IT NEWS

Bitcoin ATMs have experienced a severe bout of cash drain after a zero-day bug was exploited to steal a total of $1.5 million in digital currency. The ATMs, located in various convenience stores, function along the lines of regular banking ATMs except your dealings are all in the cryptocurrency realm.

As Ars Technica notes, a particular feature of the affected ATMs is the ability to upload video. It’s not mentioned what these videos are used for (presumably security cameras), but the master server interface allowing for the video uploads is where things went horribly wrong.

From the General Bytes statement regarding the March 18 incident:

The GENERAL BYTES Cloud service and other standalone servers run by operators suffered security breaches. We noticed the first signs of a break-in on Friday night, right after midnight on Saturday, 18 March (UTC+1). We notified customers to shut down their CAS servers as soon as possible. The attacker could upload his java application remotely via the master service interface used by terminals to upload videos and run it using BATM user privileges. As a result, the attacker could send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch. The patch was released within 15 hours.

To make use of the exploit, the attacker uploaded a custom made application to the ATM application server used by the administration interface. In a nod to the evergreen security tip “Don’t allow things to autorun if you don’t need them to”, the application server allowed applications to start by default.

With this in place, the attacker was able to perform the below:

• Ability to access the database.
• Ability to read and decrypt API keys to access funds in hot wallets and exchanges.
• Send funds from hot wallets.
• Download user names and their password hashes, and turn off 2FA.
• Ability to access terminal event logs, which can include private keys at the ATM.

56 bitcoins are currently worth a cool $1.5 million. It is very unlikely all of the stolen coins belonged to one person, but this is scant consolation for anyone affected. For now, General Bytes is collecting information on everyone affected to “validate losses”. It remains to be seen if anyone is able to recover their funds, but losing money in any cryptocurrency scenario is always a very risky business because  they are generally, by design, unable to roll back fraudulent transactions.

Interestingly, the affected company has a call to any security companies and individuals who feel they can assist in making the product safer.

Keeping your hot wallet safe

Your cryptocurrency wallet type is an article all to its own, but in most cases you’re going to have a wallet which is hot or cold. A cold wallet is not connected to the Internet and is therefore the safest possible choice. A hot wallet comes with some form of connectivity built in, which is much more convenient. You’re able to send funds, for example, and engage with cryptocurrency exchanges. In this case, the compromised wallets are considered to be hot. Without this functionality, the ATM would be rather useless for the user’s needs.

You can’t prepare for every eventuality. If an exchange (or, in this case, a connected ATM) is compromised then your funds could still vanish no matter what security plans you have in place. Even so, here’s what you can do from your end to keep things secure.

• Enable two-factor authentication. If it’s available for your flavour of wallet, then make sure to turn it on. Hardware keys are safest, then authenticator apps, and lastly SMS.
• Keep your recovery passphrase safe. Never hand over your recovery phrase to any site or individual, this is a common scam deployed by phishers.
• Be sceptical of airdrops. This is another way to entice potential victims with phishing tactics. As per the above, asking for your recovery phrase is the ultimate aim.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

We’ve warned about the possible dangers arising from plugging in unknown USB sticks before, but the dangers we’re concerned with are normally confined to your data.

However, this week we learned a far more serious threat. No fewer than five different news agencies in Ecuador were sent parcels containing a USB stick. In the one instance where a stick was plugged into a PC by a journalist, the device exploded, injuring a presenter in the news room. At least one of the devices had been loaded with a “military type explosive“.

Law enforcement is currently investigating, but for now we have to hope that no additional devices were sent out, just waiting to be inserted into a PC. While this scenario is almost guaranteed to be one that you will not face, that doesn’t mean there aren’t USB stick related perils out there in the wild.

A sticky malware threat

Malware authors are big fans of sending out infected USB sticks to potential victims. Just last year, slick looking Microsoft boxes supposedly containing Office 365 loaded onto USB sticks were sent out by tech support scammers. When inserted into a PC, a phone number would appear and callers would find themselves asked to install remote access tools on their devices. Elsewhere, infected USB Sticks came bearing the gift of ransomware.

