Archive for NEWS

Misleading cybersecurity lessons from pop culture: how Hollywood teaches to hack

In pop culture, cybercrimes are often portrayed as mysterious and unrealistic. Hackers are enigmatic and have extraordinary tech abilities. They can discover top secrets in a short time and type at breakneck speed to hack into a database.

In real life, though, hacking is not that straightforward. Hackers may have technical capabilities and high intelligence, but they are otherwise normal human beings. It takes a lot of time and research to come up with foolproof strategies to break into an organization’s secret files.

In the last few decades, hacking and cybersecurity have become important topics of discussion, and pop culture has capitalized on this wave of interest. Many movies and TV shows now find ways to weave cybercrime into their storylines. At times, the depiction is realistic and informative; most of the time, it’s plain misleading and ludicrous.

In this article, we take a look at some pop culture hacking scenes from TV and movies and the cybersecurity lessons, if any, we can learn from them.

Hackers are not always basement-dwelling nerds

Predominantly, male hackers are depicted in Hollywood movies to be either reclusive conspiracy theorists or super-smart, ex-intelligence officers. Picture Dennis Nedry from Jurassic Park or Martin Bishop in Sneakers. Their female counterparts—few and far between—tend toward the harsh, ass-kicking, boyish types, like Kate Libby in Hackers or Trinity in The Matrix.

The reality is, while we may be able to create criminal profiles for threat actors or even define skill sets and personality types that are attracted to hacking, there is no single stereotype that carries.

Hackers could be bubbly, social, feminine, sporty, narcissistic—the life of the party. They could also be relatively quiet, introverts, artists, compassionate, or deeply sensitive. Simply put, pop culture has a habit of stereotyping what it doesn’t understand, and hacking is still a widely misunderstood pastime/profession.

But there is one truth that unites all hacker types: Hacking requires strategic, conceptual thinking, so intelligence is required, as is practice. The best actual hackers spend years honing their craft, testing and testing code, working with mentors and peers, sometimes going to school or, yes, the military, for skills training.

However, cybercrime isn’t dominated by super-skilled hackers. Most criminals have softer code-writing skills, purchasing malware-as-a-service kits on the dark web or using social engineering techniques to scam users out of money. Meanwhile, there are hackers who use their skills for good, called white hats, often working as security researchers or in IT for businesses, schools, healthcare organizations, or the government.

Pop culture would benefit from seeing these more diverse representations of hackers, cybercriminals, and security professionals on TV and in the movies.

Hacking takes research and patience

Movies and TV shows are meant to be exciting and dramatic. As with most careers that aren’t well understood by those outside the industry—think theoretical physicist or brain surgeon—these professional portrayals are made out to be much more action-packed in pop culture than they are in the real world.

Real hackers and cybersecurity experts have to rely on patience and persistence gained through training and experience to strike gold—much more so than a magical solution that can resolve a plot point in five minutes or less.

3..2…1…”I’m in!”

Research is one of the most important parts of hacking or engineering or reverse-engineering, along with making mistakes. Real-world cybersecurity experts understand that failures are just as important as successes. Why?

Part of cybersecurity involves testing currently-active systems to find flaws and improve what needs improving. That can often take months or years of hard work, and not just a few minutes of elaborate schemes and computer wizardry. And even when criminals building the most sophisticated software discover that their cover is blown, they go back to the drawing table to advance on how best to come up with a better plan of infiltrating the host computer.

You can’t save a system by smashing buttons

When NCIS’ Abby is hacked, a million pop-ups fill her screen—Hollywood’s favorite “You’ve been hacked!” move. Thankfully, her friend heroically steps in, furiously typing on the keyboard until the problem is solved. Of course, that’s not quite how the scene would play out in real life.

When a computer is hacked, you cannot save it by pressing buttons aimlessly. You must, at minimum, unplug/shut down the computer and restart or install a USB drive or CD system. And you should also run a scan with an anti-malware program that can clean up infected devices. If you’re part of a business network, the process is more complicated: Alerting your company’s IT team is the best course of action if you suspect an infection. Button mashing will only make your fingers sore.

