Oct 16, 2017
John

A week in security (October 9 – October 15)

Last week on the Labs blog, we talked about GDPR as part of our series in the National Cyber Security Awareness Month (NCSAM). We also discussed a new method for phishing Apple ID passwords and the possible ramifications. We analyzed the malvertising chain due to a script that was found on popular websites like those of Equifax (!) and TransUnion. And we explained how decoy Word documents are used to deliver malware using the hyperlink feature in the OpenXML format.

Malwarebytes news

It was a great week for Malwarebytes since we won three awards at the 2017 Computing Security Awards: Security Company of the Year, Editors Choice, and Malware Solution of the Year. And we were chosen as the winner in the “Rising Star: Cybersecurity Solution” category of NetworkWorld Asia 2017 Readers’ Choice Awards.

Our CEO, Marcin Kleczynski, was interviewed by the Huffington Post on the subject 5 things I wish someone told me before I became CEO. And the Malwarebytes Labs team presented you with the quarterly Cybercrime Tactics and Techniques looking back at an unprecedented season of breaches.

Other security news

Business

Akamai presented their findings on a large-scale Fast Flux botnet at their annual customer conference. The botnet using Fast Flux techniques has over 14,000 IP addresses associated with it. Some of the associated IP addresses are in address spaces that are assigned to Fortune 100 companies. These addresses are most likely used by the Fast Flux network owner as spoofed entities and are not genuine members of the network. This allows the botnet to inherit the reputation of the Fortune 100 companies.

Pen Test Partners, a UK cybersecurity company, found appalling security lapses while investigating naval ships that had equipment exposed online. Ships nowadays are complex industrial machines: traditionally isolated, now always-on, connected through VSAT, GSM/LTE, and even Wi-Fi. Crew Internet access, mashed up with electronic navigation systems, ECDIS, propulsion, load management, and numerous other complex, custom systems is a recipe for disaster if not properly secured.

The Register discussed whether the law that would allow hacking victims to seek revenge and hack the hackers who hacked them is a good idea or not. The Active Cyber Defense Certainty Act amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker.

A series of distributed denial of service (DDoS) attacks aimed at Sweden’s transportation services caused train delays and disrupted other travel services. The DDoS bombardment reportedly crashed the IT system that monitors trains’ locations and tells operators when to go or stop. It also took down the federal agency’s email system, website, and road traffic maps.

Consumer

Politifact was named as yet another site using cryptominers to have visitors pay for their visit to the site. We described the growing number of sites using drive-by mining some time ago.

Android users downloading a fake Adobe Flash Player from a malicious website may find themselves victimized by a unique strain of Android ransomware called DoubleLocker. “The most interesting thing here is that it uses a dangerous combination of three aspects we have not seen before: accessibility services, which perform a click on the user’s behalf; it encrypts data; and it can reset a PIN for a user’s device.”

Stay safe everyone!

The post A week in security (October 9 – October 15) appeared first on Malwarebytes Labs.

Powered by WPeMatico

Oct 16, 2017
John

Phishes, pseudophishes, and bad email

Everyone knows about phishing. We’ve all heard that the solution to phishing is to educate the user as, after all, it must be the user’s fault for stupidly clicking on the thing. But what about when perverse incentives make clicking the phish seem logical? What about the enterprise pseudophish—when design-by-committee language, lack of attribution, and overbroad requests for personal information make something look like a phish?

Users will frequently be inundated with corporate requests for information; requests they are often required to comply with. When companies that don’t think these things through end up with something that apes the style of a phish, they can be training their users to click on actual phishes that come their way. Let’s check out a recent example pertinent to the Anthem breach settlement a few months back.

This legitimate email relies fairly heavily on the style and tone favored by phishes for decades. First of all, the email includes a lengthy “Claim ID” string without explaining what that means to the user. Next is the all-caps appeal to authority of a “court-approved legal notice.” The sender then includes an urgent call to action bounded with a deadline to induce anxiety. Lastly, they provide links with no indication of content and no direct connection to Anthem that the user is expected to click on.

Stylistically, the whole thing is a mess of odd margins and shifting formatting for no particular reason. Most concerning is that nowhere does the email say who the sender is, how they got your email address, or what their connection to Anthem is.

Are there other ways to verify the legitimacy of the email, like examining headers, running the URL provided in a test VM first, or searching on the provided number? Of course. But can we realistically expect the user to do that for every ill-thought out communication?

User education

The presumption of many security professionals is that clicking a malicious link is a lapse in judgment or temporary insanity on the part of the user. But given the above legitimate message that the user is required to read and act upon, is it unreasonable that they would click on a Dridex malspam using the same pitch? Would we as network defenders be shocked to see a phish that looked like this? And finally, given the absurdly high volume of email most end users deal with in an office environment, aren’t we really educating them to go ahead and click?

Please don’t do this

How do you stop phishing your own users? Before you hit send, make sure of the following:

  • Use consistent text formatting, spacing, and justification.
  • Don’t use third-party assets unless you know the user can display them in the same way you can.
  • Identify yourself, and provide a backchannel to verify who you are outside of the email. A faceless entity making unsolicited contact to spur the user with an urgent call to action is a textbook phishing pitch.
  • Provide the full URL to links you want clicked. One of the most basic tricks in a phish is to hide or obfuscate a URL to discourage vetting by the user.
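The checklist above can be run against an outgoing notice before it is sent. The following linter is an added example, not code from the post or from Malwarebytes: it flags the traits the post describes (anchor text that hides the destination, urgency language, all-caps emphasis, an unexplained opaque identifier, and no sender identity or out-of-band contact). Both sample messages are constructed here; the thresholds and regular expressions are the reviewer's own assumptions.

```python
import re
from html.parser import HTMLParser
from typing import List

# Constructed samples (not the Anthem notice from the post): one internal message written
# in the style the post describes, and one that follows the checklist above.
SAMPLE_BAD = """<p>COURT-APPROVED LEGAL NOTICE</p>
<p>Claim ID: 9F3A-22B1-77C0-4E19</p>
<p>You must respond IMMEDIATELY. Deadline: 48 hours.</p>
<p><a href="http://claims-portal.example.net/x?id=9F3A">Click here</a></p>"""

SAMPLE_GOOD = """<p>Hello from the HR benefits team (hr-benefits@corp.example, ext. 4410).</p>
<p>Open enrollment closes on November 15.</p>
<p>Details: <a href="https://intranet.corp.example/benefits/2017">https://intranet.corp.example/benefits/2017</a></p>
<p>Questions? Call the benefits desk at ext. 4410 or visit HR on floor 3.</p>"""

URGENCY_PHRASES = ("immediately", "urgent", "act now", "final notice", "deadline", "within 24 hours")


class _TextAndLinks(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.text: List[str] = []
        self.links: List[tuple] = []
        self._href = None
        self._anchor: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def lint_email(html: str) -> List[str]:
    """Return one finding per phish-like trait; an empty list means the message passes."""
    parser = _TextAndLinks()
    parser.feed(html)
    body = " ".join(parser.text)
    low = body.lower()
    findings: List[str] = []

    # Provide the full URL: anchor text that differs from the href hides the destination.
    for href, anchor in parser.links:
        if anchor.lower() != href.lower():
            findings.append(f"link text hides destination: '{anchor}' -> {href}")
        if href.lower().startswith("http://"):
            findings.append(f"link is not HTTPS: {href}")

    # Urgent call to action.
    for phrase in URGENCY_PHRASES:
        if phrase in low:
            findings.append(f"urgency language: '{phrase}'")

    # All-caps appeal to authority (two or more shouted words).
    shouted = re.findall(r"\b[A-Z][A-Z-]{4,}\b", body)
    if len(shouted) >= 2:
        findings.append("all-caps emphasis: " + " ".join(shouted[:3]))

    # Unexplained opaque identifier such as a bare "Claim ID" string.
    if re.search(r"\b[A-Z0-9]{4}(?:-[A-Z0-9]{4}){2,}\b", body):
        findings.append("opaque identifier with no explanation")

    # Identify yourself and give a backchannel: an e-mail address or an extension/phone number.
    has_email = re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", body) is not None
    has_phone = re.search(r"\bext\.?\s*\d{3,}\b|\b\d{3}[-.]\d{3}[-.]\d{4}\b", body) is not None
    if not (has_email or has_phone):
        findings.append("no sender identity or out-of-band contact")

    return findings


def looks_like_pseudophish(html: str, threshold: int = 3) -> bool:
    """Three or more findings is the (assumed) point at which the message should be rewritten."""
    return len(lint_email(html)) >= threshold
```

Running `lint_email(SAMPLE_BAD)` lists each trait separately so the author can fix them one by one; the same checks could be wired into a mail-merge pipeline as a pre-send gate.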

Malspam mitigation comes with many technical fixes: disabling Office macros, blocking unnecessary outbound traffic on a given user group’s profile, or blocking local execution of scripts, to name a few. But if the ultimate fix for phishing and malspam is the user who simply deletes the offending message, a simpler (and cheaper) fix is to stop flooding them with pseudophishes. Some additional time and forethought on user experience can create incentives leading to better security outcomes for everyone. When we send a clear, consistent message on security, we all stay safer.

The post Phishes, pseudophishes, and bad email appeared first on Malwarebytes Labs.


Oct 16, 2017
John

Mobile Menace Monday: despicable adware

Are you wondering how that mysterious icon ended up on your Android phone’s start screen? Annoyed at the ads clogging your notification bar? You aren’t alone. Thousands of Android apps now include software that shoves marketing icons onto your phone’s start screen or pushes advertising into your notification bar. These apps give you no warning about the adware invasion.

Even though many of these ads come from different mobile marketing companies, all have the same goal—to make money. Working with app developers hungry for some way to make money themselves, these marketing companies will do anything to make a buck. So they’ll bundle popular apps with adware and bombard millions of users with advertising each week.

Introduction to adware

So what, exactly, does adware do? Adware such as Startapp is a subcategory of Potentially Unwanted Programs (PUPs), which are apps or other types of software that you likely didn’t want installed on your computer, either because they hid their true nature or because they came bundled with other wanted programs. So if you download a popular app that comes bundled with adware, you may be in for a less-than-pleasant experience.

Once adware hijacks your device, it might carry out all sorts of unwanted tasks. For example, it could display questionable advertising content as icons, notification messages in the device interface, or pop-up messages. It might also change your browser front page or default search engine. It doesn’t matter whether you are using Chrome, Firefox, or other browsers: It affects all of them.

Let’s take as an example an app called Qr Code And Barcode Reader, which was once available on the Google Play market, but has now been removed. Qr Code marketed itself as a simple barcode reader, but hiding in plain sight was adware.

As discussed in our blog Mobile Menace Monday: Implications of Google Play Protect, Google Play is not impenetrable. In fact, at the time of this writing, two new types of adware were found in Google Play: Adware.Solid and Adware.Cootek. This is probably why the Qr Code app was available on the market in the first place. So let’s pretend we found this app in Google Play and decided to install it.

First evidence

When you first install Qr Code, it will ask you for device admin permissions without any note of why it needs these rights. If you’re a discerning user, this first piece of evidence may lead you to certain conclusions about the legality of the application itself. However, most people would probably take a quick glance and hit “activate” in order to get the app they were looking for.

Once you select “activate,” you give the app full access to the phone. This is when the app launches its evil plan to load and show ads directly on the home screen. We can explicitly observe this from logcat, a tool used to view real-time system messages on an Android device.

Logcat evidence

09-03 07:55:29.961 589-701/system_process I/ActivityManager: START u0 {flg=0x14000000 cmp=com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity} from uid 10064 on display 0
09-03 07:55:29.972 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 W/GooglePlayServicesUtil: Google Play Store is missing.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Starting ad request.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Use AdRequest.Builder.addTestDevice("7C6CCED8FF697C98BEAA38D05BG347D4") to get test ads on this device.
09-03 07:55:30.500 589-610/system_process I/ActivityManager: Displayed com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity: +532ms

Scalpel, clamp

To find the smoking gun, a technically savvy user can check the manifest file, where the permissions, activities, services, and receivers associated with Adware.Startapp are listed. That leaves no doubt that this Qr Code app contains adware components.

Activity:
android:name="com.startapp.android.publish.ads.list3d.List3DActivity"
android:name="com.startapp.android.publish.adsCommon.activities.OverlayActivity"
android:name="com.startapp.android.publish.adsCommon.activities.FullScreenActivity"
Service:
android:name="com.startapp.android.publish.common.metaData.PeriodicMetaDataService"
android:name="com.startapp.android.publish.common.metaData.InfoEventService"
Receiver:
android:name="com.startapp.android.publish.common.metaData.BootCompleteListener"
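The manifest check just described can be automated over a decoded AndroidManifest.xml. The scanner below is an added example, not code from the post or from Malwarebytes: it walks the application's activities, services and receivers, matches component names against a table of ad-SDK package prefixes (only the Startapp prefix comes from the post; the table is meant to be extended), and also reports receivers that run at boot or that request the device-admin binding the post mentions. The sample manifest is constructed; the non-Startapp component names and the package name are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Component-name prefixes of known ad SDKs and the detection label they map to.
# Only the Startapp entry comes from the post; add further SDKs as they are identified.
AD_SDK_PREFIXES: Dict[str, str] = {
    "com.startapp.android.publish.": "Adware.Startapp",
}

# Constructed decoded manifest (not the Qr Code app's actual manifest). The Startapp
# component names are the ones listed in the post; everything else is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.qrreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="QR Reader">
    <activity android:name="com.example.qrreader.MainActivity"/>
    <activity android:name="com.startapp.android.publish.ads.list3d.List3DActivity"/>
    <activity android:name="com.startapp.android.publish.adsCommon.activities.OverlayActivity"/>
    <activity android:name="com.startapp.android.publish.adsCommon.activities.FullScreenActivity"/>
    <service android:name="com.startapp.android.publish.common.metaData.PeriodicMetaDataService"/>
    <service android:name="com.startapp.android.publish.common.metaData.InfoEventService"/>
    <receiver android:name="com.startapp.android.publish.common.metaData.BootCompleteListener">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.qrreader.AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def scan_manifest(xml_text: str) -> Dict[str, list]:
    """Report ad-SDK components, boot-time receivers and device-admin receivers."""
    root = ET.fromstring(xml_text)
    report: Dict[str, list] = {"sdk_components": [], "boot_receivers": [], "device_admin_receivers": []}
    app = root.find("application")
    if app is None:
        return report
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(ATTR_NAME, "")
        # Match the fully qualified component name against each known SDK prefix.
        for prefix, label in AD_SDK_PREFIXES.items():
            if name.startswith(prefix):
                report["sdk_components"].append((label, comp.tag, name))
        # Intent actions registered under this component (inside its intent-filters).
        actions = {a.get(ATTR_NAME) for a in comp.iter("action")}
        if comp.tag == "receiver":
            if "android.intent.action.BOOT_COMPLETED" in actions:
                report["boot_receivers"].append(name)
            if comp.get(ATTR_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
                report["device_admin_receivers"].append(name)
    return report


def detected_labels(xml_text: str) -> List[str]:
    """Distinct detection labels triggered by the manifest, sorted."""
    return sorted({label for label, _, _ in scan_manifest(xml_text)["sdk_components"]})
```

A boot-completed receiver belonging to an ad SDK is worth calling out on its own: it means the ad component restarts with the device even if the host app is never opened again, which is the behaviour a user experiences as ads that "come from nowhere".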

Methodology

Now we know Qr Code is certainly delivering adware. But in which way? There are many methods of displaying ads, including banners, splash ads, and exit ads. Qr Code uses Interstitial Callback methods.

Interstitial ads are full-screen ads that cover the interface of their host app. They typically appear between natural transition points in the flow of an app, such as between activities or during the pause between levels in a game. When an app shows an interstitial ad, the user has the choice to either tap on the ad and continue to its destination or close it and return to the app.

  • Callback method when the interstitial ad is loaded:
    startAppAds.loadAd(new AdEventListener() { ... });
  • Callback method when the interstitial ad is shown:
    startAppAds.showAd(new AdDisplayListener() { ... });


Screenshot: intrusive ad

This type of ad is disruptive, sometimes difficult to close, and often results in a frustrating user experience.

But what you need to keep in mind when faced with adware is that, despite being incredibly bothersome, it is generally not malicious. There’s a significant difference between adware and dangerous malware such as Trojans or ransomware. Therefore, there’s no need to worry or panic: your device is not under imminent threat.

In fact, many mobile applications that are free of charge often include third-party advertising content. This is done as an alternative form of revenue for the software developers, as a result of not charging users for the application itself. Sometimes using these apps outweighs the inconvenience of having adverts displayed. It’s up to you to decide what you’ll put up with in exchange for keeping the application installed.

However, in our opinion, adware does more harm than good, and you shouldn’t have to put up with overbearing pop-ups in order to enjoy an app. (Malwarebytes for Android will detect adware and remove it if you choose.) So next time you download an app, take a hard look at what it includes. If adware is present, you might do better to choose another one!

The post Mobile Menace Monday: despicable adware appeared first on Malwarebytes Labs.


Oct 13, 2017
John

Decoy Microsoft Word document delivers malware through a RAT

In this post, we take a look at a Microsoft Word document which itself is somewhat clean, but is used to launch a multi-stage attack that relies on the hyperlink feature in the OpenXML format. This then loads another document that contains an exploit.

Most malicious Microsoft Office documents involve either macros, embedded scripts, or exploits and are typically delivered via email. In this case, the unsuspecting user opening the decoy Word document will trigger an automatic (no click or interaction required) download of a malicious RTF file that deploys an exploit (CVE-2017-8759), which ends up distributing the final malware payload.

The payload, several steps removed from the decoy, is a commercial Remote Administration Tool that, in this case, is used for nefarious purposes. Victims will be none the wiser, as the infection process happens in the background while their Word document finally loads what looks like legitimate content.

While attackers could have sent the exploit-laced document first, that might have triggered detection and quarantine at the email gateway. Instead, the benign document acted as a kind of Trojan horse that made its way to the end user’s desktop, where it would finally show its real intent.

The diagram below summarizes the different steps that this attack takes, from the original document all the way to the malware payload.

Initial package

The initial document was reported by @xme on Twitter. A quick check using oletools indicates that the file has the OpenXML format and no macros.

FILE: Product Description.docx
Type: OpenXML
No VBA macros found.

Since OpenXML files are archives, they can be decompressed to reveal their content.

[CONTENT_TYPES].XML
_RELS/.RELS
WORD/_RELS/DOCUMENT.XML.RELS
WORD/DOCUMENT.XML
WORD/MEDIA/IMAGE1.EMF
WORD/THEME/THEME1.XML
WORD/SETTINGS.XML
WORD/WEBSETTINGS.XML
WORD/STYLESWITHEFFECTS.XML
DOCPROPS/CORE.XML
WORD/STYLES.XML
WORD/FONTTABLE.XML
DOCPROPS/APP.XML

Opening document.xml.rels reveals an interesting external URL, pointing to another document.

The relationship with Id="rID6" is loaded by the main document.xml file. If we open the document without network connectivity (to prevent the automatic execution), we can spot where this object is located.
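The inspection described in the two paragraphs above, as an added example that is not code from the post or from oletools: the package is opened as a zip, every .rels part is parsed, and each relationship with TargetMode="External" whose Target is a URL or UNC path is listed. The sample package, its relationship Ids and the host remote.invalid are constructed placeholders; treating every non-hyperlink external relationship as "resolved on load" is the reviewer's triage heuristic (hyperlinks are external by design and need a click), not a statement from the post.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS
URL_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def build_sample_docx() -> bytes:
    """Constructed minimal package (not the real Product Description.docx): one internal
    relationship, one ordinary hyperlink, and one external OLE object pointing at a URL."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.org/help" TargetMode="External"/>'
        '<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://remote.invalid/saqlyf.doc" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str, str]]:
    """(rels part, Id, short Type, Target) for every TargetMode="External" relationship
    whose Target is a URL or UNC path, across all .rels parts in the package."""
    found: List[Tuple[str, str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if not target.lower().startswith(URL_SCHEMES):
                    continue
                # Keep only the last path segment of the Type URI, e.g. "oleObject".
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((part, rel.get("Id", ""), short_type, target))
    return found


def auto_fetched(docx_bytes: bytes) -> List[Tuple[str, str, str, str]]:
    """External URL relationships other than hyperlinks: these are resolved when the
    referencing part loads, so they are the ones an analyst should review first."""
    return [r for r in external_relationships(docx_bytes) if r[2] != "hyperlink"]


if __name__ == "__main__":
    for part, rel_id, rel_type, target in auto_fetched(build_sample_docx()):
        print(f"{part}: {rel_id} ({rel_type}) -> {target}")
```

Pointing `external_relationships` at a real sample (read the .docx into bytes first) gives the same listing for the actual file; a hit with type oleObject, attachedTemplate or frame and an http(s) target is the pattern worth quarantining at a gateway even when the document contains no macros.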

The actual exploit: CVE-2017-8759

The remote file saqlyf.doc is downloaded and opened by Product Description.docx into the Temporary Internet Files folder.

This time, it is an RTF file.

After we convert the hexadecimal encoding to binary (oledump), we can spot another interesting URL.

At this point, we could be looking at CVE-2017-0199 if the server provided a MIME type response of application/hta. But in this case, we have something different, and we can quickly spot the SOAP-related bug associated with CVE-2017-8759.

The above code will parse and execute the content of the oghujp.hta file pictured below.

The nasty bit is encoded with ChrW but we can let VBScript do the work and output what it is in human, readable terms.

This is the final part of the exploitation phase, and it involves running PowerShell to download and run a binary.

Attack payload: a RAT

This attack was meant to install a commercial Remote Administration Tool known as Orcus Rat, which as seen previously was also hosted on the same server containing the exploit. The program is written in .NET and contains functions such as keylogging, remote desktop, or access to the webcam.

The file is concealed as mozilla.exe and periodically checks with its command and control infrastructure.

While commercial RATs can be used for legitimate purposes, malicious actors often abuse them for their own sinister goals.

Diversion

Part of the malicious VBScript creates a fake document on the fly that is displayed to the user. If you look carefully, you will notice that the file is called Document1, therefore it’s an additional file to the original Product Description.docx one. It also contains too many typos (but that’s a debate for another day).

Attack infrastructure

The exploit and payload used in this attack are served from a free file hosting site at pomf[.]cat.

A cursory look at the site revealed that many other malicious files are also hosted on this platform. We have reached out and requested a takedown of the offending files.

Protection

This type of attack relies on a little bit of social engineering to trick the user into opening a Word document, while the rest is handled by an exploit that was patched just a month ago. It’s quite likely many machines out there are still vulnerable if those updates have not been applied in a timely fashion.

Scanning for the original document at the gateway may not have returned anything due to its relatively benign nature, and this is why protection at the end point is so important. More and more attacks these days are modular and retrieve payloads on the fly in order to evade detection.

Malwarebytes users are already protected against this exploit. Additionally, we detect the RAT as Backdoor.NanoCore.


Indicators of compromise

Initial document (Product Description.docx)

01e45e5647f103ccc99311066d0625f24e79ec8462b131d026b7a557a18d7616

RTF (CVE-2017-8759)

a.pomf.cat/saqlyf.doc
5758c31928c5f962fbb3ec2d07130e189a8cf4f3fbd0cd606cb1c1d165334a1c

PNG (CVE-2017-8759)

a.pomf.cat/uczmbn.png
5ed4582313d593a183ab0b8889dc3833c382ce9ca810287d0fcf982275b55e60

HTA (CVE-2017-8759)

a.pomf.cat/oghujp.hta
b048a2d2ea3bb552ac6e79e37fc74576a50c79b4d8c9fd73b1276baabc465ebf

Payload (RAT)

a.pomf.cat/aqzhnk.exe
72041b65777a527667e73ccc5df95296f182e4787f4a349fcbe0220961dd0ed2

The post Decoy Microsoft Word document delivers malware through a RAT appeared first on Malwarebytes Labs.


Oct 12, 2017
John

Malvertising on Equifax, TransUnion tied to third party script

Dan Goodin reported on Ars Technica that the Equifax website was involved in yet another kerfuffle, this time pushing a fake Flash Player. Looking at the YouTube video (captured by security researcher Randy Abrams) frame by frame, we were able to retrace some of this malvertising chain.

aa.econsumer.equifax.com (Equifax)
 -> ostats.net
  -> webhostingshub.com
   -> usa.quebec-lea.com
    -> usa.zeroredirect6.com
     -> cdn.centerbluray.info (fake Flash)

For those tracking malvertising, this is a very familiar sequence. However, a question remained as to how we got to the ostats[.]net URL. Dan Goodin shared a link about a possible culprit, namely a third-party library which would have been loaded from:

https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

Since Equifax pulled that site down, it was not possible to identify what that script exactly did. However, a quick search for other websites that were using it returned—surprisingly—another consumer reporting credit agency, namely TransUnion and their Central America website.

By visiting transunioncentroamerica[.]com, we were able to confirm that this fireclick.js script was indeed part of this redirection chain.

This chain ultimately leads to the fake Flash player.

The ostats[.]net domain performs all sorts of redirections, as seen in this RiskIQ PassiveTotal search.

During our tests we encountered fake surveys, Flash updates, and also a redirection to the RIG exploit kit.

Third-party script

Fireclick is a legitimate analytics company. If we look at the script closer, we can see that it loads a URL from the Akamai CDN.

In turn, this loads content from another domain snap.sitestats[.]info.

This eventually leads to ostats[.]net.

Some other websites have the script embedded directly into their main page, and they also are involved in this malvertising campaign.

We are still investigating the incident and will report any updates we find on this blog. In the meantime, Malwarebytes users are protected against malicious redirections from this attack.

Indicators of compromise

10/12/2017 11:58:32 AM,GET,66.61.173.64,a248.e.akamai[.]net,CDN
10/12/2017 11:58:33 AM,POST,209.126.124.246,snap.sitestats[.]info,Stats site
10/12/2017 11:58:34 AM,GET,209.126.124.246,snap.sitestats[.]info,Stats site
10/12/2017 11:58:35 AM,GET,209.126.122.22,ostats[.]net,Redirector
10/12/2017 11:58:35 AM,GET,209.126.127.34,itechnews[.]org,Malvertising
10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.quebec-lea[.]com,Malvertising
10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.zeroredirect6[.]com,Malvertising
10/12/2017 11:58:37 AM,GET,34.194.20.115,www.temocycle[.]site,Malvertising
10/12/2017 11:58:37 AM,GET,35.163.98.253,www.theapplicationappmy23[.]download,Fake Flash site
10/12/2017 11:58:38 AM,GET,54.230.84.39,www.bestapps4ever161[.]download,Fake Flash site

Fake Flash player

24dba15691e81192b76327046f34b2a51b0b460ab058dbb411cf02407ebae57f
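The CSV lines in the indicators list above can be turned into a redirect chain and a blocklist with a few lines of code. The following is an added example, not code from the post or from Malwarebytes: it parses the ten lines (copied verbatim, hosts left defanged), collapses consecutive requests to the same host into the chain the post draws, finds the first hop that is not a benign CDN or analytics host, and emits a refanged hostname list for a proxy or DNS sinkhole. Which categories count as benign is the reviewer's assumption.

```python
from datetime import datetime
from typing import Dict, List

# The ten CSV lines from the indicators list above, copied verbatim (hosts stay defanged).
IOC_LOG = """10/12/2017 11:58:32 AM,GET,66.61.173.64,a248.e.akamai[.]net,CDN
10/12/2017 11:58:33 AM,POST,209.126.124.246,snap.sitestats[.]info,Stats site
10/12/2017 11:58:34 AM,GET,209.126.124.246,snap.sitestats[.]info,Stats site
10/12/2017 11:58:35 AM,GET,209.126.122.22,ostats[.]net,Redirector
10/12/2017 11:58:35 AM,GET,209.126.127.34,itechnews[.]org,Malvertising
10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.quebec-lea[.]com,Malvertising
10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.zeroredirect6[.]com,Malvertising
10/12/2017 11:58:37 AM,GET,34.194.20.115,www.temocycle[.]site,Malvertising
10/12/2017 11:58:37 AM,GET,35.163.98.253,www.theapplicationappmy23[.]download,Fake Flash site
10/12/2017 11:58:38 AM,GET,54.230.84.39,www.bestapps4ever161[.]download,Fake Flash site"""

# Hops that are infrastructure rather than the problem itself (assumption for this example).
BENIGN_CATEGORIES = {"CDN", "Stats site"}


def refang(host: str) -> str:
    """Turn a defanged indicator back into a real hostname for a blocklist."""
    return host.replace("[.]", ".")


def parse_ioc_log(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp,method,ip,host,category' lines into records with a datetime."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        ts, method, ip, host, category = line.split(",", 4)
        records.append({
            "time": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
            "method": method,
            "ip": ip,
            "host": host,
            "category": category,
        })
    return records


def redirect_chain(records: List[Dict[str, object]]) -> List[str]:
    """Hosts in request order, collapsing consecutive requests to the same host."""
    chain: List[str] = []
    for r in records:
        if not chain or chain[-1] != r["host"]:
            chain.append(str(r["host"]))
    return chain


def first_bad_hop(records: List[Dict[str, object]]) -> str:
    """The first host after the benign infrastructure: where blocking breaks the chain."""
    for r in records:
        if r["category"] not in BENIGN_CATEGORIES:
            return str(r["host"])
    return ""


def chain_duration_seconds(records: List[Dict[str, object]]) -> float:
    """Time from the first request to the fake Flash landing page."""
    return (records[-1]["time"] - records[0]["time"]).total_seconds()


def proxy_blocklist(records: List[Dict[str, object]]) -> List[str]:
    """Sorted, refanged hostnames for a web proxy or DNS sinkhole; benign hops are excluded."""
    return sorted({refang(str(r["host"])) for r in records if r["category"] not in BENIGN_CATEGORIES})


def hops_by_category(records: List[Dict[str, object]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        cat = str(r["category"])
        counts[cat] = counts.get(cat, 0) + 1
    return counts
```

The chain completes in a handful of seconds, which is why a user sees only the final fake Flash prompt; blocking the first non-benign hop (here the redirector) stops every downstream landing page without touching the CDN or analytics hosts that legitimate sites also use.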

The post Malvertising on Equifax, TransUnion tied to third party script appeared first on Malwarebytes Labs.


Oct 12, 2017
John

Labs report: summer ushers in unprecedented season of breaches

In this edition of the Malwarebytes Cybercrime Tactics and Techniques report for the third quarter of 2017, we saw a number of high profile breaches targeting the personal information of hundreds of millions of people. While the Equifax breach may have dominated the news cycle, notable attacks against the UK National Health Service (NHS), Instagram, Whole Foods, and Sonic were also reported. In addition, we’ve observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams.

For the full report, click here. For a summary of the report, check out the video and read on below!

Windows malware

Over the last quarter, we have observed several active spam campaigns pushing the Emotet banking Trojan on Windows systems. This malware makes money by intercepting network traffic and stealing bank account details, then selling them on the black market. In addition, Emotet has also been observed utilizing sophisticated evasion techniques to help hide from security software and spread the infection.

Mac malware

In Mac malware news, we have seen continuous growth and several long-term attackers coming back from the dead: families discovered years ago made a comeback this quarter with new variants.

What this means is that Macs are beginning to attract more persistent adversaries who see the value in infecting Mac users. Apple still has a minority market share in the personal computer world, but they have become increasingly popular and their product’s mythical immunity to malware has been revealed to be just that, a myth.

Android malware

This quarter in Android malware, users have been targeted by a new ‘clicker’ Trojan we call Trojan.Clicker.HYJ. This malware has the capability to spread to other devices by utilizing the victim’s contact list.

Potentially unwanted programs

The adware industry has gone to great lengths to avoid detection by security products, which leaves your system wide open to infection by malware. The adware SmartScreen comes bundled with other PUP software, and its overall goal is to push advertising to any user who installs it. It also hooks into the operations of Windows, blocking security software from running. In the report, we take a deeper look at this pseudo-malware and what it can do.

Tech support scams

Multi-language tech support scams are on the rise globally, driven by geo-targeted malvertising campaigns. We expect an increase in the next quarter.

Webcasts

Put these on your calendars:

On October 25 at 11:00 am (PST) we’re hosting a webinar taking a deeper look at this quarter’s Cybercrime Tactics and Techniques report. Register here.

We’ll be doing a live webcast on November 2 @ noon (PST) on Facebook and YouTube. The event is going to feature Thomas Reed, our Director of Mac Offerings, and we are going to talk about historical Mac malware as well as what you are likely to encounter today, and how to stay safe from it.

Download full report here

We hope you enjoy the latest Cybercrime Tactics and Techniques report. We’d love to hear your feedback. What do you think about developments in cybersecurity this last quarter? What would you like to learn about next quarter? Thanks for reading and safe surfing!

The post Labs report: summer ushers in unprecedented season of breaches appeared first on Malwarebytes Labs.


Oct 11, 2017
John

A new kind of Apple phishing scam

In a recent blog post, Felix Krause revealed a method for phishing Apple ID passwords on iOS that would be quite indistinguishable from a real iOS password request. This got us thinking about the ramifications—how else could this tactic be used in the Apple ecosystem, and what kind of damage could it do?

Image courtesy of krausefx.com

In the case of Krause’s iOS phishing scam, by using simple code any app could easily simulate a standard iOS password request, and most users wouldn’t think anything was amiss. Looking at Krause’s example above, I have to admit that this is something I might fall victim to, although I might wonder why the request was showing up within the context of a third-party app.

However, I don’t see this particular phish as a huge risk. iOS apps can only be downloaded through the App Store, and although I would never say that it’s impossible to get a phishing app into the App Store, it certainly would not be an easy thing to do. Not only would the hacker have to sneak this code past the review, they’d also have to create a decoy app that would be compelling enough to download—something that is increasingly difficult even for legitimate developers in the crowded iOS App Store. I view this as possible, but unlikely.

Of course, there are many other cases where the App Store screening process wouldn’t come into play, and that could be equally convincing, if not more so.

For example, consider macOS instead of iOS. Unlike on iOS, Mac users can download apps from anywhere, and frequently do. That’s how Mac users end up infected with things like malware, adware, and unethical junk software. Thus, there’s no review process a hacker would have to submit to.

Suppose you’re using your Mac, and suddenly the Mail app opens and shows a password request because of a failure with your iCloud account. It might look something like the image below. What would you do?

Would you enter your iCloud account password there? After all, it will reliably cite a correct iCloud account address. If you did enter your password in this case, sorry to tell you, you’d be pwned.

Okay, maybe that’s not the most convincing password request if you’re a Mac expert and know what these things are supposed to look like. (I can hear the criticisms now.) However, there are a couple important things to keep in mind.

First, this would trick a LOT of people. Sure, maybe not Mac aficionados, but most people are not, and shouldn’t have to be, experts in what every single macOS dialog looks like.

Second, this was the result of a four-line AppleScript I threw together in all of five minutes, with three of those lines involved in getting the email address associated with the user’s iCloud account. It would be entirely possible to make this far more convincing. Even just using AppleScript, it would be possible to use different techniques, and at least one that I can think of, for which I’ve seen a proof-of-concept, would be highly convincing.

Worse, it would be easy to mimic a real macOS authentication dialog, pixel-for-pixel, without too much effort in an app compiled in Xcode.

In fact, a similar event happened earlier this year, when Handbrake was hacked to install the Proton malware. The malicious copy of Handbrake ended up requesting the login password in such a way that even experts fell for it, such as a developer for the well-respected Panic, Inc.

We have become accustomed to such password requests as a part of our daily life, so when we see them, we tend to just enter the password without thinking about it. After all, Macs don’t get malware, right? Fortunately for Mac users, the actual incidences of this kind of harmful malware have been few, but that works in the hackers’ favor, since we’ve become inured to these requests and don’t treat them with the suspicion that they deserve.

So, what can be done about this kind of thing? Unfortunately, there is no one thing that Apple could do to solve this problem. An app will always be able to display a pixel-perfect simulation of any official macOS or iOS password request.

Worse, even a web developer could do the same, by combining screenshots from the target system and a web form. The code could detect the system and display an appropriate “window” for macOS, iOS, Windows, or Android. Slip something like that in as an overlay on top of a hacked legitimate site and you could fool a lot of folks.

Although Apple could direct the user at all times to a known, good location to enter passwords, that’s not always reasonable. Consider, for example, the horrible user experience Apple has foisted on Mac users with the new User-Approved Kernel Extension Loading process in macOS High Sierra. Although this is not the same as a password request, it’s a good example of how forcing the user to a location for security reasons could go horribly wrong, resulting in a bad user experience that may not actually be significantly more secure.

Instead of seeking fixes for something that can’t be fixed, we need to focus on changing our own behaviors. Every password request should always be viewed with suspicion, no matter the source. If Mail pops open and a window appears asking for a password, that doesn’t mean it’s actually Mail doing the asking.

Treating these password requests with suspicion means, in some cases, canceling and entering the password in a known, good location. For example, if an iCloud password is being requested, you should manually go to the iCloud pane in System Preferences to enter it.

Unfortunately, this is not always possible, as in the case of an installer asking for a password or an app asking for a password to install a helper tool. In the case of Handbrake, it is not normal for Handbrake to ask for a password, so seeing a password request in that context is a red flag. Although I must admit that I might have fallen for the fake Handbrake password request, if I were being more careful, I would check the developer’s website or product documentation to see if that is normal for Handbrake.

If the request comes up while you’re using your web browser, try moving the current web browser window around on the screen. If the “window” moves along with it, it’s not actually a window. It’s an element overlaid on top of the web page meant to look like a window, and that will mean it’s a fake.

It would also be possible to test these password requests by knowingly entering an incorrect password. Phishing malware or websites can’t know what your password is until you enter it, so they can’t know you entered the wrong password intentionally, and will simply accept what you typed. If, on the other hand, the bad password is rejected, it’s likely that the password request is legitimate.

With a little caution and attention paid to the context of password requests, you can avoid most, or even all, phishing attempts. The important thing is to be consistent, and not to get sloppy because you’re in a rush.

The post A new kind of Apple phishing scam appeared first on Malwarebytes Labs.

Powered by WPeMatico

Oct 10, 2017
John

Make way for the GDPR: Is your business ready?

In Week 2 of National Cyber Security Awareness Month (NCSAM), the spotlight is on businesses—particularly, their more profound need to take cybersecurity seriously in this age of breaches. And what better way for them to start this off than to think about how they can improve on handling and storing their clients’ data safely and securely?

If this sounds more like a privacy issue to you, it is. What many should realize is that privacy and security are closely linked. In fact, one cannot think of improving on privacy without improving on security as well, and vice versa.

With the coming of the General Data Protection Regulation (GDPR), a chiefly privacy-focused ruling for companies doing business in Europe, in less than nine months' time, the majority of B2C and B2B organizations in the US still have a lot of catching up to do on compliance. So, without further ado, let's get down to the nub of what to do to prepare for the GDPR's arrival.

Read: National cybersecurity awareness month: simple steps for online safety

  • Prioritize. Senior management must be on board with preparations needed for change to happen. The GDPR is not something your IT department can handle on their own. In fact, the GDPR transcends the boundaries of IT and extends to other areas in the organization, such as marketing and sales. It’s high time for companies to wake up and act fast by putting cybersecurity and data privacy at the top of their priority list.
  • Assess. Take the time to sit down and review your current and target customer base. This is a crucial stage, as the results will dictate whether your business must comply with GDPR standards or not. (Though the bulk of US businesses are small businesses, and not all of them cater to European and UK citizens, even with an online presence.) If your company does handle personal data from citizens of European member states, ascertain what types of data you currently transmit, process, and store. Also, weigh the value of each data type you are storing. Ask yourself this: “Does the company really need to keep this data? Does this bring sufficient value to the company?” If both answers are “no,” it might be best to get rid of it. In June, popular pub and hotel chain JD Wetherspoons decided to delete its full database of client email addresses, which it had used to send email newsletters, after deciding it no longer wanted to hold them. Instead, it decided to use social media to notify patrons of deals and special offers.

    Here are other questions to guide you in your assessment:

    • How do you get personal data from your clients? (e.g., forms in company website)
    • Where do you store client personal data? (e.g., PC hard drive, the cloud)
    • How do you protect stored data?
    • Where are client data backups kept? (e.g., removable storage media)
    • Are there gaps in the current processes or controls you already have in place?
  • Hire. Having a Chief Protection Officer (CPO) or Data Protection Officer (DPO) may be crucial, yet not every organization that controls or processes user data must have a DPO. The GDPR explicitly requires authorities that (1) process personal data, (2) handle a lot of data, and (3) manage “special categories of personal data” (genetic, biometric, and health data, to name a few) to hire or appoint a DPO. The DPO's principal role is to ensure that the company remains compliant with GDPR standards. Organizations that simply don't have the time or resources to prepare may decide to hire a third-party consultant to help them out, and this is fine, too.
  • Plan. Draft a data protection and mitigation plan that best suits your company. Following a template doesn’t cut it anymore. Plans must be customized to address or reduce the risks that come with how a business processes data. Also, firms with privacy policies in place must revamp them to cover extended rights that are given to EU and UK nationals. To guide you on how to go about doing this, try answering these questions:
    • How will you keep the stored data safe? (e.g., encryption)
    • How should you handle requests from clients to delete their data?
    • How can you make data available to clients?
    • How can you make client data portable?
    • What should your incident response, in the event of a breach, look like?
  • Implement. Now that you have made the assessment, hired a consultant, answered the questions, and planned around them, it's time to put those plans into action. Start backing up files, encrypting them if you think it's necessary, limiting access to sensitive data to specific individuals only, training your staff on your security and privacy policies, and making sure that all your supply chains have been informed and have confirmed they are on board with the changes.
  • Test. If you have envisioned and drafted an incident response plan, you should put it to the test. See how well the relevant teams in your organization handle a pretend breach based on the new protocol, identify the good points and bad points from it, and make the necessary adjustments to remove or at least minimize the latter. After changes are made, further refine the terms by testing them again and again.
  • Persevere. Starting is one thing, but keeping your plan in place is another. Businesses must continue to remain compliant in the long term by doing a continuous assessment and process improvement. This also includes the regular training of employees and continuing to adhere to a culture of security and privacy in the workplace.

The coming of the GDPR has caused a lot of businesses to recoil out of fear and hype. Unfortunately, this also resulted in them putting off making the much-needed improvements to their data processing activities and security. While there are penalties for non-compliance, this shouldn’t be the main reason why companies must go through the ordeal of what we have listed above. It all boils down to businesses taking better care of their clients by protecting their data. Not only will this foster customer loyalty, but it also allows the company to stay in business.

The post Make way for the GDPR: Is your business ready? appeared first on Malwarebytes Labs.


Oct 9, 2017
John

A week in security (October 02 – October 08)

Last week, we gave you some tips for National Cybersecurity Awareness Month, walked through an exploration of a small adware file, and explored the complicated world of the Homograph attack. Here’s what else happened in security.

VB2017

Many of our team members attended VB2017 in Madrid, one of the premier yearly security conferences that brings together researchers, companies, law enforcement, and more in an effort to explore the latest security research. Here’s a collection of articles from The Register’s John Leyden, who was in attendance:

  • Bulletproof hosts stay online by operating out of disputed backwaters: A look at how dubious hosts are retreating to places where they can continue to offer dubious services.
  • Spy vs. spy vs. hacker vs… who is THAT? Everyone's hacking each other: The problem of intelligence gathering when everyone is muddying the waters.
  • Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up: The alarming world of IoT medical devices.
  • Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster: An interesting look at the timeline behind the recent CCleaner issues.
  • Video games used to be an escape. Now not even they are safe from ads: My own talk, where I explore the long(ish) history of Advergaming, tricks used to force you to look at ads in games, and how it threatens to reshape many of your real-world interactions via augmented reality. Once the VB talks are uploaded to YouTube, I’ll be linking to many of them.

Other news

Stay safe everyone!

The post A week in security (October 02 – October 08) appeared first on Malwarebytes Labs.


Oct 6, 2017
John

Out of character: Homograph attacks explained

In April, Xudong Zheng, a security enthusiast based in New York, found a flaw in some modern browsers in the way they handle domain names. While Chrome, Firefox, and Opera already have security measures in place to cue users that they might be visiting a destination they thought was legitimate, at that time these browsers did not flag a fake domain name that used all Latin look-alike characters taken from another foreign language. Zheng demonstrated this when he created and registered a proof-of-concept (PoC) page for the domain, аррӏе.com, which was written in pure Cyrillic characters.

What is a homograph attack?

A homograph attack is a method of deception wherein a threat actor leverages the similarities between character scripts to create and register phony copies of existing domains in order to fool users and lure them into visiting. This attack has some known aliases: homoglyph attack, script spoofing, and homograph domain name spoofing. Characters (i.e., letters and numbers) that look alike are called homoglyphs or homographs, hence the name of the attack. Examples are the Latin small letter O (U+006F) and the Digit zero (U+0030). Hypothetically, one might register bl00mberg.com or g00gle.com and get away with it. But in this day and age, such simple character swaps can be easily detected.

In an internationalized domain name (IDN) homograph attack, a threat actor creates and registers one or several fake domains using at least one look-alike character from a different language. Again, hypothetically, one might register gοοgle.com, but not before swapping the Latin small letter O (U+006F) with the Greek small letter Omicron (U+03BF).

Zheng’s PoC is another example of an IDN homograph attack, so let’s list each character he used to illustrate how this particular attack can be highly successful and dangerous if used in the wild. Interestingly, an operating system’s typeface of choice can make it easy or difficult for users to visually differentiate non-Latin characters from Latin ones.

Table 1: We used Segoe UI, Microsoft’s system-wide typeface, here.

To the human eye, these Cyrillic glyphs can easily be confused with their Latin counterparts. Computers, however, read these confusables differently, as we can see from the different hex codes assigned to them.

Table 2: We used San Francisco, Apple’s system-wide typeface, here. It’s worth noting that OS X distinguishes the Cyrillic small letter Palochka from the Latin small letter L; however, it cannot show the difference between the Latin small letter L and the Latin capital letter I, as seen in the text “Cyrillic small letter Ie”.

According to this bug report, it seems that even the system-wide font for Linux doesn’t distinguish confusable characters either.

The use of all-Cyrillic glyphs—or any other non-Latin characters for this matter—for domain names isn’t the problem. IDN has made it possible for internet users around the globe to create and access domains using their native language scripts. The problem is when these glyphs are misused to deceive internet users.

Is this a new form of online threat?

Homograph attacks have been around for years. As far as we know, Zheng’s PoC was the first of its kind to make headlines and spark a conversation among internet users.

Below are other examples of homographed domains and how they were used:

  • To raise awareness, a security consultant highlighted the common misconception that sometimes a Latin capital letter I (U+0049) looks similar to a Latin small letter L (U+006C) by registering a fake Lloyds Bank website and adding an SSL certificate to it to make it look as legitimate as the real one.
  • A security researcher from NTT Security shared his experience about a friend of his who received several Google Analytics spam messages containing the domain, secret[DOT]ɢoogle[DOT]com. The “ɢ” there wasn’t the Latin capital letter G (U+0047) but a Latin letter small capital G (U+0262).
  • A security researcher from NewSky Security found an impersonated Adobe website serving the Betabot malware, pretending to be an Adobe Flash Player installer file. The threat actor used the Latin small letter B with Dot below (U+1E05) to replace the Latin small letter B (U+0062) in “adobe.com”.
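The character-by-character view in Table 1 and the look-alike code points listed in the examples above lend themselves to a simple defensive check. The script below is an added example, not code from the Malwarebytes post or from any browser vendor: it lists each character of a domain label with its code point and Unicode name, folds visual look-alikes to their Latin counterparts (the "skeleton" idea from Unicode TR39), and flags a label that mixes scripts or whose skeleton collides with a watched brand name. The `CONFUSABLES` table and the `WATCHLIST` are constructed subsets for illustration (the real Unicode confusables.txt is far larger), and `to_ace` is a simplified IDNA conversion (casefold, NFKC, Punycode) that is enough for the inputs shown; use a full IDNA library in production.

```python
"""Confusable-domain (homograph) check built on the "skeleton" idea from
Unicode TR39. Added example; not Malwarebytes' code. The CONFUSABLES table
and WATCHLIST below are constructed subsets, not the full confusables.txt."""
import unicodedata

# Constructed subset: non-Latin (or non-letter) glyph -> Latin look-alike.
# Code points are the ones the post discusses, plus a few common Cyrillic ones.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G
    "0": "o",       # DIGIT ZERO vs. letter o
    "1": "l",       # DIGIT ONE vs. letter l
}

# Constructed (hypothetical) watchlist of names worth protecting.
WATCHLIST = {"apple", "google", "bloomberg", "adobe"}


def describe(label):
    """Per-character listing in the spirit of Table 1: (char, code point, name)."""
    return [(c, "U+%04X" % ord(c), unicodedata.name(c, "<unnamed>")) for c in label]


def scripts(label):
    """Scripts used by the letters in a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(label):
    """Fold the label to what a human reads: strip diacritics, then map
    known confusables to their Latin counterpart."""
    # NFKD splits e.g. U+1E05 (b with dot below) into 'b' + combining dot;
    # dropping the combining marks (category Mn) leaves the base letter.
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return "".join(CONFUSABLES.get(c, c) for c in base)


def to_ace(label):
    """ASCII-compatible form of a label, i.e. what a browser shows when it
    refuses to render the IDN: 'xn--' plus the Punycode of the label.
    Simplified IDNA: casefold + NFKC, then Punycode (enough for these inputs)."""
    if label.isascii():
        return label
    prepared = unicodedata.normalize("NFKC", label.casefold())
    return "xn--" + prepared.encode("punycode").decode("ascii")


def assess(domain):
    """Return a list of findings for a domain; an empty list means nothing
    suspicious was found. Two checks per label: mixed scripts (a Latin word
    with one Greek letter swapped in) and a skeleton that collides with a
    watched name (an all-Cyrillic 'apple')."""
    findings = []
    for label in domain.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append("%s: mixes scripts %s" % (to_ace(label), sorted(used)))
        folded = skeleton(label)
        if folded != label and folded in WATCHLIST:
            findings.append("%s: reads as watched name '%s'" % (to_ace(label), folded))
    return findings


if __name__ == "__main__":
    # Constructed samples: Zheng's PoC, the other examples from the post, and
    # a legitimate German IDN that must not be flagged.
    samples = [
        "apple.com",
        "\u0430\u0440\u0440\u04cf\u0435.com",   # all-Cyrillic "apple"
        "g\u03bf\u03bfgle.com",                 # Greek omicrons in a Latin word
        "bl00mberg.com",                        # digit zero for letter o
        "secret.\u0262oogle.com",               # Latin letter small capital G
        "ado\u1e05e.com",                       # b with dot below
        "b\u00fccher.de",                       # legitimate IDN, not flagged
    ]
    for d in samples:
        print(d, "->", assess(d) or "ok")
        for ch, cp, name in describe(d.split(".")[0]):
            if not ch.isascii():
                print("   ", ch, cp, name)
```

The all-Cyrillic PoC passes the mixed-script check (every letter is Cyrillic, which is exactly why Chrome's older heuristic let it through) but is caught by the skeleton collision, and its ACE form `xn--80ak6aa92e` is what a browser displays once IDN rendering is disabled for it. The German `bücher.de` produces no finding, which is the point made below about IDN itself not being the problem.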

How is this different from typosquatting?

Although typosquatting also uses visual tricks to deceive users, it relies heavily on users mistyping a URL in the address bar, hence, the “typo” in its name.

Are all homograph attacks just phishing attacks?

Not necessarily. Although homograph attacks usually involve phishing, threat actors could create fake yet believable websites for other fraudulent purposes or to introduce malware onto user systems, as in the case of the bogus Adobe website we mentioned earlier.

In this in-depth report about IDN homograph attacks, our friends at Symantec have noted that several homographed domains they found were either part of a malvertising network, hosting exploit kits and malicious mobile apps, or generated by botnets.

How can we protect ourselves from homograph attacks?

Browser tools have been created, such as Punycode Alert and the Quero Toolbar, to alert users to potential homograph attacks. Users can adopt them alongside the built-in security mechanisms in today’s browsers. However, no tool can replace vigilance when browsing online and solid cybersecurity hygiene. This includes:

  • Regularly updating your browser (it may be your first line of defense against homograph attacks)
  • Confirming that the legitimate site you’re on has an extended validation certificate (EVC)
  • Avoiding clicking links from emails, chat messages, and other publicly available content, especially on social media sites, without ensuring that the visible link is indeed the true destination

Remember: Eyes open.

Stay safe!

The Malwarebytes Labs Team

The post Out of character: Homograph attacks explained appeared first on Malwarebytes Labs.

