Subscribe to Malwarebytes feed
The Security Blog From Malwarebytes
Updated: 16 hours 43 min ago

10 tips for safe online shopping on Cyber Monday

Fri, 11/17/2017 - 17:33

Shoppers familiar with the Cyber Monday circus know they’re stepping into the lion’s den. The Internet has always been a lawless place, but it becomes particularly rough during the holiday shopping season.

In preparation for the frenzy, cyber villains have crafted a virtual onslaught of social engineering scams, malspam, and malicious, spoofed websites in order to dupe the droves of people expected to spend nearly $4 billion online this year.

So, bargain hunters, it’s important to know the warning signs. Here’s your guide to safe online shopping on Cyber Monday and beyond.

  1. Go directly to a store’s website instead of using search engines to look for deals. If you happen to find a deal using a search engine, try to verify it by searching for the exact name of the deal in quotes. If it’s a scam, then it’s likely someone will have already put out a warning.
  2. Give pop-ups and other digital ads the stank eye. Many pop-ups could contain fake coupons, redirect you to malicious sites, or expose you to cross-site scripting attacks. If a coupon seems to come out of nowhere with a too-good-to-be-true offer, don’t think twice. Just click that “x” and shut it down.
  3. Watch out for social media scams, especially on Facebook. Cybercriminals are using fake or compromised Facebook accounts in order to post links to amaaaaaazing deals that don’t actually exist. They’re especially prone to dropping links on the walls of open groups dedicated to shopping. “One of the top shopping scams to avoid in the run-up to Cyber Monday is the social media fakeout,” says Chris Boyd, Lead Malware Analyst at Malwarebytes. “During any given holiday period there will be an excess of fake offers, deals, and supposed freebies which tend to have a sting in the tail. If you’re being asked to share something on Facebook in order to get your hands on something too good to be true, you can bet there’s a scam involved.”
  4. Dump Cyber Monday emails with attachments in the virtual garbage. Cyber Monday emails with attachments, especially zip files, are super suspect—it’s possible, in fact likely, that they contain malware. Delete them immediately. Not only that, but you should review any other Cyber Monday-related emails with a hawk eye. If you get an email from a store claiming to have a deal, type the store’s URL directly into your browser instead of clicking on the link. If the site doesn’t verify the deal, you know it’s a fake.
  5. Make sure you’re on a secure connection. Look for the padlock icon to the left of the URL when you go to check out. If it’s there, then that means the information passed between a store’s server and your browser remains private. In addition, the URL should read “https” and not just “http.”
  6. Do not use debit cards to shop online. Want to give cybercriminals direct access to your bank account? Then by all means, use your debit card! Otherwise, play it safe by using credit cards or a PayPal account that’s linked to a credit card. While many banks are cracking down on fraudulent withdrawals, you’ll still have to wait for your money while they investigate the charges.
  7. Avoid using public wifi to shop. All a cybercriminal needs to do to get a public wifi password and wreak havoc is order a coffee. If you’re shopping and entering personal data, best to do it on your secure wifi connection at home.
  8. Watch out for malicious QR codes. Q what now? QR codes are small, pixelated codes meant to be scanned by a smartphone’s camera. They often contain coupons, links to websites, or other product marketing materials. Some hackers have started creating codes that link to a phishing or malware site, printing them on stickers, and placing them on top of the legit QR codes. Best to avoid them.
  9. Don’t fork over extra info. If a site starts asking for out-of-the-ordinary personal data, like Social Security numbers or password security questions, slam on the brakes and get the heck out of Dodge.
  10. Tighten up security before you shop on Cyber Monday. Make sure all software on your computer is up-to-date, including your OS, browser, and other apps. And if you don’t already have it, install a cybersecurity program on your desktop (whether it’s a Mac or PC) that prevents malware infection to insure maximum coverage. In addition, since mobile shopping is set to outpace desktop shopping for the first time this year, it’s a smart idea to download a cybersecurity program for your phone. If you’ve already covered your cybersecurity bases, make sure you run updates on all those programs as well.

Happy, and safe, holiday shopping everyone!

The post 10 tips for safe online shopping on Cyber Monday appeared first on Malwarebytes Labs.

Categories: Techie Feeds

When you shouldn’t trust a trusted root certificate

Thu, 11/16/2017 - 17:30

Root certificates are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certified authority (CA) and, essentially, verify that the software/website owner is who they say they are. We have talked about certificates in general before, but a recent event triggered our desire for further explanation about the ties between malware and certificates.

In a recent article by RSA FirstWatch, we learned that a popular USB audio driver had silently installed a root certificate. This self-signed root certificate was installed in the Trusted Root Certification Authorities store. Under normal circumstances, you would have to agree to “Always trust software from {this publisher}” before a certificate would be installed there.

However, the audio driver skipped this step of prompting for approval (hence “silently” installing).  The silent install was designed to accommodate XP users, but it had the same effect in every Windows operating system from XP up to Windows 10. The installer was exactly the same for every Windows version. Ironically enough, the certificate wasn’t even needed to use the software. It was just introduced to complete the installation on Windows XP seamlessly.

Why is this a bad thing?

Root certificates can be installed for purposes such as timestamping, server authentication, code-signing, and so on. But this particular driver installed a certificate valid for “All” purposes. So any system with these drivers installed from any of the vendors will trust any certificate issued by the same CA—for “All” purposes. Under normal circumstances, only a certificate issued by Microsoft would have “All” in the root certificates “Intended Purposes” field.

Having a certificate in the Trusted Root Certification Store for “All” intended purposes on a Windows system gives anyone that has the private key associated with the certificate the ability to completely own the system on which it is installed. The impact is the same as for any Certificate Authority (CA) behind certificates installed on Windows systems.

An exception is that in some instances large companies may choose to do the same with the intent to perform SSL decryption at the perimeter for outbound traffic. So, not only does silently adding a root certificate break the hierarchical trust model of Windows. It also gives any owner of the private key that goes with that certificate a lot of options to perform actions on a computer with that certificate installed.

How can they be abused?

An attacker who gets ahold of the private key that belongs to a root certificate can generate certificates for his own purposes and sign them with the private key. Any certificate with the root certificate already in their Trusted Root Certification Store on a Windows system will trust any certificate signed with the same private key for “All” purposes. This applies to software applications, websites, or even email. Anything from a Man-in-the-Middle (MitM) attack to installing malware is possible. And as if this wasn’t bad enough, security researchers at the University of Maryland found that simply copying an authenticode signature from a legitimate file to a known malware sample can cause antivirus products to stop detecting it, even though it results in an invalid signature.

Methods of abuse

There are several ways of abusing certificates by criminals. They can:

Of all these methods, it stands to reason that stolen certificates, especially those intended for “All” purposes, are the most dangerous. So introducing one of these just because you want to install a driver or to enable easier customer support, and not letting the user know, is inadvisable at best.

If you think that the number of certificates in use by malware authors can’t be that large, have a look at the suspects that have been reported at the CCSS forum.

How can I remove certificates I don’t need or trust?

A list of known signing certificates that are being abused by threat actors has been made available at As explained earlier, using signing certificates gives criminals a lot of options to bypass system protection mechanisms, which is why you might want to remove those from your machine. There is also a test site where you can check if any of the software programs that are open to an MitM attack are active on your system.

To delete a trusted root certificate:

  • Open the certificates snap-in for a user, computer, or service. You can do this by running certmgr.msc from your Run/Searchprograms box or from a command prompt.
  • Select Trusted Root Certification Authorities.
  • Under this selection, open the Certificates store.
  • In the details pane on the right-hand side, select the line of the certificate that you want to delete. (To select multiple certificates, hold down control and click each certificate.)
  • Right click the selection you made and in the action menu, click delete.
  • Confirm your choice by clicking yes if you are completely sure that you want to permanently delete the certificate.

Please note that user certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

You might want to back up the certificate by exporting it before you delete it. For the procedure to export a certificate, see export a certificate.

If you want to look at the Thumbprint, aka serial number, of the certificates, you can use this Powershell command to list the non-Microsoft certificates in the Trusted Root Certification Authorities:

Get-ChildItem -Path cert:\currentuser\AuthRoot -Recurse | select Thumbprint, FriendlyName, Subject | ConvertTo-Html | Set-Content c:\users\public\desktop\certificates.html

This will create a html file on the public desktop that shows the list by Thumbprint (in reverse order) and where you can look up the Friendly Name and Subject that belongs to a Thumbprint.

For those that do like to keep an eye on things, there is a guide by Xavier Mertens for a piece of code that alerts you about changes in the certificate store.


Since root certificates are intended to heighten security, it should be clear to those issuing them that they should be treated as such, and not as something that they can install willy-nilly whenever it suits their needs. The whole point of prompting users is to establish a chain of trust that they should be able to rely on. And in this case, the prompt was bypassed only to enable installation on a no-longer-supported operating system. That both ruins user trust and introduces unnecessary security risk for a rather shallow reason.

The post When you shouldn’t trust a trusted root certificate appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Bad romance: catphishing explained

Wed, 11/15/2017 - 17:46

You’ve heard or read about some variant of this story before: Girl meets Boy on a dating website. Girl falls in love. Boy claims he does, too. Girl is excited to meet Boy soon. But at the last minute, Girl finds out that Boy (1) had an accident and broke a hip; (2) has a very sick relative he needs to look after; (3) is going away to a secluded place to “find himself”—you’re not the problem, he is, right?; or (4) (through a helpful and mournful friend) is dead.

Suddenly suspect, Girl digs a little deeper. Girl finds out that Boy isn’t the dreamboat he portrays himself to be. Boy is, in fact, her female colleague’s timid 13-year old son whom she met once at a work function.