Hacking is not always flashy

Hollywood loves to make eye candy out of a hacking scene, often displaying colorful, polished graphic interfaces (GUIs) or 3D-immersive virtual reality experiences—neither of which have much to do with actual hacking. This infamous hacking scene in Swordfish, for example, shows Stanley completing some sort of digital Rubik’s Cube to “assemble crypto algorithm.” Whatever that means.

And there’s also this classic from Jurassic Park, where Ariana gains control of the automatic doors by “hacking” into the Unix security system in a matter of seconds.

Setting aside that saying, “It’s a Unix system, I know this” is like saying, “It’s a Windows system, I know this,” knowing Unix (or Windows) wouldn’t automatically bestow on someone the power to override security protocols—especially on custom GUIs reminiscent of a Minecraft beta.

Pop culture loves to spoon feed its audiences cheesy 3D visuals of viruses and authentication attempts. But these flashy visual interfaces, especially in 3D, are not accurate at all. What do your file systems look like on your home or work computer? How many of them are in 3D? How many times do you see a giant “ACCESS DENIED” painted across your whole screen when you enter an incorrect password or when your operating system can’t find a file?

A more accurate interface would be to show command line (code) displayed on a console or terminal, simply because it would be the most efficient way for hackers to obtain data quickly.

However,
as much as pop culture has misrepresented hacking to the general public, it has
also taught us varying real-life lessons about cybersecurity. Here are a few
examples:

Do not download and install untrusted applications

In Ex Machina, we learned that the CEO of Blue Book, Nathan Bateman, fast-tracked the emotional growth of Ava by taking data from smartphone cameras across the world. This scenario is currently playing out in real life, as there are applications that can be downloaded from third-party platforms and even from Google Play and Apple App Store that can spy on users and steal their personal information.

This
teaches us to be careful when downloading applications online. Verify each
app’s capabilities and permission requests before installing them on your
devices. If a music app is asking for access to your GPS location, for example,
ask yourself why such information would be necessary for this app to function.
If it seems like an unnecessary amount of access, it’s better to forget downloading.

Small distractions could be a diversion

Sometimes cybersecurity lessons can be learned from movie scenes that don’t involve computers at all. For example, in Star Wars: The Last Jedi, Poe creates a diversion, distracting the general and the First Order armada before bombing the Dreadnought. In fact, military strategy is often well intertwined with that of cyberwarfare.

Small distractions were used to a great effect in the 2015 distributed denial of services (DDoS) attacks on ProtonMail, for example. A small ransom note was dropped as a precursor to a 15-minute test DDoS attack, which diverted ProtonMail’s IT team to customer service assistance. The threat actors then followed up with the true mission, jamming up ProtonMail servers with a 50 Gigabit-per-second wave of junk data that took down the datacenter housing servers while simultaneously attacking several ISPs upstream, causing serious damage that took the company offline for days.

The lesson you can take away from this is that a small disruption of services could just be the blip on the radar meant to pull attention away from the storm. Make sure you stay on alert, especially if you notice this at work, where cybercriminals are focusing more of their efforts for larger returns on their investments.

Always use two-step verification

Always use two-factor authentication (2FA) to protect your online accounts—that cannot be overemphasized. In Mr. Robot, 2FAs were used to guard access to the company’s data and keep hackers out. Many IoT devices, password managers, and other applications have recognized the power of 2FA, or multi-factor authentication, in shielding user and proprietary data from hackers who are able to exploit bad password habits.

Hollywood tends to misrepresent what hacking and cybersecurity are to the general public. But it has also taught us valuable lessons about how to protect ourselves, our devices, and our information on the Internet. We hope that, as cybersecurity awareness increases, the misrepresentations are reduced to the barest minimum. That way, TV and movies can do to cybersecurity what they do best: educate, inform, and entertain the public about its importance to our daily lives.

The post Misleading cybersecurity lessons from pop culture: how Hollywood teaches to hack appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Cyber tips for safe online dating: How to avoid privacy gaffs, exploits, and scams

Research and reporting on this article were conducted by Labs writers Chris Boyd and David Ruiz.

