Archive for author: makoadmin

To better understand modern malware detection methods, it’s a good idea to look at sandboxes. In cybersecurity, the use of sandboxes has gained a lot of traction over the last decade or so. With the plethora of new malware coming our way every day, security researchers needed something to test new programs without investing too much of their precious time.

Sandboxes provide ideal, secluded environments to screen certain malware types without giving that malware a chance to spread. Based on the observed behavior, the samples can then be classified as harmless, malicious, or “needs a closer look.”

Running programs in such a secluded environment is referred to as sandboxing and the environment the samples are allowed to run in are called sandboxes.

Definition of sandboxing

Let’s start with a definition so we know what we are talking about. There are many definitions around but I’m partial to this one:

“Sandboxing is a software management strategy that isolates applications from critical system resources and other programs. Sandboxing helps reduce the impact any individual program or app will have on your system.”

I’m not partial to this definition because it is more correct than other definitions, but because it says exactly what we want from a sandbox in malware research: No impact on critical system resources. We want the malware to show us what it does, but we don’t want it to disturb our monitoring or infect other important systems. Preferably, we want it to create a full report and be able to reset the sandbox quickly so it’s ready for the next sample.

Malware detection and sandboxing

Coming from that definition, we can say that a cybersecurity sandbox is a physical or virtual environment used to open files or run programs without the chance of any sample interfering with our monitoring or permanently affecting the device they are running on. Sandboxing is used to test code or applications that could be malicious before serving it up to critical devices.

In cybersecurity, sandboxing is used as a method to test software which would end up being categorized as “safe” or “unsafe” after the test. In many cases, the code will be allowed to run and a machine learning (ML) algorithm or another type of Artificial Intelligence (AI) will be used to classify the sample or move it further upstream for closer determination.

Malware and online sandboxes

As sandbox technology development further progressed and as the demand for a quick method to test software arose, we saw the introduction of online sandboxes. These are websites where you can submit a sample and receive a report about the actions of the sample as observed by the online sandbox.

It still takes an experienced eye to determine from these reports whether the submitted sample was malicious or not, but for many system administrators in a small organization, it’s a quick check that lets them decide whether they want to allow something to run inside their security perimeter.

Some of these online sandboxes have even taken this procedure one step further and allow user input during the monitoring process.

This is an ideal setup for those types of situations where the intended victim needs to unzip a password-protected attachment and enable content in a Word document. Or those pesky adware installers that require you to scroll through their End User License Agreement (EULA) and click on “Agree” and “Install.” As you can imagine. these will not do much on a fully automated sandbox, but for a malware analyst, these samples would fall into the category that requires human attention anyway.

Sandbox sensitivity

In the ongoing “arms race” between malware writers and security professionals, malware writers started to add routines to their programs that check if they are running in a virtual environment. When the programs detect that they are running in a sandbox or on a virtual machine (VM), they throw an error or just stop running silently. Some even perform some harmless task to throw us off their track. Either way, these sandbox-evading malware samples don’t execute their malicious code when they detect that they are running inside a controlled environment. Their main concern is that researchers would be able to monitor the behavior and come up with counter strategies, like blocking the URLs that the sample tries to contact.

Some of the methods that malware uses to determine whether it is running in a sandbox are:

• Delaying execution to make use of the time-out that is built into most sandboxes.
• Hardware fingerprinting. Sandboxes and Virtual Machines can be recognized as they are typically different from physical machines. A much lower usage of resources, for example, is one such indicator.
• Measuring user interaction. Some malware requires the user to be active for it to run, even if it’s only a moving mouse-pointer.
• Network detection. Some samples will not run on non-networked systems.
• Checking other running programs. Some samples look for processes that are known to be used for monitoring and refuse to run when they are active. Also the absence of other software may be considered an indicator of running on a sandbox.

Sandboxes and virtual machines

In the previous paragraph we referenced both virtual machines and sandboxes. However, while sandboxes and virtual machines share enough characteristics to get them confused for one another, they are in fact two different technologies.

What really sets them apart is that the Virtual Machine is always acting as if it were a complete system. A sandbox can be made much more limited.  For instance, a sandbox can be made to run only in the browser and none of the other applications on the system would notice it was even there. On the other hand, a Virtual Machine that is entirely separated from the rest of the world, including its host, would be considered a sandbox.

To make the circle complete, so to speak, we have seen malware delivered in the form of a VM. This type of attack was observed in two separate families, Maze and Ragnar Locker. The Maze threat actors bundled a VirtualBox installer and the weaponized VM virtual drive inside a msi file (Windows installer package). The attackers then used a batch script called starter.bat to launch the attack from within the VM.

If you’d like to know more technical details about these attacks, here’s some recommended reading: Maze attackers adopt Ragnar Locker virtual machine technique

The future of sandboxing

Keeping in mind that containerization and virtual machines are becoming more common as a replacement for physical machines, we wonder whether cybercriminals can afford to cancel their attack when they find out they are running on a sandbox or virtual machine.

On the other hand, the malware detection methods developed around sandboxes are getting more sophisticated every day.

So, could this be the field where the arms race is in favor of the good guys? Only the future will be able tell us.

Stay safe, everyone!

The post Sandbox in security: what is it, and how it relates to malware appeared first on Malwarebytes Labs.

“It happens to the best of us.”

And, indeed, no adage is better suited to a phishing campaign that recently made headlines.

Fraudsters used the brand, KnowBe4—a trusted cybersecurity company that offers security awareness training for organizations—to gain recipients’ trust, their Microsoft Outlook credentials, and other personally identifiable information (PII). This is according to findings from our friends at Cofense Intelligence, who did a comprehensive analysis of the campaign, and of course, KnowBe4, who first reported about it.

Email details are as follows:

Subject: Training Reminder: Due Date

Message body:

Good morning

Your Security Awareness Training will expire within the next 24hrs. You only have 1 day to complete the following assignment:

– 2020 KnowBe4 Security Awareness Training

Please note this training is not available on the employee training Portal. You need to use the link below to complete the training:

hxxps://training[.]knowb[.]e4[.]com/auth/saml/4d851fef35c0f

This training link is also available on Security Awareness Training.

Use the URL: training[.]knowbe[.]4[.]com/login if you like to access the training outside of the network. Please use your email on the initial KnowBe4 login screen. Once the browser directs you to authentication page, please enter your username, password, and click the “Sign in” button to access the training.

Your training record will be available within 30 days after the campaign is concluded.

Thank you for helping to keep our organization safe from cybercrime.

Information Security Officer

“Poor English” is usually a hallmark of a scam email, according to majority of cybersecurity experts, and phishing emails are notoriously known for it. The above training-themed email may have fooled several recipients who are quite forgiving to some English errors—after all, typos do happen.

However, we should remember to also look at the URLs closely, both on the email and where it really leads to when you hover a mouse pointer over each one of them. Granted this is a straightforward, unsophisticated scam, which makes discerning it easier. It also gives us the notion that whoever the campaign is trying to bag, they’re only after those who aren’t careful enough to look closely or critical enough to perceive that something is amiss.

To the seemingly untrained eye, the URLs on the email may seem genuine, but they’re not. If you’re familiar with a URL’s structure, you’ll realize quickly that they’re not even close to being genuine. Take, for example, training[.]knowb[.]e4[.]com. The main domain here is e4[.]com. As for training[.]knowbe[.]4[.]com, the main domain is 4[.]com. Basic familiarity to URLs can save you from falling for scams like this.

