threats being lobbed at healthcare are more advanced, all that lagging on security takes its toll.

So which types of malware are targeting healthcare organizations? We have collated and analyzed data from our own product telemetry to determine the top malware aiming to infect systems and networks, exfiltrate patient data, and disrupt operations. Here are our results.

Trojans and riskware are common on healthcare systems Malicious and risky files plague healthcare systems worldwide

Among the five types of malware we found affecting healthcare systems, more than three-quarters (79 percent) are Trojans. This is followed by riskware (11 percent)—those pieces of software that are not inherently malicious, but could still pose a risk to systems on which they’re installed. Others are ransomware, spyware, and worms—all with an equal share of 3 percent.

We take a deep dive into each.


Based on our data, a sizable chunk of information-stealing Trojans and downloaders, as well as files posing as legitimate Microsoft (MS) files are present on healthcare systems. We detect them as Trojan.Emotet (35 percent) and Trojan.FakeMS (33 percent), respectively.

The top 6 Trojans detected in healthcare, with Trojan.Emotet leading.

Emotet is an information stealer that can target user credentials stored in browsers and listen to network traffic. Known new versions of Emotet act as downloaders, dropping other banking Trojans, such as TrickBot and Qakbot, ransomware, such as Ryuk, and, at times, cryptominers and cryptowallet stealers.

Emotet has had success in penetrating organizations and spreading because of its simple, yet tried-and-true delivery method—phishing emails—as well as its use of an NSA exploit called EternalBlue, which pushes the infection laterally through networks. In addition, Emotet contains its own malspam module, which churns out additional phishing to continue the cycle.

To add insult to injury, once on networks, Emotet is notoriously difficult to remediate.

Information stealers, in general, are particularly dangerous to have in healthcare systems, as they put electronic health records (EHRs) at risk. Staff credentials can also be swiped and re-used by threat actors to gain access to more information and resources they can use, misuse, or sell to the highest bidders in the dark market.

Emotet has widely affected the health insurance, hospital, pharmaceutical, biotechnology, and medical device sectors. In fact, this threat has been consistently gaining ground on all organizations over the last year, increasing in both persistence and volume to the tune of almost 650 percent from the same time last year.

Trojan.FakeMS, on the other hand, is the detection we use for malware posing as legitimate Microsoft files. Healthcare personnel may or may not have been aware of such files ending up on their work systems. Either way, their presence on machines that staff rely on to processes sensitive records or pull up correct patient data at critical times isn’t ideal.

Meanwhile, cryptominer infections, which we sometimes detect as Trojans, often present machine slowdown as a common symptom, and 17 percent of healthcare systems have been showing this sign.

Cryptomining schemers, who may or may not be part of healthcare staff, can manually download miners, which we generically detect as Trojan.BitCoinMiner, from the Internet and discreetly install them onto machines that are used for record keeping. This resource abuse was the case for the Decatur County General Hospital in Tennessee when their electronic medical records (EMR) server has been hijacked in September 2017 to house a miner.


As mentioned earlier, riskware is non-malicious; however, we flag it for a number of reasons, one of which is its ability to block other programs from receiving patches. This leaves the user’s machine open for exploitation by a number of threats, including EternalBlue mentioned above.

RiskWare.MicTray makes up 98 percent of our riskware detections in several healthcare sectors, primarily in health insurance and pharmaceuticals. MicTray is the name of our detection for the keylogger component present in the Conexant audio driver set.

The remaining 2 percent of detections are for Riskware.Tool.HCK, the name we use for tools or applications that may be illegal to use in certain countries. Cracked versions of paid software are examples of this.


Ransom.WannaCrypt, otherwise known as WannaCry, is the ransomware responsible for crippling the UK’s National Health Services (NHS) in 2017, costing them a total of £92 million (approximately $120 million) from cancelled appointments due to unusable systems to remediation and IT system upgrades. It’s also the malware that forced the healthcare industry to take cybersecurity and privacy seriously.

More than a year later, WannaCry is still at large and continues to affect organizations across industries and countries, disrupting normal operations and putting patient lives and data at risk.

The Ransom.WannaCrypt ransom note

Our data shows that WannaCry is currently in the top five malware families affecting healthcare. This could also mean that a vast number of systems are still open to the EternalBlue vulnerability, waiting to be exploited.


When it comes to spyware in healthcare, Spyware.TrickBot and Spyware.Emotet have dominated the detection count at 45 percent each. Spyware.Agent accounted for 10 percent of our total spyware detections in healthcare.

The top 3 spyware detected in healthcare, with Spyware.TrickBot leading.

As secondary infections to Trojan.TrickBot and Trojan.Emotet, it’s no surprise to see TrickBot and Emotet spyware on healthcare systems. Normal users hardly notice how these information stealer modules work in the background; however, network admins may be able to spot odd connections to blacklisted domains as an attempt to reach command-and-control (C&C) servers to upload stolen data.


