Archive for author: makoadmin

Today I have great news to share: We’ve acquired AzireVPN, a privacy-focused VPN provider based in Sweden. 

I wanted to share with you our intentions behind this exciting step, and what this means for our existing users and the family of solutions they rely on to keep them private and secure. 

Malwarebytes has long been an advocate for user privacy (think Malwarebytes Privacy VPN and our free web extension Malwarebytes Browser Guard). Now, we’re leaning even more on our mission to reimagine consumer cybersecurity to protect devices and data, no matter where users are located, how they work and play, or the size of their wallet.  

With AzireVPN’s infrastructure and intellectual property, Malwarebytes is poised to develop more advanced VPN technologies and features, offering increased flexibility and enhanced security for our users. 

Why AzireVPN? 

AzireVPN is renowned for its robust security standards and privacy-first commitment. Here are two examples of what the company does to support that: 

• AzireVPN physically owns and controls all of its dedicated and diskless servers—a practice Malwarebytes is committed to continuing.  

• The company developed Blind Operator, a unique privacy feature implemented to completely disable both remote and local access to its servers. This creates a barrier against unauthorized modifications and traffic interception, making it virtually impossible for anyone to modify or tap the traffic on its servers and share any information about a user.  

What does this mean for existing Malwarebytes Privacy VPN customers? 

There are no changes for Malwarebytes Privacy VPN customers at this time. They will continue to enjoy our streamlined, integrated user experience, and our no-log service will never track, store, or share any user network data.  

What does this mean for existing AzireVPN customers? 

AzireVPN customers will also continue to enjoy the same privacy-focused VPN service – no logs, no data collection, no bandwidth limitations. There will continue to be no requirement to share any information to sign up for the service.   

An exciting future is ahead of us 

We’ll share more details on our future VPN offering in the coming months.  

I’m so excited about our future. This is yet another milestone for Malwarebytes, underscoring our commitment to privacy and a free and open internet.  

Thanks for putting your trust in us to protect you. 

Tech support scammers are targeting eBay customers in the U.S. via fraudulent Google ads. In a few separate searches, we were able to identify multiple Sponsored results that were created from at least four different advertiser accounts.

While most of those ads clearly looked fake, they appeared consistently and prominently enough to trick the inattentive user into a scam. Victims who clicked the ad were redirected to bogus websites prompting them to call for assistance, leading them straight into the scammer’s den.

We have reported the malicious ads to Google and are monitoring for similar campaigns targeting other brands.

Flurry of ads

A search for ‘ebay phone number‘ or ‘ebay customer service‘ from the U.S. using Google Chrome returned several ads that were entirely fraudulent. Upon closer inspection, we found that they were created from four separate advertiser accounts, some belonging to legitimate entities, some created from scratch.

The first ad shown in the screenshot above is the most deceiving of all since it uses eBay’s brand name, logo and website. While Google has strict rules about who may be allowed to do this (i.e. the owner, affiliates), scammers are able to still “comply” with the rule and yet be total crooks.

All they need to do is ensure the final URL (once you click the ad) is one the same domain or is a subdomain that matches the one shown in the ad. That’s the case here, as they are using developer.ebay.com. (part of eBay’s Developers Program Search) which can technically be claimed as belonging to ebay.com.

Yet, as you can see below, the destination URL is not what one would expect. It shows a search portal with a printed search result that has eBay’s customer service phone number (narrator: it is not).

This is a trick we’ve seen recently with various online platforms: you perform a calculated search query, even if you know no result will be found. What matters is that your search query will appear on screen, and will be used to fool people who see it. In the example above, the search query was for “eBay.Customer-Service +1 (866) 409[-]9281“.

The other ads redirect to fake websites or pages hosted on cloud providers such as BitBucket claiming to be eBay customer service. Once again, scammers make it clear and obvious that users should call the phone number displayed on screen.

Keeping scammers at bay

Calling any of those phone numbers is strongly discouraged, unless of course your favorite sport is scam baiting. The tried and tested “tech support scam” is one of the most costly type of crime for American consumers.

From call centres mostly located overseas, young people with a broken English accent will attempt to trick victims into giving them access to their computer or phone. The end goal is to steal as much money as they can, by requesting gift cards or by taking over people’s own bank accounts.

It is important to always double check before calling any phone number, especially if it came from an ad or an unsolicited email. In doubt, always visit the source, i.e. ebay.com to access support via live chat or get their official number.

If you weren’t already, you may want to consider using a browser extension such as Malwarebytes Browser Guard. Not only does it block ads, it also detects phishing sites of various kinds.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Indicators of Compromise

Fake pages

e-bays-24x7support-number[.]vercel[.]app
developer[.]ebay[.]com
e-bay24x7pluscaresupport[.]bitbucket[.]io
upbay[.]online
e-bay24x7customer[.]casterins[.]online
e-bay24x7-customers-services-assist[.]onrender[.]com

Fraudulent phone numbers

1[-]866[-]409[-]9281
1[-]833[-]714[-]3970
1[-]805[-]372[-]1369

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.

Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie” as the FBI calls it) on your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.

This is particularly relevant for email handlers that have an online—webmail—component. This includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that mention information that’s relevant to you only, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset your passwords to your other accounts and login as you there too.

How do these criminals get their hands on your session cookies? There are several ways.

On very rare occasions, session cookies can be stolen by you visiting a malicious website, or via a Machine-in-the-Middle (MitM) attack where a cybercriminal can intercept traffic and steal cookies if they’re not protected by HTTPS on an unsecured network.

However, session cookies are usually stolen by malware on the your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.  

How to keep your email account safe

There are a few things you can do to stay safe from the cookie thieves:

• Use security software on every device you use.
• Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
• Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
• Delete cookies, or—even better—log out when you are done. That should also remove or invalidate the session ID from the server, so nobody can use it to log in, even if they have the session cookie.
• Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
• For important accounts regularly check the log in history where you can see which devices logged in when and from where. You should be able to find this option in your account settings.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This week on the Lock and Code podcast…

The US presidential election is upon the American public, and with it come fears of “election interference.”

But “election interference” is a broad term. It can mean the now-regular and expected foreign disinformation campaigns that are launched to sow political discord or to erode trust in American democracy. It can include domestic campaigns to disenfranchise voters in battleground states. And it can include the upsetting and increasing threats made to election officials and volunteers across the country.

But there’s an even broader category of election interference that is of particular interest to this podcast, and that’s cybersecurity.

Elections in the United States rely on a dizzying number of technologies. There are the voting machines themselves, there are electronic pollbooks that check voters in, there are optical scanners that tabulate the votes that the American public actually make when filling in an oval bubble with pen, or connecting an arrow with a solid line. And none of that is to mention the infrastructure that campaigns rely on every day to get information out—across websites, through emails, in text messages, and more.

That interlocking complexity is only multiplied when you remember that each, individual state has its own way of complying with the Federal government’s rules and standards for running an election. As Cait Conley, Senior Advisor to the Director of the US Cybersecurity and Infrastructure Security Agency (CISA) explains in today’s episode:

“There’s a common saying in the election space: If you’ve seen one state’s election, you’ve seen one state’s election.”

How, then, are elections secured in the United States, and what threats does CISA defend against?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Conley about how CISA prepares and trains election officials and volunteers before the big day, whether or not an American’s vote can be “hacked,” and what the country is facing in the final days before an election, particularly from foreign adversaries that want to destabilize American trust.

 ”There’s a pretty good chance that you’re going to see Russia, Iran, or China try to claim that a distributed denial of service attack or a ransomware attack against a county is somehow going to impact the security or integrity of your vote. And it’s not true.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A ransomware attack against the City of Columbus, Ohio—which drew public scrutiny following the city government’s attempt to silence a researcher who told the public about the attack—has received a little more detail from an unexpected source: The Attorney General for the state of Maine.

In a data breach notification filed by the Attorney General for the state of Maine, the cybersecurity incident that affected Columbus, Ohio impacted half a million people.

The City of Columbus was attacked by a ransomware group on July 18, 2024. Due to the timing, it was at first unclear whether the disruption in the public facing services was caused by the CrowdStrike incident or if it was in fact an attack. The attack was later claimed by the Rhysida ransomware group on their leak site, where the group posts information about victims that are unwilling to pay.

On September 12, 2024, the city of Columbus issued a notice of breach that was sent to its clients. The notice reads:

“On July 18, 2024, the city discovered that it had experienced a cybersecurity incident in which a foreign cyber threat actor attempted to disrupt the City’s IT infrastructure, in a possible effort to deploy ransomware and solicit a ransom payment from the City.”

Until now, though, the public at large did not know how many people were affected by the attack. Because of the data breach notification from Maine’s Attorney General, that number now has a little more clarity.

During the incident, the cybercriminals may have gained access which included data in connection to the Columbus City Auditor.

The City Auditor’s Office examines City operations to identify an opportunity to reduce costs, increase efficiency, quality and effectiveness, or otherwise improve management of a city function, program, service or policy.

According to the official statement, the ransomware group was also able to view and access certain sensitive personal information, which may have included first and last name, date of birth, address, bank account information, City employee account number and position, City employment and payroll records, Social Security Number (SSN), and other identifying information.

Later, a security researcher disclosed information about the content of the stolen data with the media. From what the researcher shared it became clear that the data contained unencrypted personal information not only of city employees but also residents.