Bummer, right? Here’s another one:

Two months ago, Deloitte revealed that it was breached by hackers, who most likely already had access to compromised servers since November 2016. Around the same time, a cybersecurity staffer at Deloitte was convinced to open a booby-trapped Excel file from a female friend he met on Facebook months before. Her name was “Mia Ash,” a London-based photographer. She was described as lovely and disarming.

She was also 100 percent fake.

Mia Ash is the latest in a lengthening line of online femme fatales who successfully infiltrated corporate systems by targeting and successfully duping smart men working in IT and cybersecurity—people who everyone expects to practice what they preach. Her equally fake predecessors went by the names of Robin Sage and Emily Williams. Although all three were created as social engineering lures, one significant difference stood out: Sage and Williams were the brainchildren of cybersecurity experts who wanted to expose the human weakness in the national defense and intelligence communities. Ash, on the other hand, was the product of a known Iranian APT group who deliberately took advantage of that weakness to achieve their nation-state goals.

Two very different stories, one common theme: romantic deception.

What is catphishing?

Catfishing (spelled with an “f”) is a kind of online deception wherein a person creates a presence in social networks as a sock puppet or a fictional online persona for the purpose of luring someone into a relationship—usually a romantic one—in order to get money, gifts, or attention. Catphishing (spelled with a “ph”) is similar, but with the intent of gaining rapport and (consequently) access to information and/or resources that the unknowing target has rights to.

Simply put, the former is out to break hearts (and bank accounts), while the latter is out to compromise individuals, organizations, and quite possibly even countries.

Can we say that catphishing has gone beyond bad romancing for money? Absolutely.

What motivates catphishers to do what they do?

The motivations behind the act are likely similar to why spies steal secrets: to make use of the stolen information to gain the upper hand against the target or organization they belong to. As we all know, stolen information in the hands of criminals can be used in many ways—for extortion, for sale on the black market. However, in the end, the organization that was compromised loses integrity, clients, business opportunities, and gets fined if they were found to be non-compliant with security and privacy regulations.

Catphishing is dangerous enough that most companies consider it a business threat.

On the other hand, those catphishing individuals might also use the information they gather from individuals to create even more social media profiles. Sometimes, catphishers mislead simply to bully people online.

Read: Tackling the myths surrounding cyberbullying

Blimey. Those catphishers ought to pay for what they’ve done!

Unfortunately, in many countries, catphishing (and catfishing) isn’t illegal. In the UK, “catfishing” is not even a legally-defined term. Although at present, the practice is pretty much legal, active campaigns are aiming to change this.

In the US, Oklahoma is the only state that made catfishing illegal.

Although one cannot lawfully pin catfishing/catphishing against someone, there are other legal areas that those affected by the practice can look into and decide whether they want to pursue these instead. They are (but are not limited to) the following:

  • Copyright violation (for photos stolen and used in the deception)
  • Criminal impersonation
  • Defamation
  • Identity fraud
  • Espionage
How can we protect ourselves from this?

Start by familiarizing yourselves with the following red flags, which indicate that you may be dealing with a catphisher online:

  • Everything that they claim to be seems too good to be true.
  • If you meet them on a dating website, and they suggest getting in touch with you via other means, such as email and other chat services.
  • They show no interest in a face-to-face meeting or even in using voice chat services.
  • Most (if not all) photos they use don’t include other people.
  • Quite a number of their social media followers appear to be sockpuppet accounts.
  • They ask a lot of information about you early on in the relationship like how much you earn, what kind of home you live in, and where your parents are (to name a few).

Stay safe out there!

Recommended reading for parents:

The post Bad romance: catphishing explained appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Android Trojan malware discovered in Google Play

Wed, 11/15/2017 - 00:07

A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017.  These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1).

We named this new malware variant Android/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs.

Click to view slideshow.

For the sake of discussion as we analyze this malware, let’s concentrate on just one of its associated apps, since they all share the same behavior. We will focus on a malicious QR scanner app named Qr code generator – Qr scanner.

Surface analysis of Trojan AsiaHitGroup

AsiaHitGroup has several layers of maliciousness. It starts innocently enough with an icon created on the mobile device after install. Click on the icon, and it opens a functioning QR scanner, as promised.

Click to view slideshow.

However, this QR scanner is short lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarre-behaving QR scanner, but good luck finding it. If you are looking under the Q’s for Qr coder generator or Qr scanner, it’s not there. It’s not even under the icon’s name, Barcode reader, which is shown briefly before vanishing. Instead, this deceiving app is called Download Manager in the app list. Unless you know all the apps on your mobile device exceptionally well, it’s near impossible to discover this app name.

Diving deeper into Trojan AsiaHitGroup

If the behaviors listed above weren’t enough to conclude this QR app is malicious, it gets worse. The first step performed by the malicious app in the background is checking the location of the mobile device. This is done by using the website which provides Geolocation using IP. If the location is in an area that satisfies rules within the code, then it proceeds to the next step. This next step is to download an APK by visiting a website that contains download instructions.

Code from http://[hidden_domain]/api/custom/dynamic-fragment with instructions to download an APK

{"id": "duy.van.dao.dynamicduy.20171005.16", "files": [{"id": "duy.van.dao.dynamicduy.20171005.16", "md5": "4662e8537751c49beb06309a989796fc", "url": "https://[hidden_domain]/hoanghai27/dynamic-fragment/raw/master/dynamic-plugin-v22.apk"}], "version": "20171005.16", "fragments": [{"code": "duy.van.dao.dynamicduy.20171005.16", "name": "duy.van.dao.dynamicduy.MainFragment", "host": "dynamicfragment"}]}

Unfortunately during testing, the APK could not be downloaded via the malicious QR app—most likely due to my location. However, I was able to manually download the APK using the URL provided within the download instructions. The behavior of this downloaded APK was that of a Trojan SMS (which is why I subsequently named it Android/Trojan.SMS.AsiaHitGroup). Based on all the references to Asia within the code, my assumption is you must be in Asia for this malware to fully function.

Add some adware into the mix

Even if the malicious Trojan SMS fails to download, there is yet another layer to the malevolence.  Hidden within the malicious QR app is another APK waiting to do its biding. However, this hidden APK is a less threatening, adware-pushing app.

The hidden adware app comes with an unusual service name: vn.solarjsc.fakeads.ShowAdsService.  Within this service, there is reference to the same domain that was used to gain download instructions of the Trojan SMS. Although I was unable to verify, this domain may also contain the “fakeads” referenced in the service name. Regardless, rest assured we are detecting this hidden adware app as well as Android/Adware.AsiaHitGroup.

Google Play: not quite flawless

Even with the introduction of Google Play Protect, there appears to be no fail-proof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails. We (obviously) recommend Malwarebytes for Android. Stay safe out there!


Malicious APK samples: use at own risk Android/Trojan.AsiaHitGroup

MD5: 178E6737A779A845B8F2BAF143FDEA15, Package Name: duy.van.dao.qrcode
MD5: 7EEC1C26E60FEDE7644187B0082B6AC4, Package Name: com.varvet.barcodereader
MD5: 7CEDA121F9D452E9A32B8088F50012B8, Package Name: com.maziao.alarm
MD5: B481CE9D0B7295CDA33B15F9C7809B95, Package Name: com.magiaomatday.editimage
MD5: 60A71632004EE431ABB28BF91C3A4982, Package Name: com.maziao.speedtest
MD5: N/A, Package Name: com.ruzian.explorer


MD5: 3CC02E4FECEB488B084665E763968108, Package Name: duy.van.dao.dynamicduy


MD5: 995D5DC873104B5E42B3C0AF805359DB, Package Name: com.offer.flashcall

The post New Android Trojan malware discovered in Google Play appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: the cloud

Tue, 11/14/2017 - 18:24

Even if you are reading this post because you have no idea what the cloud is, you might be using it more often than you realize. Twitter, LinkedIn, Dropbox, Google Drive, and Microsoft Office 365 are some of the most well-known cloud apps.

Let’s start with a definition of the cloud to get a grip on things:

Cloud computing, often referred to as simply “the cloud,” is the delivery of on-demand computing resources—everything from applications to data centers—over the Internet.

Cloud resources are often split up in three different ways:

  • Public: cloud services are delivered over the Internet and sold on demand, which provides customers with a great amount of flexibility. You only pay for what you need.
  • Private: cloud services are delivered over the business network from the owner’s data center. You have control over the hardware, as well as the management and related costs.
  • Hybrid: a mix of the above. Businesses can choose to have control over the most sensitive data or their average user and use public services to cover the rest of their needs.

Multi-cloud is another expression you may have come across. This means that companies use more than one public cloud provider, maybe for specific applications or as a method to cover outages. When using hybrid and multi-cloud solutions, it is important to spread the workload in a cost-effective manner.

Perceptions of the cloud

There are a few expressions about saving your data in the cloud that are not completely true, but will give you an idea of people’s perception of the cloud and what risks might be involved.

  • Your data is on someone else’s computer.
  • Your data is in a huge server farm.
  • You can’t be sure where your data is right now.

As you can probably tell from these statements, the main concern about the cloud is a lack of control over the data. This is not surprising, given the number of breaches that have occurred in recent times. According to an article on CSO, more data records were lost or stolen in the first half of 2017 than in all of 2016.

So what we really want to know is: Who actually has access to our data? This is not only relevant with regards to cybercriminals that can gain access through breaches. The Patriot Act gives the US government a lot of freedom to access and investigate data that is stored in cloud infrastructures. And of course, the cloud provider who stores that data can see it. Depending on the provider, they can even advertise to you based on your data, as is the case with most social media platforms.

And in case of a breach? Is your data stored and sent encrypted? What if someone manages to intercept the traffic? These questions may not all be relevant in your case, but they are worth thinking about.