Once users click any of the links, they are directed to a destination that doesn’t bear the KnowBe4 brand but to what appears to be a Microsoft Outlook sign in page, asking for credentials.

Again, take note of the URL in the address bar.

According to Cofense, similar phishing pages like this are hosted on at least 30 sites since April of this year. They also found traces of other current or previous phishing campaigns that were themed around sexual harassment training, another learning course many organizations require their employees to take.

Going back: Once the Outlook username and password combination were provided and the user clicks “sign in”, they are directed to another Outlook page, this time asking for details that are more personal, such as date of birth and physical address.

As the phishing kit had already been taken down at the time of writing, testing couldn’t show what happens next after clicking “Verify Now”. But based on the sexual harassment training phishing campaign, which used the same kit, redirecting to a legitimate sexual harassment training page, it’s logical to conclude that users would also be directed to a security awareness training website, which may or may not necessarily be KnowBe4.

This isn’t the first time the KnowBe4 brand—or other cybersecurity brands for that matter—have been abused to defraud people. The company was first used in phishing campaigns in September 2018 and in January 2019.

In February of this year, a NortonLifeLock phishing scam, wherein threat actors forced a remote access Trojan (RAT) installation onto victim systems by making a malformed Word document appear to be password-protected by NortonLifeLock, was found in the wild.

In April 2019, sophisticated Office 365 credential stealers didn’t only craft fake Microsoft alert types around certain Microsoft products, they also mimicked the return path of Barracuda Networks, a well-known email security provider, and include it in the phishing email’s Received header, making the email appear that it passed through Barracuda servers. This would make it seem like it could be trusted, and thus, safe to open, when—upon closer inspection—it’s not.

Every organization has a brand to protect. And the first step to do this is to realize early on that their brand could be misused or abused by those who want to make illicit gains. That said, no brand is truly safe. Heck, even Malwarebytes has doppelgängers.

Businesses must be actively looking for those banking on their names online. Customers, on the other hand, must know and accept that online criminals can get to them through the services they use by pretending to be these companies. It’s no longer enough to readily trust emails based on the logos they purport to bear. It’s time to start carefully reading emails you care about and scrutinizing them, from the supposed sender to the email links and/or attachments.

Never attempt to click anything on dubious emails or visit the destinations by copying and pasting them on a browser unless you’re in a virtual machine. And if you don’t have time to do the investigative work yourself, ask. Give your service provider a call or report a potential phishing attempt. This way, you’re not only helping yourself but also alerting your provider and helping those who would have fallen for a scam if not for your efforts.

Stay safe!

The post Phishers spoof reliable cybersecurity training company to garner clicks appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we looked at Fintech industry developments, specifically the differences between Europe and the US, and we analyzed how some charities and the advertising industry are tied together. We also told readers about what companies can do to counter domain name abuse.

In our Lock and Code podcast we talked to Pieter Arntz about safely using Google Chrome Extensions.

Other cybersecurity news

• Researchers discovered the Zerologon Windows exploit, which lets attackers instantly become admins on enterprise networks. (Source: TechSpot)
• A technology firm linked to the Chinese Communist Party has created and mined a global database of 2.4 million individuals. (Source: The Diplomat)
• Five Chinese nationals and two Malaysian nationals linked to APT41 were charged in connection with a global hacking campaign. (Source: Cyberscoop)
• How do stolen credit cards get used halfway around the world? Danny Palmer tried to find out. (Source: ZDNet)
• Cybersecurity companies noticed a surge in DDoS attacks targeting the education and academic sector. (Source: BleepingComputer)
• A bluetooth vulnerability dubbed BLURtooth that overwrites Bluetooth encryption keys was reported last week by two research groups. (Source: TechXplore)
• The US Department of the Interior (DoI) failed its latest computer security assessment, mostly for a lack of Wi-Fi defenses. (Source: The Register)
• A woman in Germany died during a ransomware attack on a hospital, in what may be the first death directly linked to a cyberattack on a hospital. (Source: The Verge)
• In a transformation of the threat portfolio, web-phishing targeting various online services almost doubled during the COVID-19 pandemic. (Source: Security Affairs)
• UK business owners were targeted by a phishing scam that attempts to gain sensitive information by impersonating Her Majesty’s Revenue and Customs (HMRC). (Source: Infosecurity Magazine)

Stay safe, everyone!

The post A week in security (September 14 – 20) appeared first on Malwarebytes Labs.

Even though some organizations and companies may not realize it, their domain name is an important asset. Their web presence can even make or break companies. Therefor, “domain name abuse” is something that can ruin your reputation.

Losing control

There are several ways in which perpetrators can abuse your good name to make a profit for themselves, while ruining your good name in the process.

• Domain name hijacking
• Webserver takeovers
• Domain name abuse

The first two are closely related and are usually the result of an attack or breach of some kind.

Domain name hijacking can be the result of someone getting hold of your credentials and changing the server that gets to display the information when the domain is queried. Generally speaking, this is done by changing the DNS records for the domain and if the attackers are planning to prolong the use of your domain, they will move the domain registration to a different registrar. This is done to make it harder for the original owner to get control back over the domain. To pull this off they will need to get hold of your login credentials with the original registrar, either by phishing or by a data breach at the registrar. Many registrars will also ask for an Auth-Code when a domain holder wants to transfer a domain name from one registrar to another. So, it is wise to store this separate from your login credentials. Worst case scenario: the registrar cannot solve the issue for you. Even the ICANN will not be able to remediate the illegal domain transfer if your requests to the original and new registrar do not manage to get your control back.

Webserver takeovers are more of a physical attack on your own servers, whether they are on premise, hosted, or in the cloud. This is what we often see when websites are defaced or other attacks with a shorter lifespan. The results are easier to remedy as it usually only takes a backup of the old website to restore it to its old glory. Sometimes all you need to do is remove a few files that were added by the attacker. But the important part here is to find out how the attacker got access to the webserver(s) and how you can prevent it in the future.

A whole different, but related topic, we have discussed before is the use of expired domains for malvertising. While the technique is totally different, the end goal—malvertising— is of common interest.

Domain name abuse

But the main topic for this post will be domain name abuse, a much harder to grasp subject as it does not involve access to something that belongs to you. At best (or worst rather) the infringement is on your intellectual property.

Again, there are several possible scenarios.

• Typosquatting
• Domain name registration under another Top Level Domain (TLD)
• Replacing country code TLD’s (ccTLD’s)
• Using ccTLD’s to replace .com or other general TLD’s

Depending on the objective of the domain name abuse some strategies will make more sense then others. If the motive is email fraud then making the website look exactly like the one the perpetrator wants to mimic is more important than having a convincingly deceiving domain name. Especially since spoofing is another option that is often used in email fraud.

Typosquatting is the method of using domain names that are only a little bit different from the real one. They are usually only one typo away, hence the name. These names are often used on highly popular domain names to increase the chance of success. To use an example: goggle[.]com. (See? At first glance, it kind of works.)

Changing the TLD means the holder of the new domain changed the TLD expecting the reader will not notice or be aware of the switch they made. Yet another example: whitehouse[.]com.

Replacing country code TLD is basically the same method but this is a technique often used for banking fraud sites where a national bank is impersonated by giving it a more international TLD. For example: localbank.us becomes localbank.com.

The other way around happens as well. The international TLD gets replaced with a country code TLD Which also makes sense since many internationals use this method to direct traffic for local dealerships to the localized website. For example: Chevrolet also owns Chevrolet.de besides their own Chevrolet.com.

What is the purpose of the abuse?