Worm.Parite, a detection name we use for a polymorphic file infector targeting executable programs (files ending in .exe) and screensavers (files ending in .scr) on local and shared networked drives, is the only one of its kind affecting systems within the biotech/medical sector.

One thing to note about Parite is that systems it infects may not show any obvious signs of infection—at least at first. Once a user executes an infected file, the virus code attached to it runs, and then passes back the control to the .exe or .scr file so it executes as normal.

If users don’t address a worm or virus infection, the system is at risk of further infection and exploitation from other malware.

Oh, and one more thing: fileless malware

Fileless malware is one of those new schemes that black hat hackers adopted several years ago, and they continue to do so at an ever-increasing pace.

A fileless infection means that traces of actual malware present on the affected system are so minute that it evades regular antivirus detection and makes the work of grabbing samples a challenge to security analysts.

Our telemetry data has revealed that, although nominal, fileless malware are present in healthcare organization systems, among them the health insurance and pharmaceutical sectors.

We are able to detect fileless infections flagged as Rootkit.Fileless.MTGen. They’re our broad detection for fileless malware that use rootkits to hide their presence on affected systems.

Some examples of fileless malware that we’ve seen through the years include the following, which we have rounded up in a list below:

No better time to act

The healthcare industry is ripe with opportunity. Despite the cybersecurity and privacy challenges it is working to address, it continues to evolve by embracing innovative technologies—such as blockchain, virtual reality, and artificial intelligence—and adopting new models to better serve patients. Of course, adding new technologies can sometimes make protecting systems more complex than it already is.

However healthcare organizations plan to move forward, there are still two simple objectives they must not lose sight of: the security of systems and devices from malware, zero-day vulnerabilities, and hardware hacks, and the protection of patient healthcare data from thieves and malicious insiders.

In mid-April, researchers from the Ben Gurion University released their study on the malicious tampering of CT scans using deep learning AI. According to their paper, they were able to successfully demonstrate how threat actors can remove or add evidence of medical conditions on scans. They used a man-in-the-middle device, which is another computer loaded with malware to gain access to CT scans and feed medical devices with false information. If such a technology would be used in the wild, people’s medical records and treatment plans would be at risk, jeopardizing their overall health.

Indeed, healthcare organizations have a lot of catching up to do to protect themselves from online threats that continue to grow in sophistication. A lot more is at stake within this sector than virtually any other. It’s not just potential earnings or sensitive data at risk if cybersecurity is breached. Patients’ lives are at stake.

To keep the aforementioned objectives in focus, we recommend healthcare organizations visit these guides to shape up their security posture:

Stay safe!

The post Sophisticated threats plague ailing healthcare industry appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Electrum DDoS botnet reaches 152,000 infected hosts

Malwarebytes - Mon, 04/29/2019 - 17:00

By Jérôme Segura, Adam Thomas, and S!Ri

We have been closely monitoring the situation involving the continued attacks against users of the popular Electrum Bitcoin wallet. Initially, victims were being tricked to download a fraudulent update that stole their cryptocurrencies. Later on, the threat actors launched a series of Distributed Denial of Service (DDoS) attacks in response to Electrum developers trying to protect their users.

Since our last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing. Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000, according to this online tracker. Since then, it has gone up and down and plateaued at around the 100,000 mark.

New loader identified

We have been able to correlate two distribution campaigns (RIG exploit kit and Smoke Loader) that are fueling this botnet by dropping malware we detect as ElectrumDoSMiner. Now, we have just identified a previously undocumented loader we call Trojan.BeamWinHTTP that is also involved in downloading ElectrumDoSMiner (transactionservices.exe).

New Trojan.BeamWinHTTP connected to ElectrumDoSMiner

As can be seen in the VirusTotal graphs above and below, there are hundreds of malicious binaries that retrieve the ElectrumDoSMiner. We surmise there are probably many more infection vectors beyond the three we’ve uncovered so far.

The main infrastructure hosting ElectrumDoSMiner binaries and configuration files Botnet geographic distribution

By analyzing the IP addresses and mapping them to a country, we are able to have a better idea of where the bots are located. We find the largest concentration in the Asia Pacific region (APAC). For the Americas, most bots are located in Brazil and Peru.

World map showing presence of bots part of the Electrum DDoS botnet

The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.

Number of ElectrumDoSMiner infected machines cleaned by Malwarebytes An underreported and yet massively fraudulent scheme

Crooks wasted no time in exploiting a vulnerability in Electrum wallets to phish unsuspecting users. What followed next with retribution attacks on Electrum servers was unexpected but logical, considering what is at stake.

While these DDoS attacks have not been publicized much by mainstream media, they have undoubtedly caused millions of dollars in losses over the span of just a few months.

Indicators of Compromise

ElectrumDoSMiner infrastructure



Hashes for the binaries tied to the ElectrumDoSMiner infrastructure can be downloaded here.