Pros and cons

As with all technology, there are pros and cons to using the cloud. Here are a few:


  • scalable and flexible, so you can quickly react to ups and downs
  • cost effective—you pay for what you use
  • off-site backup, so no need to worry about losing it all in a fire or other catastrophe
  • access to data in any location


  • less direct control
  • potential for privacy and security violations (breaches)
  • different security measures from what you may be used to
  • access dependent on access to the Internet, which means services outages could lock you out of your data

Choosing the right cloud service

First and foremost, when looking for a cloud service provider, you should consider one that not only suits your data storage needs, but also is a reliable partner. Look at their track record and ask for references. With public cloud solutions, you need to consider the possibilities of traffic being intercepted, maybe even being altered, and data being stolen. And always look for providers that offer encryption and multi-factor authentication.

Because running cloud applications requires more attention then straightforward data storage, it’s helpful to distinguish Infrastructure-as-a-Service (IaaS) from Platform-as-a-Service (PaaS) when you are talking about cloud security.

  • IaaS is when your systems are running on virtual servers in the cloud.
  • PaaS is when your applications are running on cloud environments.

For IaaS situations, the security problems that are left up to you to take care of are not that different from the ones in your regular environment. You should be able to treat the servers as if  they were in your own network. They require the same security solutions as your own, which could be anything from anti-malware software to a firewall.

For a PaaS environment, application hardening will be different as it may require a web-application firewall. As the applications are not running from the systems within your intranet, they will very likely be using different Internet connections to send and receive traffic. This is something to determine with the cloud service provider. Who takes care of what?

One other thing to consider when choosing your cloud service provider is the physical location of your data. It is your responsibility to make sure you remain compliant with laws and industry regulations. This can also be an important consideration when you are about to decide which data you will move to the cloud and which should be kept in-house.


The cloud is in essence a method to use other resources than your own to run applications or store any kind of data. It offers users flexibility, scalability and puts the care of systems in other hands than yours. The price, besides the fees, is a loss of control over the resources and data. For businesses, compliance is another factor to weigh. When talking to potential cloud service providers, security should always be a point on the agenda. It has to be clear who takes care of which aspects of cloud security, otherwise it could slip through the cracks.

The post Explained: the cloud appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (November 6 – November 12)

Mon, 11/13/2017 - 20:47

After coming out victorious in a case against PUPs, Malwarebytes CEO Marcin Kleczynski has this to say:

We fought for our users and we won.

— Marcin Kleczynski (@mkleczynski) November 9, 2017

And my, do we feel like champions!

You can read more about this here.

Last week, we looked into the cryptocurrency mining phenomenon, rising digital crimes that target businesses—the final supplement of a two-part series—a bogus WhatsApp app that got through the Google Play store because the actor behind it used Unicode, and puppy scams. We also revealed a Bitcoin multiplier scam that actors behind the Magnitude EK were banking on and the coming back of the Disdain EK, this time delivering a Neutrino bot.

Lastly, we put out word about potential fakeries from cybercriminals targeting those shopping on Singles’ Day and a little exercise for the talented guys and gals who like to tinker with code, which we followed with a step-by-step tut on how to solve it.

Other news
  • Paradise lost? Breach of law firm, Appleby, exposes information of the rich. And so are their tax schemes. (Source: Quartz)
  • There’s a flaw in Tor that allows user IP address to leak. This affects macOS and Linux users. (Source: Computing)
  • Proofpoint reveals a multi-prong attack against Android users, wherein users are first faced with a phishing campaign, and then convinces users to install malware, then finally attempted to steal card details. (Source: InfoSecurity Magazine)
  • To hack back or not to hack back: this has been a longstanding debate from within and without the security industry. Keith Alexander, ex-NSA Director, weighed in on the debate, advising companies to never hack back as this might start wars. (Source: Motherboard)
  • According to a DHS testing, the Boeing 757 aircraft is found to be vulnerable to hackers. (Source: Aviation Today)
  • Companies granting a lot of admin rights to employees can actually leave them vulnerable to cyber attacks. (Source: TEISS)
  • Mozilla’s “Privacy Not Included” guide reveals gadgets and devices one might not acquire for loved ones as they can spy on them. (Source: CSO)
  • No, your Netflix account has been suspended. If you see an email saying otherwise, watch out! It’s a phishing campaign. (Source: Wired)

Safe surfing, everyone!

The post A week in security (November 6 – November 12) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Augmented Reality games and real-world trolling

Mon, 11/13/2017 - 19:46

Augmented Reality games—where you wave a device around and the digital collides with reality— have been booming in popularity ever since Pokemon GO! rolled into mobile storefronts. However, many AR games haven’t really been designed with the possible consequences of real-world safety in mind. Take this hurricane howler, for example.

Even games that aren’t AR often include some sort of real-world activity. Black Watchmen is an Alternate Reality Game that involves solving puzzles both online and off, and depending on how much personal information you volunteer, you’ll gain access to more involved gameplay aspects.

At the absolute other end of the scale are games which (by accident or design) don’t include enough information ingame to explain how to achieve certain goals or tasks. In those cases, you’ll find a whole boatload of third-party tools, services, and community-driven sites that help keep the game fully functional from a “How do I do this?” perspective. Elite: Dangerous, for example [1], [2], [3]. This could also bring risks in the shape of fake/malicious downloadable programs.

In all of this, the potential for people to abuse tools outside of the game itself is high. And that’s exactly what happened to players of Ingress, the AR sci-fi game about aliens and capturing portals. The game relies on lots of player data, including location, which is a big part of how it works. And despite the data being anonymous (and stacked alongside piles of other player information), there are limits.

Geolocation is a huge driver for the game, and when a third-party tool designed to prevent players spoofing location was put to use by cheaters, it resulted in players finding themselves blocked into their property by vehicles, notes left on their doorstep, and even players on the other team knowing the “victim” was going out of town on holiday.

Many AR games are dead in the water without geolocation, as without it you may as well be sitting at home. The challenge for developers is to ensure games where players are in competition aren’t abused and turned into weird cases of real-world harassment. For now, these (hopefully isolated) stalker cases will likely put some folks off taking the plunge into competitive AR titles, and that’s a shame.

At a time when games are becoming more sociable, it’s ironic that a tool designed to stop cheaters has ended up becoming another sneaky way to grief people both online and off. “Be mindful of the information you post online and reveal in games” doesn’t really help much when the culprit is data being scraped outside of your control. So unless the games you play can prevent this kind of activity, you may wish to simply leave some mobile titles on the shelf for the time being.

The post Augmented Reality games and real-world trolling appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to solve the Malwarebytes CrackMe: a step-by-step tutorial

Fri, 11/10/2017 - 13:00

The topic of this post is a Malwarebytes CrackMe—an exercise in malware analysis that I recently created. First, the challenge was created to serve internal purposes, but then it was released to the community on Twitter and triggered a lot of positive response. Thanks to all of you who sent in your write ups! Some of the links are included in the appendix.

I got several questions from people who were stuck and needed some more explanation/guidance. So I promised to present my own solution in a step-by-step tutorial to the CrackMe. I am going go into detail so that even someone with little experience in reverse engineering will not feel lost. But if you still find something unclear, please don’t hesitate to ask in the comments.

The CrackMe was intended to be simple, yet to demonstrate various techniques commonly used by malware—that’s why we hoped it would be a good learning experience for the beginner malware analyst. Like always, the demonstrated solution is just one of many possible approaches.

Techniques demonstrated

The techniques/skills that we wanted to exercise in the CrackMe are:

  • Noticing common evasion tricks (antidebug, anti-vm, etc.) and bypassing the checks
  • Detecting XOR-obfuscated payload and decoding it
  • Basic understanding of the RunPE technique
  • Finding a way to debug/load shellcode
Environment and tools used

For the analysis environment, I used Windows 7 32bit on Virtual Box, with an Internet connection.

During the analysis, I used the following tools:

Stage 1

When we run the CrackMe, the first thing we see is the following banner:

So far, we know that the CrackMe is finished when we get a flag in the following format:


There is no password prompt whatsoever—we just see the failure message on the screen. The only way to understand it more is by looking inside. For this purpose, I am going to use IDA.

Finding the decisive variable

The code is not obfuscated, and we can easily see that this message comes after the check:

The success of the check will depend on the value of AL registry (AL=0 leads to failure). This value is set in the function above: sub_4014F0. Let’s go inside the function and see where exactly is it set:

So there is some variable (IDA automatically named it szUrl, suggesting that it will be used somewhere as a URL) that is passed to a function sub_403380. The output of this function (at this point we can guess that it is some checksum) is going to be compared with the hardcoded one. If it matches, AL is being set. So, our goal is to have szUrl filled in such a way that it will give us the valid checksum: 0x3B47B2E6.

Finding references

First, let’s have a look at the external references (xrefs) of the variable szUrl to find out how is it used and where is it set. We can view them by pressing CTRL+X in IDA:

As you can see, it is referenced from three places in the code. The second (highlighted) one is the place where we came from (szUrl being passed to the checksum calculation).

How is the variable used?

The third xref will probably refer to the usage of this variable. So, let’s see it:

Entering in the function sub_4033D0, we can see some API calls related to reading the content from the given URL, such as:


At this point, we can be sure that the content of the szUrl, if filled correctly, will be used to download some content from the Internet.

How is the variable filled?

Now let’s have a look at the first reference and find out where the value of szUrl comes from:

We can see it is one of the parameters passed to the function sub_4031C0. This function takes also an array of DWORDs. Let’s look inside the function. We can see that Windows Crypto API is being used:

The passed content is decrypted with the help of Windows API, using AES algorithm.

Following the order of the passed parameters, it is easy to guess that this function is going to decrypt the passed buffer (the array of DWORDs) and the szUrl will be used to store the output. So the only thing that we need to take care of is a valid key for the decryption. Then we will get the proper URL that has the defined checksum 0x3B47B2E6.