Before we look at how we can respond to domain name abuse, it is important to establish what the purpose of the abuser is. The motives can range from downright malicious and illegal to trying to grab some extra traffic using your brand, which is not immediately illegal, per se. There are some grey areas between the two where legal actions may or may not have the desired result.

What is definitely not allowed is when the abuser tries to pretend to be a representative for your company or to act in your name without your consent. On the other hand, it is not illegal to hope that someone makes a typo. But like we said there is a big grey area between these two. Let’s look at an example.

In most countries it is not illegal to act as an intermediary between the public and an organization. Let’s take for example the intermediaries that ask for money to do the necessary paperwork for a US Green Card. Probably every country has at least one that offers to assist you to apply for one. For a fee of course. There is nothing illegal about most of them. The terrain gets shady, though, when the intermediary uses a domain name that could make the visitor think they are dealing with the U.S. Citizenship and Immigration Services (USCIS) directly. For example, by using the domain uscis[.]us. It gets downright illegal when the owner of the domain puts official logos of another company on his website. At that point they are impersonating the USCIS and can expect a takedown. For commercial companies such behavior can also be treated as an infringement on intellectual property.

Countermeasures

What are your options when you notice, or worse, get notified about domain name abuse? There are a few options to deal with websites that throw a negative shadow over your own:

• Ignore. In some cases, there are few other options, so your best strategy may be to not waste any time on the matter and hope it goes away.
• Contact the owner. If you look up the domain name there will be a contact email or abuse email of the registrar provided. This method may help in cases of an honest mistake, but your efforts are likely to be futile when there is malicious intent.
• Contact the registrar. You will need some luck and provide decent evidence to get a registrar to take down a website of one of their customers. Some registrars are known for their slow and reluctance to help victims of domain name abuse.
• In those cases you will have to resort to a so-called “Notice and takedown” procedure. Many countries have an independent authority that you can contact with complaints about their ccTLD’s. But these authorities will not be able to help you with international TLDs.
• Take them to court. Easier said then done when you don’t know who you’re dealing with. And even if you do, court rulings can take a long time and are costly. But sometimes threatening with legal proceedings is enough since they are costly for the other party as well.
• Make sure nobody finds the offensive sites. When the owners rely on search engines to find their site you can counter them there. Often, new sites rely on paid advertisements with search engines to bring in the necessary traffic. Your options are to file a complaint with the search engine or to simply outbid the opponent by paying more for advertisements pointing to your own site.

Required level of protection

There are very different levels of necessity for specialized services and systems that watch and report possible domain name abuse on your domain. Banks and other financials will probably have a whole department involved in takedowns, where your run of the mill pop and mom shop will be satisfied if they can keep their own site updated. Some companies will have an in-house department to keep an eye on possible domain name abuse which will be backed by a legal department that gets called in when necessary. Others will hire a specialized company to do this for them, while the vast majority has taken no precautions at all and will respond whenever a problem should arise.

And as long as your company is considered to be in the appropriate category there is not much reason to make any changes. Having a specialized department when there is absolutely no track record of domain name abuse and none is to be expected is a waste of time and money.

The post Is domain name abuse something companies should worry about? appeared first on Malwarebytes Labs.

Data makes the world go round, more often than not via advertising and its tracking mechanisms. Whether you think making money from large volumes of PII to keep the web ticking over is a good thing, or a sleazy data-grab often encouraging terrible ad practices, it’s not going to go away anytime soon. Charity advertising is an important feature of revenue generation for UK-based charitable organisations, and that’s where our focus lies in this post.

A detailed analysis of ad tracking mechanisms on popular charity websites has been released by ProPrivacy, and it explores the nuances of organisations balancing the need to stay in operation alongside ensuring personal data and privacy are top of the agenda. Unfortunately, it appears there’s still a lot of work to do in that regard.

The numbers game

Right off the bat, I think it’s important to pin down exactly what kind of numbers we’re talking about here. The report is incredibly long and detailed, and it’s quite easy to miss key points as a result. If you skimmed the report, or just glanced at bits and pieces, you might come away thinking 80,000 UK based charities are harvesting data on a grand scale. That isn’t the case.

The domains were extracted by researchers from the Charity Commissioner’s database. Once potentially unrelated sites such as publishing companies, subdomains, dead URLs and more were removed from the total, what’s left is 64k sites. That’s still a sizeable number of domains. Even so, that tally is about to drop further.

The study authors deduced that 42% of what remained used ad tracking technology. That’s around 27,000 sites. This is still a big number, but as you can see we’ve already lost a significant chunk of the original tally.

Adding shape to data

As for what kind of charity advertising lurked on those sites, I’ll stand back and let the researchers do the talking:

The majority of these trackers were related to social platforms. 33.8% of the sites analysed contained trackers belonging to: Facebook, Twitter, AddThis, YouTube, Instagram, LinkedIn, or Flickr.

DoubleClick, the Alphabet-owned programmatic advertising (RTB) platform was installed on 10,105 (15.6% of sites).

Outside of the Google advertising ecosystem, we found 330 (0.51%) charities with RTB trackers and 220 (0.34%) with data broker trackers installed.

Your mileage can (and will!) vary, but I don’t personally think people generally have issues with things like social plugins, especially when many of us use those tools daily. It’s also quite easy to find out what, exactly, those plugins do and how to avoid them if you really want to.

Some of the other elements could be cause for concern, however.

The study found that 90% of the top 100 popular charities in the UK used advertising methods via DoubleClick or similar technology. Again, Google’s DoubleClick is something you can at least find information on and make an informed decision as to whether you want your data to interact with it. With them taken out of the picture, 40% used third party elements belonging to either RTB players or data brokers.

This is where the story really kicks into gear. Before said gear can be kicked, it’s time for a brief “What is RTB” interlude.

What is Real Time Bidding (RTB)?

Back in the olden times of online advertising, ads were purchased in bulk and placed on specific websites only. It was all a bit cumbersome and not particularly sophisticated, at least compared to what’s now available. Real Time Bidding (RTB) is a system where advertisers compete in real time set against specific audiences and targets.

It’s more agile than more traditional methods of ad unit placement, and usually a bit cheaper. Instead of the old bulk methods, you can assign whatever size budget you like and only “win” the bids you’re interested in. Anything unimportant to your overall strategy won’t factor into things.

Think of it as an advertising sandwich, with the advertisers wanting to promote wares on one side, the website on the other, and the ad network filling in-between connecting the two. Within that ad network space, you’ve got the big players at the top of the…sandwich tree?…and an endless procession of ad agencies.

There are usually additional ad agencies filling the role of brokers liaising with said big guns. In amongst all of this, the rogue advertisers place their bids for impressions alongside legitimate buyers, and the real-time nature of things makes it tricky to sniff them out. Those bogus ads could be pushing malware, or redirects, or both.

That’s at the “definitely very bad” end of the scale. Elsewhere, we have simply “RTB working as intended”. That’s our sign to jump back to the story at hand.

Charity sites and RTB

According to the research, 21 charities are sharing data with brokers directly, and seven are sharing with more than one broker. As you can imagine, it’s important to comply with all relevant rules to keep site visitors safe from potential privacy intrusions. What the study found, however, was that in a lot of cases where charity advertising is concerned, organisations simply had no idea what was happening on their site.

Daisy chains of third-party requests from the initially placed tracker means visitor data could be shared with multiple companies. Who are they? What are they doing with it? Well, the charity may not know and so neither would you. If people running the ad tech don’t fully explain what’s going to take place to the charities, that leaves both site and visitors at risk.