The post Electrum DDoS botnet reaches 152,000 infected hosts appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Wall Street Market reported to have exit scammed

Malwarebytes - Mon, 04/29/2019 - 15:54

Around April 20, many users reported that Wall Street Market, a broadly known dark net market, had executed an exit scam, and that any pending orders were unlikely to be completed.

Scamming with enterprises involving Bitcoin is not unheard of, and dark net markets with centralized escrow are particularly vulnerable. As these markets grow in popularity and amass large amounts of transactions, the potential payout of an exit scam can be enormous, as seen with the Evolution market exit scam in 2015, totaling roughly 12 million in stolen Bitcoins.

A common tactic in these types of scams is to initially freeze transactions for “technical difficulties,” followed by taking the entire market offline and grabbing the funds.

What the users say

Wall Street Market appears to have followed a similar trajectory, with frozen transactions leading to side channel messages warning of scams, to a mass vendor exodus. Notable in the saga is that at least one actor appears to have compromised a market admin account to notify users of potential issues.

What the money might say

While now empty, the public address (32Eup1TPADYTAa46wq48c7qmg7AuFwigeM) has been identified
by users of Wall Street Market as being the destination of funds stolen from escrow accounts. A recent series of withdrawals totaling about 2,067 BT— around $11.5 million USD—is being broken down and likely laundered through various means so that thieves can cash out their profits.

Average market traffic patterns

Starting with the transaction on April 14, 2019, at 7:15:35PM, the market admins appear to have modified the process that occurs during the release of escrow funds once an order is completed. Instead of funds
being released to vendors, all the funds were instead diverted to the fraudulent account.

Redirection of traffic to a single address, correlating to user complaints

After moving from this address, funds appear to be following a similar pattern of being grouped into 70 BTC amounts.

At this point, most of the funds currently remain untouched except for a few transactions, which appear to be initial tests to cash out funds. For instance, following the outputs of transaction (8b36afc40700c51941fd4218873fd219a19bd36beeaac2f06082362f5327642c) eventually leads us to the known wallet address for Houbi, a large Crypto exchange originally founded in China.

What does it mean?

While we can’t prove intent to scam, the transaction pattern over the past few days, in addition to admin behavior mirroring that of previous exit scams, suggests the market admins might not have the best of intentions with their customers’ Bitcoin.

Due to a paucity of fraud controls other than reputational built into most marketplace systems, the temptation to exit scam has gotten the best of more than one dark net market. Unfortunately, the best advice available to customers at present time is caveat emptor.

The post Wall Street Market reported to have exit scammed appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 22 – 28)

Malwarebytes - Mon, 04/29/2019 - 15:31

Last week on Labs, we looked at security threats to headphones, privacy options in the world of law, and wandered through the FBI’s 2018 IC3 online crime report. We also explored another MageCart attack, and we released our 2019 Q1 Crime Tactics and Techniques report.

Other cybersecurity news
  • Fooling automated surveillance cameras: Bypassing neural network frameworks with colourful abstract signs. Well, rectangles, to be more accurate. (Source: Arvix)
  • VPN traffic raises concerns: Users of NordVPN query traffic they consider to be unusual related to the popular app. (Source: The Register)
  • Who keeps your data safe? People think banks are best, but a majority still fear identity theft. (Source: Help Net Security) 
  • Microsoft abandons password expiration for Windows 10: MS joins the growing trend for not finding a huge amount of value in needless password changes. (Source: Microsoft)
  • Biometrics take a hit in Danish passports: A glitch is responsible for switching left and right hand prints tied to up to a quarter of a million travel documents. (Source: Copenhagen Post)
  • A primer to credential stuffing: a nice summary of what, exactly, is involved with this most common of bad Internet practices. (Source: ZDNET)
  • Cryptominer targets enterprise, ignores consumers: Beapy almost exclusively targets businesses in Asia, letting consumers temporarily off the hook. (Source: SCMag)
  • Fake social: As bogus social media profiles continue to spread, can end-users tell the difference? (Source: Infosecurity Magazine)
  • Emotet variant up to no good: compromised devices are being turned into proxy command and control servers, in an effort to make the attack slightly less overt. (Source: Bleeping Computer)
  • Avoiding Apple ID phish attacks: They sometimes feel like they’re everywhere, and occasionally look quite convincing. Learn how to spot the signs of a scam. (Source: Heimdal Security)

Stay safe, everyone!

The post A week in security (April 22 – 28) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

GitHub hosted Magecart skimmer used against hundreds of e-commerce sites

Malwarebytes - Fri, 04/26/2019 - 16:06

Every day, new e-commerce websites fall into the hands of one of the many Magecart skimmers. Unbeknownst to shoppers, criminals are harvesting their personal information, including payment details in the online equivalent of ATM card skimming.

Most often the skimming code—written in JavaScript and obfuscated—is hosted on infrastructure controlled by attackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is by far most targeted.

However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.

This latest skimmer is a hex-encoded piece of JavaScript code that was uploaded to GitHub on April 20 by user momo33333, who, as it happens, had just joined the platform on that day as well.