USB sticks are also easy to lose: Sometimes people find them lying around in the street, full of potentially sensitive data, as opposed some kind of horrible malware.

Our willingness to insert sticks into computers is helped along by USB sticks being a commonplace giveaway at events, conferences, and even a staple of certain performance art pieces. If you have children, your school may well hand out digital copies of school photographs on USB sticks. Many people will insert those sticks into their computer without a second thought because they’re from a trusted source, the school. Even so, the stick is actually from a totally unrelated third party photographer. Can we guarantee that the photographer is following safety rules, if they even exist?

We never really know for sure, and that can be a problem. However, there are a few things you can do to help keep yourself safe from USB harm.

Tips for USB security

• Don’t autorun files. If Autorun is enabled on your device, it’s time to consider turning it off.
• Restrict access. If people in your workplace don’t need to use USB sticks, turn off USB access on their devices and block the USB ports.
• Occasional access. For times when someone needs to use a USB stick, consider using those sticks on a non-networked PC running a virtual machine.
• Fire up those security tools. Always scan the contents of a USB stick. Your Endpoint Detection and Response should be equipped to deal with USB threats.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

New gadgets and software come with new bugs, especially if they’re rushed. We can see this very clearly in the race between tech giants to push large language models (LLMs) like ChatGPT and its competitors out the door. In the most recently revealed LLM bug, ChatGPT allowed some users to see the titles of other users’ conversations.

LLMs are huge deep-neural-networks, which are trained on the input of billions of pages of written material.

In the words of ChatGPT itself:

“The training process involves exposing the model to vast amounts of text data, such as books, articles, and websites. During training, the model adjusts its internal parameters to minimize the difference between the text it generates and the text in the training data. This allows the model to learn patterns and relationships in language, and to generate new text that is similar in style and content to the text it was trained on.”

We have written before about tricking LLMs in to behaving in ways they aren’t supposed to. We call that jailbreaking. And I’d say that’s fine. It’s all part of what could be seen as a beta-testing phase for these complex new tools. And as long as we report the ways in which we are able to exceed the limitations of the model and give the developers a chance to tighten things up, we’re working together to make the models better.

But, when a model spills information about other users we stumble into an area that should have been sealed off already.

To understand better what has happened, it is necessary to have some basic working knowledge about how these models work. To improve the quality of the responses they get, users can organize the conversations they have with the LLM into a type of thread, so that the model, and the user, can look back and see what ground they have covered and what they are working on.

With ChatGPT, each conversation with the chatbot is stored in the user’s chat history bar where it can be revisited later. This gives the user an opportunity to work on several subjects and keep them organized and separate.

Showing this history to other users would, at the very least, be annoying and unacceptable, because it could be embarrassing or even give away sensitive information.

Nevertheless, this is exactly what happened. At some point, users started noticing items in their history that weren’t their own.

Although OpenAI reassured users that others could not access the actual chats, users were understandably worried about their privacy.

According to an OpenAI spokesperson on Reddit the underlying bug was in an open source library.

OpenAI CEO Sam Altman said the company feels “awful”, but the “significant” error has now been fixed.

Things to remember

Giant, interactive LLMs like ChatGPT are still in the early stages of development and, despite what some want us to believe, they are neither the answer to everything nor the end of the world. At this point they are just very limited search engines that rephrase what they found about the subject you asked about, unlike an “old-fashioned” search engine that shows you possible sources of information and you can decide which ones are trustworthy and which ones aren’t.

When you are using any of the LLMs, remind yourself that they are still very much in a testing phase. Which means:

• Do not feed it private or sensitive information about yourself or your employer. Other leaks are likely and may be even more embarrassing.
• Take the results with more than just a grain of salt. Because the models don’t provide sources of information, you can’t know where it’s ideas came from.
• Make yourself familiar with the LLM’s limitations. It helps to understand how up to date the information it uses is and the subjects it can’t converse freely about.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Tax season is upon us and, as with every year, we’re seeing tax scammers rearing their heads.