Oh no, my cookie jar

Worse, cookie compliance is a mess. In theory, when you see one of those “Do you accept” notices, you’re supposed to be able to decide if you accept cookies / tracking or not. Everything should pause under the hood and wait for you to make an informed decision. The reality is a little bit shocking, with a whopping 92% of the top charity sites failing to pause cookie loading till a decision is made.

Going back to the data, 8 charities paused 3^rd party cookie loading till a decision was made. The rest were potentially sharing data with advertisers while the site visitor decides what to do next. 30% of those in the top tier gave no consent option either way. Some form of actual control offered to visitors was granted by just 32%, with 13% ensuring their cookies are inactive, waiting for the visitor to make a move.

This is, frankly, not great.

Scenes from a charitable donation

Many of us donate to charity organisations, whether it’s one-off payments, rolling subscriptions, bags of clothing, and more. To give one example, after a house-move I passed in a lot of clothing and other items I no longer had a use for. The way it works is you fill in a few forms when you hand it over, and a few months later a letter comes through the door. It encourages me to visit the website and “See what we’ve done with your items”.

There are a few different ways this can play out:

1. The letter will be personalised to my items, for example with a unique printed code which I input on the site. From there, the website would attempt to tie me to the items given to begin the matching of personal data and advertising profiles. Who knows if the marketing tools under the hood do anything prior to me making cookie related decisions? If they’re connected to daisy-chained advertising firms?
2. The letter includes a code tied to your name / address. This code may or may not be used on the website to update details in case of a house move. It’s possible this will be tied to marketing profiles when first entered or updated, and then you’re back to the same situation in example 1.

Time to make a choice

In my example, the site presents me with a popup the length of the page, telling me analytical / marketing cookies are set to off by default. Essential cookies are ticked, and there are two separately placed “accept recommended settings” boxes. Is there no way to disallow the essential cookies even if the site requires them to function? If I click the “accept recommended settings” next to the currently switched off marketing cookies, will it enable them? Or is “off” the recommended setting?

Does the “accept recommended settings” box next to the essential cookies tick related to those specifically, or does it do the same thing as the recommended settings box next to marketing cookies? Where do I click to find out?

These are just a few of the questions I had in my mind as I browse the page, and I’m not entirely sure what the correct answers will be. It may well be a slightly excessive observation of the choices before me, but such observations are required to figure out exactly what we’re agreeing to. Without them, the idea of granting consent seems somewhat meaningless.

Charitable ethics

As the report notes, many charities deal with very sensitive subjects. How prepared are we to become monetised for random third parties, in order to keep our favourite charities of choice ticking over? There are no easy answers to this question. The main requirement here is to ensure people’s data is treated with the same respect the charities give the recipients of their hard work. Donators are happy to keep these organisations ticking over, and it’s definitely in the long-term interests of the charities to keep them that way.

Full report: Exposing the hidden data ecosystem of the UKs most trusted charities (Source: ProPrivacy)

The post Charities and the advertising industry: data ecosystems and privacy risks appeared first on Malwarebytes Labs.

“Put your money in the bank and you can watch it grow.” If there is a statement that shows us how much the financial world has changed it’s this one. With the introduction of negative interest, companies and consumers with a large amount of liquid assets are looking for a different way to handle those assets.

This is where the innovative fintech industry comes into play.

What is fintech?

The hardware and software used in the financial world is generally referred to as fintech. But the expression is also used to describe the startups in the financial world. In this article it will be used to describe the technology as many of the settled financial institutions feel they need to adapt to the same new technology that the startups offer their customers. Because of this we can find these new features in banking and other financial applications both in the apps of accomplished firms along with those of the new financials.

Differences in the leading markets

When you think about fintech there is a big difference in what everyone might envision, and this may rely for a big part on which part of the world you are in. Before 2017 the US was leading the way and they were making large investments in the development of new technologies related to online banking, mobile apps, and other new technologies in this field.

From then on investments in the US in this industry started to dwindle, simply because the existing companies turned out to need too much more investments before they could possibly become profitable. Also, there were too many horses to bet on, and the more horses, the harder it is to pick the winning one. The playing field in Europe was easier to oversee and many new branches were carried by older and more trustworthy trees. In other words, fintech firms in Europe have long been undervalued by the market while offering substantial added value and more interesting growth perspectives than their American counterparts. Product advancements and a focus on regulation have made European fintech companies more attractive for investors.

Regulation is an important factor

The use of consumer fintech in the United States seems to be well behind that in most of Europe, where regulation that looks ahead has sparked a surge of innovation in digital banking services along with the backend infrastructure onto which products are built and operated.

That might seem counterintuitive, as regulation is often blamed for slowing innovation down. Instead, European regulators have focused on reducing barriers to fintech growth rather than clinging to the way things are. For example, the U.K.’s Open Banking regulation requires the country’s nine big high-street banks to share customer data with authorized fintech providers.

Importance of fintech

The financial industry is considered to be vital infrastructure and for good reason. When we lose trust in our financial institutions, it turns our society upside down.

Web skimmers are a potential hurdle when it comes down to trust issues. Generally speaking, web skimmers insert code into legitimate websites to eavesdrop on the payment details and attempt to find enough information to steal from the buyer. These information sets are sold on the black market to the highest bidder and could turn out to be very costly for the victim, or his bank if they reimburse their customers. But even if you get reimbursed, the occurrence of someone plundering your bank account, could scare away potential buyers from online shopping.

Fintech as an industry is one of the possible caretakers when it comes to constructing tamper proof websites and prevent the interception of re-usable payment details.

PCI DSS compliance

One of the instruments that is already in place, but could be implemented better is PCI DSS compliance. Providers staying on top of achieving effective and sustainable compliance will make a notable contribution to the level of trust that consumers will have in online transactions and other fintech innovations.

The differences

The future of fintech is promising but how fast we can reap the fruits depends on where we live and how our governments handle regulation of the sector. As we have said before European laws are focused on enabling developments in the fintech industry. All the while keeping an eye on privacy issues under the flag of GDPR regulations. In the US the industry has been under heavy scrutiny since the 2008 banking crisis. For the fintech startups this has resulted in a complicated regulatory framework but also the inexistence of a concrete legislation for fintech firms that takes into consideration the different nature of their activities. And if these companies want to be players on an international level, they still have to adhere to GDPR regulations as well.

A common request from the US fintech industry has been to implement legislation that supports startups and is tailormade for the specific industry. The feeling is that this will create a favorable environment for growth and give the industry a chance to catch up with their European counterparts.

Given that the biggest part of the European fintech startups’ activity is based in the UK some analysts are still holding their breath while the implications of Brexit are starting to pen out. During the implementation period, EU law will continue to apply, firms and funds will continue to benefit. But this hasn’t brought a lot of certainty for the financial services sector in the long-term. The more traditional banks are already preparing to move hundreds of billions of dollars from London to the continent after Brexit. The magnitude of the move will likely depend on the result of the negotiations for new trade deals between the UK and the EU. But, a report from thinktank New Financial suggests that 332 financial services firms have already moved jobs out of London because of Brexit, up from 60 last time they looked in March 2019. And this was before the COVID pandemic threw a wrench in the progress of the negotiations between the UK and the EU. Companies are considering to move as a consequence of the delay and uncertainty around Brexit.

Consumer security

Whichever route the legislators decide to take, it should be clear that consumer security is a priority. Without consumer trust all the fintech endeavors will be futile anyway. Obviously mistakes will be made but they should be dealt with in a fair way and lessons should be learned from them.