In the above and below screenshots, you can see that the threat actor was fine tuning the skimmer, after having done a few tests:

Just like with any other kind of third-party plugins, compromised Magento sites are loading this script within their source code, right after the CDATA script and/or right before the </html> tag:

According to a search on, there are currently over 200 sites that have been injected with this skimmer:

A look at the deobfuscated script reveals the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent to:

It’s worth noting that the compromised Magento sites will remain at risk, even if the GitHub-hosted skimmer is taken down. Indeed, attackers can easily re-infect them in the same manner they initially injected the first one.

It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.

We reported the fraudulent GitHub account which was quickly taken down. We are also protecting our users by blocking the exfiltration domain.

The post GitHub hosted Magecart skimmer used against hundreds of e-commerce sites appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Labs Cybercrime Tactics and Techniques report finds businesses hit with 235 percent more threats in Q1

Malwarebytes - Thu, 04/25/2019 - 07:01

The Malwarebytes Labs Cybercrime Tactics and Techniques Q1 2019 report found businesses at the butt end of a bad joke. In just one year, threats aimed at corporate targets have increased by 235 percent, with Trojans, such as Emotet, and ransomware in particular revving up in the first quarter.

Included in the report is analysis of sharp declines in consumer cryptomining and other threats, further cementing the shift away from individual targets and toward businesses, with SMBs in particular suffering because of lack of resources.

“Consumers might breathe a sigh of relief seeing that malware targeting them has dropped by nearly 40 percent, but that would be short-sighted,” said Adam Kujawa, director of Malwarebytes Labs. “Consumer data is more easily available in bulk from business targets, who saw a staggering 235 percent increase in detections year-over-year. Cybercriminals are using increasingly clever means of attack to get even more value from targets through the use of sophisticated Trojans, adware and ransomware.”

In addition to analysis of trending threats, broken down by region and segment (consumer vs. business), this quarter the Labs team added a section on data privacy to the report.

Following its March survey on data privacy, in which respondents overwhelmingly showed concern about protecting their data online, the Labs team highlighted some of its key takeaways and discussed ways in which businesses are failing to shore up that data.

Highlights from the report include:

  • Emotet continues to target enterprises. Detections of Trojans (Emotet’s parent category) on business endpoints increased more than 200 percent since Q4 2018, and almost 650 percent from the same time last year.
  • Ransomware has gained rapid momentum, with an increase of 195 percent in business detections from Q4 2018 to Q1 2019. Compared to the same time last year, business detections of ransomware have seen an uptick of over 500 percent, due in large part to a massive attack by the Troldesh ransomware against US organizations in early Q1.
  • Cryptomining against consumers is essentially extinct. Marked by the popular drive-by mining company CoinHive shutting down operations in March, consumer cryptomining has significantly decreased both from the previous quarter and the previous year.
  • Mobile and Mac devices are increasingly targeted by adware. While Mac malware saw a more than 60 percent increase from Q4 2018 to Q1 2019, adware was particularly pervasive, growing over 200 percent from the previous quarter.
  • The US leads in global threat detections at 47 percent, followed by Indonesia with nine percent and Brazil with eight percent.

To learn more about threats and trends in cybercrime in Q1, download the full report:

Cybercrime Tactics and Techniques Q1 2019

The post Labs Cybercrime Tactics and Techniques report finds businesses hit with 235 percent more threats in Q1 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A look inside the FBI’s 2018 IC3 online crime report

Malwarebytes - Wed, 04/24/2019 - 15:57

The FBI’s Internet Crime Complaint Center have released their annual Crime Report, with the most recent release focusing on 2018. While the contents may not surprise, it definitely cements some of the bigger threats to consumers and businesses—and not all of them are particularly high tech. Sometimes less is most definitely more.

What is the Internet Crime Complaint Center?

Good question. For those not in the know, it’s the FBI’s way of allowing you to file a complaint about a computer crime. If the victim or alleged perpetrator are located in the US, you can file. The information is then handed to trained analysts who distribute the data as appropriate.

They eventually take all that information and turn it into a report. There’s a fair bit in there to chew on—here’s the report, in PDF format—but there are some prominent themes on display. Shall we take a look at what’s hot?

Business Email Compromise (BEC)

Business Email Compromise is something we mention on here fairly regularly. Someone usually pretends to be the CEO of an organisation, and attempts to pull off a wire transfer via someone else in finance. Cash is often routed through Hong Kong where wires are common, so as not to attract attention. 

It’s a straightforward attack, low risk, small overheads, and if you fire enough out, eventually someone will bite. You only need one successful attack to walk away with millions.

In 2018, IC3:

  • Received just over 20,000 reports of BEC attacks
  • Declared adjusted losses of over $1.2 billion

Those are big numbers, but even bigger when you consider BEC reports the year before were 15,000, and adjusted losses were $675 million. One slightly peculiar twist to the usual “steal your money” approach is this:

In 2018, the IC3 received an increase in the number of BEC/EAC complaints requesting victims purchase gift cards. The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons.