Finding the decryption key

The key is derived from the hash another buffer, passed as one of the function’s parameters. We can see that Windows Crypto API is used to derive the hash. The used hashing function is SHA256 (algorithm ID: 0x800C = CALG_SHA_256):

This hash is used to derive the AES128 key (algorithm ID: 0x660E = CALG_AES_128):

We find that the buffer used as the base of the key is passed as a 4-th parameter to the function:

Let’s name it key_buf and find out where is is passed to the function:

Again, xfers can tell us more about where is it set:

We find out that the full buffer consists of pieces that are set DWORD by DWORD in various functions. Let’s have a look at each of those functions.

At this point, things are getting easy: We have various environment checks that malware often uses for recognizing if it is run in a controlled environment or not. For example, checking if it runs under the debugger:

While malware detecting the debugger often terminates the execution, in this case the conditions are reversed. Having each check passed/item detected gives us one more piece of data to the buffer. We need to catch them all!

We may achieve it by following each check and patching it out (removing the conditional jump) so that the chunk will be added to the buffer unconditionally. You can use IDA for patching, but IMHO it is not convenient, so I usually do it with the help of some other tools (debuggers like OllyDbg, or PE-bear), and use IDA just to find the branches.

Example: removing conditional checks in PE-bear:

Follow the offset of the check (CTRL+R):

Select the bytes on the hex view and modify them:


After following and removing all the checks, we can save the patched file:

If we deploy the patched version, we see some progress! The message “You are on the right track!” is printed on the screen. We can also see a hint that something is being uncompressed.

Examining the traffic

We already know that something was downloaded from the Internet (using the decrypted URL), so it may be helpful to have a closer look at the network traffic. There are many ways of checking the URL that was queried. We can do it with the help of Wireshark or Fiddler:

Request and response:

We see that the content was downloaded from the pastebin from the URL:

The content is in Base64, but decoding it by a Base64 decoder does not give us any sensible result. (We guess that the reason is the content is compresses and/or further encrypted). So, let’s go inside the applications again!

Understanding the payload

First, let’s do some static analysis to understand what exactly this payload is supposed to be and how is it going to be used. Let’s search first where the “Nope :(” message box is being shown. We see that before there is a check if the buffer starts from “MZ,” it is a well-known magic number starting DOS applications and also Windows Executables (PE files).

Taking a closer look at this function, we find out that the downloaded file is processed by few functions.

First, it is base64 decoded. Then, the output is uncompressed:

We understand that this function is responsible for decompression by looking inside and finding the relevant API calls, such as RtlDecompressBuffer:

Then, we notice a function that reads like something from the clipboard:

Going inside it, we can also easily find relevant API calls, such as:

We find that the format that is being read from the clipboard is one that measures text (CF_TEXT).

Then, we find that the content that was read from the clipboard is being used by another function. It becomes an XOR key to decrypt the downloaded content:

After all this, the result starts from the “MZ” magic number. It is being injected into rundll32.

Following inside the function sub_4011F0, we see exactly how the injection was made. It is a classic RunPE technique. The new process is created as suspended. The payload is being written into its memory space, linked to its PEB and resumed:

More detailed explanation of this well-known technique is out of scope of this article (you can find it here). However, unpacking it is very easy—we just need to dump the payload after it is decrypted but before it is converted into the virtual format and written to the remote process. I will show some of the possible unpacking methods next.

Decrypting the payload

During the static analysis, we found out the following information:

  • The payload is downloaded from the decrypted URL
  • It is Base64-decoded
  • It is decompressed with RtlDecompressBuffer
  • It is XOR-decrypted with the help of some key that is read from the clipboard

To pass this level, we must find the XOR key. It will not be difficult, knowing that the XOR operation is self-reversible. But first, let’s dump the payload after it is decompressed so that we can get the material for further analysis.

I will run the patched version of the CrackMe under the debugger (e.g. ImmunityDbg) and go to the API call RtlDecompressBuffer:

I am setting the breakpoint at the end of the decompression function and then running the CrackMe.

We can see on the stack the variable that was passed to the function. Let’s follow the buffer that was uncompressed:

We can see some repetitive patterns and the string “malwarebytes.” It is easy to guess that it will be the XOR key passed via clipboard. At this point, we can choose various approaches of unpacking it. I will demonstrate just one of them.

Decoding the XOR-obfuscated payload

After the buffer is decompressed, we dump it to file and decode by our external tool

First, we dump the buffer:

Then, we have to trim it so that it will start from the proper offset. We can do so by opening the dumped memory page in XVI32 hexeditor, navigating to the beginning of out buffer, and choosing:

Edit->Dump to cursor

Then, we can easily decode it by the script, supplying the XOR key. In this case, we could easily guess that the key is “malwarebytes” because this string repeats multiple times in the decoded buffer (XOR key is visible in those fragments of file when it was applied on NULL bytes). --file dump.bin --key "malwarebytes"

You can see the steps taken on the video below:

As we expected, based on the earlier findings, the decoded output is a new PE file.

Stage 2

Stage 2 is inside the new executable. After we dumped it, we can run it as a fully independent module. We see that it pops up the following message:

Let’s open it in IDA and have a look. It is not obfuscated and the structure is pretty simple.

Understanding the checked conditions

First of all, we can see why the “Fail” message was displayed. The first thing that is checked is the module path, compared with the path to rundll32.exe. The check is not done by direct comparison of the strings, but instead, the checksums of the paths are calculated and compared:

In short, if the current PE is not injected into the rundll32.exe, the check should fail and lead to the mentioned message box. At the moment, we want to run this PE file as an independent unit, not via rundll32. So we need to get rid of this check. We can do it by simply patching out the conditional jump (the same way as we patched out the conditional jumps in Stage 1).

Alternatively, we can load the executable under a debugger, set the breakpoint on the check, and change the flag to bypass it.

In order for the final flag to pop-up, two more conditions have to be met:

1. A process with a window of given class has to be running in the system.

First, the EnumWindows function is called. The searched checksum is given in the parameter to the callback:

Inside the callback function, each window’s class name is compared to the checksum. If it matches, the particular process is being opened for further injection:

Someone may notice that this check is implemented similar to this one. The searched window class belongs to ProcessExplorer.

2. The application must be loaded under the debugger.

The presence of the debugger is being checked, and sets the flag that further on influences the value of the XOR key.

If we run the executable under the debugger and if we have a ProcessExplorer (32-bit) running, the MessageBox with the flag will be injected there and we will get the solution instantly. Example:

Dumping and running the shellcode

If we have luck, we may get it very quickly. But in real life, finding the proper process that has to be injected could be problematic. Also, people who were running the CrackMe on the 64bit version of Windows will encounter problems because the shellcode is 32bit and can be injected only to the 32bit version of Process Explorer. However, in order to solve it, knowing the process name is not at all required. We can just dump the shellcode before it is injected and load it by our own loader.

First, we have a look in IDA and see the part of the code where the injection is made. Before, the checksum of the shellcode is calculated:

So at this point we already have the valid shellcode stored in the buffer. We don’t really care where it is injected—we can just dump it and run it on our own. To reach this place, we only need to bypass the search of the window with the given checksum. We can do it by simply patching the condition (or changing the flag under debugger). This is the condition that must be patched out:

On the attached video we can see the full solution: dumping the shellcode and running it independently. In the given example, the shellcode was added as a new section to the original CrackMe with the help of PE-bear:

That’s how we got the final flag:


In this tutorial, I tried to explain step-by-step one of the possible solutions to the CrackMe. I recommend you to have a look at the write ups below to see different perspectives and learn more. And of course, I encourage you to try on your own and describe your own solution, because this is the best way to learn.


Received write ups: – by – by – by @ShAd0wHuNt3r_0 – by @ValthekOn

The post How to solve the Malwarebytes CrackMe: a step-by-step tutorial appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Singles’ Day deal seekers beware

Fri, 11/10/2017 - 03:00

Originally a day set aside for singles in China to be proud of their singlehood, Singles’ Day has been transformed into what is arguably the world’s single largest e-commerce festival, thanks to the involvement of The Alibaba Group. In fact, the Alibaba Group alone reported $17.8 billion in sales; six times higher than what was spent on Black Friday (around $3 billion).

Today, Singles’ Day has evolved into a shopping phenomenon that has gained traction beyond the shores of China, with shoppers across Southeast Asia eagerly awaiting previews, hoping to make a killing on the deals set to land on November 11.

However, also waiting to make a killing are cybercriminals, who see e-commerce festivals and heavy shopping holidays such as Singles’ Day, Black Friday, and Christmas as huge opportunities to dupe unsuspecting deal seekers and steal their hard-earned cash. Traditionally, cybercrime activity tends to pick up during festive periods, especially those that involve increased online shopping.

As we await Singles’ Day, many retailers will be sharing promotional links via email, social media, or mobile. Based on past experience, cybercriminals will also be ready to disseminate their own versions of fake promotional links through these channels. These emails from hackers, known as “phishing emails,” could be so well designed as to accurately mimic an email from legitimate and renowned retailers.

Phishing emails would likely contain links to fake promotions, which, instead of giving shoppers a great deal, would instead link directly to malware or ask users to provide personal details that can be abused for nefarious purposes later.

Taking it one step further, entire web pages built to look like legitimate online shopping sites are often built by cybercriminals to take advantage of shoppers. Sometimes hackers even build random e-commerce sites from scratch. These sites are used to steal personal data and even credit card information. And with many deals being time-based in the form of “flash” deals, shoppers sometimes fail to stop and consider the authenticity of a site before rushing to make a purchase.

A quick guide to safe online shopping during Singles’ Day

To ensure you can celebrate Singles’ Day safely and smoothly, here are some basic guidelines to protect oneself from being a victim on Singles’ Day.