One of the reasons why some of the fintech startups are so successful lies in their ability to offer alternatives to conventional financial solutions through cryptocurrencies, online loans, and P2P. Along comes a variety of challenges and one of them will be cybersecurity. The huge growth in the number and size of online platforms makes this industry very vulnerable to security breaches and creates potential targets for DDoS attacks.

The post Fintech industry developments, differences between Europe and the US appeared first on Malwarebytes Labs.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Pieter Arntz, malware intelligence researcher for Malwarebytes, about Google Chrome extensions.

These sometimes helpful online tools that work directly with the Google Chrome browser can pull off a variety of tricks—checking your grammar, scouring the web for coupon codes, and providing a dark mode for easier nighttime browsing.

But the Google Chrome extension landscape is enormous, and, for countless users trying to navigate it, they can run into trouble.

Tune in to hear about the the history of web browser extensions, and how to spot and protect against malicious Google Chrome extensions on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

• Malvertising campaigns, and why they have come back in full swing.
• The global shift in dark web purchasing due to the coronavirus pandemic.
• What possible cyber threats during the election season that every informed voter should know, expect, and act upon.

Other cybersecurity news

• COVID-19 research has become valuable in the eyes of espionage agencies. In Georgia, the Lugar Centre, also known as the Center for Public Health Research, was the latest named victim of a foreign cyber attack. (Source: Agenda)
• Charming Kitten, a well-known Iranian APT group, carried out attacks against Greek Navy Officers, with the end-goal of email and social media accounts of officers. (Source: Israel Defense)
• A Netflix verification scam starts to make rounds once again—so keep an eye out! (Source: Boston 25 News)
• Multiple data breaches have occurred in a number of organizations worldwide: University of Missouri, North Carolina Health System, Service NSW, and ProctorU to name a few.
• According to new research, DDoS attacks against online education resources increased by at least 350% (between January and June 2020) compared to previous months in 2019. (Source: InfoSecurity Magazine).

Stay safe, everyone!

The post Lock and Code S1Ep15: Safely using Google Chrome Extensions with Pieter Arntz appeared first on Malwarebytes Labs.

Singapore held its most recent general election on July 10 2020, and although they used the electoral system called first-past-the-post (FPTP), a scheme favored by the US, UK, and most English-speaking countries, the road leading to Election Day was not without challenges and obstacles.

While all voters used paper ballots (thus removing the exposure to risk that comes with using electronic voting machines), phishing attempts, disinformation, threats of hacking political parties, and other election cyberthreats were nonetheless ever-present.

In light of the ongoing COVID-19 pandemic and the election technologies we know could be abused in the wrong hands, we look at these and other potential election cyberthreats—past, present, and (if pervasive enough) future—that the security world has observed for quite a while now, so that informed voters can remain informed and hopefully continue exercising your right to vote whenever and wherever that may be.

Ask, and ye shall know

Avid readers of this blog would know that we stress upon the importance of asking the right questions when it comes to deciding on what to do online, what to buy (and where), and which technologies to use. In this case, we’d like to know which election threats that we’d be facing and the ways we can protect against them or otherwise address them.

And in attempting to answer these, we first need to know what or who could be targeted during an election. This way, we’d also know what to protect and how. So, we ask—

What are election assets?

To identify the threats we can likely see/face/observe during election period, it is important to identify an election’s critical assets, which will in turn aid us in recognizing and categorizing threats to these assets and to the election as a whole.

Election assets are:

Infrastructure. This pertains to places where polling is held, including storage facilities for elections and locations where election systems are physically set up. If we want to be granular, the US Department of Homeland Security (DHS) listed some of these as: voter registration databases and their associated IT systems, election management systems (for counting, auditing, displaying election results, etc.), and voting systems.

Materials. Pretty self-explanatory. These pertain to the objects used during the election process. For example, paper ballots or voter registration cards, pens, and indelible inks.

As of this writing, there have been no real or theorized election cyberthreats lodged against such materials. However, this doesn’t mean that no one has attempted to circumvent their use.

Take, for example, the use of the electoral ink. Its indelibility is a means to prevent constituents from casting more than one vote. With the ongoing pandemic, however, hand sanitizing before and after casting votes could impact the product’s effectiveness. Not to mention that there have been cases in the past where the ink used washed off easily and completely.

People and information. Although they are two completely different entities, we cannot really separate them. The people are the political candidates, their staff, and the parties they represent; the third-party organizations that are directly or indirectly involved in the elections; electoral officials and staff; and, of course, the voters. Under third parties, we can include software and hardware manufacturers. Information, of course, refers to all of the content these people share to the public, amongst each other, and within election systems.

Technology. Voting machines aren’t the only technology that countries use for and during an election. Political candidates have freely made use of printers, mobile phones, and the Internet to reach out and communicate with their supporters. Voting technology also includes systems that are used to efficiently manage the elections. Examples of systems are information management systems, election management systems, and yes, the machine’s operating system itself.

With these in mind, we can start identifying potential threats to these assets. Note that such threats can happen before, during, or even after elections.

Why would cybercriminals do this?

Oftentimes, it is easy to pin down intent based on the kind of threat being carried out. A phishing email, for example, gives a clear indication that whoever is behind the campaign is aiming to gather something from their target—be it sensitive information or money.

In many cases, the phishing email carries with it a malware payload, or a link to its download location. The malware, once executed, then seeks and siphons out information back to its command center. But things don’t end here.

The malware could reside and remain undetected, allowing attackers to gain a foothold onto the target’s network. Sensitive data, credentials, and other information they may have gleaned can be used for their own benefit—from selling to the highest bidder, leaking to disrupt normal operations or call into question a victim’s reputation, and—if some of the files seem personal enough—used to blackmail the victim to extort money.

When it comes to elections, one would likely assume that nation-state actors would interfere to tip the political scales in their favor. Other actors would insert physical disruptions to the otherwise normal election process, either to cover up their true intent—which is usually something more sinister than causing trouble—or “just because.”

There is, however, a solid belief among cybersecurity professionals that the main motivation behind election-fueled attacks is to sow distrust among voters against either their government, the electoral staff and their processes, or the technologies used in conducting the elections. It’s also possible that their aim is all of the above.

How do threat actors disrupt or interfere in elections?

Now that we have identified what threat actors would likely target and why they would target them, we move to answering how threat actors would likely attack these targets. Here’s a comprehensive list of (potential) adversarial activities that has been observed (if not theorized) so far:

Discourse manipulation

We already mentioned earlier that election threats can happen months before election day arrives. Suffice to say that while politicians and election administrators are busy planning and preparing for election day, expect that threat actors are doing the same. One of the more subtle (yet still nefarious) ways of interfering with elections in the run-up to election day is to manipulate the discourse to favor one candidate over another, or simply to cast doubt on the entire election process.

When one manipulates the discourse, one asserts “The Good Me” while also highlighting “The Bad Them.” Unfortunately, we’re all too familiar now with the ways in which cybercriminals (and politicians alike) do this through disinformation, fake news, and computational propaganda.

Disinformation, fake news, and computational propaganda

Several forms of disinformation from all sides of the political spectrum have been around almost as long as politics itself, and certainly pre-date the Internet. Word of mouth and traditional media have helped amplify such campaigns.

With the Internet, and now especially social media, it is easier than ever to, say, cook up stories about what a certain politician purportedly said regarding a sensitive matter that would anger a certain group of people. This can even be accomplished in real time. According to The Global Disinformation Order [PDF], a paper from the Oxford Internet Institute, online disinformation campaigns have been on the uptick since 2017.

