IT NEWS

Epic Games introduces safer accounts for kids

Epic have made some alterations to how accounts for kids work, with multiple features disabled for what are now known as “Cabined Accounts”.

If your children are big fans of Epic games like Fortnite and Rocket League, you may well have worried about their gaming interactions with other players at some point. There are many risks from voice chat, text chat, random downloads from external sources, trading and much more. Scammers will happily target younger gamers, hoping their naivety will leave them vulnerable to bad passwords, password reuse, social engineering tricks, or the promise of free gifts and rewards.

Games consoles have some incredibly granular controls for child safety, and you can almost always guarantee that there’s a setting just right for your needs on PS4/5 or Xbox. Where PCs are concerned, that has not always been the case.

Into the gaming cabin

If someone signs up for an Epic account and they’ve indicated that they’re under 13 years of age—to the cabin they go. The account will remain this way until the child hits 13 or reaches the “age of digital consent” in their region. These are the features you can expect to have turned off with a cabined account:

  • Communicating with other players using voice chat or free text chat
  • Purchasing items with money
  • Downloading games that are not owned by Epic
  • Recommendations based on past activity
  • Email marketing or push notifications
  • Trades in Rocket League
  • Sign in with Epic, including linking accounts to certain external services, such as social media websites or video streaming applications
  • Custom display names
  • SMS-based two-factor authentication (2FA)

As you may have noticed, it’s a combination of external factors (random people sending your child not very nice messages) and Epic’s own internal features and functionality (recommendations of games, email marketing, in-game trading).

If your child had some sort of monthly subscription, it’s now cancelled and will remain that way until the parent gives permission. Was their Epic account linked to social media services, but now isn’t? Same deal. Did they enjoy the news / forum / marketplace tab inside the Epic game launcher? You’ll never guess what’s happened there too!

With all of these options and features, parental permission is now key. The child now has to navigate to the “Request Parental Permission” tab inside the Epic account portal. This will enable the child to have an email sent to the parent regarding consent and what steps to take next.

Restrictions, restrictions

You may think these accounts are severely restricted in comparison to regular accounts, and you’d be right. In most cases, someone under the age of 13 probably doesn’t need to be making trades with strangers, or talking to random people in game sessions. If the account is on a monthly subscription of some sort, the person paying is almost certainly the parent or guardian in any case, so this is just making the whole process a little more formal.

As has been noted, children can and will lie about their age when signing up to a product or service. For the moment, all pre-existing accounts have been snatched up and dropped into the cabin.

I am who I say I am

Could other aspects of the sign up process for a new account potentially be abused too? Perhaps, but it seems like it’d be tricky for a youngster to get around the current process. Sure, they could enter a fake email under their own control and pretend to be their own parent. However, look at the process they’d need to bypass:

When entering your age as being lower than 13 at sign up, the Epic site displays the following message:

Enter a parent or guardian email address

Some features are unavailable until your parent or guardian gives you permission to use them. We’ll send them an email to let them know about your account and how to give you permission.

“Well, that won’t stop me from entering a fake parent email address”, a child might think. Sadly for the child, everyone involved in the process has already thought of this and inserted some verification into the mix. Depending on country, the parent or guardian will need to come up with at least one of the below:

  • Credit or Debit Card (available globally)
  • Social Security Number (available only in the US)
  • CPF Number (available only in Brazil)
  • CURP (available only in Mexico)
  • ID Scan (available outside the US and South Korea)
  • Face Scan (available outside the US and South Korea)

If none of the verification methods work, support can be asked for an alternative solution.

A little bit safer in gaming land

The registered adult can enable most of the “cabined” features, and also possesses the ability to revoke or even delete the child’s account outright. While none of this is guaranteed to keep children from potential harm when playing games online, it’s one of the more comprehensive attempts in PC gaming land. While modern generation consoles retain the crown for walled garden customised child safety controls, it’s nice to see PC platforms moving in the same direction.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update now! NetGear routers’ default configuration allows remote attacks

NetGear has made a hotfix available for its Nighthawk routers after researchers found that a network misconfiguration in the firmware allowed unrestricted communication with the internet-facing ports of the device listening over IPv6.

No auto-update

The hotfix is available for the model RAX30, also known as the Nighthawk AX5 5-Stream AX2400 WiFi 6 Router.


The NetGear Nighthawk RAX 30 (image courtesy of NetGear)

To update your router’s firmware, follow the instructions in your router’s user manual, which can be found online.

It is important to note that having “check for updates” or even the auto-update option enabled is not sufficient to get this hotfix. It needs to be downloaded manually and applied by following the instructions.

It is unknown at this point what other security vulnerabilities were fixed in this hotfix, or in the newer 1.0.9.92 hotfix, which also addresses security vulnerabilities.

Popular

The researchers found the bug while looking to enter Pwn2Own Toronto. The NetGear Nighthawk RAX30 is a popular model for home users and small businesses, which is one of the reasons why it was selected as a target for the Pwn2Own contest. Contestants set out to find previously unknown vulnerabilities in widely used software and mobile devices.

