Malwarebytes

The Security Blog From Malwarebytes

Securing the managed service provider (MSP)

Fri, 10/11/2019 - 18:04
Categories: Techie Feeds

Explained: war shipping

Tue, 10/08/2019 - 19:15
Categories: Techie Feeds

Magecart Group 4: A link with Cobalt Group?

Thu, 10/03/2019 - 15:00
Categories: Techie Feeds

A week in security (September 23 – 29)

Mon, 09/30/2019 - 15:43
Categories: Techie Feeds

Insurance data security laws skirt political turmoil

Wed, 09/25/2019 - 22:44

Across the United States, a unique approach to lawmaking has proved radically successful in making data security stronger for one industry—insurance providers.

The singular approach has entirely sidestepped the prolonged, political arguments that have become commonplace when trying to pass federal and state data privacy laws today.

In California, for example, Big Tech lobbying groups have repeatedly supported legislative attempts to defang and diminish the consumer protections afforded by the state’s landmark data privacy law, the California Consumer Privacy Act.

In Maine, the state’s Chamber of Commerce published narrowly-defined statistics in an attempt to dissuade public favor for the state’s ISP privacy bill, one of several maneuvers that the ACLU of Maine labeled as “gaslighting”—the surreptitious act of purposefully feeding someone false information to destabilize their notions of truth and fact.

Yet, in Michigan, no immediate opposition rose to combat a law that will tighten the cybersecurity protections of insurance providers like Geico, Prudential, Progressive, AAA, Allstate, and Farmers.

The same peace washed over Mississippi earlier this year, when a similar insurance cybersecurity bill, cycling through the state’s legislature, received no comments in the public record, either for or against.

And in just eight days that spanned between July and August, the legislatures in Connecticut, Delaware, and New Hampshire passed similar cybersecurity laws, all aimed at improving the internal cybersecurity controls and processes for most workers that are licensed to sell insurance. Included in the laws are requirements to perform internal risk assessments and to maintain response plans in case of a cybersecurity incident, like a data breach.

While data privacy laws in the US have sparked repeated skirmishes, data security laws for insurance providers are enjoying a summertime ease: A bill gets introduced, is supported, and often receives a unanimous vote in passage.

This isn’t the product of sudden, benevolent bipartisanship across multiple states, though. Instead, it is the product of years-long forward planning and collaboration in the insurance industry, punctuated by a close-to-home data breach.  

It is the story of a different kind of lawmaking.  

Insurance and regulation—a backgrounder

Insurance regulation in the United States is, to put it lightly, strange.

In 1945, following a thorny Supreme Court case about whether or not the sale of insurance services could be labeled as “commerce,” Congress passed the McCarran-Ferguson Act. The law, which still applies today, requires that “no Act of Congress shall be construed to invalidate, impair, or supersede any law enacted by any state for the purpose of regulating the business of insurance.”

What that means in practice is that the insurance industry is regulated almost entirely by individual states.

The same cannot be said for nearly any other industry in the United States, from healthcare to finance, both of which have national information security laws that apply to their sectors.

If that isn’t complicated enough, another wrinkle in the insurance industry is who can actually sell it.

In the United States, selling insurance isn’t like selling a used record player on Craigslist—selling insurance requires a license, and, depending on the type of insurance sold, there are different types of licenses. In California, for example, there are licenses for selling life insurance, property and casualty insurance, and accident and health insurance.

The requirements to get licensed also differ from state to state. In Georgia, Hawaii, and Idaho, for example, “licensees”—who are the people required to obtain a license—must get fingerprinted, while the same is not true in Indiana, Kansas, and Nebraska. The number of hours required for pre-exam training also varies, from zero hours required in Alaska to 200 hours in Florida for those who want to sell property and casualty insurance.

Jeffrey Taft, a partner at the law firm Mayer Brown who works in the firm’s financial services regulatory and enforcement group and its cybersecurity and data privacy practice, said that, for decades, insurance companies have simply put up with the state-by-state regulations. But, Taft added, these companies can rely on the help of a group called the National Association of Insurance Commissioners (NAIC) to make sure that every state law comes from an agreed-upon place.

“Historically, how it’s been, every state has its own insurance department, and every insurance company has to deal with 50 states if they’re a national business,” Taft said. “It’s somewhat cumbersome, as you might imagine, but NAIC tries to make it a more streamlined process to make state laws consistent.”

NAIC, which dates back to 1871 (for perspective, Ulysses S. Grant was president), is the association of the chief insurance regulators from each of the 50 states, plus Washington, DC, and five US territories. The regulators routinely work together to establish standards and best practices and to write what are called “model laws,” which are, essentially, draft pieces of legislation which the group publishes and leaves for individual states to adopt as they choose.

These model laws often address a certain need or threat for the insurance industry, from military sales practices to insider trading to corporate governance disclosures.

In 2014, that need was cybersecurity. That year, the NAIC Executive Committee established a “Cybersecurity Task Force” to review the association’s current model laws that touched on information security and consumer privacy protections, and to make a call on how to best address cybersecurity concerns through the association’s own model law process.

Jennifer McAdam, senior counsel for the NAIC, said that, because of the various kinds of important, private data that insurers collect, cybersecurity is a top concern.

“For NAIC members, it was important to address the unique issues insurers face regarding cybersecurity,” McAdam said. “Insurers collect sensitive consumer data including social security numbers, financial account information, and health care data. Because they collect and maintain this kind of data, insurers are at a high risk of being breached.”

One year later, that risk became an unavoidable reality.

The Anthem data breach and the Insurance Data Security Model Law

On February 4, 2015, the health insurance company Anthem disclosed that hackers had stolen the records of 37.5 million people. Names, birthdays, Social Security numbers, physical and email addresses, medical IDs, and employment and income information had all been harvested in the attack. Twenty days later, Anthem readjusted its victim estimate. It wasn’t 37.5 million, it was 78.8 million.

In 2016, in continuing its work on cybersecurity concerns, the NAIC task force began drafting its Insurance Data Security Model Law.

“Drafting started a year after Anthem disclosed its massive health care data breach,” McAdam said. “As insurance commissioners from across the country collaborated to address the Anthem breach, they began discussing what kind of model legislation would help them perform their jobs better in the event of future similar breaches.”

The model law took 18 months to draft, during which six versions were shared and opened to comment for a period of about 30–45 days each.

McAdam said that, after the second version of the model law received comments, six priorities were identified:

  1. State uniformity and exclusivity of the law
  2. Potential exemptions for licensees that are subject to current federal information security laws
  3. Whether to include a “harm trigger” in the definition of a “data breach”
  4. The definition of “personal information”
  5. Scalability of data protection requirements for smaller insurance licensees
  6. The oversight of third-party service providers that can access some of the data held by licensees

Starting in November 2016, a smaller “drafting group”—which included regulators from seven states, representatives from nine industry groups, a representative from one consumer group, and a professor of law at University of Connecticut—began ironing out these six priorities.

In February 2017, the drafting group found help in looking to New York. That month, the New York Department of Financial Services released its own rules on cybersecurity, called the NYDFS Cybersecurity Regulation.

The New York regulation addressed some of the very same priorities that the NAIC drafting group was set to solve, including when and how to notify consumers of a data breach, and what type of information to protect, which the NYDFS regulation described as “non-public information.”

After implementing a few ideas from the New York regulation, the NAIC Insurance Data Security Model Law reached a concrete shape.

The model law, in its final version, requires that licensees protect “non-public information,” which is defined as any information that belongs to a consumer which, because of their “name, number, personal mark, or other identifier” can reveal a consumer’s identity when combined with another part of their data, including their Social Security number, driver’s license number, credit or debit card number, and any security code, access code, or password that would permit access to a consumer’s financial account, along with their biometric records.

The model law mandates that licensees perform risk assessments to determine how to best protect their non-public information. Following the risk assessment, licensees should use what they’ve learned to develop an “Information Security Program” that comprises administrative, technical, and physical safeguards to protect non-public information. Licensees can pick from a variety of measures to protect non-public information, from placing controls on who can access that information, to using encryption, to using multi-factor authentication, to developing procedures for securely disposing of non-public information.

While the above mitigation and protection methods are suggestions, the model law requires that licensees provide cybersecurity awareness training to their personnel, and to “stay informed regarding emerging threats or vulnerabilities.”

Insurance licensees must also practice “due diligence” when hiring third-party service providers that can access the insurance licensees’ non-public information.

Further, the model law makes exceptions for companies that are already subject to the Health Insurance Portability and Accountability Act (HIPAA).

In October 2017, the full NAIC membership and plenary adopted the Insurance Data Security Model Law.

The model law proved immediately popular with several states.

States take action

On January 23, 2018, two South Carolina lawmakers introduced the South Carolina Insurance Data Security Act into the state’s House of Representatives. In April, the state’s Senate voted unanimously in favor of the law, and on May 3, Governor Henry McMaster signed the act into law.

Ohio adopted its insurance data security law on December 19, 2018. Michigan did the same nine days later, following a legislative process in which several insurance trade associations—all of which represented the businesses that would be subject to new regulations—spoke in favor of the bill. In fact, Michigan’s bill received no industry group opposition; only the Department of Insurance and Financial Services demurred, in testifying “with concerns,” but without opposition.

Mississippi’s governor signed the state’s insurance data security law on April 3, 2019, after the state’s Senate voted unanimously in favor of it. And from July 26 through August 2, Connecticut, Delaware, and New Hampshire adopted their own insurance data security laws.

The state laws differ in small ways, but all of them, except for the Connecticut law, are modeled directly after the NAIC Insurance Data Security Model Law. Connecticut, instead, modeled its law after the New York Department of Financial Services Regulation.

Care to take this outside (of insurance)?

The NAIC’s model law, while successful, is the product of a one-of-a-kind framework. Because of a Supreme Court case that flipped the switch on how insurance could be regulated, Congress decided to pass a law to preserve the way it had always been regulated—by the states.  

Because those states each have a Department of Insurance and elected Insurance Commissioners, those commissioners can work together to draft laws that can then be taken to their state legislatures. Because industry insiders are involved in the drafting process, there is rarely a case when those insiders oppose a bill based on their own ideas.

All of those ingredients, this time, added up to make better data security laws for one industry. Those same ingredients cannot be added up to make a comprehensive data privacy law in the United States, unfortunately.

If anything, privacy advocates would likely balk at the idea of Big Tech insiders working together to write a bill that regulates their own activities.

In fact, that process has already happened. Earlier this month, some of the largest companies in America published a framework for what they wanted to see in a federal consumer privacy law. Included in their recommendations was the proposal that no private individual could sue them for violating the future law.

How predictable. Who wants to place a bet on whether Congress would unanimously approve such a bill?

So while the model for creating and passing insurance data privacy and cybersecurity laws results in consistent frameworks adopted across individual states, lawmakers cannot rely on the same process for other industries. Instead, they might consider using a different model law, the GDPR, to provide a framework for federal data privacy legislation.

Until then, expect plenty more opposition to data privacy and cybersecurity laws passed in any other states for any other industries.

The post Insurance data security laws skirt political turmoil appeared first on Malwarebytes Labs.

Categories: Techie Feeds

15,000 webcams vulnerable to attack: how to protect against webcam hacking

Tue, 09/24/2019 - 17:19

Webcams may have been around for a long time, but that doesn’t mean we know what we’re doing with them. Webcam hacking has been around for just as long, yet new research from Wizcase indicates that more than 15,000 private, web-connected cameras are exposed and readily accessible to the general public.

So forget hacking, cybercriminals can just take a stroll through the Internet and grab whatever webcam footage they like for the taking.

Malware targeting web cameras is a mainstay of the malicious hacker’s toolkit. Sometimes it’s for profit and blackmail. Often the threat of footage that doesn’t exist is mashed up with old data breaches to force people to part with their money.

Other times, people would hack PCs and reveal shock meme footage on a victim’s desktop, then capture screenshots for posterity, sharing them on hacker forums for giggles and bragging rights.

Mainly, what seems to be happening a lot right now is a whole lot of negligence. People are connecting their cameras to the Internet without any security features enabled. Worse still, many cams don’t have any security features to enable in the first place.

A persistent problem

We’ve spoken at length as to why security features aren’t necessarily advertised front and centre in the instructions of IoT devices. Companies want to seduce buyers with cool tools and amazing features, not ram “SET UP A PASSWORD” down their throats on page one of the instruction booklet. It’s strange, considering how safety and security messaging is typically high priority for other products.

When was the last time you saw a car advertised without some sort of passing mention of seatbelts, or how good the rollcage is, or how many airbags they have, or words like “safety for the whole family”? Epilepsy, violence, and adult language warnings are now a prominent feature of video games, movies, and television. Even social media comes with trigger warnings.

Computer equipment, though? Somehow it seems to run the risk of making the cool toys very uncool indeed. You know what’s definitely worse than security warnings all over the place?

Default configurations exposing your webcam’s stream to the whole world.

Webcam hacking the planet

Researchers from Wizcase discovered the following:

Around 15,000 webcams located in homes, businesses, places of worship, and many more were placed online without additional security measures. Regions spanned the globe, from Argentina and Brazil to the UK and Vietnam. Both adults at work and children presumably at home were all easily viewable after the cams were accessed remotely. This is a clear privacy and security risk, especially in terms of potential damage threatened by phishing, blackmail, sextortion, and more.

The cams offered up problems such as unsecured P2P networking and lack of password authentication on devices with Universal Plug and Play (UPnP) enabled, and easily guessable default login passwords for admin. In situations where consumers expected products to work “out of the box,” this problem was exacerbated by a lack of security knowledge.

In addition, not only were the cam streams accessible, but there were also other areas where admin could be compromised by webcam hacking techniques. Geolocation and potential control of devices were also possible.

Some of the devices looked at in the research include the following:

  • AXIS net cameras
  • Cisco Linksys webcam
  • IP Camera Logo Server
  • IP WebCam
  • IQ Invision web camera
  • Mega-Pixel IP Camera
  • Mobotix
  • WebCamXP 5
  • Yawcam

There’s an astonishing amount of personally identifiable information (PII) up for grabs, then, and in many ways and formats. Screenshots, audio, moving images, things consumers shouldn’t be viewing deep in the heart of a business, things you shouldn’t have access to in a home environment—it’s all there. 

This certainly isn’t “just” a webcam hacking problem. Harassing toddlers via baby monitors? Sure, those stories come around regularly. Home hubs not locked down as well as they could be? The frankly bizarre sky’s the limit.

Webcam security tips

As with most Internet-connected devices, good security practices will help steer you clear of this danger. Keep your system up to date, along with your chosen selection of security tools, and perform regular scans to keep everything in shipshape condition.

If your cam is a USB device connected to a desktop, you can always unplug it when not in use.

If the cam is integrated into your laptop, you can turn it off completely via Device Manager.

You should also consider adding a webcam cover to your device if it doesn’t have one already fitted. If you need to cover a cam in a hurry, pretty much anything sticky will do the job. Masking tape is absolutely your friend.

If you’re worried about your conversations being recorded, you can also kill off the microphone should you so desire.

Most webcams should fire up a visible light to let you know when they’re in use. Some devices don’t do this, and so Windows 10 has the option to notify you when something is making use of it.

If you think files are being recorded, they could well be stored on your machine somewhere. It’d be well worth having a look around some common (and not so common) file locations. There’s also plenty of programs out there designed to see what’s eating up space on your hard drive, so you could use one of those to look for common video files or other large-sized files.

Cheap and nasty?

Standalone cams are notorious for not being secured properly. If you have a cheap IoT device in your home watching over your sleeping toddler, or a few handy cams serving as convenient CCTV when you head off to the shops, take heed. It may be that the price for accessing said device on your mobile or tablet is a total lack of security.

Always read the manual and see what type of security the device is shipping with. It may well be that it has passwords and lockdown features galore, but they’re all switched off by default. If the brand is obscure, you’ll still almost certainly find someone, somewhere has already asked for help about it online.

Tuning in to chaos

While this isn’t anything particularly new where webcams and devices in the home are concerned, it’s a timely reminder to be careful about what we invite into our homes. Even the best devices can run into an exploit, and it’s a fact that many webcam devices don’t come anywhere close to being “the best.” Indeed, security researchers run into devices thrown together as cheaply as possible with no thought given to security all the time.

Until security is baked right into these useful yet potentially dangerous tools, and marketing teams realise it’s okay to allow a little drag on the initial user experience to ensure everything is locked down, this will continue to happen.

If you’re unsure about a particular brand, it won’t hurt to have a little dig around online first before purchasing. Pay close attention to security features listed or (more problematically) no security features listed whatsoever. If the device looks appealing and on sale at a surprisingly cheap price, a lack of any brand name listed whatsoever may be the point where alarm bells start going off.

You simply can’t be sure what you’re taking home at that point, and even the various security tips up above may not be enough to keep things safe and clean at all times. Be on your guard, drop some tape on that ever-present eye in the corner of your room, and go about your day. It’s definitely a problem, but it isn’t one you need to let rule your day-to-day online experience.

The post 15,000 webcams vulnerable to attack: how to protect against webcam hacking appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Emotet malspam campaign uses Snowden’s new book as lure

Mon, 09/23/2019 - 18:40

Exactly one week ago, Emotet, one of the most dangerous threats to organizations in the last year, resumed its malicious spam campaigns after several months of inactivity. Based on our telemetry, we can see that the botnet started becoming chatty with its command and control servers (C2) about a week or so before the spam came through.

Figure 1: Communications with Emotet C2s over 90 days

To kick off its spam campaign last week, Emotet resumed spear phishing tactics it adopted in late spring 2019, hijacking old email threads with personalized subject lines and appearing as old invoices.

This week, Emotet is trying a different tactic, incorporating the news about NSA whistleblower Edward Snowden’s new book Permanent Record as a lure. The memoir, which is already on Amazon’s bestseller list, has been the subject of intense debates. In addition, the US government is also suing Snowden for violating non-disclosure agreements and publishing without prior approval.

Criminals are known to capitalize on newsworthy events for scams and other social engineering purposes. In this particular case, Emotet authors are supposedly offering Snowden’s memoir as a Word attachment. We collected emails from our spam honeypot in English, Italian, Spanish, German and French claiming to contain a copy of Snowden’s book in Word form.

Upon opening the document, a fake message that “Word hasn’t been activated” is displayed to victims, who are prompted to enable the content with a yellow security warning. Once they do, nothing appears to happen. However, what users don’t see is the malicious macro code that will execute once they click on the button.

Figure 3: Fake document containing macro code

The macro triggers a PowerShell command that will retrieve the Emotet malware binary from a compromised WordPress site. After infection, the machine will attempt to reach out to one of Emotet’s many C2s:

Figure 4: Network traffic upon infection

As each new week rolls in, the threat actors behind Emotet are always punctual with delivering their spam messages, thanks to their large botnet. And once they’ve spammed and infiltrated an endpoint, their work is far from over. As we’ve said before, Emotet is a double or even triple threat if it is not quarantined right away.

Follow-up payloads, such as TrickBot and Ryuk ransomware, are those that can truly cripple any business that is not prepared.

Malwarebytes business users and Premium home users are already protected against this threat.

Indicators of Compromise (IOCs)

Malicious Word document

5ab7a5cf290ebf52647771f893a2fa322a9b1891e5a5e54811c500dd290c8477

Emotet payload

757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975

Network traffic

Emotet: www.cia.com[.]py/wp-content/uploads/2019/09/XNFerERN/
Emotet C2: 62.75.171.248:7080/chunk/window/ringin/
Emotet C2: 133.130.73[.]156
Emotet C2: 178.32.255[.]133
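As an added example (not code from the post or from Malwarebytes), the indicators above turned into a small detection pass over web-proxy logs: the bracketed dots are refanged, each line is checked against the payload URL and the C2 hosts, and hits are grouped by client so the endpoints to isolate stand out. The log lines and the ws-NNN client names are constructed; the indicator values are the ones listed above.

```python
"""Run the Emotet indicators listed above over web-proxy log lines.

Added example, not Malwarebytes code. SAMPLE_LOG is constructed; the
indicator values are copied from the post (defanged with "[.]").
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators exactly as published above (defanged form).
PAYLOAD_URL = "www.cia.com[.]py/wp-content/uploads/2019/09/XNFerERN/"
C2_INDICATORS = [
    "62.75.171.248:7080/chunk/window/ringin/",
    "133.130.73[.]156",
    "178.32.255[.]133",
]


def refang(value: str) -> str:
    """Restore the '[.]' defanging to a plain dot so the value can be matched."""
    return value.replace("[.]", ".")


def host_of(indicator: str) -> str:
    """Strip port and path from an indicator like 'ip:7080/path/' -> 'ip'."""
    return refang(indicator).split("/")[0].split(":")[0]


@dataclass
class Hit:
    line_no: int
    src: str        # internal client that made the request
    kind: str       # "payload_download" or "c2_beacon"
    indicator: str  # what matched


# Constructed proxy log (not real traffic): time, client, method, host:port, path, status.
SAMPLE_LOG = """\
2019-09-23T14:02:11Z ws-117 GET www.cia.com.py:80 /wp-content/uploads/2019/09/XNFerERN/ 200
2019-09-23T14:02:15Z ws-117 POST 62.75.171.248:7080 /chunk/window/ringin/ 200
2019-09-23T14:03:40Z ws-042 GET update.example.com:443 /patches/2019/ 200
2019-09-23T14:05:02Z ws-117 POST 133.130.73.156:8080 /loader/ 200
2019-09-23T14:07:19Z ws-088 GET www.example.org:443 / 304
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\S+) (\d{3})$")


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per log line that touches the payload URL or a C2 host."""
    payload_host, _, rest = refang(PAYLOAD_URL).partition("/")
    payload_path = "/" + rest
    c2_hosts = {host_of(c2) for c2 in C2_INDICATORS}
    hits: List[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, src, _method, host, _port, path, _status = m.groups()
        if host == payload_host and path.startswith(payload_path):
            hits.append(Hit(line_no, src, "payload_download", PAYLOAD_URL))
        elif host in c2_hosts:
            # Port is deliberately ignored: the post lists C2s with and without one.
            hits.append(Hit(line_no, src, "c2_beacon", host))
    return hits


def affected_clients(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group hit kinds by client, i.e. the endpoints to isolate and triage."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        out.setdefault(h.src, []).append(h.kind)
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.src} {h.kind} ({h.indicator})")
    print(affected_clients(found))
```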


The post Emotet malspam campaign uses Snowden’s new book as lure appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (September 16 – 22)

Mon, 09/23/2019 - 15:55

Last week on Labs, we sounded the alarm about the relaunch of Emotet, one of the year’s most dangerous forms of malware, with a new spam campaign. We also reported on how international students in the UK are targeted by visa scammers, what CEOs think about a potential US data privacy law, and introduced Malwarebytes Browser Guard. Finally, we looked at the role of data destruction in cybersecurity.

Other cybersecurity news
  • A streak of hacked celebrity Instagram accounts continues as a group of cybercriminals target them to promote scam sites to their huge number of followers. (Source: BleepingComputer)
  • YouTube’s new verification system attempted to ensure that large channels were safe from impersonation but had the unintended consequence of removing other popular channels. (Source: TechSpot)
  • Ecuador has begun an investigation into a sprawling data breach in which the personal data of up to 20 million people was made available online. (Source: The New York Times)
  • Google has released an urgent software update for its Chrome web browser and is urging Windows, Mac, and Linux users to upgrade the application to the latest available version immediately. (Source: The Hacker News)
  • Researchers have uncovered two variants of information-stealing Mac malware that impersonate a legitimate stock and cryptocurrency trading application. (Source: SCMagazine)
  • A Bulgarian phishing criminal who created fake versions of legitimate companies’ websites as part of a £40m fraud has been jailed. (Source: The Register)
  • Nearly 50 school districts and colleges have been hit by ransomware in 2019 so far, and more than 500 individual K–12 schools have potentially been compromised. (Source: Dark Reading)
  • Modern TV has a modern problem: all of your Internet-connected streaming devices are watching you back and feeding your data to advertisers. (Source: ArsTechnica)
  • US authorities have indicted two suspects for hacking cryptocurrency exchange EtherDelta in December 2017, changing the site’s DNS settings, and redirecting traffic to a clone. (Source: ZDNet)
  • How data breaches forced Amazon to update S3 bucket security. (Source: HelpNet Security)

Stay safe!

The post A week in security (September 16 – 22) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What role does data destruction play in cybersecurity?

Fri, 09/20/2019 - 18:18

When organization leaders think about cybersecurity, it’s usually about which tools and practices they need to add to their stack—email protection, firewalls, network and endpoint security, employee awareness training, AI and machine-learning technology—you get the idea. What’s not often considered is which items should be taken away.

Nearly as important to an organization’s security posture is data destruction, or what to do with data when it’s no longer necessary for the company…or when it falls into the wrong hands.

What exactly is data destruction?

The word “destruction” doesn’t always carry positive connotations. A person might worry about data destruction if their device fails and they haven’t made proper backups or don’t store their data in the cloud. However, organizations must destroy data on a nearly daily basis, whether that’s deleting emails to clean out an inbox or making room on a database by dumping old, no-longer-relevant files.

In days of yore, destroying data was a fairly simple task. Take old papers and run them through the shredder. Then dump at a recycling facility, wipe your hands, and smile at your empty file cabinets.

Modern data destruction is more complex. Data stored on tapes, disks, hard drives, USBs, and other physical hardware must be purged before old devices are thrown away, re-used, or sold. And data no longer in use that’s stored on networks and in the cloud should be systematically destroyed in the interest of organizing relevant data and keeping it out of the hands of criminals.

It’s a step companies must take whenever they stop using something that holds information. A thorough data destruction process involves making what was formerly on an electronic storage device unreadable. Businesses must do this, no matter if they intend to sell an old storage medium or throw it away.

What are the main types of data destruction?

To truly destroy data, merely deleting a file is insufficient. While the file may no longer be viewable in a particular folder, it is still likely stored on the device’s hard drive or memory chip. Therefore, organizations must take an extra step to ensure the data can no longer be read by an operating system or application.

Companies have a few main choices when deciding how to destroy their data properly:

  • Degaussing
  • Overwriting
  • Physically destroying the storage medium

Degaussing requires using a special tool called a degausser and choosing one designed for the particular storage device. The degausser removes or reduces the magnetic field associated with the storage disk, which renders the data inside unreadable and unrecoverable.

Overwriting means replacing the old data with new. This method only works when the storage medium is undamaged and writable—and of course when an organization plans to continue using the medium instead of throwing it away or reselling.

Physically destroying the storage hardware usually means striking it with a hammer or taking it into a field with a baseball bat, Office-Space style. This is a costly data destruction method, but one that gives exceptionally high confidence that someone could not access the information later.

There are also other destruction options within those broader categories. For example, data wiping is a form of overwriting, and erasure is another.
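As an added example (not code from the post), the overwriting method above applied to a single file, with a check that none of the original bytes remain before the file is unlinked; the temporary file and the secret value are constructed. File-level overwriting only sanitizes media that write back to the same blocks: on SSDs and on copy-on-write or journaling filesystems the old data can survive, which is why disposal of a whole device relies on the degaussing or physical destruction routes listed above.

```python
"""Overwrite a file in place before deleting it, and check that the old bytes are gone.

Added example, not code from the post. The temporary file and SECRET are
constructed; the point is that os.remove alone only drops the directory entry.
"""
import os
import tempfile
from typing import Callable, Tuple

CHUNK = 1 << 20  # write in 1 MiB pieces so large files are not held in memory at once


def _fill(f, size: int, make: Callable[[int], bytes]) -> None:
    """Write `size` bytes produced by `make` from offset 0, then force them to disk."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(make(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def overwrite_file(path: str, random_passes: int = 1) -> int:
    """Replace every byte of the file with random data, then with zeros. Returns the size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(random_passes):
            _fill(f, size, os.urandom)
        _fill(f, size, lambda n: b"\x00" * n)
    return size


def overwrite_and_delete(path: str, random_passes: int = 1) -> int:
    """Overwrite first, then unlink. Returns the number of bytes overwritten."""
    size = overwrite_file(path, random_passes)
    os.remove(path)
    return size


def demo(secret: bytes = b"SSN:123-45-6789 acct:4111111111111111") -> Tuple[bool, int, bool]:
    """Write a constructed secret, overwrite it, and report
    (any original data still readable?, bytes overwritten, file still exists after delete?)."""
    fd, path = tempfile.mkstemp(prefix="destruction-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    size = overwrite_file(path)
    with open(path, "rb") as f:
        leftover = f.read()
    # After the final zero pass every byte must be 0; any nonzero byte means not wiped.
    still_readable = (secret in leftover) or any(leftover)
    os.remove(path)
    return still_readable, size, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```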

Which cybersecurity risks does data destruction tackle?

A breach is the cybersecurity threat most people probably think of when they ponder what could happen due to insufficient data destruction. Most organizations collect and store sensitive or personally identifying information on their employees and customers, for example. Yet, once those employees or customers move on, businesses may hold onto their data for a little while but eventually want to remove it from their systems so they are not liable for fallout from a breach.

Cybercriminals look to compromise organizations for this very reason; and they do not limit their efforts to data being actively used by an organization. Data at rest, in storage, and in transit are all at risk. And threat actors know that users and organizations often rid themselves of physical devices without completely wiping them of data. According to the BBC, 1 in 10 second-hand hard drives still contain users’ old information.

Obtaining the data may also happen innocently. An individual could buy a USB drive from a third-party source and notice there’s still information on it when they plug the device into a computer, for example. A person could also gain access to sensitive data by noticing that a company is throwing away some hard drives in an easily accessible dumpster, and take the disks out of the receptacle later.

Beyond data breaches, organizations may be fined for mishandling the information in their care. Businesses can incur millions of dollars in penalties once regulators conclude they’re not meeting minimum standards for data safekeeping.

An IT company called Probrand conducted a data destruction poll a couple of months after the General Data Protection Regulation (GDPR) came into effect. It showed that 71 percent of United Kingdom trade sector businesses did not have an official protocol for getting rid of old computer equipment. Then, 47 percent of respondents admitted they would not know which person in their organization to approach about data destruction.

Companies cannot view data destruction and cybersecurity separately. They go together, and if an organization doesn’t take it seriously, its cybersecurity plan falls short, particularly when it comes to safeguarding information. Enterprises should consider a top-down approach when protecting and disposing of data—especially when the GDPR or other regulations apply to them.

What should organizations consider when choosing a destruction method?

Although the data destruction techniques mentioned above encompass the main options available to organizations, that doesn’t mean companies do or should choose only one option and use it for all cases. Instead, they need to think about time, cost, and the validation and certification associated with each method.

Time comes into play because some techniques take longer than others to ensure old information is completely gone. The number of devices or drives an organization wants or needs to destroy at once also matters. For example, if a company only needs to delete the data from one or two endpoints, that’ll be a much shorter demand on time compared to dealing with hundreds of machines.

Cost is mainly a factor to keep in mind if an enterprise intends to use the hard drives again for different purposes, or it has limited financial resources. Perhaps their budgets do not allow for getting replacement computers, making physically destroying a hard drive out of the question.

Validation and certification are related. They address how companies may need to work with data destruction service providers that can validate their methods and provide certifications after doing the job. Having a certificate helps a business show its compliance.

For advice on which methods to follow in which scenarios, the National Institute of Standards and Technology (NIST) has published guidelines for data sanitization. Organizations are not legally required to follow the standards put forth by this US Department of Commerce–sponsored report, but they are helpful in outlining best practices for protecting data from infiltration, abuse, misuse, theft, and resale.

Should destroying data be high priority?

IT executives have a growing number of challenges to overcome regarding cybersecurity. Some of them may wonder if data destruction (or lack thereof) is a genuinely confirmed risk or merely a theoretical one. Substantial evidence shows that companies cannot afford to overlook data destruction as they iron out their cybersecurity plans.

Matt Malone is a dumpster diver who confirms that many hacks and identity thefts occur when people go through someone’s trash. Malone often targets the dumpsters of retailers and said that off-hours activity made more money for him than his day job.

Also, a tech company called Stellar performed a residual data study in 2019 that analyzed the information left on 311 devices. It found that more than 71 percent of them contained personally identifiable information (PII). Additionally, 222 of the devices went to the secondary market without their original owners conducting the appropriate information-erasing procedures first.

An earlier study from the National Association for Information Destruction revealed that 40 percent of devices received secondhand had PII on them. Researchers looked at more than 250 items for the study.

Furthermore, research published in 2015 highlighted the need to work with reputable data destruction companies that stand behind their results. The study examined 122 used devices bought from e-commerce sites. In addition to 48 percent of the hard drives containing residual data, 35 percent of the mobile phones had information such as call and text logs, images, and videos.

Even worse, previous deletion attempts occurred on most of the devices: 75 percent of the hard drives and 57 percent of the mobile phones. A closer look told the researchers that people tried to delete the information with widely available but unreliable data destruction methods. A lesson learned here is that it’s crucial to weigh the pros and cons of each option before tasking a reliable company with discarding the information.

Data destruction should not be overlooked

Cybersecurity is a hot topic for organizations, which are increasingly being targeted by cybercriminals for their troves of valuable PII. Data that is no longer useful to an organization is still a goldmine for threat actors. As the saying goes: One person’s trash is another person’s treasure.

And while organizations might spend a fortune on protecting their active data from getting into the wrong hands, what’s often overlooked is how inactive or old data is improperly secured or destroyed. Removing all traces of old data is important for saving consumers from continued exploitation, plus it sends a message to criminals that your organization has air-tight defense—even around its dumpsters.

The post What role does data destruction play in cybersecurity? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Browser Guard combats privacy abuse, tracking, clickbait, and scammers

Thu, 09/19/2019 - 18:27

In July 2018, we introduced the Malwarebytes Browser Extension, a beta plugin for Firefox and Chrome aimed at delivering a safer, faster, and more private browsing experience.

Our extension blocked tech support scams, hijackers, pop-up ads, trackers, and more to keep users secure and free from online harassment. And thanks to our loyal Malwarebytes community, we’ve been able to test and improve on this beta for more than a year. We’re pleased to release the full version, named Malwarebytes Browser Guard, which is now available in the Chrome and Firefox web stores.

In this post, we’ll cover the features included in Browser Guard, its main functionality, how to whitelist preferred websites, and the difference between our extension and flagship PC and Mac software, Malwarebytes for Windows and Malwarebytes for Mac.

What does Browser Guard do?

Browser Guard, a free extension, blocks unwanted ads and trackers that intrude upon users’ privacy, while also protecting against clickbait and scams. The extension prevents browser hijackers, lockers, and annoying and sometimes malicious pop-ups, all known scare tactics to trap consumers in tech support scams, exposing them to unwanted content and forcing them into purchasing unnecessary, expensive technical support.

Recent independent tests from AV Lab recognized Malwarebytes Browser Guard for having the best protection among competitive browser security offerings, blocking 98.07 percent of malware.

What’s new in Browser Guard?

After continuous testing of functionality with thousands of users for more than a year, the most prominent change we made from beta to final release is to the graphical user interface (GUI). While people were happy with the way the beta worked, many wished for more granular control in the settings, as well as more elaborate statistics on blocked ads, malware, scams and other items.

I have Malwarebytes Premium. Do I still need Browser Guard?

Browser Guard does have extra protection features, as well as benefits for privacy, including ad and tracker blocking. And of course, Malwarebytes Premium versions have anti-exploit technology, real-time malware protection, anti-ransomware, and stalkerware protections that Browser Guard does not.

Where the web blocking module of Malwarebytes Premium and Browser Guard share a database of blocked IPs and domains, there is an overlap.

Looking at Malwarebytes Premium, it blocks the IPs and domains for all running applications, where Browser Guard does this only for the browser the extension is installed on.

On the other hand, Browser Guard blocks more than just domains and IP addresses. Not only does it recognize malicious websites based on their behavior that are not in the database (yet), it also blocks advertisements and trackers. These are not always malicious, but they usually do not improve user experience, and blocking them can speed up your browsing by up to four times.

This gif shows a site before and after enabling Browser Guard and how much it blocked.

False positives

Behavioral detection is prone to false positives. Of course, we do our utmost to avoid them as much as we can, but they can’t be totally avoided. Luckily, the worst that can happen is that you will be initially denied access to a website that turns out to be harmless. But that doesn’t mean you’re blocked for good.

When you are sure the website is harmless, you can change the settings in Browser Guard to allow that specific site. That way, you can grant yourself access to the site without having to lower your global settings. Where some programs would require you to disable protection or lose your protection completely, our extension allows you to change site-specific settings without making your browser vulnerable on other sites.

Whitelisting items for a website

In Browser Guard, you can allow specific items by excluding them from certain types of protection and adding them to the “Allow list.” Here’s how to do it:

  • In the Browser Guard GUI, click the hamburger menu icon (the three vertical dots next to the gear icon).
  • In the dropdown menu, click Allow list.
  • Here you can specify the site(s) that the exception will apply to in the form of a URL or an IP address.
  • And you can choose the types of protection that you wish to disable for the site(s). These types are Ads/Trackers, Malware, Scams, and PUPs.
  • Then click Done to confirm the exclusion.

Browser Guard blocks items on Malwarebytes’ own website. How come?

We do not discriminate between trackers and websites. Our own Malwarebytes website uses trackers to monitor how readers engage so that we can offer better content, design, and functionality. We do not gather any personal information. But they are trackers, nonetheless, and if you don’t want them, we feel you should have the power to disable them everywhere, even on our own website.

No discrimination also means we do not take money from advertisers to allow their advertisements, like some other ad-blockers have been known to do.

Permissions

Malwarebytes Browser Guard needs to be able to read and change data on the websites you visit so it can remove advertisements and other unwanted elements. It also needs to be able to manage your downloads to protect you from downloading dangerous files on your system.

The Chrome installer prompt also mentions that our extension can “Communicate with cooperating websites.” What does that mean?

Certain sites use ad-serving techniques that are intrusive in nature, so when we block ads on those sites, it breaks the user experience. The permission “Communicate with cooperating websites” allows Browser Guard to work with sites to interactively block ads without affecting any content. This provides a better user experience than could be achieved without communication.

Browser Guard use case

Magecart is a group that specializes in stealing credit card information using a technique that is called skimming. They basically intercept traffic from payment sites to exfiltrate credit card information. Below you can see how Browser Guard can protect your information on a site that has been infiltrated by Magecart.

Support

If you need help or guidance for the install or settings of Malwarebytes Browser Guard, we are happy to refer you to our online support guide.

Happy surfing, everyone!

The post Browser Guard combats privacy abuse, tracking, clickbait, and scammers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

CEOs offer their own view of a US data privacy law

Thu, 09/19/2019 - 15:54

Last week, the chief executives of more than 50 mid- and large-sized companies urged Congress to pass a national data privacy law to regulate how companies collect, use, and share Americans’ data.

Buried deep within the chief executives’ recommendations for such a law, presented as a policy framework for guidance, was a convenient proposal: Private individuals should not be allowed to sue companies if those companies violate the data privacy law itself.

That idea is just one of a few from the CEOs’ framework that, if included in a federal data privacy law in the United States, would disenfranchise members of the public from asserting their data privacy rights. Other ideas offered by the CEOs include potential pay-for-privacy schemes and overriding the large number of state data privacy protections already signed into law in states including Vermont, Nevada, Maine, and California.

A representative for the CEO group did not respond to questions sent by Malwarebytes Labs.

The involved CEOs are all members of the corporate public policy group “Business Roundtable.” They include Amazon’s Jeff Bezos, Comcast’s Brian Roberts, AT&T’s Randall Stephenson, IBM’s Ginni Rometty, Accenture’s Julie Sweet, and Qualcomm’s Steve Mollenkopf, along with the chief executives for Target, Visa, FedEx, Bank of America, and Dell.

In a letter addressed to the Majority and Minority Leaders of both the US Senate and the House of Representatives, the Business Roundtable CEOs urged Congress to pass, “as soon as possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.”

As the country continues to grapple with how to appropriately codify data privacy into the law, here’s a look at what the Business Roundtable’s framework would allow in terms of data collection, use, and sharing.

No “private right of action”

The last item on the Business Roundtable’s framework is potentially the most important. The Roundtable does not want any federal data privacy law to include a “private right of action.”

That means that, should this proposal get worked into a national data privacy law, if a company violates that law, you, your neighbor, and your family would not have the right to sue the company.

This proposal goes directly against what Todd Weaver, founder and CEO of the company Purism, told Malwarebytes earlier this summer, when he described what should be included in a federal data privacy law. Without a private right of action, Weaver said, members of the public have no meaningful tools to defend their rights.

“If you can’t sue or do anything to go after these companies that are committing these atrocities, where does that leave us?” Weaver said.

The digital rights organization Electronic Frontier Foundation also supports a private right of action for any national consumer privacy law, as such a right would further enable members of the public to fight back against companies that violate the law.

“It is not enough for government to pass laws that protect consumers from corporations that harvest and monetize their personal data. It is also necessary for these laws to have bite, to ensure companies do not ignore them,” wrote EFF Associate Director of Research Gennie Gebhart and Senior Staff Attorney Adam Schwartz. “The best way to do so is to empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights.”

In lieu of a private right of action, the Business Roundtable proposed that only state Attorneys General should be allowed to file lawsuits against companies on behalf of their state’s residents—a similar scheme visible in the lacking data privacy protections offered to consumers today.

The Business Roundtable also proposed that the US Federal Trade Commission serve as an enforcer, doling out fines to companies that violate the potential privacy law.

But, following the FTC’s recent slap-on-the-wrist fine issued against Facebook earlier this year—a fine that actually caused Facebook shares to increase in value—it is difficult to see how and why these enforcement measures would effectively curb would-be privacy violations. For instance, it didn’t stop YouTube from violating COPPA regulations.

Pre-emption of state laws

The Business Roundtable framework recommends that a national consumer privacy law “should pre-empt any provision of a statute, regulation, rule, agreement, or equivalent of a state or local government for organizations with respect to the collection, use, or sharing of personal data.”

Here, the Business Roundtable is asking that Congress pass a national consumer privacy law that tosses aside and in fact overrides the current data privacy laws cropping up across the nation.

That means recent state efforts to improve residents’ data privacy would be nullified, including California’s landmark privacy law—the California Consumer Privacy Act (CCPA)—Maine’s ISP privacy bill, Nevada’s new K-12 student data protection law, and Montana’s recent law to allow residents to opt-out of the sale of their data to third parties.

Further, legislative efforts in Hawaii, Massachusetts, New York, Pennsylvania, Rhode Island, and Texas, which have all introduced statewide data privacy bills modeled after the CCPA, and similar privacy efforts in Illinois, Minnesota, Connecticut, New Jersey, South Carolina, Louisiana, Oregon, and Washington, could likely be washed away.

Johnny Ryan, chief policy officer at the privacy-forward browser Brave, told Malwarebytes this summer that he did not support a weak federal data privacy bill that pre-empted state laws.

“The federal law should be of equal or higher standard to state laws, and should not undermine state laws,” Ryan said.

EFF also opposes any national data privacy law that would pre-empt state privacy laws.

“Avoiding such preemption of state laws is our top priority when reviewing federal privacy bills,” the organization said. It continued:

“State legislatures have long been known as ‘laboratories of democracy’ and they are serving that role now for data privacy protections. In addition to passing strong laws, state legislation also allows for a more dynamic dialogue as technology and social norms continue to change.”

Privacy opt-in consequences

The Business Roundtable’s national consumer privacy law framework includes recommendations for what rights should be afforded to the public. The individual rights include “transparency,” “consumer control,” “access and correction,” and “deletion.”

At first blush, these rights mirror many of the rights championed by some of the small, privacy-focused companies we interviewed in July. Upon closer inspection, though, the Business Roundtable’s proposed rights leave much to be desired.

Under the umbrella term of “consumer control,” the Business Roundtable framework explains that consumers “should have opportunities to exert reasonable control with regard to the collection, use, and sharing of personal data.”

That’s good!

The framework then goes on to say that “consumers should understand under what circumstances their decision to opt-out (or not opt-in) may result in the organization no longer providing them certain goods and services (for example, free content).”

That’s bad.

This individual consumer right focuses on the wrong issue. It recommends that consumers simply be made aware of unfair treatment and does nothing to address the actual unfair treatment.

Malwarebytes Labs previously reported on a similar issue in the federal data privacy law introduced by US Senator Ron Wyden of Oregon. The Senator’s proposal, for all its positive data protections, also includes a “pay-for-privacy” stipulation, in which companies could literally charge consumers a fee for opting out of data collection and sharing.

Though it does not include any mention of a fee, the Business Roundtable framework does present a hypothetical in which consumers can face “circumstances” for opting out of a company’s data collection, and those circumstances can include “no longer providing them certain goods and services.”

That’s not just bad. It’s wrong.

Malwarebytes pushed back against pay-for-privacy schemes earlier this year, and we continue our stance against any legislative scheme that would allow companies to punish consumers for choosing to protect their privacy.

Areas of agreement

Despite the few areas we covered above, the Business Roundtable framework includes several recommendations that echo others made by smaller companies we interviewed this year when asking them about what should be included in a federal data privacy law.

For one, the framework asks that any new national data privacy law achieve “global interoperability,” which the framework describes as “[supporting] consumer privacy while also respecting and bridging differences between US and foreign privacy regimes.”

When Malwarebytes spoke with Ryan from Brave, he emphasized the importance of the world’s most famous data privacy law today—the European Union’s General Data Protection Regulation (GDPR). A national US data privacy law, Ryan added, could benefit from being modeled after GDPR.

“The standard of protection in a federal privacy law, and the definition of key concepts and tools in it, should therefore be compatible and interoperable with the emerging GDPR de facto standard that is being adopted globally,” Ryan said.

The Business Roundtable framework also includes individual rights for consumers to access and correct data collected and stored on them, along with the right for consumers to require organizations to delete personal data collected on them.

Weaver, the CEO at Purism, spoke of similar concepts when describing a “digital bill of rights” that he would like to see codified into US law.

Purism’s implementation and interpretation of these concepts, however, goes much further, with recommendations that any federal data privacy law include a consumer right to change providers, a right to protect personal data—including the right to “own and control” the master keys to encrypt their data—and the right to not be tracked.

What’s next?

The Business Roundtable’s consumer privacy law framework is just the latest proposal for what data privacy should look like in the future US legal landscape. It is surrounded by other proposals, like the draft bill written by Center for Democracy and Technology, the current data privacy laws being considered in several states, and the no-less-than six data privacy bills introduced by US Senators this year.

Further, while the Business Roundtable may count some of the largest, most revenue-driving, marquee corporations in America as members, when it comes to data privacy legislation, big money does not always mean big success.

Earlier this year, the technology industry lobbying group TechNet, which includes some of the exact same companies as Business Roundtable members (Amazon, AT&T, Comcast, Dell, General Motors, Visa, and Accenture), failed to convince California lawmakers to pass two bills that would have weakened the CCPA before it goes into effect on January 1, 2020.

On September 13, TechNet released a statement by Executive Director Courtney Jensen about the fate of California’s data privacy law. In the statement, Jensen sounded like she was asking for pre-emption:

“While we hope the rulemaking process will allow for additional improvements [to CCPA], the importance of federal action to avoid a patchwork of privacy laws has never been clearer, and we urge Congress to act,” Jensen said.

A quick look at the US Senate’s upcoming calendar shows a different reality: No scheduled votes on data privacy. No scheduled hearings on any of the six current, submitted bills.

Instead, individual US states continue to press forward.

The post CEOs offer their own view of a US data privacy law appeared first on Malwarebytes Labs.

Categories: Techie Feeds

International students in UK targeted by visa scammers

Wed, 09/18/2019 - 16:49

A new visa scam has come to light targeting international students from China studying in the UK. At least, it’s being presented as new. In truth, it comes around every so often and has been on the radar for a few years.

The scam works by presenting a threat to students’ immigration status and uses various techniques to extract sizable payments from the victims. In the worst cases, it also embroils them in money mule scams and that’s a bad result for the students.

Many of these attacks target specific regions in the UK with a high density of overseas students, and because all manner of immigration-related statistics are published regularly in the UK, it’s an open-source goldmine for people wishing to create a list of targets.

A broad surface area of attack

The UK is hugely popular with international T4 visa students from China, with applications up some 30 percent since 2018. Data available from the Higher Education Statistics puts this trend into sharp perspective. As they mention:

Since 2012/13 the number of entrants from China each year has exceeded the number from all EU countries combined.

In the 2017/18 academic year alone, the biggest international cohort was from China, with 106,530 first year students. India was a distant second with just 19,750. What’s particularly interesting is you can break this data down further and see which universities have the most students from specific regions.

Some of those universities, as well as others with a strong Chinese student community, have had to give out repeated warnings to students about these attacks.

Why are scammers targeting Chinese students?

Being a student in the UK on a T4 student visa is expensive, so every penny counts. As one student notes in the article linked above regarding application increases, there is a persistent incorrect stereotype that Chinese students in the UK all come from wealthy families. As many of these attacks result in large payouts for scammers, they’ll simply keep doing what they see is working whether the target is actually wealthy or just surrounded by multiple student loans. After all, they only need to strike it lucky once.

So, now that we’ve looked at why these particular students are hot targets, let’s take a walk through a timeline of attacks stretching back to 2007.

Back in the day

In 2007, student Jaiyue Wang was tricked into handing over £6,000 to scammers based in Nigeria who’d convinced her of half a million pounds in lottery winnings. When the prize didn’t turn up, it hit her hard and she eventually committed suicide at her residence in Nottingham. An absolutely tragic end to a commonplace scam, and notable for potentially being one of the first well-known confirmed UK deaths off the back of one of these groups (here’s another awful one from 2004).

These two attacks probably weren’t targeting students specifically; they just landed in people’s mailboxes, like so many scams did way back when. However, targeting specific groups of people (students, workers, people from a certain region, and so on) would soon become commonplace.

Wind forward a decade, and students are treated as an amazing opportunity for bad people to exploit and ruin while making a tidy profit in the bargain.

2018–2019

2018 and 2019 have been fertile years for money mules. A typical scam usually plays out like this, with students caught passing stolen sums of cash between various bank accounts. Elsewhere, the scale of the crimes committed is quite significant. Criminal gangs don’t just exploit one or two students; they’ll make use of as many as they can, resulting in hundreds of bank accounts being frozen by the National Crime Agency and students galore brought in for questioning.

Because these scams often rely on unwitting students, many are found to have already returned to China long after the fraud is discovered, which makes investigating even more difficult. And US$4.6 million in money mule shenanigans is not pocket change. Here’s a similar scam from August of this year, which involved another Chinese student, a “business opportunity,” and a US$19 million money laundering operation targeting multiple students.

The visa scam makes its move

The earliest reference I found to this visa threat targeting Chinese students is from 2015, though there are quite likely others prior to that. The UK Council for International Student Affairs warns of the following:

  • Criminals pretending to be in education, UKCISA itself, or the Home Office
  • Fictitious claims of immigration problems related to their visa, resulting in a claim
  • Potential mention of some personal information to make the scam seem more genuine
  • Payment demanded via Western Union to avoid problems or deportation

The attack tactics may vary, but most of the common elements repeat themselves with minor variations.

By 2018, the scam has widened to target Indian students, too. The scammers switch things up a little and instead of vague claims of problems with immigration status, they now mention dubious packages addressed to the student. The only way out, of course, is to send a sizable chunk of money to fake police officers, who are cloning numbers to make it appear as though they’re really the Shanghai police department.

Renewing a visa scam

In 2019, the fake visa threat scam adds an unexpected development into the mix. A first year student had their laptop stolen at Heathrow Airport, and then shortly after the phone calls began.

The scammers claimed to be the Chinese embassy, insisting the student had been referred by Chinese police officials claiming they were involved in a money laundering scam. At that point, they were passed onto the “police” themselves. So far, so typical. The only real odd thing up to this point is the stolen laptop. If you’re wondering how it fits into things, wonder no more.

Bogus websites and data uploads

A website purporting to belong to the prosecutor general’s office contained uploads of the student’s personal details, including her national ID card and photograph. All this information plus banking details had been left unsecured on the stolen device, and now the criminals were determined to make full use of it.

By the time they’d forced the student to upload a recorded statement to the social media site QQ and threatened her with deportation and imprisonment via web streams of men dressed up as police, she was likely too panicked to realise where they’d obtained all this information from in the first place.

A dent in your personal finances

£30,000 was sent to the fake police/embassy officials, and the money was gone forever. Organisations have warned of similar attacks taking place on Chinese students, but the airport connection is particularly disturbing. It’s possible students are being targeted on arrival, with the stolen details sent to mainland China where the groups set up the fake websites then set about contacting potential victims.

It could, of course, be an entirely random theft, though it stretches probability somewhat to think the laptop stealer randomly decided to hand over personal information—quite randomly—to random scammers in China, who then very randomly indeed start dressing up as policemen.

In my humble opinion, this seems…unlikely.

Pressure points

This attack is particularly insidious, as there is a huge amount to take in for a new arrival to the UK, and new students would just put a laptop theft down to bad luck. They almost certainly wouldn’t know about the targeting taking place, or have had a chance to see one of the many warning pages on university websites.

They’ll just receive a strange, terrifying phone call one day and then see themselves plastered all over fake embassy websites. At that point, they’re almost certainly doomed to send fraudsters large sums of money. Even without the bogus threat of jail time on return to China, penalties for visa holders in the UK can severely impact future career prospects.

Portable device security tips

We’ve published a lot of advice on the Labs blog over the years regarding physical device security, and quite a bit of it is applicable here for students who are always out and about with devices galore. While none of these will neatly fit into your own personal threat model, you’ll hopefully be able to pick and choose the tips most relevant to your needs.

Do you have an iPhone you need to lock down? Passwords, screen notifications, and what to do in the event of loss are all covered here.

Do you want some methods for securing sensitive data? Look no further, especially if you need some advice for secure messaging apps, locking down data, and whether to store it in the cloud.

Would you like some general travel tips? We’ve got you covered.

If you really want to make sure nobody has tampered with your device while you were away from your dorm, there are an awful lot of options to choose from. Be warned: not all of these are likely to be warranty-friendly.

Finally, don’t forget the old classic of putting your leg through a laptop bag strap when sitting at a busy location to prevent chance snatch and grab attacks.

Keep visa scam thieves at bay

These are terrible attacks aimed at people who spend a small fortune to be able to go to the UK and study, often with significant student debt—even if some do come from rich families. Universities aren’t often best equipped to know about sophisticated scams, much less warn students about them. Indeed, it’s to their credit that so many do.

Even so, criminals don’t just target students in the UK. They also go after students from mainland China studying in Hong Kong, with one unfortunate victim handing over just shy of half a million dollars to scammers.

This is one attack where not only education but also a little preventive action is key. The Home Office, via UKVI, will never cold call you demanding money for vague-sounding immigration problems, nor will they tell you about suspicious packages addressed in your name. Neither will law enforcement agencies jump into a quick VoIP chat asking for cash. Should you run into anything like this, don’t send them a thing and report what happened to your university immediately.

Students have enough to worry about without this adding to their woes, so let’s see if we can help steer them safely in the direction of “not today, thanks” and keep their money exactly where it should be. 

The post International students in UK targeted by visa scammers appeared first on Malwarebytes Labs.


Emotet is back: botnet springs back to life with new spam campaign

Mon, 09/16/2019 - 17:04

After a fairly long hiatus that lasted nearly four months, Emotet is back with an active spam distribution campaign. For a few weeks, there were signs that the botnet was setting its gears in motion again, as we observed command and control (C2) server activity. But this morning, the Trojan started pumping out spam, a clear indication it’s ready to jump back into action.

The malicious emails started in the wee hours of Monday morning, with templates spotted in German, Polish, and Italian. Our Threat Intelligence team started seeing phishing emails sent in English as well with the subject line “Payment Remittance Advice.”

Figure 1: Our spam honeypot receiving Emotet emails

Note the personalization in the email subject lines. Borrowing a tactic from North Korean nation-state actors, Emotet’s creators are bringing back the highly sophisticated spear phishing functionality introduced in April 2019, which includes hijacking old email threads and referencing the user by name.

Figure 2: The phishing email masquerading as a statement

Victims are lured to open the attached document and enable the macro to kick-start the infection process.

Figure 3: Word document employs social engineering to convince users into running a macro.

Figure 4: Obfuscated macro code responsible for launching PowerShell

The PowerShell command triggered by the macro attempts to download Emotet from compromised sites, often running on the WordPress content management system (CMS).

There are alternate delivery techniques as well. For example, some instances of the malicious document rely on a downloader script instead.
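The macro-launched PowerShell download and the downloader-script variant described above share one observable: an Office process spawning a script host that reaches for a URL on a hacked WordPress site. The toy detector below is an added example (not Malwarebytes' code) that applies that logic to constructed process-creation events shaped loosely like Sysmon Event ID 1; the field names, host names and the base64 placeholder are assumptions.

```python
"""Toy detector for the delivery chain above: an Office process spawning a
script host that pulls a payload from a compromised WordPress site. Added
example, not Malwarebytes' code; the constructed events below are shaped
loosely like Sysmon Event ID 1 and the field names are assumptions."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Payload staged under a WordPress content path, as in the hacked sites in the
# IOC section; this matches the CMS path shape, not any specific host.
WP_PATH = re.compile(r"https?://[^\s'\"]+/wp-(?:content|includes)/", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)(?:\s|$)", re.I)

def exe_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Reasons this event resembles the macro-to-script-host chain ([] = clean)."""
    parent, child = exe_name(event["parent_image"]), exe_name(event["image"])
    cmd, reasons = event["command_line"], []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
        if ENCODED_FLAG.search(cmd):
            reasons.append("encoded PowerShell command line")
        if WP_PATH.search(cmd):
            reasons.append("download from a WordPress content path")
    return reasons

def triage(events):
    """Map process_id -> reasons for every event that tripped a rule."""
    return {e["process_id"]: r for e in events if (r := score_event(e))}

# Constructed events; host names and the base64 blob are placeholders, not IOCs.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"process_id": 4120, "parent_image": WORD, "image": PS,
     "command_line": "powershell -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"process_id": 4188, "parent_image": WORD, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript //B %TEMP%\statement.js http://hacked-site.invalid/wp-content/uploads/x1/"},
    {"process_id": 5200, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell -NoProfile -Command Get-Date"},
    {"process_id": 5344, "parent_image": WORD, "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only the two Word-spawned script hosts are flagged; the user-launched PowerShell and the print spooler helper that Word legitimately starts are left alone.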

Figure 5: Script blocked upon macro execution

Once the download is successful and Emotet is installed on the endpoint, it begins spreading laterally to other endpoints in the network and beyond. It also steals credentials from installed applications and spams the user’s contact list. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as TrickBot and various ransomware families.

Emotet is most notorious for collateral damage inflicted as part of a blended attack. Dubbed the “triple threat” by many in security, Emotet partners with TrickBot and Ryuk ransomware for a knockout combo that ensures maximum penetration through the network so that valuable data may be stolen and sold for profit, while the rest is encrypted in order to extort organizations into paying the ransom to retrieve their files and systems.

Alternatively, compromised machines can lie dormant until operators decide to hand off the job to other criminal groups that will demand large sums of money—up to US$5 million—from their victims. In the past, we’ve seen the infamous Ryuk ransomware deployed in this way.

While Emotet is typically focused on infecting organizations, individual consumers may also be at risk. Malwarebytes business customers and Malwarebytes for Windows Premium home users are already guarded against this campaign, thanks to our signature-less anti-exploit technology. As always, we recommend users be cautious when opening emails with attachments, even if they appear to come from acquaintances.

Figure 6: Malwarebytes Endpoint Protection blocking the attack

Protection and remediation

Users who are not Malwarebytes customers or who use the free scanner will want to take additional steps to protect against Emotet or to clean up the infection, if they’ve already been hit. Businesses and organizations that may currently be battling an Emotet infection can contact Malwarebytes for immediate help. Or, for more background information on how Emotet works and a list of remediation tips, download our Emotet emergency kit.

As this campaign is not even a day old, we don’t yet know the impact on organizations and other users. We will continue to update this post as we learn more throughout the day. In the meantime, warn your coworkers, friends, and family to be wary of emails disguised as invoices or any other “phishy” instances.

Indicators of Compromise (IOCs)

Email subject lines

Payment Remittance Advice
Numero Fattura 2019…

Malicious Word documents


Hacked websites hosting the Emotet binary


Emotet binaries


Post-infection traffic (C2s)



A week in security (September 9 – 15)

Mon, 09/16/2019 - 15:35

Last week on the Labs blog, we looked at free VPN offerings, how malware can hinder vital emergency services, and explored how the Heartbleed vulnerability is still causing problems. We also talked about a large FTC settlement involving Google, and how to keep an eye out for leaky AWS buckets.

Other cybersecurity news

Stay safe, everyone!