There are those who have no real affiliation with government and politics and merely want to earn easy money by targeting certain partisan groups. However, the cybersecurity industry has seen its share of serious organized criminals—often backed by their respective governments—that bank on disinformation campaigns and fake news to accomplish political subterfuge.

There are a number of reasons why governments and political parties spread disinformation, and the classic reasons are to:

1. Discredit their opponents
2. Bury views that oppose theirs
3. Erode trust in the election/election systems
4. Erode trust in democracy or other forms of government

It’s interesting to note that when it comes to conducting deliberate disinformation campaigns, our gut reaction is to point the finger at foreign nationals. There’s certainly precedent. For one, Russia has a known history of spinning phony political stories since the 1920’s.

But nowadays, Russia isn’t the only country engaged in such campaigns—or what others have started calling computational propaganda, which the Oxford Internet Institute defines as “the use of algorithms, automation, and big data to shape public life.” Iran is expanding its online disinformation operations, as are at least 70 more countries. Among these, China has dethroned Russia to become the new king of disinformation.

And then, there is social media manipulation, wherein engineered content is deployed using social networking platforms, and the proliferation of computational propaganda techniques themselves. Threat actors both domestic and foreign have been copying and honing Russia’s disinformation methods from the previous election to influence the outcome of this year’s US general elections.

The Oxford study also asserted that although we have countless social platforms currently in existence, Facebook remains the platform of choice to spread disinformation and fake news.

While governments and groups continue to either point fingers or deny allegations, let’s not forget that the recipients of such material can also amplify disinformation to their network, whether that’s their intention or not. Some may judge the veracity of the material as legitimate. Others may question it but circulate nonetheless to kick off discourse. Either way, both efforts serve to circulate baseless claims and call into question what is the truth.

Hacking

In one of our blogs about election systems in the vital Infrastructure series, we touched on how vulnerable elections could be, highlighting that although voting machines have been hacked successfully on many occasions, doing so at a large scale can actually prove more challenging than what was initially thought. To further complicate matters for potential hackers, not all states use the same voting machine make, model, and supplier. But that doesn’t mean elections are safe from hacking.

Websites can also be hacked, too. Remember that news about the website of the Florida Secretary of State being successfully infiltrated via an SLQ injection done by an 11-year old? Okay, granted, the website was actually a replica of the real thing, but one can’t but help think how potentially vulnerable these supposed critical websites are, especially when being accessed and interacted to by various people—including those with ill intent.

In the last quarter of 2019, McAfee found that swing state election websites aren’t secure from cyberattacks. For starters, the connections of these websites are problematic, as they don’t use HTTPS by default, making them far, far easier to infiltrate. Cybercriminals could make small but significant changes, like altering the websites’ content, that could cause confusion about the dates, locations, and times to vote or otherwise disrupt the election process.

Perhaps, on an even more dangerous note, hackers could do as little as claim to have compromised the site to sew seeds of doubt, casting a shadow over the efficacy of the democratic voting system and eroding the integrity of election results in that state.

Hacking is one of the many attacks on infrastructure that a state or country may encounter during a sensitive time like general elections. The act of infiltrating systems and infrastructures is also usually just the first step of a much larger campaign aimed at destabilizing government or other organizations.

For example, once an election or government site has been hacked, cybercriminals could use information and credentials to kick off a social engineering campaign. This could branch off to cyber espionage (which usually involves using malware), data theft, distributed denial-of-service (DDoS) attacks, and extortion. Come election season, attack campaigns would widen to include the possible interruption of ballots for their modification, deletion, or blocking (the act of blocking ballots from arriving to their supposed destination by threat actors).

Cyber espionage

Foreign spying has always been a challenge for governments, and it doesn’t just happen during the election season. Through the years, cybersecurity experts have investigated nation-state actors who had been involved in election-fueled espionage, particularly advanced persistent threat groups such as APT28, otherwise known as Fancy Bear; the Sandworm team; and APT40, otherwise known as Leviathan.

So far, persistent threat actors have infiltrated diverse targets during elections, from those on staff for a particular candidate or campaign to those responsible for administering ballots or distributing election materials. They are targeted for the sensitive information they have access to, but also for cybercriminals to familiarize themselves with the network’s infrastructure, so they can identity the locations housing critical information that they may use to their advantage.

Phishing

Data theft is a known and given problem during the elections since there is a huge exchange of information going on within distinct groups: among constituents and the registration databases; chat, email, or phone conversations between or among political staff and candidates; and credential information of electoral staff and administrators among others. And one way of stealing such data is via phishing.

In 2017, then-presidential candidate for France Emmanuel Macron confirmed that his staff and party, “En Marche!” or “Onwards!,” were targeted by several advanced phishing campaigns. However, no campaign data was stolen. And this is just one of the many “hundreds if not thousands” of attacks they received from locations inside Russia at that time.

Feike Hacquebord, a researcher from Trend Micro, confirmed these phishing campaigns with some emails containing a malware payload. He also noted that these attacks had telltale signs that connected them previous attacks targeting the campaigns of Hilary Clinton and Angela Merkel in 2016.

Perhaps the most notable political phishing story we can mention here is how President Macron’s campaign was able to turn the tide against the threat actors who were after their data. Led by Mounir Mahjoubi, the campaign’s digital director, they outplayed their attackers using a method called cyber-blurring or digital blurring.

This is a known diversionary tactic in the banking industry, and the Macron campaign used it to slow down and confuse hackers. They did this by deliberately creating fake documents—with some containing outright ridiculous information—accounts, and credentials and mixing them with real but otherwise uninteresting data. As a result, the attackers’ time was wasted, and the burden of proof to justify why they stole or leaked useless information was successfully shifted to the attackers.

Ransomware

Ransomware is seen as one of the big threats during the election season. Some might believe that by using ransomware, threat actors’ primary motivation must be profit in the form of digital coins. In fact, security researchers have reason to believe that, just as with other attack methods and threats used during elections, threat actors are more motivated to undermine the confidence of the results, either at the local level or state level.

“If a ransomware hits an election system, you can pay the ransom or pay a consultancy service. You can restore the data, but you still have the damage done. You cannot undo that damage,” said Lee Imrey, Cybersecurity Advisor for Slunk, in a candid webinar on election threats, “Because, even if you restore all the votes, you’ve lost confidence that the votes you’re restoring are valid votes.”

Possible scenarios also include poll workers not being able to access voter information databases due to them being locked up, which could also happen with websites that post unofficial results on and after Election Day. Some files impacted by ransomware may not being able to reverse their encryption—remember that a notable majority of files affected by a ransomware attack are not typically 100 percent recovered. Finally, a ransomware attack could result in the possible deletion of voter databases and other sensitive data.

It is known that, like some organizations in the private sector, several local governments are ill-equipped to protect themselves from ransomware attacks. Not only do they lack the manpower, they also lack the in-house expertise needed to at least guide them on what to do before, during, and after such a devastating attack.

SIM swapping/SIM swap attack/SIM intercept attack

SIM swapping is a form of identity theft, and it isn’t a new attack. But because of that successful takeover of Jack Dorsey’s own Twitter account, SIM swapping is a thing again.

This is considered an electoral threat because of its high potential to take over high profile accounts belonging to individuals involved in the election proceedings or the politicians themselves with simple social engineering tactics.