At which point the City of Columbus decided to sue the researcher for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. With half a million affected people, it like safe to say the attack did not just impact City employees.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. A Bing search query for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result. We have reported the fraudulent sites to Microsoft already.

While Microsoft’s Bing only has about 4% of the search engine market share, crooks are drawn to it as an alternative to Google. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one.

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication.

Bing search engine poisoning

We first noticed a phishing campaign coming from Bing’s search engine and targeting Keybank customers on November 29. A malicious link is displayed as the first result and pretends to be Keybank’s login page.

The domain name used is ixx-kexxx[.]com which was registered on November 15. Given that it is only two weeks old and yet came up before ibx.key.com (the real website), we surmise that the attackers are abusing Bing’s search algorithms.

Indexing and cloaking in one go

Upon clicking on the link, users are redirected to a friendly and helpful website before getting redirected again to the actual phishing page. However, we need to pause right here in order to see a couple of “blackhat” techniques.

That first page is only meant for crawlers and scanners (and users who aren’t of interest) which will both scrape the content and index it, as well as see that the page is clean. This technique is fairly common, and we actually see similar examples with ad fraud. The idea is about creating content that looks real, like a blog, but with malicious intent (monetization or other).

Actual victims do not get to see that page because they are immediately redirected to another website, this time completely malicious. The redirect happens server-side based on user attributes such as their browser profile, IP address and others.

That page uses the official branding and is a login portal for KeyBank. Once a victim types their user ID and password, criminals will receive the data immediately. Note that the phishing site is using https, which means strictly nothing here (the information will be encrypted while in transit but received in clear text by the recipient).

Bypassing multi factor authentication

In some phishing campaigns, criminals are notified in real time when a new victim attempts to login into their fraudulent page. One thing we noticed on the phishing page after the first screen, was a message claiming that the internet connection was poor. This is a disguise for what’s happening behind the scenes:

It’s often necessary for criminals to get past a few hurdles first. They need to login from the same location as the victim (their fake site gives them the IP address and they can use a proxy) and they may need to get through multi-factor authentication. Sometimes, the easiest thing to do is simply to ask for it.

Multi-factor authentication is still highly recommended, but users should be aware that criminals can directly ask for verification codes while pretending to be the real bank. We should also note that SMS verification is one of the weakest methods for two-factor authentication.

Security questions (usually 3 of them) are also used to either reset a password or for some other verification purpose (maybe a login from a new browser or location). This phishing kit also asks the victims to enter that information:

Conclusion

Phishing is one of the biggest threats consumers face every day. Malicious links can be sent to them via email, text message, social media or they may simply come across them via a search engine.

In this particular example, Bing was tricked into indexing a website that looked legitimate but turned out to be a gateway to a phishing portal. As the domain name was unknown to Microsoft at the time, it failed to protect users.

We highly recommend anyone to adopt more phishing-proof ways to login into important websites. Passkeys come to mind immediately since they do not involve passwords at all. In other words, if you don’t need to type a password… there’s no password to steal.

Unfortunately, not all websites offer the latest technologies to protect their customers. While it is important to add a second factor for authentication, you may want to upgrade to an Authenticator app, instead of the less trustworthy SMS verification. Perhaps the most important thing to remember is that criminals can also try to request those one-time codes from you and you should always be extremely vigilant before entering them in any online website (or replying to an unknown text).

Malwarebytes Browser Guard already protected users from this phishing campaign without having seen the malicious websites before. This is because of the built-in anti-phishing heuristic rules which intercept the connection and display a warning message:

If you suspect your banking information has already been stolen, try to take action as quickly as possible by contacting your financial institution(s) and resetting all your passwords (especially if you reused any of them for different websites).

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Indicators of Compromise

Cloaking domains

ixx-kexxx[.]com

Phishing domains

xxx-ii-news[.]net
xxx-ii-news[.]com
ixxx-blognew[.]com
xxx-ii-news[.]net
new-bllog-i[.]com
info-blog-news[.]com
xv-bloging-info[.]com
xxx-new-videos[.]com

Hosting server

200.107.207[.]232

Last week on Malwarebytes Labs:

• 1,000+ web shops infected by “Phish ‘n Ships” criminals who create fake product listings for in-demand products
• Android malware FakeCall intercepts your calls to the bank
• Patch now! New Chrome update for two critical vulnerabilities
• Update your iPhone, Mac, Watch: Apple issues patches for several vulnerabilities
• Europol warns about counterfeit goods and the criminals behind them

Last week on ThreatDown:

• Introducing streamlined case management and enhanced monthly reports

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Researchers at the Satori Threat Intelligence and Research team have published their findings about a group of cybercriminals that infect legitimate web shops to create and promote fake product listings.