Dating apps have been mainstream for a long time now, with nearly every possible dating scene covered—casual, long-term, gay, poly, of the Jewish faith, interested only in farmers—whatever you’re looking for. Sadly, wherever you find people trying to go about their business, you’ll also find others quite happy to intrude and cause problems.

Multiple pieces of research regularly highlight potential privacy flaws or security issues with dating apps galore. All this before we even get to the human aspect of the problem—no wonder online dating is exhausting.

Breaking into online dating circles

Dating apps are an unfortunate juicy target for cybercriminals, who will use any vulnerability—from software to psychological—to achieve their goal. Because it’s important to remember: Dating apps store more than just basic personally identifiable information (PII). They include sensitive data and images people might not be comfortable sharing elsewhere, which gives cybercriminals added leverage for blackmail, sextortion, and other forms of online abuse.

To start, the dating apps and sites themselves may not be safe from prying hackers looking to slurp user details. There’s the infamous 2015 compromise of cheating site Ashley Madison, or last year’s badly-timed announcement from dating app Coffee Meets Bagel, who informed users about a data compromise on Valentine’s Day.

How about location-based dating apps, like Tinder? In 2019, location-based dating app Jack’d allowed users to upload private photos and videos, but didn’t secure them on the backend, leaving users’ private images exposed to the public Internet. Now combine that with the ability to pinpoint a user’s exact location or track them on social media, and the end result is rather frightening.

Finally, online dating can wreak havoc in the workplace, too. If your organization supports a bring your own device (BYOD) policy, security vulnerabilities in dating apps could cause additional risk to your own reputation, as well as the company’s networks and infrastructure. (Though to be fair, you could argue “additional risk” is part and parcel of any BYOD policy.) A 2017 study by Kaspersky found that mobile dating apps were susceptible to man-in-the-middle attacks, putting any data or communications with the enterprise conducted via mobile device in danger.

Hints and tips for safe online dating

There are too many dating apps and websites out there to be able to give granular advice on privacy settings and security precautions for each and every one. However, a lot of security advice in this area is about common sense precaution, just as you would while dating in the real world. Many of these tips have been around forever; some require a little cybersecurity education, and a few rely on newer forms of technology to ensure things go smoothly.

Time to go hunting

Deploy some Google-Fu: One of the very first things you should do is a search related to your prospective date. There may well be multiple alarm bell–ringing search results for a troublesome dating site member all under the same username, for example. Or you could stumble upon multiple profiles begging for money on different sites, all using the same profile pic as your supposed date.

Checking photos and profile pics is a good idea in general. Use Google image search, Tineye, and other similar services to see if it’s been swiped from Shutterstock or elsewhere. It’s possible lazy scammers may start using deepfake images, which will be even harder to figure out, unless you read our blog and see some of the ways you can spot a fake.

Stay in on your night out

Don’t go outside the theoretical safety boundary of the app you’re using. This is one of the most common scam signs for any form of online shenanigans. Mysterious free video game platform gifts sent in your general direction? Surprise! You must receive the gift via dubious email link instead of the gaming platform you happen to be using. Making a purchase from a website you just discovered? Suddenly, you need to make a wire transfer instead of paying online—and so on.

Many dating apps restrict how much profile information you can reveal—that’s a good thing. However, that layer of privacy protection won’t work as well as it should if you’re convinced by a scammer to pass along lots of PII through other means. If the person on the other end of the communique is particularly insistent on this, that’s a definite red flag—for malware and for dating.

Hooking up with social media

A well-worn point, but it bears repeating: Sharing dating profiles with social media platforms may well open your data up to further scrutiny, thievery, and general tomfoolery. Your dating profile may be nicely locked down, but that approach again loses value if tied to public profiles containing a plethora of information on you, your friends, and your family. This just isn’t a risk worth taking.

Sharing is not always caring

Keeping your own dating data disconnected from social media platforms is just one step in protecting your sensitive information. Another step is awareness. When using dating apps, you should spend some time looking at their privacy policies and settings, as well as looking up news stories on them online, so that you know where your data is going, who is sending it around, and why.