Although we have yet to see SIM swap attacks against individuals who are related to the 2020 US General Elections, there is the case of Euridice Pamela Sanchez, an Associated Students Incorporated (ASI) President and CEO candidate for California State University/East bay (VSUEB), being SIM swapped days before ASI elections in March of this year. The still-unknown actor was able to delete all her 3000+ Instagram connections. Since all candidate campaigning is done via social media due to the ongoing pandemic, Sanchez couldn’t reach her supporters to continue her campaign. The attacker also compromised her family’s AT&T account and attempted to access her personal email.

We can only imagine the scale of damage this could cause if political candidates or poll officials—even those in lower positions who may not directly report to them—would become victims of SIM swapping at this crucial time.

DDoS

DDoS can, no doubt, hinder an election process at any point. Take, for example, the cyber attack that affected the UK’s Labor Party’s websites during the 2019 general elections. Not only was the party hit once but twice over. The first attack failed, as confirmed by a National Cyber Security Centre (NCSC) spokesperson with the BBC.

A DDoS attack against websites also disrupted the voting procedures in South Korea in 2011. It was notable that a botnet attack from 200 devices happened in the morning, the time when the younger population of voters would be able to vote before they head for work. Investigators proclaimed that the threat actors were aiming for a low turnout of voters during this time, which in turn would have benefited the conservative party in South Korea.

Such attacks against this part of the election infrastructure could hinder candidates and their staff from accessing data they can use to plan on what campaigns to run in what areas and who they would be targeting to attempt to change their minds.

Deepfakes (and its other forms)

Deepfakes have come under the watchful eye of not just technology and cybersecurity experts but law enforcement as well. And why not? In the wrong hands—from nation-states with agendas tipping to their favor to naughty miscreants who just want to disrupt—it could turn the tides of any election cycle.

Many see deepfakes as another way to make disinformation campaigns more impactful and believable. But perhaps the good thing here is that, at this point in time, people are already familiar with this technology and are actually expecting a form of a politically motivated deepfake to emerge before Election Day, especially at the last minute.

But what really worries Kathryn Harrison, founder and CEO of the DeepTrust Alliance, an alliance devoted to fighting deepfakes and misinformation in general, is the emergence of something that is not a deepfake—a video, for example—of which its veracity cannot be verified. A candidate caught doing or saying something questionable could easily cry “Deepfake!” even if a video is truly legit. Researcher in deepfake circles call this conundrum Liar’s Dividend.

Other foreseen worries include an authority figure reading out wrong elections results, some fake disruptions at certain polling stations, or miseducating constituents on how they can stay safe during Election Day.

How can we protect ourselves from these threats?

For voters, it’s overwhelming to look at this lengthening list of election cyberthreats they might get affected by and feel they have so little time to prepare for to counter or protect themselves from. Fret not—most challenges on this list can only be addressed by governments in the state, local, and national level.

However, there are two things that voters must start doing (if they haven’t already):

Stay informed. Keeping apprised with the current news, especially those that touch on election cycles that are about to happen in your country or state, is one way of staying informed. And while it’s important to know what’s going on, it is equal if not more important to know credible sources of news you can refer to. Disinformation could be anywhere, and we must become smarter. With the elections drawing near, expect such campaigns to pop up in social media and other platforms.

Vote. Whether you feel like going to the polling station—wearing proper protection and following the recommended guidelines, of course—or you prefer to cast your vote via mail, please vote. The more people exercise their democratic right, the less likely electoral fraud can influence the overall outcome of the elections. It’s a numbers game, and we better make sure that the numbers weigh heavy on the side of an honest election cycle.

Good luck and stay safe!

The post The informed voter’s guide to election cyberthreats appeared first on Malwarebytes Labs.

Last year, credentials for PayPal, Facebook, and Airbnb were among the top goods on high demand in the dark web, aka the Internet’s underground market. But due to the COVID-19 outbreak, with most of the worldwide population sheltering, working, and studying indoors, many facets of life have made a full 180-degree turn—including the criminal world.

Almost everything we do is not how we used to do it before, and this is true for public and private individuals, organizations, and governments. And it’s certainly true within the dark web.

According to a recent report by Top10VPN.com, the most valuable data currently being peddled within the dark web are from services that bring about a little ease, relaxation, entertainment, and, admittedly, a little sanity for people sheltering in place.

Here are the findings

It’s no surprise to see a population on lockdown spending more time online than they normally would. And with nothing more important to do than keeping the house tidy, many have been busy binging on TV shows and movies, getting groceries delivered, and investing in mental health or learning something new. Because of this shift, data on these accounts fetches a high price tag on the dark web.

Data related to 72 percent of entries in the above table are noted as “New Item,” which means that they were never traded last year, and yet, they command the highest price tags in the underground market today. This not only gives us an idea of how profound the shift is in the dark web, but also solidifies what we already know: cybercriminals follow the money. And if these sources happen to be low hanging fruits, even better.

Other data types continue to be on high demand during the pandemic. Below is a shortened list of items for sale on the dark web and how much they are worth on average.

More data on the dark web

• Whether the world is in the middle of a pandemic or not, details related to plastic cards, such as debit and credit cards, and banking credentials remain sought after commodities. It is, after all, practically effortless to pull off a heist when you use someone’s stolen credentials to open their account and empty it.
• Underground vendors were also seen selling a fraud bundle, which comprises of hacked debit card data, cryptocurrency accounts, and SIM cards. This allows criminal buyers to SIM jack accounts and syphon money to crypto accounts. Such a bundle is sold for the maximum price of $4,600.
• Fraudsters kept their eyes on SMBs and consumers as they continue to sell details for Cash App (at $47) and Venmo ($14).
• The price of hacked Verizon accounts ($102.50) is noted to have increased ten-fold as they are now being bundled to include customers’ personally identifiable information (PII), such as social security numbers (SSNs) and dates of birth. Not only can buyers use these accounts for personal use, they can use real-world data about someone to pose as them or create new, synthetic identities.
• The lack of air travel during the pandemic had forced some people to settle for the next best thing to a vacation: a staycation. And Airbnb offers the perfect service for this. Airbnb accounts are now more prized than ever. Now valuing $13.50, these accounts can be used to create fake listings or as part of a bigger phishing campaign.
• Hacked accounts from health and wellness services like Peloton, Headspace, and Fitbit (all sold for $7) are used for identity theft and potential house burglary using GPS location data.
• It’s interesting to note that Facebook continues to be the social media platform of choice for cybercriminals. With hacked accounts now valued at $7.79, the platform is still a potent avenue to find and reach targets for various social engineering campaigns. It’s likely that its value will increase as election day draws near.
• Scammers love entertainment services as much as we do, so it’s no surprise for them to start asking for stolen accounts for Netflix (sold at $6), Disney+ (sold at $7), YouTube Premium (sold at $7.50), and Spotify (sold at $3.50).
• Hacked student emails (sold at $6) are hot, presumably because of the “.edu” domain that goes with it. For a targeted campaign, this would be more useful as it brings legitimacy to the content of the email and the purported sender.
• Perhaps what the security community should keep an eye out for are accounts related to new content platforms, OnlyFans (sold at $16) and MasterClass (sold at $6). It is still unclear why such accounts are in high demand and how they are used to commit crime.

Some points to ponder

Because there is an abundance of new hacked data being peddled in the underground, one might wonder if this is just because of the pandemic, and that such goods would eventually decrease their value—if not kill the market entirely—once a vaccine is found and life goes back to normal. So, we asked Simon Migliano, Head of Research at Top10VPN.com, and he thought that these accounts will continue to sell.