The threat, dubbed “Phish ‘n Ships” by the researchers, reportedly infected more than 1,000 websites and built 121 fake web stores to trick consumers. Estimated losses are in the region of tens of millions of dollars over the past five years.

The group infected legitimate web shops with a malicious payload that would redirect visitors to web shops under their own control. While visiting such an affected web shop the visitor would be served fake product listings. When they clicked on the link for that item, hundreds of thousands of victims were redirected.

The fraudsters also made sure that their fake product listings contained metadata that put them near the top of search engine rankings for those items. SEO poisoning is a technique employed by cybercriminals to manipulate search engine results, making harmful websites or advertisements appear at the top of search results.

On the fake web shop, one of four targeted third-party payment processors collects credit card info and confirms a “purchase,” but the product never arrives.

The fraudsters used several established vulnerabilities to infect a wide variety of web shops.

For the users it’s not just the payment for an article they’ll never receive and the disappointment about not getting that sought-after article, but there is also the risk of providing cybercriminals with their payment card information.

The campaign has been disrupted for a large part due to the efforts of the researchers, but they warn that part of it is still active.

So, what can consumers do to stay safe?

Keep an eye on the website displayed in the address bar. Did the advertisement you clicked on take you to the expected web shop? And when the checkout process runs through a different web shop, this is another reason for alarm.

Be especially cautious when you are looking for hard-to-get items, because this is what the group specializes in.

If you are suspicious, it’s a good idea to try the input validation of the shipping information. The fraudsters do not care whether you fill out a real phone number or street address since they have no intention of shipping anything, so the validation process does not work. On a legitimate web shop this should work and warn visitors about invalid entries.

Malwarebytes’ web protection module and Browser Guard block the IP addresses in use by this group.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

An Android banking Trojan called FakeCall is capable of hijacking the phone calls you make to your bank. Instead of reaching your bank, your call will be redirected to the cybercriminals.

The Trojan accomplishes this by installing itself as the default call handler on the infected device. The default call handler app is responsible for managing incoming and outgoing calls, allowing users to answer or reject calls, as well as initiate calls.

As you can imagine handing these options to a malicious app comes with some serious risks.

Last time FakeCall reared its head, BleepingComputer reported that the malware was being distributed as fake banking apps that impersonate large financial institutions, as well as being distributed in phishing emails. When the receiver clicked a link in the email they’d download an Application Package (APK file) which acted as a dropper for the malicious app.

Likely without realizing, when the user gives the app permission to set it as the default call handler, the malware gains permission to intercept and manipulate both outgoing and incoming calls.

The FakeCall malware abuses this trust by hijacking the user’s call to a financial institution. To better understand how the attackers use this, you’ll need to know that FakeCall is a very versatile tool. It can also steal sensitive information from the infected devices which enables the cybercriminals to deploy targeted attacks against the owners of infected devices.

They will know which bank the target primarily uses and will send them offers that might be of interest to them, via in-app notifications or vishing (voice-phishing). The cybercriminals may, for example, offer a loan with a low interest rate and ask the target to call if they’re interested.

Regardless, whether the target uses the displayed phone number or tries to directly call the number of his bank, the call will get redirected to the criminals.

The FakeCall app is hard to detect since it uses several methods to evade detection, and it uses several names to mimic legitimate banking apps. This is where Malwarebytes for Android can help you, by identifying these apps and removing them.

Malwarebytes for Android detects FakeCall as Android/Trojan.Banker.Fakecall.

Google has released an update for its Chrome browser which includes patches for two critical vulnerabilities.

The update brings the Stable channel to versions 130.0.6723.91/.92 for Windows and Mac and 130.0.6723.91 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

This update is crucial as it addresses two major security vulnerabilities. Previous Chrome vulnerabilities reported by Apple turned out to be exploited by a commercial spyware vendor.

Technical details

One of the vulnerabilities was reported to Google by Apple Security Engineering and Architecture (SEAR), which reported the issue on October 23, 2024. This vulnerability, tracked as CVE-2024-10487, can be used by cybercriminals as a drive-by download. That means that a victim’s device could be compromised just by visiting a malicious website or advertisement.

The vulnerability was found in Dawn, an open source and cross-platform implementation of the WebGPU-standard. WebGPU is a JavaScript Application Programming Interface (API) provided by a web browser that enables webpage scripts to use a device’s graphics processing unit (GPU).

In this case, the discovered vulnerability could allow attackers to write data beyond the allocated memory, potentially leading to code execution or system crashes.

The other vulnerability, tracked as CVE-2024-10488, was reported by researcher Cassidy Kim. That vulnerability in Chrome’s WebRTC (Web Real-Time Communication) component could lead to the execution of arbitrary code or cause a crash. It could be used for potential data theft or system crashes.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.