IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

A week in security (August 14 – August 20)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Attackers demand ransoms for stolen LinkedIn accounts

An ongoing campaign targeting LinkedIn accounts has led to victims losing control of their accounts, or being locked out following repeated login attempts.

Whether the attackers are using brute force methods or credential stuffing isn’t known, but because some victims are being locked out following a large number of failed attempts, brute force is a reasonable suspicion. It’s also quite possible that the attackers are using a combination of methods. Credential stuffing is a popular tactic of trying username and password combinations acquired from breached data against other services; it succeeds wherever people reuse passwords. In a brute force attack, attackers typically try a large number of common passwords against a single account, which is exactly the kind of behaviour that trips lockout thresholds.
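The distinction above is also what a defender sees in authentication logs: brute force piles many failures onto one account, while credential stuffing spreads one or two attempts over many accounts from the same source. The following is an added example, not code from the original post or from LinkedIn; the log format, the thresholds and the sample lines are constructed for illustration and would need adapting to whatever your identity provider actually emits.

```python
import re
from collections import defaultdict

# Constructed line format: "<timestamp> <source ip> <OK|FAIL> user=<account>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+)$")

SAMPLE_LOG = "\n".join(
    # one source hammering one account with many guesses (brute force)
    [f"2023-08-15T10:00:{i:02d}Z 203.0.113.7 FAIL user=alice" for i in range(8)]
    # one source trying one breached pair per account across many accounts (credential stuffing)
    + [f"2023-08-15T10:01:{i:02d}Z 198.51.100.9 FAIL user=user{i}" for i in range(6)]
    # a typo followed by a successful login (benign)
    + ["2023-08-15T10:02:00Z 192.0.2.5 FAIL user=bob",
       "2023-08-15T10:02:05Z 192.0.2.5 OK user=bob"]
)


def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify_sources(log_text, min_failures=5, stuffing_ratio=0.8):
    """Label each source IP as brute-force, credential-stuffing or benign.

    The thresholds are assumptions for this example: below min_failures nothing
    is concluded; above it, if nearly every failure hits a different account the
    source is spraying breached pairs, otherwise it is guessing at few accounts.
    """
    failures, accounts = defaultdict(int), defaultdict(set)
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            failures[ev["ip"]] += 1
            accounts[ev["ip"]].add(ev["user"])
    labels = {}
    for ip, n in failures.items():
        if n < min_failures:
            labels[ip] = "benign"
        elif len(accounts[ip]) / n >= stuffing_ratio:
            labels[ip] = "credential-stuffing"
        else:
            labels[ip] = "brute-force"
    return labels


def locked_out_accounts(log_text, lockout_threshold=5):
    """Accounts whose failure count reached the lockout threshold, the symptom the victims reported."""
    per_user = defaultdict(int)
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            per_user[ev["user"]] += 1
    return sorted(u for u, n in per_user.items() if n >= lockout_threshold)
```

Both signals matter: the per-source labels tell you which IPs to rate-limit or block, and the per-account failure counts tell you which users are about to be (or already are) locked out and should be warned to check their recovery email and turn on two-step verification.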

Either way, victims are complaining about slow response times from LinkedIn support.

The campaign is targeting LinkedIn users all over the world. It pressures the victims that have lost control of their accounts into paying a ransom to avoid having their accounts deleted by the attackers.

Screenshot of a victim asking for help: “Someone has hacked my account and asking for money and no response from LinkedIn Help”

The X account of LinkedIn Help is swamped with similar messages

Victims are usually made aware of the take-over by a notification that the email address associated with their account has changed. In many of the examples we saw the new email address was linked to the Russian “rambler.ru” service. This does not necessarily mean the attack is originating from Russia, but it’s not unthinkable that the accounts will be used in disinformation campaigns. According to one victim we spoke to the attackers added fake accounts to their connections.

But the accounts could also be used to distribute malware, phishing campaigns, or other types of fraud. And if that’s the case, the deletion of the account sounds better to me than having your reputation damaged.

From complaints seen by BleepingComputer, LinkedIn support has not been helpful in recovering the breached accounts, with users just getting frustrated by the lack of response.

The LinkedIn Help account has pinned a message to say:

“Hey there! 👋 We’re experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we’re doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks! 🙌”

The best defence against brute force attacks, credential stuffing, and other password attacks, is to set up two-step verification.

Setting up MFA for LinkedIn with Okta turned out to be painful, because LinkedIn does not provide a QR code but a secret key that is so long it’s hard to type correctly the first (or second) time. But since an authenticator app is safer than SMS 2FA, this is how it’s done:

  • Open Settings & Privacy
  • Under Sign in & security, select Two-step verification
  • Set the option to on and you will be presented with two choices
  • Choose the Authenticator app method and follow the instructions from there

You will receive an email confirming the change that tells you: From now on, you can use your authenticator app to get a verification code whenever you want to sign in from a new device or browser.
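What the authenticator app does with that long secret key is standard TOTP (RFC 6238): an HMAC-SHA1 over a 30-second time counter, truncated to six digits. The following added example is not code from the original post, from LinkedIn or from Okta; it implements that derivation, and also shows why a mistyped key fails silently: a secret that differs by a single character produces entirely different codes, which is why the long manual entry described above is so error-prone. The normalize_secret helper is an assumption about how a hand-typed key should be cleaned up; the test vectors used are the published RFC 6238 ones.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_secret(typed: str) -> str:
    """Clean up a manually typed base32 secret: drop spaces and dashes, upper-case, restore '=' padding.
    (Assumption: apps generally accept the key this way; LinkedIn's exact formatting is not documented here.)"""
    s = "".join(ch for ch in typed if ch.isalnum()).upper()
    return s + "=" * (-len(s) % 8)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(key, counter) with dynamic truncation."""
    key = base64.b32decode(normalize_secret(secret_b32), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `period`-second steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits)


def verify_totp(secret_b32: str, code: str, at_time=None, window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock skew,
    comparing in constant time so the check itself does not leak digits."""
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // period
    return any(hmac.compare_digest(hotp(secret_b32, step + d, len(code)), code)
               for d in range(-window, window + 1))
```

The same secret on the site and in the app is the whole security property: no code ever travels over SMS, so SIM swapping or SS7 interception does not help an attacker, and a stolen password alone does not pass the login.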



Patch now! Citrix Sharefile joins the list of actively exploited file sharing software

The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate it by September 6, 2023 to protect their networks against this active threat. We urge everyone else to take it seriously too, and preferably not to wait until the last moment.

According to the Citrix security advisory, this vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.

Citrix customers should update to the latest version of ShareFile storage zones controller and read the instructions for upgrading. As an extra precaution Citrix has blocked all customer-managed ShareFile storage zones controllers versions prior to the latest version (5.11.24). Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as CVE-2023-24489 and has a CVSS score of 9.1 out of 10. It is a cryptographic bug in Citrix ShareFile’s Storage Zones Controller, a .NET web application running under Internet Information Services (IIS). Due to errors in how ShareFile handles cryptographic operations, attackers can generate valid padding, which enables unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE).
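The bug class that description points at (an attacker can produce input that passes a padding check without knowing the key) is a padding oracle. The following added example is not ShareFile’s code and makes no claim about how ShareFile’s cryptography is built; it uses a toy block cipher so that it runs offline, and shows in general how a server that merely reveals whether padding was valid lets an attacker both decrypt CBC ciphertext and forge ciphertext with valid padding and attacker-chosen content, and how authenticating the ciphertext before touching the padding removes the oracle. Key, IV and messages are constructed.

```python
import hashlib
import hmac
import os

BS = 16  # block size in bytes


# --- toy 16-byte Feistel block cipher: illustrative only, NOT ShareFile's cipher, NOT for real use ---
def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


# --- PKCS#7 padding and CBC mode ---
def pad(data):
    n = BS - len(data) % BS
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BS):
        prev = block_encrypt(key, _xor(padded[i:i + BS], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BS):
        blk = ct[i:i + BS]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


# --- the vulnerable server behaviour: a distinguishable "bad padding" answer ---
def padding_oracle(key, iv, ct):
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False


# --- attacker side: only the oracle, never the key ---
def recover_intermediate(oracle, target):
    """Find block_decrypt(key, target) byte by byte, about 256 oracle queries per byte."""
    inter = bytearray(BS)
    for pos in range(BS - 1, -1, -1):
        padv = BS - pos
        forged = bytearray(BS)
        for j in range(pos + 1, BS):
            forged[j] = inter[j] ^ padv  # known bytes are set so they decrypt to padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BS - 1:
                # the last byte can match by accident (e.g. plaintext ending 0x02 0x02):
                # perturb the byte before it and confirm the padding is really 0x01
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check), target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("no valid padding found: not a padding oracle?")
    return bytes(inter)


def decrypt_without_key(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    pt = b"".join(_xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1])
                  for i in range(1, len(blocks)))
    return unpad(pt)


def forge(oracle, plaintext):
    """Produce (iv, ct) that decrypts to pad(plaintext): valid padding AND attacker-chosen content."""
    padded = pad(plaintext)
    chain = [os.urandom(BS)]  # the last ciphertext block can be anything
    for i in range(len(padded) - BS, -1, -BS):
        inter = recover_intermediate(oracle, chain[0])
        chain.insert(0, _xor(inter, padded[i:i + BS]))  # previous block := D(next) XOR wanted plaintext
    return chain[0], b"".join(chain[1:])


# --- the fix: authenticate first, decrypt second, one uniform error ---
def seal(key, mac_key, iv, plaintext):
    ct = cbc_encrypt(key, iv, pad(plaintext))
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(key, mac_key, iv, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("invalid")  # forged input is rejected before any padding is examined
    return unpad(cbc_decrypt(key, iv, ct))
```

The attacker never sees the key: each oracle call only answers "padding valid or not", and that single bit per query is enough to recover every intermediate value and therefore to forge ciphertext the server will accept. With encrypt-then-MAC (or an AEAD mode) the server rejects anything it did not produce before the padding is ever examined, and it returns the same error for a bad tag and bad padding, so there is nothing left to distinguish.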

Several Proof of Concepts (PoCs) have been made available since the vulnerability was discovered in July.

This year, the Cl0p ransomware gang has made extensive use of vulnerabilities in file transfer software. In March it emerged from dormancy to become the most active gang in the world by exploiting a zero-day vulnerability in GoAnywhere MFT. After going quiet for a few months it repeated the trick in June and July as its widespread exploitation of a MOVEit Transfer zero-day vulnerability became clear.

With Cl0p seemingly looking for exactly this kind of vulnerability, it should be a no-brainer that this needs to be patched as soon as possible.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Exchange Server security updates updated

Microsoft has re-released the August 2023 Security Updates (SUs) for Exchange Server. The original release of the SUs, from August 8 2023, had a localization issue with Exchange Server running on a non-English operating system (OS) that caused Setup to stop unexpectedly, leaving Exchange services in a disabled state.

Exchange Online users are already protected from the vulnerabilities addressed by these Security Updates and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

This patch comes with a complicated table of recommended actions, in which version 1 is the original August 2023 SU and version 2 is the re-released August 2023 SU. Microsoft says:

  • If you successfully installed version 1 without problems, no further action is needed.
  • If you installed version 1 automatically without any problems or issues, version 2 will be downloaded automatically.
  • If the installation of version 1 failed, leaving Exchange services disabled, and you restarted the Exchange services without installing version 1 again, you should install version 2.
  • If the installation of version 1 failed, leaving Exchange services disabled, you restarted the Exchange services, and you used the workaround to manually create a “Network Service” account and then installed version 1, you should:
    • Uninstall version 1 and reboot.
    • Remove the manually created “Network Service” account (if it still exists).
    • Install version 2.

If version 1 was never installed, you can skip straight to version 2. Although there is no reason to suspect there are active exploits in the wild, we still recommend doing this as soon as possible to protect your environment: Exchange servers are attractive targets for cybercriminals.

The vulnerability fixed by the security update, listed as CVE-2023-21709, required users to run a script in addition to installing the update. If you took the extra steps needed to address CVE-2023-21709, none of the actions above will undo them, so you do not have to repeat or undo them at any point. But again, if you haven’t done so yet, you should do it as soon as possible.



Citrix NetScalers backdoored in widespread exploitation campaign

Fox-IT has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). Over 1900 instances were found to have a backdoor in the form of a web shell. These backdoored NetScalers can be taken over at will by an attacker, even when they have been patched and rebooted.

A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. The scripts are placed on internet-facing servers and devices so they can be reached remotely.

In July, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical unauthenticated remote code execution (RCE) vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE that the cybercriminals used to plant the backdoor is listed as:

CVE-2023-3519 (CVSS score 9.8 out of 10): a Citrix NetScaler ADC and NetScaler Gateway code injection vulnerability. The vulnerability can lead to unauthenticated RCE. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and accounting (AAA) virtual server.

Fox-IT (in collaboration with the Dutch Institute of Vulnerability Disclosure) scanned for the web shells to identify compromised systems. As of August 14th, 1828 NetScalers remained backdoored; 1248 of those had already been patched against CVE-2023-3519 but still carried the backdoor. So, it seems that many administrators saw the need to patch for the vulnerability, but didn’t realize that patching was not enough to deal with an already established backdoor.

Several factors indicate that the biggest part of this exploitation campaign took place between late July 20th and early July 21st. Some systems have been compromised with multiple web shells. In total, the scans revealed 2491 web shells on a total of 1952 compromised NetScalers.

The campaign was likely targeted at European organizations. Of the top five affected countries, only one is located outside of Europe, in Japan. Germany alone accounts for over 500 backdoored instances.

On August 10, 2023, the DIVD started reaching out to organizations affected by the web shell. It used its already existing network and responsible disclosure methods to notify network owners and national CERTs. There is no reason to wait for such a notification however.

Prevention, detection and response

If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it as soon as possible, especially if you’re utilizing any of the following features:

  • SSL VPN
  • ICA Proxy
  • CVPN
  • RDP Proxy
  • AAA virtual server

If you are not using any of these features, we still recommend that you patch to a non-vulnerable version to prevent your appliance from becoming vulnerable when you start using one of these functions in the future.

Regardless of whether and when the patch was applied, it is recommended that you perform an Indicator of Compromise check on your NetScalers.

There are several resources available that document the in-the-wild exploitation of Citrix appliances where forensic artifacts can be found:

  • Mandiant has provided a bash-script to check for Indicators of Compromise on live systems. Be aware that if this script is run twice, it will yield false positive results as certain searches get written into the NetScaler logs whenever the script is run.

If you find that your Citrix NetScaler has been compromised, make sure to set up a clean system from scratch, or at the very least restore from a backup or snapshot taken before the compromise. But first, ideally working from a forensic copy of both the disk and the memory of the appliance, investigate whether the backdoor has been used by the attackers. Usage of the web shell should be visible in the NetScaler access logs. If there are indications that the web shell has been used to perform unauthorized activities, it’s essential to perform a larger investigation, to see whether the adversary has successfully taken steps to move laterally from the NetScaler.
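One way to do the access-log part of that check, as an added example that is not Fox-IT’s, Mandiant’s or Citrix’s code: flag requests to script files that are not part of a known-good file manifest, and skip the requests made by your own IoC checker so that a second run does not flag the first one (the false-positive problem noted for the Mandiant script). The log format, the baseline paths, the web shell path and the scanner user-agent are assumptions, and the sample lines are constructed; build the real baseline from a clean appliance on the same firmware.

```python
import re

# Combined-log-format line; if the appliance writes a different format, adjust this regex.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".pl", ".py", ".sh")

# Hypothetical baseline: script files that legitimately exist under the web root.
# Anything with a script extension outside this set is a candidate web shell.
BASELINE_SCRIPTS = {"/vpn/index.php", "/logon/login.php"}

# User-agent our own IoC checker sends, so its requests are excluded on re-runs.
SCANNER_UA = "ioc-check/1.0"

# Constructed sample: a shell dropped on 21 July, used again on 2 August, plus our own check on 14 August.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [21/Jul/2023:02:14:07 +0000] "GET /vpn/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jul/2023:02:14:09 +0000] "POST /vpn/themes/x.php HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.23 - - [02/Aug/2023:11:03:51 +0000] "POST /vpn/themes/x.php HTTP/1.1" 200 1320 "-" "curl/8.1.2"
192.0.2.77 - - [14/Aug/2023:08:00:00 +0000] "GET /vpn/themes/x.php HTTP/1.1" 200 0 "-" "ioc-check/1.0"
192.0.2.5 - - [14/Aug/2023:09:12:30 +0000] "GET /logon/login.php HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
"""


def webshell_candidates(log_text, baseline=BASELINE_SCRIPTS, scanner_ua=SCANNER_UA):
    """Map each non-baseline script path to who requested it, how, and when (first/last seen)."""
    hits = {}
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching the manifest
        if not path.lower().endswith(SCRIPT_EXT) or path in baseline:
            continue
        if m["ua"] == scanner_ua:
            continue  # our own checker; without this, the second run flags the first run
        h = hits.setdefault(path, {"count": 0, "sources": set(), "methods": set(),
                                   "first": m["ts"], "last": m["ts"]})
        h["count"] += 1
        h["sources"].add(m["ip"])
        h["methods"].add(m["method"])
        h["last"] = m["ts"]
    return hits
```

The first/last timestamps are the part worth reading closely: a shell that was only ever hit during the initial exploitation window is a different incident from one that was still being used weeks later, after the appliance had been patched. Every source IP in the hits is then a pivot for the wider investigation the paragraph above calls for.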



Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams

Back in January 2020, we blogged about a tech support scam campaign dubbed WoofLocker that used by far the most complex traffic redirection scheme we had ever seen. In fact, the threat actor had started deploying infrastructure in earnest as early as 2017, about 3 years prior to our publication.

Fast forward to 2023, another 3 years have gone by and this campaign is still going as if nothing has happened. The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts. This change may have been in response to the work we did with web hosting companies and registrars, which only put this operation out of business temporarily.

It is just as difficult to reproduce and study the redirection mechanism now as it was then, especially in light of new fingerprinting checks. By connecting previous indicators of compromise we were able to expand our knowledge about the first iteration of WoofLocker and its new setup.

While we still do not know a lot about who is behind this scheme, we believe it may be the work of different threat actors that specialize in their area of expertise. WoofLocker may very well be a professional toolkit built specifically for advanced web traffic filtering and used exclusively by one customer. Victims that fall for the scam and call the phone number are then redirected to call centres presumably in South Asian countries.

This blog post summarizes our latest findings and provides indicators of compromise that may be helpful to the security community.

Overview

Contrary to other tech support scam campaigns that often rely on malvertising as a delivery vector, we only observed WoofLocker being distributed via a limited number of compromised websites. The threat actor appears to have gained access to two categories: non adult traffic and adult traffic. That distinction can be seen in the unique redirection URL created for each victim with a parameter called “nad” and “ad” respectively.

Malicious JavaScript embedded in the compromised websites is used to retrieve the WoofLocker framework directly into the DOM from one of a handful of domain names. The code used by WoofLocker is highly obfuscated and makes use of steganography, a technique that embeds data inside of images.

Each victim that visits the compromised site is fingerprinted to determine if they are legitimate or not. Numerous checks are performed to detect the presence of virtual machines, certain browser extensions and security tools. Only genuine residential IP addresses are considered, provided they have not already been fingerprinted.

Figure 1: WoofLocker version 2 diagram

The information from victims is sent back to the server as a PNG image (the data is hidden inside thanks to steganography) and followed by two possible outcomes. Users deemed not interesting will not see anything further, while potential victims will get redirected to another domain via a URL generated on the fly, with a unique ID only valid for this specific session.

This redirection shows the familiar browser locker screen with a fake warning about computer viruses. That part of the code is relatively straightforward and inspired by existing templates.

Compromised sites

As mentioned earlier, the threat actor is using two different types of traffic: adult and non adult. The majority of websites loading WoofLocker are adult sites and this is not a coincidence as it plays into the scam’s social engineering tactics.

Originally, the injected code was not obfuscated and contained the fingerprinting checks, but in 2021 the threat actors changed it to simplify the injection and move some of the logic outside:

Figure 2: Code injected into compromised sites (comparison)

In the image below, we are using Chrome’s Developer Tools to see malicious code dynamically injected into the DOM. As a website administrator going directly to the raw HTML page, you might not see anything injected.

Figure 3: Code viewed in developer tools

This code allows the threat actor to connect with their fingerprinting and redirection infrastructure, which in this case is located at cdncontentstorage[.]com.

Fingerprinting

We previously described the fingerprinting mechanism in detail and it remains very similar. There were a few additions though, such as the check for specific Chrome extensions (GeoEdge, Kaspersky, McAfee). There also seems to be some kind of proxy detection, or perhaps detection specific to web debugging tools like Fiddler. This makes it much harder for security researchers to get a traffic capture as evidence of malfeasance.

Figure 4: Chrome extensions checks

URL redirection

We were able to identify the redirection URL this time, after numerous replays and debugging attempts:

Figure 5: Browser locker URL is sent hidden in PNG image

Again, the threat actor uses steganography to include JavaScript code inside of an image. The browser reads that response via the getImageData function and executes it. Here, we can see the URL that is unique to this session (uid) and used for the redirect to the browser locker page.
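To make the steganographic step concrete, here is an added example that is not WoofLocker’s code and does not reproduce its actual encoding scheme (which the post does not document): it hides a payload in the least-significant bit of each colour channel of a raw RGBA pixel buffer, the same kind of buffer getImageData returns in the browser, reads it back, and then pulls the redirect URL out of the recovered text. The cover buffer, the payload and the redirect.example URL are constructed; the point is that the image still looks untouched (no channel changes by more than 1) while carrying code.

```python
import re
import struct


def make_cover(width, height):
    """Constructed RGBA pixel buffer (a smooth gradient), standing in for canvas getImageData() output."""
    return bytes((i * 7) % 256 for i in range(width * height * 4))


def embed(pixels, payload):
    """Write a 4-byte length prefix plus the payload into the least-significant bit of each channel byte."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(pixels, start_bit, n):
    out = bytearray()
    for b in range(n):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[start_bit + b * 8 + k] & 1)
        out.append(byte)
    return bytes(out)


def extract(pixels):
    """Recover the payload: read the length prefix, then that many bytes, from the channel LSBs."""
    length = struct.unpack(">I", _read_bytes(pixels, 0, 4))[0]
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size: not a stego buffer")
    return _read_bytes(pixels, 32, length)


def max_channel_delta(a, b):
    """Largest per-channel change between two buffers; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_urls(text):
    """Pull URLs (such as a session-specific redirect) out of recovered script text."""
    return URL_RE.findall(text)
```

This is also why proxy-based inspection misses the redirect: on the wire the response is a valid PNG, and the URL only exists after the browser has decoded the pixels and the script has reassembled the low bits. Detecting it means looking at what the page does with the pixel data (getImageData followed by eval or a Function constructor), not at the image itself.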

Web traffic

We were able to record a full traffic capture despite WoofLocker’s evasion techniques. As mentioned previously, it appears that certain tools that involve proxying traffic may be detected. We had to use a different mechanism to get this traffic without being detected.

Sequentially, we see the fingerprinting checks being done with the use of steganography. The absence of the specific Chrome extensions the threat actor is looking for also generates some traffic. The final part is the user data validation and creation of a unique id (uid). The code once again uses steganography to load the malicious URL corresponding to the browser locker page.

Figure 6: Traffic capture showing the fingerprinting and redirection mechanisms

Infrastructure comparison

Since our original blog post, we were able to identify additional parts of the WoofLocker infrastructure. What is most interesting is how the threat actors completely changed it and went with hosting providers that appear to give them stronger protection against takedowns.

Figure 7: WoofLocker version 1

The ASNs are located in Bulgaria and Ukraine:

Figure 8: WoofLocker version 2

Conclusion

WoofLocker is an advanced fingerprinting and redirection toolkit that appears to have been built for a single customer. While it could be used for any web threat as an evasion framework, it has been pushing tech support scams for the past 6 years.

Unlike other campaigns that rely on purchasing ads and playing whack-a-mole with hosting providers and registrars, WoofLocker is a very stable and low maintenance business. The websites hosting the malicious code have been compromised for years while the fingerprinting and browser locker infrastructure appears to be using solid registrar and hosting providers.

Malwarebytes users have always been protected against this threat thanks to our heuristic detection engine.

Indicators of Compromise

Fingerprinting and redirection infrastructure:

api[.]cloudcachestels[.]com
api[.]cloudseedzedo[.]com
api[.]imagecloudsedo[.]com
appcloudzedo[.]com
cdn[.]contentob[.]com
cdncontentstorage[.]com
cdnpictureasset[.]com
cloudcusersyn[.]com
cloudgertopage[.]com
cloudlogobox[.]com
csscloudstorage[.]com
datacloudasset[.]com
logosvault[.]com
miniassetcloud[.]com

Recent browser locker domains:

furakelw[.]com
gopilofan[.]com
zemolist[.]com
besoliza[.]com
vedopixt[.]com
defolis[.]com
somawan[.]com
vulidoc[.]com
barustan[.]com
semilupa[.]com
bopiland[.]com
somalics[.]com
sebasong[.]com
molesanu[.]com
xepilondi[.]com
malubana[.]com
beeronas[.]com
lobosixt[.]com
gomoyad[.]com

Malvertisers up their game against researchers

Threat actors constantly take notice of the work and takedown efforts initiated by security researchers. In this constant game of cat and mouse, tactics and techniques keep evolving from simple to more complex, and more covert.

This is a trend we have observed time and time again, no matter the playing field, from exploit kits to credit card skimmers. As defenders, we may have mixed reactions: on the one hand, as technical people we naturally appreciate a well-written exploit or piece of code and the challenge it creates. There is something about it that sparks our interest and curiosity. On the other hand, we know that the people behind it have bad intentions and intend to do harm.

In today’s blog post, we look at a recent malvertising chain that started using a more advanced cloaking technique to remain under the radar. Based on our tracking, it is a new trend for these malvertising campaigns dropping infostealers and other malware used by initial access brokers in ransomware operations.

Malicious ad and cloaking

Threat actors continue to target certain IT programs such as remote access programs and scanners by creating ads that are displayed on popular search engines such as Google. The ad below is for the Advanced IP scanner tool and was found when performing a Google search from a US IP address.

Figure 1: Malicious ad on Google for Advanced IP Scanner

The domain name advnced-lp-scanner[.]com may look legitimate but it is not. It was registered on Jul 30 2023 and is hosted on a server in Russia at 185.11.61[.]65.

If you were to investigate this ad, you would likely open it up in a virtual machine and see what it leads to. One of the most common checks that is done by threat actors is a simple server-side IP check to determine whether you are running a VPN or proxy or have visited the site before. That means that as researchers we need to constantly find new IP addresses that look legitimate and then revisit the page again.

Interestingly, even with a fresh IP address the landing page looked innocent. This can happen for different reasons, for example if the threat actor is in the process of setting up the site and hasn’t finished swapping it to the malicious version. Or it could also be that the time of day is not in line with when the attacker is making the switch.

Figure 2: Decoy page without any malware to download

Advanced fingerprinting

Looking closer at the network requests from the ad to the web server we saw new code that looked suspicious. This is Base64 encoded JavaScript that is loaded before anything else on the page.

In fact, this client-side request was performed after a server-side IP check to determine if your IP address was clean. In other words, this is another layer that needs to be processed before we get to see what we are looking for.

Figure 3: Suspicious Base64-encoded code

We can deobfuscate this code using CyberChef and further beautify it to see what it does. Here are some of those checks:

  • browser properties such as window and screen size
  • time zone (difference between UTC and local time)
  • browser rendering capabilities related to video card driver
  • MIME type for MP4 file format 

Figure 4: Decoded fingerprinting script

Many tools used by researchers are scripted in Python and will fail the test, because they fetch the page without running its JavaScript and never produce the expected values. The same goes for virtual machines: the WEBGL_debug_renderer_info extension exposes the graphics renderer string, which can reveal virtualization such as VMware or VirtualBox.

The data that is collected from visitors is then sent back to the attacker’s website via a POST request for further parsing and to determine what action to take next.
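Those checks give defenders something to look for in a landing page. The following added example, which is neither the threat actor’s script nor Malwarebytes’ tooling, triages a page by decoding inline base64 blobs (the form the script was found in above) and scoring them for browser APIs that mostly serve fingerprinting. The marker list, the weights and the threshold are judgement calls, and the sample page and script are constructed to resemble the checks described above; the benign sample shows that short base64 tokens and image data are not flagged.

```python
import base64
import re

# Browser APIs that mostly serve to fingerprint the visitor; the weights are a judgement call.
FINGERPRINT_MARKERS = {
    "WEBGL_debug_renderer_info": 3,  # renderer string reveals VMware/VirtualBox adapters
    "UNMASKED_RENDERER_WEBGL": 3,
    "navigator.webdriver": 3,        # set when the browser is driven by automation
    "getTimezoneOffset": 1,          # UTC vs local time
    "canPlayType": 1,                # MIME/codec support, e.g. video/mp4
    "screen.width": 1,
    "screen.height": 1,
    "outerWidth": 1,
    "innerWidth": 1,
}

# base64 fed to atob(...) or embedded as a data: URI; 40+ chars so tiny tokens are skipped
B64_RE = re.compile(r'(?:atob\(\s*["\']|base64,)([A-Za-z0-9+/]{40,}={0,2})')


def decode_candidates(html):
    """Return every base64 blob in the page that decodes to UTF-8 text (images and junk are dropped)."""
    found = []
    for m in B64_RE.finditer(html):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return found


def fingerprint_score(js):
    """Weighted count of fingerprinting markers, plus the sorted list of markers seen."""
    present = {k: js.count(k) for k in FINGERPRINT_MARKERS if k in js}
    return sum(FINGERPRINT_MARKERS[k] * n for k, n in present.items()), sorted(present)


def scan_page(html, threshold=5):
    """(score, markers) for each decoded blob that scores at or above the threshold."""
    results = [fingerprint_score(js) for js in decode_candidates(html)]
    return [(score, markers) for score, markers in results if score >= threshold]


# Constructed sample: an ad landing page that evals a base64 script resembling the checks above.
SAMPLE_JS = """var gl=document.createElement('canvas').getContext('webgl');
var dbg=gl.getExtension('WEBGL_debug_renderer_info');
var d={gpu:gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL),tz:new Date().getTimezoneOffset(),
w:screen.width,h:screen.height,mp4:document.createElement('video').canPlayType('video/mp4'),
wd:navigator.webdriver};
fetch('/collect',{method:'POST',body:JSON.stringify(d)});"""
SAMPLE_HTML = ('<html><script>eval(atob("' + base64.b64encode(SAMPLE_JS.encode()).decode()
               + '"))</script><img src="data:image/png;base64,iVBORw0KGgo="></html>')
BENIGN_HTML = '<html><script>atob("aGVsbG8=")</script><p>Download</p></html>'
```

This is a triage heuristic, not a verdict: a legitimate page may use one or two of these APIs, and a determined actor can split the markers across strings so that a plain substring count misses them. A high score is the cue to capture the decoded script and the subsequent POST, which is the evidence an ad platform needs before it will act.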

Figure 5: POST request sending victim’s details to attacker

Below is the web traffic view of a successful redirection to the malicious page where the victim can download the malware payload.

Figure 6: Web traffic from malicious ad to payload page

And this is the malware landing page:

Figure 7: Malware landing page after successfully passing the fingerprinting checks

We can now collect the payload and make sure that it is detected.

Conclusion

By using better filtering before redirecting potential victims to malware, threat actors ensure that their malicious ads and infrastructure remain online longer. Not only does it make it more difficult for defenders to identify and report such events, it also likely has an impact on takedown actions. In the majority of cases where we have reported malvertising incidents, the abused platform needs to validate the information before taking action against the advertiser.

This makes sense as reports could be erroneous and lead to advertising accounts being suspended unjustly. However, it also means that while an incident is being investigated and reproduced (which could take hours), people will click on those ads and download malware.

As we continue to report malvertising campaigns, we improve our understanding of the threat actors’ TTPs and adjust our toolsets accordingly. Any intelligence gathered is shared within our products and ultimately delivered to Malwarebytes customers via web and malware protection updates to ensure they remain protected.

Discord.io confirms theft of 760,000 members’ data

Discord.io is (or rather was) a third party service that enables owners of Discord servers to create customized, personal Discord invites. After a preview of Discord.io’s user database was posted on BreachForums, the owners decided to shut down all Discord.io services “for the foreseeable future.” Existing premium subscriptions have been canceled and Discord.io promised to reach out as soon as possible on an individual basis.

The site confirms that there has been a data breach

The stolen information could include your discord.io username and your Discord ID, your email-address, your billing address, and a salted and hashed password if you signed up in 2018 or earlier. (In 2018 discord.io started to exclusively offer Discord as a login option.)

Payment details are said to be safe because those are stored safely by the payment partners, Stripe and PayPal. Discord.io has confirmed the authenticity of the breach, by an entity acting under the name Akhirah.

It is important to know that Discord is not affiliated with discord.io, a spokesperson from Discord told Stackdiary:

“Discord is not affiliated with Discord.io. We do not share any user information with Discord.io directly and we do not have access to or control of information in Discord.io’s custody.”

Discord has revoked the OAuth authentication tokens for any Discord user that has used Discord.io, so that app can no longer perform actions on behalf of those users until they re-authenticate. Affected Discord users should change their passwords and enable multi-factor authentication (MFA).

To enable MFA on Discord:

  • Open the Discord desktop app or go to discord.com/login and enter your credentials to log in.
  • Go to the second vertical tab, and then click the gear icon beside the Mute and Deafen options to open user settings.
  • In the My Account tab, scroll down and click Enable Two-Factor Auth.
  • Enter your Discord password and open the authenticator app of your choice on your device.
  • Scan the QR code and enter the six-digit code to enable 2FA. You may want to write down the key and store it in a secure space, in case you should somehow lose access to your account.
  • Click Enable SMS Authentication to enable 2FA on Discord via SMS.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Beware malware posing as beta versions of legitimate apps, warns FBI

The FBI has issued a warning that cybercriminals are embedding malicious code in mobile beta-testing apps in attempts to defraud potential victims. The victims are typically contacted on dating sites and social media, and in some cases they are promised incentives such as large financial payouts.

Beta-testing apps are new versions of software that are undergoing their final tests and aren’t quite ready to be officially released. In the legitimate software ecosystem, beta testing gives users a chance to improve their favorite apps and get early access to new features. For criminals, “beta-testing” apps offer a plausible reason for victims to download software from unsafe places, away from the usual app stores, without raising their suspicions.

To make the apps look legitimate, the criminals use familiar-looking names, images, or descriptions that resemble popular apps. Embedded in the apps is malicious code used to defraud the victim or compromise the device. According to the FBI:

“The malicious apps enable theft of personally identifiable information (PII), financial account access, or device takeover.”

The agency says it’s aware of fraud schemes where the victims are contacted and directed to download mobile beta-testing apps, such as cryptocurrency exchanges, that steal money instead of investing it.

In an earlier warning the FBI focused on scammers that haunt forums and comments sections, looking for victims who have lost cryptocurrency to fraud, scams, and theft. The scammers claim to provide cryptocurrency tracing and promise to recover lost funds.

Glad I was able to recover my funds from these fake brokers. I would have had to file for bankruptcy, thanks to [redacted] I was able to get a hold of these scam brokers and take back my money. I would gladly refer anyone.

Example of an (intercepted) attempt to post a recovery advertisement in our blog comments

These recovery scheme fraudsters will charge an up-front fee and either cease communication after receiving the initial deposit, or they will produce an incomplete or inaccurate tracing report and claim they need additional fees to recover the funds.

The fraudsters will even go as far as to claim they are affiliated with law enforcement or legal services to appear legitimate. It is important to realize that private sector recovery companies cannot issue seizure orders to recover cryptocurrency.

Stay safe

Beta-testing can be fun and rewarding, but check that you are testing the app from a legitimate source and trusted developer. For example, Malwarebytes offers their beta downloads on their own forums.

Do not send payment to someone you have only spoken to online, even if you believe you have established a relationship with them. Scammers specialize in making you think that.

Do not provide personal or financial information in email or messages, and do not respond to email or message solicitations, including links.

Do not download or use suspicious-looking apps as a tool for investing unless you can verify the legitimacy of the app.

Shy away from advertisements for cryptocurrency recovery services. Research the advertised company and beware if the company uses vague language, has a minimal online presence, and makes promises regarding an ability to recover funds. Do not make things even worse.

Law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm.

As the FBI pointed out:

“Cryptocurrency exchanges only freeze accounts based on internal processes or in response to legal process.”


We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Ford says it’s safe to drive its cars with a WiFi vulnerability

Ford has released information about a buffer overflow vulnerability in its SYNC 3 infotainment system.

Ford learned from a supplier that a security researcher had discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. The company said it started an investigation and subsequently decided that the vulnerability does not affect vehicle driving safety.

Ford’s SYNC 3 system exists in Ford models from 2015 onward. Other than recent vehicles that have the newest version, most Ford vehicles have SYNC 3. If you have a Ford Owner account, you can go to the Vehicle Dashboard to see what version of SYNC your car has.

Lincoln drivers can check their version on the Lincoln Support site (you will need to enter your VIN).

The SYNC 3 vulnerability is CVE-2023-29468: a vulnerability in the TI WiLink WL18xx MCP driver. An attacker within wireless range of a potentially vulnerable device can gain the ability to overwrite memory of the host processor executing the MCP driver. Exploiting this vulnerability involves a malicious actor crafting a specific frame to trigger a buffer overflow, potentially leading to remote code execution (RCE).

A buffer overflow is a type of software vulnerability that occurs when a program writes more data into a fixed-size area of memory (a buffer) than that area can hold, so the excess spills over its boundary into an adjacent memory region. When the overwritten region holds data the program later trusts, an attacker who controls the input can alter the program’s behaviour.
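The pattern behind this class of bug, shown as an added example that is not Ford’s, TI’s or the WL18xx driver’s code and makes no claim about the specifics of CVE-2023-29468: a parser reads a length byte from a received frame and uses it to copy the element payload into a fixed 32-byte buffer. The element layout (one id byte, one length byte, then the payload), the struct and the function names are all constructed for illustration. The unsafe variant trusts the length byte; the hardened variant rejects any element whose claimed length exceeds either the destination buffer or the bytes actually received.

```c
/* Added example: a minimal information-element parser in the style of a
 * wireless driver. Layout and names are constructed for illustration and
 * are not taken from any real driver. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX 32   /* a Wi-Fi SSID is at most 32 bytes, so the buffer is fixed-size */

struct parsed_element {
    uint8_t ssid[SSID_MAX];   /* fixed-size destination buffer */
    size_t  ssid_len;         /* adjacent field: the first thing an overflow would clobber */
};

/* Vulnerable pattern: the length byte comes straight from the frame, i.e. from
 * whoever transmitted it, and is used without any bounds check.
 * Returns 0 on success, -1 if the frame is too short to hold a header. */
int parse_element_unsafe(const uint8_t *frame, size_t frame_len,
                         struct parsed_element *out)
{
    if (frame_len < 2)
        return -1;
    size_t len = frame[1];
    /* BUG: no check that len <= SSID_MAX (write past out->ssid) and no check
     * that the frame actually contains len payload bytes (read past frame). */
    memcpy(out->ssid, frame + 2, len);
    out->ssid_len = len;
    return 0;
}

/* Hardened pattern: every length derived from the input is validated against
 * both the destination buffer and the amount of data actually received.
 * Returns 0 on success, -1 if the element is malformed. */
int parse_element_safe(const uint8_t *frame, size_t frame_len,
                       struct parsed_element *out)
{
    if (frame_len < 2)
        return -1;                      /* no room for id + length header */
    size_t len = frame[1];
    if (len > SSID_MAX)
        return -1;                      /* would overflow out->ssid */
    if (len > frame_len - 2)
        return -1;                      /* element claims more bytes than were received */
    memcpy(out->ssid, frame + 2, len);
    out->ssid_len = len;
    return 0;
}

/* Stand-alone demonstration on constructed frames. The unsafe parser is only
 * ever fed the well-formed frame here; feeding it the oversized one would be
 * the overflow itself (undefined behaviour), which is exactly what the
 * hardened parser refuses. */
int main(void)
{
    struct parsed_element pe;

    /* Constructed well-formed element: id 0, length 4, payload "home". */
    const uint8_t good[] = { 0x00, 0x04, 'h', 'o', 'm', 'e' };
    /* Constructed oversized element: id 0, length 64, 64 payload bytes. */
    uint8_t oversized[2 + 64];
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 0x00;
    oversized[1] = 64;
    /* Constructed truncated element: claims 16 bytes but only 2 follow. */
    const uint8_t truncated[] = { 0x00, 0x10, 'a', 'b' };

    printf("unsafe, well-formed : %d\n", parse_element_unsafe(good, sizeof good, &pe));
    printf("safe,   well-formed : %d (ssid_len=%zu)\n",
           parse_element_safe(good, sizeof good, &pe), pe.ssid_len);
    printf("safe,   oversized   : %d (rejected)\n",
           parse_element_safe(oversized, sizeof oversized, &pe));
    printf("safe,   truncated   : %d (rejected)\n",
           parse_element_safe(truncated, sizeof truncated, &pe));
    return 0;
}
```

The two checks in the hardened parser are independent: the first stops a write past the fixed buffer, the second stops a read past the end of the received frame (a truncated element), and both are needed whenever a length field is taken from untrusted input.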

Ford’s assessment of the vulnerability is that it is highly unlikely to be exploited, since it requires a highly skilled attacker in close proximity to the target vehicle, and the vehicle needs to have the engine running and WiFi support enabled. Ford said it isn’t aware of any instances of exploitation.

And even if an attacker were to gain RCE on the SYNC 3 system using this vulnerability, the potential damage would be limited, since the system is isolated from critical control functions like steering, throttle, and braking.

Ford says that if drivers are worried, they can disable the WiFi support in the SYNC 3 infotainment system in the Settings menu, which will stop an attacker from being able to exploit the vulnerability.

Ford is still working on a patch, which is expected in the coming weeks and will be released together with instructions on how to install it manually using a USB flash drive.


We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.