“The reality is that even if people do stop using services such as Instacart or Peloton as they return to picking up their own groceries or going to the gym, it’s unlikely that they will completely delete their accounts when they cancel their subscriptions,” Migliano said, “This abandonment of unused accounts is an aspect of consumer behavior online commonly exploited by cybercriminals to harvest personal data.”

Migliano also asserted that, if not for the pandemic, these peddled goods would have looked quite different. “Had there not been a pandemic, we would have seen many more travel brand accounts credentials for sale, such as for Uber, Expedia and JetBlue. I would also have expected to see a much greater range of online retail beyond Amazon and big box stores like Walmart.”

Time to wise up on cybersecurity best practices

If you, dear reader, are worried about the data found for sale on the dark web or have accounts on any of these sites and services, it’s a good idea to start taking computer security hygiene seriously. If you’re not sure where to begin, here are some quick and helpful tips:

• Use a password manager. They help hold multiple strings of account passwords that our memories cannot, plus encrypt and sometimes periodically change those passwords to keep them away from prying criminal eyes. Another option is to use a hardware authentication device or a hardware security key, and there are a lot of them in the market for you to check out.
• Always have two-factor authentication (2FA) enabled on all your accounts.
• Spring clean online accounts you don’t use or rarely use. Much like what we do with the apps we install on our phones but never got around to using them until they were forgotten, we should also make it a point to check for possible accounts you own and delete them if you haven’t used them for months or years. It’s a bit of a chore, yes, but like forgotten apps, these accounts could be unlocked doors just waiting for cybercriminals to open.
• Keep an eye out for notifications of account breaches. Some of the services we use are responsible enough to let us know when something has gone wrong. But there are also services that neglect this important step. If you’re unsure whether your account for a certain service has been compromised, try visiting and sending a query to Have I Been Pwned.
• Update software on all devices you use.
• Install software that can protect you from malware and harmful sites.

Now is as good a time as any always to start making a habit of practicing effective security methods, whether you are still sheltering at home or have ventured out into the world. Equip yourself with knowledge and common sense online behaviors, and you can protect against threats from the dark web or anywhere else.

Stay safe!

The post Report: Pandemic caused significant shift in buyer appetite in the dark web appeared first on Malwarebytes Labs.

Malvertising campaigns leading to exploit kits are nowhere near as common these days. Indeed, a number of threat actors have moved on to other delivery methods instead of relying on drive-by downloads.

However, occasionally we see spikes in activity that are noticeable enough that they highlight a successful run. In late August, we started seeing a Fallout exploit kit campaign distributing the Raccoon Stealer via high-traffic adult sites. Shortly after we reported it to the ad network, the same threat actor came back again using the RIG exploit kit instead.

Then we saw possibly the largest campaign to date on top site xhamster[.]com from a malvertiser we have tracked for well over a year. This threat actor has managed to abuse practically all adult ad networks but this may be the first time they hit a top publisher.

Malvertising on popular ad network

The first malicious advertiser we observed was able to bid for ads on a number of adult sites by targeting users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US.

In this campaign, the crooks abused the popular ad network ExoClick by using different redirection pages. However, each time we were able to notify the ad network and get them shut down quickly.

The first domain they used was inteca-deco[.]com, which was setup as a web design agency but visibly a decoy page to the trained eye.

Simple server-side cloaking performs the redirect to a Fallout exploit kit landing page witch attempts to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) before dropping the Raccoon Stealer.

About 10 days later, another domain, websolvent[.]me, became active but used a different redirection technique, a 302 redirect, also known as 302 cushioning. This time we see the RIG exploit kit which also delivers Raccoon Stealer.

Beyond a common payload, those two domains are also related. A RiskIQ crawl confirms a relationship between these 2 domains where the parent host was caught doing a meta refresh redirect to the child:

Malvertising on top adult site gets maximum reach

The second malvertiser (‘malsmoke’) is one that we have tracked diligently over the past several months and whose end payload is often the Smoke Loader malware. It is by far the most daring and successful one in that it goes after larger publishers and a variety of ad networks. However, up until now we had only seen them on publishers from the adult industry that are still relatively small in scale.

In this instance, the threat actor was able to abuse the Traffic Stars ad network and place their malicious ad on xhamster[.]com, a site with just over 1.06 billion monthly visits according to SimilarWeb.com.

The gates used by this group also use a decoy site and over time they have registered domains mocking ad networks and cloud providers.

The redirection mechanism is more sophisticated than those used in other malvertising campaigns. There is some client-side fingerprinting and connectivity checks to avoid VPNs and proxies, only targeting legitimate IP addresses.

Interestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader.

Malsmoke is probably the most persistent malvertising campaigns we have seen this year. Unlike other threat actors, this group has shown that it can rapidly switch ad networks to keep their business uninterrupted.

Still using Internet Explorer?

Threat actors still leveraging exploit kits to deliver malware is one thing, but end users browsing with Internet Explorer is another. Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser.

As a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player (due to retire for good next year).

Malwarebytes customers have long been protected from malvertising and exploit kits. We continue to track and report the campaigns we run into to help do our part in keeping the Internet safer.

Indicators of compromise

Gates used in malvertising campaign pushing Raccoon Stealer

intica-deco[.]com
websolvent[.]me

Raccoon Stealer

b289155154642ba8e9b032490a20c4a2c09b925e5b85dda11fc85d377baa6a6c
f319264b36cdf0daeb6174a43aaf4a6684775e6f0fb69aaf2d7dc051a593de93

Raccoon Stealer C2s

34.105.147[.]92/gate/log.php
chinadevmonster[.]top/gate/log.php

Smoke Loader

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b

Smoke Loader C2s

dkajsdjiqwdwnfj[.]info
2831ujedkdajsdj[.]info
928eijdksasnfss[.]info
dkajsdjiqwdwnfj[.]info
2831ujedkdajsdj[.]info
928eijdksasnfss[.]info

Gates used in the malsmoke campaign

einlegesohle[.]com/indexx.php
adexhangetomatto[.]space
encelava[.]com/coexo.php
encelava[.]com/caac
uneaskie[.]com/ukexo.php
bumblizz[.]com/auexo.php
bumblizz[.]com/auflexexo.php
bumblizz[.]com/caexo.php
bumblizz[.]com/caflexexo.php
bumblizz[.]com/usexo.php
bumblizz[.]com/usflexexo.php
canadaversaliska[.]info/coflexexo.php
canadaversaliska[.]info/coflexo.php
canadaversaliska[.]info/ukflexexo.php
canadaversaliska[.]info/ukflexo.php
canadaversaliska[.]info/usflexexo.php
canadaversaliska[.]info/usflexo.php
krostaur[.]com/jpexo.php
krostaur[.]com/jpflexexo.php
krostaur[.]com/jpflexo.php
leiomity[.]com/ukexo.php
leiomity[.]com/ukflexexo.php
leiomity[.]com/usexo.php
leiomity[.]com/usflexexo.php
surdised[.]com/coexo.php
surdised[.]com/usexo.php

Tweets referencing the malsmoke campaign

https://twitter[.]com/MBThreatIntel/status/1245791188281462784
https://twitter[.]com/FaLconIntel/status/1232475345023987713
https://twitter[.]com/nao_sec/status/1231149711517634560
https://twitter[.]com/tkanalyst/status/1229794466816389120
https://twitter[.]com/nao_sec/status/1209090544711815169

The post Malvertising campaigns come back in full swing appeared first on Malwarebytes Labs.