Archive for author: makoadmin

Steam users: Don’t fall for the “I accidentally reported you” scam

Suppose that, out of the blue, a Steam user tells you they’ve accidentally reported you for something you didn’t do, like making an illegal purchase, and that your Steam account is going to be suspended.

They ask you to message a Steam admin, whose profile they kindly provide, to help you sort out this dilemma.

What do you do?


There are some scams on Steam which have stood the test of time. Their tactics and targets have remained generally consistent for years. Phishing campaigns aimed at harvesting as many user credentials as possible, for example, are a dime a dozen. And let’s not forget the many ways a fraudster can dupe Counter-Strike: Global Offensive (CS:GO) players.

Like Steam phishing campaigns, this particular Steam scam—referred to loosely as the “I accidentally reported you” or “I accidentally reported your account” scam—has been coming and going since initial reports of it emerged in late 2018. To date, it has no other target apart from Steam users. And, based on its latest iteration, it targets Steam users who also have a Discord account.

For those who aren’t aware of this scam and its variants, below is a breakdown of how the scam works. On the other hand, if you’re quite acquainted with it, dear Reader, then feel free to skip to the next section.

The Steam scam playthrough

The hello

The fraudsters behind the “I accidentally reported you” scam usually approach their targets under the pretext that they need something, or they have something to say. Anything to suggest that it’s something important and that they should be heard out.

They may already be a Steam “friend”, from a couple of days or years ago, someone in the same Steam group as you, or a user who wants you to add them to your friends list.

These scammers are straightforward but polite, usually greeting you first before asking if you’re busy so as not to intrude. They are even convincingly apologetic. (Image via Reddit user /u/Moritz_M05.)

I’m so sorry but I accidentally reported your account to the steam admin for scamming me and duping items instead of someone who impersonated your profile and that impersonator is a scammer who scammed me 🙁

There is no word-for-word script that scammers stick to, but the gist is this: someone posing as you scammed them, but they reported you instead of the impostor.

Note that other variants of this scam will claim that they have reported you for “doing illegal purchases”—another reason to cause a degree of alarm but flawed, nonetheless.

The help

(Via /u/Moritz_M05)

I’m worried about your account now bro because the steam admin already ban his account

(Via /u/Moritz_M05)

if my report on your account gets process you will get ban too just like the scammers account 🙁

At this point, the scammer drives home the point that your account will get banned next, unless something is done. The scammer then insinuates that help is on the way: a “Steam admin” who will cancel the report and remove the target’s account from the ban pile. First, however, the target has to confirm that the report against them was a mistake.

ok so here is the profile of the steam admin if he accept just file a ticket to him that you are not involved in the report

The sharing of a legitimate profile—or what appears to be legitimate—that is connected to Steam or its developer, Valve, is one of the tactics scammers employ to make their claims look more truthful.

If you raise the possibility that this Steam admin might not accept your friend request, the scammer suggests that you contact them via Discord.

(Via /u/Moritz_M05)

can you add him on discord? so that if he cannot notice your req on steam maybe he will notice it on discord.

anyway I need to show you something

Oh no, what now?

this is a reply about my report on your account

The scammer shows a purported response from “Jill”, the Steam admin of this case, containing explicit instructions to contact the party who was mistakenly blocked and have them contact her as well through Discord. She even left her Discord user name. (Via /u/Moritz_M05)

It’s another reinforcement tactic, to erase any doubts you may still have. Frankly, it’s overkill at this point.

The hogwash

Convinced of what you must do and who you need to contact, you get in touch with the Steam admin. Of course, this admin is fake and likely either the scammer or an accomplice.

Note that the tone of the conversation changes here. The scammer’s concerned and helpful front is gone once you start chatting with the fake admin:

Hello there, Please state the reason why did you add me?

After you briefly explain the situation, the fake admin asks for a screenshot of the chat that transpired between you and the scammer.

I received the report according to our coordinator’s review about illegal activity for Illegal Purchased but you don’t have to worry here if you’re not really involved in the said issue. I will remove the banned report issue in your account. All you need to do is to prove that your account is in good condition and it was a false accusation so that Valve Report Assistance Team will cancel the Banned report charge on your account

The proof they ask for is a screenshot of your purchase history. They will also ask you to log out of your Steam account on your computer and/or mobile so they can “start the scanning of your account status”. Of course, there is no scan. The fake admin asks this as a lead-in to asking for more information—for starters, the email address tied to your Steam account.

An email address is what Steam uses to help a user who is locked out of their account and has forgotten their account name or password.

The fake admin asks you to get the verification code sent by Steam to your email address. If you happen to have Steam Guard enabled, the fake admin will ask for the code as well.

Never give anybody your Steam Guard password.

In some cases, the fake admin will ask you to send them the reported duplicate item to check if it was, indeed, a duplicate via the Steam trading function. This is framed as “borrowing” the item, but you won’t be getting it back.

If you comply with the fake Steam admin you can lose your accounts, your game items, and even money.

Targets who question any of the tasks the fake admin asks them to do are met with the pressure to respond quickly because they’re “running out of time”, they are presented with a fake certificate, or they are threatened with having their accounts deleted.

Fake Steam admin not giving you any choice but to comply, or else. (Via /u/GatoTristeY)
I know, right? (Image taken from a hijacked Steam profile)
“Shall I proceed your account to deletion?” (Via /u/freshfred69)

Although several Steam users will not reach this part of the scam, many aren’t so lucky. Some, despite knowing that something is off, aren’t 100 percent sure if they’re dealing with a scammer or not.

True social engineers, or just desperate?

What we believed to be the first variant of this scam in 2018 was simple and solely focused on misusing the Steam trading function. This scam is now highly evolved and, one can say, has branched out into other nefarious acts, such as hijacking accounts, rare item theft, and other ways scammers can milk victims of their (or their parents’) hard-earned money.

Like most scams, the “I accidentally reported you” scam relies heavily on social engineering tactics that aim at gaps in a Steam user’s familiarity with how things work within the platform’s ecosystem.

Scammers want to appear believable, so it’s no surprise they use already hijacked accounts that have a good standing on Steam when reaching out to targets. The same can be said about Discord accounts under their control.

Scammers refurbish accounts to make it look like a Valve employee by customizing its URL and providing more background info. If this doesn’t scream “I’m a Valve employee!”, then I don’t know what does. (Via /u/CoffeeMapachi)

The scammers behind this scheme also come prepared. Not only do they have the materials—screenshots and a guide script—they need to counter frequent questions raised about their credibility, they are also not afraid to play on Steam users’ fears, even at the risk of losing the credibility they already built up with their target.

Familiarize and exercise

Steam has always put the onus of not getting scammed onto the shoulders of its users. If you did get scammed, Steam Support will assist to the best of their abilities, including getting your hijacked account back. But beyond this, like retrieving a stolen rare item, refunding money if your account has been used to purchase Steam gift cards (for example), they likely won’t be able to help.

That said, it’s crucial for Steam users to realize that they may have blind spots and may not be as well acquainted with some aspects of the platform as they think. Filling in these blind spots can help you spot scams.

Know that:

  • There is no such thing as a “Steam admin”, a false report, or a “Certificate of Eligibility”.
  • There are Valve employees with Steam profiles. And they proudly display a legitimate badge to prove this. They are top-tier moderators (mods) who have full administrator privilege in Steam.
  • Real Valve employees belong to two invite-only groups, which are Valve and Steam.
  • There are Steam Community Moderators. Like Valve employees, current and retired moderators have their own badges, too. Community moderators can ban users, among other things.
  • Real Steam Community Moderators, both active and inactive, belong to the invite-only group, STEAM Community Moderators (SUFMods).
  • There is a page where you can look up all Steam Community Moderators.
  • Scammers link back to legitimate profiles of Valve employees or Steam moderators to hook targets into reaching out through Discord. These Discord accounts are not manned by Valve employees but by scammers.
  • There is no such thing as an illegal item, so there is no need for anyone to review an item.
  • If an item does need inspection, Valve employees would not require you to hand them over. They will just look it up in their database.
  • Duplicate items (or dupes) exist, but they are not illegal. Duplication was done years ago by Steam Support to restore scammed or stolen items for hijacked victims. Steam Support doesn’t do this anymore.
  • If you have handed over an item to someone claiming to be a “Steam admin”, consider it gone forever. The current policy is that Steam Support does not restore items that have left an account, including scammed ones.
  • If there is a problem with your account, or you have an impending ban, Steam will let you know either via email, a Support ticket, or account alerts. Here is an example [link to account-alert-sample] (taken from Steam on Reddit).
  • A Steam moderator will never contact you via chat or a third-party app like Discord for any reason.
  • A Steam moderator will never mediate between you and another user.

Secure your Steam account by using a strong password, taking full advantage of Steam Guard—Steam’s two-factor authentication method—and being aware of the latest scams that are targeting you as a Steam user. Keep the above points in mind, and stay safe!

The post Steam users: Don’t fall for the “I accidentally reported you” scam appeared first on Malwarebytes Labs.

Why you need to trust your VPN: Lock and Code S02E05

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we speak to Malwarebytes senior security researcher JP Taggart about the importance of trusting your VPN.

You’ve likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising.

But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead.

Tune in to hear about what your VPN can see, why it is important for that information to be secured, and how you can safely transfer your trust to a VPN, on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news:

  • Hades ransomware has been linked to the Evil Corp cybercrime gang, which uses it to evade sanctions. (Source: BleepingComputer)
  • Researchers discover two dozen Chrome extensions that are being used to serve up unwanted ads, steal data, and divert users to malicious sites. (Source: DarkReading)
  • An advisory for two high-severity flaws has been issued by the OpenSSL project. (Source: SecureBlink)
  • A $50m ransomware demand made against PC manufacturer Acer by the REvil/Sodinokibi cybercrime syndicate sets a new record. (Source: ComputerWeekly)

Stay safe!

The post Why you need to trust your VPN: Lock and Code S02E05 appeared first on Malwarebytes Labs.

Don’t post it! Six social media safety sins to say goodbye to

If you or anyone you know is committing the below social media sins, it’s time to change that habit of an online lifetime. Even the most innocuous of things can cause trouble down the line, because everyone’s threat model is different. Unfortunately, people tend to realise what their threat model is when it’s already too late.

With this handy list, you’ll hopefully avoid the most common mistakes which are served up to social media with a dash of eternal regret.

Don’t post: credit card information

Yes, people do this. Someone is issued a new credit card. Perhaps it’s their first and they’re really excited. They want to tell the world…and they do it by posting up un-redacted shots of the front and back of the card. If they’re really unlucky, they’ve left bits and pieces of personal information on the same profile or elsewhere. I’m not sure why, but these posts often stay online long after hundreds of people have replied with “Delete this!”

It’s a mystery we may never get to the bottom of.

Don’t post: medical information

This is quite a timely one. Various forms of medical data are very popular on social media right now, especially due to the pandemic. Got a nice health and wellbeing story? Off it goes into Twitter or Facebook. This can bring problems, however. Back in 2017 we looked at the trend of posting X-Rays to social media. Even where people thought they’d redacted everything, some details still slipped through the net.

Wind forward to 2021, and we have people posting vaccination selfies. Those are fine. However, close ups of the sheets / slips detailing patient info in relation to their vaccine are not. There’s plenty of folks posting these images up from all over the world, which is to be expected. We beg you to ask yourself if you really need to post it and, if you do, please redact most if not all the information on these cards. You really don’t need it online.

Don’t post: visas and passport photos

Many immigration advice firms post to social media whenever they manage to obtain visas for their clients. That’s great! Well done. What’s not so great? Posting images of the client’s passport to social media, usually along with the visa, or other entry document.

Occasionally they’ll redact some of the data…but not all of the time. And even when name / address / D.O.B. is obscured, other elements are left visible. That could be their biometric residence permit number, or something else specific to their identity in their new country of residence. Given these are Government issued documents, it’s best not to post any of it online at all. There are often steep fees for replacement documents, and I’m not sure if it’s any better if they need replacing due to negligence as opposed to loss.

Let’s say “It’s probably worse” and resolve to never do it again.

If you’re a customer of organisations helping arrange visas and you know they have social media accounts? Feel free to keep an eye on their feeds, especially if you see they already do this. You’ll probably find yourself posted online at some point, and even with redactions applied this feels like a very uncomfortable practice.

Don’t post: personal information in customer service chats

Interacting with customer service reps on Twitter is something people do 24/7. It’s often one of the fastest ways to resolve an issue, but trouble beckons when people post the inner workings of their problem. Something wrong with an order? Missing screws for your DIY table? Milk expired 3 weeks ago?

Okay, but you don’t need to post everything to go with it. Order numbers tied to public accounts, screenshots of your order summary complete with home address listed, telephone numbers, we’ve seen them all down the years.

Is your delivery driver disputing that someone was in when they rang the doorbell? It happens, but you don’t need to post up a shot of the GPS indicator from their website showing exactly where you live.

All of this information is usable to some degree by people up to no good. It could be phishing, it could be doxxing, it might be stalking. Bottom line: start from a position of total redaction and only show what you absolutely need to.

If you’re taking the conversation to direct messages? Don’t post anything sensitive in there either, and that includes things like passwords.

Don’t post: vacations in real-time

Given it’s an age since anyone likely went on holiday, it’s worth dusting off one more golden oldie. If and when we’re all able to go on vacation, remember to control your travel experience ruthlessly.

We strongly suggest you post about your trip after you get back home. It may be appealing to get everything online as it takes place, but “I’m hundreds of miles away from my empty home” seems a bit dangerous to us.

This is especially the case if any of your profiles make use of geolocation, or you happily tag your home address in any geolocation service. You may as well hire someone to fly a plane over your house with a big banner that says “We’re empty for 14 days, come on in”. This isn’t a very catchy marketing slogan, but people up for a bit of burglary will love it.

Don’t post: the TMI selfie

This probably isn’t what you’re expecting it to be. However.

Something we regularly see on social media is the TMI selfie. This is an entirely boring and normal photo, with one major exception lurking. That pic of your nice new sofa in the front room? There’s a letter on the shelf with your bank statement on it. The Instagram-worthy snap of your meal? You can see a reflection of confidential work information on your laptop in the mirror. Finally received that delivery you’ve been waiting on and Tweeted it out? You left the label with your address on the box.

We let our guard down in places we trust. This often proves disastrous for people who prefer to remain a little bit anonymous on social media. The TMI selfie is usually brought to light by helpful followers of whoever happens to post it. Interestingly, unlike the credit card snaps, these usually get deleted swiftly. That’s definitely a good thing.

Keeping it safe on social

These are the social media sins which frequently have a negative impact on people’s lives when they least expect it. By avoiding them, you’re encouraging solid security and safety practices in all aspects of your life both offline and on. If you can think of others, we’d love for you to add some of your own in the comments.

The post Don’t post it! Six social media safety sins to say goodbye to appeared first on Malwarebytes Labs.

Slack hurries to fix direct message flaw that allowed harassment

The enormous work messaging platform Slack quickly reversed course yesterday, promising to revise a brand-new direct message feature that could have been misused for harassment.

Added to the company’s “Slack Connect” product—which lets enterprise users share messages with contract workers and third-party partners outside their company—the new “direct message” feature allowed paying Slack users to message anyone outside of their company or organization, so long as they had another person’s email address. The messages came attached to an invite, but as many tech news outlets and concerned online users noted, there was no way for recipients to block the invites, or to block the content of the messages that came attached to the invites.

As Twitter product employee Menotti Minutillo said on Twitter, the implementation of Slack Connect DMs meant that malicious users could send repeated DM invites with harassing language, and that Slack would also email the DM’s recipient with the invite, including the harassing language. DM recipients would also have trouble blocking those emails as they came from a generic email address, too, Minutillo said.

Further, according to TechCrunch, the Slack Connect DM feature is opt-in at the organizational level, meaning that individual employees could not, alone, override their company’s decision, should it choose to enable the feature.

Less than 24 hours after Slack Connect DM’s full release, Slack realigned. According to Slack Vice President of Communications and Policy Jonathan Prince, the company will disable the capability to customize messages that are attached to Slack Connect DM invites.

Prince’s full statement is as follows:

 “After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”

Slack’s quick work to fix the problem is appreciated, but it is curious that the company did not catch the problem before the full rollout. The company has already faced complaints about the limited features in the free version of its platform, which allows users to visibly show harassing language without even having to actually write and send messages. This is because Slack automatically sends notifications when new users join a thread, so if those new users stylize their username to be an insult, then the users in that thread will receive a notification that includes that language.

Further, the problem of harassment on messaging platforms is far from new. On the Lock and Code podcast, when we spoke with Electronic Frontier Foundation’s Director of Cybersecurity Eva Galperin, Galperin warned about this very issue.

“Primarily, the onus for making safe platforms, is on the makers of the platforms,” Galperin said. “And so, if there are people who are listening to this podcast, who are developing software or who are developing platforms or services for commercial use, I encourage them to think about how their tool will be used for harassment.”

Galperin provided specific guidance for any platform with messaging capabilities. She said that those platforms should make it possible for users to not use their real names, and for users to block other users or to mute certain keywords. This setup, Galperin said, is beneficial for both the user and the company.

“If you give the power to the users, then they can decide what is harassment and what is abuse, and it really takes the onus off the platform to be judge, jury, and executioner for every communication that somebody has online.”

Unfortunately, Slack users could not block users—and in fact the company has pushed back against such a feature for years—or mute keywords, and users would have trouble filtering out emails from Slack’s generic email addresses that included the DM invites and the accompanying messages.

These may sound like high-level discussions that are difficult to forecast, but there is actually a far simpler way to look at the problem. To borrow the words of Twitter user @geekgalgroks, a developer and accessibility advocate:

“Seriously with every new messaging system and feature ask yourself if people can send unsolicited dick pics and if those receiving them can block the sender.

Because it will happen.”

The post Slack hurries to fix direct message flaw that allowed harassment appeared first on Malwarebytes Labs.

Perkiler malware turns to SMB brute force to spread

Researchers at Guardicore have identified a new infection vector being used by the Perkiler malware where internet-facing Windows machines are breached through SMB password brute force.

Perkiler is a complex Windows malware with rootkit components that is dropped by the Purple Fox exploit kit (EK) and was spread by phishing campaigns.

What is SMB?

Server Message Block (SMB), aka Common Internet File System (CIFS), is the network protocol that enables file exchanges between Microsoft Windows computers. You will find it wherever Windows computers are sharing printers and files, and sometimes it is used for remote control. By default, SMB is configured to use ports 139 and 445.

SMB vulnerability history

SMB has a history of being used by malware (coupled with a history of being enabled by mistake and exposed to the Internet by accident). The most famous example of SMB-exploiting malware is WannaCry. This worm-like outbreak spread via an operation that hunted down vulnerable public-facing SMB ports and then used the EternalBlue exploit to get on the network, chained with the DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry ransomware.

What are brute force attacks?

A brute-force password attack is a relentless attempt to guess the username and password of one or more systems. As it sounds, a brute-force attack relies on force rather than cunning or skill: it is the digital equivalent of throwing everything and the kitchen sink at something. Some attacks will try endless combinations of usernames and passwords until they find a combination that works; others will try a small number of usernames and passwords on as many systems as possible.

Brute force attacks are usually automated, so they don’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system-specific property, an attacker picks the target and the method and then sets their brute force application in motion. They can then move on to the next target and wait to get notified when one of the systems has swallowed the hook.

Not a new infection method

The fact that the researchers found the Perkiler malware attacking Windows machines through SMB password brute force came as something of a surprise. Not because of the SMB brute force per se. SMB has always been brute forced, but why would you bother when you have:

  • EternalBlue that allows you to own every single unpatched SMB server without going through the brute force routine.
  • A few million RDP ports you can brute force with a potentially bigger gain. Remote desktop is exactly what the name implies, an option to remotely control a computer system. Which is much more interesting to an attacker than just being able to drop a file on an SMB server.

The answer to this question remains a mystery for now. Maybe they are planning ahead for when the number of vulnerable RDP servers dries up.

Using compromised machines

Perkiler uses a large network of compromised servers to host its dropper and payloads. Most of these are Windows servers running Microsoft IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels.

The rootkit

Once a machine is infected with the new variant of Perkiler, it reboots to load the rootkit that’s hidden inside the encrypted payload. The purpose of this rootkit is to hide various registry keys and values, files, etc. Ironically enough, the hidden rootkit was developed by a security researcher to conduct various malware analysis tasks and to keep the research tasks hidden from the malware.

Infected machines

Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.
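The propagation described above leaves a recognisable trail on the victim: a burst of failed network logons (Windows Security event 4625, logon type 3) from one source against many account names, sometimes followed by a success (event 4624) once a password is guessed, and anonymous logons where a null session was accepted. The script below is an added example of detection logic over such events; it is not Guardicore’s or Malwarebytes’ tooling, and the comma-separated line format, the sample addresses and the thresholds are all constructed assumptions to tune for a real environment.

```python
"""Spot SMB brute-force and null-session attempts in Windows Security log lines.

Added example (not Guardicore's or Malwarebytes' tooling). The log format is a
constructed comma-separated rendering of the fields an analyst would export
from event IDs 4625 (failed logon) and 4624 (successful logon):
timestamp, event id, logon type, account, source address, status.
Logon type 3 is the network logon that SMB authentication produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers many accounts over SMB and finally
# succeeds, one ordinary user mistypes a password once, and one source
# establishes an anonymous (null) session.
SAMPLE_LOG = """\
2021-03-25T10:00:01,4625,3,Administrator,203.0.113.7,0xC000006D
2021-03-25T10:00:02,4625,3,admin,203.0.113.7,0xC000006D
2021-03-25T10:00:02,4625,3,backup,203.0.113.7,0xC000006D
2021-03-25T10:00:03,4625,3,guest,203.0.113.7,0xC000006D
2021-03-25T10:00:03,4625,3,test,203.0.113.7,0xC000006D
2021-03-25T10:00:04,4625,3,sql,203.0.113.7,0xC000006D
2021-03-25T10:00:05,4624,3,Administrator,203.0.113.7,0x0
2021-03-25T10:05:00,4625,3,alice,192.0.2.10,0xC000006D
2021-03-25T10:05:10,4624,3,alice,192.0.2.10,0x0
2021-03-25T10:07:00,4624,3,ANONYMOUS LOGON,198.51.100.22,0x0
"""


def parse_log(text):
    """Parse the constructed format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src, status = [f.strip() for f in line.split(",")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
            "status": status,
        })
    return events


def detect_bruteforce(events, window=timedelta(minutes=5),
                      fail_threshold=5, account_threshold=3):
    """Flag sources with many failed network logons against many accounts.

    Thresholds are assumptions to tune per environment: a source is flagged
    when, inside any `window`, it produced at least `fail_threshold` type-3
    failures spread over at least `account_threshold` distinct accounts.
    Returns {source: {"failures", "accounts", "first", "last"}}.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):          # sliding window over sorted failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e["account"] for e in win}
            if (len(win) >= fail_threshold and len(accounts) >= account_threshold
                    and (best is None or len(win) > best["failures"])):
                best = {"failures": len(win), "accounts": sorted(accounts),
                        "first": win[0]["ts"], "last": win[-1]["ts"]}
        if best:
            findings[src] = best
    return findings


def successes_after_bruteforce(events, findings):
    """A successful type-3 logon from a flagged source after its failures is the
    signal that a guessed credential worked; returns [(source, account)]."""
    return [(ev["src"], ev["account"]) for ev in events
            if ev["event_id"] == 4624 and ev["logon_type"] == 3
            and ev["src"] in findings and ev["ts"] >= findings[ev["src"]]["last"]]


def null_sessions(events):
    """Anonymous network logons, which is what an accepted SMB null session
    looks like in the Security log; returns [(source, timestamp)]."""
    return [(ev["src"], ev["ts"]) for ev in events
            if ev["event_id"] == 4624 and ev["logon_type"] == 3
            and ev["account"].upper() == "ANONYMOUS LOGON"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_bruteforce(evs)
    for src, info in found.items():
        print(f"brute force from {src}: {info['failures']} failures, accounts {info['accounts']}")
    print("credential guessed:", successes_after_bruteforce(evs, found))
    print("null sessions:", null_sessions(evs))
```

The success-after-failures check is the one worth alerting on loudest: a spray that never succeeds is noise to be blocked at the perimeter, but a success from the same source means a credential is now in the attacker’s hands and the host should be treated as compromised. Anonymous network logons are worth a separate, lower-severity rule, since some legacy services legitimately produce them.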

Mitigation

In theory, brute force password attacks conducted over the Internet can be defeated by even moderately strong passwords (six characters should be enough). However, even the threat of big-game ransomware using RDP brute force attacks hasn’t been enough to get people using stronger passwords. And if the prospect of facing a $50 million ransom isn’t enough motivation, it’s hard to see anything else working.

Luckily there are other, easier ways to blunt brute force attacks. The best defence of all is to remove the SMB (or RDP, or anything else) service from the Internet entirely, if possible, or to put it behind a VPN protected by two-factor authentication if it isn’t possible.

The post Perkiler malware turns to SMB brute force to spread appeared first on Malwarebytes Labs.

Software renewal scammers unmasked

We’ve been tracking a fraudulent scheme involving renewal notifications for several months now. It came to our attention because the Malwarebytes brand as well as other popular names were being used to send fake invoices via email.

The concept is simple but effective. You receive an invoice for a product you may or may not have used in the past, for an unusually high amount. Feeling upset or annoyed, you call the phone number provided to dispute the charge and ask for your money back.

That was your first mistake. The second is letting strangers access your computer remotely for them to uninstall the product in order to avoid the charge. Before you know it your computer is locked and displaying random popups.

In this blog, we follow the trail from victim to scammer and identify one group running this shady business practice.

Fake renewal notifications

We’ve received a number of similar reports from people who have been scammed or simply wanted to alert us. It starts from an email using branding from a number of security companies, although in this blog we will focus on those that impersonate Malwarebytes.

The email includes an invoice renewal for the product, stating that it has already been processed via credit card. The amount is usually in the $300 to $500 range, which is a lot more than what we normally charge.


The scammers are hoping victims will call them to dispute the automatic renewal. In the heat of the moment, most people would not think to check their bank or credit card statement instead.

This scheme is essentially a lead generation mechanism, just like what we see with fake browser alerts (browlocks). It just happens to use a different delivery vector (email) and is perhaps just as, if not more effective.

Remote access and sales pitch

Victims are instructed to visit a website to give the ‘technician’ access to their computer. The reason given is that the service needs to be uninstalled first before a refund can be granted.

In this instance, the scammers asked us to visit zfix[.]tech, a website linking to a number of remote access programs. They asked us to download TeamViewer and share the ID and password so they could connect.


They also quietly downloaded and installed another program (SupRemo) to maintain unattended access. This means that even if you shut down TeamViewer, the scammers can still connect to your computer whenever they feel like it.


The next part of the scheme is interesting because it shows how the fraudsters are able to extort money from their victims. Since the renewal email is fake they have to find a way to trick you into paying them even if you refuse to.


The scammers take to their favorite tool, Notepad, to start typing away about the risks of not renewing the service. They particularly insist that the computer may stop working if they proceed.

Locking up the machine

Scammers have been known to lock victims’ machines on numerous occasions. They typically use the SysKey Windows utility to set a password that only they know.

In this case, they used a different technique. Working behind the scenes, they downloaded a VBS script onto the machine which they placed into the Startup folder.


The Startup folder is a loading point that is easy to abuse, because anything placed there runs automatically when Windows starts. Unsurprisingly, before parting ways, the scammers asked us to restart the machine to complete the uninstallation process.


After a restart, we see an alert dialog about the Windows license being out of date. This message keeps on showing despite clicking the OK button and also starts to open a number of browser windows to mimic some kind of malware infection.


At this point, you might be tempted to call the number for help but this would end in paying hundreds of dollars to fraudsters. There is a way to restore your computer safely which we cover in the next section.

Disabling the locking script

The first thing to do is disconnect your machine from the Internet. If it’s connected to the modem with a cable, unplug it; otherwise simply turn off the modem or your WiFi access point.

Then proceed to disable the script:

  • Ctrl+Alt+Delete
  • Select Task Manager
  • Select Microsoft Windows Based Script Host
  • Click ‘End task’

Then delete the script:

  • Click ‘More details’ (if needed) in Task Manager
  • Choose ‘Run new task’
  • Type explorer in the box

Your Desktop will be visible again, allowing you to browse to:

C:\Users\[your username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

From there, delete the WIN LICENSE.vbs file.
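As an added example (not part of the Malwarebytes post), the same check and cleanup as a PowerShell script: it lists script files in both Startup folders, such as the WIN LICENSE.vbs file above, and with -Remediate it stops the Windows Script Host and moves the files to a quarantine folder. The quarantine path and the extension list are assumptions.

```powershell
# Added example, not from the Malwarebytes post: audit both Startup folders for
# script files like the "WIN LICENSE.vbs" lock script described above, and
# optionally stop the script host and quarantine the files.
param(
    [switch]$Remediate,
    [string]$QuarantineDir = "$env:USERPROFILE\Quarantine"  # assumption: any writable folder
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Assumed list of script types worth flagging in a Startup folder.
$scriptExtensions = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.bat', '.cmd', '.ps1', '.hta')

$findings = foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force |
        Where-Object { $scriptExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [PSCustomObject]@{
                Path     = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not $findings) {
    Write-Host "No script files found in Startup folders."
    return
}

# Report what was found, including a hash so the file can be looked up or submitted.
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Stop the Windows Script Host processes that keep re-spawning the dialog
    # (this is the "Microsoft Windows Based Script Host" entry in Task Manager).
    Get-Process -Name wscript, cscript -ErrorAction SilentlyContinue | Stop-Process -Force

    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    foreach ($f in $findings) {
        # Move rather than delete so the file is preserved for analysis.
        $dest = Join-Path $QuarantineDir ((Split-Path $f.Path -Leaf) + '.quarantined')
        Move-Item -Path $f.Path -Destination $dest -Force
        Write-Host "Quarantined $($f.Path) -> $dest"
    }
}
```

Run it once without -Remediate to review the list, then again with -Remediate from an elevated prompt if the all-users Startup folder is involved.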

Identifying the scammers

We don’t always get many details from scammers that could help us to identify who they are, but sometimes, with luck, skill and tools like HYAS Insight, we can shed light on adversary infrastructure. Here the scammers left a few trails with the VBS script, but more importantly with the first website we visited to download remote access software.

We were able to identify the registrant behind the zfix[.]tech domain as being Aman Deep Singh Sethi using the aman.techsquadonline@gmail[.]com email address. Pivoting on the associated phone number [+9]19810996265 we uncovered a larger piece of their scamming infrastructure as well as an associate named Swinder Singh.

Both individuals are registered as directors of a company in New Delhi called Lucro Soft pvt located at 14/28, F/F SUBHASH NAGAR NEW DELHI West Delhi DL 110027.


Although this company was incorporated in 2018, the scammers have been active since at least 2015 and used several different domain names and identities. We are blocking this infrastructure and reporting it for takedown as well. If you would like more information about this group, please get in touch with us.


An active scheme

This particular scheme has been very active for the past few months and it is difficult to estimate how many people fell victim to it.

Tech support scams have been around for many years and continue to be a huge problem, in part because of a lack of enforcement on the ground in the places where they are known to operate.

However, there is also a strong community out there that is pursuing scammers and giving back to victims. The likes of Jim Browning, who made headlines for hacking into the CCTV of a call centre, are doing tireless work. For this investigation, we used a Virtual Machine made by @NeeP that mimics a normal user desktop.

If you are a Malwarebytes customer and have any questions about your renewal, please visit our official page here.

Indicators of Compromise


The post Software renewal scammers unmasked appeared first on Malwarebytes Labs.

The human impact of a Royal Mail phishing scam

Last week, we looked at a Royal Mail themed scam which has very quickly become the weapon of choice for phishers. It’s pretty much everywhere at this point. Even one of my relatives with a semi-mystical ability to never experience a scam ever, received a fake SMS at the weekend.

The problem with common attacks is we grow complacent, or assume it isn’t really a big deal. Sadly, they’re always going to be a problem for someone. It doesn’t matter how tech-savvy you are, nothing is bulletproof. Anybody, including myself, can be caught out by a momentary lapse in concentration.

People who lose out to internet fakery often feel guilty, or assume that they messed up somehow. Nobody wants to be laughed at via internet shenanigans. I’d like to think most folks are sympathetic when people are brave enough to speak out.

“Surely people don’t fall for these things” is a well worn refrain. Sadly they do, and one such person spelt out the awful cost last Sunday. They had indeed received a bogus Royal Mail text, and entered their payment details into the phishing page. How bad could things get?

We’re about to find out.

Things have gotten: very bad

The victim was asked for a bogus £2.99 postage fee last Friday, having not seen the scam warnings circulating online. Below is an example of the scam that Malwarebytes Labs received:

The text of the Royal Mail scam

Royal Mail: Your package Has A £2.99 shipping Fee, to pay this now please visit www[dot]royalmail-shippingupdate[dot]com. Your package will be returned if fee is unpaid

In our last post about it, we pointed out that these scams work because with so much online ordering going on during this cardboard-laden pandemic, people aren’t 100% sure what’s due to arrive. And that means speculative messages about fake parcels have a good chance of success.

A similar thing happened here. If the target wasn’t due a birthday, the scam may not have worked on them. But the message will have gone to lots of people, and one of them, perhaps many, will have been expecting a delivery. As it was, they were expecting “a couple of packages” and so “thought nothing else of it”.

This is absolutely the key moment where the battle was already lost.

The scam asks recipients to pay a £2.99 GBP fee, but of course the scammers are after much more. To pay the fee, the victim has to enter their personal details, and credit card details.

Scammers get to work

The victim’s bank accounts were compromised very quickly, and the phishers wasted no time at all in going for gold. A day or so after they paid the bogus fee, the bank contacted the victim to let them know what had gone wrong. As it turns out, quite a lot:

  • Multiple direct debits (recurring billing) for mobile phone companies and technology stores
  • Transactions of £300 for the Argos store
  • Debit cards for banking cancelled, with new ones issued as replacements
  • Brand new sort code / account numbers for her bank account, as those had been given to the phishers too

This is really bad news for the victim, and a massive inconvenience. Don’t forget the pandemic impact here, either. At a time when the ideal option is cashless / card payments only, this person now has no cards and no easy way to withdraw money either.

If this had been where it ended, that would be bad enough. However, things were sadly about to get worse.

Phished by phone

The bank phoned the victim asking them to transfer their money into their “replacement” account. I’m sure you can already see where this is going wrong. No bank is going to cold call a scam victim, and also ask them to start transferring money. Why can’t the bank do it?

The answer, unfortunately, is that the bank can do it. This cold caller was a scammer armed with details gathered from the scam page a day or so prior. The follow up strike gave the individual, who was already reeling from rapidly losing lots of money, no time to regain some balance or get their game face on. If this call had come a week or so after the initial phish, the next few paragraphs would possibly look quite different.

From bad to worse

Good news: the victim asked the person on the call to verify their bank credentials. Bad news: they forgot the phisher already had access to everything in their account. As a result, they listed account balances and other information to keep everything nice and convincing.

Two smaller transactions were sent to the “new” account, at which point the victim realised they were being scammed all over again. Every penny they had to their name was gone.

Having the wool pulled over your eyes once is bad enough. To then hand over cash to the scammers by telephone is the icing on a very bitter cake. So-called safe account scams are quite the pain, and this is what caught them out the second time around.

A simple phish, a massive problem

There is no real happy ending to this tale currently, outside some reassurance the victim will probably get most or all of their money back. Consider that this person’s nightmare scenario began with a simple, believable, SMS message claiming a package was being held.

A few keystrokes, some brief personal information entered on a phishing site with Royal Mail branding, and they’ve been plunged into a situation which could take weeks or more to resolve. All that stress, in the middle of the never-ending pandemic. It’s an awful story, and a chilling insight into how much is at stake every single time a throwaway phish lands in your mailbox or SMS tray.

We wish Emmeline all the best in recovering her money and commend her for her courage in coming forward and showing the true cost of these scams.

The post The human impact of a Royal Mail phishing scam appeared first on Malwarebytes Labs.

When contractors attack: two years in jail for vengeful IT admin

An IT contractor working for an IT consultancy company took it upon himself to perform an act of revenge against the firm he worked at, after they complained about his performance. The charge he faced was breaking into the network of a company in Carlsbad, California. And it got him two years in prison.

What happened?

Deepanshu Kher was helping a client to transition to a Microsoft Office 365 environment. But apparently the client company was so displeased with Kher’s performance that they complained about it to the consultancy company that despatched him. As a consequence, Kher got laid off and went back to India.

Some two months later, once he was outside of the US, Kher infiltrated the California firm’s servers and deleted over 80% of the employees’ Microsoft Office 365 accounts.

The aftermath

As employees were suddenly unable to access emails, contacts, calendars, stored documents, as well as Microsoft’s Virtual Teams remote management platform, they were unable to do their jobs. It took the company two days to get back in full swing. But all kinds of IT-related issues persisted for three more months after the cyberattack.

The arrest

The company informed the FBI about the incident and it wasn’t all that hard to figure out who the culprit was. Unaware of the outstanding warrant for his arrest, Kher was arrested while flying from India to the US. US District Court Judge Marilyn Huff charged Kher with intentional damage to a protected computer, a crime which can lead to up to 10 years in prison and a $250,000 fine.

Insider threat

The CERT Definition of an insider threat is:

 “Insider Threat – the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

Kher did have credentialed access to the network and the Office 365 environment as part of his job, and he certainly acted in a way that negatively affected the company. So we see this as an insider threat, even though he was no longer working for the victim.

Controlling insider incidents

While cybersecurity education and awareness are initiatives that every organization must invest in, there are times when these are simply not enough. Such initiatives may decrease the likelihood of accidental insider incidents, but not for negligence-based incidents, professional insiders, or other sophisticated attack campaigns. Organizations must implement controls and use software to minimize insider threat incidents.

The controls

Controls keep an organization’s system, network, and assets safe. They also minimize the risk of insider threats. Below are some controls organizations may want to consider adopting:

  • Block harmful activity. This includes preventing access to particular websites, or stopping employees from downloading and installing certain programs.
  • “Allow list” applications so that everything is blocked until and unless it is specifically allowed. This includes the file types of email attachments employees can open.
  • Use the principle of least privilege and give employee accounts the access they need, and nothing more.
  • Apply the same principle to data access, so data is only available to people whose job requires it—organizations should focus on this, too, when it comes to their telework or remote workers.
  • Put flags on old credentials. Former employees may attempt to use the credentials they used when they were still employed.
  • Create an employee termination process.

The last two points in particular could have helped prevent this incident. Both the consultancy company and the victim could have addressed this, or taken steps when they realised that Kher was unhappy about being laid off. But often when two entities are supposed to do something, each expects the other to do it, with the end result that neither does.
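As an added example, not code from the post, here is one way to implement the “flag old credentials” control in PowerShell: an offboarding register is compared against a sign-in log export, and any attempt by a revoked account after its revocation date is reported, with a successful sign-in rated highest because it means the account was never actually disabled or its sessions never revoked. The CSV columns, addresses and timestamps are constructed sample data.

```powershell
# Added example, not from the Malwarebytes post: flag sign-in attempts by
# accounts belonging to offboarded staff or contractors.

# Constructed offboarding register: who left, and when their access was revoked.
$offboarded = @'
UserPrincipalName,RevokedOn
contractor.one@example.com,2021-01-15
former.admin@example.com,2021-02-01
'@ | ConvertFrom-Csv

# Constructed sign-in export; column names are assumed, not a specific vendor's format.
$signIns = @'
Timestamp,UserPrincipalName,SourceIp,Status,AppDisplayName
2021-03-01T09:12:00Z,alice@example.com,203.0.113.10,Success,Office 365 Exchange Online
2021-03-03T22:41:00Z,former.admin@example.com,198.51.100.7,Success,Office 365 Exchange Online
2021-03-04T02:15:00Z,contractor.one@example.com,198.51.100.7,Failure,Azure Portal
2021-01-10T10:00:00Z,contractor.one@example.com,203.0.113.10,Success,Office 365 SharePoint Online
'@ | ConvertFrom-Csv

function ConvertTo-UtcDateTime([string]$Text) {
    # Parse timestamps as UTC; values without an explicit offset are assumed to be UTC.
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    return [datetime]::Parse($Text, $inv, $styles)
}

function Find-RevokedAccountSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [object[]] $Offboarded
    )
    # Index the register by UPN for quick lookups.
    $revokedOn = @{}
    foreach ($o in $Offboarded) {
        $revokedOn[$o.UserPrincipalName.ToLower()] = ConvertTo-UtcDateTime $o.RevokedOn
    }

    foreach ($s in $SignIns) {
        $upn = $s.UserPrincipalName.ToLower()
        if (-not $revokedOn.ContainsKey($upn)) { continue }
        $when = ConvertTo-UtcDateTime $s.Timestamp
        if ($when -lt $revokedOn[$upn]) { continue }   # activity before revocation is expected

        # A successful sign-in after revocation means offboarding was incomplete
        # (account still enabled, or tokens and sessions never revoked).
        $severity = if ($s.Status -eq 'Success') { 'HIGH' } else { 'MEDIUM' }
        [PSCustomObject]@{
            Severity  = $severity
            Timestamp = $when.ToString('u')
            User      = $s.UserPrincipalName
            SourceIp  = $s.SourceIp
            Status    = $s.Status
            App       = $s.AppDisplayName
            RevokedOn = $revokedOn[$upn].ToString('yyyy-MM-dd')
        }
    }
}

$alerts = Find-RevokedAccountSignIns -SignIns $signIns -Offboarded $offboarded
$alerts | Sort-Object Severity, Timestamp | Format-Table -AutoSize
```

The January sign-in by contractor.one predates the revocation date and is deliberately not reported; the two March events are.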

Worst case scenario

This was not a worst-case scenario. The contractor had access to one specific, albeit vital, part of the organization. I’m sure you can imagine someone in your organization that can do a lot more harm than that if they wanted to. Remember that when your roads part in the future. If they no longer work for you, they should not have access to your network.

Stay safe, everyone!

The post When contractors attack: two years in jail for vengeful IT admin appeared first on Malwarebytes Labs.

Report goes “behind enemy lines” to reveal SilverFish cyber-espionage group

The PRODAFT Threat Intelligence Team has published a report (pdf) that gives an unusually clear look at the size and structure of organized cybercrime.

It uncovered a global cybercrime campaign that uses modern management methods, sophisticated tools—including its own malware testing sandbox—and has strong ties with the SolarWinds attack, the EvilCorp group, and some other well-known malware campaigns.

SilverFish uncovered

The research team managed to do a full investigation of one of the SilverFish group’s Command and Control (C2) servers, after detecting an online domain (databasegalore[.]com) from previously published Indicators of Compromise (IOCs).

It was possible for researchers to create a unique fingerprint of one of the online servers by using multiple metrics, such as installed software. After 12 hours of global scans of the IPv4 range, they identified more than 200 other hosts with a very similar setup.

According to the report this “enabled the PTI Team to access the management infrastructure” of the group and learn significant information about how the group worked, who it had attacked, and how.

Sophisticated organization

What the researchers found was a highly sophisticated group of cybercriminals targeting large corporations and public institutions worldwide, with a focus on the EU and the US. They named this organization the SilverFish group.

By linking together the C2 servers they found, and comparing them to known IOCs, the researchers were able to connect the SilverFish group to the infamous SolarWinds attacks.

A large subset of the servers the researchers identified were also used by the infamous EvilCorp group, which modified the TrickBot infrastructure for the purpose of a large-scale cyber espionage campaign.

Links to SolarWinds

The report describes a “significant overlap” between the 4,700 victims identified during the investigation and organizations affected by the SolarWinds attacks. A significant part of the large infrastructure was found to have strong connections with the SolarWinds IOCs shared by three different security companies. The conclusion being that these servers most likely took part in the SolarWinds campaign.

Links to Trickbot

By looking at the group’s tactics, techniques, and procedures (TTPs), together with the technical complexity of the SilverFish group’s attacks, PRODAFT found that the C2 server, command statistics, infection dates, targeted sectors and countries, tools used during the attacks, executed commands, and other details were very similar to those used by TrickBot.

So, is this group related to TrickBot? Not likely, but the research shows that the SilverFish group is using a similar version of the TrickBot infrastructure and codebase. It also found evidence of WastedLocker malware and other TTPs that matched both EvilCorp and SolarWinds.

Links to EvilCorp

EvilCorp is the name of a vast, international cybercrime network. The alleged leaders of this network are very high on the FBI’s wanted list. In 2019, US authorities filed charges against EvilCorp’s alleged leaders, Maksim Yakubets and Igor Turashev, accusing them of using malware to steal millions of dollars from groups, including schools and religious organizations, in over 40 countries. EvilCorp is held responsible for the development and distribution of the Dridex and WastedLocker malware.

Malwarebytes’ Threat Intel Team commented:

Prodaft also mentions ties with the WastedLocker ransomware thought to be operated by EvilCorp, likely from the Traffic Distribution System analysis. One of the hostnames in particular is related to the SocGholish social engineering toolkit and is used to fingerprint victims before distribution of the final payload.

Management

According to PRODAFT, the main dashboard of the SilverFish C2 control panel features a section named “Active Teams”. SilverFish uses a team-based workflow model and a triage system similar to modern project management applications. Each user can write comments about each victim. Based on these (mainly Russian) comments, the researchers gained a better understanding of the motivation of the group and the prioritization of the victims—operations were prioritized based on these comments.

A hierarchy was also found to be present in the comments on the C2 server, enabling management of different targets, assignment of these targets to different groups and triage of incoming victims.

Targets

The main areas of focus for the SilverFish group appear to be the US and Europe, with each region serviced by different teams. They also seem to primarily target critical infrastructure. Successfully compromised victims were found in nearly all critical infrastructures (as defined in the NIST Cyber Security Framework).

The SilverFish group predominantly targets critical entities like energy, defense, and government or Fortune 500 enterprises. Second, the researchers found comments in the C2 servers that indicate ignoring victims like universities, small companies, and other systems which they consider worthless.

Approximately half of the victims were found to be corporations which have a market value of more than $100 million USD, as per their public financial statements.

WordPress

In contrast to traditional attacks that use a domain name purchased with anonymous payment methods, SilverFish is using hacked domains for redirecting traffic to their C2 control panel.

To avoid disrupting the legitimate traffic of the hacked website, the SilverFish group creates new subdomains, which makes it almost impossible for a website owner to notice that their domain is being exploited in an attack. The frequency with which they change domains implies that the SilverFish group has more than 1,000 already compromised websites, which are rotated almost every other day.

A significant number of these compromised websites were using WordPress. The report notes that while it is possible to buy login credentials from underground markets, “the amount of compromised websites with the same software shows us that the SilverFish group might also be leveraging 0-day or N-day exploits.” WordPress is, by far, the world’s most commonly used web Content Management System, and out-of-date installations and vulnerable plugins provide no shortage of targets.

Post-exploitation

Perhaps unsurprisingly, the SilverFish group was found to make extensive use of publicly available “red teaming” tools such as Empire, Cobalt Strike and Mimikatz, as well as Powershell, BAT, CSPROJ, JavaScript and HTA files used for enumeration and data exfiltration.

Executed Cobalt Strike beacons use domain fronting for communicating to the C2 server. Domain fronting obscures the eventual destination of HTTP traffic by relaying it from the server listed in the publicly-readable SNI portion of a request, to a different server listed in the private (encrypted) Host header.

The main goals of the SilverFish group are likely to be covert reconnaissance and data exfiltration. According to PRODAFT, the commands and scripts the SilverFish group use “strongly indicates sophistication and an advanced post-exploitation skillset”.

Remote sandboxing

The most astounding find the researchers uncovered was that the SilverFish group has designed an unprecedented malware detection sandbox, formed by actual enterprise victims, which enables the adversaries to test their malicious payloads on live systems with different enterprise AV and EDR solutions (enterprise systems can be hard for criminals to acquire).

Malwarebytes Threat Intel Team commented:

Machines are profiled and used as a testing ground, a sort of live antivirus testing platform featuring many different EDR products.

The SilverFish attackers were using this system to periodically test their malicious payloads, scripts, and implants on more than 6,000 victim devices. According to the report, the SilverFish group members appear to be tracking the detection rate of their payloads in real time.

Level of sophistication

PRODAFT says “we believe this case to be an important cornerstone in terms of understanding capabilities of organized threat actors”, and it is hard to disagree.

Although ransomware groups can be well organised, they are mostly engaged in noisy smash-and-grab raids. The SilverFish group is something different. According to PRODAFT it is an “organization that operates in an organized and disciplined manner in a hierarchical environment, one that is even highly compartmentalized,” that takes a “structured approach to covert cyber-espionage.”

Attribution

The Prodaft researchers refrain from attribution, but there are some strong pointers which can be found in their extensive report.

  • Russian comments and use of Russian slang words on the C2 servers.
  • Indications that the group is sparing countries that were part of the former USSR and still have strong ties with Russia.
  • The group is active during European work hours, with most of its activity recorded between 08:00 and 20:00 (UTC).
  • The attention to critical infrastructure, and major companies in the US and Europe.

Attribution is hard and sometimes the conclusion you come to is the one the threat-actors want you to reach. But if it walks like a duck and quacks like a duck….

The post Report goes “behind enemy lines” to reveal SilverFish cyber-espionage group appeared first on Malwarebytes Labs.

How to enable Facebook’s hardware key authentication for iOS and Android

Since 2017 desktop users have had the opportunity to use physical security keys to log in to their Facebook accounts. Now iOS and Android users have the same option too. Physical security keys are a more secure option for two-factor authentication (2FA) than SMS (which is vulnerable to SIM swap attacks and phishing), and apps that generate codes or push notifications (which are also vulnerable to phishing).

Two-factor authentication (2FA)

2FA is the least complex version of multi-factor authentication (MFA) and was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of using a username and password. By definition, 2FA depends on two different methods of identifying a user.

Authentication factors are commonly divided into three groups:

  • Something you know, such as a password.
  • Something you have, such as a code sent by SMS, or a hardware key.
  • Something you are, such as your face or fingerprints.

Different 2FA schemes typically rely on users providing a password and one of the other factors. If you are an Android or iOS user, Facebook will now let you authenticate yourself with a password (something you know) and a hardware security key (something you have).

Hardware security keys

Hardware keys, also known as physical security keys, connect to your device via USB-A, USB-C, Lightning, NFC, or Bluetooth, and are portable enough to be carried on a keychain.

Most of them use an open authentication standard, called FIDO U2F. U2F enables internet users to securely access any number of online services with one single security key, with no drivers or client software needed. 

FIDO2 is the latest generation of the U2F protocol and it allows devices other than hardware keys, such as fingerprint sensors or laptops and phones with face recognition, to act as hardware keys.

How do security keys work?

You can use a hardware security key for as many accounts as you like. Once the key has been set up to work with a service, logging in is as simple as inserting the security key into your device (or wirelessly connecting it) and pressing a button on the key itself.

Behind the scenes, the security key is presented with a challenge by your web browser or app. It then cryptographically signs the challenge, verifying your identity.

Setting up Facebook for physical security keys

To add a physical security key as a 2FA factor for Facebook, open Facebook on your device and open the menu.

In the Menu click on Settings under Settings and Privacy.


You will see the Account Settings menu. Click on Security and Login under Security.


You will see the Security and Login menu. Click on Use two-factor authentication under Two-Factor Authentication.


In the Two-Factor Authentication menu select the Security Key option and click on Continue.


From there, follow the instructions that are device and key-specific to add your security key as an extra factor of authentication.

Privacy and security

Imagine all the information an attacker might find out about you if they got hold of your Facebook credentials. It’s not just all your public and private posts, but your Messenger conversations as well. The first thing a successful attacker will do is enable 2FA to lock you out. So get ahead in the game and enable it yourself. Any 2FA is better than none, but a security key is the most secure form of 2FA.


Stay safe, everyone!

The post How to enable Facebook’s hardware key authentication for iOS and Android appeared first on Malwarebytes Labs.