Archive for NEWS

Caught in the payment fraud net: when, not if?

Sometimes, I think there are three certainties in life: death, taxes, and some form of payment fraud. Security reporter Danny Palmer experienced this a little while ago, and has spent a significant amount of time tracking the journey of his card details from the UK to Suriname. His deep-dive confirmed that it is easy to become tangled up in fraud, even if you’re very careful. I myself have experienced one of the more peculiar forms of credit card theft, detailed below.

Sometimes it’s you…

Right off the bat, let’s clarify that there are ways to both help and hinder the security of your payment information.

Maybe you switched something off while traveling for easy access and forgot to turn it back on at the other end. Perhaps there was some ancient Hotmail account still tied to something important with a password on six hundred thousand password dumps. Maybe you did one of those “Without giving your exact date of birth, please tell us something you’d recognise from your childhood and also your exact date of birth and credit card number” things bouncing around on social media.

These are all ways you can inadvertently generate problems for yourself at a later date.

Sometimes it isn’t you

On the other hand, instead of winding up in one of the above examples, let’s say you successfully navigated all perils.

You secured your desktop, installed some security software, followed the advice to keep your system up to date, and avoided all dubious installs. Locking down your phone was a great idea. Reading some blogs on password managers was the icing on the cake. You’ve done it all, and anything going wrong after this will have to be one heck of a fight.

There is, however, a third path outside of what you do or don’t do to keep data secure.

Occasionally, the issue is elsewhere

Maybe people you don’t know, who you entrusted with the well-being of your card data, did something wrong. Perhaps a Point of Sale terminal is missing vital patches. The store across town didn’t keep an eye on their ATM, and the company responsible for it didn’t have a means to combat the skimmer strapped across the card slot. The clothing store you bought your jacket from did a terrible job of locking down payment data and everything is sitting in the clear.

This is absolutely one of those “whatever will be, will be” moments.

The…good?…news about hacks outside of your control is, they can happen to anyone. Including people who work in security. As a result, you shouldn’t feel like you’ve done something wrong. In many cases, you almost certainly haven’t. It’s way beyond time to normalise the notion that huge servings of guilt aren’t a pre-requisite for data theft.

Setting the scene: My experience with card fraud

When I received my fraud missive through the post, it was shortly after an incredibly time consuming and complicated continent-spanning house move. Did I make a multitude of payments in all directions? You bet. Shipping, storage, local transportation, and a terrifyingly long list of general administrative and paperwork duties from one end of a country to another.

I avoided using my banking debit card throughout the process, relying on my credit card instead. There’s a reason for this.

Interlude: why I used a credit card

If you buy something with your debit card and it ends up with a scammer, you may have problems recovering your funds. You may well have to endure a lengthy dispute process, or prove you weren’t being negligent in order to get your money back.

Increasingly, banks are making this a little harder to do.

If you bank online, you’ll almost certainly have seen a digital caveat any time you go to transfer money. They’re usually along the lines of waiving the ability to reclaim your money back if tricked into sending your cash to a scammer. They’ll ask you to confirm you know who you’re sending the money to or place the responsibility for transferring funds directly on your own shoulders. Perhaps they’ll try and get out of paying up if your PC was compromised by malware. If you pay by cheque, you could get into all sorts of tedious wrangling behind the scenes too.

Even without all of the above, your bank may well have a number of minimum best practices for you to follow. Unless you want to run into potential pitfalls, try and keep things ship-shape there too.

Meanwhile, the credit card is a fast-track to getting your money back, because it’s the incredibly large and powerful credit company getting their money back. You’re just there for the ride, as it were. This in no way removes your requirement to be responsible with your details, but from experience, I’ve had more success righting a cash-related wrong where it involved credit rather than debit. It’s an added form of leverage and protection. The real shame is that isn’t usually the case when paying with your own money. Once again, we’re back in the land of “whatever will be, will be”.

End of interlude: when things go wrong

I don’t know exactly what happened with my card, or who took the details. I’ve no idea if the details were swiped from an insecure database, or a store had Point of Sale malware on a terminal. I can’t say if it was cloned from one of the few times I had to use an ATM.

Stop and think about the places you frequently buy items from. Maybe even draw up a list on a map. You’ll almost certainly have a handful of stores you use regularly, with a few random places thrown in for good measure. Perhaps you avoid ATMs completely, opting for cashback in stores instead. You probably shop online at the same places too, with a few more off-the-beaten-track sites popping up here and there, too.