Not quite as glamorous as Hong Kong wires, and in all honesty it sounds faintly ludicrous at first viewing, but it’s definitely working for somebody.

Payroll diversion

This is an interesting twist on the BEC scams. The attackers don’t waste time pretending to be CEOs. Instead, they go for logins tied to payroll processing systems. Once they’re in, they change the account information and the money is diverted to somewhere controlled by the hacker. They’ll also hide warnings to admins, which would’ve alerted them to deposit information changes. The money will then typically be sent to a  prepaid card—yes, prepaid cards are flavour of the month (year?) this time around. From the report:

Institutions most affected by this scam have been education, healthcare, and commercial airway transportation.

From just one hundred complaints, there was a combined reported loss of $100 million dollars. This is frankly astonishing. Phishing can truly be devastating in the right hands.

Tech support fraud

Tech support scams feel as though they’ve been around forever, and they’re busy cementing their place in the top three table of awful things. The 2018 tally for these antics weigh in at 14,000 complaints from victims scattered across 48 countries. The losses almost hit $39 million, representing a 161 percent rise from the previous year. Most of the victims are over 60, which fits the general M.O. of going after older targets who may not be aware of the latest happenings in fraud land.

The full report covers topics such as top states divided by both number of victims and victim losses, breakdowns on target age groups, crime types, assets recovered, and much more.

One thing’s for sure: with over 900 complaints a day, roughly 300,000 complaints received per year on average, and something in the region of $2.71 billion in losses accounted for in 2018, online crime isn’t going away anytime soon.

The post A look inside the FBI’s 2018 IC3 online crime report appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Consumers have few legal options for protecting privacy

Malwarebytes - Tue, 04/23/2019 - 17:03

There are no promises in the words, “We care about user privacy.”

Yet, these words appear on privacy policy after privacy policy, serving as disingenuous banners to hide potentially invasive corporate practices, including clandestine data collection, sharing, and selling.

This is no accident. It is a strategy.

In the US, companies that break their own privacy policies can—and do—face lawsuits over misleading and deceiving their users, including making false statements about data privacy. But users are handicapped in this legal fight, as successful lawsuits and filings are rare.

Instead of relying on the legal system to assert their data privacy rights, many users turn to tech tools, installing various web browsers, browser extensions, and VPNs to protect their online behavior.

Luckily, users aren’t alone in this fight. A small number of companies, including Apple, Mozilla, Signal, WhatsApp, and others, are truly committed to user privacy. They stand up to overbroad government requests. They speak plainly about data collection. And they often disengage from practices that put user data in the hands of unexpected third parties.

In the latest blog in our series on data privacy and cybersecurity laws, we look at the options that consumers actually have in asserting their digital privacy rights today. In the US, it is an area of law that, unlike global data protection, is slim.

As Jay Stanley, senior policy analyst with the ACLU Speech, Privacy, and Technology Project, put it: “There’s a thin web of certain laws that exist out there [for digital consumer privacy], but the baseline default is that it’s kind of the Wild West.”

Few laws, few protections

For weeks, Malwarebytes Labs has delved into the dizzying array of global data protection and cybersecurity laws, exploring why, for instance, a data breach in one state requires a different response than a data breach in another, or why “personal information” in one country is not the same as “personal data” in another.

Despite the robust requirements for lawful data protection around the world, individuals in the United States experience the near opposite. In the US, there is no comprehensive federal data protection law, and thus, there is no broad legal protection that consumers can use to assert their data privacy rights in court.

“In the United States, the sort of default is: Consumer beware,” said Lee Tien, senior staff attorney with the digital rights nonprofit Electronic Frontier Foundation.

As we explored last month, US data protection law is split into sectors—there’s a law for healthcare providers, a law for video rental history, a law for children’s online information, and laws for other select areas. But user data that falls out of those narrow scopes has little protection.

If a company gives intimate menstrual tracking info to Facebook? Tough luck. If a flashlight app gathers users’ phone contacts? Too bad. If a vast network of online advertising companies and data brokers build a corporate surveillance regime that profiles, monitors, and follows users across websites, devices, and apps, delivering ads that never disappear? Welcome to the real world.

“In general, unless there is specific, sectoral legislation, you don’t have much of a right to do anything with respect to [data privacy],” Tien said.

There is one caveat, though.

In the US, companies cannot lie about their own business practices, data protection practices included. These laws prohibit “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising. Whatever a company says it does, legally, should be what it actually does, Tien said.

“Most of consumer privacy that’s not already controlled by a statute lives in this space of ‘Oh, you made a promise about privacy, and then you broke it,’” Tien said. “Maybe you said you don’t share information, or you said that when you store information at rest, you store it in air-gapped computers, using encryption. If you say something like that, but it’s not true, you can get into trouble.”

