Nov 27, 2017

Week in security (November 20 – November 26)

Last week we warned you about a new method by which the Mac malware OSX.Proton is being spread, we informed you where all those free Bitcoins you were texted about were being held up, how the EU intends to battle fake news, and how the Terdot Trojan likes social media. We also revealed our 2018 security predictions.

Other news

  • Because Windows 8 and later apply system-wide mandatory ASLR with zero entropy (relocated images land at the same address every time), the Windows 10 defense is ‘worthless’; the bug dates back to Windows 8. (Source: ZDNet)
  • A new tech support scam technique streamlines the entire scam experience, leaving the potential victims only one click or tap away from speaking with a scammer. (Source: Microsoft blog)
  • You have less than 90 days to claim your share of a $586 million refund if you were scammed via (not by) Western Union. (Source: Tripwire)
  • Firefox 59 will make it a lot harder to use data URIs in phishing attacks, as it will stop rendering them in certain scenarios. (Source: Virusbulletin blog)
  • An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK. (Source: SecurityWeek)
  • Regulators to press Uber after it admits covering up a data breach containing some personal information of 57 million Uber users around the world. (Sources: Reuters and Uber press release)
  • Security researchers have discovered a potentially dangerous vulnerability in the firmware of various Hewlett Packard (HP) enterprise printer models that attackers could abuse to run arbitrary code on affected printers remotely. (Source: The Hacker News)
  • Facebook will soon create a portal that lets people learn which Facebook pages or Instagram accounts run by the Internet Research Agency (a Russian operation) they may have liked or followed. (Source: Facebook Newsroom)
  • Imgur came clean about a security breach that took place in 2014. During the incident, Imgur says an unknown attacker managed to steal details on 1.7 million users. (Source: Bleeping Computer and Imgur blog)
  • KrebsOnSecurity has sought to call attention to online services that expose sensitive consumer data to anyone who knows a handful of static details about a person, details that are broadly for sale in the cybercrime underground. (Source: KrebsonSecurity)

Stay safe everyone!

The post Week in security (November 20 – November 26) appeared first on Malwarebytes Labs.

Powered by WPeMatico

Nov 27, 2017

Mobile Menace Monday: Chrome declares war on unwanted redirects

As announced earlier this year, Google is moving ahead with a set of changes to Chrome that defend against unwanted web redirects. A redirect happens when the browser ends up on a different website from the URL that was entered. Some redirects are intentional, as when one organization or website is bought by another and its traffic is sent on to the new owner. Others are malicious and unwanted.

An unwanted redirect happens when a page the user never asked for opens in the browser because of maliciously embedded JavaScript. These redirects usually come from third-party content, and they run without the page author’s knowledge. The most common pattern works like this: after the user clicks a link, the page they wanted opens in a new tab, while the original (main) window is quietly navigated to an unwanted page.

Google will be rolling out updates with three new solutions to block unwanted redirects. These updates will be in addition to features that already exist, such as Chrome’s pop-up blocker and autoplay protections.

Google’s new anti-redirect features

Google’s first step in dealing with redirects is a new way of handling iframes in Chrome 64. Redirects that originate from a third-party iframe will show an infobar instead of navigating, unless the user has been interacting with that frame. If the user ignores the infobar and then interacts with the frame’s content, a redirect triggered by that interaction is still allowed.

An example of a redirect blocked on a test site. The iframes embedded in the site are attempting to navigate the page to an unintended destination, but Chrome prevents the redirect and shows an Infobar.

Another new feature, implemented in Chrome 65, will detect the common behavior of redirecting the main window described above. Once again, the infobar will trigger and the main window will be prevented from redirecting. This keeps the user on the page they intended to visit and spares them annoying or intrusive advertisements, such as videos that autoplay with sound or interstitial ads that take up the entire screen.
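
Site owners do not have to wait for Chrome to catch these frames. As an added example (not code from the original post, and not a Google tool), the Python below audits a page’s HTML for the third-party iframes that are able to navigate the top-level window: frames with no sandbox attribute at all, and frames whose sandbox grants allow-top-navigation. A sandbox that grants only allow-top-navigation-by-user-activation keeps the redirect gated on a user gesture, which is the same rule Chrome 64 applies to third-party frames. The sample HTML and the host names in it are constructed for the example.

```python
"""Audit third-party iframes for sandbox settings that permit top-level
navigation (added example; the sample page below is constructed)."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Sandbox tokens that let a frame navigate the top-level window.
UNGATED_TOP_NAV = {"allow-top-navigation"}
# This token also allows it, but only in response to a user gesture.
GATED_TOP_NAV = {"allow-top-navigation-by-user-activation"}


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; a valueless attribute arrives as None.
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_third_party(src, site_host):
    """True when src points at a host other than the page's own host.

    Relative URLs (no host) are treated as first-party content.
    """
    host = urlparse(src).hostname
    return bool(host) and host.lower() != site_host.lower()


def audit_iframes(html, site_host):
    """Return (src, risk) for each third-party frame that can redirect the page.

    risk is 'unsandboxed' when the frame has no sandbox attribute, or
    'top-navigation' when its sandbox grants allow-top-navigation outright.
    Frames limited to the user-activation variant (or to nothing) are not
    reported, because they cannot redirect without a gesture in the frame.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        if not is_third_party(src, site_host):
            continue
        if "sandbox" not in frame:
            findings.append((src, "unsandboxed"))
            continue
        tokens = set(frame["sandbox"].lower().split())
        if tokens & UNGATED_TOP_NAV:
            findings.append((src, "top-navigation"))
    return findings


# Constructed sample page for a site served from example.org: one first-party
# frame and three third-party ad frames, two of which can redirect the page.
SAMPLE_HTML = """
<html><body>
<iframe src="https://example.org/widget"></iframe>
<iframe src="https://ads.third-party.example/slot1"></iframe>
<iframe src="https://ads.third-party.example/slot2"
        sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.third-party.example/slot3"
        sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, risk in audit_iframes(SAMPLE_HTML, "example.org"):
        print(f"{risk:15} {src}")
```

The check only covers content that is actually framed: a third-party script included directly in the page runs with the page’s own privileges and can call top.location itself, so it needs to be reviewed separately. Adding the sandbox attribute to an ad frame also removes other capabilities (forms, popups, same-origin access) unless they are granted explicitly, so test the frame after hardening it.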

Some other Google Chrome protection features

In addition to preventing redirects, Google will also protect against several other types of abusive experiences, such as links that send users to unexpected destinations: links to third-party websites disguised as fake Google Play buttons, fake site controls, or transparent overlays that capture every click and open new tabs or windows. Historically, these have been hard to detect automatically.

Google announced that, starting in early January 2018, Chrome’s pop-up blocker will also get an update. It will start preventing sites with these types of abusive experiences from opening new windows or tabs. Basically, it will serve much the same function as Google Safe Browsing does, protecting users from malicious content and making sure that ad offenders don’t frustrate or take advantage of users.

Google is helping site owners prepare for these changes with a new Abusive Experiences Report. Site owners can use the report feature to check if any of these abusive experiences have been found on their site and make proper changes accordingly. Otherwise, they have 30 days before Chrome will begin blocking the site from opening new tabs and windows.

In Google we (are forced to) trust

We all know that where there are benefits, there are also consequences. How Google handles its bigger ad-blocking initiative will be something to watch closely. There are of course drawbacks to building an ad blocker into Chrome, the most egregious being the amount of power it gives Google. Chrome ad blocker doesn’t just help publishers, it also helps Google maintain its dominance.

Eventually, it means Google gets to decide what qualifies as an acceptable ad (even though it’s basing this on standards set by the Coalition for Better Ads). That’s a good thing if you trust Google, but let’s keep in mind that Google is an ad company. Nearly 89 percent of its revenue comes from displaying ads. Just some food for thought.

Solutions for mobile

Malicious redirects are becoming commonplace on mobile devices. Most mobile browsers, Chrome included, don’t do a great job of preventing these redirects, which also cause ad pop-ups. Advertising affiliates are aware of this and exploit the weakness. Even when an advertising affiliate is shut down for abusing redirects, it doesn’t stay shut down. All they need to do is get a different affiliate ID, and they are right back in business.

We are crossing our fingers that the new features in Chrome will finally stop redirects. If not, we can offer a couple of other solutions: disable JavaScript, install a browser with built-in ad blocking (like Opera), and/or install Adblock Plus. If all else fails and you are still encountering pop-ups, you can back out of them using Android’s back key. Clearing your history and cache will also help stop the ads from recurring.

Detecting phishing URLs

Malwarebytes for Android also contributes to the fight against frustrating unwanted websites with a couple of features. First, we automatically detect phishing URLs in any incoming text message (SMS). Next, we detect phishing URLs in any text provided by the user. You can do this by simply selecting any text you’d like to scan on your mobile device. After selecting it, just share the selected text with Malwarebytes for Android and we’ll alert you to phishing URLs.

Lastly, we have a great feature that aids in a safer browsing experience. It scans for phishing URLs in Chrome and alerts you when any are detected. Disclaimer: we can only alert, not block. We do this by using the accessibility service built into the Android OS. Thus, when you see Malwarebytes for Android asking for accessibility service permissions, it’s strictly for our phishing URL scanner. As always, we dedicate ourselves to keeping you safe, even from unwanted links.

The post Mobile Menace Monday: Chrome declares war on unwanted redirects appeared first on Malwarebytes Labs.

Nov 22, 2017

Terdot Trojan likes social media

We usually advise people who have fallen victim to banker Trojans to change all their passwords, especially the ones related to their financial sites and apps. Besides the dangers of re-used passwords, there are other reasons why this is important. This advice is especially applicable to a Trojan making the rounds called Terdot.

Our friends at Bitdefender wrote a white paper about the Terdot Trojan that shows how this offspring of Zeus can not only monitor and modify your Facebook, Twitter, YouTube, and Google Plus traffic, but also spy on webmail platforms like Microsoft’s login page, Yahoo Mail, and Gmail.

Hasherezade already saw this coming at the start of this year, when she warned that Terdot not only spies on traffic but also modifies the displayed content by means of “WebInjects” and “WebFakes.”

Terdot is spread both by email, using malicious attachments, and by the Sundown exploit kit. It uses a complex, multi-stage method to download and activate the malware on the targeted system, most likely to throw security researchers off the scent. Once established, it uses its own certificate to intercept TLS-protected traffic, setting up a local man-in-the-middle (MitM) proxy through which it can read and modify what the browser sends and receives.

This Terdot variant only targets Windows systems, and it skips machines running a Russian-language version of the operating system. Its main targets are in the US, Canada, the UK, Germany, and Australia. The added functionality for social media might be used in different ways. Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender, told ZDNet:

“Social media accounts can be also used as a propagation mechanism once the malware is instructed to post links to downloadable copies of the malware. Additionally, the malware can also steal account login information and cookies, so its operators can hijack the social network account and re-sell access to it, for instance,”

Malwarebytes detects the installers as Trojan.Terdot:


And blocks the download URLs:

blocked URL

Stay safe out there and get protected.

The post Terdot Trojan likes social media appeared first on Malwarebytes Labs.

Nov 21, 2017

How the EU intends to battle fake news

Last week the European Union issued a press release to announce its next steps against fake news.

These steps will be the launch of a public consultation and the setup of a high-level expert group representing academics, online platforms, news media, and civil society organizations.

The first results of the information gathered by the consultation are expected in April 2018. Despite other initiatives against fake news and online disinformation, like the First Draft Coalition (which has the cooperation of Twitter and YouTube, among others) or International Fact Checking Day (April 2), the amount of fake news being generated and disseminated is still on the rise, especially on social media.

One of the questions in the public consultation

The reason for action

A Eurobarometer survey published on November 17, 2016 showed that European citizens are worried about the independence of the media, and levels of trust in media are low. For example, 55 percent of Europeans stated that they lost their trust in the news presented on social media. Personally, I feel that number should even be higher—and it probably is after what has happened in the year that passed since the survey was published.

European Commission First Vice-President Frans Timmermans said:

The freedom to receive and impart information and the pluralism of the media are enshrined in the EU’s Charter of Fundamental Rights. We live in an era where the flow of information and misinformation has become almost overwhelming. That is why we need to give our citizens the tools to identify fake news, improve trust online, and manage the information they receive.

It has become clear that fake news and online disinformation have become a deliberate method to taint the reputations of public persons and institutions, to influence the outcome of democratic processes, and to change the public opinion on important matters like health care, environmental changes, immigration, and terrorism.

The latest technologies and the number of people active on social media have increased not only the impact of fake news, but also the speed with which it spreads.

The countermeasures of the EU

The first step outlined by the EU is a public consultation. Citizens, social media platforms, news organizations (broadcasters, print media, news agencies, online media and fact-checkers), researchers, and public authorities are all invited to share their views in the public consultation until mid-February 2018.

The consultation is set up as a number of multiple choice questions and only addresses fake news and disinformation online when the content is not illegal per se, and thus not covered by existing legislative and self-regulatory actions.

The commission is inviting experts to apply for the high-level group on fake news to advise on scoping the phenomenon, defining the roles and responsibilities of relevant stakeholders, grasping the international dimension, taking stock of the positions at stake, and formulating recommendations. The commission aims at a balanced selection of the experts from each field, be it academia or civil society.

The results are expected to:

  • Determine the scope of the problem, i.e. how fake news is perceived by citizens and stakeholders, how aware they are of online disinformation, and how much they trust different media.
  • Give a first assessment of measures already taken by platforms, news media companies, and civil society organizations to counter the spread of fake news online, as well as positions on the roles and responsibilities of the relevant stakeholders.
  • Advise on possible future actions to strengthen citizens’ access to reliable and verified information and prevent the spread of disinformation online.

What can we expect

As mentioned before, private initiatives have been undertaken in the battle against fake news and online disinformation, but with the authority to implement legislation, the EU can have a bigger impact, and create measures that other institutions can’t enforce. For example, it could:

  • Force social media to close fake accounts.
  • Claim back revenues of websites that utilize online disinformation (and maybe even clickbait) to attract visitors.
  • Set up organizations that look for and flag fake news.
  • Collaborate with existing fact checking organizations to establish a code of conduct for fact-checking.

So far, the measures used by online platforms and news media organizations to counter the spread of fake news seem to capture only a small fraction of the disinformation, and they rely on time-consuming human verification of content. Legislation that makes verification mandatory may speed up the development of better methods. One may hope that Artificial Intelligence (AI) can do a more adequate job in the future.

To counter the speed involved in the propagation of fake news, we should act quickly and with accuracy in order to protect against it. On the other hand, we need to be aware of the danger that comes with employing any such methods and not let them fall into the realm of censorship.

Recent examples

If you have any doubts about how serious the problem of fake news has become, and how it leads to unrest and distrust, we invite you to read some of these articles.

Kenya’s election proves fake news is a serious threat to international security

Czech elections show how difficult it is to fix the fake news problem

Russia has launched a Fake News war on Europe. Now Germany is fighting back

Ukraine says it warned Facebook of Russia fake news in 2015

Spain Catalonia: did Russian ‘fake news’ stir things up?

If you are an EU citizen and want to make your voice heard, participate in the public consultation: the Commission’s page explains the process and lets you complete the questionnaire as either a citizen, a legal entity, or a journalist.

The post How the EU intends to battle fake news appeared first on Malwarebytes Labs.

Nov 21, 2017

Text messages and the Bitcoin Code: follow the money trail

I was a bit surprised to receive lots of messages similar to the one below this past week:

free coins?

I mean, we’ve all done it—managed a bulk text spam campaign offering free Bitcoins in your spare time, while completely forgetting said business exists. Maybe I did it in my sleep? It’s all gone a bit Fight Club. And as we all know, the first Rule of Fight Club is “Don’t run a free Bitcoin bulk text spam campaign in your spare time, while completely forgetting said business exists.”

Or maybe not.

Either way, I decided to find out what was going on. Had someone taken a cheeky jab at a security researcher by placing my contact details into the pipeline somewhere, did I actually set up a bulk spam campaign with free Bitcoins at the end of it, or was there a more mundane explanation that didn’t require people to yell at me via capslock?

oh dear

There’s only so much “dashing expectations on the shore” a guy can take. Or, to put it another way…

No wonder everyone was so grumpy.

First up, the text. The only examples I had sent to me were written in Dutch:

text message

“You have 1 Bitcoin in your account. Confirm here: [URL] Current market value: €6064.”

Bitcoin value is through the roof at the moment, so it’s no wonder someone might want to jump on the opportunity. I’d love to see how many people clicked from the text to the URL with the promise of riches already in the bank.

The short link in the text is a text(dot)id URL. The site is registered to an address in Jakarta, Indonesia, but it’s the email address that’s of interest (well, to me, anyway):

email address

Unfortunately, lots of people thought this was me, instead of any of the other numerous Chris Boyds floating around the Internet, hence the confused and occasionally angry, “Where are my coins? Also drones deployed” messages. As it turns out, that email address—mrmessaging—is tied to a bulk mail service, and the Chris Boyd in question appears to own the default address listed for the registered URL. He’s an actual person and everything, and easily found with about 10 seconds of Googling. But he’s not me.

So that’s that short mystery put to bed. Also please stop asking me for Bitcoins.

well hello there

No, really. I insist.

Choice insults aside, the URL redirects to another site located at [snip].

What do we have here? Something called The Bitcoin Code, which bears zero relation to paintings, Tom Hanks, or ancient prophecy.

The Bitcoin Code

Time to fire up Google Translate:

Join The Bitcoin Code

The Bitcoin Code is exclusively intended for people who have responded to the outrageous returns Bitcoin offers and who have earned a fortune with it.

The Bitcoin Code Members enjoy month-in-month outs of the most beautiful stays around the world, while they earn their money on their laptop every day with just a few minutes ‘work.’

Actually, this sounds way better than Tom Hanks.

smiling bitcoin man


Hi, I am a former software developer at a large company that I do not want to mention.

I designed the Bitcoin Trading software that generated more than € 18,484,931.77, just in the last 6 months.

This software makes more millionaires faster than the first investors in Uber, Facebook or AirB&B.

If you want to earn a million with Bitcoin, watch the video above and learn how it works.

The short version is, you sign up via email then add in a mobile number and some other pieces of information. After that, you deposit “250 Euro” to get things moving and then it’s automated stock exchange programs and Bitcoin all the way down.

how it works

We can’t vouch for how effective said software may be, but we can definitely confirm it’s nothing to do with my good self, and generally speaking I’d be wary of signing up to random text messages with 250 euros of my hard earned money—and you should be, too.

As the disclaimer at the bottom of the splash page says:

Significant Risk Reporting: Trading in binary options can lead to major gains, but also entails the risk that part or all of the capital will be lost and this has to be recognized by budding investors. We advise you to read the terms and conditions and the indemnity before making any investment. Customers must inform themselves about the tax rules in the country of establishment. US residents should not be approached to trade commodity options, even when it comes to ‘predictive’ contracts, except when it concerns contracts registered with a CFTC-registered stock exchange or in case of a legal exception.

I’m no Wall Street banker, but that sounds a bit dodgy. My coins—metal, digital, and chocolate—will be staying in my pocket for the time being (apart from the chocolate ones, which are at significant risk of melting, and also the digital ones which only exist in your computer. Not mine. I don’t own any, sorry). Should you receive one of these texts claiming you’re somehow in possession of a Bitcoin, do the block / report / delete dance as fast as your fingers will allow.

The post Text messages and the Bitcoin Code: follow the money trail appeared first on Malwarebytes Labs.

Nov 20, 2017

OSX.Proton spreading through fake Symantec blog

Sunday night, a series of tweets from security researcher @noarfromspace revealed a new variant of the OSX.Proton malware, spreading via a concerning new method: a spoofed copy of security company Symantec’s blog.

Method of infection

The malware is being promoted via a fake Symantec blog site at symantecblog[dot]com. The site is a good imitation of the real Symantec blog, even mirroring the same content. The registration information for the domain appears, at first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway, however:

Even more suspicious is the certificate used by the site. It is a legitimate SSL certificate, but it was issued by Comodo rather than by Symantec’s own certificate authority.

The fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. The fake post claims that a new variant of CoinThief has been spotted. In fact, as far as I’ve been able to determine, this is a made-up story, and no such new variant of CoinThief actually exists.

The fake post promotes a program called “Symantec Malware Detector,” supposedly to detect and remove the malware. No such program actually exists.

Unfortunately, links to the fake post have been spreading on Twitter. Some of the accounts tweeting the link appear to be fake accounts, but others seem to be legitimate. Given the fact that the primary goal of the Proton malware is to steal passwords, these could be hacked accounts whose passwords were compromised in a previous Proton outbreak. However, they could also simply be the result of people being tricked into thinking the fake blog post is real.

Users who download and run the “Symantec Malware Detector” will instead be infected with malware.

Malware behavior

When run, the malicious Symantec Malware Detector application displays a very simple window, using the Symantec logo:

If the user quits the application at this point, the malware does not actually get installed. However, let’s be honest—if you’ve been tricked into downloading and opening this application, you probably won’t bail out at this point.

Clicking the “Check” button results in a request for an admin password:

The average Mac user has seen this kind of password request many times before, so again, this is unlikely to raise suspicions among users who have gotten this far. In reality, this is a very well-done fake, and it hands the malware your password. (The legitimate system dialog it is designed to imitate never gives the requesting software the user’s password.)

If an admin password is provided, the application displays a progress bar claiming to be scanning the computer.

In reality, however, the application has installed the Proton malware.

The malware will begin capturing information, including logging the user’s admin password in clear text, along with a lot of other personally identifiable information (PII), to a hidden file:

Excerpt of the hidden file, captured on a test machine named “test’s Mac”.

The malware also captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords. Since the malware has phished the user’s password, the hackers will be able to decrypt the keychain files at a minimum.

Indicators of compromise

The Symantec Malware Detector application is, as far as I’m able to determine, a completely made-up name. If you see such an application—perhaps in the Downloads folder, or perhaps in the Applications folder, depending on where the user puts it—it should be deleted.

If you are unsure of whether the application is actually malicious, you can check the code signature. Enter the following command in the Terminal, substituting the actual path:

codesign -dvvv "path/to/Symantec Malware"

The malicious application has been signed by someone named Sverre Huseby, using a certificate with a team identifier of E224M7K47W (codesign reports it on the TeamIdentifier= line of its output). Anything signed with this certificate should be considered malicious.

Once this malicious “dropper” application has been run, the following paths will be found on the system:


The .random directory holds the malicious Proton executable, which is kept running by the launch agent. The .cachedir folder contains data that has been or will be exfiltrated.

In addition to these files, the /private/etc/sudoers file will have been modified. The following line will have been added to the end:

Defaults !tty_tickets

That line should be removed from the sudoers file (edit it with visudo, so that a syntax error cannot lock you out of sudo). With tty_tickets disabled, a single successful sudo authentication in any terminal session is honored in every other session until the timeout expires, which lets the malware run privileged commands without a prompt once the user has used sudo anywhere.
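
As an added example (not the post’s own code, and not a Malwarebytes tool), the Python below automates the two checks above: it reads the TeamIdentifier from a codesign -dvvv report and compares it with the team identifier named in the post, and it scans sudoers text for the Defaults !tty_tickets line. codesign writes its report to stderr as key=value lines, which is what the parser expects. The sample codesign report and sudoers contents are constructed for the example, and the bundle path inside them is a placeholder rather than an indicator.

```python
"""Triage checks for the OSX.Proton dropper indicators (added example)."""

import re
import subprocess

# Team identifier of the certificate the dropper was signed with (from the post).
KNOWN_BAD_TEAM_IDS = {"E224M7K47W"}

# `codesign -dvvv` reports on stderr as key=value lines, one of which is
# TeamIdentifier=<team ID>, or "TeamIdentifier=not set" for signatures
# that carry no team.
TEAM_ID_RE = re.compile(r"^TeamIdentifier=(.+)$", re.MULTILINE)

# The line the dropper appends to /private/etc/sudoers.
TTY_TICKETS_RE = re.compile(r"^\s*Defaults\s+!tty_tickets\s*$", re.MULTILINE)


def team_identifier(codesign_report):
    """Return the TeamIdentifier from a codesign report, or None if unset."""
    match = TEAM_ID_RE.search(codesign_report)
    if not match:
        return None
    value = match.group(1).strip()
    return None if value == "not set" else value


def is_known_bad_signature(codesign_report):
    """True when the report shows a signature from a listed team ID."""
    return team_identifier(codesign_report) in KNOWN_BAD_TEAM_IDS


def codesign_report_for(bundle_path):
    """Run codesign on a bundle and return the report it writes to stderr."""
    result = subprocess.run(["codesign", "-dvvv", bundle_path],
                            capture_output=True, text=True)
    return result.stderr


def tty_tickets_disabled(sudoers_text):
    """True when sudoers contains `Defaults !tty_tickets`.

    With tty_tickets disabled, one sudo authentication in any terminal
    session unlocks sudo in every other session until the timeout expires,
    so the malware can run privileged commands without prompting once the
    user has used sudo anywhere.
    """
    return TTY_TICKETS_RE.search(sudoers_text) is not None


# Constructed stand-in for the report codesign prints for the dropper.
# The Executable path is a placeholder, not a real indicator.
SAMPLE_CODESIGN_REPORT = """\
Executable=/path/to/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=E224M7K47W
"""

# Constructed sudoers contents: a default-looking file with the appended line.
SAMPLE_SUDOERS = """\
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
Defaults !tty_tickets
"""

CLEAN_SUDOERS = """\
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""


def main():
    print("sample signature known bad:", is_known_bad_signature(SAMPLE_CODESIGN_REPORT))
    print("sample sudoers tampered:", tty_tickets_disabled(SAMPLE_SUDOERS))
    # On a real Mac, run as root to inspect the live file.
    try:
        with open("/private/etc/sudoers") as f:
            print("live sudoers tampered:", tty_tickets_disabled(f.read()))
    except (PermissionError, FileNotFoundError) as exc:
        print("live sudoers not checked:", exc)


if __name__ == "__main__":
    main()
```

To check a suspect bundle on a Mac, pass its path to codesign_report_for() and feed the result to is_known_bad_signature(); the signature check only identifies this one signing identity, so a clean result says nothing about a dropper signed with a different certificate.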

Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected.


Malwarebytes for Mac will detect and remove Proton infections for free. If you find your Mac to be infected, it’s quite easy to remove the malware. However, removing the malware is only a part of the solution.

Since Proton is designed to steal login credentials, you will need to take some emergency actions post-infection. You should treat all online passwords as compromised and change them all. Be sure, while you’re at it, to use different passwords on every site, and use a password manager (such as 1Password or LastPass) to keep track of them. Since 1Password vaults are a target of Proton, be sure that you don’t store your password manager’s master password in your keychain or anywhere else on the computer. That should be the one and only password that you memorize, and it should be strong.

You should also enable two-factor authentication on every account that will allow you to do so. That will minimize the impact of such breaches in the future by ensuring that a hacker will need more than just your password to access your accounts.

In addition to passwords, you should consider any other information that may have been part of the compromise. For example, if you store credit card numbers or other sensitive data in the keychain, it should be treated as compromised and you should respond accordingly.

As always, if the machine that was compromised was issued to you by your employer, or has company data on it, you should notify IT immediately. Failure to do so could lead to a very serious breach of your company’s systems.


Proton has been circulating for quite some time since its initial appearance in March. It has previously been distributed via a compromise of the Handbrake application and a similar compromise of a couple of Eltima Software applications. It is highly likely that Proton will continue to circulate, and that similar incidents will continue to occur.

Proton illustrates an increasing problem in the Mac community. The prevailing attitude that you can avoid Mac malware if you’re careful enough is failing in the face of supply chain attacks, such as the hacks of the Handbrake and Eltima Software systems.

Further, so-called “fake news” being used to distribute malware is a highly dangerous threat. Many people these days are looking to download malware removal software for the Mac, due to the increasing prevalence of annoying Mac adware. Unfortunately, it is often the case that such software will be downloaded after a search that gives questionable results, or after seeing a recommendation from a hacked or fake account on social media or forums.

Macs are the targets of an increasing amount of malware. They can no longer be assumed to be safe. The old advice that “Macs don’t get viruses,” which can still be found echoing in many Mac-centric forums, has never been true, and this is becoming increasingly obvious to those following such events. Do not fall victim due to a false sense of security caused by the fact that you have a Mac!

The post OSX.Proton spreading through fake Symantec blog appeared first on Malwarebytes Labs.

Nov 20, 2017

A week in security (November 13 – November 19)

Last week, we gave you some tips for the inevitable online chaos that is Cyber Monday, explained how “trusted” root certificates can sometimes be anything but, and explored the strange world of catphishing. We also pulled apart some malware found on Google Play and laid out the specifics of the cloud in simple terms.

Other news

  • London Metropolitan Police aren’t massively keen on facial recognition technology. (source: The Register)
  • Fake News is a bigger problem than just in the realm of the political. (source: Digital Shadows)
  • Banking Trojans won’t be going away anytime soon—here’s another one! (source: Security Intelligence)
  • Why do bug bounty hunters, er, hunt bug bounties? Study available here. (source: Help Net Security)
  • That camera in your home may have a vulnerability lurking. (source: Talos Security)
  • A legitimate email appears to be phishy fun with the Punisher. (source: io9)
  • Hide your Facebook and Twitter from this piece of malware. (source: CNet)

Stay safe everyone!

The post A week in security (November 13 – November 19) appeared first on Malwarebytes Labs.

Nov 17, 2017

10 tips for safe online shopping on Cyber Monday

Shoppers familiar with the Cyber Monday circus know they’re stepping into the lion’s den. The Internet has always been a lawless place, but it becomes particularly rough during the holiday shopping season.

In preparation for the frenzy, cyber villains have crafted a virtual onslaught of social engineering scams, malspam, and malicious, spoofed websites in order to dupe the droves of people expected to spend nearly $4 billion online this year.

So, bargain hunters, it’s important to know the warning signs. Here’s your guide to safe online shopping on Cyber Monday and beyond.

  1. Go directly to a store’s website instead of using search engines to look for deals. If you happen to find a deal using a search engine, try to verify it by searching for the exact name of the deal in quotes. If it’s a scam, then it’s likely someone will have already put out a warning.
  2. Give pop-ups and other digital ads the stank eye. Many pop-ups could contain fake coupons, redirect you to malicious sites, or expose you to cross-site scripting attacks. If a coupon seems to come out of nowhere with a too-good-to-be-true offer, don’t think twice. Just click that “x” and shut it down.
  3. Watch out for social media scams, especially on Facebook. Cybercriminals are using fake or compromised Facebook accounts in order to post links to amaaaaaazing deals that don’t actually exist. They’re especially prone to dropping links on the walls of open groups dedicated to shopping. “One of the top shopping scams to avoid in the run-up to Cyber Monday is the social media fakeout,” says Chris Boyd, Lead Malware Analyst at Malwarebytes. “During any given holiday period there will be an excess of fake offers, deals, and supposed freebies which tend to have a sting in the tail. If you’re being asked to share something on Facebook in order to get your hands on something too good to be true, you can bet there’s a scam involved.”
  4. Dump Cyber Monday emails with attachments in the virtual garbage. Cyber Monday emails with attachments, especially zip files, are super suspect—it’s possible, in fact likely, that they contain malware. Delete them immediately. Not only that, but you should review any other Cyber Monday-related emails with a hawk eye. If you get an email from a store claiming to have a deal, type the store’s URL directly into your browser instead of clicking on the link. If the site doesn’t verify the deal, you know it’s a fake.
  5. Make sure you’re on a secure connection. Look for the padlock icon to the left of the URL when you go to check out. If it’s there, then that means the information passed between a store’s server and your browser remains private. In addition, the URL should read “https” and not just “http.”
  6. Do not use debit cards to shop online. Want to give cybercriminals direct access to your bank account? Then by all means, use your debit card! Otherwise, play it safe by using credit cards or a PayPal account that’s linked to a credit card. While many banks are cracking down on fraudulent withdrawals, you’ll still have to wait for your money while they investigate the charges.
  7. Avoid using public wifi to shop. All a cybercriminal needs to do to get a public wifi password and wreak havoc is order a coffee. If you’re shopping and entering personal data, best to do it on your secure wifi connection at home.
  8. Watch out for malicious QR codes. Q what now? QR codes are small, pixelated codes meant to be scanned by a smartphone’s camera. They often contain coupons, links to websites, or other product marketing materials. Some hackers have started creating codes that link to a phishing or malware site, printing them on stickers, and placing them on top of the legit QR codes. Best to avoid them.
  9. Don’t fork over extra info. If a site starts asking for out-of-the-ordinary personal data, like Social Security numbers or password security questions, slam on the brakes and get the heck out of Dodge.
  10. Tighten up security before you shop on Cyber Monday. Make sure all software on your computer is up-to-date, including your OS, browser, and other apps. And if you don’t already have it, install a cybersecurity program on your desktop (whether it’s a Mac or PC) that prevents malware infection to ensure maximum coverage. In addition, since mobile shopping is set to outpace desktop shopping for the first time this year, it’s a smart idea to download a cybersecurity program for your phone. If you’ve already covered your cybersecurity bases, make sure you run updates on all those programs as well.

Happy, and safe, holiday shopping everyone!

The post 10 tips for safe online shopping on Cyber Monday appeared first on Malwarebytes Labs.


Nov 16, 2017

When you shouldn’t trust a trusted root certificate

Root certificates are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certificate authority (CA) and, essentially, verify that the software/website owner is who they say they are. We have talked about certificates in general before, but a recent event triggered our desire for further explanation about the ties between malware and certificates.

In a recent article by RSA FirstWatch, we learned that a popular USB audio driver had silently installed a root certificate. This self-signed root certificate was installed in the Trusted Root Certification Authorities store. Under normal circumstances, you would have to agree to “Always trust software from {this publisher}” before a certificate would be installed there.

However, the audio driver skipped this step of prompting for approval (hence “silently” installing). The silent install was designed to accommodate XP users, but it had the same effect in every Windows operating system from XP up to Windows 10. The installer was exactly the same for every Windows version. Ironically enough, the certificate wasn’t even needed to use the software. It was just introduced to complete the installation on Windows XP seamlessly.

Why is this a bad thing?

Root certificates can be installed for purposes such as timestamping, server authentication, code-signing, and so on. But this particular driver installed a certificate valid for “All” purposes. So any system with these drivers installed from any of the vendors will trust any certificate issued by the same CA—for “All” purposes. Under normal circumstances, only a certificate issued by Microsoft would have “All” in the root certificate’s “Intended Purposes” field.

Having a certificate in the Trusted Root Certification Store for “All” intended purposes on a Windows system gives anyone that has the private key associated with the certificate the ability to completely own the system on which it is installed. The impact is the same as for any Certificate Authority (CA) behind certificates installed on Windows systems.


An exception is that in some instances large companies may choose to do the same with the intent to perform SSL decryption at the perimeter for outbound traffic. So not only does silently adding a root certificate break the hierarchical trust model of Windows; it also gives any owner of the private key that goes with that certificate a lot of options to perform actions on a computer with that certificate installed.

How can they be abused?

An attacker who gets ahold of the private key that belongs to a root certificate can generate certificates for his own purposes and sign them with the private key. Any Windows system that already has the root certificate in its Trusted Root Certification Store will trust any certificate signed with the same private key for “All” purposes. This applies to software applications, websites, or even email. Anything from a Man-in-the-Middle (MitM) attack to installing malware is possible. And as if this wasn’t bad enough, security researchers at the University of Maryland found that simply copying an Authenticode signature from a legitimate file to a known malware sample can cause antivirus products to stop detecting it, even though it results in an invalid signature.

Methods of abuse

There are several ways criminals can abuse certificates. They can:

Of all these methods, it stands to reason that stolen certificates, especially those intended for “All” purposes, are the most dangerous. So introducing one of these just because you want to install a driver or to enable easier customer support, and not letting the user know, is inadvisable at best.

If you think that the number of certificates in use by malware authors can’t be that large, have a look at the suspects that have been reported at the CCSS forum.

How can I remove certificates I don’t need or trust?

A list of known signing certificates that are being abused by threat actors has been made available at As explained earlier, using signing certificates gives criminals a lot of options to bypass system protection mechanisms, which is why you might want to remove those from your machine. There is also a test site where you can check if any of the software programs that are open to an MitM attack are active on your system.

To delete a trusted root certificate:

  • Open the certificates snap-in for a user, computer, or service. You can do this by running certmgr.msc from your Run / Search programs box or from a command prompt.
  • Select Trusted Root Certification Authorities.
  • Under this selection, open the Certificates store.
  • In the details pane on the right-hand side, select the line of the certificate that you want to delete. (To select multiple certificates, hold down control and click each certificate.)
  • Right-click the selection you made and, in the action menu, click Delete.
  • Confirm your choice by clicking Yes if you are completely sure that you want to permanently delete the certificate.

Please note that user certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

You might want to back up the certificate by exporting it before you delete it. For the procedure to export a certificate, see export a certificate.

If you want to look at the Thumbprint, aka serial number, of the certificates, you can use this PowerShell command to list the non-Microsoft certificates in the Trusted Root Certification Authorities store:

Get-ChildItem -Path Cert:\CurrentUser\AuthRoot -Recurse | Select-Object Thumbprint, FriendlyName, Subject | ConvertTo-Html | Set-Content C:\Users\Public\Desktop\certificates.html

This will create an HTML file on the public desktop that shows the list by Thumbprint (in reverse order), where you can look up the Friendly Name and Subject that belong to a Thumbprint.
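As an added example (not code from the Malwarebytes article), the script below does the same audit for both the per-user and the machine-wide Trusted Root Certification Authorities store (the `Root` store, rather than the `AuthRoot` store used in the one-liner above), reports each non-Microsoft root with the purposes certmgr.msc would show in its Intended Purposes column, and wraps the export-then-delete procedure from the steps above in a single function. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the `Cert:` drive and the PKI module’s `Export-Certificate` cmdlet; the “Microsoft” subject match used to filter out Microsoft’s own roots is a heuristic of this example, not something the article specifies.

```powershell
# Added example, not from the original article: audit Trusted Root stores for
# roots Windows did not ship, and optionally export-then-remove one by thumbprint.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows (Cert: drive, PKI module).

function Get-RootIntendedPurposes {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # certmgr.msc shows "<All>" when a certificate carries no Enhanced Key Usage
    # extension; otherwise it lists the EKU friendly names. A root trusted for
    # "<All>" is the case the article warns about.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return '<All>' }
    return (($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ')
}

function Get-SuspectRootCertificate {
    # Walk both the per-user and the machine-wide Trusted Root Certification
    # Authorities stores and return every root that does not look Microsoft-issued.
    param([string[]]$StorePath = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'))
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $cert = $_
            [pscustomobject]@{
                Store            = $path
                Thumbprint       = $cert.Thumbprint
                Subject          = $cert.Subject
                SelfSigned       = ($cert.Subject -eq $cert.Issuer)
                IntendedPurposes = Get-RootIntendedPurposes -Cert $cert
                NotAfter         = $cert.NotAfter
                # Heuristic (assumption of this example): Microsoft's own roots
                # carry "Microsoft" in the subject name.
                MicrosoftIssued  = ($cert.Subject -match 'Microsoft')
            }
        } | Where-Object { -not $_.MicrosoftIssued }
    }
}

function Remove-RootCertificateWithBackup {
    # Export the certificate to a .cer file first (the article's advice), then
    # delete it from the store. Machine-wide stores need an elevated prompt.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\CurrentUser\Root',
        [string]$BackupDir = "$env:PUBLIC\Desktop"
    )
    $item = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $item) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }
    $backup = Join-Path $BackupDir "$Thumbprint.cer"
    Export-Certificate -Cert $item -FilePath $backup -Type CERT | Out-Null
    Remove-Item -Path $item.PSPath
    return $backup
}

# Usage: review the report first; remove a specific root only after checking it.
Get-SuspectRootCertificate |
    Sort-Object Store, Subject |
    Format-Table Store, Thumbprint, IntendedPurposes, SelfSigned, Subject -AutoSize
# Remove-RootCertificateWithBackup -Thumbprint 'PASTE_THUMBPRINT_HERE'   # placeholder
```

Rows with `IntendedPurposes` equal to `<All>` and `SelfSigned` equal to `True`, where the subject is neither Microsoft nor a CA you recognise from the AuthRoot list, are the ones worth checking against the CCSS forum before deciding whether to remove them.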

(Screenshot: exported certificates list)

For those who like to keep an eye on things, there is a guide by Xavier Mertens for a piece of code that alerts you about changes in the certificate store.


Since root certificates are intended to heighten security, it should be clear to those issuing them that they should be treated as such, and not as something that they can install willy-nilly whenever it suits their needs. The whole point of prompting users is to establish a chain of trust that they should be able to rely on. And in this case, the prompt was bypassed only to enable installation on a no-longer-supported operating system. That both ruins user trust and introduces unnecessary security risk for a rather shallow reason.

The post When you shouldn’t trust a trusted root certificate appeared first on Malwarebytes Labs.


Nov 15, 2017

Bad romance: catphishing explained

You’ve heard or read about some variant of this story before: Girl meets Boy on a dating website. Girl falls in love. Boy claims he does, too. Girl is excited to meet Boy soon. But at the last minute, Girl finds out that Boy (1) had an accident and broke a hip; (2) has a very sick relative he needs to look after; (3) is going away to a secluded place to “find himself”—you’re not the problem, he is, right?; or (4) (through a helpful and mournful friend) is dead.

Suddenly suspicious, Girl digs a little deeper. Girl finds out that Boy isn’t the dreamboat he portrays himself to be. Boy is, in fact, her female colleague’s timid 13-year-old son whom she met once at a work function.

Bummer, right? Here’s another one:

Two months ago, Deloitte revealed that it was breached by hackers, who most likely already had access to compromised servers since November 2016. Around the same time, a cybersecurity staffer at Deloitte was convinced to open a booby-trapped Excel file from a female friend he met on Facebook months before. Her name was “Mia Ash,” a London-based photographer. She was described as lovely and disarming.

She was also 100 percent fake.

Mia Ash is the latest in a lengthening line of online femme fatales who successfully infiltrated corporate systems by targeting and successfully duping smart men working in IT and cybersecurity—people who everyone expects to practice what they preach. Her equally fake predecessors went by the names of Robin Sage and Emily Williams. Although all three were created as social engineering lures, one significant difference stood out: Sage and Williams were the brainchildren of cybersecurity experts who wanted to expose the human weakness in the national defense and intelligence communities. Ash, on the other hand, was the product of a known Iranian APT group who deliberately took advantage of that weakness to achieve their nation-state goals.

Two very different stories, one common theme: romantic deception.

What is catphishing?

Catfishing (spelled with an “f”) is a kind of online deception wherein a person creates a presence in social networks as a sock puppet or a fictional online persona for the purpose of luring someone into a relationship—usually a romantic one—in order to get money, gifts, or attention. Catphishing (spelled with a “ph”) is similar, but with the intent of gaining rapport and (consequently) access to information and/or resources that the unknowing target has rights to.

Simply put, the former is out to break hearts (and bank accounts), while the latter is out to compromise individuals, organizations, and quite possibly even countries.

Can we say that catphishing has gone beyond bad romancing for money? Absolutely.

What motivates catphishers to do what they do?

The motivations behind the act are likely similar to why spies steal secrets: to make use of the stolen information to gain the upper hand against the target or organization they belong to. As we all know, stolen information in the hands of criminals can be used in many ways—for extortion, for sale on the black market. However, in the end, the organization that was compromised loses integrity, clients, business opportunities, and gets fined if they were found to be non-compliant with security and privacy regulations.

Catphishing is dangerous enough that most companies consider it a business threat.

On the other hand, those catphishing individuals might also use the information they gather from individuals to create even more social media profiles. Sometimes, catphishers mislead simply to bully people online.

Read: Tackling the myths surrounding cyberbullying

Blimey. Those catphishers ought to pay for what they’ve done!

Unfortunately, in many countries, catphishing (and catfishing) isn’t illegal. In the UK, “catfishing” is not even a legally-defined term. Although at present, the practice is pretty much legal, active campaigns are aiming to change this.

In the US, Oklahoma is the only state that made catfishing illegal.

Although catfishing/catphishing itself cannot be charged as an offense against someone, there are other legal areas that those affected by the practice can look into and decide whether they want to pursue instead. They include (but are not limited to) the following:

  • Copyright violation (for photos stolen and used in the deception)
  • Criminal impersonation
  • Defamation
  • Identity fraud
  • Espionage

How can we protect ourselves from this?

Start by familiarizing yourselves with the following red flags, which indicate that you may be dealing with a catphisher online:

  • Everything that they claim to be seems too good to be true.
  • You met them on a dating website, but they suggest moving the conversation to other channels, such as email or other chat services.
  • They show no interest in a face-to-face meeting or even in using voice chat services.
  • Most (if not all) photos they use don’t include other people.
  • Quite a number of their social media followers appear to be sockpuppet accounts.
  • They ask for a lot of information about you early on in the relationship, like how much you earn, what kind of home you live in, and where your parents are (to name a few).

Stay safe out there!

Recommended reading for parents:

The post Bad romance: catphishing explained appeared first on Malwarebytes Labs.