You may get lucky and discover one of them has had a breach. If they’re small shops or family businesses, sorry…you probably won’t read about it in the news. Website compromises can lay undetected for a long time. Same for Point of Sale malware on physical terminals. Your shopping circle of trust only extends so far and is only useful for figuring out a breach up to a point. After that, it’s guesswork and for various reasons, your bank/credit card company won’t disclose investigation information.

The scammers strike

What I do know, is that a letter came through the door telling me someone had tried to make a purchase of around 14 thousand pounds on my credit card. Their big plan was to order a huge supply of wine from a wine merchant. What I was told by the bank, is that these aren’t places you can typically wander in off the street and throw some wine in a shopping trolley. These are organisations which sell directly to retailers.

Logic suggests that card fraud circles around small, inconspicuous transactions to remain off the grid. Nothing screams small, inconspicuous transactions like “a purchase more than the limit on your card for a bulk supply of rare, expensive wine from a direct to store wine merchant unavailable to the public”.

Though this is outside my realm of experience, my guess is a successful purchase would’ve resulted in the wine being sold on in ways which obscure the source of the original funds. By the time anyone has figured out what happened, the scammer has turned a profit and I’m left holding the incredibly large wine bag.

Luckily for me, “Make small inconspicuous transactions” doesn’t appear to have been in their playbook. Even if the fraud detection team had somehow missed this utterly out of character purchase, the scammers also managed to blow past my credit card limit. I assume the big fraud detection machine exploded and required a bit of a lie down afterwards to recover.

Dealing with the aftermath

I was very lucky, if you can call it that, because of the baffling way the scammers tried to rip me off. If the ludicrous size of the attempted payment hadn’t set alarm bells ringing, the unusual items purchased probably would have given the same end result. Similarly, Danny Palmer’s card flagged the fraud tripwires before any money was taken. Banks and credit card companies are constantly adding new ways to detect dubious antics and also make logging into banking portals a safer experience.

All the same, we shouldn’t rely on others too much to ensure our metaphorical bacon is saved at the last minute. Keep locking things down, be observant when using ATMs, and familiarise yourself with the security procedures for your payment method of choice. We can’t stop everything from going wrong, but we can certainly help tip the odds a little bit more in our favour.

I probably won’t crack open a bottle of wine to celebrate, though.

The post Caught in the payment fraud net: when, not if? appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Lock and Code S1Ep16: Investigating digital vulnerabilities with Samy Kamkar

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Samy Kamkar, chief security officer and co-founder of Open Path, about the digital vulnerabilities in our physical world.

If you look through a recent history of hacking, you’ll find the clear significance of experimentation. In 2015, security researchers hacked a Jeep Cherokee and took over its steering, transmission, and brakes. In 2019, researchers accessed medical scanning equipment to alter X-ray images, inserting fraudulent, visual signs of cancer in a hypothetical patient.

Experimentation in cybersecurity helps us learn about our vulnerabilities.

Today, we’re discussing one such experiment—a garage door opener called “Open Sesame,” developed by Kamkar himself.

Tune in to hear about the “Open Sesame,” how it works, what happened after its research was presented, and how the public should navigate and understand a world rife with potential vulnerabilities on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes storeGoogle Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news:

  • Threat intelligence researchers from Group-IB has outed a new Russian-speaking ransomware gang called OldGremlin, and it has been targeting big companies in Russia. (Source: CyberScoop)
  • Tyler Technologies, a product vendor of US states and counties during election seasons, recently admitted that an unknown party has hacked their internal systems. (Source: Reuters)
  • Graphika unearthed a campaign they called Operation Naval Gazing, which is aimed at supporting China’s territorial claim in the South China Sea. (Source: TechCrunch)
  • As the US elections draw near, the FBI and CISA warn voters against efforts and interference from foreign actors potentially spreading disinformation regarding election results. (Source: The Internet Crime Complaint Center (IC3))
  • Activision, the video game publisher for Call of Duty (CoD), denied that it had been hacked after reports that more than 500,000 accounts have had their login information leaked. (Source: Dexerto)

Stay safe, everyone!