Below, we have an example of a tax scam currently in circulation along with some suggestions for avoiding these kinds of attacks.

An IRS W-9 tax form scam

A Form W-9 is a form you fill in to confirm certain personal details with the IRS. Name, address, and Tax Identification Number are all things you can expect to fill in on one of these forms.

In this case, the Form W-9 is being used as a lure for people to download something sinister. Our Senior Director of Threat Intelligence, Jerome Segura, found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. The email, which contains an attachment and very little text, looks like this:

The rather short message reads as follows:

Let me know if you would like a hard copy mailed as well.

Respectifully [SIC]

Barbara LaCosta

Inspector

Department of Treasure

The attachment, W-9 form.zip, is 709 KB in size.

Opening the attachment up reveals a Word document called W-9 form.doc

This file’s size is 548,164 KB (548 MB), which is very suspicious. You won’t find many genuine Word documents weighing in at 500MB or more. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background. Malware authors are artificially pumping up the size of the document in order to try and fool or break security tools. This is because the large file size may prove too difficult for the tools to get a handle on and properly analyse.

Opening the document quickly becomes a game of Macro-related risk. Macros, used to automate aspects of your documents, are a tried and tested way of infecting a PC with malware. This is why you’ll almost always see a message saying that Macros are disabled when opening a downloaded document.

Malware authors know this, and will do everything in their power to make you enable them. This is no exception. When opening W-9 form.doc, you’ll see the following message:

This document is protected
Previewing is not available for protected documents. You have to press “enable editing” and “enable content” buttons to preview this document.

Enabling this will result in Emotet being downloaded onto the system.

Emotet has been around since 2014. Originally created as a banking trojan, later versions added malware delivery and spam services. Mostly featuring in email spam campaigns, a big focus of fake mails helping to deliver the infection include subjects like parcel shipping, invoices, and other forms of payment.

In fact, Emotet features as one of the top five cyberthreats businesses face in our 2023 State of Malware report. Flagged by Europol as “The world’s most dangerous malware”, law enforcement has never quite been able to shut it down permanently despite its entire global infrastructure being taken offline in 2021. Emotet’s ability to push additional forms of malware onto target systems including threats like TrickBot, IcedID, and Conti ransomware make it a formidable proposition for any security team to handle.

Avoiding tax scams

Here are some of the ways you can outsmart tax fraudsters and keep one step ahead of the phishing, malware, and social engineering attacks which come around every year during tax season.

• File early. One of the quickest ways to stumble into a trap is to leave filing your tax return until the last minute. That added pressure can mean responding to fake mails you otherwise would have ignored.
• Be careful around suspicious refunds. Tax agencies have a proper process for issuing refunds, found on their websites. Some, like HMRC, are very clear that refunds are never issued by email. If in doubt, phone the tax office directly and ask if what you have is the real deal or a fake.
• Beware of fake bank portals. Some tax scams will ask you who you bank with, and then open up a phishing page for that bank. Always navigate directly to your banking website, click throughs and redirects typically spell danger.
• Avoid the pressure pitch. Tax scammers like to hurry you along to data theft and malware installs. Claims of only having 24 or 48 hours to file for a refund should be treated with skepticism. As with most solutions for these forms of social engineering, contact the tax entity directly.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

On March 15, 2023 US law enforcement arrested a man from New York who was accused of being the administrator of BreachForums, a well-known and probably the largest Dark Web marketplace for stolen data to be leaked and sold.

At first, a new administrator rose to the occasion and said they were working on a plan to get the forum through the problems caused by that arrest. But on Tuesday March 21, 2023 this new administrator announced the decision to shut BreachForums down.

BreachForums was set up by the arrested administrator working under the handle “Pompompurin” after the FBI seized RaidForums in 2022. On his arrest, 21-year-old Conor Brian Fitzpatrick allegedly confessed he used the alias Pompompurin  and that he was the owner and administrator of BreachForums. Fitzpatrick has been charged with a single count of conspiracy to commit access device fraud.

