IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

CISA catalog passes 1,000 known-to-be-exploited vulnerabilities. Celebration time, or is it?

On September 18, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) announced that its Known Exploited Vulnerabilities (KEV) catalog has reached the milestone of covering more than 1,000 vulnerabilities since its launch in November 2021.

This may seem like a lot, but with over 25,000 new vulnerabilities released in 2022 alone, it helps organizations to focus on the vulnerabilities that matter the most.

Many organizations are running a plethora of software and internet-facing devices, and vulnerabilities that can be used to exploit them are found every day. Everybody knows they need to patch, but deciding what to patch when, and then finding the time and resources to do it, are significant challenges.

CISA says that one of the reasons to launch the KEV catalog was to help organizations prioritize which vulnerabilities to address first.

“As a starting point, we know that the majority of vulnerabilities are never exploited by malicious actors.”

CISA issued Binding Operational Directive 22-01 in November 2021, which established the catalog and bound everyone operating federal information systems to abide by it.

Federal Civilian Executive Branch (FCEB) agencies are handed specific—and very tight—deadlines for when vulnerabilities must be dealt with. Specifically, the Directive requires those agencies to remediate internet-facing listed vulnerabilities within 15 days and all others within 25 days.

For everyone else, it’s an opportunity to filter vulnerabilities by something more relevant than CVSS scores, in which exploitability is only one sub-score.

Because it’s based on what criminals are actually exploiting, your organization may want to feed the catalog into its patch management strategy even if it isn’t bound by the Directive.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. To be considered for the catalog, the first criterion a vulnerability has to meet is to have a unique CVE ID, so organizations can know precisely which vulnerability it concerns. This is not as straightforward as it may seem. CISA works with vendors, open-source projects, and the CVE program to ensure that every vulnerability that is exploited in the wild is properly identified with a CVE ID.

The second criterion is proof of active exploitation. This evidence needs to come from a credible source – a known industry partner, a trusted security researcher, or a government partner. Even then, sorting through vast amounts of data to distinguish genuine, malicious exploitation can prove to be a daunting task.

“We can find ourselves chasing whispers of exploitation in the wild that circulate online. Adding to the challenge is that some adversaries are elusive and sophisticated, leaving barely a trace of their digital footprints.”

And last but not least, an effective mitigation needs to be available. After all, it’s no use listing a vulnerability with a due date when there is no cure at hand.

It’s hard to find metrics to show what the effect of the KEV catalog is on malware infections and ransomware attacks, but what is clear is that the mean-time-to-remediate listed vulnerabilities was an average of nine days faster than for non-listed – and 36 days faster for internet-facing vulnerabilities.

CISA says it’s exploring options to add more informative fields, such as noting whether a specific vulnerability is being used by ransomware actors, which may be of particular use to sectors such as healthcare and education. It may help you further prioritize based on your threat model.
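The article describes using the KEV catalog as a filter on top of ordinary scan results and applying the Directive’s 15-day (internet-facing) and 25-day (other) windows. The script below is an added example, not code from CISA or Malwarebytes: it indexes a catalog in the shape of the public KEV JSON feed (field names such as `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate` are assumed from the feed as published; the entries, hosts and CVE IDs are constructed placeholders) and ranks a constructed asset inventory by how many days remain before the deadline an organization adopting those timelines would set.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are an
# assumption based on the public feed; the rows themselves are placeholders,
# not real catalog entries (CVE-0000-xxxx is not a real CVE ID).
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "sample",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2023-09-01", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-09-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleOffice", "product": "Suite",
     "dateAdded": "2023-09-10", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-10-01"}
  ]
}
"""

# Constructed inventory: the kind of output a vulnerability scanner gives per host.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-01", "internet_facing": True,  "cves": ["CVE-0000-0001", "CVE-0000-0009"]},
    {"host": "desktop-42",  "internet_facing": False, "cves": ["CVE-0000-0002"]},
    {"host": "build-07",    "internet_facing": False, "cves": ["CVE-0000-0009"]},
]

# Remediation windows as the article summarises BOD 22-01.
INTERNET_FACING_DAYS = 15
OTHER_DAYS = 25


def load_kev(raw_json):
    """Index the catalog by CVE ID so each scanner finding is a single lookup."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(inventory, kev_index, today_iso):
    """Return findings that appear in the KEV catalog, most urgent first.

    Each finding carries the deadline counted from the day CISA added the CVE
    (15 days if the host is internet-facing, else 25) and the days remaining;
    a negative number means the window has already closed.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev_index.get(cve)
            if entry is None:
                continue  # not known to be exploited: leave it to the normal patch cycle
            added = date.fromisoformat(entry["dateAdded"])
            window = INTERNET_FACING_DAYS if asset["internet_facing"] else OTHER_DAYS
            deadline = added + timedelta(days=window)
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "internet_facing": asset["internet_facing"],
                "deadline": deadline.isoformat(),
                "days_left": (deadline - today).days,
                "required_action": entry["requiredAction"],
            })
    # Closest (or most overdue) deadline first; internet-facing hosts break ties.
    findings.sort(key=lambda f: (f["days_left"], not f["internet_facing"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2023-09-20"):
        status = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']} days left"
        print(f'{f["host"]:12} {f["cve"]:14} {f["product"]:20} due {f["deadline"]} ({status})')
```

Replace `SAMPLE_KEV_JSON` with the downloaded feed and `SAMPLE_INVENTORY` with your scanner export; findings that never appear in the catalog are deliberately dropped here so that the list stays short enough to act on, which is the point the article makes about KEV versus raw CVE counts.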


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Stalkerware activity drops as glaring spying problem is revealed

North America has a spying problem. Its perpetrators are everyday people.

According to recent research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

But while consenting adults can and increasingly do agree to share passwords, locations, and devices with their romantic partners, another statistic deserves scrutiny: 41 percent of the people who admitted to monitoring their partners said they did so without permission.

These numbers are particularly disappointing to report just months after Malwarebytes presented original data at the National Network to End Domestic Violence’s Technology Summit that showed that stalkerware-type activity had dropped significantly from an all-time high three years prior, when shelter-in-place orders were issued to originally limit the spread of COVID-19.

The two issues, while not identical, share an overlap, which is that the non-consensual tracking of another adult is always spying.

It’s spying when governments do it through opaque, mass surveillance regimes, it’s spying when companies do it through shadowy data broker networks that braid together disparate streams of information, and it’s spying when private individuals do it through unseen behavior on personal devices.

Malwarebytes has a firm history in opposing surveillance—in the home, at school, and around the world—and this October, during Domestic Violence Awareness Month, Malwarebytes again commits itself to advocating for user privacy, whether from a person’s government, the corporations they interact with, or from those most capable of abuse.

Monitoring without permission

This month, Malwarebytes released new research into the cybersecurity and online privacy beliefs and behaviors of 1,000 respondents in the United States and Canada. The report, titled “Everyone’s afraid of the internet and no one’s sure what to do about it,” reveals the dismal rates of adoption for antivirus software, two-factor authentication (2FA), password managers, and unique passwords across online accounts.

But the report also explores the methods and stated justifications for individuals who spy on their romantic partners.

Of all respondents (the general population of Malwarebytes’ 1,000-person survey) who admitted to monitoring their partners online without permission:

  • 23 percent looked through messages (texts, emails, DMs) on a spouse’s/significant other’s devices and apps.
  • 16 percent tracked a spouse’s/significant other’s location through an app or Bluetooth tracker (like Apple AirTags, Tile, Find My).
  • 22 percent looked at a spouse’s/significant other’s search history on their phone or computer.
  • 13 percent installed monitoring software/apps on spouse’s/significant other’s devices.
  • 17 percent monitored a spouse’s/significant other’s finances.

Respondents who monitored their partners—both with permission and without—were also asked about their own opinions on why they monitor. Half (50 percent) agreed or strongly agreed with the statement that “monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer,” while 42 percent agreed or strongly agreed with the statement that “being able to track my spouse’s/significant other’s location when they are away is extremely important to me.”

Online monitoring rates for all survey respondents in the latest research from Malwarebytes

These numbers change slightly for members of Generation Z, but in short, Gen Z engages in more non-consensual online monitoring than non-Gen Z in nearly every single circumstance.

Of the Gen Z respondents who digitally monitor their spouses or significant others, more do so non-consensually than non-Gen Z, overall (47 percent compared to 40 percent). Those same Gen Z respondents non-consensually track locations more (19 percent compared to 15 percent), non-consensually read messages like emails, texts, and DMs more (25 percent compared to 23 percent), and non-consensually install monitoring applications on devices more (16 percent compared to 12 percent).

Gen Z even engages in more non-consensual physical surveillance than non-Gen Z, with increased rates of non-consensually reading through a spouse’s or significant other’s diary or journal (17 percent compared to 11 percent), non-consensually reading a personal letter addressed to or from that person (21 percent compared to 17 percent), and even non-consensually searching through that person’s room, backpack, car, purse, or other personal belonging (24 percent compared to 22 percent).

Offline monitoring rates for all survey respondents in the latest research from Malwarebytes

But where Gen Z presents the most novel change is in how they monitor one another with permission. While Gen Z engages in more non-consensual monitoring, they also engage in more consensual monitoring, which is only possible because Gen Z monitors significantly more than non-Gen Z overall.

Here, the takeaways are up for interpretation. Perhaps Gen Z is, optimistically, having more open conversations about consensual sharing, both in romantic relationships and friendships. This was anecdotally confirmed last year, when the Lock and Code podcast spoke with a Bay Area teenager about how she and her friends obtain consent before sharing photos on social media.

But one activity that Malwarebytes asked about, even if originally performed with consent, could present a threat to privacy long into the future: Installing monitoring apps on another person’s devices.

Depending on the type of app used, these digital tools can provide access to a person’s location, SMS messages, photos, videos, phone calls, and contacts, while also granting remote access to a device’s camera, microphone, and WiFi functionality. What’s more, some can even do this without any notification or warning to the person being monitored. If such an app is installed on a person’s device with their consent, there is little way of them knowing that it is still on their device, even if they eventually withdraw consent. In other words, the spied-upon have few basic indicators that they are being spied upon.

According to Malwarebytes’ research, 40 percent of Gen Z have installed monitoring software or apps on a spouse’s or significant other’s devices, compared to 29 percent of non-Gen Z.

These numbers are less open to interpretation. They are deeply concerning.

A drop in stalkerware-type activity

In July, Malwarebytes presented at the National Network to End Domestic Violence’s Technology Summit to offer device security training and updated statistics on a problem that has long plagued survivors of domestic abuse: Stalkerware.

Malwarebytes’ fight against stalkerware is long-documented. For years, the company has detected and helped people remove stalkerware-type applications, while also visiting local domestic abuse shelters and national conferences to share vital information on this pernicious digital threat.

Part of this advocacy has included publishing stalkerware-type detection data with the public, including a dramatic spike in stalkerware-type activity that coincided with shelter-in-place orders mandated near the start of the COVID-19 pandemic, and eventual decreases in that same type of activity one year after.

But that earlier data focused on what are called “detections” on Android devices—moments when Malwarebytes scanned and found apps that could monitor or spy on a user without their knowledge. This year, Malwarebytes has changed its approach to publishing stalkerware-type activity, now incorporating the active user base at any given moment, to show not just raw detection counts, but overall prevalence.

The good news? Stalkerware-type activity is down. A lot.

Across June, July, and August of 2020, on average, 0.7 percent of all Malwarebytes scans conducted on Android devices resulted in Malwarebytes encountering a stalkerware-type app. Starting in March of 2022, that incident rate dropped to below 0.2 percent. It has remained that low up to June 2023, which is the cutoff date for Malwarebytes’ most recent data.

For that final month of data, the incident rate was just 0.11 percent—tied for the lowest rate recorded across three years.

Stalkerware-type activity across three years of Malwarebytes data

Erring towards caution, with good cause

Stalkerware-type activity is down, but in Malwarebytes’ latest survey, a worrying number of individuals admitted to digitally tracking their spouses and significant others, and while fewer admitted to doing this type of tracking without consent, the type of tracking made available by certain monitoring apps could create privacy invasions in the future.

Malwarebytes will always caution against a world that grows comfortable with surveillance, even if the surveillance is initially conducted “with consent.” Consent shifts with time—it can be removed, narrowed, and tailored to specific situations. But the type of access that some monitoring apps provide, particularly those with stalkerware-type capabilities, is entirely incompatible with consent. They are built to collect as much information as possible and even to hide that data collection from view.

Remember that 50 percent of all respondents who admitted to monitoring their spouses or significant others agreed or strongly agreed with the statement: “Monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer.” (Emphasis added).

This Domestic Violence Awareness Month, perhaps we remember that adults can determine their own safety—and privacy.

Read the report


If you are currently facing domestic violence, you can call the National Domestic Violence Hotline at 1-800-799-7233.

If you are currently concerned about stalkerware-type monitoring of your device, or other possible forms of technology-enabled surveillance and abuse, you can visit the National Network to End Domestic Violence’s Safety Net Project here.

Ransomware review: October 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In September, we recorded a total of 427 ransomware victims. As usual, LockBit (72) led the charts. New players we observed included LostTrust (53), ThreeAM (10), and CiphBit (8).

Last month, MGM Resorts and Caesars Entertainment made headlines after being attacked by an ALPHV affiliate known as Scattered Spider. Other significant attacks included Sony, targeted by RansomedVC, and Johnson Controls, targeted by Dark Angels.

The attacks on MGM Resorts and Caesars Entertainment—which collectively own most of the casino-hotel properties on the Vegas Strip—resulted in the former losing $100 million in earnings and the latter making a reported $15 million ransom payment to the attackers. In both cases, significant amounts of customer data were stolen.

In other news, both LockBit and the Akira ransomware gang, the latter of which has tallied 125 victims since we first began tracking them in April 2023, were confirmed last month to be exploiting a specific zero-day flaw (CVE-2023-20269) in Cisco VPN appliances. On a related note, the effect of CL0P’s MOVEit zero-day campaign was further revealed last month when the National Student Clearinghouse and BORN Ontario Child Registry disclosed data breaches attributed to the group.

Known ransomware attacks by gang, September 2023
Known ransomware attacks by country, September 2023
Known ransomware attacks by industry sector, September 2023

Last month’s two high-profile casino breaches were an interesting case study in the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.

Primarily hailing from the US and the UK, and founded in May 2022, Scattered Spider launched two casino attacks that have given the group attention on a scale rarely seen with RaaS affiliates—whose attacks are normally grouped under whichever RaaS gang supplied them with the ransomware (in this case, ALPHV).

One possible explanation for Scattered Spider’s unusual spotlight resides in the group’s level of sophistication. RaaS, by its very nature, has a low barrier to entry, meaning many affiliates are relatively unsophisticated or possess only moderate technical skills. Scattered Spider, on the contrary, highlights the peril posed when ready-made RaaS software merges with seasoned experience: In both of their casino breaches, the group employed advanced tactics, techniques, and procedures (TTPs), including in-depth reconnaissance, social engineering, and advanced lateral movement techniques.

Scattered Spider typically kicks off its attacks by manipulating employees into granting access, and its breaches of MGM Resorts and Caesars Entertainment began no differently. For the MGM breach, Scattered Spider used LinkedIn to pinpoint an MGM Resorts employee, subsequently impersonating them and contacting the company’s help desk requesting account access. Alarmingly, this ploy unveiled a gaping security flaw at MGM—the absence of a stringent user verification protocol at the service desk. After gaining an initial foothold, they escalated their access to administrative rights and subsequently launched a ransomware attack.

Or, as vx-underground so poetically put it: “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

Fewer specifics are known about the exact social engineering scheme used in the Caesars Entertainment breach, but judging by the company’s SEC filing, it’s safe to say Scattered Spider used a similar help desk style scam. Both breaches remind us that, whether ransomware is deployed or not, the human element remains one of the most vulnerable spots in an organization’s defenses.

Additionally, the aftermath of these attacks highlights the absence of a one-size-fits-all solution when it comes to paying attackers ransom. According to the Wall Street Journal, MGM Resorts refused to pay the attackers while Caesars Entertainment, in an effort to prevent their stolen data from being leaked, reportedly paid attackers a ransom worth approximately $15 million. It’s worth reiterating, of course, that despite whatever internal calculus Caesars Entertainment made when deciding to pay the ransom, there is no guarantee that attackers will hold up their end of the bargain. The company’s public willingness to pay also makes them a vulnerable target for further attacks.

On the other hand, there’s no denying that a data leak, especially of sensitive customer or corporate information, can cause a level of reputational harm that some companies might view as impossible to risk taking on—even if it means paying a substantial amount to thieves who may or may not honor their word.

New Players

LostTrust

LostTrust is a likely rebrand from the MetaEncryptor ransomware gang we first spotted in August 2023. In September, they had a staggering 53 victims. The reason for the rebrand is unclear at present.


ThreeAM (3AM)

ThreeAM, a new ransomware family used as a fallback in a failed LockBit attack, had 10 victims in September.

CiphBit

While CiphBit has been posting victims on its dark website since April, the group wasn’t discovered in the wild until last month. In September, it reported two new victims, bringing its total to eight victims to date.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

23andMe user data stolen, offered for sale

Information belonging to as many as seven million 23andMe customers has been put up for sale on criminal forums following a credential stuffing attack against the genomics company.

On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that threat actors had “obtained information from certain accounts, including information about users’ DNA Relatives profiles.”

The company says cybercriminals stole profile information that users had shared through its DNA Relatives feature, an optional service that lets customers find and connect with genetic relatives who have also signed up to DNA Relatives. It does not explain what data was stolen, or how much of it, but it does indicate that crooks pulled off the heist “where users recycled login credentials”, and not because of a vulnerability in its systems.

We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.

In other words, cybercriminals succeeded in getting access to a number of 23andMe accounts where users had used the same password on both 23andMe and a website that had suffered a data breach. Accessing accounts on a website by using lists of usernames and passwords exposed on another is known as “credential stuffing”, and it’s both common and effective. It works because users often use the same password for multiple websites. However, the damage seems to go far beyond the accounts with reused passwords.

It seems the attackers didn’t simply steal the data belonging to the accounts they broke into—they used those accounts to access a much larger trove of data via DNA Relatives. According to Bleeping Computer, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached.”

The Record reports that the stolen data does not include genomic sequencing data, but does include “profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23AndMe’s health data.”

The stolen data is only worth something in so far as it can be used to extract money from somebody, so we expect it will be used in social engineering attacks, like scams and phishing. Users of 23andMe are likely to be the targets, so if that includes you, take extra care when answering messages about or apparently from 23andMe. We suggest you visit the website directly to get information and guidance, don’t follow links or download attachments from emails saying they’re from 23andMe, and follow our simple guide to spotting any scam.

23andMe is urging its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication (MFA).

Respectfully, we would like to see 23andMe reach a different conclusion. Telling users to choose strong passwords and not to reuse them is great advice that just isn’t working. It’s good in theory but fails in practice. In a world where users have tens or even hundreds of logins to manage, password reuse and weak passwords that are easy to remember are inevitable.

The company is right to emphasise the enormous usefulness of MFA, but rather than asking users to turn it on, why not just make it mandatory? MFA is, by far, the most useful thing you can do to stop credential stuffing, and if it’s switched on it protects users from their bad password habits like reuse.

In 2019, Microsoft’s Alex Weinert wrote that “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.” You won’t find another technology that gets close.

As 23andMe says in its own blog post, “Since 2019 we’ve offered and encouraged users to use multi-factor authentication.” The company deserves credit for offering MFA, but the scale of this attack against it suggests that not enough users are making the choice. The only way to make MFA the norm is to insist on it instead of asking.
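The article explains why credential stuffing works (one leaked password list, tried against many accounts, succeeding wherever a password was reused) and why MFA is the fix. The script below is an added example, not code from 23andMe or Malwarebytes: it runs a simple stuffing detector over a constructed authentication log. The log format, addresses, account names and outcomes are all made up for the example; the pattern it looks for is the one the article describes, a single source cycling through many distinct accounts with mostly failures and the occasional success on a reused password. A user who forgets their own password fails repeatedly on one account and is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample auth log (hypothetical format, not from any real service):
# one login attempt per line with the client address, the account tried and the outcome.
SAMPLE_AUTH_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.10 user=alice@example.test result=FAIL
2023-10-01T10:00:02Z ip=203.0.113.10 user=bob@example.test result=FAIL
2023-10-01T10:00:02Z ip=203.0.113.10 user=carol@example.test result=OK
2023-10-01T10:00:03Z ip=203.0.113.10 user=dave@example.test result=FAIL
2023-10-01T10:00:03Z ip=203.0.113.10 user=erin@example.test result=FAIL
2023-10-01T10:00:04Z ip=203.0.113.10 user=frank@example.test result=FAIL
2023-10-01T10:00:04Z ip=203.0.113.10 user=grace@example.test result=FAIL
2023-10-01T10:00:05Z ip=203.0.113.10 user=heidi@example.test result=OK
2023-10-01T10:05:00Z ip=198.51.100.7 user=alice@example.test result=FAIL
2023-10-01T10:05:20Z ip=198.51.100.7 user=alice@example.test result=FAIL
2023-10-01T10:05:45Z ip=198.51.100.7 user=alice@example.test result=OK
2023-10-01T10:07:00Z ip=192.0.2.5 user=bob@example.test result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Turn log lines into dicts; lines that don't match the format are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that cycle through many distinct accounts with mostly failures.

    A legitimate user who forgot a password fails repeatedly on *one* account; a
    stuffing run tries *many* accounts, succeeding only where a leaked password was
    reused. Successful logins from a flagged source are the accounts to force a
    password reset (and ideally an MFA enrolment) on.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "accounts": set(), "successes": set()})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["attempts"] += 1
        stats["accounts"].add(ev["user"])
        if ev["result"] == "OK":
            stats["ok"] += 1
            stats["successes"].add(ev["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        success_rate = stats["ok"] / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and success_rate <= max_success_rate:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_accounts": len(stats["accounts"]),
                "compromised_accounts": sorted(stats["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['distinct_accounts']} accounts in {info['attempts']} attempts; "
              f"reset + MFA for {', '.join(info['compromised_accounts']) or 'none'}")
```

A per-source threshold like this catches the crude case only; stuffing campaigns are usually spread across many proxies so that each address stays under any per-IP limit, and the more robust signal is a service-wide jump in first-time failures across accounts that have never been tried before. Either way, detection tells you which accounts to reset after the fact, whereas mandatory MFA, the article’s recommendation, stops the reused password from being enough in the first place.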


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

AI sneak attacks, location spying, and definitely not malware, or, what one teenager fears online: Lock and Code S04E21

This week on the Lock and Code podcast…

What are you most worried about online? And what are you doing to stay safe? 

Depending on who you are, those could be very different answers, but for teenagers and members of Generation Z, the internet isn’t so scary because of traditional threats like malware and viruses. Instead, the internet is scary because of what it can expose. To Gen Z, a feared internet is one that is vindictive and cruel—an internet that reveals private information that Gen Z fears could harm their relationships with family and friends, damage their reputations, and even lead to their being bullied and physically harmed.

Those are some of the findings from Malwarebytes’ latest research into the cybersecurity and online privacy beliefs and behaviors of people across the United States and Canada this year.

Titled “Everyone’s afraid of the internet and no one’s sure what to do about it,” Malwarebytes’ new report shows that 81 percent of Gen Z worries about having personal, private information exposed—like their sexual orientations, personal struggles, medical history, and relationship issues (compared to 75 percent of non-Gen Zers). And 61 percent of Gen Zers worry about having embarrassing or compromising photos or videos shared online (compared to 55 percent of non-Gen Zers). Not only that, 36 percent worry about being bullied because of that info being exposed, while 34 percent worry about being physically harmed. For those outside of Gen Z, those numbers are a lot lower—only 22 percent worry about bullying, and 27 percent worry about being physically harmed.

Does this mean Gen Z is uniquely careful to prevent just that type of information from being exposed online? Not exactly. They talk more frequently to strangers online, they more frequently share personal information on social media, and they share photos and videos on public forums more than anyone—all things that leave a trail of information that could be gathered against them.

Today, on the Lock and Code podcast with host David Ruiz, we drill down into what, specifically, a Bay Area teenager is afraid of when using the internet, and what she does to stay safe. Visiting the Lock and Code podcast for the second year in a row is Nitya Sharma, discussing AI “sneak attacks,” political disinformation campaigns, the unannounced location tracking of Snapchat, and why she simply cannot be bothered about malware.

“I know that there’s a threat of sharing information with bad people and then abusing it, but I just don’t know what you would do with it. Show up to my house and try to kill me?”

Tune in today to listen to the full conversation.

To read the full report, click below. 

Read the report

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Upgrading your Android device? Read this first

Last month, we wrote an article about what to do when upgrading your iPhone. Since then, we’ve received several requests to do a similar post about Android devices.

Providing uniform and easy-to-follow instructions is a bit harder to do for Android, because there are many differences between makes, models, language settings, and Operating System (OS) versions. Nonetheless, we will try to provide some guidance for when you are ready to move on to the next model.

We will provide you with some options, but it’s important to realize the difference between transferring your settings and transferring your data. If you migrate data (files) only, you will need to reinstall all the apps.

1. Back up your data

You can back up content, data, and settings from your phone to your Google Account. You can even set up your device to automatically back up your files.

  • Open your device’s Settings app.
  • Select Google, and then Backup.

Tip: If this is your first time, turn on Backup by Google One and follow the on-screen instructions.

  • Tap Back up now.

Please keep in mind that your Google One backup can take up to 24 hours. When your data is saved, “On” will be showing below the data types you selected.

2. Transfer your data

Cloud storage services like Google Drive, Dropbox, or OneDrive can be used to transfer data between two Android smartphones. You need to upload the files to the cloud storage service from one device and then download them on to the other device.

Alternatively, if you’d rather use a method that doesn’t require an internet connection and your model supports it, you can try using a microSD card. Insert an extra card into your phone and then copy your files to the card with the My Files app.

Some manufacturers provide special methods to transfer data between their models. For example, Samsung allows you to use Smart Switch to transfer contacts, photos, messages, and other types of files, and Xiaomi has introduced the Mi Mover App to transfer data from any phone to a Xiaomi model.

Or you can transfer using short range connections. There are a few different methods to do this, but they are usually limited to data and will not transfer settings between phones of different manufacturers.

  • You can use Bluetooth to transfer data between two Android smartphones. To do this, enable Bluetooth on both smartphones, pair them, and then select the files you want to transfer.
  • If both smartphones support NFC (Near Field Communication), you can transfer data by holding them close to each other. This method is faster than Bluetooth, but both devices need to be very close to each other.
  • Wi-Fi Direct also allows you to transfer data between two Android smartphones without the need for an internet connection. You need to enable Wi-Fi Direct on both smartphones and then select the files you want to transfer.

3. Check your new phone is up-to-date

Install all updates on your new device and check that everything still works. Your new make and model may behave differently because of a different OS version and the level of customization by the original equipment manufacturer (OEM). First, make sure you have the latest updates installed. On most phones it works like this: under About phone or About device, tap Software updates to check whether new updates are available for your device.

Then use your new phone for a day or so. This way you should find any flaws that came with the migration and you may be able to correct them with your old phone still functional.

4. Erase your device

Once you are satisfied everything is working as it should, it’s time to safely retire your old phone.

To remove all data from your Android device, you can reset your device to factory settings. Factory resets are also called formatting or hard resets. As the name implies, this will restore the device to the state it was in when it left the factory. The process is easy enough, but it can’t be reversed, so make sure you have everything important backed up first. On most phones, you can reset your phone through the Settings app. If you can’t find the option in your phone’s Settings app, you can try factory resetting your phone using its power and volume buttons. We recommend checking your manufacturer’s support site for device-specific instructions.

Once you have created a backup and removed all the data from your device, it is now safe to hand it down, sell it on, or have it recycled. There are plenty of nonprofit organizations and local communities that offer options to help you recycle old electronics.

If you don’t feel like giving them away for free, Amazon offers gift cards for just about any kind of electronics device. And many other companies will give you store credit for your old devices, no matter where you bought them.


We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

A week in security (October 2 – October 8)

Last week on Malwarebytes Labs: 

Stay safe!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Multi-factor authentication has proven it works, so what are we waiting for?

Recently, Amazon announced that it will require all privileged Amazon Web Services (AWS) accounts to use multi-factor authentication (MFA), starting in mid-2024.

Our regular readers will know that we feel that passwords alone are not adequate protection, especially not for your important accounts. So we wholeheartedly agree with Amazon on this.

Multi-factor authentication is so much more secure, and with that a lot more forgiving, than passwords alone. I would not recommend it, but writing down your password on a Post-It and pasting it on your monitor won’t do an attacker any good if you have set up your MFA properly. Also not recommended, but you could even re-use your weak password on every site, as long as all those accounts were protected with the best that MFA has to offer.

The last piece of that sentence, “the best that MFA has to offer”, is important. As Amazon wrote in its announcement:

“We recommend that everyone adopts some form of MFA, and additionally encourage customers to consider choosing forms of MFA that are phishing-resistant, such as security keys.”

The takeaway here is that not every form of MFA is equally secure. When given the choice, the best form of MFA is a password and hardware key, but this means you’ll need to buy a hardware key. Please consider doing so, since they are worth the small investment and not nearly as intimidating as they may seem.

Security keys conforming to the FIDO U2F or FIDO2/WebAuthn standards are inherently resistant to reverse proxy and man-in-the-middle attacks that are reportedly on the rise right now.
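Why origin binding defeats a reverse proxy, as an added illustration that is not part of the original post or of any vendor's code: the toy below models the relying party, the browser-supplied origin and the authenticator roles of WebAuthn, with an HMAC standing in for the authenticator's private-key signature (an assumption made to keep it dependency-free; real keys use asymmetric signatures and the site holds only the public key). The domain names are constructed. An assertion is accepted only when the origin the browser actually saw matches the real site, and a proxy that rewrites the origin field after signing invalidates the signature.

```python
"""Toy model of FIDO2/WebAuthn origin binding (added example, not vendor code).

The authenticator signs over the relying-party ID hash and a hash of the
client data, which the browser fills with the origin it is really talking to.
A lookalike site therefore gets a signature the real site rejects.
Assumption: an HMAC with a per-credential secret stands in for the ECDSA key.
"""
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                    # relying-party ID (constructed)
EXPECTED_ORIGIN = "https://example.com"  # origin the real site accepts


class ToyAuthenticator:
    """Stands in for a security key."""

    def __init__(self):
        self._secret = os.urandom(32)  # toy stand-in for the private key

    def public_key(self) -> bytes:
        # Toy: the RP stores the same secret; a real RP stores a public key.
        return self._secret

    def get_assertion(self, rp_id: str, challenge: bytes, browser_origin: str) -> dict:
        # The origin is written by the browser, not by the page or a proxy.
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": challenge.hex(),
            "origin": browser_origin,
        }, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._secret, to_sign, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def verify_assertion(public_key: bytes, assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks, simplified from the WebAuthn verification steps."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("origin") != EXPECTED_ORIGIN:            # origin binding
        return False
    if client.get("challenge") != expected_challenge.hex():  # freshness
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                          # rpId binding
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(public_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo(origin_seen_by_browser: str) -> bool:
    """Run one login where the browser is on the given origin."""
    key = ToyAuthenticator()
    challenge = os.urandom(16)
    assertion = key.get_assertion(RP_ID, challenge, origin_seen_by_browser)
    return verify_assertion(key.public_key(), assertion, challenge)


def demo_proxy_rewrite() -> bool:
    """A relay that edits the origin field after signing breaks the signature."""
    key = ToyAuthenticator()
    challenge = os.urandom(16)
    assertion = key.get_assertion(RP_ID, challenge, "https://example.com.login-verify.test")
    client = json.loads(assertion["client_data"])
    client["origin"] = EXPECTED_ORIGIN
    assertion["client_data"] = json.dumps(client, sort_keys=True).encode()
    return verify_assertion(key.public_key(), assertion, challenge)


if __name__ == "__main__":
    print("real site:", demo("https://example.com"))
    print("lookalike:", demo("https://example.com.login-verify.test"))
    print("rewritten:", demo_proxy_rewrite())
```

A TOTP code or SMS code carries no such binding, which is why those factors can be relayed in real time while a security key assertion cannot.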

If you aren’t ready to take that step yet, the next best form of MFA uses an app that prompts you with a notification on your phone. Next best after that is MFA that uses a code from an app on your phone, and the least good version of MFA uses a code sent over SMS.

But even that least good version provides a good chunk of security.

In 2019, Microsoft’s Alex Weinert wrote that, based on Microsoft’s studies, your account is more than 99.9% less likely to be compromised if you use MFA. This year (2023), Microsoft’s Tom Burt blogged:

“While deploying MFA is one of the easiest and most effective defenses organizations can deploy against attacks, reducing the risk of compromise by 99.2%, threat actors are increasingly taking advantage of “MFA fatigue” to bombard users with MFA notifications in the hope they will finally accept and provide access.”

So, the numbers are slightly down, mainly because cybercriminals have started to adapt and are finding ways to bypass the weakest MFA methods.

An MFA fatigue attack, aka MFA bombing or MFA spamming, is a social engineering strategy where attackers repeatedly trigger second-factor authentication requests. The attacker bombards the user with requests to allow access and hopes the intended victim gets tired of the racket or makes a mistake and pushes the coveted “Yes, that’s me” button.
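One way to surface an MFA fatigue attack in authentication logs, as an added example that is not Microsoft's or Malwarebytes' detection logic: the log format, field names, window and threshold are assumptions, and the sample lines are constructed. A burst of push prompts for one user in a short window, most of them denied or timed out, is the signal to alert on, and an approval at the end of such a burst deserves the most urgent look.

```python
"""Push-bombing detector over authentication logs (added example, not vendor code).

Assumed log layout per line: <ISO timestamp> <user> <event> <result>
where result is approved, denied or timeout. Sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-10-03T08:01:10Z alice mfa_push denied
2023-10-03T08:01:25Z alice mfa_push denied
2023-10-03T08:01:41Z alice mfa_push timeout
2023-10-03T08:02:02Z alice mfa_push denied
2023-10-03T08:02:20Z alice mfa_push denied
2023-10-03T08:02:44Z alice mfa_push approved
2023-10-03T08:05:00Z bob mfa_push approved
2023-10-03T09:30:00Z bob mfa_push denied
2023-10-03T09:45:00Z bob mfa_push approved
"""


def parse_log(text: str) -> list:
    """Turn the constructed log text into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_bombing(events: list, window: timedelta = timedelta(minutes=5),
                        threshold: int = 4) -> dict:
    """Return {user: details} for users who received at least `threshold` push
    prompts inside any rolling `window`. Details record how many prompts were
    not approved and whether the burst ended in an approval."""
    alerts = {}
    recent = defaultdict(deque)  # per-user sliding window of (ts, result)
    for ts, user, event, result in sorted(events):
        if event != "mfa_push":
            continue
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = {
                "prompts": len(q),
                "not_approved": sum(1 for _, r in q if r != "approved"),
                "approved_after_burst": any(r == "approved" for _, r in q),
                "last_seen": ts,
            }
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

Pair an alert like this with the obvious mitigation: number matching or a prompt that requires the user to type something shown on the login screen, so that tapping "approve" by reflex is no longer enough.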

Still, a success rate of over 99% is no small feat. And this number will improve with better MFA.

What is holding us back is the number of sites and services offering us the possibility of using MFA. So please, if you are not doing this, stop asking users for more complex passwords that change every few weeks, but start implementing MFA for them. It will not only increase security but also provide a better user experience.

At some point users should, and will, demand to be able to use MFA to protect their accounts from being abused or taken over by cybercriminals. So, providing them with this option means you are ready for the future.

To help you as a user get started, here are links to the 2FA setup instructions for the five most visited websites:


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Amazon Prime email scammer snatches defeat from the jaws of victory

More often than not, it’s our solemn duty on this site to keep you informed about the nature and tactics of dangerous, cunning, and persistent cybercriminals.

This is not one of those days.

In fact, this is the opposite of one of those days. This is about a passable spam email sent by a spammer who did the phishing equivalent of arriving at the airport three hours early for their flight, the day after it left.

It’s about a malicious email that failed hard because, for all that it got right, it got the most important thing wrong, all but guaranteeing itself an inevitable, rapid, one-way trip to the spam trap.

Still, there are valuable lessons to be learned in failure, and I can’t think of a better way to compound the hapless spammer’s misery than to turn it into a teachable moment that could improve security.

Let’s start with what didn’t go wrong.

What didn’t go wrong

No matter how they’re dressed up, scams almost always boil down to an urgent demand for money. The scammer’s task is to make their breathless cash grab as plausible as possible, which they do by impersonating somebody or something you’re expecting to hear from.

More often than not, that means impersonating familiar brands. Scammers love global brands like Microsoft, Google, Amazon and UPS because they are instantly recognisable, their logos and styling are easy to copy, and people are used to receiving emails from them.

In this case, the urgent demand for money came wrapped in Amazon packaging, pretending that my Prime benefits were on hold because of a billing issue, with 24 hours to resolve by updating my payment method.


The premise is plausible, the colours look right, the logo does too, and the sign off, “Amazon.co.uk Customer Service”, correctly placed me in the UK.

The scammer used a few other tricks to make the scam seem more believable too.

Unusually, the email’s “From” address was an honest-to-goodness amazon.co.uk email, rather than a cute attempt to obscure a non-Amazon email. It’s important to note that this doesn’t mean that the scammer used Amazon infrastructure, or that the email touched Amazon in any way at all—you can put anything you like in an email From address. There’s a reason scammers tend to go for cute tricks though, which we’ll get to below.

Of course the email is just the bait, the actual theft of users’ payment details has to happen on a website somewhere, and scammers don’t often spin up their own infrastructure. For that, they more commonly hijack somebody else’s. The Update Payment Method link in this email links to an admin page on a site belonging to a leading constructor of altar furniture in Vietnam.

Because its address might look weird to an email scanning engine, or an eagle-eyed recipient, the furniture site is reached via an open redirect on Russia’s answer to Facebook, VKontakte, which is a large and well established website that won’t ring any alarm bells.

An open redirect is a URL on a site that can be modified to redirect to any other page on the web. Despite being widely recognised as an undesirable security flaw, open redirects are common on search engines and social media sites, which use them to track the links you click on, much to the delight of scammers.
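A redirect handler in its open form beside a hardened one, as an added example unrelated to VKontakte's actual implementation: the `next` parameter, the site origin and the host allowlist are assumed names. The hardened version accepts only same-site destinations, which is the check that stops a site from serving as a laundering hop for someone else's link.

```python
"""Open redirect versus a same-site-only redirect (added example, not site code).

Assumptions: a 'next' query parameter carries the post-login destination,
SITE_ORIGIN and ALLOWED_HOSTS are constructed values for a hypothetical site.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://social.example"                     # constructed
ALLOWED_HOSTS = {"social.example", "help.social.example"}  # constructed


def redirect_target_vulnerable(next_param: str) -> str:
    # Weak: trusts the user-supplied URL outright, so ?next=https://anything works.
    return next_param


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Return a destination that stays on this site, or `default` otherwise.

    Accepts a plain path (single leading slash) or an absolute https URL whose
    host is on the allowlist; everything else falls back to the default."""
    if not next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: scheme and host must both be acceptable.
        # urlsplit lowercases the scheme and hostname, and a userinfo trick such as
        # https://social.example@other.test yields hostname other.test, which fails here.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return next_param
    # Relative URL: require one leading slash; '//host' is scheme-relative and
    # '/\host' is treated as '//host' by some browsers, so reject both.
    if not next_param.startswith("/") or next_param.startswith(("//", "/\\")):
        return default
    return urljoin(SITE_ORIGIN, next_param)


if __name__ == "__main__":
    for candidate in ["/account", "https://help.social.example/faq", "https://other.test/x",
                      "//other.test/x", "/\\other.test", "javascript:void(0)"]:
        print(f"{candidate!r:40} -> {redirect_target_safe(candidate)}")
```

Tracking redirects are a legitimate need for many sites; the point is that the destination should be resolved server-side from an opaque identifier, or validated as above, rather than taken verbatim from the URL.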

Aside from the fact that it starts “Dear Cusotmer Prime,” the email is chock full of things that make it believable. With all those ingredients in place you might think this email was destined for success, but when it arrived it was instantly and ignominiously dumped into the spam folder.

What didn’t go right

You remember that amazon.co.uk address the scammer used? That’s what didn’t go right. Email in its pure form allows a sender to put anything they like into the From address, but with a bit of work companies can ensure there are consequences if scammers use their domains like this.

Amazon has implemented Domain-based Message Authentication, Reporting and Conformance (DMARC). As soon as the scam mail arrived, our infrastructure checked to see if the email had been digitally signed by Amazon (it hadn’t) and if the scammer’s server was allowed to send amazon.co.uk emails (it wasn’t). With a negative against those checks it didn’t matter how convincing the rest of the email was.
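The alignment logic those two checks feed into, as an added worked example rather than Amazon's or Malwarebytes' mail infrastructure: the DMARC record, domains and SPF/DKIM results below are constructed, and organizational-domain handling is simplified (a real evaluator consults the Public Suffix List, which a domain like amazon.co.uk needs). It shows why the spoofed From address was fatal: a passing SPF result for the spammer's own domain does not help, because DMARC requires the passing identifier to align with the From domain.

```python
"""DMARC disposition from SPF and DKIM results (added example, not vendor code).

Constructed record and message facts; only the tags the logic needs are parsed.
Simplification: the organizational domain is taken as the last two labels.
"""


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Last two labels as the organizational domain (Public Suffix List omitted)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: dict, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> dict:
    """DMARC passes if either SPF or DKIM passes AND aligns with the From domain."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "action": "none"}
    return {"dmarc": "fail", "action": record.get("p", "none")}


# Constructed policy for a hypothetical brand domain.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def evaluate_spoofed_message() -> dict:
    """From: someone@example.com, no DKIM signature, SPF fails at the sending server."""
    return dmarc_disposition(parse_dmarc_record(DMARC_RECORD), "example.com",
                             spf_result="fail", spf_domain="relay.spammer.test",
                             dkim_result="none", dkim_domain="")


def evaluate_spf_pass_unaligned() -> dict:
    """SPF passes for the spammer's own envelope domain, which does not align."""
    return dmarc_disposition(parse_dmarc_record(DMARC_RECORD), "example.com",
                             spf_result="pass", spf_domain="relay.spammer.test",
                             dkim_result="none", dkim_domain="")


def evaluate_legitimate_message() -> dict:
    """Sent through the brand's own relay with an aligned DKIM signature."""
    return dmarc_disposition(parse_dmarc_record(DMARC_RECORD), "example.com",
                             spf_result="pass", spf_domain="bounces.example.com",
                             dkim_result="pass", dkim_domain="example.com")


if __name__ == "__main__":
    print("spoofed:      ", evaluate_spoofed_message())
    print("spf unaligned:", evaluate_spf_pass_unaligned())
    print("legitimate:   ", evaluate_legitimate_message())
```

The `p=` tag is what turns a failed check into a consequence: with `p=none` the receiver only reports, with `p=quarantine` the message goes to spam, and with `p=reject` it is refused outright.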

Now, there is a chance that the scammer is playing 3D chess here and did this deliberately. Administering email systems and policies can be difficult, so many organisations—likely smaller ones—haven’t implemented DMARC, or have switched it off in a heavy-handed solution to an email authentication problem.

So perhaps the scammer has done some back-of-the-envelope maths and calculated that the advantages of using a “real” email address outweigh the considerable disadvantages. Maybe. But a scammer who can do that can probably use a spell checker too, so I prefer to put my faith in Hanlon’s Razor—”Never attribute to malice that which is adequately explained by stupidity”.

VKontakte has the last laugh

When I checked the URL that redirected via VKontakte, I noticed something odd that suggests it was already aware of the offending URL. The redirect should have returned a 301 or 302 status code, indicating that the response was a redirection, but it didn’t; it returned 418, a status code that indicates that the server is a teapot.


From the official Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0), published on April Fool’s Day, 1998:

Any attempt to brew coffee with a teapot should result in the error code “418 I’m a teapot”. The resulting entity body MAY be short and stout.

Kudos.

The most important lesson

The SMTP protocol that email relies upon is a 50-year-old relic of an age when the internet was tiny and trusting. Its intrinsic lack of security has been bolstered over the years by a series of technologies that can ensure emails are encrypted and From addresses can be trusted. However, because they aren’t part of the SMTP specification they are optional, and businesses have to decide to embrace them.

The most important lesson this scam has for businesses, no matter how small, is to set up DMARC.

Whether the scammer was dumber than dirt or playing 3D chess, their email was always going to fail in the face of anti-spoofing checks.



Meta and TikTok consider charging users for ad-free experience

According to a report from the Wall Street Journal, Meta is considering charging its European users around $14 a month if they don’t agree to personalized ads on Facebook and Instagram. On mobile devices, the price for a single account would be higher because Meta would factor in commissions charged by Apple’s and Google’s app stores.

European rules require Meta to get users’ consent in order to show them targeted ads, so this seems like an obvious attempt to make up for the advertising revenue lost when a user declines to give their consent. In the past, Meta tried to circumvent the European legislation by claiming in court that showing advertisements was an integral part of the services stipulated in the user agreement.

A Meta spokesperson said:

“[The company] believes in free services which are supported by personalized ads, but is exploring options to ensure compliance with evolving regulatory requirements.”

Meta has spoken with digital-competition regulators in Brussels, privacy regulators in Ireland, and other EU privacy regulators about its proposal, according to the report. The company has reportedly named the plan “subscription no ads” (SNA), and it wants to start rolling it out in the coming months.

At the same time, the BBC reports that TikTok is testing a monthly subscription model for ad-free content. The current price during the test for this feature is $4.99 per calendar month. Reportedly, the test is being done at a small scale and it’s not clear whether a subscription model will be rolled out globally.

YouTube and X, formerly Twitter, are among sites already offering fewer or no ads for a monthly fee. X Premium promises to show 50% fewer advertisements on your “Following” and “For you” timelines. YouTube Premium offers YouTube and YouTube Music without advertisements.

It is unknown whether the SNA model that Meta is trying to agree upon with European privacy watchdogs will also restrict the information gathering that takes place on the platforms. If not, it is quite likely that you will still get targeted ads based on your Facebook activity; you’d just see them on other sites you visit. If that’s the case, Facebook will make money off your presence on more than one side.

Netflix, Spotify, and others like them, allow you to pay for ad-free movies and music, so maybe the model can easily be ported to YouTube. But whether it will work for social media remains to be seen.

It’s also unknown whether Meta will be offering the same option to users outside of the EU. This may well depend on how successful the formula turns out to be for the company. The announced “Meta Verified” paid verification subscription service extends verification beyond notable users, such as politicians, executives, members of the press and organizations, who use it to signal their legitimacy.

Obviously it is up to you, if you are presented with a choice, to decide whether you prefer to pay directly, or you’d rather be the subject of targeted advertising. Given that a big part of the population is active on several social media platforms, all the monthly subscriptions would add up to a sum most young people can’t afford to shell out, so there’s a good chance that it will be mostly business as usual for the social media giants.