The post Lock and Code S1Ep16: Investigating digital vulnerabilities with Samy Kamkar appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Taurus Project stealer now spreading via malvertising campaign

For the past several months, Taurus Project—a relatively new stealer that appeared in the spring of 2020—has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an autoit script ultimately responsible for downloading the Taurus binary.

Taurus was originally built as a fork by the developer behind Predator the thief. It boasts many of the same capabilities as Predator the thief, namely the ability to steal credentials from browsers, FTP, VPN, and email clients as well as cryptocurrency wallets.

Starting in late August, we began noticing large malvertising campaigns, including, in particular, one campaign that we dubbed Malsmoke that distributes Smoke Loader. During the past few days we observed a new infection pushing the Taurus stealer.

Campaign scope

Like the other malvertising campaigns we covered, this latest one is also targeting visitors to adult sites. Victims are mostly from the US, but also Australia and the UK.

Traffic is fed into the Fallout exploit kit, probably one of the most dominant drive-by toolsets at the moment. The Taurus stealer is deployed onto vulnerable systems running unpatched versions of Internet Explorer or Flash Player.

Figure 1: Traffic capture showing the malvertising chain into Fallout EK loading Taurus

Because of code similarities, many sandboxes and security products will detect Taurus as Predator the thief.

Figure 2: The string ‘TAURUS’ as seen in the malware binary

The execution flow is indeed pretty much identical with scraping the system for data to steal, exfiltrating it and then loading additional malware payloads. In this instance we observed SystemBC and QBot.

Stealer – loader combo continues to be popular

Stealers are a popular malware payload these days and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware.

Even though the threat actors behind Predator the thief have appeared to have handed over a fork of their original creation and disappeared, the market for stealers is still very strong.

Malwarebytes users are protected against this threat via our anti-exploit layer which stops the Fallout exploit kit.

We would like to thank Fumik0_ for background information about Predator the thief and Taurus.

Indicators of Compromise

Malvertising infrastructure

casigamewin[.]com

Redirector

89.203.249[.]76

Taurus binary

84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13

Taurus C2

111.90.149[.]143

SystemBC

charliehospital[.]com/soc.exe
c08ae3fc4f7db6848f829eb7548530e2522ee3eb60a57b2c38cd1bdc862f5d6f

QBot

regencymyanmar[.]com/nt.exe
3aabdde5f35be00031d3f70aa1317b694e279692197ef7e13855654164218754

The post Taurus Project stealer now spreading via malvertising campaign appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Sandbox in security: what is it, and how it relates to malware

To better understand modern malware detection methods, it’s a good idea to look at sandboxes. In cybersecurity, the use of sandboxes has gained a lot of traction over the last decade or so. With the plethora of new malware coming our way every day, security researchers needed something to test new programs without investing too much of their precious time.

Sandboxes provide ideal, secluded environments to screen certain malware types without giving that malware a chance to spread. Based on the observed behavior, the samples can then be classified as harmless, malicious, or “needs a closer look.”

Running programs in such a secluded environment is referred to as sandboxing and the environment the samples are allowed to run in are called sandboxes.

Definition of sandboxing

Let’s start with a definition so we know what we are talking about. There are many definitions around but I’m partial to this one:

“Sandboxing is a software management strategy that isolates applications from critical system resources and other programs. Sandboxing helps reduce the impact any individual program or app will have on your system.”

I’m not partial to this definition because it is more correct than other definitions, but because it says exactly what we want from a sandbox in malware research: No impact on critical system resources. We want the malware to show us what it does, but we don’t want it to disturb our monitoring or infect other important systems. Preferably, we want it to create a full report and be able to reset the sandbox quickly so it’s ready for the next sample.

Malware detection and sandboxing

Coming from that definition, we can say that a cybersecurity sandbox is a physical or virtual environment used to open files or run programs without the chance of any sample interfering with our monitoring or permanently affecting the device they are running on. Sandboxing is used to test code or applications that could be malicious before serving it up to critical devices.

In cybersecurity, sandboxing is used as a method to test software which would end up being categorized as “safe” or “unsafe” after the test. In many cases, the code will be allowed to run and a machine learning (ML) algorithm or another type of Artificial Intelligence (AI) will be used to classify the sample or move it further upstream for closer determination.

Malware and online sandboxes

As sandbox technology development further progressed and as the demand for a quick method to test software arose, we saw the introduction of online sandboxes. These are websites where you can submit a sample and receive a report about the actions of the sample as observed by the online sandbox.

It still takes an experienced eye to determine from these reports whether the submitted sample was malicious or not, but for many system administrators in a small organization, it’s a quick check that lets them decide whether they want to allow something to run inside their security perimeter.

Some of these online sandboxes have even taken this procedure one step further and allow user input during the monitoring process.

Any.run interactive sandbox

This is an ideal setup for those types of situations where the intended victim needs to unzip a password-protected attachment and enable content in a Word document. Or those pesky adware installers that require you to scroll through their End User License Agreement (EULA) and click on “Agree” and “Install.” As you can imagine. these will not do much on a fully automated sandbox, but for a malware analyst, these samples would fall into the category that requires human attention anyway.

Sandbox sensitivity

In the ongoing “arms race” between malware writers and security professionals, malware writers started to add routines to their programs that check if they are running in a virtual environment. When the programs detect that they are running in a sandbox or on a virtual machine (VM), they throw an error or just stop running silently. Some even perform some harmless task to throw us off their track. Either way, these sandbox-evading malware samples don’t execute their malicious code when they detect that they are running inside a controlled environment. Their main concern is that researchers would be able to monitor the behavior and come up with counter strategies, like blocking the URLs that the sample tries to contact.

Some of the methods that malware uses to determine whether it is running in a sandbox are:

  • Delaying execution to make use of the time-out that is built into most sandboxes.
  • Hardware fingerprinting. Sandboxes and Virtual Machines can be recognized as they are typically different from physical machines. A much lower usage of resources, for example, is one such indicator.
  • Measuring user interaction. Some malware requires the user to be active for it to run, even if it’s only a moving mouse-pointer.
  • Network detection. Some samples will not run on non-networked systems.
  • Checking other running programs. Some samples look for processes that are known to be used for monitoring and refuse to run when they are active. Also the absence of other software may be considered an indicator of running on a sandbox.

Sandboxes and virtual machines

In the previous paragraph we referenced both virtual machines and sandboxes. However, while sandboxes and virtual machines share enough characteristics to get them confused for one another, they are in fact two different technologies.

What really sets them apart is that the Virtual Machine is always acting as if it were a complete system. A sandbox can be made much more limited.  For instance, a sandbox can be made to run only in the browser and none of the other applications on the system would notice it was even there. On the other hand, a Virtual Machine that is entirely separated from the rest of the world, including its host, would be considered a sandbox.

To make the circle complete, so to speak, we have seen malware delivered in the form of a VM. This type of attack was observed in two separate families, Maze and Ragnar Locker. The Maze threat actors bundled a VirtualBox installer and the weaponized VM virtual drive inside a msi file (Windows installer package). The attackers then used a batch script called starter.bat to launch the attack from within the VM.


If you’d like to know more technical details about these attacks, here’s some recommended reading: Maze attackers adopt Ragnar Locker virtual machine technique


The future of sandboxing

Keeping in mind that containerization and virtual machines are becoming more common as a replacement for physical machines, we wonder whether cybercriminals can afford to cancel their attack when they find out they are running on a sandbox or virtual machine.

On the other hand, the malware detection methods developed around sandboxes are getting more sophisticated every day.

So, could this be the field where the arms race is in favor of the good guys? Only the future will be able tell us.

Stay safe, everyone!

The post Sandbox in security: what is it, and how it relates to malware appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Phishers spoof reliable cybersecurity training company to garner clicks

“It happens to the best of us.”

And, indeed, no adage is better suited to a phishing campaign that recently made headlines.

Fraudsters used the brand, KnowBe4—a trusted cybersecurity company that offers security awareness training for organizations—to gain recipients’ trust, their Microsoft Outlook credentials, and other personally identifiable information (PII). This is according to findings from our friends at Cofense Intelligence, who did a comprehensive analysis of the campaign, and of course, KnowBe4, who first reported about it.

Screenshot of phishing email courtesy of KnowBe4

Email details are as follows:

Subject: Training Reminder: Due Date

Message body:

Good morning

Your Security Awareness Training will expire within the next 24hrs. You only have 1 day to complete the following assignment:

– 2020 KnowBe4 Security Awareness Training

Please note this training is not available on the employee training Portal. You need to use the link below to complete the training:

hxxps://training[.]knowb[.]e4[.]com/auth/saml/4d851fef35c0f

This training link is also available on Security Awareness Training.