Since Pompompurin not only headed up BreachForums but has also allegedly been involved in some major breaches himself, more charges may follow. For example, Pompompurin was linked to the 2022 breach of the FBI’s InfraGard network and he took credit for sending out thousands of fake emails about a cybercrime investigation by abusing a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP).

Another forum administrator going by the account name “Baphomet” said they were working through an emergency plan for the forum after the arrest of Fitzpatrick. After taking ownership of the forum Baphomet announced an impending migration to a new infrastructure.

But after Baphomet noticed someone logged in on one of the old servers after the arrest of Fitzpatrick, they said they had serious misgivings about the forums being compromised. The server, which was left unchanged, should only be accessible from Fitzpatrick’s machine.

A statement signed by Baphomet says:

“Any servers we use are never shared with anyone else, so someone would have to know the credentials to that server to be able to login. I now feel like I’m put into a position where nothing can be assumed safe, whether it’s our configs, source code, or information about our users the list is endless. This means that I can’t confirm the forum is safe, which has been a major goal from the start of this sh*tshow.”

There is unfortunately absolutely no reason to assume that your stolen data is now suddenly safe. There are plenty of other forums, and Baphomet talked about plans to revive BreachForums with the help of competitor forum admins and various service operators. Besides that, we have already noticed a shift from the use of forums to Telegram channels that serve the same illicit purposes.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Threat actors often compete for the same resources, and this couldn’t be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once.

In the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website. Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn’t seem to be documented yet.

In fact, we saw instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice. In this blog post, we show how the newly found Kritec skimmer was found along side one of its competitors.

Original campaign using WebSockets

Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada’s largest liquor store (LCBO). While details were not shared at the time, we were able to determine thanks to an archived crawl on urlscan.io that the skimmer was using WebSockets and is the same one as described in Akamai’s blog. 

Kritec campaign

Akamai notes that they identified multiple compromised websites that had similarities. They also list nebiltech[.]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script, but not within it.

We believe this is a different campaign and threat actor altogether. Here are some reasons why:

• No WebSocket being used
• Domains abusing Cloudflare
• Intermediary loader
• Completely different skimming code

To complicate things, we observed some stores that had both skimmers at the same time, which is another reason why we believe they are not related:

We started calling this new skimmer ‘Kritec’ after one of its domain names. It has an interesting way of loading the malicious JavaScript we had not seen before either. The injected code calls out a first domain (seen above encoded in Base64) and generates a Base64 response:

Decoding it reveals a URL pointing to the actual skimming code, which is heavily obfuscated (likely via obfuscator.io):

The data exfiltration is also done differently as seen in the image below. On the left, the stolen credit card data is sent via a WebSocket skimmer while on the right, it is a POST request:

Google Tag Manager variants

In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another. We mentioned Akamai’s blog but it was also documented by Recorded Future. In those instances, the malicious was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.

While the Kritec skimmer hangs around the Google Tag Manager script, we believe it is not related to the other active campaigns. We have been documenting it recently and are reporting the abuse to Cloudflare which it uses to hide its real infrastructure.

Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

Indicators of Compromise

Most of us have a camera on us at all times, and so photo taking and image sharing has become almost ubiquitous. But when sharing an image, you want to have control over what you share. And that might lead you to crop images, or redact parts of them.

Maybe you cropped out a person that didn’t want their photo online, maybe you put a black mark across your address, or credit card number, or other personal information. You edited it out for a reason, but now it seems as though the original image might still be available for others to view.

Researchers have published a proof-of-concept (PoC) for a vulnerability in Google Pixel’s in-built editing tool Markup. The vulnerability allows anyone with access to the edited image to recover parts of the original, unedited, file.

Testing has shown that Microsoft’s image-snipping tools in both Windows 10 and 11 have a very similar vulnerability.

Markup is a built-in tool which was released with Android 9 Pie in 2018. It can be found on Pixel phones and its main purpose is to edit (crop, add text, draw, and highlight) screenshots.