This is where a company’s privacy policy becomes vital. Any company’s risk for legal liability is only as large as its privacy policy is detailed.

In fact, the fewer privacy promises made, the fewer opportunities to face a lawsuit, said ACLU’s Stanley.

“This is why all privacy policies are written to not make any promises, but instead have hand-wavy statements,” Stanley said. “What often follows a sweeping statement is 16 pages of fine print about privacy and how the company actually doesn’t make any promises to protect it.”

But what about a company that does make—and break—a promise?

Few laws, fewer successful assertions

Okay, so let’s say a company breaks its data privacy promise. It said it would not sell user data in its privacy policy and it undeniably sold user data. Time to go to court, right?

Not so fast, actually.

The same laws that prohibit unfair and deceitful business practices also often include a separate legal requirement for anyone that wants to use them in court: Individuals must show that the alleged misconduct personally harmed them.

Proving harm for something like a data breach is exceedingly difficult, Tien said.

“The mechanism of harm is more customized per victim than, say, an environmental issue,” Tien said, explaining that even the best data science can’t reliably predict an average person’s harm when subjected to a data breach the way that environmental science can predict an average person’s harm if they’ve been subjected to, for instance, a polluted drinking source.

In 2015, this difficulty bore out in court, when an Uber driver sued the ride-hailing company because of a data breach that affected up to 50,000 drivers. The breach, the driver alleged, led to a failed identity theft attempt and a fraudulent credit card application in his name.

Two years later, the judge dismissed the lawsuit. At a hearing she told the driver: “It’s not there. It’s just not what you think it is…It really isn’t enough to allege a case.”

There is, again, a caveat.

Certain government officials—including state Attorneys General, county District Attorneys, and city attorneys—can sue a company for its deceitful business practices without having to show personal harm. Instead, they can file a company as a representative for the public.

In 2018, this method was also tested in court, with the exact same company. Facing pressure from 51 Attorneys General—one for each US state and one for Washington, D.C.—Uber paid $148 million to settle a lawsuit alleging the company’s misconduct when covering up a data breach two years earlier.

Despite this success, waiting around for overworked government attorneys to file a lawsuit on a user’s behalf is not a practical solution to protecting online privacy. So, many users have turned to something else—technology.

Consumer beware? Consumer prepared

As online tracking methods have evolved far past the simpler days of just using cookies, consumers have both developed and adopted a wide array of tools to protect their online behavior, hiding themselves from persistent advertisers.

Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, said that, while the technology of tracking has become more advanced, so have the tools that push back.

Privacy-focused web browsers, including Brave and Mozilla’s Firefox Focus, were released in the past two years, and tracking-blocking browser extensions like Ghostery, Disconnect, and Privacy Badger—which is developed by EFF—are all available, at least in basic models, for free to consumers. Even Malwarebytes has a browser extension for both Firefox and Chrome that, along with obstructing malicious content and scams, blocks third-party ads and trackers that monitor users’ online behavior.

Stephens said he has another philosophy about protecting online privacy: Never trust an app.

“We have this naïve conception that the information we’re giving an app, that what we’re doing with that app, is staying with that app,” Stephen said. “That’s really not true in most situations.”

Stephens pointed to the example of a flashlight app that, for no discernible reason, collected users’ contact lists, potentially gathering the phone numbers and email addresses for every friend, family member, and met-once-at-a-party acquaintance.

“Quite frankly,” Stephens said, “I would not trust any app to not leak my data.”

Corporate respect for consumer privacy

There is one last pillar in defending consumer privacy, and, luckily for many users, it’s a sturdy one: corporations.

Yes, we earlier criticized the many nameless companies that window-dress themselves in empty privacy promises, but, for years, several companies have emerged as meaningful protectors of user privacy.

These companies include Apple, Signal, Mozilla, WhatsApp, DuckDuckGo, Credo Mobile, and several others. They all make explicit promises to users about not selling data or giving it to third parties that don’t need it, along with sometimes refusing to store any user data not fundamentally needed for corporate purposes. Signal, the secure messaging app, takes user privacy so seriously that the company cannot read users’ end-to-end encrypted messages to one another.

While many of these companies are household names, a smaller company is putting privacy front and center, and it’s doing it for a much-needed field—DNA testing.

Helix DNA not only tests people’s genetic data, but it also directs them to several partners who offer services that utilize DNA testing, such as The Mayo Clinic and National Geographic. Because Helix serves as a sort of hub for DNA testing services, and because it works so closely with so many companies and organizations that handle genetic data, it decided it was in the right position to set the tone for privacy, said Helix senior director of policy and clinical affairs Elissa Levin.

“It is incumbent on us to set the industry standards on privacy,” Levin said.

Last year, Helix worked with several other companies—including 23andMe, Ancestry, MyHeritage, and Habit—to release a set of industry “best practices,” providing guidance on how DNA testing companies should collect, store, share, and respect user data.

Among the best practices are several privacy-forward ideas not required by law, including the right for users to access, correct, and delete their data from company databases. Also included is a request to ban sharing any genetic data with third parties like employers and insurance companies. And, amidst recent headlines about captured serial killers and broad FBI access to genetic data, the best practices suggest that companies, when possible, notify individuals about government requests for their data.

Helix itself does not sell any user data, and it requires express user consent for any data sharing with third parties. Helix also brought in privacy executive and current head of data policy at the World Economic Forum Anne Toth to advise on its privacy practices before even launching, Levin said.

As to whether consumers appreciate having their privacy protected, Levin said the proof is not so much in what consumers say, but rather in what they don’t say.

“The best way to gauge that is in looking at the fact that we have not gotten negative feedback from users or concerns about our privacy practices,” Levin said. She said that any time a company is in the news for data misuse, there is never a large uptick in users reflexively walking away, even though Helix allows users to remove themselves from the platform.

Consumer privacy is the future

Online privacy matters, both to users and to companies. It should matter to lawmakers, but in the US, it has taken Congress until barely last year to take substantial interest in the topic.

Until the US has a comprehensive data privacy law, consumers will find a way to protect themselves, legal framework or not. Companies should be smart and not get left behind. Not only is protecting user privacy the right thing to do—it’s the smart thing to do.

The post Consumers have few legal options for protecting privacy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Of hoodies and headphones: a spotlight on risks surrounding audio output devices

Malwarebytes - Mon, 04/22/2019 - 18:15

More than a decade ago, cardiologists from the Beth Israel Medical Center in Boston presented their findings at the American Heart Association (AHA) Scientific Sessions 2008 about MP3 headphones causing disruptions with heart devices—such as the pacemaker and the implantable cardioverter defibrillator (ICD)—when the headphones were placed on their chests, directly over their devices’ location.

These interference can range from preventing a defibrillator from detecting abnormal heart rhythms, deactivating the defibrillator temporarily (and, thus, stopping it from delivering a life-saving shock), forcing a pacemaker to deliver signals to the heart (and, thus, making it beat while disregarding the patient’s current heart rhythm), to fully reprogramming the heart device.

Experts named neodymium magnets, which are common in most headphones, as the culprit to these potentially life-threatening disruptions. Doctors have been repeatedly warned pacemaker and defibrillator patients about the risks of magnets and other devices that would accidentally interrupt their functionalities, but the warnings seem to have fallen on deaf ears.

Headphones, earphones, and headsets were never designed to interfere with heart devices—yet, interfere they did. While the interference was accidental, the curious among us may start to wonder: Can headphones be intentionally messed with to harm their users? What else can headphones do that they weren’t supposed to? Thankfully, the answer to the former is, “Not with life-endangering consequences.” However, audio output devices, including headphones, can pose a security and privacy risk to users, especially when abused by smart people with ill-intent.

Headphones, like webcams, are now suspect

It’s not just the webcam you should mind and secure. For years, researchers have been looking for and poking holes in our audio output devices, in the name of security and privacy. While the potential risks of headphones may be a new subject for our readers, the solutions for securing them are (thankfully) practical and familiar.

In the next few sections, we’ll cover various potential risks and vulnerabilities of headphones and other audio output devices, as well as any tech related to them—including the software that comes with some headphone sets.

From headphones to microphone to risk

YouTube houses a trove of videos on how one can turn their headphones and even ear buds into a microphone. This is possible because the make of the two are identical, meaning they work in much the same way. That makes it easy for anyone to MacGyver a microphone if all they have is a pair of headphones.

Exactly how do users transform their headphones into microphones? By physically plugging their headphone or earphone jack into the audio line in port. Unfortunately, headphones aren’t optimized to be microphones and vice versa, which means the quality won’t be the same.

But can headphones used as a makeshift microphone be a risk to your privacy? Indeed they can, albeit a minor one. If you put one speaker really close to your mouth while pouring your heart out, vulnerabilities in the headphones can enable threat actors to record whatever it is you’re spouting to the mirror or to a room full of tipsy friends.

Spying without spyware

Improvising a microphone with headphones is not the only way to put oneself at risk. As this CNET video shows, headphone software can be used to create a microphone and become subject to attacks as well.

Researchers at Ben Gurion University (BGU) in Israel found a way to automate the physical task of switching the output to the input, and improve the headphones’ ability to capture sounds clearly from across the room in the process.

They did this by introducing a proof-of-concept malware they called SPEAKE(a)R to a Realtek audio sound card, which quietly re-tasked the output channel to an input channel of a headphone set connected to a PC or laptop, and recorded any sounds or conversations happening in the room. You can watch the video recording of the demo in their lab below, or read their paper on the subject here [PDF]:

The SPEAKE(a)R lab demo

In their tests, the researchers used a pair of Sennheiser headphones. This could probably explain the clear quality of the recorded sound even from 20 feet away. We guess that the sound quality is dependent on the quality of headphones, as Sennheiser is one of a handful of brands known for high fidelity headphones.

The only way to make the SPEAKE(a)R malware useless is to not physically attach the headphones to an affected system.

When headphone software opens systems to MITM attacks

Speaking of Sennheiser, the company found itself in security hot water after researchers at Secorvo found a vulnerability not in their headphones, but in their headphone software: HeadSetup.

According to Secorvo’s 16-page report [PDF], this flaw can affect users of both Windows and macOS systems who are using or have used the headphones software. The flaw stems from the way the software creates an encrypted Web Socket (a communications protocol) with the browser: It installs a self-signed TLS certificate in the OS’s Trusted Root CA certificate store (for Windows) and the macOS Trust Store (for macOS).

Since all TLS certificates and their associated keys are identical for all installation instances of the headphone software, threat actors who use HeadSetup can potentially access the key and use it to forge certificates. This automatically confirms fake sites, which can be used to perform Man-in-the-Middle (MITM) attacks against target users. Yikes.

Sennheiser users can update the HeadSetup software to the latest version to protect themselves from future attacks.

Exploited USB headphone port in Nexus 9 can lead to data exfiltration

Aleph Security researchers, inspired by the work of Michael Ossmann and Kyle Osborn on multiplexed wired attack surfaces [PDF], experimented on and later discovered that the headphone jack of the Nexus 9 can be used to access and interact with its FIQ (Fast Interrupt Request) Debugger. The Debugger is a developer tool that is shipped with Google Nexus devices. The researchers were able to access it using a Universal Asynchronous Receiver/Transmitter (UART) debug cable that they built themselves.

More unfortunate still, the FIQ Debugger for the Nexus 9 could respond to commands that those with ill-intent may find especially useful. This includes the unauthorized access of sensitive information in the Android OS via the stack canary value, registry, and process list, and other functionalities, such as bootloader, that could force the device to do a factory reset.

FIQ Debugger interface with a list of help commands (Source: Aleph Security)

Fortunately, Google has fully patched flaws the researchers reported.

Risks surrounding Bluetooth headphones, earphones, and headsets

BlueBorne is the name used to describe an attack method that uses Bluetooth technology to infiltrate and control Bluetooth-enabled devices. Since many wireless headphones, ear buds, and stream services use Bluetooth tech, they are susceptible to this attack.

Discovered in 2017 by IoT security company Armis, BlueBorne consists of eight related zero-day vulnerabilities that can compromise major OS platforms. Affected devices can cause all sorts of security problems to their users, including malware propagation, espionage, and information theft, to name a few.

Anyone can eavesdrop on users via Bluetooth-enabled headsets, even if they’re not in discoverable mode. All one needs is the known default PIN code of the headset, which for most is “0000” (without quotation marks), an external antenna (to extend the Bluetooth range), and a device to control it remotely. SANS Senior Instructor Joshua Wright showed how this can be done in the video “Eavesdropping on Bluetooth Headsets.”

Users can avoid falling victims to BlueBorne attacks and eavesdropping by ensuring that their device’s firmware is up-to-date and turning off their device’s Bluetooth when not in use.

From audiophile to…paranoiac?

Covering your laptop’s built-in webcam is a common and effective security practice to deter potential voyeurs from clandestinely watching you without your knowledge. This is also the reason why users are recommended to disconnect external cameras from desktop computers when not being used.

In terms of headphones, headsets, and earphones, another set of approaches are needed. While securing webcams is easy, securing audio inputs is not. In fact, putting a tape over a laptop’s microphone input—even a thick piece doubled up à la Mark Zuckerberg—simply wouldn’t work. Securing audio inputs takes knowledge of how your device’s audio technology works, a bit of patience, and, in extreme cases, destroying a good pair of ear plugs.

If you’re worried that your headphones, earphones, or headset could be used to invade your privacy, you don’t have to go to extremes. Applying basic cybersecurity hygiene to how you use your audio listening devices, such as updating all software and hardware, including firmware and the apps you use with the device, is a good place to start.

But if you absolutely and undoubtedly don’t want your headphones snooping on you in any way, here’s a simple, low-cost way of doing it: disconnect them from your computing or mobile device.

Happy, and safe, listening!

Other resources:

The post Of hoodies and headphones: a spotlight on risks surrounding audio output devices appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 15 – 21)

Malwarebytes - Mon, 04/22/2019 - 15:47

Last week, Malwarebytes Labs revealed multiple giveaway online scam campaigns banking on the popularity (and generosity) of Ellen DeGeneres, weighed in on the hack that compromised legacy Microsoft email service accounts like Hotmail and MSN, explained what “like-farming” means and how to spot it on social media, and spotlighted on uncharacteristic executable file formats one of our researchers presented at the SAS conference.

We also exposed persistent phishing campaigns targeting Electrum wallet users to defraud them of Bitcoins and how malware can pose a physical threat to those inside industrial plants and to the residents nearby them.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (April 15 – 21) appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds