Nov 7, 2017

Part 2: All rise! Mind these digital crimes and arm your business against them

In the first installment of this two-part series, we advised consumers to stay on top of a selection of up-and-coming crimes to significantly lessen the chances of encountering them in the future. For this post, we’re going to look into digital crimes that keep small businesses and large enterprises on their toes: cloud attacks, attacks over SSL, ATM malware, and RDoS attacks.

It’s important to note that regardless of any digital attack an organization might face, fostering a culture of cybersecurity plays a massive role in arming employees with knowledge of what these attacks are and how they should respond if and when such incidents happen.

Let’s begin!

Cloud attacks

Many are surprised with how quick cloud computing has taken hold. In fact, Internet users who may not have heard about “the cloud” likely have no idea how much they rely on it when they check updates on Facebook, their work mail, or their online bank statement. Indeed, cloud services have made our lives a lot more manageable, to the point that we think everything we need is just within reach of our fingertips, wherever we are in the world.

Unfortunately, online criminals have caught on and started using cloud services as lures to dupe people into handing over their account and personal details. Retrieved credentials—say, for work email—are then used to access the account to gain further access to other repositories the credential owner has rights to, primarily company files stored in other cloud services. And this is just one of the many possibilities that could happen to compromised enterprise accounts.

How to protect your business

  • Take advantage of your cloud provider’s two-factor authentication (2FA) feature. It is offered by the majority of cloud vendors today, and using it is no longer optional. That should be great news for any business looking to beef up its security but with only a vague idea of where to start. Just remember that 2FA comes in various forms.
  • Know who accesses what information stored in the cloud. Not everyone in the company should be able to read or obtain sensitive files. Audit your access list and, if possible, restrict access to more sensitive data to a smaller group of decision makers.
  • Limit access to company resources based on user context. Employees in the office who use the internal network should be able to access files based on privileges assigned to them. Remote workers, on the other hand, should have limited access to company files, or they must go through additional sign-on steps to ensure that the person accessing the data is indeed who they say they are.
  • Encrypt highly sensitive files stored in the cloud. Offsite backups work well, too.
  • Use a cloud vendor that provides encrypted data transfers. (Not all of them offer this.)
  • Toughen up on passwords. Make sure that employee passwords have an acceptable rating of complexity. The system should straight up reject ones that are easily guessed like “admin,” “password,” or “123456.”
  • Regularly update your software to keep exploits at bay.
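The access-list and user-context advice above, as an added example that is not code from the original post: a small policy function that decides, per request, whether to allow access, deny it, or require an extra sign-on step, based on the user’s groups, whether the request comes from the office network, and whether a second factor has been verified. The office network range, the user and group names, and the three sensitivity tiers are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Sensitivity(Enum):
    PUBLIC = 0        # marketing material, public docs
    INTERNAL = 1      # ordinary company files
    RESTRICTED = 2    # contracts, payroll, M&A: the "smaller group of decision makers" tier


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # serve the file only after an additional sign-on factor
    DENY = "deny"


# Constructed values: the internal office network and which groups may read each tier.
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
TIER_GROUPS = {
    Sensitivity.PUBLIC: {"staff", "finance", "execs"},
    Sensitivity.INTERNAL: {"staff", "finance", "execs"},
    Sensitivity.RESTRICTED: {"execs"},
}
# Constructed user directory used for the access-list audit below.
USERS = {"ann": {"staff"}, "bill": {"staff", "finance"}, "ceo": {"execs"}}


@dataclass
class Request:
    user: str
    groups: frozenset
    source_ip: str
    mfa_verified: bool
    resource_sensitivity: Sensitivity


def is_office(ip: str) -> bool:
    """True when the request originates from the internal office network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def decide(req: Request) -> Decision:
    # 1. Group gate: not everyone in the company may read sensitive files.
    if not (req.groups & TIER_GROUPS[req.resource_sensitivity]):
        return Decision.DENY
    # 2. Restricted data always needs a second factor, even from inside the office.
    if req.resource_sensitivity is Sensitivity.RESTRICTED and not req.mfa_verified:
        return Decision.STEP_UP
    # 3. Remote workers get limited access: anything beyond public data needs step-up.
    if not is_office(req.source_ip):
        if req.resource_sensitivity is Sensitivity.PUBLIC:
            return Decision.ALLOW
        if not req.mfa_verified:
            return Decision.STEP_UP
    return Decision.ALLOW


def who_can_read(tier: Sensitivity) -> list:
    """Audit helper: list the users whose group membership grants access to a tier."""
    return sorted(u for u, groups in USERS.items() if groups & TIER_GROUPS[tier])


if __name__ == "__main__":
    print(who_can_read(Sensitivity.RESTRICTED))
    print(decide(Request("ann", frozenset({"staff"}), "203.0.113.9", False, Sensitivity.INTERNAL)))
```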

Attacks over SSL/TLS

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that authenticate and encrypt transmissions between a server and a browser. While an increasing number of companies are learning and adopting encryption as part of their security and privacy strategies, threat actors level the playing field by using the same secure communication over the network to hide their malicious antics. We’ve seen this in multiple malvertising campaigns in previous years. Malware being sent over an encrypted channel is not new either. Phishers, on the other hand, mainly use SSL as a way to make their campaigns more believable, seeing that more Internet users are clued in on what to look for on a potential phishing page.

Some threat actors use free SSL certificates, while others have breached company sites with them already installed. Regardless, organizations have a big hand to play in stopping the bad guys by securing their websites and also educating their employees on current, more sophisticated criminal tactics.

How to protect your business

  • Keep server OS and other software running on your website up to date.
  • Strengthen the passwords of your website admin accounts.
  • Make sure that any text box on your website where users can post content, such as a search box, comment window, or forum post, is protected against SQL injection and cross-site scripting (XSS). You can install tools that prevent scripts not hosted on your server from running on your website, or you can harden the server-side code so that an injected script cannot run even if it were successfully posted to the page.
  • Install a Web Application Firewall. There are niche brands that offer this, with some of them being cloud-based. So do your research and choose a service that fits your company’s needs.
  • If you allow users to upload files—say, a screenshot—to your website, make sure that limitations are explicitly set to prevent users from uploading other file types.
  • Switch to HTTPS. You may also want to consider using SSL inspection.
  • Restrict physical access to your server.
  • Conceal your admin directories. Hackers have been known to scan web servers for conspicuous directories they can focus on gaining access to, such as the admin folder. Choose new names for your administrator folders, and make sure you and your webmasters are the only ones who know them.
  • Back up your website. Always.
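The file-upload item above, as an added example (not code from the original post): a validator that checks an uploaded file against an allowlist of extensions, requires the declared MIME type to agree with the extension, and then checks the file’s leading bytes against the signature expected for that type, so a script renamed to “.png” is rejected even though its extension passes. The allowed types, size cap, and sample payloads are constructed assumptions.

```python
import os

# Constructed policy: extension -> (expected MIME type, leading-byte signature of that format)
ALLOWED_TYPES = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
}
MAX_BYTES = 5 * 1024 * 1024  # 5 MiB cap for a screenshot


def validate_upload(filename: str, declared_mime: str, data: bytes):
    """Return (True, safe_storage_name) or (False, reason).

    Order matters: size first (cheap), then extension allowlist, then the client's
    declared type, and finally the file content, which the client cannot lie about
    without also breaking the format the server will later try to render."""
    if not data or len(data) > MAX_BYTES:
        return (False, "size")
    # Keep only the final path component so "../../x.png" cannot escape the upload dir.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return (False, "extension")
    mime, magic = ALLOWED_TYPES[ext]
    if declared_mime.lower() != mime:
        return (False, "mime mismatch")
    if not data.startswith(magic):
        # e.g. "shell.php.png" containing PHP: extension is fine, content is not
        return (False, "content does not match extension")
    # Normalise the stored name to inert characters; never reuse the client's name as-is.
    safe_root = "".join(c for c in root if c.isalnum() or c in "-_")[:64] or "upload"
    return (True, safe_root + ext)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    print(validate_upload("screen.png", "image/png", png))
    print(validate_upload("shell.php.png", "image/png", b"<?php echo 1; ?>"))
```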

ATM malware

Crimes involving ATMs don’t necessarily require physical skimming devices. Sometimes, there’s malware—and a bit of phishing—in there, too. And these two combined form network-based ATM attacks. Europol’s European Cybercrime Centre (EC3) and Trend Micro’s Forward-Looking Threat Research (FTR) Team have circulated a 40-page report, warning banks about the rise of ATM targeting. Based on this report, not only is ATM malware becoming commonplace, it has evolved remarkably through the years.

EC3 and FTR have also revealed that there are two objectives of ATM malware: (1) empty the affected machine of cash, which is called “jackpotting,” and (2) record card data from clients using the affected ATM, effectively acting as a virtual skimming device.

Below is a video shared by Bleeping Computer about the latest ATM malware sold on the Dark Web in action:

How to protect your business

  • The majority of malware that infiltrates a bank’s network starts off as phishing emails. As such, it’s more important than ever for senior managers to focus on running awareness programs and surprise simulations within the organization on a regular basis.
  • To prevent crooks from delivering malware via the ATM’s USB and CD drives, fortify the machine by replacing the default generic locks on the shell to prevent thieves from purchasing generic keys for these locks. Also, make sure that the location where the ATM machine is situated is well-lit and has a security camera in place (that cannot be easily tampered with).
  • Ensure that the communication between the interbank network and the ATMs is encrypted and has integrity controls.
  • Religiously update all software installed on the ATM. Also, whitelist the software so that only approved programs are allowed to run on ATM machines.
  • By default, use two-factor or multi-factor authentication between devices and software.
  • Employ whole disk encryption for hard disks.
  • Secure the ATM BIOS against unauthorized access.

Ransom DDoS (RDoS) attacks

A distributed denial of service attack, or DDoS, involves the use of hundreds, if not thousands, of electronic devices controlled by a botmaster. These devices are then used to attack an organization by overwhelming their network with garbage traffic, resulting in websites being shut down and clients not being able to access them for an indefinite period. This translates to a significant loss of profit and disruption of productivity. In an RDoS attack, a threat actor threatens an organization with a DDoS attack unless it pays a ransom, usually in cryptocurrency, and follows through when the organization fails to pay or ignores the demand. According to a Kaspersky report, a majority of threat actors behind these attacks are beginners and not organized hacker groups. Regardless, a DDoS attack is not something any company with an online presence would want to get entangled with.

Although RDoS attacks on enterprises regularly make the news, small businesses shouldn’t be lax, as they have more to lose in the event of such attacks. Unfortunately, a vast number of small businesses are ill-equipped to handle DDoS and RDoS attacks.

How to protect your business

  • Plan ahead. Little can be done once an attack is already taking place. Prevention is critical in this case. Assess the potential DDoS risk, exposure, and severity to the business and come up with mitigation strategies to address them.
  • Monitor bandwidth for spikes on the network. This could mean an oncoming attack or the presence of malware.
  • Have security software in place. Install anti-malware, email and URL filtering, firewall, and other security software to beef up your company’s computer, device, and network protection. Make sure that they are also whitelisted and regularly patched. Some companies even offer DDoS protection.
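The “monitor bandwidth for spikes” item above, as an added example (not code from the original post): a detector that compares each per-minute traffic sample with the median of the preceding window and flags samples that exceed a multiple of that baseline, plus a helper that only escalates once the spike has lasted several consecutive minutes, so a single burst is not mistaken for an attack. The traffic samples, window size, and thresholds are constructed assumptions; the same logic applies to outbound counters, where a sustained spike can point to malware inside the network.

```python
from statistics import median

# Constructed per-minute inbound traffic samples in Mbit/s: 30 ordinary minutes, then a surge.
SAMPLES = [42, 45, 40, 47, 44, 43, 46, 41, 45, 44,
           43, 42, 48, 44, 45, 46, 43, 44, 42, 45,
           44, 43, 47, 45, 44, 46, 43, 45, 44, 43,
           52, 210, 640, 910, 905]


def detect_spikes(samples, window=20, factor=4.0, min_mbps=100.0):
    """Return the indexes of samples that exceed `factor` times the median of the
    preceding `window` samples. The median is used as the baseline because, unlike a
    mean, it is not dragged upward by the first minutes of an attack already in the
    window. `min_mbps` is an absolute floor so a quiet link does not alert on noise."""
    alerts = []
    for i in range(window, len(samples)):
        baseline = median(samples[i - window:i])
        threshold = max(baseline * factor, min_mbps)
        if samples[i] >= threshold:
            alerts.append(i)
    return alerts


def first_sustained(samples, consecutive=3, **kwargs):
    """Index of the minute at which the spike has persisted for `consecutive` samples in
    a row, or None. This is the point at which a runbook would escalate rather than just
    log: one spike may be a backup job, several in a row looks like an attack."""
    alerts = set(detect_spikes(samples, **kwargs))
    run = 0
    for i in range(len(samples)):
        run = run + 1 if i in alerts else 0
        if run >= consecutive:
            return i
    return None


if __name__ == "__main__":
    print("spike minutes:", detect_spikes(SAMPLES))
    print("escalate at minute:", first_sustained(SAMPLES))
```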

Regardless of the nature of the business, as long as you have an online presence—if we guess correctly, almost all SMEs have this—securing your assets, which are either stored in the cloud or on-premise, should be an essential part of any business plan. Organizations of all sizes can no longer afford to overlook security and privacy matters regarding how they should handle confidential company and client information, especially with the arrival of GDPR.

On the other hand, users are also responsible for making sure that their electronic devices are protected both from unauthorized physical and electronic access, their sensitive information kept behind digital lock and key, and that the resources and assets they use for work are maintained within acceptable security standards.

The post Part 2: All rise! Mind these digital crimes and arm your business against them appeared first on Malwarebytes Labs.


Nov 7, 2017

A look into the global drive-by cryptocurrency mining phenomenon

An important milestone in the history of cryptomining happened around mid-September when a company called Coinhive launched a service that could mine for a digital currency known as Monero directly within a web browser.

JavaScript-based mining is cross-platform compatible and works on all modern browsers. Indeed, just about anybody visiting a particular website can start mining for digital currency with eventual profits going to the owner’s wallet (in the best case scenario). In itself, browser-based cryptomining is not illegal and could be seen as a viable business model to replace traditional ad banners.

To differentiate browser-based mining from other forms of mining, many started to label these instances as JavaScript miners or browser miners. The simplicity of the Coinhive API integration was one of the reasons for its immediate success, but due to several oversights, the technology was almost instantly abused.

However, many web portals started to run the Coinhive API in non-throttled mode, resulting in cases of cryptojacking—utilizing 100 percent of the victims’ CPU to mine for cryptocurrency with no knowledge or consent given by the user.

We decided to call this new phenomenon drive-by mining, due to the way the code is delivered onto unsuspecting users, very much like drive-by downloads. There’s one important caveat, though: There is no malware infection at the end of the chain.

While the harm may seem minimal, this is not the kind of web experience most people would sign up for. To make matters worse, one does not always know if they are mining for the website owner or for criminal gangs that have found a new monetization tool for the hacked sites they control.

In our full report, A look into the global drive-by cryptocurrency mining phenomenon, we review the events that led to this new technology being abused and explore where users involved in cryptomining against their will are located.

To give you an idea of the scope of drive-by mining, Malwarebytes has been blocking the original Coinhive API and related proxies an average of 8 million times per day, which added up to approximately 248 million blocks in a single month.

With their new mandatory opt-in API, Coinhive hopes to restore some legitimacy to the technology and, more importantly, push it as a legal means for site owners to earn revenues without having to worry about ad blockers or blacklists. This could also benefit users who might not mind trading some CPU resources for an ad-free online experience.

Time will tell how criminals react, but in the meantime, drive-by mining continues unabated.

For more information on this latest trend in the cryptocurrency world, please download our report.

The post A look into the global drive-by cryptocurrency mining phenomenon appeared first on Malwarebytes Labs.


Nov 6, 2017

Stay away from the Bitcoin multiplier scam

It is well known that hot commodities tend to attract scammers and online criminals. The continuous rise of Bitcoin over the past year (valued at over USD $7,188 at the time of writing) is generating frenzy amongst fans of cryptocurrencies as well as those watching from the sidelines.

While the threat of Bitcoin theft from hackers or rogue operators remains high, we also see many scams inspired by the classic Ponzi scheme. Such is the case of the Bitcoin multiplier scheme, where victims are enticed to send some of their Bitcoin to a particular wallet and be given x times the amount they invested.

Multiply your loss

There are a few different ways users are drawn to this scam. One of them is searching online for sites that offer such a service (and you can find many). Some people are even asking the million dollar question: “Is there any genuine Bitcoin multiplier?” which scammers immediately pounce on and use for Search Engine Optimization (SEO) purposes.

Another tactic is to use advertising to redirect users to such sites:

The offer sounds too good to be true and should raise an immediate red flag. Even the “confidence” indicators displayed at the bottom of the page are fake and just for show.

However, the scam artists are using an interesting ploy by first asking the user for their email address and Bitcoin address, suggesting that the service might actually send them something. But the opposite happens. When the user submits their information, they are taken to a different page asking them to send BTC to the perpetrator’s wallet:

This might make some people feel uneasy, but the crooks have an answer for any doubts that might arise. They keep a page with previous payments they have sent, although this information is bogus.

In trying to deconstruct this scam, one question that comes to mind is why such a service would exist in the first place, especially considering that nowhere on the site do they mention any kind of commission for their effort. Well, apparently, these guys are doing it for the altruistic love of technology.

Sadly, many people have fallen for this scam and have never seen their money again. The criminals behind this are setting up temporary websites and keep on resurfacing after they have been taken down.

The best piece of advice we can give you is to stay away from too good to be true promises, especially when it involves something like Bitcoin or other cryptocurrencies. And if you need any more guidance, the answer to the million dollar question is: No, there are no genuine Bitcoin multipliers.

The post Stay away from the Bitcoin multiplier scam appeared first on Malwarebytes Labs.


Nov 6, 2017

A week in security (October 30 – November 5)

Last week on our blog, we told you what to expect at the upcoming Irisscon security conference in Dublin. We gave you a quick introduction into the why and how of analyzing malware based on their API calls. And we issued a warning about some lesser-known cybercrimes. Plus we explained why emerging APAC markets are prime targets for cybercriminals.

We also introduced you to some of the scariest malware monsters that could come knocking on your door for more than just candy. And finally, we explained how cryptocurrencies work and why all the cybercriminals love them.

Other news

Safe surfing, everyone!

The post A week in security (October 30 – November 5) appeared first on Malwarebytes Labs.


Nov 6, 2017

Explained: blockchain technology

Last week, we talked about what cryptocurrency is and why cybercriminals love it. We mentioned that cryptocurrency was founded on a technology called blockchain, which is a tight system that, when applied correctly, is more secure than most other financial transactions. In this post, we’ll explain the basics of blockchain technology, including its origin, development, and what makes it secure.

Origin of blockchain

One of the prime and most well-known examples of blockchain technology is Bitcoin. In 2008, the founder and spiritual father of Bitcoin (acting under the name of Satoshi Nakamoto) laid the groundwork for blockchain technology when he presented his solution for the “double spending problem” in digital currency. Double spending can be seen as copying and pasting money so you would never run out of it. In the non-digital world, we’d call this counterfeiting.

This countermeasure against double spending is essentially the foundation of our current blockchain technology, a method of record keeping that is essentially a decentralized, distributed, historical database.


The linchpin of blockchain technology is its decentralization. There is no central authority. Anybody can be a user or participant. This makes the system more open and less vulnerable than traditional ledgers.

Blockchain security

How is the blockchain made secure? Good question! Without making this too complicated, consider a system that only works in one direction. That system calculates the hash value that is the unique answer to a math problem based on the data contained in the block. Every time you feed the system the same data in the block, the hash value will be the same. Every change in the block results in a different hash value.

Take for example adding up the digits of a long value like 123456789, which results in 45. Changing the first digit changes the result, but from knowing 45 alone it is impossible to figure out the value we used as input. This is basically the same idea as blockchain, only its hashes and inputs are much more complicated.

So there is no way (short of centuries of brute-forcing) to go in reverse and find the data of the block based on a hash value. This provides miners, or those who maintain the transactions in the blockchain, with a method to check the validity of a transaction without being able to create a block with false information. This is what solves the double spending problem. It makes it impossible to make up a transaction and feed the false information into the blockchain. You cannot find the hash that would make that transaction look legitimate.

How new blocks are created

Every so often a new block is created—as a set of transactions recorded over a given period of time. This block contains all the transactions that were made on the blockchain since the previous block was closed. Miners then calculate the hash value of the current block. The first one to get it right gets a reward.

Now the nodes come into play. A node is a machine that is broadcasting all the transactions across the peer-to-peer network that is the base of the blockchain. The nodes check and broadcast the hash of this proposed block until agreement is reached about the new block. Then this block will be accepted as the new starting point for the transactions in the next block. The block is saved in many different places so that no one entity has total control over it.
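The hashing argument above and the block-creation steps just described, as one added example that is not code from the original post: the post’s digit-sum toy function beside SHA-256, a miner that searches for a nonce meeting a difficulty target, the validation a node performs before accepting a chain, and a ledger replay that rejects a double spend. It is a teaching model, not Bitcoin’s actual format; the transactions, the three-hex-digit difficulty, and the starting balances are constructed assumptions.

```python
import hashlib
import json


def digit_sum(value: str) -> int:
    """The post's toy one-way function: "123456789" -> 45. Easy forward, ambiguous backward."""
    return sum(int(ch) for ch in value)


def block_hash(index, previous_hash, transactions, nonce) -> str:
    """SHA-256 over the block's entire content; changing any field changes the result."""
    payload = json.dumps({"index": index, "prev": previous_hash,
                          "tx": transactions, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index, previous_hash, transactions, difficulty):
    """Proof of work: try nonces until the hash starts with `difficulty` zero hex digits.
    There is no shortcut; the miner simply spends cycles, which is what the reward pays for."""
    nonce = 0
    while True:
        h = block_hash(index, previous_hash, transactions, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "prev": previous_hash, "tx": transactions,
                    "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(batches, difficulty=3):
    """Genesis block first, then one block per batch of transactions, each block
    committing to the previous block's hash."""
    chain = [mine(0, "0" * 64, [], difficulty)]
    for txs in batches:
        prev = chain[-1]
        chain.append(mine(prev["index"] + 1, prev["hash"], txs, difficulty))
    return chain


def is_valid(chain, difficulty=3) -> bool:
    """What a node checks before accepting a chain: every stored hash recomputes from the
    block content, meets the difficulty, and matches the next block's `prev` pointer."""
    for i, b in enumerate(chain):
        if block_hash(b["index"], b["prev"], b["tx"], b["nonce"]) != b["hash"]:
            return False
        if not b["hash"].startswith("0" * difficulty):
            return False
        if i > 0 and b["prev"] != chain[i - 1]["hash"]:
            return False
    return True


def balances(chain, initial):
    """Replay every transaction in order and return the resulting balances, or None if
    any spend exceeds what the sender holds: this is how a double spend is caught."""
    bal = dict(initial)
    for b in chain:
        for tx in b["tx"]:
            if bal.get(tx["from"], 0) < tx["amount"]:
                return None
            bal[tx["from"]] -= tx["amount"]
            bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
    return bal


def tamper(chain, block_index, new_txs):
    """Return a copy of the chain with one block's transactions rewritten (the attack)."""
    copy = json.loads(json.dumps(chain))
    copy[block_index]["tx"] = new_txs
    return copy


if __name__ == "__main__":
    chain = build_chain([[{"from": "alice", "to": "bob", "amount": 5}],
                         [{"from": "bob", "to": "carol", "amount": 2}]])
    print("valid:", is_valid(chain), "balances:", balances(chain, {"alice": 10}))
    forged = tamper(chain, 1, [{"from": "alice", "to": "bob", "amount": 500}])
    print("forged chain valid:", is_valid(forged))
```

Re-mining only the forged block does not help the attacker: the next block still carries the old hash in its `prev` field, so every later block would have to be re-mined as well, faster than the rest of the network extends the honest chain.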

The transactions we mention do not have to be money transfers, as the blockchain can be used for many other applications. Consider, for example, smart contracts that can be programmed to pay the supplier when a condition has been met, such as the delivery of goods. This moves the trust in the completion of the transaction from an intermediary like a bank or a website to the blockchain.

How mining works on the blockchain

Why would miners bother with appending to the blockchain and verifying new blocks? The “proof of work” method gives rewards to miners for calculating the hashes. So basically they get paid for the energy they put into the work. However, the proof of work method used in Bitcoin and other digital currencies is causing an energy consumption level that could run an entire country.

The number of processing cycles needed to mine effectively has made CPU mining a thing of the past. Instead, miners moved on to GPU mining and then to ASIC, or application-specific integrated circuit, which is highly specialized and much more effective at what it does.

Although the number of Bitcoin that are given out each day as rewards stays the same over a given period of time, the number of mining farms has taken the number of cycles needed for one Bitcoin through the roof. Imagine huge server farms with racks upon racks of ASICs mining away, and that will give you a good idea of what the professional miners are doing. This is not “Joe at Home” anymore, but serious business.

One alternative method that is in planning for the Ethereum Project is “proof of stake.” Proof of stake rewards those that have the most invested in the currency or gas (gas is the internal pricing for running a transaction or contract in Ethereum). Some fear this will turn blockchain into “the rich get richer” system, so there may be some new problems to be solved on the horizon.

But if it’s so secure, how come I heard…

Even though the blockchain technology itself is secure, the applications that may be built on or around this technology are not necessarily inheriting its security. So you may have heard of criminals acquiring Bitcoins illegally in various ways, but these crimes usually take place before the cryptocurrency was acquired, for example by having others mine for the threat actor. Or afterwards, for example by stealing wallets or even robbing a Bitcoin exchange.

Extra reading

For more information on blockchain, take a look at this explanation using easy to understand examples: The ultimate 3500-word guide in plain English to understand Blockchain.

A comparison between proof of work and proof of stake can be found here: Proof of Work vs Proof of Stake: Basic Mining Guide

The post Explained: blockchain technology appeared first on Malwarebytes Labs.


Nov 3, 2017

What is cryptocurrency and why do cybercriminals love it?

Ever pretend you know what your friends are talking about because you want to sound smart and relevant—and then trap yourself in a lie?

“Wow, looks like those hackers were mining for cryptocurrency. You know what cryptocurrency is, right?”

“Oh yeah, totally. Cryptocurrency. Bad stuff. You know. Currency? In the crypt? Bad.”


Okay, so the next time someone asks, “What is cryptocurrency, anyway?” instead of awkwardly shrugging, be prepared to dazzle them with your insider knowledge.

What is cryptocurrency, in a nutshell?

In its simplest form, cryptocurrency is digital money. It’s currency that exists in the network only—it has no physical form. Cryptocurrency is not unlike regular currency in that it’s a commodity that allows you to pay for things online. But the way it was created and managed is revolutionary in the field of money. Unlike dollars or euros, cryptocurrency is not backed by the government or banks. There’s no central authority.

If that both excites and scares you, you’re not alone. But this technology train has left the station. Will it be a wreck? Or will it be the kind of disruptive tech that democratizes the exchange of currency for future generations?

Let’s take a closer look at what cryptocurrency is, how it works, and what are the possible pitfalls.

What makes cryptocurrency different from regular money?

If you take away all the techno-babble around cryptocurrency, you can reduce it down to a simple concept. Cryptocurrency is entries in a database that no one can change without fulfilling specific conditions. This may seem obtuse, but it’s actually how you can define all currency. Think of your own bank account and the way transactions are managed—you can only authorize transfers, withdrawals, and deposits under specific conditions. When you do so, the database entries change.

The only major difference, then, between cryptocurrency and “regular” money is how those entries in the database are changed. At a bank, it’s a central figure who does the changing: the bank itself. With cryptocurrency, the entries are managed by a network of computers belonging to no one entity. More on this later.

Outside of centralized vs. decentralized management, the differences between cryptocurrency and regular currency are minor. Unlike the dollar or the yen, cryptocurrency has one global rate, and it is worth a lot. As of November 2017, one Bitcoin is equal to $6,942.77. Its value has increased exponentially this year, exploding from around $800 in January 2017.

How does cryptocurrency work?

Cryptocurrency aims to be decentralized, secure, and anonymous. Here’s how its technologies work together to try and make that happen.

Remember how we talked about cryptocurrency as entries in a database? That database is called the blockchain. Essentially, it’s a digital ledger that uses encryption to control the creation of money and verify the transfer of funds. This allows for users to make secure payments and store money anonymously, without needing to go through a bank.

Information on the blockchain exists as a shared—and continuously reconciled—database. The blockchain database isn’t stored in a single location, and its records are public and easily verified. No centralized version of this information exists for a cybercriminal to corrupt. Hosted by millions of computers simultaneously, its data is accessible to anyone on the Internet.

So how, exactly, is cryptocurrency created and maintained on the blockchain? Units are generated through a process called mining, which involves harnessing computer power (CPU) to solve complicated math problems. All cryptocurrencies are maintained by a community of miners who are members of the general public that have set up their machines to participate in validating and processing transactions.

And if you’re wondering why a miner would choose to participate, the answer is simple: Manage the transactions, and earn some digital currency yourself. Those that don’t want to mine can purchase cryptocurrency through a broker and store it in a cryptocurrency wallet.

When was cryptocurrency developed?

In the wake of Occupy Wall Street and the economic crash of 2008, Satoshi Nakamoto created Bitcoin, a “peer-to-peer electronic cash system.” Bitcoin was a slap in the face to the “too big to fail” banks because it operated outside of a central authority, with no server and no one entity running the show. Bitcoin pioneers had high hopes of eliminating the middle man in order to cancel interest fees, make transactions transparent, and fight corruption.

While Bitcoin was the first and remains the most popular cryptocurrency, others saw its potential and soon jumped on the bandwagon. Litecoin was developed in 2011, followed by Ripple in 2012. In 2015, Ethereum joined the fray and has become the second most-popular cryptocurrency. According to CoinMarketCap, there are now more than 1,000 cryptocurrencies on the Internet.


Cryptocurrency’s popularity on the Internet soon bled into other real-world applications. Japan has adopted Bitcoin as an official currency for commerce. Banks in India are using Ripple as an alternative system for transactions. JP Morgan is developing its own blockchain technology in partnership with Quorum, an enterprise version of Ethereum.

However, as with any new and relatively untested technology, the cybercriminals wanted in. And it wasn’t long before Bitcoin and other cryptocurrencies fell victim to their own democratic ideals.

How has cryptocurrency been abused?

As secure as a Bitcoin address is, the application of its technology is often fumbled; usually by unpracticed programmers looking to get in on the action and creating faulty code. Fundamentally, the system is superior to centralized database systems, but poor coding practices among its thousands of practitioners have created a multitude of vulnerabilities. Like vultures to carrion, cybercriminals flocked to exploit. According to Hacked, an estimated 10 to 20 percent of all Bitcoin in existence is held by criminals.

While cryptocurrency was initially hailed as the next big thing in money, a savior for folks who just lost everything in steep recession (but watched as the banks that screwed them over walked away unscathed), a hack in 2011 showed how insecure and easily stolen cryptocurrency could be. Soon, the criminal-minded rushed in, looking to take advantage of the cheap, fast, permission-less, and anonymous nature of cryptocurrency exchange. Over the last nine years, millions of Bitcoin, worth billions of dollars, have been stolen—some events so major that they drove people to suicide.

On a smaller but much more frequent scale, cryptocurrency is used on the black market to buy and sell credit card numbers and bot installs, fund hacktivism or other “extra-legal” activity, and launder money. It’s also the payment method of choice for ransomware authors, whose profits are made possible by collecting money that can’t be traced. Certainly makes getting caught that much more difficult.


Ransom note asking for Bitcoin

And if that weren’t enough to call cryptocurrency unstable, the process of mining itself is vulnerable and has already attracted some high-profile hacks. Services such as CoinHive allow those that deploy it to mine the CPU of their site visitors—without the visitors’ knowledge or permission. This process, known as cryptojacking, is robbery-lite: Users may see an impact to their computer’s performance or a slight increase in their electric bill, but are otherwise unaffected. Or that is, they were, until cybercriminals figured out how to hack CoinHive.

Future applications

So where does that leave us with cryptocurrency? Surely its popularity is skyrocketing and its value is spiking so hard it could win a gold medal for beach volleyball at the Olympics. But is it a viable, safe alternative to our current currencies? Cryptocurrency could democratize the future of money—or it could end up in technology hell with AskJeeves and portable CD players.

We can see the technological applications for the future that demonstrate the clear advantages of cryptocurrency over our current system. But right now, cryptocurrency is good in theory, bad in practice. Volatile and highly hackable, we’ll have to move to create security measures that can keep up with the development of the tech, otherwise cybercriminals will flood the market so heavily that it never moves beyond the dark web.

If you want to learn even more about cryptocurrency, stay tuned for a deeper dive on blockchain technology and a full report on cryptojacking.

The post What is cryptocurrency and why do cybercriminals love it? appeared first on Malwarebytes Labs.

Powered by WPeMatico

Nov 2, 2017

Why emerging APAC markets are prime targets for the malware of the future

In many ways, Asia has led the way in technological development. Robotics, video games, dizzyingly fast Internet speeds. But when it comes to cybersecurity, several APAC countries, especially those in emerging markets, are severely lacking. And while, according to the 2017 State of Malware Report, cybercriminals are still focusing the bulk of their nefarious efforts on North America and Europe, it’s not long before they turn their full attention to the vulnerable targets of the East.

To be clear, that doesn’t mean that there’s no cybercriminal activity in Asia-Pacific. Quite the contrary. According to research by Marsh & McLennan Companies, APAC is an ideal environment for cybercriminals to thrive in due to high digital connectivity contrasted with low cybersecurity awareness and weak regulations. However, lack of transparency from Asian governments and businesses leads to the potentially inaccurate perception that threat levels in the APAC region are lower than everywhere else. We just don’t know what we don’t know.

That being said, our data shows that the most dangerous and pervasive forms of malware and the highest frequency of attacks are not happening yet in Asia-Pacific. Why? If you need an answer for why cybercriminals do anything, look no further than this: money. Threat actors target countries with the strongest economies in order to get the biggest return on their investments. In countries where the Internet is just being introduced, criminals would not expect to extort the same amount of money or data as in countries where the Internet rules almost all commerce, banking, data storage, and financial transactions.

Countries such as the Philippines, Malaysia, and Indonesia are already seeing widespread use of mobile banking and social media via smartphones, rapidly bringing Internet access to citizens. With widespread Internet adoption, it is only a matter of time before cybercriminals turn their attentions toward these markets.

In fact, just yesterday virtually every person in Malaysia had their personal data swiped in hacks of government servers and telco databases. After all, when market share increases, the sharks smell blood. To avoid the feeding frenzy, emerging APAC markets need to increase cybersecurity awareness and take active steps to mitigate risks as Internet access and adoption increases.

Let’s take a closer look at the factors that leave emerging markets in APAC vulnerable to attack.

Lack of regulation online

With the rapid growth of Internet usage in the APAC region, it’s likely that we’ll see a relative increase in malware detections. The aforementioned lack of transparency has resulted in weak cyber regulations by authorities in certain geographies, as well as a marked lack of security investment amongst businesses—perhaps partially due to the Internet security market still being heavily targeted toward US and European markets.

A relative lack of regulation leads to an Internet that resembles the wild west of early years—yet with the technological sophistication of today. This results in third-party app stores selling malicious apps unchecked, and pirated software often left unpatched due to lack of official support. It also leaves PCs ripe for takeover, which is why 50 percent of all botnet detections by Malwarebytes were centered in Asia. Outdated preventive security, the use of pirated software, lack of remediation or response, and poor cyber hygiene habits leave these systems open to online attacks.

Increased adoption of Internet without awareness

According to ESET’s Asia Cyber-Savviness Report, 78 percent of Internet users in Asia have not received any education on cybersecurity. Collectively, Asia’s level of awareness is comparatively lower than that of other regions of the world. This general lack of awareness bleeds over into business, with 70 percent of Asian firms saying they don’t have a strong understanding of their cyber posture (Marsh & McLennan).

Without background information on the dangers inherent in cyberthreats, individuals and companies are less likely to consult cybersecurity resources, invest in security products, or respond quickly to breaches.

Some Asian economies such as Singapore, Hong Kong, and Taiwan boast excellent cybersecurity postures; all have government-linked cybersecurity agencies that sponsor education, outreach, and response to cyberthreats. The entire region must make a unified effort, however, to ensure that cybersecurity awareness is given greater emphasis.

Increased adoption of Android

Android devices are vulnerable to malware attack because of their high market share and ability to download third-party apps from vendors outside of Google. These vendors often don’t require that developers submit to strict security regulations, which leaves users vulnerable to infection (or, in many cases, lets malicious apps make their way into the marketplace unchecked). Unfortunately, the region of the world with the highest rate of Android adoption is, you guessed it, Asia.

In addition, local phone manufacturers in emerging Asian markets have been known to skimp on security features in order to reduce manufacturing costs. This leaves Asian Android users even more open to attack.

Increased adoption of IoT devices

Asia-Pacific leads the IoT market, having pioneered the adoption of IoT and machine-to-machine technology. Yet IoT is still a relatively new technology, for which security has not been adequately developed. Because of this, we’re already seeing IoT devices being compromised for botnet attacks, which are rampant in the APAC region.

While Internet usage in the region continues to grow, legislation and cybersecurity awareness are lagging behind; users are leaving themselves vulnerable to increasing attacks from cybercriminals. Individuals, businesses, and government bodies must learn more about cybersecurity, educate their friends, family, and coworkers, and take steps to secure their environments now before the inevitable tsunami of cyberattacks hits.

The post Why emerging APAC markets are prime targets for the malware of the future appeared first on Malwarebytes Labs.


Nov 2, 2017

IRISSCON security conference comes to Dublin in November

It’s that time of the year when IRISSCON—the biggest security conference in Ireland, in my humble opinion—springs into life with a great collection of talks and Capture the Flag events. Held on November 23 in Dublin, there will be a strong focus on working in Infosec this year, alongside some of the problems faced by industry practitioners. For my part, I’ll be giving a retooled run-through of my talk Makhra Ni Orroz, which received a great response at SteelCon. I’m looking forward to seeing how it goes down with a new audience!

Elsewhere at IRISSCON, the theme of breaking into Infosec via non-traditional routes is prominent—and this has been a hot topic this year, thanks to Equifax and music degrees. With that in mind, “Getting into the infosec industry from different directions,” by Lee Munson and Thom Langford will be a must watch. There’s a huge range of people working in Infosec with no technology qualifications (myself included), and presentations like this are a great way to explain why and how there are so many diverse skill sets on offer.

Elsewhere, we have “Would the real imposter please stand up?” by Dr. Jessica Barker, which looks at the very real problem of “Imposter Syndrome” suffered by those working in security fields—something I suspect may have been exacerbated as a direct result of the explosion of angry shouting related to non-tech qualifications.

In another handy talk for those in the Infosec field, we have “Three security professionals walk into a bar” by Javvad Malik, which will show you how to make yourself a more attractive proposition for both your org and the industry in general. A little self-improvement goes a long way!

Quentyn Taylor will add further insight into the daily dealings of a CISO with “The sights, the sounds, the smells of a hard working CISO on the road.” Last but not least, FreakyClown will be giving a deep dive into the world of social engineering and weaknesses in physical and digital security with the wonderfully titled “How I rob banks.”

If you haven’t been to a security conference before, or even if you’re a seasoned hand on the conference circuit, this is definitely one of the best value events you can attend, so please come along and say hello!

The post IRISSCON security conference comes to Dublin in November appeared first on Malwarebytes Labs.


Nov 1, 2017

All rise! Mind these digital crimes and arm yourself against them

Have you noticed that, in this year alone, headlines are inundated with words that contain “cyber”?

Cybercrime. Cyberattack. Cybersecurity. Cyberwarfare. The cyber. (Okay, that was last year.)

Frankly, with so much going on, we hardly remember a time when the term “cyber” seemed quaint and a little retro.

Indeed, cybercrime as a whole has been steadily on the increase these past few years, and not one expert has predicted it ebbing anytime soon. This is daunting, but not exactly unexpected. As we progress in adopting new technologies—with more of the world’s population online now than not—more and more people are exposed to potential threats.

Are we then to embrace the inevitable? Not really. Assuming the worst is to come—and we think you should—it’s more important than ever to arm yourself against digital crimes. This means putting security measures in place that aim to prevent or mitigate specific threats, tinkering with some habits that are actually quite dangerous, and talking about security candidly with friends, family, and peers.

So, let’s prioritize. We’ve scoured through scores of reports and identified digital crimes that are on the rise. In the list below, we’ll explain them and what you can do to protect yourself against them.

(1) Card skimming. This is a type of electronic fraud where criminals use a device called a skimmer to steal card information from users. The skimmer is usually installed onto devices where one can swipe or feed their credit or debit card, such as ATMs, point-of-sale (POS) devices, and gas pumps. Brian Krebs of KrebsOnSecurity covered card skimming extensively in a fascinating and eye-opening series of blog posts that we suggest you read through here.

How to protect yourself: There are two rules of thumb:

Always check. KrebsOnSecurity has provided ways on how one could recognize tampered devices so users can protect their bank cards from getting skimmed. “If you see something that doesn’t look right—such as an odd protrusion or off-color component on an ATM—consider going to another machine,” wrote Krebs in one article. “Also, stay away from ATMs that are not located in publicly visible and well-lit areas.”

More sophisticated setups, on the other hand, show nominal to no signs of obvious tampering. This is true for gas stations, where threat actors generally plant their skimming device within the pump’s interior. We don’t advocate that consumers start dismantling gas pumps to check whether they’re clean; however, we do advise users to keep a close eye on their bank statements for any expenditures they don’t remember paying for.

In September of this year, an Android app called Skimmer Scanner was made available on Google Play to download and use for free. This app is supposed to detect skimmer-tainted gas pumps, which use Bluetooth technology to steal user information. If you’re interested, the developer of the app wrote a technical post that you can read in this SparkFun page.

Never let your bank card out of your sight. If you’re in a restaurant or small shop where they use a handheld payment terminal, ask the waiter or cashier to swipe the card in front of you. A lot of businesses already do this, but it won’t hurt to ask if you see that the establishment you’re in needs to catch up on this practice.

It’s also important to make sure contact details are updated for each card you own and use so you can be easily reached if the bank spots potential fraudulent transactions.

(2) Android malware. Ever since mobile usage exceeded PC and laptop usage combined, we’ve been expecting that criminals would begin targeting the mobile market. And since Android is the dominant mobile OS worldwide, Android devices are the most targeted. This has been and continues to be the trend, year after year. Trojans lead the mobile malware infection count, followed by potentially unwanted programs (PUPs). Meanwhile, mobile ransomware is growing at a rapid rate.

How to protect yourself: If you haven’t already, begin practicing basic computing hygiene the same way you would when you’re on a desktop or laptop. This includes regular firmware and app updates, backing up phone data, locking the device when not in use, setting up remote wipe, installing apps that help protect you from threats when you browse the web, and playing it smart on public Wi-Fi networks.

It’s also essential that users regularly audit mobile devices for apps that they no longer use—these they can uninstall—and those that, for some reason, started doing things they’re not supposed to—these they must uninstall.

We pushed out several articles about mobile security on the Labs blog. Now would be a good time to go back and review them.

(3) Mac malware. Apple has gained favor in the eyes of threat actors, but this didn’t happen overnight. Its user base has been increasing steadily over the years, and we can surmise some reasons why. For one thing, its partnerships with other tech giants like IBM and Cisco have significantly expanded Apple’s reach in the enterprise world. Not only that, human behavior and logic play a factor, too: iPhone and iPad users are known to consider buying a Mac instead of a PC to complement their devices.

There wasn’t much Mac malware out there at first, but our recent telemetry data reveals that it is becoming noticeably problematic, along with adware and PUPs. We’d be remiss not to point out that Mac OS users may encounter various malvertising and scam campaigns, too.

How to protect yourself: Our recommendations to Mac users are not that different from what we advise Windows users. Again, following safe browsing habits is a constant best practice for any platform, operating system, or device. Don’t forget to back up files and, if you can, try to avoid downloading torrent files, which are sometimes bundled with programs you wouldn’t want to be installed on your system.

Below are some posts you may want to go back to and re-read about Mac safety:

(4) Linux malware. Here’s another OS that was first deemed “immune” from digital crime but is now making headlines, thanks to the proliferation of electronic devices and appliances that use software based on the Linux kernel, such as Android phones and tablets, routers, and the Internet of Things (IoT). In the Internet Security Report Q1 [PDF] by our friends at WatchGuard, they noted the three current types of malware targeting Linux: exploits, downloaders, and flooders.

Anecdotal evidence points to a number of reasons why threat actors are now going after Linux-powered devices. First, vendors and developers didn’t take the time or effort to incorporate a patched kernel into their products. Second, most of these devices and appliances have little to no security protections in place, and updating them over-the-air (OTA) is almost nonexistent. Last, consumers don’t use passwords—and if they do, they use poor ones—to protect such devices and appliances.

How to protect yourself:

Let’s start with passwords: Create one, now, or let a password manager do the creating for you. Make sure that the software and firmware on your IoT devices/appliances are updated. For those who have Linux servers, regularly update the OS. Implement firewall rules that block unsolicited inbound traffic and SSH access from the Internet and internal network. And finally, consider protecting devices with multiple security technologies, including anti-spam, URL filtering, anti-malware, and intrusion prevention, to name a few.

(5) Cyberbullying. The only Internet crime on this list that is aimed directly at actual people.

We’ve written about cyberbullying through the years, and we know that this act does not only involve kids and teens but also adults. And online bullying incidents are more prevalent now than ever. Why? While it’s true that the Internet has made it easier for anyone to talk to someone on the other side of the globe, let’s not remove from the equation people’s poor choices, misunderstood notions on anonymity, and the false assumption that real life is separate from digital life.

How to protect yourself: Prevention is always better than treatment, so how does one prevent cyberbullying? Consider limiting what you share online, or at least limit who sees what you share. Your social media feeds don’t have to be public, especially if you’re sharing something that is meant for close family and friends. Speaking of sharing, avoid sending intimate or private photos to anyone. This could not only lead to bullying but also revenge porn.

We have more preventive steps here, wherein we mostly touched on debunking myths surrounding cyberbullying.

Here’s more from our series during Anti-Bullying Week:

(6) Contactless card fraud. As we all know, a contactless card does not require one to enter a PIN, much less slot it through a POS terminal. All one has to do is wave it or hold it in front of a contactless reader for a few seconds, and you’re all set. Many users have opted to use contactless cards due to their ease of use. So easy, in fact, that one might correctly surmise that criminals can easily commit fraud as well.

Note that this particular digital crime is only relevant in regions of the world that use contactless cards, such as the UK and most European countries.

How to protect yourself:

Always handle your card yourself. Handing someone your card to be waved increases the risk of it getting skimmed. To keep track of spending when you use the contactless payment feature of your card, ask for a receipt. Compare these with your bank statements. Regularly check your statements for unusual transactions. And if you lose your card, report the loss to your bank immediately. Finally, consider using a digital wallet as an alternative to contactless cards.

While we focused on digital crimes that directly affect consumers here, in Part 2 of this series, we’ll be homing in on crimes that are after enterprises. See you then!

The post All rise! Mind these digital crimes and arm yourself against them appeared first on Malwarebytes Labs.


Oct 31, 2017

Analyzing malware by API calls

Over the last quarter, we’ve seen an increase in malware using packers, crypters, and protectors—all methods used to obfuscate malicious code from systems or programs attempting to identify it. These packers make it very hard, or next to impossible to perform static analysis. The growing number of malware authors using these protective packers has triggered an interest in alternative methods for malware analysis.

Looking at API calls, or commands in the code that tell systems to perform certain operations, is one of those methods. Rather than trying to reverse engineer a protectively packed file, we use a dynamic analysis based on the performed API calls to figure out what a certain file might be designed to do. We can determine whether a file may be malicious by its API calls, some of which are typical for certain types of malware. For example, a typical downloader API is URLDownloadToFile. The API GetWindowDC is typical for the screen-grabbers we sometimes see in spyware and keyloggers.

Let’s look at an example to clarify how this might be helpful.

Trojan example

Our example is a well-known Trojan called 1.exe with SHA256 0213b36ee85a301b88c26e180f821104d5371410ab4390803eaa39fac1553c4c.


The file is packed (with VMProtect), so my disassembler doesn’t really know where to start. Since I’m no expert in reverse engineering, I will try to figure out what the file does by looking at the API calls performed during the sandboxed execution of the file.

This is the list of calls that we got from the sandbox (Deepviz):


For starters, let’s have a look at what all these functions do. Here’s what I found out about them on Microsoft:

GetModuleHandle function

Retrieves a module handle for the specified module. The module must have been loaded by the calling process. GetModuleHandleA (ANSI)

GetProcAddress function

Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).


Convert a string to integer.

CreateStreamOnHGlobal function

This function creates a stream object that uses an HGLOBAL memory handle to store the stream contents. This object is the OLE-provided implementation of the IStream interface.

StrStr function

Finds the first occurrence of a substring within a string. The comparison is case-sensitive. StrStrA (ANSI)

wsprintf function

Writes formatted data to the specified buffer. Any arguments are converted and copied to the output buffer according to the corresponding format specification in the format string. wsprintfA (ANSI)

WinHttpOpen function

This function initializes, for an application, the use of WinHTTP functions and returns a WinHTTP-session handle.

GetModuleFileName function

Retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process. GetModuleFileNameW (Unicode)

LoadLibrary function

Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded. LoadLibraryA (ANSI)

LocalAlloc function

Allocates the specified number of bytes from the heap.

LocalFree function

Frees the specified local memory object and invalidates its handle.

GetModuleFileName function

Retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process. GetModuleFileNameA (ANSI)

ExitProcess function

Ends the calling process and all its threads.

The key malicious indicators

Not all of the functions shown above are indicative of the nature of an executable. But the API WinHttpOpen tells us that we can expect something in that area.

Following up on this function, we used URL Revealer by Kahu Security to check the destination of the traffic and found two URLs that were contacted over and over again.



This POST is what the VirusTotal API expects when you want to submit a file for a scan.

The link to an old and abandoned Twitter handle was a bigger mystery, until I decided to use the Advanced Search in Twitter and found this Tweet that must have been removed later on.


In base64, this Tweet says: Unfortunately that site no longer resolves, but it used to be an underground board where website exploits were offered along with website hacking services around the same time the aforementioned Twitter profile was active.


This was a dead end on trying to figure out what the malware was trying to GET. So we tried another approach by figuring out what it was trying to scan at VirusTotal and used Wireshark to take a look at the packets.


In the packet, you can see the API key and the filename that were used to scan a file at the VirusTotal site. So, reconstructing from the API calls and from the packets we learned that the malware was submitting copies of itself to VirusTotal, which is typical behavior for the Vflooder family of Trojans. Vflooder is a special kind of Flooder Trojan. Flooder Trojans are designed to send a lot of information to a specific target to disrupt the normal operations of the target. But I doubt this one was ever able to make a dent in the VirusTotal infrastructure. Or the one on Twitter for that matter.

The Vflooder Trojan is just a small and relatively simple example of analyzing API calls. It’s not always that easy: We’ve even seen malware that added redundant/useless API calls just to obfuscate the flow. But analyzing API calls is a method to consider for detecting malware trying to hide itself. Just keep in mind that the bad guys are aware of it too.
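The triage done by hand above, as an added Python example (not Malwarebytes’ or Deepviz’s code): it parses a sandbox call list like the one for 1.exe, folds the ANSI/Unicode variants together so the two GetModuleFileName entries count as one API, and maps calls to behaviour categories. The category table is an assumption built from the post’s observations (WinHttpOpen for network, URLDownloadToFile for downloaders, GetWindowDC for screen-grabbers) plus a few common companions; the unnamed entry in the list above is omitted.

```python
"""Triage a sandbox API-call list by mapping calls to behaviour categories."""
import re
from collections import defaultdict

# Indicator table (assumed, not from the original post): base API -> category.
# Housekeeping calls (GetProcAddress, LocalAlloc, ExitProcess, ...) are left
# out on purpose: the post notes they say little about an executable's nature.
INDICATORS = {
    "WinHttpOpen": "network",
    "WinHttpConnect": "network",
    "WinHttpSendRequest": "network",
    "InternetOpen": "network",
    "URLDownloadToFile": "downloader",
    "GetWindowDC": "screen-capture",
    "BitBlt": "screen-capture",
    "GetAsyncKeyState": "keylogging",
    "SetWindowsHookEx": "keylogging",
    "CreateRemoteThread": "injection",
    "WriteProcessMemory": "injection",
}

# Constructed transcription of the sandbox list shown in the post for 1.exe,
# one API per line, with the A/W variants a trace would record.
SAMPLE_TRACE = """
GetModuleHandleA
GetProcAddress
CreateStreamOnHGlobal
StrStrA
wsprintfA
WinHttpOpen
GetModuleFileNameW
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess
"""

# A trailing A (ANSI) or W (Unicode) after a lowercase letter is a variant
# suffix: GetModuleFileNameW and GetModuleFileNameA are the same API.
_VARIANT_SUFFIX = re.compile(r"(?<=[a-z])[AW]$")


def normalize(api):
    """Return the base API name with any ANSI/Unicode suffix removed."""
    return _VARIANT_SUFFIX.sub("", api.strip())


def parse_trace(text):
    """Parse a sandbox list (one API per line) into normalized names."""
    return [normalize(line) for line in text.splitlines() if line.strip()]


def triage(calls):
    """Map calls to indicator categories.

    Returns ({category: [apis]}, noise_ratio). The noise ratio is the share of
    calls that hit no category; a high ratio with few hits is what the post's
    warning about padding with useless calls looks like in practice.
    """
    hits = defaultdict(list)
    for name in calls:
        category = INDICATORS.get(name)
        if category and name not in hits[category]:
            hits[category].append(name)
    flagged = sum(len(apis) for apis in hits.values())
    noise = 1 - flagged / len(calls) if calls else 0.0
    return dict(hits), noise


def verdict(hits):
    """Summarize the categories seen; with none, fall back to traffic analysis
    as the post did (URL Revealer, then Wireshark)."""
    if not hits:
        return "no behavioural indicators: inspect the traffic instead"
    return "suspicious: " + ", ".join(sorted(hits))


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    hits, noise = triage(calls)
    print(verdict(hits), "|", hits, "| noise ratio %.2f" % noise)
```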

The post Analyzing malware by API calls appeared first on Malwarebytes Labs.