Due to the vulnerability, known as aCropalypse (CVE-2023-21036), it is possible to, partially, retrieve the original image data of a cropped and/or edited image.

Not every image at direct risk of exposing sensitive information, but many of them will be. The problem is that the Markup tool passes the wrong argument to the parseMode() function. The consequence is that the “old” image does not get truncated and lives on in the redacted image. Simply put, if the altered image has a smaller file size than the original, the information about the original can be retrieved from the last part of the data which did not get overwritten.

So, cropped images are very likely to reveal information about the original file, because the main reason to crop them is often to decrease the image size. But also images where you redacted a part of the image with a marker may be recoverable. In the example below you will see an uploaded image of a credit card with the number masked, next is the image after downloading, and last is the image after going through the recovery tool. The 16 digit number is now visible again.

You can try the exploit for Markup yourself by uploading your own images to this online demonstration provided by the aCropalypse researchers. The demonstration tool only works for images edited with Markup, since the exploit script that works for images edited with Microsoft’s snipping tools is slightly different, according to one of the researchers.

What to do

Unfortunately, there is no way to change the way in which previously redacted images will behave. So if you know of some images that you have posted that could reveal anything you’d rather keep a secret, then you’ll have to find them and delete them. This is a daunting task, since there may be more backups of that image than you would care to imagine. For example, internet archives, backups, all types of caches, and downloads.

Before you go on a wild goose chase, it may be handy to know that you don’t have to worry about some images:

• Most social media platforms recompress uploaded files, so anyone downloading your screenshots from Twitter will not get the exact same file you uploaded. So those can be left alone. But Discord, as shown in the example, and other messaging apps will give back the exact same file that was uploaded.
• If the redacted information is in the upper section of the image (roughly the top fifth of the image) the original part has probably been overwritten and can’t be recovered.
• The vulnerability the researchers found only affected the screenshot editor Markup. But as it turns out, other tools may have similar flaws.
• The exploit only works for PNG files, but a similar vulnerability may exist in JPG files. Basically, if you crop an image and the file size of the saved result is the same as the original, your tool of choice might not be deleting the old image data.

For future images, you can install the March 2023 Google Pixel Update. We encourage you to check your Android version to make sure you are on the latest software. The vulnerability in Microsoft’s tools has not been fully worked out yet, and so for the moment all we know is that somehow the original data can be retrieved. A patch will be forthcoming in the probably not so distant future.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Threat actors are notorious for trying to hide their code in various ways, from binary packers to obfuscators. On their own, these tools are not always malicious as they can also be be used by companies or individuals who wish to keep their work safe from piracy, but overall they tend to be largely abused.

In the case of credit card skimmers in client-side attacks, obfuscators are a common occurrence as they can make code identification more difficult. Defenders typically have the choice to either rely on the browser’s debugger and step through the code, or can statically try to reverse it. The latter tends to be quite time consuming, but the former can often problematic if the malware author adds anti-debugging routines.

Today, we look at a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator. During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.

Initial injection on e-commerce sites

The attack relies on 2 steps: the first one is code injected inside the website’s source that calls out a remote URL. That URL in turn, loads the skimmer within the payment checkout process.

We notice a large blurb of code that contains some static elements and others that are uniquely generated. The ‘eval‘ portion of the code is a clear giveaway that the random looking string is being processed dynamically to return some instructions.

The function (h,u,n,t,e,r) helps us to identify that this obfuscator is called Hunter and available on GitHub. To decode the obfuscated string, we can simply write out the content of eval and we obtain a single line of JavaScript pointing to a URL.

This URL contains code that has been obfuscated with Hunter once again. This time, once we deobfuscate it, we see what appears to be HTML code with forms referring to credit card fields. This is the actual skimmer.