Use the URL: training[.]knowbe[.]4[.]com/login if you like to access the training outside of the network. Please use your email on the initial KnowBe4 login screen. Once the browser directs you to authentication page, please enter your username, password, and click the “Sign in” button to access the training.

Your training record will be available within 30 days after the campaign is concluded.

Thank you for helping to keep our organization safe from cybercrime.

Information Security Officer

“Poor English” is usually a hallmark of a scam email, according to majority of cybersecurity experts, and phishing emails are notoriously known for it. The above training-themed email may have fooled several recipients who are quite forgiving to some English errors—after all, typos do happen.

However, we should remember to also look at the URLs closely, both on the email and where it really leads to when you hover a mouse pointer over each one of them. Granted this is a straightforward, unsophisticated scam, which makes discerning it easier. It also gives us the notion that whoever the campaign is trying to bag, they’re only after those who aren’t careful enough to look closely or critical enough to perceive that something is amiss.

To the seemingly untrained eye, the URLs on the email may seem genuine, but they’re not. If you’re familiar with a URL’s structure, you’ll realize quickly that they’re not even close to being genuine. Take, for example, training[.]knowb[.]e4[.]com. The main domain here is e4[.]com. As for training[.]knowbe[.]4[.]com, the main domain is 4[.]com. Basic familiarity to URLs can save you from falling for scams like this.

Once users click any of the links, they are directed to a destination that doesn’t bear the KnowBe4 brand but to what appears to be a Microsoft Outlook sign in page, asking for credentials.

Screenshot of the first Outlook 365 phish page courtesy of KnowBe4

Again, take note of the URL in the address bar.

According to Cofense, similar phishing pages like this are hosted on at least 30 sites since April of this year. They also found traces of other current or previous phishing campaigns that were themed around sexual harassment training, another learning course many organizations require their employees to take.

Going back: Once the Outlook username and password combination were provided and the user clicks “sign in”, they are directed to another Outlook page, this time asking for details that are more personal, such as date of birth and physical address.

Screenshot of the second Outlook 365 phish page courtesy of Cofense

As the phishing kit had already been taken down at the time of writing, testing couldn’t show what happens next after clicking “Verify Now”. But based on the sexual harassment training phishing campaign, which used the same kit, redirecting to a legitimate sexual harassment training page, it’s logical to conclude that users would also be directed to a security awareness training website, which may or may not necessarily be KnowBe4.

This isn’t the first time the KnowBe4 brand—or other cybersecurity brands for that matter—have been abused to defraud people. The company was first used in phishing campaigns in September 2018 and in January 2019.

In February of this year, a NortonLifeLock phishing scam, wherein threat actors forced a remote access Trojan (RAT) installation onto victim systems by making a malformed Word document appear to be password-protected by NortonLifeLock, was found in the wild.

In April 2019, sophisticated Office 365 credential stealers didn’t only craft fake Microsoft alert types around certain Microsoft products, they also mimicked the return path of Barracuda Networks, a well-known email security provider, and include it in the phishing email’s Received header, making the email appear that it passed through Barracuda servers. This would make it seem like it could be trusted, and thus, safe to open, when—upon closer inspection—it’s not.

Every organization has a brand to protect. And the first step to do this is to realize early on that their brand could be misused or abused by those who want to make illicit gains. That said, no brand is truly safe. Heck, even Malwarebytes has doppelgängers.

Businesses must be actively looking for those banking on their names online. Customers, on the other hand, must know and accept that online criminals can get to them through the services they use by pretending to be these companies. It’s no longer enough to readily trust emails based on the logos they purport to bear. It’s time to start carefully reading emails you care about and scrutinizing them, from the supposed sender to the email links and/or attachments.

Never attempt to click anything on dubious emails or visit the destinations by copying and pasting them on a browser unless you’re in a virtual machine. And if you don’t have time to do the investigative work yourself, ask. Give your service provider a call or report a potential phishing attempt. This way, you’re not only helping yourself but also alerting your provider and helping those who would have fallen for a scam if not for your efforts.

Stay safe!

The post Phishers spoof reliable cybersecurity training company to garner clicks appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →
Page 1 of 38 12345...»