1. Beware of spoofed links

Don’t simply click on a link if you can’t be a hundred percent sure it is indeed from the retailer, even if you know the “sender.” To make sure the link is legit, check the sender’s email header and message context. Display the full email address and reply-to address instead of looking at the sender’s name alone. An additional step you can take is to hover over the link to ensure it directs to a legitimate site. Also, be doubly wary of social media posts and texts that offer deals that are too good to be true.

2. Shop at retail websites directly

Instead of keying in personal details into a coupon link in direct emailers or on social media posts, it is wiser to go directly to a retailer’s main website. If the offers are legitimate, chances are more often than not you would be able to find them on the website itself.

3. Check the validity of retailers’ websites

Choosing to shop directly at a retailer’s website is a great first step, but always remember to ensure you are, in fact, on the right website before beginning to shop. Check the URL of the website. If it ends with a “.net” or has a different name in the URL, there is a good chance the site is not legitimate. Also, make sure the sites include “https” at the beginning of the URL. This indicates your data is encrypted whilst browsing or purchasing. Furthermore, check the website copy. If there are numerous grammatical errors and typos, this might not be the website you’re looking for.

4. Install the latest antivirus software

Aside from laptops, shopping through smartphones and tablets has become commonplace nowadays. Therefore, make sure to have a next-generation antivirus software installed, and preferably one that offers multi-layered protection. While having antivirus solutions installed on desktops is relatively common, many of us are guilty of failing to do the same for our mobile devices.  Maintaining a multi-layered security solution across all devices will help protect you from all sorts of malware such as worms, Trojans, spyware, ransomware, and more.

While consumers should stay alert of potential cyberattacks when shopping online throughout the year, one should pay extra attention during festive shopping periods such as Singles’ Day. Cybercriminals are ramping up their attempts to target hungry shoppers, who are rushing for the limited hours deep discounts. So stay calm and think twice before taking any actions. Don’t just rush for the best deals and forget the basic concepts of Internet safety. If you keep your head, you can protect yourself from being a victim of cybercriminals during Singles’ Day.


The post Singles’ Day deal seekers beware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Disdain exploit kit and a side of social engineering deliver Neutrino Bot

Fri, 11/10/2017 - 00:23

Today we picked up new activity from an exploit kit that was first discovered back in August of this year. The Disdain exploit kit, simply identified by a string of the same name found in its source code, is being distributed again after a short interruption via malvertising chains.

Disdain EK relies on older vulnerabilities that have long been patched and some that do not appear to be working properly. From a traffic to infection point of view, this means that the conversion rates are going to be lower than, say, RIG EK, the other most common exploit kit at the moment.

This may explain why we are seeing Disdain being used as a drive-by download alongside a social engineering attack to increase the likelihood of infections. Case in point, the following site was compromised to serve Disdain EK while also distributing a fake Flash Player update:

What’s interesting is that both payloads (Disdain’s malware drop and the so-called Flash update) are actually the same malicious binary, just delivered by different methods. The former is loaded via an iframe injected into the page which triggers the exploit kit and delivers the payload automatically, while the latter is a regular download that requires user interaction to download and run it.

Disdain’s landing page exploits older Internet Explorer vulnerabilities and attempts to load Flash exploits as well, although in our tests these did not work.

That payload is Neutrino Bot, which we have documented on this blog before when it was served in malicious spam campaigns as well as via the now defunct Neutrino exploit kit. Neutrino Bot, AKA Kasidet , is a multi-purpose piece of malware famous for its information stealing abilities.

In the past few weeks, there have been a few developments in the exploit kit scene beyond the long running RIG exploit kit, where threat actors are attempting new tricks both from an evasion and distribution point of view. Despite this, there remains a lack of innovation in what really matters at the end of the day: the exploits being used to deliver drive-by infections.

While some groups have switched to pure social engineering-based attacks, others are attempting either or both methods at once. In the current threat landscape, the campaigns that have the most success are those that can draw a lot of traffic and use clever techniques to fool users.

Systems that have been patched regularly would not be affected by this exploit kit, but at the same time users should beware of non-legitimate software updates. Many of the so-called “Flash Player” or “Video Player” updates typically push adware and, as we saw recently with the BadRabbit outbreak, even ransomware.

Malwarebytes users are protected from the Disdain exploit kit and Neutrino Bot malware.

The post Disdain exploit kit and a side of social engineering deliver Neutrino Bot appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Winning the battle against PUPs on your computer and in court

Thu, 11/09/2017 - 13:00

I know very few people, other than lawyers, that get excited about corporate court cases. But, I want to share with you a recent decision that I believe is cause for every computer user to celebrate.

This week, a United States District Court judge ruled in Malwarebytes’ favor, dismissing a lawsuit brought against us by Enigma Software Group USA LLC (“Enigma”). Essentially, they sued us because we classified two of their software programs as Potentially Unwanted Programs (PUPs).

Sounds mundane, but the reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users. This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.

Those of you that follow this blog know that for years, we have taken an aggressive stance against PUPs. We continue to monitor all known software against Malwarebytes’ PUP criteria to give our users the choice to select which programs you want to keep or remove from your computer. We strongly believe that you should be allowed to make this choice, and we will continue to defend your right to do so.

This company was founded on a real problem I experienced and a dream that everyone at Malwarebytes still affirms: that computer users have a right to choose what’s on their computers. As PUPs became more prevalent and problematic, we began offering protection against them too, a choice that is now backed by the United States District Court.

If you are interested in the brief news release we shared today, it can be found here.

A copy of the US District Court Clerk’s filing (Case 5:17-cv-02915-EJD Document 105) can be found online here.

The post Winning the battle against PUPs on your computer and in court appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Of scammers and cute puppies

Wed, 11/08/2017 - 18:37

We’ve followed tech support scammers for quite a while at Malwarebytes. They’ve been of particular interest because of their preference for scamming the poor, the elderly, and the developmentally disabled.  But there’s a diverse spectrum of online scams a criminal can profit from, and today we’re going to take a look at one of the more despicable ones: puppy scams.

The basic gist of the scam is that the crook will find photos of beautiful purebred dogs, put them up on Craigslist or a private website, and advertise them for adoption. Once a buyer is found, they’re on the hook for fees including fake vet bills, registration, kennel fees, and transport to the victim’s location. Suffice it to say: there is no dog. Average losses for this scam run from US$800 to $5,000.

Shopping for a fake dog

For our investigation, we started with pomeranianhouse[.]com. Clicking on puppies for sale, we get Paulie, an unbelievably cute dog that looks happy to see us.

This dog is not actually for sale.

The “About us” page has extensive copy on the care and upkeep of these beautiful dogs designed to make your heart melt. But when we reverse image search on Paulie, we get another site entirely:

This site has the same dog:

It includes the same copy, but contains identifying details of the breeder, along with a lengthy diatribe against scammers who steal her photos.

Having confirmed that the first site is a huge scam, we decided to give them a call and see what happens.


Unsurprisingly, instead of a woman from Oklahoma, we get a man with a south Asian accent requesting a Walmart-2-Walmart money transfer. If you’re unfamiliar, Walmart-2-Walmart is a money transfer that allows a recipient to collect funds with an ID and a reference number. Most commonly, scammers will recruit money mules to do the collections as part of a work from home scheme. This particular scammer wanted to take us for $850 for the non-existent dog, but that probably would have gone up over time with assorted “unforeseen” costs.

So what about the perpetrator? is WHOIS protected, with no significant pDNS, but the email they used with us, dydydav849@gmail[.]com, was partially reused on their last scam iteration in July, as seen below on a scam information website:

Once pomeranianhouse[.]com is taken down for fraud, the scammer will most likely set up a new site with fresh stolen pictures in another three months.

How to stay safe

Please do not use unconventional payment methods with people you do not know, or cannot find a reputable history on. Money wire, ACH transfer, and any sort of gift card should all be enormous red flags for “maybe I should not do business with this person.” You can also decrease your chances of getting scammed by buying pets locally from shelters or breeders who allow you to meet the dog first (to make sure it exists). Stay safe, and stay suspicious—no matter how cute the puppy is.

The post Of scammers and cute puppies appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Phony WhatsApp used Unicode to slip under Google’s radar

Wed, 11/08/2017 - 17:13

After a troubling week for Google not so long ago, the company is under the spotlight once more for missing another app that, after further investigations by several members of Reddit, was found laden with adware.

This app, which was called “Update WhatsApp Messenger,” used the logo and developer name of the real WhatsApp app—two elements that a user familiar with the app expects to see. However, the developer name for this bogus app had an extra space at the end, so it looked like this:

WhatsApp, Inc.{space}

To aid users in realizing this deception, Redditor Megared17 posted snapshots of a code section belonging to the real WhatsApp and the fake app to compare the two. We have reproduced the shots below for your convenience.

That bit in the box is the percent coding equivalent of a blank space, which translates to U+00A0, the Unicode value of a no-break space. Although this is something our normal eyes may have a difficult time spotting, many decried that Google’s scanner should have quickly picked this up.

Read: Out of character: Homograph attacks explained

Once downloaded and installed, Redditor Dextersgenius pointed out that “Update WhatsApp Messenger” hid from users by “not having a title and having a blank icon,” which he then supplemented with screenshots that we also reproduced below.

From Dextersgenius’s testing, they also pointed to a piece of code that indicated this bogus app appears to access a hardcoded shortened URL that presumably downloads an update APK named whatsapp.apk. Upon closer inspection, however, the URL led to another shortened URL—this time Google’s URL shortener,—that then led to a Google search result for a WhatsApp Messenger APK file.

Essentially, users are told to “Look for the APK file from these search results. It’s got to be in one of them!” No updates are sent to the phones at all, so they’re just left with a PUP app.

“Users need to be more vigilant,” advised Armando Orozco, Lead for the Mobile Protection Team at Malwarebytes. “If they want to update WhatsApp, they need to use the update mechanism in the Play Store app, not a secondary app.”

