Jan 10, 2018
John

Of princes and perpetrators: Beware of getting ensnared in 419 scams

We’ve mentioned before that 419 scams don’t always originate from Nigeria. It’s a very simple and popular scam that can be attempted by pretty much anyone with a flair for social engineering. Indeed, 419 scams are so strongly associated with the region that scammers based elsewhere know they have an additional layer of “it wasn’t me” potentially obscuring their identity.

This may help a criminal who isn’t based in Nigeria hide better once the life savings have been stolen. Law enforcement and the victims themselves will probably make assumptions about who’s doing the money swiping, which simply helps the actual criminal go deeper underground.

By the same token, 419 scammers seek to obfuscate their location further by making use of so-called money mules: innocent victims tangled up in scams, sending stolen money to and from a variety of bank accounts. More often than not, they’re enticed by the prospect of too-good-to-be-true job adverts posted online, typically in the field of remote work administration or “payroll management.”

A fancy-sounding title, the promise of big money for little work, and an awful lot of “we’ll explain how that thing works later,” and you have yourself a money mule.

What’s so good about having an army of disposable web flunkies at your disposal?

When the cops come calling, they make a beeline for the point of least resistance (the scammer pulling the strings is supposed to be based in Nigeria, remember?). In practice, this probably means your recently retired grandfather looking for a bit of extra pocket cash, or your penniless friend at university, is the one going to jail. If you’re a money mule, you’re engaged in illegal activity and can be prosecuted for it. “I didn’t know” won’t save you.

Take this individual, recently charged with no fewer than 269 counts of wire fraud and money laundering.

From the Slidell Police department Facebook page:

Slidell Police financial crimes investigators arrested 67-year-old Michael Neu (Slidell, LA) for 269 counts of Wire Fraud and Money Laundering. Neu is suspected to have been the “middle man”, and participated in hundreds of financial transactions, involving phone and internet scams, designed to con money from victims across the United States. Some of the money obtained by Neu was subsequently wired to co-conspirators in the Country of Nigeria.

The investigation is on-going, but is extremely difficult as many leads have led to individuals who live outside of the United States.

Slidell Police Chief Randy Fandal hopes this arrest serves as a reminder for Slidell residents to be leery of such scams. Chief Fandal said, “If it sounds too good to be true, it probably is. Never give out personal information over the phone, through e-mail, cash checks for other individuals, or wire large amounts of money to someone you don’t know. 99.9 percent of the time, it’s a scam.”

Reports are a little confused, as some articles claim he’s the mastermind while others (including the police statement up above) plainly state he’s the middleman. Additional details are thin on the ground, so we don’t really know at this stage if he was “merely” responsible for wiring money, or if he was physically typing out “Hello, I’m a Prince” emails to hoodwink potential victims.

Either way, he’s in a whole lot of trouble with law enforcement and though some of the pieces mention “co-conspirators in Nigeria,” it’s unlikely any of them will be caught. In effect, whether unaware of what was really going on, or an active participant (and it’s entirely possible some money mules will happily get involved for a bigger cut of the proceeds), what we have here is a fall guy within easy reach of the police.

Wait, did I just say “active participant?” I sure did. And guess what? It’s not just retirees wandering into trouble. Younger folks are also getting in on the act, often due to lack of cash and the idea that this might be a safe, fast way to make some money. Data from 2017 suggests that more than 8,500 people aged 18 to 24 had their bank accounts used by criminals.

Given that a lot of money muling can tie directly into crimes such as drug distribution and people trafficking, those individuals will probably have a short, sharp dose of reality when the police come knocking. As Cifas, a UK fraud prevention service, points out, loans, contracts, and other financial services may be hard to come by should your bank account be closed due to laundering—and that’s before you get to the part where you could spend up to 14 years in prison for it.

All things considered, not a sensible career choice. If you’re approached by strangers offering too-good-to-be-true job opportunities—especially for remote work and handling money/sending said cash through various bank accounts—give it a wide berth. You’ll probably be very glad that you did.

The post Of princes and perpetrators: Beware of getting ensnared in 419 scams appeared first on Malwarebytes Labs.

Powered by WPeMatico

Jan 9, 2018
John

RIG exploit kit campaign gets deep into crypto craze

There isn’t a day that goes by without a headline about yet another massive spike in Bitcoin valuation, or a story about someone mortgaging their house to purchase the hardware required to become a serious cryptocurrency miner.

If many folks are thinking about joining the ‘crypto craze’ movement, they may be surprised to learn that they already have. We’ve documented in-browser miners before on this blog, or what we call drive-by cryptomining, but drive-by download attacks such as those via the RIG exploit kit want a piece of the action, too. While the latter is not a new trend, we have noticed an increase in malware payloads from EKs that are coin miners, and we think this is going to be something to follow for 2018.

Overview

Today, we take a look at a prolific campaign that is focused on the distribution of coin miners via drive-by download attacks. We started to notice larger-than-usual payloads from the RIG exploit kit around November 2017, a trend that has continued more recently via a campaign dubbed Ngay.

What happened is that the initial dropper contained additional binaries, which accounts for its oversized nature as depicted below. Droppers from this campaign have consistently contained one or more coin miners, for at least Monero and lesser known but still popular currencies such as Bytecoin.

One payload leads to two different coin miners.

For the same attack, these two processes will mine for the well-known Monero and Electroneum cryptocurrencies. When both executables are running, the CPU usage on the victim’s computer is maxed at 100 percent.

Distribution

The Ngay campaign, identified as such by Nao_Sec, is one of several malvertising chains that relies on the RIG exploit kit to distribute its payloads. Recently, we observed a more complex redirection chain involving bestadbid and various XML feeds upstream, eventually trickling down to the more familiar redirect to RIG.

Infection flow showing redirection to RIG EK, followed by coin miner payloads

iframe to RIG EK is inserted in Ngay’s template page

The dropped binary from RIG EK contains two other artifacts that each lead to a different coin miner and are launched through a rather unusual procedure. In the following sections, we will study their deployment mechanism.

Monero miner

Monero is one of the most well-known digital currencies and, unlike Bitcoin, does not require specialised hardware to mine while also providing additional privacy benefits. Threat actors have jumped on it via large-scale drive-by mining attacks and with purpose-built coin miner malware.

Here the Monero miner is downloaded through a convoluted process that also aims to register it permanently as a running service. The binary extracted from the RIG EK payload (3yanvarya.exe) is an installer that drops several .NET modules:

.NET modules extracted from one of the two artifacts contained in RIG EK’s payload

starter.exe uses the Invoke-MS16-032 PowerShell exploit (for the MS16-032 Secondary Logon elevation-of-privilege bug), copied from this GitHub repository (it even re-uses the original license!), to elevate privileges:

Code snippet showing PowerShell code designed to elevate privileges

foxcon.exe contains two sub-modules inside: Hydra and Hand, which purport to protect and manage services:

Hydra and Hand: two modules in charge of miner services

services.exe is a service to download and manage the miner:

Miner is downloaded from a remote IP address

Finally, the Monero miner (series64.exe) is retrieved and can start mining. It is launched with the command line below (note the throttle flag capping CPU usage at 30 percent, which keeps a single miner less conspicuous than the 100 percent load seen when both run together); the overall process is summarized in the diagram that follows.

“C:\Windows\TEMP\series64.exe” -o 5.23.48.207:5555 -u x -p x -k -B --max-cpu-usage=30 --safe

Overview of the Monero miner deployment

Electroneum miner

Electroneum, the “mobile friendly” digital currency, has only recently been introduced but became popular almost immediately. Its Android app lets anyone mine and manage a wallet, but miners running on desktop platforms can also participate.

Malware authors are abusing it via a malicious coin miner binary that is dropped by dp.exe through yet another unusual redirection chain. It involves the Bit.ly URL shortener to retrieve a fake PNG image (a downloader script served with a .png extension) containing instructions for downloading and eventually launching the miner itself.

“C:\Users\[username]\AppData\Roaming\bvhost\bvhost.exe” -o etn-eu2.nanopool.org:13333 -u etnkKc…

Overview of the Electroneum miner deployment
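As an added example (not Malwarebytes’ code nor any sample from the campaign), the following Python turns the indicators above into three offline checks a responder can run: matching file hashes against the SHA256 values from the IoC list, parsing a miner command line of the form shown above to pull out the pool, wallet and CPU-throttle flags, and flagging a “fake PNG” such as DF.png whose bytes lack the PNG signature. The pool domain list and the set of common stratum ports beyond the 5555 and 13333 seen here are assumptions to extend with your own intel; the sample inputs in the usage section are constructed.

```python
"""Triage helpers for the coin-miner chain described above (added example).

  1. match file hashes against the SHA256 IoCs published in the post;
  2. parse a miner command line (pool, wallet, throttle flags) and score it;
  3. spot a "fake PNG": a file named .png whose bytes are not a PNG image.
"""
import hashlib
import re

# SHA256 values copied from the post's IoC section (lowercased).
KNOWN_BAD_SHA256 = {
    "fd4a117edfea1075132cf7d0a2ad5376b174afd1c924d91e9b0d124320e3177d",  # RIG EK dropper
    "13ce8c6c8e9e4a06880a5f445a391e9e26bb23fcd0c6f4cc495aa5b80e626c0b",  # bvhost.exe
    "f651b1c5ae7b55b765994eb6630c45a0a7f1e43ebabd801cb8b3b26bddb09d17",  # series64.exe
    "24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484",  # additional loaders
    "d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3",
    "5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f",
    "2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79",
    "bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2",
}
# nanopool.org appears in the post; the port set beyond 5555/13333 is an assumption.
KNOWN_POOL_DOMAINS = ("nanopool.org",)
COMMON_POOL_PORTS = {3333, 5555, 7777, 13333, 14444}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """True if the file content hashes to one of the published IoCs."""
    return sha256_hex(data) in KNOWN_BAD_SHA256


def parse_miner_cmdline(cmdline: str) -> dict:
    """Split a Windows command line and pull out the fields miners take:
    -o/--url pool, -u/--user wallet, -p/--pass password, plus bare flags."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    info = {"image": tokens[0] if tokens else "", "pool": None,
            "wallet": None, "password": None, "flags": []}
    valued = {"-o": "pool", "--url": "pool", "-u": "wallet", "--user": "wallet",
              "-p": "password", "--pass": "password"}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in valued and i + 1 < len(tokens):
            info[valued[tok]] = tokens[i + 1]
            i += 2
            continue
        if tok.startswith("-"):
            info["flags"].append(tok.split("=", 1)[0])  # "--max-cpu-usage=30" -> "--max-cpu-usage"
        i += 1
    return info


def miner_indicators(info: dict) -> list:
    """Human-readable reasons a parsed command line looks like a dropped miner."""
    reasons = []
    m = re.match(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$", info.get("pool") or "")
    if m:
        host, port = m.group("host"), int(m.group("port"))
        if host.endswith(KNOWN_POOL_DOMAINS):
            reasons.append(f"known mining pool domain: {host}")
        if port in COMMON_POOL_PORTS:
            reasons.append(f"common stratum pool port: {port}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append(f"pool given as a bare IP address: {host}")
    throttle = {"--max-cpu-usage", "--safe", "-B"} & set(info["flags"])
    if throttle:
        reasons.append("CPU-throttle/background flags: " + ", ".join(sorted(throttle)))
    if re.search(r"\\(temp|appdata\\roaming)\\", info["image"], re.IGNORECASE):
        reasons.append("executable runs from a temp or roaming-profile directory")
    return reasons


def is_fake_png(filename: str, data: bytes) -> bool:
    """The downloader in this chain was served as DF.png but was a script, not an image."""
    return filename.lower().endswith(".png") and not data.startswith(PNG_MAGIC)


if __name__ == "__main__":
    # Command line from the post, with path separators restored.
    monero = ('"C:\\Windows\\TEMP\\series64.exe" -o 5.23.48.207:5555 -u x -p x '
              '-k -B --max-cpu-usage=30 --safe')
    info = parse_miner_cmdline(monero)
    print(info["pool"], info["wallet"], miner_indicators(info))
    # Constructed sample: a "PNG" whose bytes are really a script.
    print(is_fake_png("DF.png", b"powershell -w hidden -c ..."))
```

The hash check is only as good as the list; the command-line and fake-PNG checks catch the next rebuild of the same loader, which is why a hunt should lean on them rather than on hashes alone.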

Conclusion

As cryptocurrencies become more and more popular, we can only expect to see an increase in malicious coin miners, driven by the prospect of financial gain and increased anonymity. Mining has become cross-platform and achievable on ordinary computers, which opens new possibilities for threat actors: they can put hundreds of thousands of compromised machines to work mining the latest and hottest digital currency around.

For end users, the threat of a coin miner infection may seem less impactful than, say, a banking Trojan, but perhaps that is only true in the short term. Not only can existing malware download additional payloads over the course of time, but the illicit gains from cryptomining contribute to financing the criminal ecosystem, costing billions of dollars in losses.

This particular RIG EK campaign is noteworthy for its focus on cryptominers and the way it unconventionally and at times inefficiently loads them. We will keep monitoring the drive-by download landscape to report on any change in payloads from other threat actors.

Many thanks to @hasherezade for help studying the binaries.

Indicators of compromise

RIG EK dropper

FD4A117EDFEA1075132CF7D0A2AD5376B174AFD1C924D91E9B0D124320E3177D

Redirections to downloader script

5.101.179.249
*.lolkekss[.]us
bit[.]ly/2lXCGUy

Downloader script for Electroneum miner (fake PNG)

lolkekss.usite[.]pro/DF.png
195.216.243.130

Electroneum miner (bvhost.exe)

74.115.50.111
115776615-884492032168661957.preview.editmysite[.]com/uploads/1/1/5/7/115776615/be
13CE8C6C8E9E4A06880A5F445A391E9E26BB23FCD0C6F4CC495AA5B80E626C0B

Monero miner (series64.exe)

188.225.46.219:3000/files/mh/series64.exe
F651B1C5AE7B55B765994EB6630C45A0A7F1E43EBABD801CB8B3B26BDDB09D17

Additional miner loaders via RIG EK (SHA256, size in bytes, date found):

24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484,1732969,2017-12-29
d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3,1513983,2018-01-02
5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f,1732965,2018-01-02
2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79,1840725,2018-01-03
bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2,2819600,2018-01-04

The post RIG exploit kit campaign gets deep into crypto craze appeared first on Malwarebytes Labs.


Jan 9, 2018
John

A week in security (January 1-8)

New year, new threats, as 2018 gets underway.

On our blog, we had dubious searches aplenty for those hunting for Malwarebytes information, and we also covered the huge Meltdown/Spectre bugs, affecting hardware going back 10 years.

Other news

  • Coin miners are at it again, with a proof of concept for hacking public Wi-Fi and injecting cryptomining code into browsing sessions. (Source: The Register)
  • Around 240k people have been tied up in a “privacy incident” over at the DHS. (Source: DHS)
  • Browser makers are looking to mitigate risks from Meltdown and Spectre. (Source: Help Net Security)
  • 36 rogue apps wound up on the Google Play store, reminding us to be extra vigilant even when on an official site. (Source: Trend Micro)
  • Yet another cryptominer doing the rounds, this time dragging Linux machines into a cash-spinning botnet. (Source: F5)
  • Face recognition: nice idea, but being fooled by photographs is a bit much. (Source: Naked Security)
  • A well put together phishing mail is causing headaches for those who may have purchased items from retailer Debenhams. (Source: South Wales Argus)
  • Unusually, you may be able to reclaim money lost to wire fraud scams, regardless of where you live. This doesn’t happen often, so check it out if you’ve been stung! (Source: Birmingham Mail)
  • Malware-laden emails laced with more malware are being used to steal data related to the Winter Olympics. (Source: BBC)

Stay safe, everyone!

The post A week in security (January 1-8) appeared first on Malwarebytes Labs.


Jan 4, 2018
John

Meltdown and Spectre: what you need to know

UPDATE (as of 1/04/18): Since Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch that mitigates Meltdown.

Overview

If you’ve been keeping up with computer news over the last few days, you might have heard about Meltdown and Spectre, and you might be wondering what they are and what they can do. Basically, Meltdown and Spectre are the names given to several newly disclosed vulnerabilities affecting numerous processors. Meltdown affects Intel processors, while Spectre can be used against nearly every modern processor type.

The potential danger of an attack using these vulnerabilities is being able to read memory that is supposed to be protected: with Meltdown, kernel memory from an ordinary user process; with Spectre, memory belonging to another process or to the program hosting attacker-controlled code. That memory can contain personally identifiable information, banking information, and of course usernames and passwords. For Meltdown, a malicious process needs to be running on the system; Spectre can be launched from the browser using a script.

Microsoft, Google, Mozilla, and other vendors have been releasing patches all day to help protect users from these vulnerabilities. Some of the updates from Microsoft may negatively interact with certain antivirus solutions; Malwarebytes is fully compatible as of our latest database update. The best thing you can do to protect yourself is to update your browsers and your operating system with these patches as soon as you see an update available.

For a quick guide on how to protect yourself from this threat, please check out “Meltdown and Spectre Vulnerabilities – what you should do to protect your computer” on the Malwarebytes support knowledge base.

Details

The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants, branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754), between them affect most modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.

The core issue stems from a design flaw that gives attackers access to memory contents on any device, be it desktop, smartphone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to speculative execution: to avoid stalling, a processor guesses which instructions will be needed next (for example, which way a branch will go) and executes them ahead of time. If the guess was wrong the results are discarded, but the side effects of those instructions on the CPU cache are not, and that leftover state can be measured to reconstruct data the code was never supposed to read.

The Meltdown variant impacts Intel CPUs (and, per ARM’s own advisory, a small number of ARM cores), whereas the two Spectre variants impact every vendor whose CPUs support speculative execution. This includes most CPUs produced during the last 15 years by Intel, AMD, ARM, and IBM.

It is not known whether threat actors are currently using these bugs, and because of how the attacks work it may be impossible to find out, as the vulnerability researchers themselves confirm:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While no attacks have been reported in the wild as yet, several proofs of concept have been made available, including this video showing memory extraction (using an undisclosed PoC). This is particularly damaging because (1) there are few options for protection currently and (2) as stated above, even if threat actors do spring into action, it may be impossible to verify that they have.

Mitigations

Because Meltdown and Spectre are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little on their own to protect against an attack. However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with a significant impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends that users:

  1. Keep computers up to date.
  2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.

The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply countermeasures such as enabling Site Isolation in Chrome. Mozilla is rolling out a Firefox patch that reduces the precision of the high-resolution timers the attack relies on while it works on a long-term solution, and Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers about upcoming downtime, to prevent situations where memory belonging to the hypervisor or to another tenant’s virtual machine could be read from a guest, for example.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:

The post Meltdown and Spectre: what you need to know appeared first on Malwarebytes Labs.


Jan 3, 2018
John

Search engine shenanigans: Malwarebytes mentions aren’t what they seem

Things might be a touch quiet at the moment as we ease into 2018, but that doesn’t mean dubious antics and dodgy dealings aren’t still making waves online. As a matter of fact, should you go searching for some of our researchers, their blog posts, or just a couple of notable quotes from news sources, you may find yourself redirected to all manner of websites you’d really rather avoid.

Here’s how it usually works: scammers take some keywords, maybe a few stand-out sentences, or even just chunks of a blog post. They then insert the text into the source code of a website. From there, they either use that page as the final destination, or use the word-stuffed HTML as a landing page that redirects to the real destination. That site could be harmless, or spam, or something filled with attacks on your computer.
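The mechanism described above can be triaged mechanically. As an added example (not from the post, whose snippet was only shown as an image), this Python parses a page with the standard-library HTML parser and reports the two tell-tale features: a redirect (meta refresh or a JavaScript location change) combined with text the visitor never sees, or a single keyword dominating the page. The sample pages and the example.invalid URLs are constructed.

```python
"""Heuristic triage of a keyword-stuffed redirect landing page (added example)."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page: NOT the snippet from the post (that was only shown as an image).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/go.php?id=7">
</head><body>
<div style="display:none">malwarebytes labs malwarebytes researcher malwarebytes blog
malwarebytes review malwarebytes labs malwarebytes labs malwarebytes</div>
<p>Loading...</p>
<script>setTimeout(function(){window.location.replace("http://example.invalid/forum/");},500);</script>
</body></html>"""

# Constructed benign page for comparison.
BENIGN_HTML = ("<html><body><h1>Lab notes</h1>"
               "<p>Our researchers looked at three campaigns this week.</p></body></html>")

META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)
JS_REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
VOID_TAGS = {"meta", "br", "img", "input", "link", "hr", "area", "base", "col",
             "embed", "source", "track", "wbr"}


class LandingPageParser(HTMLParser):
    """Collects meta-refresh targets and inline script bodies, and splits text into
    visible vs. hidden (inside display:none / visibility:hidden / [hidden] elements)."""

    def __init__(self):
        super().__init__()
        self.meta_refresh, self.scripts = [], []
        self.visible_text, self.hidden_text = [], []
        self._stack = []          # (tag, hides_content) for open elements
        self._hidden_depth = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.search(a.get("content") or "")
            if m:
                self.meta_refresh.append(m.group(1))
        if tag in VOID_TAGS:      # no closing tag will follow; keep the stack honest
            return
        style = re.sub(r"\s+", "", (a.get("style") or "").lower())
        hidden = "display:none" in style or "visibility:hidden" in style or "hidden" in a
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        while self._stack:        # pop to the matching open tag
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        elif self._hidden_depth:
            self.hidden_text.append(data)
        else:
            self.visible_text.append(data)


def analyze_landing_page(html: str) -> dict:
    p = LandingPageParser()
    p.feed(html)
    p.close()
    js_targets = [m.group(1) for s in p.scripts for m in JS_REDIRECT_RE.finditer(s)]
    hidden = " ".join(p.hidden_text).split()
    visible = " ".join(p.visible_text).split()
    counts = Counter(w.lower() for w in hidden + visible)
    top_word, top_n = counts.most_common(1)[0] if counts else (None, 0)
    total = len(hidden) + len(visible)
    report = {
        "redirects": p.meta_refresh + js_targets,
        "hidden_words": len(hidden),
        "visible_words": len(visible),
        "top_word": top_word,
        "top_word_share": top_n / total if total else 0.0,
    }
    # A redirect plus text the visitor never sees (or one keyword dominating) is the poisoning pattern.
    report["suspicious"] = bool(report["redirects"]) and (
        len(hidden) > len(visible) or report["top_word_share"] > 0.2)
    return report


if __name__ == "__main__":
    print(analyze_landing_page(SAMPLE_HTML))
    print(analyze_landing_page(BENIGN_HTML))
```

Feed it the HTML you fetched (never visit the page in a browser) and treat a hit as a reason to block the hostname rather than the single URL, since these campaigns rotate paths freely.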

Search engine poisoning used to be quite a problem whenever a major news incident occurred, and you’d regularly find pages of malware, hijacks, and fake antivirus cluttering up genuine search entries.

Search engines worked on their algorithms, and these days it’s surprisingly tricky to end up with a batch of bogus results related to a breaking news story. Should a scammer avoid breaking news and focus on more general search queries, however, they may be able to dodge detection and seed the results they need. Case in point:

Bad results
More bad results
Yet more bad results
An endless pile of bad results

That last one, for example, leads to a redirect landing page. Here’s the HTML snippet in question:

source code


That site bounces visitors off to what appears to be a page masquerading as a forum. It’s a weird forum, given that every link on the page simply leads to more advert URLs and a variety of sign-ups.

forum?


Note that what the page asks for changes depending on how you arrive at it, and that it claims you need to hand over credit card details to prove you’re not a bot.

all change


Here’s one of the final destinations we came across from the “forum” link:

movies


Other final destinations we’ve seen from some of the URLs floating around in search results include lots of “pay for social media prowess” type efforts:

Likes


We’ve also seen a few pornography redirects where my own name is concerned. For example:

dating ad


There are also spam blogs, partly in English and partly in Russian, which contain a mixture of lifted security articles and random pornographic photographs.

Elsewhere, we even have memes getting in on the action:

meme result
source code quote
meme site

There’s nothing wrong with doing a bit of extra digging on content you may have enjoyed throughout the previous year, but please keep an eye on those URLs popping up in recent search results. If the sample text looks a bit like gibberish, or the URL contains a .php or just looks a little random, you may wish to stick to either our own URL or that of a reputable news source you recognise. While we haven’t seen anything malicious in the sense of drive-by installs or other harmful activity, there’s a whole raft of rotating ad pages on offer here and no real way to know where you’re going to end up before clicking.

Here’s to a safe and secure 2018!

The post Search engine shenanigans: Malwarebytes mentions aren’t what they seem appeared first on Malwarebytes Labs.


Dec 27, 2017
John

IPv6, it’s waiting for you

IPv6 is an expression IT professionals are likely to have seen or heard at one time, but what exactly is it? Let us give you a quick introduction, and then try to explain what it does differently by comparing it to its predecessor, IPv4.

IPv4 and IPv6 are both Internet communication protocols that serve as an identification and location system for networked devices, which is what allows traffic to be directed to a specific address. IPv6 is short for Internet Protocol version 6; naturally, that means IPv4 is version 4. In case you are wondering, version 5 was assigned to an experimental streaming protocol that never became a general-purpose successor.

Why the change?

One reason to replace IPv4 was the limited number of possible addresses: about 4.3 billion (2^32), because an IPv4 address is only 32 bits long. The authority that hands out address blocks (IANA) allocated its last free IPv4 blocks at the beginning of 2011. An IPv6 address is 128 bits long (and written in hexadecimal, where IPv4 uses dotted decimal), so the number of possible addresses went up to about 3.4 × 10^38. That’s a lot of addresses.

compare IPv4 and IPv6

Pros and Cons of IPv6

Using IPv6 means you don’t need Network Address Translation (NAT), which essentially presents one external IP address to the outside world: regardless of which device behind the NAT is talking, others always see the same IP. With IPv6, every device gets a unique address, although the first 64 bits (the network prefix) are shared by every device on the same LAN. So if you move a device into another LAN, it takes on the first 64 bits of that network.

In the early days of IPv6, the last 64 bits (the interface identifier) were often derived from the device’s MAC address, which made it possible to track a device across networks and therefore posed a privacy issue; this is why modern stacks default to randomised identifiers (the RFC 4941 privacy extensions). The lack of NAT also means that with IPv6 you no longer need port forwarding to reach a particular node on the network; contact can be established at its unique IPv6 address, provided the firewall allows it.
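To make the tracking issue concrete, here is an added Python example (not from the post) that builds the modified EUI-64 interface identifier from a MAC address, recovers the MAC from an address that used it, and classifies a host’s addresses so an inventory can show which devices still carry a MAC-derived identifier. The MAC and prefixes in the usage section are made up.

```python
"""IPv6 interface-identifier checks (added example, not from the post)."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the U/L bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a pre-privacy-extensions stack autoconfigures on `prefix`:
    the network's first 64 bits followed by the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Recover the MAC if the low 64 bits look EUI-64 derived (ff:fe in the middle), else None."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> dict:
    """Scope plus whether the host is trackable across networks by its interface identifier."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        scope = "link-local"
    elif a in ipaddress.IPv6Network("fc00::/7"):
        scope = "unique-local"
    else:
        scope = "global"
    mac = mac_from_address(addr)
    return {"address": str(a), "scope": scope, "mac": mac, "trackable": mac is not None}


if __name__ == "__main__":
    # Constructed inventory: made-up MAC, documentation prefixes.
    mac = "00:11:22:33:44:55"
    for prefix in ("2001:db8:1:2::/64", "2001:db8:cafe::/64"):
        print(prefix, "->", slaac_address(prefix, mac))   # same low 64 bits on both networks
    for addr in ("fe80::211:22ff:fe33:4455", "2001:db8:1:2:a1b2:c3d4:e5f6:789a"):
        print(classify(addr))
```

Run `classify` over the addresses your hosts report (for example from `ip -6 addr` output) and anything with `trackable` set is a device whose identifier follows it from network to network; fix it by enabling privacy or stable-opaque identifiers on the host, not by filtering at the router.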

IPv6 was designed with security at the IP layer in mind: Internet Protocol Security (IPsec), which provides encryption and authentication of traffic in transit, is part of the IPv6 specification (originally mandatory to implement, now recommended), whereas for IPv4 it was bolted on later and is typically only used through a VPN. Authentication means the receiver can verify who the sender is, defeating spoofing and man-in-the-middle attacks. Note, though, that IPsec is not switched on by default with either protocol: IPv6 traffic is neither encrypted nor authenticated unless you configure it. A related protocol, Secure Neighbor Discovery (SEND), protects the neighbor discovery process (IPv6’s equivalent of ARP) against spoofed router and neighbor advertisements.

IPv6 offers the possibility of mobile nodes. The traffic intended for a node that (temporarily) has a different IP can be forwarded to the current IP.

Latency can be higher with IPv6. In theory it could be lower, but in real-world use it is often slower because not every peer can route IPv6, so packets may have to take a longer path, or be tunnelled, around those peers.

The longer addresses mean bigger packet headers: the IPv6 base header is 40 bytes, against 20 bytes for a minimal IPv4 header.

Firewalling has to be considered at the device level. Because IPv6 addresses give direct reachability to each device, not everything can be checked at the network router as it was behind NAT. This matters most when servers have IPv6 enabled by default while the firewall only carries IPv4 rules: those hosts are exposed, and malware and intrusions will take advantage.

Take action for a safe transition

  • Be ready for IPv6 before you start using it, as it may require a complete makeover of your network design. Study up on IPv6 before you’re forced to make the change.
  • Consider what needs to be done to maintain or better your current security posture.
  • Research how the transition can help you to improve security.
  • Plan the transition in a way so that your environment stays secure during each step of the process.
  • When purchasing new equipment, make sure it will still be useful after the transition to IPv6. Most new devices will be compatible, but will they still be needed?

Conclusion

Since there is no more room to continue using IPv4, we should get ready for IPv6. Several large ISPs and mobile operators are already migrating to IPv6, along with a lot of other major online services. It’s time IT professionals did the same.

The post IPv6, it’s waiting for you appeared first on Malwarebytes Labs.


Dec 22, 2017
John

Facebook phishers want you to “Connect with Facebook”

As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.

These landing pages, adorned with very large and very fake “Login with Facebook” buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.

HTTPS is becoming increasingly popular with scammers as it adds an extra air of authenticity to the whole operation. As a result, you can’t just assume a “secure” site is also a safe one. There could well be a phisher lurking in the distance.

The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven’t seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)

The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to “Login to Facebook” to “comfirmation your account!!!” [sic]

facebook phish landing page


…or

another phish landing page


…”Connect with Facebook.”

There are a few other designs out there, but they’re nowhere near as common as the two above. Here’s one of the alternative designs:

Fake Facebook warning page


The word salad on the fake Facebook security page reads as follows:

Dear Facebook users

Your account is reported to have violated the policies that are considered annoying or insulting Facebook users. Please confirm your account with accurate data to avoid blocking. Note: if you do not verify your account permanently disabled automatically. Thanks, the Facebook team

Regardless of which landing page you kickstart the process from, the end result is the same—you’ll be directed to a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:

fake lock landing page

After that, they go straight for security questions:

fake lock


The text on the page reads as follows:

We will temporarily lock your account. Please answer a few security questions to ensure that the actual owner of your account. We will provide 1X24 hours, to verify the identity of your account. If you do not confirm, the system will automatically shut down your Facebook account permanently.

This information will help us to restore your Facebook account

Upon hitting the “Protect your account” button, victims are sent to the legitimate Facebook login page, another common trick to make the victim think all is well, right up to the point where their login details mysteriously change and they lose access. We’ve seen Facebook scams a lot less complicated than this also ask for payment information, so we’re a little surprised that none of the sites across both sets of websites, the landing pages and the sites playing host to data collection, do this.

We’re certainly not complaining, mind.

At time of writing, many of the secondary sites appear to have been taken down, though there’s still a fair few landing pages still up and running. As such, it would be easy for the scammers to set up new phish pages and point the landing URLs to them instead.

URLs you should avoid:

sites.google.com/site/wwwpagesinfoterms12/

sites.google.com/site/info30021033700i/

sites.google.com/site/policyclaming767005/

sites.google.com/site/recoveryfbunblockingcenter/

(leads to) help-unblocking-fb(dot)site/contact/2017/index(dot)php

sites.google.com/site/wwwpagesconfirms1202/

sites.google.com/site/noticereportslogsinfoo050/

sites.google.com/site/wwwpagesinfonet/

sites.google.com/site/help151054141104105140/

sites.google.com/site/info20012001320i1/

We’re working on having the last of these sites taken offline, but please be careful around any websites claiming they’ll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or “bad behaviour” on your part. If in doubt, visit the official Facebook site directly and take things from there. There’s a good chance it’s just someone trying to ruin your festive fun, and that definitely doesn’t fall under the season for giving.

The post Facebook phishers want you to “Connect with Facebook” appeared first on Malwarebytes Labs.

Powered by WPeMatico

Dec 21, 2017
John

The seven most colossal data breaches of 2017

By Logan Strain

If it seems like the words “leak,” “compromised data,” and “breach” are constantly in the news, it’s not just you. The frequency of major data breaches is increasing. According to the Identity Theft Resource Center, the number of breaches is expected to top 1,500 in 2017. That’s a 37 percent annual increase over 2016, which itself was a record year for exposed personal data.

But while most data breaches are small and contained, this year saw a handful of spectacularly bad security fails. Here are the most massive sets of compromised data and data breaches of 2017.

1. Equifax

Let’s start with the Mother of All Breaches.

Equifax, one of the four major credit reporting agencies, revealed in September that cybercriminals had penetrated their network. The breach exposed the data of 143 million Americans—basically, every single adult in the country. Exposed information included names, social security numbers, birthdates, addresses and, in some instances, driver’s license numbers.

It gets worse. Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people were also exposed.

In response, Equifax offered a suite of identity theft protection services to all Americans, regardless of whether they were impacted or not. The services, which include up to $1 million in ID theft insurance and social security number monitoring, are free for anyone who signs up by January 31, 2018. (Though we doubt the efficacy of these identity theft protection services and don’t recommend people purchase them.)

2. Uber

This data breach actually occurred in 2016. But due to general shadiness on Uber’s part, we didn’t learn about it until November of this year. Compromised data included the names, email addresses, and phone numbers of 50 million Uber customers. The personal data of about 7 million drivers was also exposed, including around 600,000 driver’s license numbers.

Hackers pulled off the data heist by first getting access to a private GitHub site used by Uber engineers. From there, they learned Uber’s Amazon Web Services login credentials and accessed the personal data. The hackers then used the data to blackmail Uber. In an attempt to keep the incident under wraps, Uber executives paid the hackers $100,000 to delete the data and keep quiet.

The incident only came to light after new Uber CEO Dara Khosrowshahi discovered it and reported the incident to regulatory authorities.

In a blog post, Khosrowshahi said that “None of this should have happened, and I will not make excuses for it.”

3. Edmodo

Adults aren’t the only ones getting their info compromised. In May, Motherboard reported that social learning platform Edmodo was hacked. The service, which is used by educators and students, has around 78 million users—and a hacker named “nclay” claimed that he acquired the account data of 77 million of them.

The data was put up for sale on the Dark Web, but apparently, accounts for a site that is primarily used to assign homework and create lesson plans aren’t particularly valuable. The hacker priced the entire database of data at just over $1,000.

4. Verizon

Did you call Verizon customer service in the first six months of 2017? Then it’s possible your data was inadvertently exposed.

ZDNet reported that Nice Systems, an Israel-based company, failed to secure an Amazon S3 storage server that contained records for 14 million Verizon customers. The compromised records include customer names, cell phone numbers, and account PINs.

Fortunately, Verizon was able to protect the data before anyone else could access it. In a statement to CNBC, a Verizon spokesperson said, “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”

5. Deep Root Analytics

The data analytics firm Deep Root Analytics, which was contracted by the Republican National Committee, revealed that it had exposed the data of 198 million citizens. That means almost two out of every three Americans were impacted. Exposed information includes names, birthdates, phone numbers, and, most troubling, voter registration details.

The breach was discovered by security researcher Chris Vickery on June 12. His analysis revealed that the firm’s database was stored on an Amazon cloud server without password protection for about two weeks. Anyone had the ability to download the 1.1 terabytes worth of data.

6. Sonic Drive-In

Millions of customers who only wanted to order a cheeseburger and a shake may have inadvertently given their credit card info to identity thieves.

The fast-food chain Sonic Drive-In acknowledged that an unknown number of restaurant payment systems were compromised and customer credit card information was breached. Security researcher Brian Krebs revealed that stolen credit card numbers made their way to underground markets where cybercriminals buy and sell sensitive financial data.

7. All WiFi devices

In 2017 we also discovered that essentially all data transmitted over WiFi networks is vulnerable. Computer scientist Mathy Vanhoef announced that a vulnerability in the WPA2 encryption protocol made WiFi networks accessible without login credentials. Hackers are able to access WiFi data through a key reinstallation attack, or KRACK. It’s unknown if any data was actually stolen using this method, but the vulnerability has existed since the beginning of WiFi.

Fortunately, tech companies started releasing patches shortly after the problem was discovered. Earlier this month Apple fixed the security hole for all iPhones. And several router manufacturers have released updated firmware that protects against KRACK attacks.

The growing number (and size) of data breaches indicates that threats are outpacing security measures taken by organizations. Until companies can improve their security posture, the responsibility for keeping data breaches from doing serious damage will fall on individuals.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

The post The seven most colossal data breaches of 2017 appeared first on Malwarebytes Labs.


Dec 20, 2017
John

Tech support scammers make browser lockers more resilient

Tech support scammers have been relying on fraudulent pop-ups for many years in order to scare potential victims into calling for remote assistance. These so-called browser lockers (or browlocks) typically originate from malicious ads (malvertising) that can appear on any website, including trusted online portals.

The purpose of browser lockers is not only to scare but also to create the illusion that the computer has been locked, which is not quite true. What’s happened is simply that the browser is stuck in between a flurry of alert dialogs that won’t seem to go away, no matter how many times they are clicked on.

Google Chrome is often the most-targeted browser because of its dominant market share, but pop-ups come in as many different flavors as browser types, with landing pages specific to those browsers. For example, a particularly vicious technique abused the history.pushState HTML5 API to literally freeze machines while displaying the fake pop-up.

Historically, browser makers have let users down by not being able to handle those tricks cleanly. However, they appear to have taken note, fixing many of the issues that have to do with poor user experience, while also suggesting other ways for (legitimate) webmasters to send notifications, for example via the proper Notifications API.

Unfortunately, crooks are adapting as well. Despite browser developers’ best intentions, browlocks are still the best bet to scam innocent folks. The following shows a browser locker that went into full screen mode after the user clicked somewhere on the page. Pressing the Escape key to exit full screen (as instructed by the browser) triggered a malicious loop in the code that prevented closing the fraudulent pop-up (without resorting to Task Manager):

This is a similar technique to what we reported on recently with persistent drive-by mining attacks in that it uses a pop-under as a “helper.” There are actually three different layers in play to make this work:

  • a background window in full screen mode
  • another window that is superimposed (triggered on click or Escape key)
  • the pop-under (triggered on click)

The crooks have positioned and sized the pop-under in such a way that it only displays the “Stay” part of the “Leave” or “Stay” dialog window, leaving users very little choice.
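As an added example (not code from the Malwarebytes post), a small Python heuristic a defender might run over a captured page's source: it looks for the three layers described above, full-screen request, a trap on leaving the page, dialog spam and a sized, positioned pop-under, alongside history.pushState flooding and scare text, and only flags a page when several appear together. Both sample pages are constructed test data; the toll-free number is a placeholder.

```python
import re
from typing import Dict, List

# Indicators for the browlock layers described above: a window pushed into full
# screen, a trap on leaving the page, dialog spam, a sized/positioned pop-under,
# history.pushState flooding, and scare text with a toll-free number.
INDICATORS: Dict[str, re.Pattern] = {
    "fullscreen": re.compile(r"\b(?:webkit|moz)?[Rr]equestFull[Ss]creen\b"),
    "leave_trap": re.compile(r"\b(?:on)?beforeunload\b"),
    "dialog_spam": re.compile(r"\b(?:alert|confirm|prompt)\s*\("),
    "popunder": re.compile(r"\bwindow\.open\s*\([^)]*\b(?:left|top|width|height)="),
    "history_flood": re.compile(r"\bhistory\.pushState\s*\("),
    "scare_text": re.compile(
        r"your (?:computer|pc) (?:has been|is) (?:locked|infected|blocked)"
        r"|call (?:now|immediately|toll[- ]?free)"
        r"|\b1[- ]?8(?:00|33|44|55|66|77|88)[- ]?\d{3}[- ]?\d{4}\b",
        re.I,
    ),
}

# Legitimate sites use one alert() or one pushState() all the time; only several
# independent layers appearing together is treated as browlock-like.
FLAG_THRESHOLD = 3


def assess_page(source: str) -> Dict[str, object]:
    """Score one page's HTML/JS source and return matched indicators plus a verdict."""
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(source)]
    return {"indicators": hits, "score": len(hits), "browlock_like": len(hits) >= FLAG_THRESHOLD}


# Constructed sample: a legitimate app using the Notifications API (the route the
# browser makers recommend) plus a single pushState call for routing.
BENIGN_SAMPLE = """<script>
Notification.requestPermission().then(p => console.log(p));
history.pushState({page: 2}, "", "/inbox");
</script>"""

# Constructed sample: only the API names of the three layers, scare text and a
# placeholder number; not a working page, test data for the heuristic only.
SUSPECT_SAMPLE = """<script>
document.documentElement.requestFullscreen();
window.addEventListener("beforeunload", trapHandler);
window.open("helper.html", "", "width=220,height=90,left=430,top=310");
alert("Windows Defender Alert");
</script>
<h1>YOUR COMPUTER HAS BEEN LOCKED</h1><p>Call toll-free 1-800-000-0000</p>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, assess_page(sample))
```

The threshold is deliberately coarse; in practice such a score is a triage signal for a malvertising investigation, not a blocking decision on its own.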

Keep in mind that at the same time the user is trying to close the page, a constant reminder is being played on the computer speakers, to add to the victim’s distress.


From a technical standpoint, browser lockers are on the low side of the scale compared to malware such as ransomware. However, they benefit from great distribution channels via malvertising, guaranteeing that millions of people are affected by them. Consider that scammers charge an average of $400 per victim, and you soon realize that this is a highly profitable business.

On this blog, we have long said that awareness is critical in order to avoid falling for tech support scams, but we also recognize that browsers have a big role to play in how they handle and block such annoying alerts. Unfortunately, scammers try to trick people by abusing regular warnings and creating fake buttons. In the case mentioned above, it would have been possible to close the page from the beginning by clicking on the top window’s X before it went into full screen mode. But if a user can be enticed to perform a certain action, they essentially lock themselves out.

The rule of thumb here is to avoid panicking and simply close the browser via the Task Manager (if all else fails). Remember that the pop-ups themselves are usually harmless. You are safe as long as you haven’t dialed the toll-free number that is being advertised.

The post Tech support scammers make browser lockers more resilient appeared first on Malwarebytes Labs.


Dec 19, 2017
John

Lo lo lo Loapi Trojan could break your Android

Kaspersky has found what they deem a jack-of-all-trades malicious app, which they call Trojan.AndroidOS.Loapi. Like the Trojan AsiaHitGroup we discovered last month on Google Play, this malware can do all the things—it’s a downloader, dropper, and SMS Trojan, and can push ads, all from the same malicious app. If left to its own devices, it could overheat the phone by taxing the processor, make the battery bulge, and essentially leave your Android for dead.

It seems creating Swiss army knife malware—lumping several uniquely malicious features into one catch-all malicious app—is becoming a trend. At least this time, the Loapi Trojan didn’t make it onto Google Play.

Loapi capabilities

For the purpose of hiding itself, Loapi poses (mostly) as a fake antivirus app or, on the other end of the spectrum, as an adult content app. It then asks for device administrator permissions to lock the screen of the mobile device, among other things. Furthermore, it takes the damage to another level by attempting to trick the user into thinking genuine anti-malware scanners are the real threat, and prompts the user to uninstall them if found. If that weren’t enough, it comes with a host of other features, including:

With everything going on in the background, Loapi puts an extreme load on the mobile device. This can lead to the Android literally blowing up from heat produced by the maxed-out processor and battery.

To state the obvious: This Loapi Trojan is quite nasty.

Darn it, tell me if you detect it or not already!

So, do we detect this monster? You bet we do! Our Malwarebytes for Android detection name is Android/Trojan.Dropper.Agent.BGT. You’ll be delighted to know that we’ve been on top of this bad boy since October.

In Malwarebytes for Android, detection of this infection is primarily done by our advanced deep scanner, which uses heuristic methodology to find malware, such as this Trojan, deeply embedded in the device. Deep scan is a feature in our Premium version. Therefore, if you want to stay protected in real time against Loapi, we recommend you upgrade to Premium after your free 30-day trial of Malwarebytes for Android. Stay safe out there!

The post Lo lo lo Loapi Trojan could break your Android appeared first on Malwarebytes Labs.