Skimmer at checkout page

When a victim who’s shopping at a compromised online store goes to check out, there will be additional fields injected in the contact form that aren’t normally there. Below is the legitimate checkout page of a store without the skimmer being loaded:

We can see that the payment process is on the bottom right hand side. In contrast, this is what the same page looks like when the skimmer is loaded:

Additional fields were inserted between the shopper’s email address and name. In this case, the threat actor didn’t do a very good job because the fields are in English while the rest is in Spanish.

The credit card data to be stolen is encoded, then stored inside a cookie and subsequently exfiltrated via a POST request.

Infrastructure

The skimmer domains registered with Porkbun all appear to be hosted on the same server at 193.201.9.116 (ASN49505):

We can get any of the currently still resolving domains to show their own version of the skimmer code by crafting a GET request with the proper referer:

The Hunter obfuscator is handy but quite easy to reverse and as such provides minimal stealth capabilities. Based on the skimmer code, this is not a very sophisticated attack probably limited to less than a hundred stores. However, this was the first time we encountered a Magecart skimmer using this kind of obfuscation and most endpoint security products are not detecting the client-side JavaScript.

Malwarebytes customers are shielded against this campaign via our web protection in End Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

Indicators of Compromise

The National Basketball Association (NBA) has notified its fans they may be affected by a data breach in a third-party service the organization uses.

For now, it is safe to assume that the attacker only obtained names and email addresses, but the NBA has hired the services of external cybersecurity experts to analyze the scope of the impact.

The NBA is a global sports and media organization most famous for its annual mens basketball league in the USA. The organization is actually built around five professional sports leagues: the NBA, WNBA, NBA G League, NBA 2K League and Basketball Africa League.

The NBA sent out emails to a number of its followers noting that while names and email addresses have been compromised, no other personally identifiable information was breached.

According to BleepingComputer the email read:

We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA.

The email also warned about possible phishing attempts appearing to come from organizations associated with the NBA or basketball in general. It urges fans to treat any links and attachments, even if they appear to come from a legitimate @nba.com email address, with extra caution.

We know that newsletter services are high on the target list of cybercriminals. In January of 2023, Mailchimp fell victim for the second time in a year to a social engineering attack. Getting your hands on a list of email addresses that share a common interest is a golden opportunity for scammers.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The creator of a Remote Access Trojan (RAT), responsible for compromising more than 10,000 computers, has been arrested by law enforcement in Ukraine.

At the time of the arrest, the developer still had real-time access to 600 PCs. According to the announcement, the RAT could tell infected devices to:

• Download and upload files
• Install and uninstall programs
• Take screenshots
• Capture sound from microphones
• Capture video from cameras

Once data was harvested by the RAT, some of it was put to further use: Account theft and withdrawal of electronic funds contained in compromised balances are both mentioned in the police release.

Unfortunately, the release makes no mention as to how the file was distributed other than as “applications for computer games”. Bleeping Computer suggests that the campaign resembles malware distribution involving bogus YouTube videos promoting game cheats and modifications.

With this in mind, what can you do to try and avoid rogue files such as these?

Steering clear of bogus applications

Be careful of YouTube promotions. Avoid downloading newly advertised apps via sites such as YouTube. Genuine files are distributed in one of a handful of generally trusted locations, and not a video clip sharing platform. Anyone can upload a YouTube video and claim that it links to a genuine file. If the download is located on free file hosting services, that’s a good sign to steer clear too.

Be wary of sponsored search engine results. Anything at all can be lurking in paid-for links sitting at the top of your search results. Imitation sites are a huge problem, not just for fake gaming mods and applications but all manner of other software too. Those sites may direct you to fake adverts, survey scams, or even rogue installers filled with malware. Games and other popular forms of software are prime targets for these kinds of attacks.

Stick to trusted sources. If it’s a PC gaming mod you’re after, you’ll likely obtain it from the Steam Workshop page associated with the game’s Steam page. Otherwise, it’ll be located on Nexus Mods which performs some degree of virus checking and has a large community which quickly flags rogue files.

Scan your files. It’s always worth taking a few moments to see if anything bad is lurking in a download with the assistance of your trusted security tools. Many game related infections often make use of older, identifiable components so the odds are in your favour.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW