Techie Feeds

Ransomware tries its hand at being a deadly viral meme

Malwarebytes - Tue, 12/13/2016 - 17:06

Memes are weird things and weren’t always about lolcats or frogs or whatever the latest terrible image macro doing the rounds happens to be. I quite like this line from Wikipedia on said subject:

Proponents theorise that memes are a viral phenomenon that may evolve by natural selection… Memes that propagate less prolifically may become extinct, while others may survive, spread, and (for better or for worse) mutate.

The plot of The Ring is pretty much the concept of a meme made deadly – pass on this cursed videotape within 7 days, or you die horribly.

How far will you go to save yourself?

Well, our old friend 2016 is here to ask that question one more time, because ransomware authors have decided to tweak their victims’ get-out-of-jail method. Don’t have the funds to obtain an unlock key? No problem – just infect two other people and you’re back in business (assuming they pay up to unlock their own files). It’s all gone a bit pyramid scheme, hasn’t it?

Interestingly, the time limit to regain your files is the same as the time limit imposed on potential victims of Sadako: seven days.

The only way that could be creepier is if they’d released this during Halloween.

Named after the well-known BitTorrent client Popcorn Time, this ransomware goes one step further than most in its mission to make some money. It encrypts files in the usual places – Documents, Music, Pictures and Desktop – and targets pretty much every file extension under the sun. After encryption, the splash screen explaining what’s happened claims the creators are from Syria and that money generated from the ransomware will be used for “food, medicine, and shelter”.

At this point, the choices available boil down to guessing a key to unlock the files (not a good idea, as the source code mentions that incorrect key entries may eventually result in automatic file deletion), or to play the game and begin the process of infecting other people, in the hope of obtaining an unlock key.

Note that it isn’t enough to infect another person – you have to hope they pay the ransom too, or they don’t count as a notch on your tally of victims.

All of this only works on the assumption that the ransomware authors will actually provide an unlock key, and that is certainly up for debate. It’s also probable that victims won’t want to risk friendships, so they’ll end up trolling for random victims in chat rooms, on social media and in other fish-in-a-barrel locations. In other words, like common-or-garden script kiddies going about their daily business.

What a mess!

As Graham Cluley mentions, you don’t want to risk getting into trouble with the law because you decided to save yourself by torching the data of others. Should you fall victim to a piece of ransomware, don’t give up hope – many of these files are poorly coded and in many cases, members of the security community, independent researchers, security firms, and more besides manage to come up with decryption tools.

Meanwhile, users of Malwarebytes 3.0 will find we detect this as Ransom.FileCryptor.

Christopher Boyd


A week in security (Dec 04 – Dec 10)

Malwarebytes - Mon, 12/12/2016 - 23:29

Last week we launched Malwarebytes 3.0, our next-generation antivirus replacement.

We also touched on domain generation algorithms (DGAs), went up close and personal with a rootkit, and featured a fake “smart drug” news story.

Lead Malware Intelligence Analyst Jérôme Segura reported on another malvertising campaign, attributed to the group known as AdGholas.

Below are notable news stories and security-related happenings:

  • Disttrack Wiper Malware Hits Saudi Arabia’s Aviation Agency. “Shamoon attackers with their Disttrack wiper malware have hit Saudi Arabian entities again. The Saudi government confirmed the latest breaches on Thursday, and for now the identity of only one target has been revealed: the country’s General Authority of Civil Aviation (GACA), which is the national institution in charge of aviation and related matters, as well as the operator of four international and 23 domestic airports within the country.” (Source: Help Net Security)
  • Exploit Company Exodus Sold Firefox Zero-Day Earlier This Year. “This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday. One research company gave details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes this year, according to two sources.” (Source: Vice’s Motherboard)
  • Ransomware As A Service Fuels Explosive Growth. “Believe it – you too can become a successful cyber criminal! It’s easy! It’s cheap! It’s short hours for big bucks! No need to spend years on boring things like learning how to write code or develop software. Just download our simple ransomware toolkit and we can have you up and running in hours – stealing hundreds or thousands of dollars from people in other countries, all from the comfort of your home office – or your parents’ basement. Sit back and watch the Bitcoin roll in!” (Source: CSO)
  • Researchers Warn Of Visa Payment Fraud Gaps. “Researchers have warned that deficiencies in Visa’s e-commerce payment network could allow attackers to brute force credit card details in as little as six seconds. A paper from Newcastle University’s Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel describes how they were able to launch a “distributed guessing attack” against Alexa top-400 online merchants’ payment sites to work out expiry dates and CV2 values.” (Source: InfoSecurity Magazine)
  • The Flowering Of Voice Control Leads To A Crop Of Security Holes. “‘Tis the season of cybersecurity threat predictions for 2017. Vendors’ glossy reports shower onto the desks of customers and journalists like gentle Christmas snow. But so many of these reports, like so many snowfalls, are nothing but slush. All year we’ve been hearing about the spreading plague of ransomware, and how the Internet of Things (IoT) will be a security nightmare. Remember the botnet made of video cameras? Vendors have been waving around phrases like ‘artificial intelligence’ and ‘machine learning’ and ‘threat intelligence sharing’ like magic wands.” (Source: ZDNet)
  • Facebook, Microsoft, Twitter And YouTube Team To ID Terror Content. “Facebook, Microsoft, Twitter and YouTube have teamed up to share their expertise spotting terrorism-related content, in order to crimp its spread. The four put their name to a joint statement in which they declare ‘There is no place for content that promotes terrorism on our hosted consumer services.’” (Source: The Register)
  • Reality Check: Getting Serious About IoT Security. “In an effort to curtail a new and disturbing cyberattack trend, the Department of Homeland Security has placed Internet of Things (IoT) device manufacturers on notice. The recent proclamation clarified how serious the agency is about the issue and how serious it wants corporate decision makers to be. In short, the DHS “Strategic Principles for Securing the Internet of Things” acknowledges the gravity of the current climate and the potential for greater harm by encouraging security to be implemented during the design phase, complete with ongoing updates based on industry best practices.” (Source: Dark Reading)
  • Verizon: Unknown Assets A Hacker’s Playground. “Service Provider & Enterprise Security Strategies — Merger and acquisition activity may be financially rewarding but it can actually create and contribute to enterprise security risks, Verizon Enterprise Solutions’ Christopher Novak warned today. The Risk Team director said many data breaches, including some that last for months, have targeted assets that are networked but not covered by company security solutions, often because the corporation is unaware of their existence.” (Source: Light Reading)
  • What Role Does Privacy Play In Your Digital Transformation Strategy? “If you are a senior leader in an organisation, I am sure you have been asked the question – ‘What is your digital strategy?’ You may also be getting tired of people telling you that new market entrants (especially millennials) are disrupting traditional business models and are forcing you to redefine the end to end customer experience. And here is another good one -‘Have you hired a digital transformation executive yet?’ While I make light of all the digital hype, this transformation is not a joke – it is a survival necessity.” (Source: IT Security Guru)
  • Call For Privacy Probes Over Cayla Doll And i-Que Toys. “The makers of the i-Que and Cayla smart toys have been accused of subjecting children to ‘ongoing surveillance’ and posing an ‘imminent and immediate threat’ to their safety and security. The accusations come via a formal complaint in the US by consumer groups. They, along with several EU bodies, are calling for investigations into the manufacturers.” (Source: The BBC)
  • Hackers Launch Stealth Malvertising Campaign Exposing Millions Online To Spyware And More. “Millions of internet users visiting popular news sites over the past few months may have been exposed to a malicious malvertising campaign. The cybercriminals behind the campaign are distributing malicious ads, which redirect users to the Stegano exploit kit. Security researchers uncovered that the Stegano malvertising campaign exploited several Flash vulnerabilities. The malicious ads came embedded with attack codes within individual image pixels. Stegano has been active since 2014; however, researchers noted a fresh campaign launched in October, which operates in an exceedingly stealthy manner to infect victims.” (Source: The International Business Times)
  • Hackers Get Easy Route To Patient Data. “Patients are being put at risk because most NHS trusts are using an obsolete IT operating system that no longer receives security updates, researchers have warned. The trusts’ use of the old Windows XP system could enable hackers to steal patient data or take control of hospital infrastructure. Criminals have already used cyberattacks to hold hospitals to ransom and an NHS trust in Lincolnshire and East Yorkshire said this week that an attack in October led to the cancellation of more than 2,800 patient appointments, including operations.” (Source: The Times)
  • TAG Awards First Group Of ‘Certified Against Fraud’ Seals To Companies Meeting Strict Anti-Fraud Standards. “The Trustworthy Accountability Group (TAG), an advertising industry initiative to fight criminal activity in the digital advertising supply chain, today announced the initial group of companies to complete the review process and be awarded the TAG ‘Certified Against Fraud’ Seal, showing they have met TAG’s rigorous anti-fraud standards. The initial recipients of the TAG ‘Certified Against Fraud’ Seal include Amobee; comScore; DoubleVerify; Dstillery; Google; WPP’s GroupM; Horizon Media; Integral Ad Science; Interpublic Group; Moat; Omnicom Media Group; OpenX Technologies, Inc.; ProData Media; Rocket Fuel Inc.; Sovrn; and White Ops, Inc.” (Source: Street Insider)
  • The Security Gift Guide. “Even more than most IT professionals, security professionals are asked for advice on a regular basis. We are supposed to know not just about computers in general, but how people can protect themselves both online and in the real world. Whether it is getting a printer working, or if it is safe to shop online, we are expected to have the answers. At the same time, shopping for gifts can be problematic. You’re never sure what people have. Some people provide gift lists, which are great. But in the absence of a specific request, you might as well give people something useful that might make things easier for you. This guide can be useful even if you are not a security professional. Also remember that security is not just about stopping hackers, but about providing confidentiality, integrity, and availability in all forms.” (Source: CSO)
  • Corporate Data Left Unprotected In The Wild. “A new survey conducted by YouGov has highlighted the risks to corporate data from poor encryption, and employee use of unauthorised and inadequately protected devices. The survey of British office workers found that 42% use devices not provided by their employer to work with corporate e-mails and files. Half (52%) also use personal online accounts, such as Enterprise File Sharing Services (EFSS) to store or access work files – with only 34% saying they have never done so.” (Source: Help Net Security)
  • Small Businesses Underestimate The Cyber Threats Of Irresponsible Employee Actions. “Small companies (up to 50 employees) are significantly less concerned about employee activities leading to cybersecurity breaches than larger corporations. Only 36 per cent of small businesses worry about their staff’s carelessness, while more than half of medium-sized and large enterprises consider it a major concern, says the IT Security Risks Report 2016 by Kaspersky Lab. Uninformed or careless staff, whose inappropriate use of IT resources can put an organization’s cyberprotection in jeopardy, can harm businesses of any size. According to the survey, employee actions are among the top three security challenges that make companies worldwide feel vulnerable. More than half (61 per cent) of the businesses experiencing cybersecurity incidents in 2016 admitted that careless and uninformed employee behavior has been a contributor.” (Source: Deccan Chronicle)
  • App Developers Not Ready For iOS Transport Security Requirements. “A month before Apple is expected to enforce stricter security requirements for app communications in iOS, enterprise developers don’t seem ready to embrace them, a new study shows. The study was performed by security firm Appthority on the most common 200 apps installed on iOS devices in enterprise environments. The researchers looked at how well these apps conform to Apple’s App Transport Security (ATS) requirements.” (Source: CSO)
  • Dailymotion Urges Users To Reset Passwords In Wake Of Possible Breach. “Breach notification service LeakedSource has added information about over 87 million Dailymotion users to its search index. The information includes 87+ million email addresses, user IDs, and over 18 million associated passwords. It was apparently stolen in a breach that happened around October 20, 2016. The passwords have been put through the bcrypt hashing algorithm, so they can’t be easily cracked. LeakedSource said they won’t attempt to crack them, but told Bleeping Computer that ‘a determined hacker who wants to crack one person’s hash may still be able to.’” (Source: Help Net Security)
  • Standards Body Warned SMS 2FA Is Insecure And Nobody Listened. “The US National Institute of Standards and Technology’s (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security. Last July NIST declared that sending one-time passwords to mobile phones was insecure. The organisation wrote in its advisory that the likelihood of interception makes TXT unreliable.” (Source: The Register)
  • Hackers Gamify DDoS Attacks With Collaborative Platform. “A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to ‘gamify’ DDoS attacks in order to attract a critical mass of hackers working toward a unified goal. The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform.” (Source: Kaspersky’s Threatpost)
  • Researchers Find Fresh Fodder For IoT Attack Cannons. “New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.” (Source: KrebsOnSecurity)
  • Flash Exploit Found In Seven Exploit Kits. “A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future. The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was singled out by Microsoft for using separate Flash and Windows zero days in targeted attacks this year.” (Source: Kaspersky’s Threatpost)
  • Cybersecurity Gamification: A Shortcut To Learning. “Cybersecurity awareness trainings are usually a boring affair, so imagine my colleagues’ surprise when I exited the room in which I participated in a demonstration of the Kaspersky Interactive Protection Simulation (KIPS) game and told them: ‘You have to try this!’ This enthusiasm is apparently shared by the overwhelming majority of people who undergo one or more of the trainings that make part of Kaspersky Lab’s set of cybersecurity awareness products, game host Slava Borilin told me later.” (Source: Help Net Security)
  • What The Rise Of Social Media Hacking Means For Your Business. “A product marketing manager at your company just posted a photo on LinkedIn. The problem? In the background of the image, there’s a Post-It note that contains his network passwords. You can barely see it, but using artificial intelligence algorithms, hackers can scan for the publicly available image, determine there are network passwords, and use them for data theft. According to data security expert David Maynor, this is not rocket science. In fact, the AI program is easier to use than a search engine.” (Source: CSO)
  • Corporations Cite Reputational Damage As Biggest Cyber Risk. “Public businesses fear the possibility of losing customer or employee’s personally identifiable information (PII) and the subsequent brand-damage fallout more so than other risks, a new study published by the International Association of Privacy Professionals (IAPP) found. The IAPP Westin Research Center studied US Securities and Exchange Commission (SEC) Form 10-K disclosure statements from more than 100 publicly traded companies. The forms are where businesses share risk factors that could prove concerning to investors.” (Source: Dark Reading)
  • Law School Victim Of A Cyber Attack, Applicant Data Compromised. “The stress of applying to law school can be intense. The LSAT, the essay, the hassle of it all. Now there’s an additional stress factor — well, if you applied to the University of Wisconsin Law School in 2005-06. Last week Wisconsin Law experienced a cyber attack in which the personal information — including Social Security numbers — of 1,213 applicants from the 05-06 season was compromised. That’s a real… unexpected downside to applying to law school.” (Source: Above the Law)
  • Global Businesses In Firing Line As Hackers Target Christmas Gadgets. “F5 Networks (NASDAQ: FFIV) and Loryka today revealed the findings of a report examining the use of connected devices as cyber weapons by hackers. The report, entitled ‘DDoS’s Newest Minions: IoT Devices,’ was created by F5 Labs using data from F5 partner Loryka and shows that hackers are increasingly searching for products with network connectivity to manipulate for their own means. With one in three Brits set to give gifts leveraging the Internet of Things for Christmas this year, the influx of smart products will also provide a welcome present for hackers.” (Source: IT Security Guru)
  • Phishing Malware August Lures Customer Service Staff. “A new malware-laden phishing campaign, dubbed August, has been detected targeting customer service and managerial staff at retailers, according to a new report from Proofpoint. The clever ploy spreads through an email arriving in the inboxes of targeted individuals with subject lines referring to supposed purchases via the company’s website. Recipients are specifically selected who are appropriate reps to deal with customer issues. The message further dupes recipients by saying more detailed information is contained in the attached document.” (Source: SC Magazine)
  • New Call To Regulate IoT Security By Design. “A Washington, D.C. think tank whose mission is critical infrastructure security has joined the call for lawmakers to consider regulating the security of connected devices. In a report published this week, the Institute for Critical Infrastructure Technology pinned the blame for a rash of Mirai malware-inspired IOT botnet DDoS attacks on manufacturer negligence. The report points out the lack of security by design in devices such as DVRs and IP-enabled closed circuit TV cameras that are protected by weak or known default credentials as the root cause for the emergence of these attacks. Further, they caution that the availability of the Mirai source code has brought these large-scale attacks within reach of script kiddies, criminals and nation-states alike.” (Source: Kaspersky’s Threatpost)
  • Russia Proposes 10-Year Prison Sentence For Hackers And Malware Authors. “The Russian government has introduced a draft bill that proposes prison sentences as punishment for hackers and cyber criminals creating malicious software used in targeting critical Russian infrastructure, even if they have no part in actual cyber attacks. The bill, published on the Russian government’s website on Wednesday, proposes amendments to the Russian Criminal Code and Criminal Procedure Code with a new article titled, ‘Illegal influence upon the critical informational infrastructure of the Russian Federation.’” (Source: The Hacker News)
  • Your Public Facebook Posts Might Still Be ‘Private’ In UK Cops’ Eyes. “Cops are all over social media, using monitoring tools to keep tabs on sporting events, protests, and more. These tools often aren’t just about gathering public posts or tweets; sometimes, they’re used to scrape metadata in aggregate and map out somebody’s movements over time too. But according to the UK’s National Police Chiefs’ Council (NPCC), which coordinates police forces across the country, you might have a reasonable expectation of privacy over your social media posts, even if they are public.” (Source: Vice’s Motherboard)
  • Fingerprint Passwords Not Theft-proof. “It sounds like a great idea: Forget passwords, and instead lock your phone or computer with your fingerprint. It’s a convenient form of security — though it’s also perhaps not as safe as you’d think. In their rush to do away with problematic passwords, Apple, Microsoft and other tech companies are nudging consumers to use their own fingerprints, faces and eyes as digital keys. Smartphones and other devices increasingly feature scanners that can verify your identity via these “biometric” signatures in order to unlock a gadget, sign into web accounts and authorize electronic payments.” (Source: Longview News Journal)
  • Threats Of Tomorrow: Using AI To Predict Malicious Infrastructure Activity. “The ever-increasing scale and complexity of cyber threats is bringing us to a point where human threat analysts are approaching the limit of what they can handle. We believe the next-generation of cyber threats must be tackled by a combination of machines equipped with artificial intelligence (AI) and human analysts — what we call centaur threat analysts. One example of this is presented here: a new approach to forecasting malicious IP infrastructure by using machine learning.” (Source: Recorded Future)
  • Tighe: Insider Threat Is Never Going Away. “The insider threat is never going to go away. This statement, echoed by many in government and directly by Vice Adm. Jan Tighe, deputy chief of naval operations for information warfare and director of naval intelligence, is a recognition that the insider threat problem is virtually impossible to defend against.” (Source: C4ISRNet)
  • Researchers Question Security In AMD’s Upcoming Zen Chips. “As more computing heads to the clouds, security researchers are questioning the security of virtual machine control panels called hypervisors. One of the first hardware-based solutions to address these concerns will be deployed by chip manufacturer AMD, called Secure Encrypted Virtualization. The feature is part of its upcoming x86 AMD Zen server family of microprocessors, slated to be released in the second quarter of 2017.” (Source: Kaspersky’s Threatpost)
  • Phishing From The Middle: Social Engineering Refined. “Phishing attacks have long been associated with malicious emails that spoof well-known institutions in order to trick users into coughing up credentials to bank accounts, email accounts, or accounts for major online services. Phishes that exploit the good name of trusted brands familiar to users have also been known to deliver ransomware, backdoors, and other malicious software designed to compromise the companies and organizations those users work for. Spoofing well-known institutions and brand names is old hat, though, and users have become increasingly wary of emails claiming to hail from familiar companies and organizations. In response, the bad guys have been refining their use of social engineering, the key to any successful phishing campaign.” (Source: Spiceworks)
  • ‘We Could Not Deliver Your Parcel’ Email Could Be Scam. “As Christmas approaches, experts suggest an extra dollop of caution before clicking on email package delivery notices. Fake notifications are proliferating, bringing not holiday cheer — but holiday ransomware. The holiday phishing season began just before Thanksgiving and will likely extend until after Christmas, said Caleb Barlow, vice president for IBM Security.” (Source: USA Today)
  • Software Salesman Pleads Guilty To PoS Scam. “A Washington state man has pleaded guilty to wire fraud for selling revenue-suppression software (RSS) to hospitality and retail businesses for tax evasion purposes in a scam that cost the US government more than $3.4 million. The US Department of Justice (DoJ) says John Yin sold a software program called Tax Zapper that allowed users to portray inaccurate sales figures, thus lowering their tax obligations.” (Source: Dark Reading)
  • Child Porn On Government Devices: A Hidden Security Threat. “Daniel Payne, director of the Pentagon’s Defense Security Service, admitted this spring to encountering “unbelievable” amounts of child pornography on government computers. The comment came during an event in Virginia where military and intelligence officials gathered to address threats posed by federal workers. Mr. Payne, who spent much of his career in senior CIA and intelligence community roles before taking the Pentagon post, wanted to stress the value of monitoring employees’ systems to ensure they remained fit to handle top-secret information.” (Source: The Christian Science Monitor’s Passcode)
  • 15 Under 15: Rising Stars In Cybersecurity. “Kids born after the year 2000 have never lived a day without the internet. Everything in their lives is captured in silicon chips and chronicled on Facebook. Algorithms track how quickly they complete their homework; their text message confessions and #selfies are whisked to the cloud. Yet the massive digital ecosystem they inherited is fragile, broken, and unsafe. Built without security in mind, it’s constructed on faulty code: From major companies such as Yahoo to the US government, breaches of highly sensitive or personal files have become commonplace. The insecurity of the internet is injecting itself into presidential politics ahead of the November election. In the not too distant future, digital attacks may set off the next war.” (Source: The Christian Science Monitor’s Passcode)
  • Malaysia To Establish Cybersecurity Academy. “The Malaysian Digital Economic Corporation (MDEC) and Protection Group International (PGI) have signed an agreement to work together to develop a cybersecurity academy in Malaysia. It will be known as the UK-APAC Centre of Security Excellence and will see PGI and MDEC collaborate, generate and formulate awareness and strategies to regularly promote bilateral cybersecurity research and investment opportunities. PGI will provide strategic advice on the design of the academy’s cybersecurity courses, infrastructure and resources.” (Source: InfoSecurity Magazine)
  • Facebook Begins Asking Users To Rate Articles’ Use Of ‘Misleading Language’. “A survey asking users about “misleading language” in posts is the latest indication that Facebook is facing up to what many see as its responsibility to get a handle on the fake news situation. At least part of its solution, it seems, is to ask users what they think is fake. The “Facebook Survey,” noticed by Chris Krewson of Philadelphia’s Billy Penn, accompanied (for him) a Philadelphia Inquirer article about the firing of a well-known nut vendor for publicly espousing white nationalist views. (It’s a small town, everyone knows everyone.)” (Source: TechCrunch)
  • Nintendo Teams Up With HackerOne To Secure 3DS Via Bounty Program. “Security vulnerabilities are a nightmare for a console company. Piracy and inappropriate content are particularly troublesome to Nintendo, so it’s teamed up with the web site HackerOne to find information on possible exploits of the 3DS platform. This is being done by offering a bounty for any security issues found in that hardware family specifically, with rewards starting at $100 and going all the way up to $20,000 for any major issues that are discovered. The rewards are currently focused on discovering problems in the 3DS hardware or Nintendo-published titles, so vulnerabilities in, for example, the general eShop structure or exploits from bugs in non-Nintendo games would be exempt.” (Source: Hardcore Gamer)

Safe surfing, everyone!

The Malwarebytes Labs Team


Announcing Malwarebytes 3.0, a next-generation antivirus replacement

Malwarebytes - Thu, 12/08/2016 - 12:59

I am thrilled to announce the launch of our next-generation product, Malwarebytes 3.0! This product is built to provide comprehensive protection against today’s threat landscape so that you can finally replace your traditional antivirus.

Our engineers have spent the last year building this product from the ground up and have combined our Anti-Malware, Anti-Exploit, Anti-Ransomware, Website Protection, and Remediation technologies all into a single product which we simply call “Malwarebytes.” And it scans your computer 4 times faster!

With the launch of Malwarebytes 3.0, we are confident that you can finally replace your traditional antivirus, thanks to our innovative and layered approach to preventing malware infections using a healthy combination of proactive and signature-less technologies. While signatures are still effective against threats like potentially unwanted programs, a large portion of our malware detection events already come from our signature-less technologies like our Anti-Exploit and Anti-Ransomware, and that trend will only continue to grow. For many of you, this is something you already know, since over 50% of our customers already run Malwarebytes as their sole security software, without any third-party antivirus. But rest assured, we continue to support compatibility if you choose to use a third-party antivirus or other security software alongside Malwarebytes 3.0.

With the combination of our Anti-Malware ($24.95), Anti-Exploit ($24.95) and Anti-Ransomware (free, beta) technologies, we will be selling Malwarebytes 3.0 at $39.99 per computer per year, 20% less than our previous products combined and 33% less than an average traditional antivirus. But don’t worry, if you are an existing customer with an active subscription or a lifetime license to Malwarebytes Anti-Malware, you will keep your existing price and get a free upgrade to Malwarebytes 3.0. If you have both an Anti-Malware and an Anti-Exploit subscription, we will upgrade you to a single subscription to Malwarebytes 3.0, reduce your subscription price and add more licenses to your subscription. More on that below! As always, we will be keeping malware remediation absolutely free.

I am so excited about this product and its ability to replace your traditional antivirus. It’s something we’ve been working toward for many years, and something both our consumer and business customers have been asking for.

See Malwarebytes 3.0 in action by viewing this video. You can download Malwarebytes 3.0 by clicking this link.

If you have any questions, please read the FAQ below first and then ask away!



Frequently Asked Questions

The complete Malwarebytes 3.0 Frequently Asked Questions can be found in our forums. Below is a selection of the most relevant FAQs.

So, I can replace my traditional antivirus?
Yes! As I said above, over 50% of our customers already have too. We believe in layered defense and built Malwarebytes 3.0 to provide the right mix of proactive and signature-less technologies to combat modern threats and zero-day malware. The combination of our Anti-Malware, Anti-Exploit, Anti-Ransomware, Website Protection, and Remediation technologies has you better covered against modern threats than the traditional antivirus companies that charge more for less effective protection.

Can I still run Malwarebytes alongside my Symantec, McAfee, etc.?
Certainly! We built Malwarebytes 3.0 to be compatible with all major antivirus software, even Windows Defender and Microsoft Security Essentials.

I’m an existing subscriber of Malwarebytes Anti-Malware. How much do I have to pay?
You don’t have to pay anything extra. Even though Malwarebytes 3.0 sells for $39.99, we are grandfathering ALL our existing customers at their original price. So if your subscription is currently $24.95, that is the price it will remain at, and you can get Malwarebytes 3.0 without having to pay anything extra. Your existing license key will work automatically with Malwarebytes 3.0.

I have a Malwarebytes Anti-Malware lifetime license. Will it work for Malwarebytes 3.0?
Yes! Simply install Malwarebytes 3.0 on top of your Malwarebytes Anti-Malware and your lifetime license will automatically apply to Malwarebytes 3.0.

Which Operating Systems does Malwarebytes 3.0 work under?
We continue to support all versions from Windows XP to Windows 10. Our Anti-Ransomware technology is only enabled on Windows 7 and higher.

How do I upgrade my Malwarebytes Anti-Malware to Malwarebytes 3.0?
Simply download and run the installer from here. Malwarebytes 3.0 will automatically upgrade Malwarebytes Anti-Malware 2.x to Malwarebytes 3.0 and apply its license key accordingly.

How do I upgrade to Malwarebytes 3.0 if I also have Anti-Exploit or Anti-Ransomware installed?
Simply download and run the installer from here. Malwarebytes 3.0 will automatically remove the old Anti-Malware, Anti-Exploit and Anti-Ransomware and upgrade them all to Malwarebytes 3.0.

I’m a business customer and I want Malwarebytes 3.0! When can I get it?
Small businesses that use the un-managed Malwarebytes Anti-Malware 1.x or 2.x versions can uninstall the old product and install the new Malwarebytes 3.0 Premium. The centrally managed Malwarebytes 3.0 will be shipping for business customers by early next year. We’re very excited about some really cool endpoint protection management technologies we have in the pipeline for our business customers.

Categories: Techie Feeds

Simple userland rootkit – a case study

Malwarebytes - Wed, 12/07/2016 - 17:02

Rootkits are tools and techniques used to hide (potentially malicious) modules from system monitoring. Many people, hearing the word “rootkit”, immediately think of kernel-mode techniques such as IDT (Interrupt Descriptor Table) hooking, SSDT (System Service Dispatch Table) hooking or DKOM (Direct Kernel Object Manipulation). But rootkits also come in a simpler, user-mode flavor. They are not as stealthy as kernel-mode rootkits, but because they are so much easier to implement they are far more widespread, which is why it is worth knowing how they work. In this article we present a case study of a simple userland rootkit that uses API redirection to hide its own presence from popular monitoring tools.

Analyzed sample


//special thanks to @MalwareHunterTeam

The rootkit code

This malware is written in .NET and is not obfuscated, which means it can be decompiled easily with a decompiler such as dnSpy.

As we can see in the code, it hooks three popular monitoring applications: Process Explorer (procexp), Process Hacker (ProcessHacker) and Windows Task Manager (taskmgr):

Let’s run this malware under dnSpy and observe its behavior in Process Explorer. The sample has been named malware.exe. At the beginning it is visible like any other process:

…but after executing the hooking routine, it just disappears from the list:

Attaching a debugger to Process Explorer, we can see that some API functions, e.g. NtOpenProcess, now start in an atypical way: with a jump to a different memory page:

The redirection leads to the injected code:

It is placed in a newly added memory page with full access rights:

We can dump this page and open it in IDA, getting a view of 3 functions:

The code of the first function begins at offset 0x60:

The space before it is filled with other data, which will be discussed in the second part of the article.

Rootkit implementation

Let’s have a look at the implementation details now. As we saw before, hooking is executed in a function HookApplication.

Looking at the beginning of this function, we can confirm that the rootkit’s role is to install in-line hooks on three API functions exported by ntdll.dll: NtReadVirtualMemory, NtOpenProcess and NtQuerySystemInformation.

Let’s have a look at what is required in order to implement such a simple rootkit.

The original decompiled class is available here: ROOT1.cs.

Preparing the data

First, the malware needs to know the base address at which ntdll.dll is loaded in the address space of the attacked process. The base is fetched by the function GetModuleBaseAddress, which enumerates the modules loaded in the examined process (using Module32First / Module32Next).

Having the module base, the malware needs the addresses of the functions that are going to be overwritten. RemoteGetProcAddressManual looks them up in the export table of the found module. The fetched addresses are saved in an array:

    //fetch addresses of imported functions:
    func_to_be_hooked[0] = (uint)((int)ROOT1.RemoteGetProcAddressManual(intPtr, (uint)((int)ROOT1.GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtReadVirtualMemory"));
    func_to_be_hooked[1] = (uint)((int)ROOT1.RemoteGetProcAddressManual(intPtr, (uint)((int)ROOT1.GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtOpenProcess"));
    func_to_be_hooked[2] = (uint)((int)ROOT1.RemoteGetProcAddressManual(intPtr, (uint)((int)ROOT1.GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtQuerySystemInformation"));

The first 24 bytes of each of those functions are read and stored in buffers (the hook needs the original code in order to call the real function later):

    //copy original functions' code (24 bytes):
    original_func_code[0] = ROOT1.ReadMemoryByte(intPtr, (IntPtr)((long)((ulong)func_to_be_hooked[0])), 24u);
    original_func_code[1] = ROOT1.ReadMemoryByte(intPtr, (IntPtr)((long)((ulong)func_to_be_hooked[1])), 24u);
    original_func_code[2] = ROOT1.ReadMemoryByte(intPtr, (IntPtr)((long)((ulong)func_to_be_hooked[2])), 24u);

A small 5-byte array will be used to build the jump. Its first byte, 233 (0xE9), is the opcode of the relative JMP instruction; the remaining 4 bytes are filled with the displacement to the detour function (E9 takes a signed 32-bit offset measured from the end of the 5-byte instruction, not an absolute address):

Another array contains the prepared detour functions in the form of shellcode:

The shellcodes are stored as arrays of decimal numbers:

To analyze the details, we can dump each shellcode to binary form and load it in IDA. For example, the resulting pseudocode of the detour for NtOpenProcess is:


So, what does this detour do? Very simple filtering: “if someone asks about the malware, tell them it’s not there; if someone asks about anything else, tell the truth”.

The other filters, applied to NtReadVirtualMemory and NtQuerySystemInformation (for the SYSTEM_INFORMATION_CLASS values 5 = SystemProcessInformation and 16 = SystemHandleInformation), do the equivalent for reading the hooked process’s memory and for listing all processes and handles on the system.

Of course, the filters must know how to identify the malicious process that wants to remain hidden. In this rootkit it is identified by its process ID, so the PID needs to be fetched and saved in the data that is injected along with the shellcode.

The detour for NtReadVirtualMemory also calls GetProcessId and GetCurrentProcessId in order to apply its filtering, so their addresses need to be fetched and saved as well:

    getProcId_ptr = (uint)((int)ROOT1.RemoteGetProcAddressManual(intPtr, (uint)((int)ROOT1.GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetProcessId"));
    getCuttentProcId_ptr = (uint)((int)ROOT1.RemoteGetProcAddressManual(intPtr, (uint)((int)ROOT1.GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetCurrentProcessId"));

Putting it all together

All the required elements must be put together in the proper order. First, the malware allocates a new memory area and copies all the elements into it, one after another:

    BitConverter.GetBytes(getProcId_ptr).CopyTo(array, 0);
    BitConverter.GetBytes(getCuttentProcId_ptr).CopyTo(array, 4);
    //...
    // copy the current process ID
    BitConverter.GetBytes(Process.GetCurrentProcess().Id).CopyTo(array, 8);
    //...
    // copy the original functions' addresses:
    BitConverter.GetBytes(func_to_be_hooked[0]).CopyTo(array, 12);
    BitConverter.GetBytes(func_to_be_hooked[1]).CopyTo(array, 16);
    BitConverter.GetBytes(func_to_be_hooked[2]).CopyTo(array, 20);
    //...
    //copy the code of original functions:
    original_func_code[0].CopyTo(array, 24);
    original_func_code[1].CopyTo(array, 48);
    original_func_code[2].CopyTo(array, 72);

After this prolog, the three shellcodes are copied into the same buffer, and the whole page is injected into the attacked process.

Finally, the beginning of each attacked function is patched with a jump that redirects to the appropriate detour within the injected page.

Bugs and Limitations

The basic functionality of a rootkit has been achieved here; however, the code also contains bugs and limitations. For example, it crashes the hooked application if the functions have already been hooked (e.g. when the malware is deployed a second time). The reason is that the hook also needs a copy of the original function in order to work. The hooking routine assumes that the code in the memory of ntdll.dll is always the original one and copies it from there into the required buffer, rather than from the raw image of ntdll.dll on disk. That assumption only holds in the optimistic case and fails if the function was hooked before: what gets saved is the previous hook’s jump, not the original prologue.
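To make the mechanics concrete, here is an added example (not code from the analyzed sample or from the article) that reproduces three pieces of the rootkit’s logic in Python: building the 5-byte 0xE9 patch with its relative displacement, the pre-hook check that would have avoided the double-hooking crash just described, and the list-unlinking that the NtQuerySystemInformation detour performs on SystemProcessInformation results. The record layout, the PIDs, the “clean” ntdll-style prologue and the addresses are constructed for the example; the real SYSTEM_PROCESS_INFORMATION structure is larger and keeps the PID at a different offset, but the unlinking logic is the same.

```python
import struct

# 1. The 5-byte patch written over each hooked function.
# 0xE9 is JMP rel32: the displacement is measured from the end of the
# instruction, so the bytes depend on where the patch is written, not only on
# the detour address.
def make_jmp_rel32(hook_addr: int, detour_addr: int) -> bytes:
    rel = detour_addr - (hook_addr + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("detour not reachable with a rel32 JMP")
    return b"\xe9" + struct.pack("<i", rel)


def decode_jmp_rel32(hook_addr: int, patch: bytes) -> int:
    """The analyst's view: where does a JMP rel32 found at hook_addr land?"""
    if len(patch) != 5 or patch[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    return hook_addr + 5 + struct.unpack("<i", patch[1:])[0]


# 2. The check the sample lacks: before saving the "original" prologue, make
# sure it really is original. A JMP in the first byte, or any mismatch with the
# prologue taken from the on-disk image, means someone hooked this function first.
def prologue_is_hooked(in_memory: bytes, on_disk: bytes) -> bool:
    return in_memory[0] == 0xE9 or in_memory[:5] != on_disk[:5]


# 3. What the NtQuerySystemInformation(SystemProcessInformation) detour does.
# Constructed stand-in record: "u32 NextEntryOffset | u32 UniqueProcessId |
# 16-byte name". NextEntryOffset is relative to the start of the current
# record and 0 marks the last one, exactly like the real structure.
ENTRY = struct.Struct("<II16s")


def build_process_list(processes) -> bytearray:
    """Pack [(pid, name), ...] into the chained buffer format above."""
    buf = bytearray()
    for i, (pid, name) in enumerate(processes):
        nxt = 0 if i == len(processes) - 1 else ENTRY.size
        buf += ENTRY.pack(nxt, pid, name.encode())
    return buf


def walk(buf):
    off = 0
    while True:
        nxt, pid, name = ENTRY.unpack_from(buf, off)
        yield off, nxt, pid, name.rstrip(b"\0").decode()
        if nxt == 0:
            return
        off += nxt


def list_pids(buf) -> list:
    return [pid for _, _, pid, _ in walk(buf)]


def hide_pid(buf: bytearray, hidden_pid: int) -> bytearray:
    """Unlink every record for hidden_pid in place, the way the detour filters
    the result buffer before handing it back to Process Explorer."""
    # A hidden record at the very front has no predecessor: drop its bytes.
    # Later offsets stay valid because they are relative to their own record.
    while ENTRY.unpack_from(buf, 0)[1] == hidden_pid:
        nxt = ENTRY.unpack_from(buf, 0)[0]
        if nxt == 0:
            raise ValueError("cannot hide the only process in the list")
        del buf[:nxt]
    # Otherwise make the predecessor's NextEntryOffset skip over the record
    # (or terminate the chain if the hidden record was the last one).
    prev_off = 0
    for off, nxt, pid, _ in list(walk(buf)):
        if pid != hidden_pid:
            prev_off = off
            continue
        prev_nxt = ENTRY.unpack_from(buf, prev_off)[0]
        struct.pack_into("<I", buf, prev_off, 0 if nxt == 0 else prev_nxt + nxt)
    return buf
```

Note that the hidden record’s bytes are still present in the buffer after unlinking; only the chain no longer reaches them. A tool that scans the whole returned buffer for record signatures, rather than following NextEntryOffset, still finds the process.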

There are also many limitations, e.g.:

  • the hooks are deployed only at the beginning of execution, so a monitoring program started while the malware is already running still sees it
  • the set of hooked applications is small: we can still attach to the malware with a debugger or view it with any tool the authors did not consider
  • the implemented code works only for 32-bit applications

The demonstrated rootkit is very simple, probably created by a novice. However, it illustrates very well the basic idea behind API hooking and how it can be used to hide a process.

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and on her personal blog.

Categories: Techie Feeds

AdGholas malvertising: business as usual

Malwarebytes - Tue, 12/06/2016 - 20:57

The largest malvertising attacks are the ones you seldom hear about. A group identified as AdGholas by Proofpoint, which has been involved in some of the stealthiest attacks we have seen in recent history, was caught again and exposed by ESET today. The last activity from AdGholas after the Proofpoint exposé was July 20th of this year. However, according to our telemetry, less than two months later the group was back with some of the largest malvertising attacks we have ever documented.

This post intends to give additional background information on this campaign. For the technical details, please check out the great research done by our colleagues at ESET.

Quick overview

The rogue actors were once again using a façade to distribute malicious advertisements. They created a website purporting to offer browser protection (for parental-control purposes) and also a Google Chrome extension that made its way into the Chrome Web Store. Under this disguise, they pushed malicious code over SSL that included several layers of fingerprinting.

When we looked at the fingerprinting events designed to evade security researchers and sandboxes, we immediately connected this attack to AdGholas thanks to the Yara signatures provided by Proofpoint.

What followed the first level of fingerprinting checks was a redirection, via SSL and the tinyURL service, to what appeared to be a custom exploit kit with a landing page we had never seen before:

Shortly after ESET published, we learned that this was the Astrum exploit kit. The ensuing Flash file (heavily encoded) appeared to once again perform some fingerprinting before delivering the final payload:

One might speculate on why AdGholas uses Astrum EK instead of RIG EK or other popular kits. Perhaps the threat actors consider those exploit kits too weak compared to predecessors such as Angler EK. It also makes sense to reserve a special weapon like Astrum EK for the high-impact attacks AdGholas is after and to stay away from run-of-the-mill EKs.

Timeline of events

The first record we have of browser-defence[.]com being involved in a malvertising attack is from September 5th. At the time, the attack was propagated via the SmartyAds network:{redacted}  ->{redacted}-US_EAST&u=url   ->

In October came the first instance of AdGholas going through Yahoo’s ad network to deliver its malicious ad. This one was delivered within the Yahoo Mail interface (users checking their mail would be shown the rogue advert):{redacted}

It was not until much later (11/27) that we were finally able to reproduce the malvertising chain from a genuine residential IP address, on a machine clean of any monitoring tools, only capturing traffic transparently. Until then we had only very strong suspicions that something was going on, but without a network capture we did not possess the ‘smoking gun’ required to make an affirmative claim. As soon as we had evidence of malfeasance (November 27th), we informed Yahoo of our discovery.

Quite revealingly, only a few days (11/30) after our report to Yahoo, we saw AdGholas switch to another domain on the very same server (broxu[.]com), used with exactly the same tricks.

Large publishers such as the MSN network were once again serving malware: -> Referer:

At the time of posting the campaign still continues, although the major ad networks have been informed and ‘should’ no longer be involved.

A geo-targeted campaign avoiding the US

The interesting aspect about this malvertising campaign is that the US was not one of the targets. Instead we saw Canada, the UK, Australia, Spain, Italy, and Switzerland as the most active geolocations. We observed most attacks happen in Canada and the UK as seen below on this heat map:

Despite not targeting the US, the latest AdGholas campaign has once again reached epic proportions and unsuspecting users visiting top trusted portals like Yahoo or MSN (not to mention many top level publishers) were exposed to malvertising and malware if they were not protected.


We reported this attack and worked with other industry members to mitigate its effects. There is no doubt that the adversary is very advanced and has been clever to fly under the radar for long periods of time. However, with each exposure, we are learning more about their infrastructure and can in turn build ours to catch them again.

Malwarebytes users were protected ‘by default’ because AdGholas will not fire its exploit if it detects the presence of our software.

Categories: Techie Feeds

Explained: Domain Generating Algorithm

Malwarebytes - Tue, 12/06/2016 - 19:00

A Domain Generating Algorithm (DGA) is a program or subroutine that provides malware with new domains on demand or on the fly.


The earliest malware family we could find that used a DGA is Kraken, in 2008. Later that year, Conficker made the technique a lot more famous.

What’s the use?

The DGA technique is used because malware that depends on a fixed domain or IP address is quickly blocked, which hinders operations. So, rather than releasing a new version of the malware or setting everything up again on a new server, the malware switches to a new domain at regular intervals.

A typical use of a DGA is locating the C&C servers of botnets and ransomware. If defenders could block or take down those servers, the link between the victims and the threat actor would be cut: bots would no longer be able to fetch new instructions, and machines infected with ransomware would be unable to request encryption keys or send user data.

The constant changing of the C&C domain is also called “domain fluxing”. It is sometimes confused with “fast fluxing”, an older technique that abuses DNS load balancing by rapidly rotating the IP addresses behind a single domain: fast flux changes the addresses behind a name, while domain flux changes the names themselves.

More details about how it works

To better understand how these algorithms work, let’s look at the requirements they have to fulfill:

  • The routine has to generate domains that are predictable to both ends of the communication chain (the bot and the operator).
  • The routine has to be as unpredictable as possible for security researchers.
  • The domain registration fee has to be low, given the huge number of domains that will be used.
  • Registration has to be fast, since a new domain may be needed on short notice.
  • The registration process has to be anonymous, or at least untraceable.

To achieve predictability, yet remain hard to research, the DGA routines use a few building blocks:

  • Seed, the base element
  • An element that changes with time
  • Top Level Domains (TLDs)

Image courtesy of Cisco Blog

The seed can be a phrase or a number: practically anything the threat actor can change at will (e.g. when they switch to a new version) and that can be used in an algorithm. The seed and the time-based element are combined by the algorithm to create the domain name body, and this body is combined with one of the available TLDs.

Note that a time-based element need not be something like the date and time. It can be something else that varies with time, like for example the trending topic on Twitter in a certain country at the moment of the connection. Actually, something that is difficult to predict is preferred, as this makes it harder for researchers to register certain domains ahead of time and intercept traffic or do a takeover.

Another trick to throw off countermeasures is to use only some of the domains the algorithm produces. This drastically increases the number of domains researchers have to register if they plan to intercept the traffic, since they cannot know in advance which of the candidates will actually be used.

When it comes to TLDs, .xyz, .top, and .bid are very popular at the moment. This is due to the reasons mentioned earlier: low costs and quick availability, because the registrars allow automated and anonymous domain registrations.
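As an added illustration (not code from the post or from any real malware family), the following Python puts the building blocks above together: a seed, the calendar date as the time element, the TLD set, and the “use only some of the candidates” trick. The seed value, the hash-based construction, the example date and the sample DNS queries are constructed for the example. It also shows the defender’s side: once the algorithm and seed have been recovered, the candidate domains for the coming days can be precomputed for blocking or sinkholing, and DNS logs can be matched against them.

```python
import hashlib
from datetime import date, timedelta

# Building blocks named in the post. SEED is a constructed value; for a real
# family it is recovered by reversing the sample.
SEED = "example-seed-v1"
TLDS = ("xyz", "top", "bid")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
START = date(2016, 12, 6)          # constructed example day


def next_day(day: date, n: int = 1) -> date:
    return day + timedelta(days=n)


def dga(seed: str, day: date, count: int = 20, length: int = 12) -> list:
    """Constructed toy DGA. The bot and the operator both run it; for the same
    seed and day they get the same candidate list, in the same order."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        body = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        domains.append(f"{body}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def operator_pick(seed: str, day: date, count: int = 20) -> str:
    """The 'do not use all of them' trick: the operator registers only one of
    the day's candidates. Bots still try the whole list (the first one that
    answers wins), so nobody has to tell them which index was chosen."""
    idx = hashlib.sha256(f"pick|{seed}|{day.isoformat()}".encode()).digest()[0] % count
    return dga(seed, day, count)[idx]


def defender_blocklist(seed: str, start: date, days: int) -> set:
    """Once researchers have the algorithm and seed, every domain the bots will
    try over the next `days` days can be precomputed. The subset trick forces
    them to cover count*days names even though only `days` will ever be live."""
    return {d for n in range(days) for d in dga(seed, next_day(start, n))}


def flag_dga_lookups(hostnames, seed: str, today: date, slack: int = 1) -> list:
    """Detection side: match DNS queries (constructed log input) against the
    candidates for today +/- slack days; the window absorbs clock skew between
    the bot and the operator."""
    window = defender_blocklist(seed, next_day(today, -slack), 2 * slack + 1)
    return [h for h in hostnames if h.lower().rstrip(".") in window]
```

The precomputation only works because the time element here is the date. If the family instead seeds from something the defender cannot predict (the post’s example is a Twitter trending topic at connection time), the blocklist can only be built after the fact, which is exactly why such inputs are attractive to the operator.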


Domain Generating Algorithms are in use by cybercriminals to prevent their servers from being blacklisted or taken down. The algorithm produces random looking domain names. The idea is that two machines using the same algorithm will contact the same domain at a given time, so they will be able to exchange information or fetch instructions.


For more technical details, we can recommend: Dissecting Domain Generation Algorithms

And an example: Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA

Pieter Arntz

Categories: Techie Feeds

Fake Forbes story becomes bearer of “smart drug” news

Malwarebytes - Mon, 12/05/2016 - 18:40

First there were fake online Canadian pharmacies, then fake diet supplements. Now we have fake brain enhancers.


Stephen Hawking Predicts, “This Pill Will Change Humanity” Stephen Hawking credits his ability to function and maintained [sic] focused [sic] on such a high level to a certain set of “smart drugs” that enhance cognitive brain function and neural connectivity, while strengthening the prefrontal cortex and boosting memory and recall. In an interview with Anderson Cooper, Stephen Hawking said that his brain is sharper than ever, more clear and focused and he credits a large part to using InteliGEN. Hawking went on to add “The brain is like a muscle, you got to work it out and use supplements just like body builders use, but for your brain, and that’s exactly what I’ve been doing to enhance my mental capabilities”. Everyone has taken this, from athletes like Tom Brady to musicians like Kanye West have nothing but praise for the brain booster, which doubles IQ, skyrockets energy levels and connects areas of the brain not previously connected. InteliGEN works so well for these guys, we had to ask…Is it safe?

Above is a bird’s-eye-view shot of the fake Forbes article we encountered recently, with a partial excerpt of its content. We came across it after receiving a spam message in our honeypots containing a Baidu URL that redirects to armasphoto[DOT]ru, which in turn redirects a second time to a random domain hosting the fake Forbes article.

Scams of this nature don’t only arrive via email. They may also be shared via social networking platforms, chat sessions, public comments on forums and blog posts, and (if legitimate websites aren’t careful) sometimes they’re inadvertently served via ads on sites, especially when browsing on mobile devices.

Once users click any of the multiple text links on the fake news page, they are redirected to a page about InteliGEN, the said “smart drug” in question. Below is a snapshot of one of its several purported official websites:


The earliest account of fake news stories featuring InteliGEN dates from August of this year; however, according to an independent blog, a string of fake brain enhancers had been circulating for months before that. Below is the list of “brands” that blog has accumulated:

  • Addium
  • Alpha ZXT
  • Brainfire
  • BrainPlus IQ
  • BrainStorm (Elite)
  • Cogniq
  • Geniux
  • Intellux
  • Neurocell
  • Synagen

For those who want to read more about InteliGEN and its brain enhancement claims, Snopes wrote this article back in September of this year.

If you encounter the above fake Forbes story via email, social media, or anywhere else on the Web, simply close that browser tab and avoid clicking the links on it. And for those who regularly surf the Web on their mobile devices, it would help to disable JavaScript in your browser to minimize unwelcome redirects from sites that may be unaware their visitors are being redirected to fake or scam pages.

Jovi Umawing

Categories: Techie Feeds

A week in security (Nov 27 – Dec 03)

Malwarebytes - Mon, 12/05/2016 - 17:00

Last week, we commented on Gooligan, homed in on a fake WhatsApp phishing email, and discussed a rogue Chrome extension that forces itself to install in user browsers.

We also published the second of three installments in our blog series on attribution, which you can read here. We also featured Vindows [sic] Locker, another ransomware, and a unique calendar spam on Apple systems.

For Mobile Menace Monday, we pushed out a blog about Adups:

Mobile Menace Monday: Adups, old and new

Below are notable news stories and security-related happenings:

  • Tesco Bank Under Investigation For Possibly Ignoring Warning Of Potential Cyberattack. “A probe has been reportedly launched into Tesco Bank, in efforts to determine whether the bank failed to heed warnings of a security flaw in its payment systems, which may have allowed hackers to make away with millions of pounds. Authorities believe that the bank may have failed to act on a warning from Visa, issued out a year ago, according to reports. Investigators at the National Crime Agency (NCA) and the Financial Conduct Authority (FCA) believe that the hackers used customised computers to leverage an alleged Code 91 glitch, which allowed them access to customers’ card data.” (Source: The International Business Times)
  • Passengers Ride Free On SF Muni Subway After Ransomware Infects Network, Demands $73k. “Hard-drive-scrambling ransomware infected hundreds of computers at San Francisco’s public transit agency on Friday and demanded 100 bitcoins to unlock data, The Register has learned. Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT workers scrambled to clean up the mess.” (Source: The Register)
  • Microsoft Partners State Agencies to Fight Piracy. “Microsoft has partnered with some government agencies to promote Cyber safety and anti-piracy awareness in Ghana. Microsoft in collaboration with the National Communication Authority, Ministry of Communication, and National Security Secretariat with the support from the US Government hosted a week-long awareness drive on Cyber Security.” (Source: CitiFMOnline)
  • Online Christmas Shoppers Could Be Under Cyber Attack As Experts Warn Of “Wild West” Conditions. “Cyber-crooks are set to exploit “Wild West” conditions online as shoppers splurge record amounts in the run-up to Christmas. Experts warn that starting with today’s Cyber Monday sales frenzy, bargain hunters will have every scam in the book thrown at them.” (Source: The Mirror)
  • ATM Insert Skimmers: A Closer Look. “KrebsOnSecurity has featured multiple stories about the threat from ATM fraud devices known as “insert skimmers,” wafer-thin data theft tools made to be completely hidden inside of a cash machine’s card acceptance slot. For a closer look at how stealthy insert skimmers can be, it helps to see videos of these things being installed and removed. Here’s a look at promotional sales videos produced by two different ATM insert skimmer peddlers. Traditional ATM skimmers are fraud devices made to be placed over top of the cash machine’s card acceptance slot, usually secured to the ATM with glue or double-sided tape. Increasingly, however, more financial institutions are turning to technologies that can detect when something has been affixed to the ATM. As a result, more fraudsters are selling and using insert skimming devices — which are completely hidden from view once inserted into an ATM.” (Source: KrebsOnSecurity)
  • Exclusive: Third Parties Leaking Email Addresses, Passwords From Leading Firms On Dark Web. “In August, security experts revealed that 68 million Dropbox user emails and passwords were leaked onto the dark web. For LinkedIn, the number was 167 million leaked credentials. For Yahoo: more than 500 million. Now, you may have heard about these breaches, but perhaps you haven’t considered how it involves you: What email did you use to sign up for these platforms? If you’re a law firm employee, and you used your company email address, you may have opened the law firm up to risk. If you use the same two or three passwords on multiple different accounts, particularly connected with your work log-in, this risk potential skyrockets.” (Source: LegalTech News)
  • National Lottery Accounts Feared Hacked. “About 26,500 National Lottery accounts are feared to have been hacked, according to its operator Camelot. The firm said it did not believe its own systems had been compromised, but rather that the players’ login details had been stolen from elsewhere. The company said that no money had been taken from or added to the compromised accounts.” (Source: The BBC)
  • GET Pwned: Web CCTV Cams Can Be Hijacked By Single HTTP Request. “An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves devices wide open to hijacking, it is claimed. The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we’re told. If your camera is one of the at-risk devices, and it can be reached on the web, then it can be attacked, infected with malware and spied on. Network cameras typically use UPnP to drill through to the public internet automatically via your home router.” (Source: The Register)
  • Newly Discovered Router Flaw Being Hammered By In-the-wild Attacks. “Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers. Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers.” (Source: Ars Technica)
  • Europol Takes Thousands Of Piracy And Fraud Sites Offline. “Law enforcement authorities from 27 countries, anti-counterfeiting associations and brand owner representatives participated in this huge action, which was coordinated and facilitated by Europol’s Intellectual Property Crime Coordinated Coalition (IPC³), the US National Intellectual Property Rights Coordination Center and Interpol.” (Source: InfoSecurity Magazine)
  • IRS Hires ‘White-hat’ Hackers To Help Protect IT Systems. “The IRS is employing a ‘white hat’ approach to improve its cybersecurity. The IRS awarded Synack Government a $2 million contract to provide penetration testing by ethical hackers or researchers with no knowledge of IRS systems.” (Source: Federal News Radio)
  • What Parents Don’t Get About Cyberbullying. “At a moment when many parents and school administrators are trying to deter internet bullying, at least one digital security expert called Mr. Trump’s online outbursts ‘a negative role model for America’s youth.’ But as educators, experts, and law enforcement agencies rush to try and thwart internet bullying, Nathan Fisk, a professor at the University of South Florida who studies the internet and youth culture, worries that some approaches may go too far. In his new book, ‘Framing Internet Safety: The Governance of Youth Online,’ he argues that kids still need safe and unsupervised spaces on the internet to figure out the right and wrong ways to communicate – without the prying eyes of parents or school officials.” (Source: The Christian Science Monitor’s Passcode)
  • What Will The Data Breach Landscape Look Like In 2017? “While many companies have data breach preparedness on their radar, it takes constant vigilance to stay ahead of emerging threats and increasingly sophisticated cybercriminals, according to Experian Data Breach Resolution. ‘Preparing for a data breach has become much more complex over the last few years,’ said Michael Bruemmer, VP at Experian Data Breach Resolution. ‘Organizations must keep an eye on the many new and constantly evolving threats and address these threats in their incident response plans.'” (Source: Help Net Security)
  • The Surprising Reason Why You Keep Getting Hacked. “Cyber Monday is upon us — and one in four shoppers will get hacked this holiday season. If it’s already happened to you, the chances are that it will happen again. That’s because many people still aren’t motivated to protect their personal information, according to one new survey. The just-released 2016 Norton Cyber Security Insights Report, which surveyed 21,000 people in 21 countries, found that seventy-six percent know they must actively protect themselves when they go online, but they still share passwords and engage in risky behaviors.” (Source: NBC News)
  • PayPal Fixes OAuth Token Leaking Vulnerability. “PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. For its part, PayPal remedied the vulnerability about three weeks ago.” (Source: Kaspersky’s ThreatPost)
  • Cryptography Professor Warns About Android Security, Says Some Of It Is Six Years Behind The iPhone. “We are constantly barraged with sensationalist headlines of the “millions of Android phones are under threat” type that inform about this and that malware or security lapse that is usually pretty easy to avoid if you install decent apps from legit sources. The sole reason for so much Android security news, however, is that Android’s encryption is still not up to par, even in the latest 7.0 Nougat version, reveals a cryptography professor from Johns Hopkins University.” (Source: Phone Arena)
  • How A Grad Student Found Spyware That Could Control Anybody’s iPhone From Anywhere In The World. “The night it happened, right after midnight on August 10, Bill Marczak and his girlfriend were staying up late to watch Star Trek reruns in their spare one-bedroom apartment, in El Cerrito, California, just north of the University of California at Berkeley campus. A trim Ph.D. candidate with dense brown hair and a disciplined beard, Marczak wasn’t just another excitable, fast-talking Berkeley grad student. He was a pioneering analyst in a new and unusual theater of cyber-warfare: the struggle between Middle Eastern freedom activists and authoritarian governments in countries such as Bahrain and Egypt.” (Source: Vanity Fair)
  • 380,000 xHamster Account Details Traded On Digital Underground. “Account details belonging to hundreds of thousands of users of porn website xHamster are being traded on the digital underground. That’s according to Vice’s Motherboard, who claimed it received a database of almost 380,000 users from for-profit breach notification site LeakBase which included usernames, email addresses and what looks like poorly-hashed passwords.” (Source: InfoSecurity Magazine)
  • Spammers Bombard iCloud Users With New Deluge. “Government-backed awareness raising organization, Get Safe Online, has issued new guidance for users bombarded with iCloud calendar and photos sharing spam. The irritation has become particularly pronounced of late over the Black Friday shopping weekend, according to multiple reports.” (Source: InfoSecurity Magazine)
  • NetWire RAT Back, Stealing Payment Card Data. “The remote access Trojan NetWire is back and this time making the rounds pilfering payment card data. The move is a shift for attackers behind notorious NetWire, that was once thought to be the first multi-platform RAT. Over the last couple of years payment card breaches have been mostly synonymous with point of sale (POS) malware that scrapes memory from credit and debit cards swiped through the infected system. A new variant of NetWire RAT scrapes card data and also boasts an integrated keylogger that can sniff data from devices like USB card readers, according to researchers at SecureWorks, who detailed on Monday the latest version of the RAT they came across back in September.” (Source: Kaspersky’s ThreatPost)
  • Two Hackers Appear To Have Created A New Massive Internet Of Things Botnet. “The massive cyberattacks that in the last few weeks have crippled several popular services like Twitter and Spotify, the website of a noted security journalist, and many more, may be about to get worse. Two hackers appear to have created a new powerful zombie army of hacked Internet of Things devices with a modified version of the infamous malware Mirai. The cybercriminals are offering the powerful botnet to anyone who’s willing to pay to launch crippling distributed denial of service (DDoS) cyberattacks.” (Source: Vice’s Motherboard)
  • Report: Most Cybercriminals Earn $1,000 To $3,000 A Month. “Most cybercriminals make between $1,000 and $3,000 a month, but 20 percent earn $20,000 a month or more, according to a recent report. The data is based on a survey conducted by a closed underground community, said report author Andrei Barysevich, director of advanced collection at cybersecurity firm Recorded Future.” (Source: Network World)
  • 600,000 Car-sharing Users’ Details Stolen In Cyber Attack. “The company Comuto Deutschland made the announcement on Tuesday, only a day after Telekom revealed that a cyber attack had knocked out the internet for almost a million of its customers. ‘We regret to inform you that there has been an illegal seizure of archives from the former platforms and,’ the statement read.” (Source: The Local)
  • Employees Rely Largely On Personally Owned Mobile Devices In The Workplace. “Mobile device adoption in the workplace is not yet mature, found a recent survey from Gartner. Although 80 percent of workers surveyed received one or more corporate-issued devices, desktops are still the most popular corporate device among businesses, with more than half of workers receiving corporate-issued desktop PCs. The survey findings are based on the 2016 Gartner Personal Technologies Study, which was conducted from June to August 2016 among 9,592 respondents in the U.S., the U.K. and Australia.” (Source: Help Net Security)
  • FriendFinder Networks Data Breach Demonstrates The Need For Passwords To Be Eliminated From The Security Puzzle. “The news that more than 412 million accounts and user credentials were exposed following the breach of FriendFinder Networks should serve as a reminder to both organisations and individuals about the weaknesses of passwords. Gideon Wilkins, VP of Sales and Marketing at Secure Cloudlink, believes that due to the high incentive for cyber-criminals to steal this information, passwords as a form of authentication should be eliminated completely from the security equation. According to LeakedSource, which acquired a copy of the leaked data set of the FriendFinder Networks breach, a million of the accounts have the password ‘123456’ and more than 100,000 have the password ‘password’.” (Source: IT Security Guru)
  • Shamoon Malware Returns To Again Wipe Saudi-owned Computers. “Thousands of computers in Saudi Arabia’s civil aviation agency and other Gulf State organisations have been wiped by the Shamoon malware after it resurfaced some four years after wiping thousands of Saudi Aramco workstations. Security firms FireEye, CrowdStrike, McAfee, Palo Alto, and Symantec reported on the advanced sabotage malware which United States intelligence officials say is Iran’s handiwork.” (Source: The Register)
  • It Will Soon Be Illegal To Punish Customers Who Criticize Businesses Online. “Congress has passed a law protecting the right of US consumers to post negative online reviews without fear of retaliation from companies. The bipartisan Consumer Review Fairness Act was passed by unanimous consent in the US Senate yesterday, a Senate Commerce Committee announcement said. The bill, introduced in 2014, was already approved by the House of Representatives and now awaits President Obama’s signature.” (Source: Ars Technica)
  • Microsoft Silently Fixes Kernel Bug That Led To Chrome Sandbox Bypass. “Microsoft appears to have silently fixed a two-year-old bug in Windows Kernel Object Manager that could have allowed for the bypass of privileges in Google’s Chrome browser. James Forshaw, a researcher with Google’s Project Zero, first reported the issue in December 2014. Microsoft responded to Google a month later saying it didn’t consider the issue worthy of a fix. Forshaw and Google marked the issue as ‘WontFix’ and removed the view restriction on the disclosure. It’s been more or less on ice since then.” (Source: Kaspersky’s ThreatPost)
  • Europol Red-faced As Terror Data Appears Online. “Europol admitted on Wednesday that confidential information on terror investigations were accidentally put online, as it launched a probe into what it called a ‘very serious incident.’ Dutch investigative TV programme Zembla, which broke the story, said around 700 pages on terror investigations — particularly analysis on terror groups — appeared online, including the names and contact details of hundreds of people with terror links.” (Source: Security Week)
  • Facebook Denies Researchers’ Claim Ransomware Spreading Via Images. “Researchers at security firm Check Point Software Technologies warned social media users that online criminals have begun using specially crafted image files to spread ransomware using a weakness in some social media services. The report, posted to the company’s website, came as attackers used Facebook and other services to spread images containing links to sites that would try to trick users into downloading the Locky ransomware.” (Source: eWeek)
  • New ‘TV’ App From Apple Raises Security And Net Neutrality Concerns. “The app, also to be made available for iOS, offers a solution to the currently disjointed state of video streaming on the Apple TV. Presently, Apple TV owners must sign into and open individual streaming applications to see what new media is available to watch. This compartmentalization prevents users from easily comparing the live and on-demand offerings of competing apps, a problem that Apple TV users have been vocalizing since Siri’s integration in 2015.” (Source: IP Vanish)
  • Major Cybercrime Network Avalanche Dismantled In Global Takedown. “Law enforcement agencies have dismantled a major cybercriminal network responsible for malware-based attacks that have been harassing victims across the globe for years. The network, called Avalanche, operated as many as 500,000 infected computers on a daily basis and was responsible for delivering malware through phishing email attacks. Avalanche has been active since at least 2009, but on Thursday, authorities in the U.S. and Europe announced they had arrested five suspects allegedly involved with it.” (Source: CSO)
  • Travelers Are ‘Easy Targets’ For Online Financial Crime When Abroad. “As holiday season begins, many are looking forward to spending some much needed time away from home. Others will be on vacations abroad and spending money is inevitable. Travelers need to be wary of online financial operations. According to research from Kaspersky Lab, consumers – including holiday makers and business travelers, conduct a lot of financial operations online when abroad, putting themselves at risk when they are not properly protected.” (Source: IT News Africa)

Safe surfing, everyone!

The Malwarebytes Labs Team