Apart from reading app reviews for any reports of questionable behavior, it also pays for users to check the link to the developer of the app, which might have helped catch “Update WhatsApp Messenger” and possibly lessen the number of affected devices.

Stay safe!

Other related post(s):

The post Phony WhatsApp used Unicode to slip under Google’s radar appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Part 2: All rise! Mind these digital crimes and arm your business against them

Tue, 11/07/2017 - 19:53

In the first installment of this two-part series, we advised consumers to stay on top of a selection of up-and-coming crimes to significantly lessen the chances of encountering them in the future. For this post, we’re going to look into digital crimes that keeps small businesses and large enterprises on their toes: cloud attacks, attacks over SSL, ATM malware, and RDoS attacks.

It’s important to note that regardless of any digital attack an organization might face, fostering a culture of cybersecurity plays a massive role in arming employees with knowledge of what these attacks are and how they should respond if and when such incidents happen.

Let’s begin!

Cloud attacks

Many are surprised with how quick cloud computing has taken hold. In fact, Internet users who may not have heard about “the cloud” likely have no idea how much they rely on it when they check updates on Facebook, their work mail, or their online bank statement. Indeed, cloud services have made our lives a lot more manageable, to the point that we think everything we need is just within reach of our fingertips, wherever we are in the world.

Unfortunately, online criminals have caught on and started using cloud services as lures to dupe people into handing over their account and personal details. Retrieved credentials—say, for work email—are then used to access the account to gain further access to other repositories the credential owner has rights to, primarily company files stored in other cloud services. And this is just one of the many possibilities that could happen to compromised enterprise accounts.

How to protect your business

  • Take advantage of your cloud provider’s two-factor authentication (2FA) feature. They are used by the majority of cloud vendors today—using it is no longer optional. And that should be great news for any business looking into beefing up their security but only have a vague idea of where to start. Just remember that 2FA comes in various forms.
  • Know who accesses what information stored in the cloud. Not everyone in the company should be able to read or obtain sensitive files. Audit your access list and, if possible, restrict access to more sensitive data to a smaller group of decision makers.
  • Limit access to company resources based on user context. Employees in the office who use the internal network should be able to access files based on privileges assigned to them. Remote workers, on the other hand, should have limited access to company files, or they must go through additional sign-on steps to ensure that the person accessing the data is indeed who they say they are.
  • Encrypt highly sensitive files stored in the cloud. Offsite backups work well, too.
  • Use a cloud vendor that provides encrypted data transfers. (Not all of them offer this.)
  • Toughen up on passwords. Make sure that employee passwords have an acceptable rating of complexity. The system should straight up reject ones that are easily guessed like “admin,” “password,” or “123456.”
  • Regularly update your software to keep exploits at bay.
Attacks over SSL/TLS

Secure Socket Layer (SSL) or Transport Layer Technology (TLS) is a protocol wherein transmissions between a server and a browser are authenticated and encoded. While an increasing number of companies are learning and adopting encryption as part of their security and privacy strategies, using secure communication over the network to hide malicious antics is how threat actors level up the playing field. We’ve seen this in multiple malvertising campaigns in previous years. Malware being sent over an encrypted channel is not new either. Phishers, on the other hand, mainly use SSL as a way to make their campaigns more believable, seeing that more Internet users are clued in on what to look for on a potential phishing page.

Some threat actors use free SSL certificates, while others have breached company sites with them already installed. Regardless, organizations have a big hand to play in stopping the bad guys by securing their websites and also educating their employees on current, more sophisticated criminal tactics.

How to protect your business

  • Keep server OS and other software running on your website up to date.
  • Strengthen the passwords of your website admin accounts.
  • Make sure that text boxes on your website where users can post content to them, such as a search box, comment window, or forum post, are SQL injection- and cross-site scripting (XSS)-proof. You can install tools to prevent scripts not hosted on your server from running on your website. Or you can tinker with the server-side code to make it difficult for the bad guy’s script injection to run even if it were successfully posted to the page.
  • Install a Web Application Firewall. There are niche brands that offer this, with some of them being cloud-based. So do your research and choose a service that fits your company’s needs.
  • If you allow users to upload files—say, a screenshot—to your website, make sure that limitations are explicitly set to prevent users from uploading other file types.
  • Switch to HTTPS. You may also want to consider using SSL inspection.
  • Restrict physical access to your server.
  • Conceal your admin directories. Hackers have been known to scan web servers for conspicuous directories they can focus on gaining access to, such as the admin folder. Choose new names for your administrator folders, and make sure you and your webmasters are the only ones who know them.
  • Back up your website. Always.
ATM malware

Crimes involving ATMs don’t necessarily require physical skimming devices. Sometimes, there’s malware—and a bit of phishing—in there, too. And these two combined form network-based ATM attacks. Europol’s European Cybercrime Centre (EC3) and Trend Micro’s Forward-Looking Threat Research (FTR) Team have circulated a 40-page report, warning banks about the rise of ATM targeting. Based on this report, not only is ATM malware becoming commonplace, it has evolved remarkably through the years.

EC3 and FTR have also revealed that there are two objectives of ATM malware: (1) empty the affected machine from cash, which is called “jackpotting,” and (2) record card data from clients using the affected ATM, effectively acting as a virtual skimming device.

Below is a video shared by Bleeping Computer about the latest ATM malware sold on the Dark Web in action:

How to protect your business

  • The majority of malware that infiltrates a bank’s network starts off as phishing emails. As such, it’s more important than ever for senior managers to focus on running awareness programs and surprise simulations within the organization on a regular basis.
  • To prevent crooks from delivering malware via the ATM’s USB and CD drives, fortify the machine by replacing the default generic locks on the shell to prevent thieves from purchasing generic keys for these locks. Also, make sure that the location where the ATM machine is situated is well-lit and has a security camera in place (that cannot be easily tampered with).
  • Ensure that the communication between the interbank network and the ATMs are encrypted and have integrity controls.
  • Religiously update all software installed on the ATM. Also, whitelist software that are only allowed to run on ATM machines.
  • By default, use two-factor or multi-factor authentication between devices and software.
  • Employ whole disk encryption for hard disks.
  • Secure the ATM BIOS against unauthorized access.
Ransom DDoS (RDoS) attacks 

A distributed denial of service attack, or DDoS, involves the use of hundreds, if not thousands, of electronic devices controlled by a botmaster. These devices are then used to attack an organization by overwhelming their network with garbage traffic, resulting in websites being shut down and clients not being able to access them for an indefinite period. This translates to a significant loss of profit and disruption of productivity. An RDoS attack happens when an organization is threatened with a DDoS attack but fails to deliver or ignores a threat actor’s demands for money, which is usually in the form of cryptocurrencies. According to a Kaspersky report, a majority of threat actors behind these attacks are beginners and not organized hacker groups. Regardless, a DDoS attack is not something any company with an online presence would want to get entangled with.

Although RDoS attacks on enterprises regularly make the news, small businesses shouldn’t be lax as they have more to lose in the event of such attacks. Unfortunately, a vast number of small business are ill-equipped to handle DDoS and RDoS attacks.

How to protect your business

  • Plan ahead. Little can be done once an attack is already taking place. Prevention is critical in this case. Assess the potential DDoS risk, exposure, and severity to the business and come up with mitigation strategies to address them.
  • Monitor bandwidth for spikes on the network. This could mean an oncoming attack or the presence of malware.
  • Have security software in place. Install anti-malware, email and URL filtering, firewall, and other security software to beef up your company’s computer, device, and network protection. Make sure that they are also whitelisted and regularly patched. Some companies even offer DDoS protection.

Regardless of the nature of the business, as long as you have an online presence—if we guess correctly, almost all SMEs have this—securing your assets, which are either stored in the cloud or on-premise, should be an essential part of any business plan. Organizations of all sizes can no longer afford to overlook security and privacy matters regarding how they should handle confidential company and client information, especially with the arrival of GDPR.

On the other hand, users are also responsible for making sure that their electronic devices are protected both from unauthorized physical and electronic access, their sensitive information kept behind digital lock and key, and that the resources and assets they use for work are maintained within acceptable security standards.

The post Part 2: All rise! Mind these digital crimes and arm your business against them appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A look into the global drive-by cryptocurrency mining phenomenon

Tue, 11/07/2017 - 13:00

An important milestone in the history of cryptomining happened around mid-September when a company called Coinhive launched a service that could mine for a digital currency known as Monero directly within a web browser.

JavaScript-based mining is cross-platform compatible and works on all modern browsers. Indeed, just about anybody visiting a particular website can start mining for digital currency with eventual profits going to the owner’s wallet (in the best case scenario). In itself, browser-based cryptomining is not illegal and could be seen as a viable business model to replace traditional ad banners.

To differentiate browser-based mining from other forms of mining, many started to label these instances as JavaScript miners or browser miners. The simplicity of the Coinhive API integration was one of the reasons for its immediate success, but due to several oversights, the technology was almost instantly abused.

However, many web portals started to run the Coinhive API in non-throttled mode, resulting in cases of cryptojacking—utilizing 100 percent of the victims’ CPU to mine for cryptocurrency with no knowledge or consent given by the user.

We decided to call this new phenomenon drive-by mining, due to the way the code is delivered onto unsuspecting users, very much like drive-by downloads. There’s one important caveat, though: There is no malware infection at the end of the chain.

While the harm may seem minimal, this is not the kind of web experience most people would sign up for. To make matters worse, one does not always know if they are mining for the website owner or for criminal gangs that have found a new monetization tool for the hacked sites they control.

In our full reportA look into the global drive-by cryptocurrency mining phenomenon, we review the events that led to this new technology being abused and explore where users involved in cryptomining against their will are located.

To give you an idea of the scope of drive-by mining, Malwarebytes has been blocking the original Coinhive API and related proxies an average of 8 million times per day, which added up to approximately 248 million blocks in a single month.

