Archive for March, 2020

Lock and Code S1Ep3: Dishing on data privacy with Adam Kujawa

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Adam Kujawa, a director of Malwarebytes Labs, about the state of data privacy today, including how users and businesses can protect sensitive information when there are few laws to help them out, and whether we could foresee the many problems with today’s rampant data sharing when we first built the Internet.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research:

Plus other cybersecurity news:

  • Housing association spills data: A “please update your details” missive has horrible data exposure consequences for a UK-based organization. (Source: The Register)
  • The age-old problem of password reuse: Shockingly, it’s a problem for Fortune 500 companies, too. (Source: Help Net Security)
  • Homework equals router mayhem: With many worldwide retreating to their home environment, it figures that hackers would follow them there. (Source: Cyberscoop)
  • Compromised news sites lead to malware: A variety of backdoor files are offered up by hijacked news portals. (Source: Bleeping Computer)
  • Netflix and phish: The increase in work-from-home employees is also giving rise to a bump in attacks on streaming services. (Source: RapidTV News)

Stay safe, everyone!

The post Lock and Code S1Ep3: Dishing on data privacy with Adam Kujawa appeared first on Malwarebytes Labs.

Posted in: NEWS


Coronavirus Bitcoin scam promises “millions” working from home

In the last week, we’ve seen multiple coronavirus scams pushed by bad actors, including RAT attacks via fake health advisories, bogus e-books working in tandem with Trojans, and lots of other phishing shenanigans. Now we have another one to add to the ever-growing list: dubious coronavirus Bitcoin missives landing in your inbox.

Reworking a classic spam tactic

This is a retooling of an older spam run involving British comedian Jim Davidson, the older form of which was seen bouncing around in November 2019. As they put it, “Jim Davidson bounced back from bankruptcy with Bitcoin.” Even before that, in the first half of 2019, he was being used alongside other well-known British celebrities such as Jamie Oliver and daytime TV presenters to promote a variety of misleading Bitcoin get-rich schemes. This is common for Bitcoin scams, and you can dip into any year you like and find a few of these floating around at any given time.

What do we have this time?

In short, these coronavirus Bitcoin scams are older attempts to have people part with their cash, hastily retooled to make hay with the current global pandemic. It’s incredibly lazy—the landing pages and follow-on websites seem to be untouched from whenever they first appeared. The only new ingredient is the email content mentioning coronavirus, but sadly, that’s often more than enough to have people part with their money.


It begins with a non-stop drip-feed of emails from many different addresses pumping out spam. In the mailbox we examined, that came to a total of 11 in six days. All of the email addresses are rather optimistically called “coronavirus positives”, letting you know that staying at home thanks to a global pandemic can actually make you rich beyond your wildest dreams.

Some of the subject lines read as follows:

Staying at home because of COVID-19!! Spend your time making thousands on Bitcoins.

The positive impact of staying home (Corona-virus), Make thousand a day trading Bitcoin.

Join 1000s of Brits making 1000s a day. Bitcoin is back – and this time you can make a million.

Without a larger sample to go from, we can’t say which subject line is the most popular overall, but the one mentioning “work from home” is at least the most popular in this particular mailbox and a few others we’ve seen.

Coronavirus Bitcoin email style

The emails are formatted in much the same way, emulating the British newspaper “red top” style—most specifically, The Sun.

Here’s the text from one of the samples we looked at:

Jim Davidson Reveals How He Bounced Back After The Bankruptcy – He claims anyone can do it & shows ‘Good Morning Britain’ How!

Appearing on ‘Good Morning Britain’ show, Jim Davidson, a man who has recovered from Bankruptcy thanks to an automated Bitcoin trading platform, called BTC Profit . The idea was simple: allow the average person the opportunity to cash in on the Bitcoin boom. Even if they have absolutely no investing or technology experience.

A user would simply make an initial deposit into the platform, usually of £200 (or $250, as the platform works with USD) or more, and the automated trading algorithm would go to work. Using a combination of data and machine learning, the algorithm would know the perfect time to buy Bitcoin low and sell high, maximising the user’s profit.

To demonstrate the power of the platform Jim had Kate Garraway deposited £200 on the live show.

Another sample emulates The Sun to a high degree, complete with an almost-but-not-quite name set in the same font as the well-known newspaper. In that mail, a student reveals how “he earns more than £40,000 every month working from home.” Some of the links now appear to be broken, and a few redirect to Google or random shopping sites, presumably if you visit from a region they’re not interested in.

Not all of the links are broken, however. A few will indeed lead you to the supposed Bitcoin promised land.

Getting rich quick?

What you’ll see on a live page is essentially a rehash of the information in the email, complete with a few more familiar faces from UK daytime television. At this point, the coronavirus hook has been entirely abandoned.

After a lot of urging the visitor to sign up to some sort of wonderful Bitcoin system, clicking the links will finally take them to the end game.

It’s a landing page promoting something called “Bitcoin Revolution.” This has been around for a while, usually in relation to dubious ads featuring the previously mentioned celebrities.

Access is given to a trading platform, a fair amount of money is deposited into it over time, an “investment manager” asks you to deposit their commission into a bank account so they can release your funds, and…oh dear. This is the part where people report the funds never arrive and now they’re massively out of pocket.

Profiting from chaos

Endlessly spamming these “get rich quick” emails to people in normal circumstances is bad enough, but jumping on the coronavirus bandwagon to claim people can make a fortune from working from home is dreadful. This is absolutely the worst time to end up losing a significant amount of savings—they may prove to be absolutely essential further down the line.

If you receive one of these mails and they’re not automatically placed into your spam folder, report, delete, and move on. We have a feeling you won’t be making your millions from this one.


Criminals hack Tupperware website with credit card skimmer

Update: Following our blog post, we continued to monitor the Tupperware website. As of 03/25 at 1:45 PM PT, we noticed that the malicious PNG file had been removed, followed later by the JavaScript that was present on the homepage.

On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered.

Threat actors compromised the official tupperware[.]com site—which averages close to 1 million monthly visits—as well as a few of its localized versions by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it on to the cybercriminals, with Tupperware shoppers none the wiser.

Digital credit card skimmers, also known as web skimmers, continue to be one of the top web threats we monitor at Malwarebytes. For the past several years, a number of criminals (usually tied to organized Magecart groups) have been actively compromising e-commerce platforms with the goal of stealing payment data from unaware shoppers.

In light of the COVID-19 outbreak, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers moving forward.

There was a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly and stay undetected for as long as possible. Below, we walk you through how we discovered the skimmer, and analyze the threat and its attack techniques.

Rogue iframe container

During one of our web crawls, we identified a suspicious-looking iframe loaded from deskofhelp[.]com when visiting the checkout page at tupperware[.]com. This iframe is responsible for displaying the payment form fields presented to online shoppers.

There are a few red flags with this domain name:

  • It was created on March 9, and as we see with many fraudulent websites, newly registered domains are often used by threat actors prior to a new campaign.
  • It is registered to elbadtoy@yandex[.]ru, an email address with Russian provider Yandex. This seems at odds with a payment form on a US-branded website.
  • It is hosted on a server at 5.2.78[.]19 alongside a number of phishing domains.

Interestingly, if you were to inspect the checkout page’s HTML source code, you would not see this malicious iframe. That’s because it is loaded dynamically in the Document Object Model (DOM) only.

One way to reveal this iframe is to right click anywhere within the payment form and choose “View frame source” (in Google Chrome). It will open up a new tab showing the content loaded by deskofhelp[.]com.

There is one small flaw in the integration of the credit card skimmer: the attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English, whereas the legitimate form is in Spanish.

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive for a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we also contacted Visa, which owns CyberSource, to report this abuse.

You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure out how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image is a malformed PNG file that is quite suspicious.

Looking at this file in a hex editor, we can see the different sections of the image. The IEND chunk should mark the end of the file, yet after some blank space there is a large blob of JavaScript, several parts of which have been encoded.
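As an added illustration of that check (not code from the original post or from Malwarebytes), the following Python script walks a PNG’s chunk list, verifies each chunk’s CRC, and flags any non-whitespace bytes that follow the IEND chunk. The sample images are constructed inline, including a stand-in for the appended script text.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Substrings common in JavaScript that have no business inside an image.
# Heuristic only: they label trailing bytes, they do not decide maliciousness.
SCRIPT_MARKERS = (b"function", b"document.", b"eval(", b"fromCharCode",
                  b"createElement", b"<script", b"window.")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 of type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean sample (not a real site asset)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for the appended payload: blank padding, then script text
# that mirrors the behaviour described in the post (hiding an element by its id).
TAMPERED_PNG = (build_minimal_png() + b"    \n\n"
                + b"function(){var e=document.getElementById('pay');"
                + b"e.style.display='none';}")


def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report CRC errors, truncation and bytes after IEND."""
    report = {"chunks": [], "bad_crc": [], "truncated": False,
              "trailing_bytes": 0, "script_markers": [], "suspicious": False}
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file (bad signature)")
    pos, saw_iend = 8, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):  # chunk claims more bytes than the file has
            break
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        name = ctype.decode("ascii", "replace")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(name)
        report["chunks"].append((name, length))
        pos = body_end + 4
        if ctype == b"IEND":
            saw_iend = True
            break
    report["truncated"] = not saw_iend
    # The sample in the post padded the payload with blank space, so whitespace
    # alone after IEND is not counted; anything else is.
    payload = data[pos:].strip() if saw_iend else b""
    report["trailing_bytes"] = len(payload)
    report["script_markers"] = [m.decode() for m in SCRIPT_MARKERS if m in payload]
    report["suspicious"] = bool(payload or report["bad_crc"] or report["truncated"])
    return report


if __name__ == "__main__":
    for label, blob in (("clean", build_minimal_png()), ("tampered", TAMPERED_PNG)):
        r = scan_png(blob)
        print(f"{label}: suspicious={r['suspicious']} trailing={r['trailing_bytes']} "
              f"markers={r['script_markers']}")
```

Run it against real assets by reading each file's bytes and passing them to scan_png; a non-zero trailing_bytes count on an image served from your own site is worth a closer look even when no script marker matches.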

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe on the checkout page.

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and applying a display:none style to it.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see, for instance, how the URL loading the PNG file is built with string concatenation.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this Wayback Machine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png
es.tupperware[.]com/media/wysiwyg/faq_icon.png

tupperware[.]ca/media/wysiwyg/faq_icon.png
fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com
5.2.78[.]19


Consumerization: a better way to answer cybersecurity challenges

A version of this article originally appeared in Forbes on February 12, 2020.

Consumerization: The specific impact that consumer-originated technologies can have on enterprises. 

Gartner

More and more, enterprises are coming to understand that they need to adopt the agile processes and product strategies of startups in order to compete in today’s markets. But there is a parallel problem in enterprise security that is not being addressed. Simply tweaking your internal processes won’t solve this problem: A different approach is needed.

We read the stories every day. The number and severity of cyberattacks keep growing. More and more businesses are being breached more and more often—and it’s happening in schools, hospitals and clinics, and major cities, too.

For example, in December 2019, the city of New Orleans told employees to “power down computers, unplug devices, and disconnect from Wi-Fi” after a cyberattack struck its computers. Although 911 emergency services were not affected, the police department had to shut down its entire IT network.

Increasingly, we see governments, organizations, and enterprises struggling to keep up with cyberattacks. And, disturbingly, they are increasingly failing to stop them.

The fact is, agile processes and improved efficiency won’t solve the growing security problem. Nor will throwing more personnel at it. That’s what organizations are attempting now, and it’s not working. Businesses are falling behind the attackers. Something has to change.

What is needed is a new way of thinking about security.

When you get millions of alerts, and you respond by looking for more trained technicians to troubleshoot the alerts, you’re pursuing a faulty strategy. For one, you won’t find the talent. For another, the strategy doesn’t scale. As you add security tools and staff, you multiply the complexity of your security operation. What you need is to reduce the complexity.

It’s helpful to step back and ask, “What would a desirable, effective security solution look like?” I suggest that it should be as intuitive as using an iPhone app.

“Hold on,” you say. “The IT market is not like the consumer market. There are different problems to solve, unique expectations to meet, and technical skillsets required to operate.” And that’s all true. But that’s just a description of the challenges inherent with the old model of security thinking.

Consider the security and privacy challenges in the consumer space. Consumer products have to be easy to use, or they won’t sell—particularly for a problem that is mostly invisible to the consumer (until it bites them). Security tools need to be easy enough for consumers to use, yet powerful enough to give them ownership of their privacy and security. That’s hard to achieve, but consumer software development is all about empowering users without overwhelming them with complexity.

And that has to be the goal in the enterprise as well. It should be just as easy for a company to protect itself and have a strong cybersecurity posture as it is for a consumer to use an app. Organizations should strive for top protection using fewer staff members who require specialized training. That should be the target of enterprise security solutions.

We call this goal the democratization, or consumerization, of cybersecurity. It’s the right goal in today’s market. It’s also quite difficult. To write robust cybersecurity products that provide organizations with comprehensive coverage and are as simple to use as consumer technology is so difficult that no one has been up to the task.

It’s easy to generate a new security tool that handles lots and lots of alerts. But making it prioritize threats so that you only address real dangers, while simplifying the user interface so that it doesn’t require extensive training—that’s the hard part. And that’s what we’re talking about when we refer to the consumerization of IT security.

It reminds me of the famous saying by French mathematician Blaise Pascal, which is often attributed to Mark Twain: “I would have written a shorter letter, but I did not have the time.” Simple is hard.

But it can be done. We know what consumer-grade tools look like. And we know what cybersecurity challenges businesses face. The task before us as an industry is to fit these two puzzle pieces together. It will require greater attention to user interface design and highly-automated threat detection. It will call for combining technical excellence with human intuition. But it can be done.

The consumerization of IT security—consumer-grade ease of use, plus enterprise security expertise—can meet the cybersecurity challenges of today.


Windows 7 is EOL: What next?

End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. Many companies, including Microsoft, announce the EOL dates for their products far in advance.

Every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade, or make other changes to your software.

Windows 7 EOL

For those who were unaware, Windows 7 reached EOL on January 14, 2020. When a Windows Operating System (OS) hits the end of its lifecycle, it no longer receives updates from Microsoft.

That means Microsoft no longer supports users of Windows 7, and Windows 7 will no longer receive updates, although Microsoft has been known to make exceptions for urgent vulnerabilities. And while organizations may be able to extend support by paying for it, home users are advised to move on to more modern operating systems.

Or as Microsoft puts it:

“Now is the time to shift to Windows 10. Get robust security features, enhanced performance, and flexible management to keep your employees productive and secure.”

And of course, they have a point. If cybercriminals discover a vulnerability in Windows 7, there is no guarantee that this vulnerability will be patched by Microsoft. And while there is still a large Windows 7 user base, it pays for cybercriminals to weaponize such a vulnerability and use it to their advantage. Keep in mind that most of the exploit kits active in the wild focus on older vulnerabilities, which will not be patched if you are using EOL software.

Is Windows 10 more secure?

While the call to move on to Windows 10 by Microsoft makes it sound mighty safe, what exactly are these security features that Windows 10 has over Windows 7? We know it’ll be supported by Microsoft, and therefore any known vulnerabilities will be patched. Its other security features are as follows:

  • Windows 10 includes Windows Defender by default, which provides a baseline level of antivirus protection.
  • SmartScreen is a reputation system that tries to block harmful and unknown file downloads.
  • Windows 10 includes Microsoft Edge instead of Internet Explorer, the browser most often targeted by exploits.

On the downside, you might argue that Windows 10 has a lot of new features that tend to come with new problems and risks. However, Windows 10 has been around for a while now, so the worst problems should have been tackled.

However, we want to stress: Moving on to a new operating system, while safer than sticking with a legacy system, is no substitute for a strong security solution. Even Windows 10 machines need anti-malware protection.

According to a spokesperson from our malware removal staff, the correlation between browser use and malware is actually higher than the one between OS version and malware. Meaning: The browser you use has a much bigger impact on the likelihood of being infected than the OS that you use. So even if you switch over to Windows 10 but keep using Google Chrome, you can still be easily infected. Now that Windows 10 has switched over to Edge, many cybercriminals are focusing on exploits for Google Chrome, one of the most popular browsers today.

Other operating systems

To avoid potential infection—or because they’re looking for a change—some Windows users might consider moving to entirely different operating systems, such as Mac or Linux. But layering up built-in protection with security software is important, even if you decide to switch.

For example, the long-standing myth that Macs are safer than Windows systems has been proven wrong. As you can read in our 2020 State of Malware Report, Mac threats increased exponentially in comparison to those against Windows PCs in 2019, with nearly double the threats per Mac endpoint than Windows. And while Macs don’t get viruses, Mac adware is more sophisticated and dangerous than traditional Mac malware.

In some cases, people may consider switching to a Chromebook, which is certainly a cheaper option if it offers enough capabilities to replace your current Windows desktop or laptop. But even Chromebooks can—and do—get infected.

We don’t expect a lot of users to switch to a more hardcore Linux OS, since they might expect a huge learning curve (another misconception) or their favorite software is not available (unfortunately, not a myth). However, even if they do, Linux OSes are not free from malware. They’re simply attacked less often because cybercriminals understand their user base isn’t as large (and therefore, their payday isn’t as big).

Windows 7 user base

Currently over 23 percent of Windows users worldwide are still on Windows 7, and only 69 percent have already switched to Windows 10. The rest are using the less popular Windows 8 or versions of Windows that have gone EOL long before Windows 7.

Oddly enough, the percentage of Windows 7 users has hardly decreased after reaching the EOL date in January (from roughly 24 percent to 23 percent). With this huge amount of potentially unpatched systems still active in the market, any exploitable vulnerability will result in a widespread disaster.

Would WannaCry have had such an enormous impact if Windows XP and Windows Server 2003 had been abandoned before it spread? We will never know. What we do know is that Windows 8 and 10 did not need to be patched for the vulnerability that was used to spread WannaCry. They were not contributing to the choir of systems trying to infect their neighbors. Emergency patches were released for several older Windows versions, including Windows 7. At the time, Windows 7 was still supported.

We got you

It is not our habit to promote our own products in our blogs, but we wanted to let you know that whichever OS (and browser) you choose next, we have your back. As a demonstration, here is a list of the available Malwarebytes consumer versions created to protect our users:

  • Malwarebytes for Windows
  • Malwarebytes for Mac
  • Malwarebytes for Chromebook
  • Malwarebytes for Android
  • Malwarebytes for iOS
  • Malwarebytes Browser Guard (for Firefox and Chrome)

Download links, pricing, and more information, such as a list of our business offerings and customer reviews, can be found on our pricing page.

Stay safe, everyone!
