Nov 30, 2017

An IRISSCON 2018 roundup

Last week, some 400-plus attendees listened to a wide variety of infosec topics at the ninth annual IRISSCON, Ireland’s longest-running security event.

I already talked a fair bit about this one a few weeks back, so rather than repeat myself, I’ll let the videos do the talking. First up, the Keynote:

Next, a great and brutally honest talk by Quentyn Taylor about the day-to-day dealings of a CISO. Humorous and filled with truth bombs—what could be better?

Back in July, I gave my Mahkra ni Orroz talk at SteelCon, and I was lucky enough to give a retooled version for IRISSCON, now with revised slides, additional content, extra information, and a few of the wrinkles mentioned in this blog post ironed out.

If you want a good introduction to the world of physical security and social engineering your way into places you shouldn’t be, then this talk by FreakyClown will likely be just what the tailgating doctor ordered:

The tale of how Lee Munson got into security—and stayed there—is definitely worth checking out, especially as it shines a light on how many people with no security qualifications make valuable contributions to the industry.

A splash of human nature to go with your computer security, courtesy of Dr. Jessica Barker:

There are a few pieces of coverage for the event over on The Register [1], [2], [3], and you can catch the rest of the talks on the official IRISSCERT YouTube channel.

The post An IRISSCON 2018 roundup appeared first on Malwarebytes Labs.

Powered by WPeMatico

Nov 29, 2017

Persistent drive-by cryptomining coming to a browser near you

Since our last blog on drive-by cryptomining, we are witnessing more and more cases of abuse involving the infamous Coinhive service that allows websites to use their visitors to mine the Monero cryptocurrency. Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once.

One of the major drawbacks of web-based cryptomining we mentioned in our paper was its ephemeral nature compared to persistent malware that can run a miner for as long as the computer remains infected. Indeed, when users close their browser, the cryptomining activity will also stop, thereby cutting out the perpetrators’ profit.

However, we have come across a technique that allows dubious website owners or attackers that have compromised sites to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser. Results may vary with other browsers. What we observed was the following:

  • A user visits a website, which silently loads cryptomining code.
  • CPU activity rises but is not maxed out.
  • The user leaves the site and closes the Chrome window.
  • CPU activity remains higher than normal as cryptomining continues.

The trick is that although the visible browser windows are closed, a hidden one remains open. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule:

  • Horizontal position = ( current screen x resolution ) – 100
  • Vertical position = ( current screen y resolution ) – 40

If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and the hidden window will pop back into view:

A look under the hood

This particular event was caught on an adult site that was already using aggressive advertising tricks. Looking at the network traffic, we can see where the rogue browser window came from and what it loaded.

The pop-under window (elthamely[.]com) is launched by the Ad Maven ad network (see previous post about bypassing adblockers), which in turn loads resources from Amazon (cloudfront[.]net). This is not the first cryptominer being hosted on AWS, but this one does things a little bit differently by retrieving a payload from yet another domain (

We notice some functions that come straight from the Coinhive documentation, such as .hasWASMSupport(), which checks whether the browser supports WebAssembly, a newer format that allows code to take full advantage of the hardware’s capability directly from the browser. If it doesn’t, the miner falls back to the slower JavaScript version (asm.js).

The WebAssembly module (.wasm) is downloaded from hatevery[.]info and contains references to cryptonight, the API used to mine Monero. As mentioned above, the mining is being throttled to have a moderate impact on users’ machines so that it stays under the radar.
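The chain described above (pop-under from the ad network, launchpad script, WebAssembly miner pulled from yet another domain) can be spotted in proxy logs. The following is an added example, not code from the post or from Coinhive; the `Request` record and the `*.example` hosts are constructed stand-ins for the real indicators.

```python
"""Spot the drive-by mining chain described above in proxy-log style records.

Constructed sample data stands in for the post's domains; the placeholder
hosts (*.example) are not the real indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Markers taken from the post: Coinhive's .hasWASMSupport() check and the
# cryptonight references inside the WebAssembly module.
MINER_MARKERS = re.compile(r"hasWASMSupport|cryptonight|coinhive", re.IGNORECASE)


@dataclass
class Request:
    host: str                 # server the request went to
    path: str
    referer: Optional[str]    # URL of the document that triggered the request
    content_type: str
    body: str = ""            # first bytes of the response, if the proxy kept them


def host_of(url: Optional[str]) -> Optional[str]:
    """Return the lowercase host part of an http(s) URL, or None."""
    m = re.match(r"^https?://([^/:?#]+)", url or "")
    return m.group(1).lower() if m else None


def find_mining_indicators(reqs: List[Request]) -> List[Tuple[str, str]]:
    """Return (indicator, host) pairs for the two behaviours the post describes:
    a .wasm miner fetched from a domain other than the page that loaded it, and
    a script carrying Coinhive API names."""
    findings = []
    for r in reqs:
        ref_host = host_of(r.referer)
        is_wasm = r.path.lower().endswith(".wasm") or r.content_type == "application/wasm"
        if is_wasm and ref_host and ref_host != r.host:
            findings.append(("wasm-from-other-domain", r.host))
        if "javascript" in r.content_type and MINER_MARKERS.search(r.body):
            findings.append(("miner-api-in-script", r.host))
    return findings


def redirect_chain(reqs: List[Request], final_host: str) -> List[str]:
    """Walk Referer headers backwards from final_host to rebuild the pop-under
    chain (site -> pop-under -> launchpad/miner). Keeps the last request per host."""
    by_host = {r.host: r for r in reqs}
    chain, cur = [final_host], final_host
    while cur in by_host:
        prev = host_of(by_host[cur].referer)
        if prev is None or prev in chain:      # top of the chain, or a referer loop
            break
        chain.insert(0, prev)
        cur = prev
    return chain


# Constructed sample: adult site -> pop-under -> launchpad script -> miner module.
SAMPLE = [
    Request("adult-site.example", "/", None, "text/html"),
    Request("popunder.example", "/", "https://adult-site.example/", "text/html"),
    Request("launchpad.example.net", "/ad.js", "https://popunder.example/",
            "application/javascript", "if(miner.hasWASMSupport()){miner.start();}"),
    Request("miner.example.org", "/cn.wasm", "https://popunder.example/", "application/wasm"),
]

if __name__ == "__main__":
    for indicator, host in find_mining_indicators(SAMPLE):
        print(f"{indicator}: {host}")
    print(" -> ".join(redirect_chain(SAMPLE, "miner.example.org")))
```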


This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. More technical users will want to run Task Manager to ensure there are no leftover browser processes running, and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.

More abuse on the horizon

Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons. Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement. History shows us that trying to get rid of ads failed before, but only time will tell if this will be any different.

Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers.

Indicators of compromise

  • yourporn[.]sexy – Adult site
  • elthamely[.]com – Ad Maven popunder
  • d3iz6lralvg77g[.] – Advertiser's launchpad
  • hatevery[.]info – Cryptomining site

Cryptonight WebAssembly module:


The post Persistent drive-by cryptomining coming to a browser near you appeared first on Malwarebytes Labs.


Nov 29, 2017

Serious macOS vulnerability exposes the root user

Update: 9:29 am PT: Apple has now released a fix for the bug described here. That fix is part of Security Update 2017-001, which is available from the Mac App Store, in the Updates tab, with the label “Install this update as soon as possible.” (Somewhat confusingly, there have already been previous Security Update 2017-001 releases, for unrelated issues, for Sierra, El Capitan and Yosemite.) This update should be installed as soon as possible, and does not require a restart.

On Tuesday afternoon, a tweet about a vulnerability in macOS High Sierra set off a firestorm of commentary throughout the Twitterverse and elsewhere.

It turns out that the issue in question works with any authentication dialog in High Sierra. For example, in any pane in System Preferences, click the padlock icon to unlock it and an authentication dialog will appear. Similarly, if you try to move a file into a folder you don’t have access to, you’ll be asked to authenticate:

Enter “root” as the username, and leave the password field blank. It may work on the first try, but more likely it will take two or a few more attempts.

When the authentication window disappears, whatever action you were attempting will be done, without any password required.

Let’s take a step back for just a moment and consider what this means. On a Unix system, such as macOS, there is one user to rule them all. (One user to find them. One user to bring them all and in the darkness bind them. /end obligatory nerdy Lord of the Rings reference)

That user is the “root” user. The root user is given the power to change anything on the system. There are some exceptions to that on recent versions of macOS, but even so, the root user is the single most powerful user with more control over the system than any other.

Being able to authenticate as the root user without a password is serious, but unfortunately, the problem gets worse. After this bug has been triggered, it turns out you can do anything as root on the first try, without a password.

The root user, which has no password by default, is normally disabled. While the root user is disabled, it should not be possible for anyone to log in as root. This is how macOS has worked since day one, and it has never been an issue before, but this vulnerability causes the root user to become enabled… with no password.

Unfortunately, this means that anyone will be able to log into your Mac using user “root” and no password!

Note that this does not require that the login window be set to always ask for a username and password. If you have it set to display a list of user icons instead, after triggering this vulnerability, there will be an “Other…” icon that will be present on the login screen. Clicking that will allow you to manually enter “root” with no password.

Remote access

This bug does not appear to be exploitable through some of the remote access services that can be enabled in the Sharing pane of System Preferences. Remote Login, which enables access via SSH, does not appear to be exploitable in our testing, nor does File Sharing. Even after triggering the bug and, thus, enabling the root user with no password, we were not able to connect to the vulnerable Mac through these methods.

Unfortunately, it looks like Screen Sharing, which allows you to view and remotely control the screen of your Mac, is vulnerable to this bug. In fact, it can actually be used to trigger this bug, without needing to rely on the root user already having been enabled!

In the screen sharing authentication window on a remote Mac, the same technique can be used. We were able to connect via screen sharing, using “root” as the username and no password, on the second attempt. At that point, the root user was enabled on the remote Mac, and we were able to log in to the root account via screen sharing without any blatant indication that we were doing so appearing on the screen shown to the logged in user on the target Mac. (An icon does appear in the menu bar on the target Mac, but it is not immediately obvious what that icon means. The average user will likely never notice the new icon.)

Unforeseen consequences

Once someone is logged into your Mac as root, they can do whatever they want, including accessing your files, installing spyware, you name it. So, in other words, if you were to leave your Mac unattended for 30 seconds, someone could backdoor it and have a very powerful way in later.

Suppose that you are Suzy, an average office worker in a cubicle farm. You step away from your desk for a moment to grab a cup of coffee. You’ll only be gone for about a minute, and don’t bother locking your screen. While you’re gone, Bob from the next cubicle comes over and “roots” your computer.

Later, you go to lunch. You’re gone for an hour, and Bob knows this because he’s familiar with your routine. He uses the root user to log into your Mac and install spyware—perhaps something to peep through the webcam, hoping to catch you in a compromising position later on when you’ve taken your MacBook Pro home with you.

Of course, all that’s even easier if you have screen sharing turned on, and he can install the spyware remotely, without ever touching your Mac.

Creeped out yet?

Fortunately, if you have your Mac’s hard drive encrypted with FileVault, this will prevent the attacker from having a persistent backdoor. In order to log in, the attacker would have to know the password that will unlock FileVault. Not even the all-powerful root user can access an encrypted FileVault drive without the password.

It’s also worth pointing out that a well-prepared attacker with access to your unlocked Mac could install spyware in less than a minute without relying on this vulnerability and without needing an admin password of any kind (depending on what the spyware does). Some spyware can be installed with normal user privileges.

Further, with a longer interval of unsupervised physical access to any Mac that doesn’t have FileVault turned on, an attacker can install spyware of any kind without needing an admin password.

Avoiding an attack using this vulnerability is actually fairly trivial. Just turn on FileVault, and always lock your Mac’s screen or log out when you’re away from it. While you’re at it, set a firmware password. And, to prevent remote access, turn off all services in System Preferences -> Sharing as a precaution.

Still, this is a very serious vulnerability, which Apple needs to address as quickly as possible. We contacted Apple for comment, but by the time of this writing, had not heard back.

Undoing the damage

If you, like many, have tried this out on your own Mac, you’ve opened up a potential backdoor. Fortunately, closing that door isn’t particularly hard, if you know the door is there and that it’s open.

First, open the Directory Utility application. It’s buried deep in the system where it’s hard to find, but there’s an easy way to open it. Just use Spotlight. Click the magnifying glass icon at the right side of the menu bar, or press command-space, to invoke Spotlight. Then start typing Directory Utility in the search window. Once the application is found, simply double-click it in the list to open it. (Or, even easier, press return once it’s selected in the search results.)

Once Directory Utility opens, click the lock icon in the bottom left corner of the window to unlock it. Then, pull down the Edit menu.

If you see an item reading Enable Root User, as shown in the screenshot above, you’re good. Whatever you did, the root user wasn’t enabled. Quit Directory Utility, and go about your business.

If, instead, you see an item reading Disable Root User, choose that. The root user will be disabled again, as it should be, and it will no longer be possible to log in as the root user from the login screen. Just be aware that this does nothing to protect against the vulnerability, so the root user could easily be enabled again.

Be sure to take the other measures described above to secure your system against unauthorized physical access. Namely, turn on FileVault, always lock your Mac’s screen or log out when you’re away from it, set a firmware password, and turn off all services in System Preferences -> Sharing.
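The Directory Utility check above has a command-line counterpart. The following is an added example, not from the post or from Apple: it queries the local directory with `dscl` and assumes that a disabled root account has no AuthenticationAuthority value (dscl answers “No such key”), while an enabled one holds a `;ShadowHash;`-style value; `sudo dsenableroot -d` is the CLI equivalent of choosing Disable Root User.

```python
"""Report whether the root account is enabled on this Mac (added example).

Assumption: when root is disabled, dscl has no AuthenticationAuthority value
for /Users/root and answers "No such key"; once root has been enabled (by the
bug or by hand) the attribute holds a ;ShadowHash; style value.
"""
import subprocess

DSCL_QUERY = ["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"]
ATTR = "AuthenticationAuthority:"


def root_enabled_from_output(dscl_output: str) -> bool:
    """Interpret the combined stdout/stderr text of the dscl query."""
    text = dscl_output.strip()
    if not text or "No such key" in text:
        return False
    idx = text.find(ATTR)
    if idx == -1:
        return False
    # dscl prints the values on the same line, or one per following line
    return bool(text[idx + len(ATTR):].strip())


def check_local_root() -> bool:
    """Run the query on this machine (macOS only) and interpret the answer."""
    proc = subprocess.run(DSCL_QUERY, capture_output=True, text=True, check=False)
    return root_enabled_from_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    if check_local_root():
        print("root account is ENABLED; disable it with 'sudo dsenableroot -d' "
              "or via Directory Utility as described above")
    else:
        print("root account is disabled")
```

Re-run the check after the fix; as the post notes, disabling root does not patch the bug, so the account can be re-enabled until Security Update 2017-001 is installed.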

The post Serious macOS vulnerability exposes the root user appeared first on Malwarebytes Labs.


Nov 28, 2017

Please don’t buy this: identity theft protection services

With an ever-increasing tempo of third-party breaches spilling consumer data all across the dark web, a natural impulse for a security-savvy user is to do something proactive to protect their sensitive information. After Equifax, there was an explosion of interest in credit monitoring and identity theft protection services. But most of these services offer limited value for the money, and in many cases, are subsidiaries of entities prone to leaking information in the first place. Sometimes doing something isn’t the best option.

What do they do?

Before we get into the problems with identity theft protection services, let’s break down which services are actually offered, and in exchange for what. Identity protection services usually start by collecting your personal information, including the following:

  • your birthdate
  • your social security number
  • your address
  • your email address(es)
  • your phone number(s)

A company like Lifelock would then use “proprietary technology that searches for a wide range of threats to your identity.” (Sidenote: Subsuming an entire discussion of one’s product under “technology that searches” is usually a red flag, albeit a small one.) If any threats are found, they will notify you and provide some handholding to rectify the situation. In addition, they offer an insurance policy that provides reimbursement of any monetary losses. Starting price for these services runs around $109 per year.

IdentityWorks is another service run by one of the major credit bureaus, Experian. IdentityWorks has an introductory product for $9.99 per month that offers credit monitoring, a credit lock (something different from a freeze), identity theft insurance, and a customer service line for fraud resolution.

IdentityForce tends to be ranked higher in comparison to other services. They provide credit monitoring, bank account monitoring (not found in most other products), change of address monitoring, court record monitoring, as well as general personal information protection. Their recovery services are mostly the same though, including a customer service line for fraud resolution, identity theft protection insurance, and stolen funds replacement up to $1 million, depending on where you live. Standard cost is $17.95 per month.

Why shouldn’t I buy it?

Brian Krebs, a security researcher who’s arguably one of the biggest public targets for identity theft and financial crime, wrote a blog on credit monitoring services, stating that while some of these and other ID protection services are helpful for those who’ve already been snaked by ID thieves, they don’t do much to prevent the crime from happening in the first place.

Searching the darknet for your personal information is something advertised by almost all of these companies. What they don’t disclose is that a darknet site is almost always hosted on a “bulletproof” hosting service that will not respond to takedown requests or legal threats. So while essentially anybody can fire up the Tor Browser and find your social security number on a dark website, almost nobody (including those in ID protection services) can actually do anything about it. All they can do is alert you.

Our big issue with paying for an identity theft protection service—besides the fact that the service doesn’t actually protect against identity theft—is that the insurance you would be forking out for is coverage most users already have under Visa and Mastercard zero liability rules. Another is the narrow focus on credit, typically to the exclusion of bank accounts, mortgage loans, and tax fraud. Lastly, account application notifications can’t actually prevent creditors from doing a “hard pull” on your credit, which dings your credit score.

Who else is looking at your data?

Somewhat more concerning is the lack of transparency concerning where these companies draw their data for analysis and alerting. Lifelock, in particular, outsources its credit monitoring services to… Equifax. In September of this year, the LA Times reported on the relationship between Lifelock and Equifax, noting that in some instances, purchasing services would require the end user to give Equifax more information than it would otherwise have.

Does anyone, anywhere, want to give more personal data to Equifax?

How many competing companies also rely on the credit bureaus for monitoring services? While Equifax was the loudest and most recent breach in memory, odds are good that the other credit bureaus operating on an identical business model have identical security practices. As a reminder, Experian offers its own service, IdentityWorks, backed by data services it does not disclose and personal information you did not consent to give.

As well as the red flags above, there are some slightly more ambiguous questions regarding these services that users should evaluate before purchase. For example: Is it a responsible threat model to protect against third-party data breaches by handing over even more data to a third party? Doesn’t that create ostensibly the biggest online target in the world?

And looking at the problem from another angle: If the biggest players in the industry rely on agreements with credit bureaus to do at least a portion of their monitoring, why aren’t the bureaus doing this for all of us? Given that Transunion, Equifax, and Experian took it upon themselves to collect our financial data without consent, don’t they have a responsibility to protect it with industry standard best practices? As a reminder, Equifax was not breached by an arcane APT attack. They were breached by negligence.


Identity theft monitoring services sound great on the surface. They’re not that expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don’t, at present, protect against the worst impacts of identity theft—the theft itself. Instead, they duplicate free services and, worst of all, let the credit bureaus off the hook for improving their security.

Please don’t buy this. Instead, you can stay relatively safe by learning about credit freezes and other steps to take in order to protect your identity when data is stolen or tax fraud is committed.

The post Please don’t buy this: identity theft protection services appeared first on Malwarebytes Labs.


Nov 27, 2017

Terror exploit kit goes HTTPS all the way

We’ve been following the Terror exploit kit during the past few months and observed notable changes in both its redirection mechanism and infrastructure, which have made capturing it in the wild a more challenging task.

Unlike the RIG exploit kit, which uses predictable URI patterns and distribution channels, Terror EK is constantly attempting to evade detection by using malvertising chains without any static upper referrers (at least to our knowledge) combined with multi-step filtering in some cases, as well as HTTPS throughout the delivery sequence.

Traffic redirection

We’ve noticed consistent malvertising incidents via the Propeller Ads Media ad network, followed by the advertiser’s campaign, which we were able to recognize through URI patterns and other identifying creative choices. Ultimately, the ad redirected to the exploit kit’s first check-in page, which acts as both a decoy and launchpad.

Over time, the threat actors behind Terror have been trying to hide the call to the exploit kit. In one example, they created overly long URLs and used obfuscation to mask their iframe. Interestingly, in other sequences, we witnessed an additional type of filtering that uses unique subdomains. The user is first taken to a page whose current theme is cheap flights and hotels, containing what looks like an affiliate link to the travel site

But the main point of focus here is the additional invisible iframe, created with a unique 15-digit subdomain and refreshed for each new visit:

This iframe is what creates the final call to the exploit kit landing page. We believe this setup may be to prevent replays that attempt to step over the normal redirection flow, although it was only used for a short period of time.

HTTPS all the things

In late August 2017, we saw Terror EK make an attempt at HTTPS by using free SSL certificates, although it kept switching back and forth between HTTP and HTTPS. At times, there also seemed to be problems with domains that had the wrong certificate:

However, in recent days we’ve observed a constant use of SSL, not only for the exploit kit itself but also at the upper redirection stage.

This is what the traffic looks like using a customized version of the Fiddler web debugger set up as a man-in-the-middle proxy:

Without using a MITM proxy, network administrators will see the SSL handshake with the corresponding server’s IP address, but not the full URIs or content being sent:

Terror EK is one of few exploit kits to have used SSL encryption this year, the other well-documented one being Astrum EK, used in large malvertising attacks via the AdGholas group. Also, unlike RIG EK, which appears to have permanently switched to IP literal URIs after operation ShadowFall, Terror is making full use of domains using new/abused TLDs.

As usual, Terror EK is dropping Smoke Loader, which in turn downloads several more payloads, likely to generate a lot of noise on the network:


Despite no significant advancement with more powerful vulnerabilities being integrated, exploit kit authors are nonetheless still leveraging malvertising as their primary distribution method and attempting to evade detection from the security community, which they monitor closely.

In light of these new challenges, security defenders must also understand the malicious techniques that are used by threat actors in order to adapt their tools and procedures and keep tracking the new campaigns taking place.

Indicators of compromise

Terror EK-related IP addresses and domains:

SSL certificates:

CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

[Serial Numbers]



Smoke Loader


Other drops:


The post Terror exploit kit goes HTTPS all the way appeared first on Malwarebytes Labs.


Nov 27, 2017

Week in security (November 20 – November 26)

Last week we warned you about a new method by which the Mac malware OSX.Proton is being spread, we informed you where all those free Bitcoins you were texted about were being held up, how the EU intends to battle fake news, and how the Terdot Trojan likes social media. We also revealed our 2018 security predictions.

Other news

  • Due to a zero-entropy implementation of Address Space Layout Randomization (ASLR), the Windows 10 defense is ‘worthless’, and this bug dates back to Windows 8. (Source: ZDNet)
  • A new tech support scam technique streamlines the entire scam experience, leaving the potential victims only one click or tap away from speaking with a scammer. (Source: Microsoft blog)
  • You have less than 90 days to claim your share of $586 million refund if you were scammed via (not by) Western Union. (Source: Tripwire)
  • Firefox 59 to make it a lot harder to use data URIs in phishing attacks, as it will stop rendering them in certain scenarios. (Source: Virusbulletin blog)
  • An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK. (Source: SecurityWeek)
  • Regulators to press Uber after it admits covering up a data breach containing some personal information of 57 million Uber users around the world. (Sources: Reuters and Uber press release)
  • Security researchers have discovered a potentially dangerous vulnerability in the firmware of various Hewlett Packard (HP) enterprise printer models that could be abused by attackers to run arbitrary code on affected printer models remotely. (Source: The Hacker News)
  • Facebook will soon be creating a portal to enable people to learn which of the Internet Research Agency (Russian activity) Facebook pages or Instagram accounts they may have liked or followed. (Source: Facebook Newsroom)
  • Imgur came clean about a security breach that took place in 2014. During the incident, Imgur says an unknown attacker managed to steal details on 1.7 million users. (Source: Bleeping Computer and Imgur blog)
  • KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data. The user only needs to know a handful of static details about a person that are broadly for sale in the cybercrime underground. (Source: KrebsonSecurity)

Stay safe everyone!

The post Week in security (November 20 – November 26) appeared first on Malwarebytes Labs.


Nov 27, 2017

Mobile Menace Monday: Chrome declares war on unwanted redirects

As announced earlier this year, Google is initiating its plan to implement a few new changes in Chrome to defend against unwanted web redirects. A redirect happens when a website different from the URL that was entered opens in the browser. Sometimes redirects are intentional, as when an organization/website is bought out by another entity and its traffic is redirected to the new owner. However, sometimes redirects are malicious and unwanted.

An unwanted redirect happens when a webpage unintentionally opens in the browser due to maliciously embedded JavaScript code. These unintended redirects often come from third-party content, and they are conducted unbeknownst to the webpage’s author. The most common method of a malicious redirect is the following: After clicking a link, the desired webpage is opened in a new tab, but then an additional redirected (unwanted) webpage is opened in the main window.

Google will be rolling out updates with three new solutions to block unwanted redirects. These updates will be in addition to features that already exist, such as Chrome’s pop-up blocker and autoplay protections.

Google’s new anti-redirect features

Google’s first step in dealing with redirects is a new way of handling iframes in Chrome 64. All redirects originating from third-party iframes will show an infobar instead of redirecting, unless the user is interacting with that frame. If the user ignores the infobar and interacts with the frame’s content, the redirect will still go ahead.

An example of a redirect blocked on a test site. The iframes embedded in the site are attempting to navigate the page to an unintended destination, but Chrome prevents the redirect and shows an Infobar.

Another new feature, implemented in Chrome 65, will detect the common behavior of redirecting the main window, described above. Once again, the infobar will trigger and prevent the main window from redirecting. This will keep the user on the page they intended, and prevent annoying or intrusive advertisements, such as videos that autoplay with sound or interstitial ads that take up the entire screen.
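Site owners do not have to wait for Chrome 64 to stop third-party frames from navigating the main window: the iframe `sandbox` attribute already controls this, and `allow-top-navigation-by-user-activation` gives the same click-gated behaviour the post describes. The following audit script is an added example, not from the post or from Google; the sample HTML is constructed.

```python
"""Audit a page's <iframe> tags for the sandbox tokens that decide whether a
third-party frame may redirect the top-level window (added example)."""
from html.parser import HTMLParser
from typing import List, Tuple


class IframeAuditor(HTMLParser):
    """Collect (src, verdict) for every <iframe> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = dict(attrs)
        src = attr.get("src") or ""
        if "sandbox" not in attr:
            # no sandbox: script in the frame can set window.top.location at will
            verdict = "unsandboxed"
        else:
            # a bare `sandbox` attribute is parsed as None; treat it as no tokens
            tokens = set((attr["sandbox"] or "").lower().split())
            if "allow-top-navigation" in tokens:
                verdict = "allow-top-navigation"       # redirect possible without a click
            elif "allow-top-navigation-by-user-activation" in tokens:
                verdict = "user-activation-only"       # the behaviour Chrome 64 enforces by default
            else:
                verdict = "top-navigation-blocked"
        self.findings.append((src, verdict))


def audit_iframes(html: str) -> List[Tuple[str, str]]:
    """Return the verdict for each iframe in document order."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page with one frame of each kind.
SAMPLE_HTML = """
<html><body>
<iframe src="https://ads.example/a"></iframe>
<iframe src="https://ads.example/b" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/c" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://ads.example/d" sandbox></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, verdict in audit_iframes(SAMPLE_HTML):
        print(f"{verdict:24} {src}")
```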

Some other Google Chrome protection features

In addition to preventing redirects, Google will also protect against several other types of abusive experiences, such as links that send users to unexpected destinations, including deceptively disguised links to third-party websites. Historically, these have been hard to detect automatically. The links can hide as fake Google Play buttons, fake site controls, or transparent overlays on websites. These malicious links capture all clicks and open new tabs or windows.

Google announced that in early January, Chrome’s pop-up blocker will also get an update. It will start preventing sites with these types of abusive experiences from opening new windows or tabs. Basically, it will serve much the same function as Google Safe Browsing does, protecting users from malicious content and making sure that ad offenders don’t frustrate or take advantage of users.

Google is helping site owners prepare for these changes with a new Abusive Experiences Report. Site owners can use the report feature to check if any of these abusive experiences have been found on their site and make proper changes accordingly. Otherwise, they have 30 days before Chrome will begin blocking the site from opening new tabs and windows.

In Google we (are forced to) trust

We all know that where there are benefits, there are also consequences. How Google handles its bigger ad-blocking initiative will be something to watch closely. There are of course drawbacks to building an ad blocker into Chrome, the most egregious being the amount of power it gives Google. Chrome ad blocker doesn’t just help publishers, it also helps Google maintain its dominance.

Eventually, it means Google gets to decide what qualifies as an acceptable ad (even though it’s basing this on standards set by the Coalition for Better Ads). That’s a good thing if you trust Google, but let’s keep in mind that Google is an ad company. Nearly 89 percent of its revenue comes from displaying ads. Just some food for thought.

Solutions for mobile

Malicious redirects are becoming commonplace on mobile devices. Most mobile browsers, like Chrome, don’t do a great job of preventing these redirects, which also cause ad pop-ups. Advertising affiliates are aware of this and exploit this weakness. Even when an advertising affiliate is shut down for using redirect exploits, it doesn’t stay shut down. All they need to do is get a different affiliate ID, and they are right back in business.

We are crossing our fingers that the new features in Chrome will finally stop redirects. If not, though, we can offer a couple of other solutions to help: disable JavaScript, install a browser with built-in ad blocking (like Opera), and/or install Adblock Plus. If all else fails, and you are still encountering pop-ups, you can back out of them using Android’s back key. Also, clearing your history and cache will help stop the ads from reoccurring.

Detecting phishing URLs

Malwarebytes for Android also contributes to the fight against frustrating unwanted websites with a couple of features. First, we automatically detect if phishing URLs are in any incoming text message (SMS). Next, we detect phishing URLs in any text provided by the user. You can do this by simply selecting any text you’d like to scan on your mobile device. After selecting, just share the selected text with Malwarebytes for Android and we’ll alert you to any phishing URLs.

Lastly, we have a great feature that aids in a safer browsing experience. It scans for phishing URLs in Chrome and alerts you when any are detected. Disclaimer: we can only alert, not block. We do this by using the accessibility service built into the Android OS. Thus, when you see Malwarebytes for Android asking for accessibility service permissions, it’s strictly for our phishing URL scanner. As always, we dedicate ourselves to keeping you safe, even from unwanted links.

The post Mobile Menace Monday: Chrome declares war on unwanted redirects appeared first on Malwarebytes Labs.


Nov 22, 2017

Terdot Trojan likes social media

We usually advise people that have fallen victim to banker Trojans to change all their passwords, especially the ones that are related to their financial sites and apps. Besides the dangers of re-used passwords, there are other reasons why this is important. This advice is especially applicable to a Trojan making the rounds called Terdot.

Our friends at Bitdefender wrote a white paper about the Terdot Trojan that shows how this offspring of Zeus can not only monitor and modify your Facebook, Twitter, YouTube, and Google Plus traffic, but also spy on webmail platforms like Microsoft’s login page, Yahoo Mail, and Gmail.

Hasherezade already saw this coming at the start of this year when she warned us that Terdot spies and also modifies the displayed content by “WebInjects” and “WebFakes.”

The Terdot Trojan is spread both by email, using infected attachments, and by the Sundown exploit kit. It uses a complex method to download and activate the malware on the targeted system, most likely to throw security researchers off the scent. Once established, it uses its own security certificate to bypass TLS restrictions and set up a man-in-the-middle (MitM) proxy.

This Terdot variant only targets Windows systems that are not running a Russian-language operating system. Its main targets are in the US, Canada, the UK, Germany, and Australia. The added functionality for social media might be used in different ways. Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender, told ZDNet:

“Social media accounts can also be used as a propagation mechanism once the malware is instructed to post links to downloadable copies of the malware. Additionally, the malware can also steal account login information and cookies, so its operators can hijack the social network account and re-sell access to it, for instance.”

Malwarebytes detects the installers as Trojan.Terdot:

And blocks the download URLs:


Stay safe out there and get protected.

The post Terdot Trojan likes social media appeared first on Malwarebytes Labs.


Nov 21, 2017

How the EU intends to battle fake news

Last week the European Union issued a press release to announce its next steps against fake news.

These steps will be the launch of a public consultation and the setup of a high-level expert group representing academics, online platforms, news media, and civil society organizations.

The first results of the information gathered by the consultation are expected in April 2018. Despite other initiatives against fake news and online disinformation, like the First Draft Coalition (which has the cooperation of Twitter and YouTube, among others) or International Fact Checking Day (April 2), the amount of fake news being generated and disseminated is still on the rise, especially on social media.

One of the questions in the public consultation

The reason for action

A Eurobarometer survey published on November 17, 2016 showed that European citizens are worried about the independence of the media, and levels of trust in media are low. For example, 55 percent of Europeans stated that they lost their trust in the news presented on social media. Personally, I feel that number should even be higher—and it probably is after what has happened in the year that passed since the survey was published.

European Commission First Vice-President Frans Timmermans said:

The freedom to receive and impart information and the pluralism of the media are enshrined in the EU’s Charter of Fundamental Rights. We live in an era where the flow of information and misinformation has become almost overwhelming. That is why we need to give our citizens the tools to identify fake news, improve trust online, and manage the information they receive.

It has become clear that fake news and online disinformation have become a deliberate method to taint the reputations of public persons and institutions, to influence the outcome of democratic processes, and to change the public opinion on important matters like health care, environmental changes, immigration, and terrorism.

The latest technologies and the number of people that are active on social media have increased not only the impact of fake news, but also the speed with which it’s being spread.

The countermeasures of the EU

The first step outlined by the EU is a public consultation. Citizens, social media platforms, news organizations (broadcasters, print media, news agencies, online media and fact-checkers), researchers, and public authorities are all invited to share their views in the public consultation until mid-February 2018.

The consultation is set up as a number of multiple-choice questions and only addresses fake news and disinformation online when the content is not illegal per se, and thus not covered by existing legislative and self-regulatory actions.

The commission is inviting experts to apply for the high-level group on fake news to advise on scoping the phenomenon, defining the roles and responsibilities of relevant stakeholders, grasping the international dimension, taking stock of the positions at stake, and formulating recommendations. The commission aims at a balanced selection of the experts from each field, be it academia or civil society.

The results are expected to:

  • Determine the scope of the problem, i.e. how fake news is perceived by citizens and stakeholders, how aware they are of online disinformation, and how much they trust different media.
  • Give a first assessment of measures already taken by platforms, news media companies, and civil society organizations to counter the spread of fake news online, as well as positions on the roles and responsibilities of the relevant stakeholders.
  • Advise on possible future actions to strengthen citizens’ access to reliable and verified information and prevent the spread of disinformation online.

What can we expect

As mentioned before, private initiatives have been undertaken in the battle against fake news and online disinformation, but with the authority to implement legislation, the EU can have a bigger impact, and create measures that other institutions can’t enforce. For example, it could:

  • Force social media to close fake accounts.
  • Claim back revenues of websites that utilize online disinformation (and maybe even clickbait) to attract visitors.
  • Set up organizations that look for and flag fake news.
  • Collaborate with existing fact checking organizations to establish a code of conduct for fact-checking.

So far, measures in use by online platforms and news media organizations to counter the spread of fake news only seem to capture a small fraction of the disinformation, and they involve time-consuming human verification of content. Legislation in the field that makes verification mandatory may speed up the development of such methods. One may hope that Artificial Intelligence (AI) can do a more adequate job in the future.

To counter the speed involved in the propagation of fake news, we should act quickly and with accuracy in order to protect against it. On the other hand, we need to be aware of the danger that comes with employing any such methods and not let them fall into the realm of censorship.

Recent examples

If you have any doubts about how serious the problem of fake news has become, and how it leads to unrest and distrust, we invite you to read some of these articles.

Kenya’s election proves fake news is a serious threat to international security

Czech elections show how difficult it is to fix the fake news problem

Russia has launched a Fake News war on Europe. Now Germany is fighting back

Ukraine says it warned Facebook of Russia fake news in 2015

Spain Catalonia: did Russian ‘fake news’ stir things up?

If you are an EU citizen and want to make your voice heard, participate in the public consultation by clicking here to learn more and complete the questionnaire as either a citizen, legal entity, or journalist.

The post How the EU intends to battle fake news appeared first on Malwarebytes Labs.


Nov 21, 2017

Text messages and the Bitcoin Code: follow the money trail

I was a bit surprised to receive lots of messages similar to the one below this past week:

free coins?

I mean, we’ve all done it—managed a bulk text spam campaign offering free Bitcoins in your spare time, while completely forgetting said business exists. Maybe I did it in my sleep? It’s all gone a bit Fight Club. And as we all know, the first rule of Fight Club is “Don’t run a free Bitcoin bulk text spam campaign in your spare time, while completely forgetting said business exists.”

Or maybe not.

Either way, I decided to find out what was going on. Had someone taken a cheeky jab at a security researcher by placing my contact details into the pipeline somewhere, did I actually set up a bulk spam campaign with free Bitcoins at the end of it, or was there a more mundane explanation that didn’t require people to yell at me via capslock?

oh dear

There’s only so much “dashing expectations on the shore” a guy can take. Or, to put it another way…

No wonder everyone was so grumpy.

First up, the text. The only examples I had sent to me were written in Dutch:

text message

“You have 1 Bitcoin in your account. Confirm here: [URL] Current market value: €6064.”

Bitcoin value is through the roof at the moment, so it’s no wonder someone might want to jump on the opportunity. I’d love to see how many people clicked from the text to the URL with the promise of riches already in the bank.

The short link in the text is a text(dot)id URL. The site is registered to an address in Jakarta, Indonesia, but it’s the email address that’s of interest (well, to me, anyway):

email address

Unfortunately, lots of people thought this was me, instead of any of the other numerous Chris Boyds floating around the Internet, hence the confused and occasionally angry, “Where are my coins? Also drones deployed” messages. As it turns out, that email address—mrmessaging—is tied to a bulk mail service, and the Chris Boyd in question appears to own the default address listed for the registered URL. He’s an actual person and everything, and easily found with about 10 seconds of Googling. But he’s not me.

So that’s that short mystery put to bed. Also please stop asking me for Bitcoins.

well hello there

No, really. I insist.

Choice insults aside, the URL redirects to another site located at [snip].

What do we have here? Something called The Bitcoin Code, which bears zero relation to paintings, Tom Hanks, or ancient prophecy.

The Bitcon Code

Time to fire up Google Translate:

Join The Bitcoin Code

The Bitcoin Code is exclusively intended for people who have responded to the outrageous returns Bitcoin offers and who have earned a fortune with it.

The Bitcoin Code Members enjoy month-in-month outs of the most beautiful stays around the world, while they earn their money on their laptop every day with just a few minutes ‘work.’

Actually, this sounds way better than Tom Hanks.

smiling bitcoin man
Hi, I am a former software developer at a large company that I do not want to mention.

I designed the Bitcoin Trading software that generated more than € 18,484,931.77, just in the last 6 months.

This software makes more millionaires faster than the first investors in Uber, Facebook or AirB&B.

If you want to earn a million with Bitcoin, watch the video above and learn how it works.

The short version is, you sign up via email then add in a mobile number and some other pieces of information. After that, you deposit “250 Euro” to get things moving and then it’s automated stock exchange programs and Bitcoin all the way down.

how it works

We can’t vouch for how effective said software may be, but we can definitely confirm it’s nothing to do with my good self, and generally speaking I’d be wary of signing up to random text messages with 250 euros of my hard-earned money—and you should be, too.

As the disclaimer at the bottom of the splash page says:

Significant Risk Reporting: Trading in binary options can lead to major gains, but also entails the risk that part or all of the capital will be lost and this has to be recognized by budding investors. We advise you to read the terms and conditions and the indemnity before making any investment. Customers must inform themselves about the tax rules in the country of establishment. US residents should not be approached to trade commodity options, even when it comes to ‘predictive’ contracts, except when it concerns contracts registered with a CFTC-registered stock exchange or in case of a legal exception.

I’m no Wall Street banker, but that sounds a bit dodgy. My coins—metal, digital, and chocolate—will be staying in my pocket for the time being (apart from the chocolate ones, which are at significant risk of melting, and also the digital ones which only exist in your computer. Not mine. I don’t own any, sorry). Should you receive one of these texts claiming you’re somehow in possession of a Bitcoin, do the block / report / delete dance as fast as your fingers will allow.

The post Text messages and the Bitcoin Code: follow the money trail appeared first on Malwarebytes Labs.