For example, last month, the Norwegian Consumer Council revealed how the Android apps for Grindr, Tinder, and OkCupid sent sensitive personal information—including sexual preferences and GPS locations—to advertising companies, potentially breaching user trust.

The nonprofit’s report shone light on the digital advertising industry’s efforts to collect user information and channel it through a complex machine to find out who users are, where they live, what they like, who they support in elections, and even who they love. By analyzing 10 popular apps, the report’s researchers found at least 135 third parties that received user information.

Users’ GPS coordinates were shared with third parties by the dating apps Grindr and OkCupid. GPS “position” data was shared with third parties by the dating app Tinder, which also shared users’ expressed interest in gender. OkCupid also sent user information about “sexuality, drug use, political views, and much more,” the report said.

As to who received the information? The answers are less familiar. While Google and Facebook showed up in the report—both receiving Advertiser IDs—the majority of user data recipients were lesser-known companies, including AppLovin, AdColony, BuckSense, MoPub, and Braze.

Infographic showing which popular Android apps are sharing what information with third parties

There’s no cure-all to this type of data sharing, but you should know that privacy advocates in California are on it, having already asked the state’s Attorney General to investigate whether the data-sharing practices violate the California Consumer Privacy Act, which just came into effect at the start of this year.

General OPSEC tips

Operational security, or OPSEC for short, is pretty important as far as online dating is concerned. Some of the basic cybersecurity hygiene steps that we encourage our users to perform in their day-to-day business can help thwart unwanted digital access or steer you clear of physically dangerous situations. Here are a few examples:

Passwords, passwords, passwords

We all know password reuse is bad—across dating sites, apps, or any accounts—but depending on personal circumstances, it may also be bad to recycle usernames. If you don’t want people you’d rather avoid in the future tracking you down on social media, remember to use random names unrelated to your more general online activities.

While we’re on the subject, there are several other best practices for password security that we recommend, such as creating long passphrases that are unrelated to your name, birthday, or pets. If you can’t remember 85,000 different passwords, consider storing them in a password manager and using a single master password to control them all. If that seems like putting too much power in the hands of one password, we recommend using two- or multi-factor authentication.

The point is: Don’t reuse passwords on dating sites. There may be a plethora of intimate messages sent on these platforms, more so than on most other services you use. It makes sense to lock things down as much as possible.

Stranger danger

Meeting a date in person for the first time? Tell other people where you’re going on your date beforehand. It’s a basic, but invaluable safety step—especially if you have no way of vetting your date outside of the dating app constraints. Let your insider know the name/profile name/and anything else relevant to your date that might help them track you later, if necessary.

Also, try to obscure your literal latitude and longitude or home address from a virtual stranger before you get to know and trust them. Dating apps have taken those spammy “hot singles in your area” ads to their logical end point. Hot singles in your area really would be beneficial where dating is concerned, so why shouldn’t apps allow you to search on factors related to distance? However, on the flip side, this does rather tip your hand where revealing your general location is concerned.

So while your date will have some sort of idea as to where you’re based, you’ll want to have your first meeting(s) somewhere other than “the bar at the end of my street.” A little travel goes a long way to blocking some crucial details. Oh, and consider using public transport or your own vehicle to get to and from the date.

Ring, ring

If possible, don’t hand over your main phone number—especially when such a thing may be tied to SMS 2FA, which can lead to social engineering attacks on your mobile provider. If your mobile is your only phone, consider using a disposable phone specifically for dating that isn’t tied to anything important.

If that’s out of the question, you could try one of the many popular online services which provide their own number/voicemail.

Play it safe

After reading all of this, you may think that between potential security vulnerabilities, privacy exposures, and contending with awful scammers that it’s not worth the hassle to bother with online dating. That’s not our intention.

As long as you follow some of the advice listed above and keep in mind that dating apps can be compromised just like any other software, you should have a safe online dating experience. Just remember that anything you communicate online has the potential to drift offline—after all, that’s the whole goal of online dating in the first place.

Good luck, and stay safe out there!