With their new mandatory opt-in API, Coinhive hopes to restore some legitimacy to the technology and, more importantly, push it as a legal means for site owners to earn revenues without having to worry about ad blockers or blacklists. This could also benefit users who might not mind trading some CPU resources for an ad-free online experience.

Time will tell how criminals react, but in the meantime, drive-by mining continues unabated.

For more information on this latest trend in the cryptocurrency world, please download our report.

The post A look into the global drive-by cryptocurrency mining phenomenon appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Stay away from the Bitcoin multiplier scam

Mon, 11/06/2017 - 18:30

It is well known that hot commodities tend to attract scammers and online criminals. The continuous rise of Bitcoin over the past year (valued at over USD $7,188 at the time of writing) is generating frenzy amongst fans of cryptocurrencies as well as those watching from the sidelines.

While the threat of Bitcoin theft from hackers or rogue operators remains high, we also see many scams inspired by the classic Ponzi scheme. Such is the case of the Bitcoin multiplier scheme, where victims are enticed to send some of their Bitcoin to a particular wallet and be given x times the amount they invested.

Multiply your loss

There are a few different ways users are drawn to this scam. One of them is searching online for sites that offer such a service (and you can find many). Some people are even asking the million dollar question: “Is there any genuine Bitcoin multiplier?” which scammers immediately pounce on and use for Search Engine Optimization (SEO) purposes.

Another tactic is to use advertising to redirect users to such sites:

The offer sounds too good to be true and should raise an immediate red flag. Even the “confidence” indicators displayed at the bottom of the page are fake and just for show.

However, the scam artists are using an interesting ploy by first asking the user for their email address and Bitcoin address, suggesting that the service might actually send them something. But the opposite happens. When the user submits their information, they are taken to a different page asking them to send BTC to the perpetrator’s wallet:

This might make some people feel uneasy, but the crooks have an answer for any doubts that might arise. They keep a page with previous payments they have sent, although this information is bogus.

In trying to deconstruct this scam, one question that comes to mind is why such a service would exist in the first place, especially considering that nowhere on the site do they mention any kind of commission for their effort. Well, apparently, these guys are doing it for the altruistic love of technology.

Sadly, many people have fallen for this scam and have never seen their money again. The criminals behind this are setting up temporary websites and keep on resurfacing after they have been taken down.

The best piece of advice we can give you is to stay away from too good to be true promises, especially when it involves something like Bitcoin or other cryptocurrencies. And if you need any more guidance, the answer to the million dollar question is: No, there are no genuine Bitcoin multipliers.

The post Stay away from the Bitcoin multiplier scam appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 30 – November 5)

Mon, 11/06/2017 - 18:00

Last week on our blog, we told you what to expect at the upcoming Irisscon security conference in Dublin. We gave you a quick introduction into the why and how of analyzing malware based on their API calls. And we issued a warning about some lesser-known cybercrimes. Plus we explained why emerging APAC markets are prime targets for cybercriminals.

We also introduced you to some of the scariest malware monsters that could come knocking on your door for more than just candy. And finally, we explained how cryptocurrencies work and why all the cybercriminals love them.

Other news

Safe surfing, everyone!

The post A week in security (October 30 – November 5) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: blockchain technology

Mon, 11/06/2017 - 17:45

Last week, we talked about what cryptocurrency is and why cybercriminals love it. We mentioned that cryptocurrency was founded on a technology called blockchain, which is a tight system that, when applied correctly, is more secure than most other financial transactions. In this post, we’ll explain the basics of blockchain technology, including its origin, development, and what makes it secure.

Origin of blockchain

One of the prime and most well-known examples of blockchain technology is Bitcoin. In 2008, the founder and spiritual father of Bitcoin (acting under the name of Satoshi Nakamoto) laid the groundwork for blockchain technology when he presented his solution for the “double spending problem” in digital currency. Double spending can be seen as copying and pasting money so you would never run out of it. In the non-digital world, we’d call this counterfeiting.

This countermeasure against double spending is essentially the foundation of our current blockchain technology, a method of record keeping that is essentially a decentralized, distributed, historical database.

The linchpin of blockchain technology is its decentralization. There is no central authority. Anybody can be a user or participant. This makes the system more open and less vulnerable than traditional ledgers.

Blockchain security

How is the blockchain made secure? Good question! Without making this too complicated, consider a system that only works in one direction. That system calculates the hash value that is the unique answer to a math problem based on the data contained in the block. Every time you feed the system the same data in the block, the hash value will be the same. Every change in the block results in a different hash value.

Take for example adding up the numbers in a long value like 123456789, which will result in 45. Changing the first value will have an effect on the result, but from knowing 45 alone it is impossible to figure out the value we used as input. This is the basically the same idea as blockchain, only the its hashes and input are much more complicated.

So there is no way (short of centuries of bruteforcing) to go in reverse and find the data of the block based on a hash value. This provides miners, or those who maintain the transactions in the blockchain, with a method to check the validity of a transaction without being able to create a block with false information. This is what solves the double spending problem. It makes it impossible to make up a transaction and feed the false information into the blockchain. You can not find the hash that would make that transaction look legitimate.

How new blocks are created

Every so often a new block is created—as a set of transactions recorded over a given period of time. This block contains all the transactions that were made on the blockchain since the previous block was closed. Miners then calculate the hash value of the current block. The first one to get it right gets a reward.

Now the nodes come into play. A node is a machine that is broadcasting all the transactions across the peer-to-peer network that is the base of the blockchain. The nodes check and broadcast the hash of this proposed block until agreement is reached about the new block. Then this block will be accepted as the new starting point for the transactions in the next block. The block is saved in many different places so that no one entity has total control over it.

The transactions we mention do not have to be money transfers, as the blockchain can be used for many other applications. Consider, for example, smart contracts that can be programmed to pay the supplier when a condition has been met, such as the delivery of goods. This moves the trust in the completion of the transaction from an intermediary like a bank or a website to the blockchain.

How mining works on the blockchain

Why would miners bother with appending to the blockchain and verifying new blocks? The “proof of work” method gives rewards to miners for calculating the hashes. So basically they get paid for the energy they put into the work. However, the proof of work method used in Bitcoin and other digital currencies is causing an energy consumption level that could run an entire country.

The number of  processing cycles needed to mine effectively has made CPU mining a thing of the past. Instead, miners moved on to GPU mining and then to ASIC, or application-specific integrated circuit, which is highly specialized and much more effective at what it does.

Although the number of Bitcoin that are given out each day as rewards stays the same over a given period of time, the number of mining farms has taken the number of cycles needed for one Bitcoin through the roof. Imagine huge server farms with racks upon racks of ASICs mining away, and that will give you a good idea of what the professional miners are doing. This is not “Joe at Home” anymore, but serious business. 

One alternative method that is in planning for the Ethereum Project is “proof of stake.” Proof of stake rewards those that have the most invested in the currency or gas (gas is the internal pricing for running a transaction or contract in Ethereum). Some fear this will turn blockchain into “the rich get richer” system, so there may be some new problems to be solved on the horizon.

But if it’s so secure, how come I heard…

Even though the blockchain technology itself is secure, the applications that may be built on or around this technology are not necessarily inheriting its security. So you may have heard of criminals acquiring Bitcoins illegally in various ways, but these crimes usually take place before the cryptocurrency was acquired, for example by having others mine for the threat actor. Or afterwards, for example by stealing wallets or even robbing a Bitcoin exchange.

Extra reading

For more information on blockchain, take a look at this explanation using easy to understand examples: The ultimate 3500-word guide in plain English to understand Blockchain.

A comparison between proof of work and proof of stake can be found here: Proof of Work vs Proof of Stake: Basic Mining Guide

The post Explained: blockchain technology appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What is cryptocurrency and why do cybercriminals love it?

Fri, 11/03/2017 - 14:00

Ever pretend you know what your friends are talking about because you want to sound smart and relevant—and then trap yourself in a lie?

“Wow, looks like those hackers were mining for cryptocurrency. You know what cryptocurrency is, right?”

“Oh yeah, totally. Cryptocurrency. Bad stuff. You know. Currency? In the crypt? Bad.”


Okay, so the next time someone asks, “What is cryptocurrency, anyway?” instead of awkwardly shrugging, be prepared to dazzle them with your insider knowledge.

What is cryptocurrency, in a nutshell?

In its simplest form, cryptocurrency is digital money. It’s currency that exists in the network only—it has no physical form. Cryptocurrency is not unlike regular currency in that it’s a commodity that allows you to pay for things online. But the way it was created and managed is revolutionary in the field of money. Unlike dollars or euros, cryptocurrency is not backed by the government or banks. There’s no central authority.

If that both excites and scares you, you’re not alone. But this technology train has left the station. Will it be a wreck? Or will it be the kind of disruptive tech that democratizes the exchange of currency for future generations?

Let’s take a closer look at what cryptocurrency is, how it works, and what are the possible pitfalls.

What makes cryptocurrency different from regular money?

If you take away all the techno-babble around cryptocurrency, you can reduce it down to a simple concept. Cryptocurrency is entries in a database that no one can change without fulfilling specific conditions. This may seem obtuse, but it’s actually how you can define all currency. Think of your own bank account and the way transactions are managed—you can only authorize transfers, withdrawals, and deposits under specific conditions. When you do so, the database entries change.

The only major difference, then, between cryptocurrency and “regular” money is how those entries in the database are changed. At a bank, it’s a central figure who does the changing: the bank itself. With cryptocurrency, the entries are managed by a network of computers belonging to no one entity. More on this later.

Outside of centralized vs. decentralized management, the differences between cryptocurrency and regular currency are minor. Unlike the dollar or the yen, cryptocurrency has one global rate—and worth a lot. As of November 2017, one Bitcoin is equal to $6,942.77. Its value has increased exponentially this year, exploding from around $800 in January 2017.

How does cryptocurrency work?

Cryptocurrency aims to be decentralized, secure, and anonymous. Here’s how its technologies work together to try and make that happen.

Remember how we talked about cryptocurrency as entries in a database? That database is called the blockchain. Essentially, it’s a digital ledger that uses encryption to control the creation of money and verify the transfer of funds. This allows for users to make secure payments and store money anonymously, without needing to go through a bank.

Information on the blockchain exists as a shared—and continuously reconciled—database. The blockchain database isn’t stored in a single location, and its records are public and easily verified. No centralized version of this information exists for a cybercriminal to corrupt. Hosted by millions of computers simultaneously, its data is accessible to anyone on the Internet.

So how, exactly, is cryptocurrency created and maintained on the blockchain? Units are generated through a process called mining, which involves harnessing computer power (CPU) to solve complicated math problems. All cryptocurrencies are maintained by a community of miners who are members of the general public that have set up their machines to participate in validating and processing transactions.

And if you’re wondering why a miner would choose to participate, the answer is simple: Manage the transactions, and earn some digital currency yourself. Those that don’t want to mine can purchase cryptocurrency through a broker and store it in a cryptocurrency wallet.

When was cryptocurrency developed?

In the wake of Occupy Wall Street and the economic crash of 2008, Satoshi Nakamoto created Bitcoin, a “peer-to-peer electronic cash system.” Bitcoin was a slap in the face to the “too big to fail” banks because it operated outside of a central authority, with no server and no one entity running the show. Bitcoin pioneers had high hopes of eliminating the middle man in order to cancel interest fees, make transactions transparent, and fight corruption.

While Bitcoin was the first and remains the most popular cryptocurrency, others saw its potential and soon jumped on the bandwagon. Litecoin was developed in 2011, followed by Ripple in 2012. In 2015, Ethereum joined the fray and has become the second most-popular cryptocurrency. According to CoinMarketCap, there are now more than 1,000 cryptocurrencies on the Internet.

Cryptocurrency’s popularity on the Internet soon bled into other real-world applications. Japan has adopted Bitcoin as an official currency for commerce. Banks in India are using Ripple as an alternative system for transactions. JP Morgan is developing its own blockchain technology in partnership with Quorum, an enterprise version of Ethereum.

However, as with any new and relatively untested technology, the cybercriminals wanted in. And it wasn’t long before Bitcoin and other cryptocurrencies fell victim to their own democratic ideals.

How has cryptocurrency been abused?

As secure as a Bitcoin address is, the application of its technology is often fumbled; usually by unpracticed programmers looking to get in on the action and creating faulty code. Fundamentally, the system is superior to centralized database systems, but poor coding practices among its thousands of practitioners have created a multitude of vulnerabilities. Like vultures to carrion, cybercriminals flocked to exploit. According to Hacked, an estimated 10 to 20 percent of all Bitcoin in existence is held by criminals.

While cryptocurrency was initially hailed as the next big thing in money, a savior for folks who just lost everything in steep recession (but watched as the banks that screwed them over walked away unscathed), a hack in 2011 showed how insecure and easily stolen cryptocurrency could be. Soon, the criminal-minded rushed in, looking to take advantage of the cheap, fast, permission-less, and anonymous nature of cryptocurrency exchange. Over the last nine years, millions of Bitcoin, worth billions of dollars, have been stolen—some events so major that they drove people to suicide.

On a smaller but much more frequent scale, cryptocurrency is used on the black market to buy and sell credit card numbers and bot installs, fund hacktivism or other “extra-legal” activity, and launder money. It’s also the payment method of choice for ransomware authors, whose profits are made possible by collecting money that can’t be traced. Certainly makes getting caught that much more difficult.

Ransom note asking for Bitcoin

And if that weren’t enough to call cryptocurrency unstable, the process of mining itself is vulnerable and has already attracted some high-profile hacks. Services such as CoinHive allow those that deploy it to mine the CPU of their site visitors—without the visitors’ knowledge or permission. This process, known as cryptojacking, is robbery-lite: Users may see an impact to their computer’s performance or a slight increase in their electric bill, but are otherwise unaffected. Or that is, they were, until cybercriminals figured out how to hack CoinHive.

Future applications

So where does that leave us with cryptocurrency? Surely its popularity is skyrocketing and its value is spiking so hard it could win a gold medal for beach volleyball at the Olympics. But is it a viable, safe alternative to our current currencies? Cryptocurrency could democratize the future of money—or it could end up in technology hell with AskJeeves and portable CD players.

We can see the technological applications for the future that demonstrate the clear advantages of cryptocurrency over our current system. But right now, cryptocurrency is good in theory, bad in practice. Volatile and highly hackable, we’ll have to move to create security measures that can keep up with the development of the tech, otherwise cybercriminals will flood the market so heavily that it never moves beyond the dark web.

If you want to learn even more about cryptocurrency, stay tuned for a deeper dive on blockchain technology and a full report on cryptojacking.

The post What is cryptocurrency and why do cybercriminals love it? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Why emerging APAC markets are prime targets for the malware of the future

Fri, 11/03/2017 - 02:00

In many ways, Asia has led the way in technological development. Robotics, video games, dizzyingly fast Internet speeds. But when it comes to cybersecurity, several APAC countries, especially those in emerging markets, are severely lacking. And while, according to the 2017 State of Malware Report, cybercriminals are still focusing the bulk of their nefarious efforts on North America and Europe, it’s not long before they turn their full attention to the vulnerable targets of the East.

To be clear, that doesn’t mean that there’s no cybercriminal activity in Asia-Pacific. Quite the contrary. According to research by March & McLellan Companies, APAC is an ideal environment for cybercriminals to thrive in due to high digital connectivity contrasted with low cybersecurity awareness and weak regulations. However, lack of transparency from Asian governments and businesses leads to the potentially inaccurate perception that threat levels in the APAC region are lower than everywhere else. We just don’t know what we don’t know.

That being said, our data shows that the most dangerous and pervasive forms of malware and the highest frequency of attacks are not happening yet in Asia-Pacific. Why? If you need an answer for why cybercriminals do anything, look no further than this: money. Threat actors target countries with the strongest economies in order to get the biggest return on their investments. In countries where the Internet is just being introduced, criminals would not expect to extort the same amount of money or data as in countries where the Internet rules almost all commerce, banking, data storage, and financial transactions.

Countries such as the Philippines, Malaysia, and Indonesia are already seeing widespread use of mobile banking and social media via smartphones, rapidly bringing Internet access to citizens. With widespread Internet adoption, it is only a matter of time before cybercriminals turn their attentions toward these markets.

In fact, just yesterday virtually every person in Malaysia had their personal data swiped in hacks of government servers and telco databases. After all, when market share increases, the sharks smell blood. To avoid the feeding frenzy, emerging APAC markets need to increase cybersecurity awareness and take active steps to mitigate risks as Internet access and adoption increases.

Let’s take a closer look at the factors that leave emerging markets in APAC vulnerable to attack.

Lack of regulation online

With the rapid growth of Internet usage in the APAC region, it’s likely that we’ll see a relative increase in malware detections. The aforementioned lack of transparency has resulted in weak cyber regulations by authorities in certain geographies, as well as a marked lack of security investment amongst businesses—perhaps partially due to the Internet security market still being heavily targeted toward US and European markets.

A relative lack of regulation leads to an Internet that resembles the wild west of early years—yet with the technological sophistication of today. This results in third-party app stores selling malicious apps unchecked, and pirated software often left unpatched due to lack of official support. It also leaves PCs ripe for takeover, which is why 50 percent of all botnet detections by Malwarebytes were centered in Asia. Outdated prevention security, the use of pirated software, lack of remediation or response, and poor cyber hygiene habits leave these systems open to online attacks.

Increased adoption of Internet without awareness

According to ESET’s Asia Cyber-Savviness Report, 78 percent of Internet users in Asia have not received any education on cybersecurity. Collectively, Asia’s level of awareness is comparably lower than other regions of the world. This general lack of awareness bleeds over into business, with 70 percent of Asian firms saying they don’t have a strong understanding of their cyber posture (Marsh & McLellan).

Without background information on the dangers inherent in cyberthreats, individuals and companies are less likely to consult cybersecurity resources, invest in security products, or respond quickly to breaches.

Some Asian economies such as Singapore, Hong Kong, and Taiwan boast excellent cybersecurity postures; all have government-linked cybersecurity agencies that sponsor education, outreach, and response to cyberthreats. The entire region must make a unified effort, however, to ensure that cybersecurity awareness is given greater emphasis.

Increased adoption of Android

Android devices are vulnerable to malware attack because of their high market share and ability to download third-party apps from vendors outside of Google. These vendors often don’t require that developers submit to strict security regulations, which leaves them vulnerable to infection (or, in many cases, results in malicious apps making their way into the marketplace unobscured). Unfortunately, the region of the world with the highest rate of Android adoption is, you guessed it, Asia.

In addition, local phone manufacturers in emerging Asian markets have been known to skimp on security features in order to reduce manufacturing costs. This leaves Asian Android users even more open to attack.

Increased adoption of IoT devices

Asia-Pacific leads the IoT market, having pioneered the adoption of IoT and machine-to-machine technology. Yet IoT is still a relatively new technology, for which security has not be adequately developed. Because of this, we’re already seeing IoT devices being compromised for botnet attacks, which are rampant in the APAC region.

While Internet usage in the region continues to grow, legislation and cybersecurity awareness is lagging behind; users are leaving themselves vulnerable to increasing attacks from cybercriminals. Individuals, businesses, and government bodies must learn more about cybersecurity, educate their friends, family, and coworkers, and take steps to secure their environments now before the inevitable tsunami of cyberattacks hits.

The post Why emerging APAC markets are prime targets for the malware of the future appeared first on Malwarebytes Labs.

Categories: Techie Feeds