The post Cyber tips for safe online dating: How to avoid privacy gaffs, exploits, and scams appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove

We first stumbled upon the nasty Android Trojan xHelper, a stealthy malware dropper, in May 2019. By mid-summer 2019, xHelper was topping our detection charts—so we wrote an article about it. After the blog, we thought the case was closed on xHelper. Then a tech savvy user reached out to us in early January 2020 on the Malwarebytes support forum:

“I have a phone that is infected with the xhelper virus.
This tenacious pain just keeps coming back.”

“I’m fairly technically inclined so I’m comfortable with
common prompt or anything else I may need to do to make this thing go away so
the phone is actually usable!”

forum user misspaperwait, Amelia

Indeed, she was infected with xHelper. Furthermore, Malwarebytes for Android had already successfully removed two variants of xHelper and a Trojan agent from her mobile device. The problem was, it kept coming back within an hour of removal. xHelper was re-infecting over and over again.

Photo provided by Amelia

If it wasn’t for the expertise and persistence of forum patron Amelia, we couldn’t have figured this out. She has graciously has allowed us to share her journey. 

All the fails

Before we share the culprit behind this xHelper re-infection, I’d like to highlight the tactics we used to investigate the situation, including the many dead ends we hit prior to figuring out the end game. By showing the roadblocks we encountered, we demonstrate the thought process and complexity behind removing malware so that others may use it as a guide. 

Clean slate

First off, Amelia was clever enough to do a factory reset before reaching out to us. Unfortunately, it didn’t resolve the issue, though it did give us a clean slate to work with. No other apps (besides those that came with the phones) were installed besides Malwarebytes for Android, thus, we could rule out an infection by prior installs (or so we thought).

We also ruled out any of the malware having device admin rights, which would have prevented our ability to uninstall malicious apps. In addition, we cleared all history and cache on Amelia’s browsers, in case of a browser-based threat, such as a drive-by download, causing the re-infection.

The usual suspect: pre-installed malware

Since we had a clean mobile device and it was still getting re-infected, our first assumption was that pre-installed malware was the issue. This assumption was fueled by the fact that the mobile device was from a lesser-known manufacturer, which is often the case with pre-installed malware.  So Amelia tested this theory by going through the steps to run Android Debug Bridge (adb) commands to her mobile device. 

With adb command line installed and the mobile device plugged into a PC, we used the workaround of uninstalling system apps for current user. This method renders system apps useless even though they still technically reside on the device. 

Starting with the most obvious to the least, we systematically uninstalled suspicious system apps, including the mobile device’s system updater and an audio app with hits on VirusTotal, a potential indicator of maliciousness.  Amelia was even able to grab various apps we didn’t have in our Mobile Intelligence System to rule everything out. After all this, xHelper’s persistence would not end.

Photo provided by Amelia of xHelper running on mobile device

Triggered: Google PLAY

We then noticed something strange: The source of installation for the malware stated it was coming from Google PLAY. This was unusual because none of the malicious apps downloading on Amelia’s phone were on Google PLAY. Since we were running out of ideas, we disabled Google PLAY. As a result, the re-infections stopped!

We have seen important pre-installed system apps infected with malware in the past. But Google PLAY itself!? After further analysis, we determined that, no, Google PLAY was not infected with malware. However, something within Google PLAY was triggering the re-infection—perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else.

In the hopes that our theory held true, we asked Amelia to look for suspicious files and/or directories on her mobile device using a searchable file explorer, namely, anything that started with com.mufc., the malicious package names of xHelper. And then…eureka!

The culprit

Hidden within a directory named com.mufc.umbtts was yet another Android application package (APK). The APK in question was a Trojan dropper we promptly named Android/Trojan.Dropper.xHelper.VRW. It is responsible for dropping one variant of xHelper, which subsequently drops more malware within seconds.

Here’s the confusing part: Nowhere on the device does it appear that Trojan.Dropper.xHelper.VRW is installed. It is our belief that it installed, ran, and uninstalled again within seconds to evade detection—all by something triggered from Google PLAY.  The “how” behind this is still unknown.

It’s important to realize that unlike apps, directories and files remain on the Android mobile device even after a factory reset. Therefore, until the directories and files are removed, the device will keep getting infected.

How to remove xHelper re-infections

If you are experiencing re-infections of xHelper, here’s how to remove it:

  • We strongly recommend installing Malwarebytes for Android (free).
  • Install a file manager from Google PLAY that has the capability to search files and directories.
    • Amelia used File Manager by ASTRO.
  • Disable Google PLAY temporarily to stop re-infection.
    • Go to Settings > Apps > Google Play Store
    • Press Disable button
  • Run a scan in Malwarebytes for Android to remove xHelper and other malware.
    • Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed).
  • Open the file manager and search for anything in storage starting with com.mufc.
  • If found, make a note of the last modified date.
    • Pro tip: Sort by date in file manager
    • In File Manager by ASTRO, you can sort by date under View Settings
  • Delete anything starting with com.mufc. and anything with same date (except core directories like Download):
  • Re-enable Google PLAY
    • Go to Settings > Apps > Google Play Store
    • Press Enable button
  • If the infection still persists, reach out to us via Malwarebytes Support.

Mobile malware hits a new level

This is by far the nastiest infection I have encountered as a mobile malware researcher. Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware. This fact inadvertently sent me down the wrong path. Luckily, I had Amelia’s help, who was as persistent as xHelper itself in finding an answer and guiding us to our conclusion.

This, however, marks a new era in mobile malware. The ability to re-infect using a hidden directory containing an APK that can evade detection is both scary and frustrating. We will continue analyzing this malware behind the scenes. In the meantime, we hope this at least ends the chapter of this particular variant of xHelper. 

Stay safe out there!

The post Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Malwarebytes Labs releases 2020 State of Malware Report

Malwarebytes Labs today released the results of our annual study on the state of malware—the 2020 State of Malware Report—and as usual, it’s a doozy.

From an increase in enterprise-focused threats to the diversification of sophisticated hacking and stealth techniques, the 2019 threat landscape was shaped by a cybercrime industry that aimed to show it’s all grown up and coming after organizations with increasing vengeance.

The 2020 State of Malware Report features data sets collected from product telemetry, honey pots, intelligence, and other research conducted by Malwarebytes threat analysts and reporters to investigate the top threats delivered by cybercriminals to both consumers and businesses in 2019.

Our analysis includes a look at threats to Mac and Windows PCs, Android and iOS, as well as browser-based attacks. In addition, we examined consumer and business detections on threats to specific regions and industries across the globe. Finally, we took a look at the state of data privacy in 2019, including state and federal legislation, as well as the privacy failures of some big tech companies in juxtaposition against the forward-thinking policies of others.

Here’s a sample of what we found:

  • Mac threats increased exponentially in comparison to those against Windows PCs. While overall volume of Mac threats increased year-over-year by more than 400 percent, that number is somewhat impacted by a larger Malwarebytes for Mac userbase in 2019. However, when calculated in threats per endpoint, Macs still outpaced Windows by nearly 2:1.
  • The volume of global threats against business endpoints has increased by 13 percent year-over-year, with aggressive adware, Trojans, and HackTools leading the pack.
  • Organizations were once again hammered with Emotet and TrickBot, two Trojan-turned-botnets that surfaced in the top five threats for nearly every region of the globe, and in the top detections for the services, retail, and education industries. TrickBot detections in particular increased more than 50 percent over the previous year.
  • Net new ransomware activity is at an all-time high against businesses, with families such as Ryuk and Sodinokibi increasing by as much as 543 and 820 percent, respectively.

To learn more about the top threats of the year for Mac, Windows, Android, and the web, as well as the state of data privacy in commerce and legislation, check out the full 2020 State of Malware Report here.

The post Malwarebytes Labs releases 2020 State of Malware Report appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

A week in security (February 3 – 9)

Last week on Malwarebytes Labs, we looked at Washington state’s latest efforts in providing better data privacy rights for their residents, and we dove into some of the many questions regarding fintech: What is it? How secure is it? And what are some of the problems in the space?

We also detailed a new adware family that our researchers had been tracking since late last year and pushed out a piece on performance art’s impact on Google Maps and other crowdsourced apps.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 3 – 9) appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →
Page 1 of 6 12345...»