NetGear frustrated a lot of participants by issuing the 1.0.9.90 hotfix one day before the registration deadline for Pwn2Own. The patch invalidated the submission of this vulnerability and, it seems, some others as well.

The vulnerability

The vulnerability found by the researchers, and patched just before the deadline, allowed unrestricted communication with any services listening via IPv6 on the WAN (internet-facing) port of the device, including SSH and Telnet operating on ports 22 and 23 respectively.

Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.

Secure Shell (SSH) is a network communication protocol that enables two computers to communicate and share data.

Although the researchers shared no further details about the attack chain that was crippled by the patch, having Telnet and SSH reachable from the internet makes it very likely they could have reconfigured the router, stolen data, or at least put it out of service.

Stay safe, everyone!



Rackspace confirms it suffered a ransomware attack

It’s not been a great week for cloud computing service provider Rackspace.

On December 2, customers began experiencing problems connecting and logging into their Exchange environments. Rackspace started investigating and discovered an issue that affected its Hosted Exchange environments. 

Now Rackspace has announced it was actually a ransomware incident that caused the service disruptions.

While the investigation is ongoing, there are no details known about which ransomware is at play or how the threat actor gained initial access. In a press release Rackspace said that the incident was isolated to its Hosted Exchange business. Rackspace has not shown up on any of the known leak sites that ransomware groups use to apply extra pressure on their victims, but this could also be due to the fact that there are ongoing negotiations.

Hosted Exchange

Rackspace’s Hosted Exchange customers are mostly small to medium-sized businesses that don’t have the need or the staff to run a dedicated on-premises Exchange server. The outage still affects all services in its Hosted Exchange environment, including MAPI/RPC, POP, IMAP, SMTP, and ActiveSync, as well as the Outlook Web Access (OWA) interface that provides access to online email management.

Workaround

Rackspace said it will help affected customers implement a temporary forwarding while the disruption is ongoing:

“As a temporary solution while you set up Microsoft 365, it is possible to also implement a forwarding option that will allow mail destined for a Hosted Exchange user to be routed to an external email address. Please log in to your customer account for a ticket with instructions to request this option. Customers should reply to the ticket to request the forwarding rule be put into place for each of their users.”

Impact

In an 8-K SEC filing Rackspace states that it expects a loss of revenue due to the ransomware attack’s impact on its $30 million Hosted Exchange business. An 8-K form is required to report any events concerning a company that could be of importance to the shareholders of that company or the Securities and Exchange Commission (SEC).

The attack vector

One possible attack vector was pointed out by security researcher Kevin Beaumont. It might be due to exploitation of the Microsoft Exchange vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, known as ProxyNotShell.

Beaumont found a Rackspace Exchange server cluster—currently offline—was running a build number from August 2022 a few days prior to the incident disclosure. Since the ProxyNotShell vulnerabilities were only fixed in November, it’s possible that threat actors exploited the flaws to breach Rackspace servers.

One important conclusion Beaumont notes in his post is:

“For a managed service provider (MSP) running a shared cluster, such as Hosted Exchange, it means that one compromised account of one customer will compromise the entire hosted cluster.”

This is what may have happened at Rackspace. Don’t let it happen to you.



Apple’s AirTag stalker safeguards are “woefully inadequate,” alleges lawsuit

Two women filed a proposed class-action lawsuit on Monday, December 5, in the United States District Court for the Northern District of California against Apple, the makers of AirTags.

AirTags are small Bluetooth-enabled devices designed to track personal belongings. The suit accuses the company of failing to introduce measures to combat abuse of the technology, as stalkers have used and continue to use AirTags to track people. Both plaintiffs claimed their ex-partners did just that.

Lauren Hughes, one of the plaintiffs, learned she was being tracked in August 2021 after ending a three-month relationship. According to The New York Times, Hughes’s stalker sent her threatening voicemails and made abusive posts on social media. She moved to a hotel after receiving plants from her stalker at her doorstep.

At the hotel, she received an iPhone notification that an unknown AirTag had been traveling with her. Eventually, Hughes found it in the wheel well of her car tire, colored with a Sharpie marker and wrapped in a plastic bag to disguise it. Discovering the AirTag “terrified” her. 

Hughes then found a new home, but months later, her stalker shared a picture of a taco truck in her new neighborhood, captioned with a winky emoji and the text “#airt2.0”, the suit said. This, the suit alleges, showed the stalker’s continued use of the AirTag to track Hughes.

“Ms. Hughes continues to fear for her safety—at minimum, her stalker has evidenced a commitment to continuing to use AirTags to track, harass, and threaten her, and continues to use AirTags to find her location,” the suit said.

The second plaintiff, referred to as Jane Doe in the court papers, alleged that her ex-husband was stalking her when she found an AirTag planted in her child’s backpack. She got rid of it, but it was replaced with another.

“In the wake of a contentious divorce, she found her former spouse harassing her, challenging her about where she went and when, particularly when she was with the couple’s child,” the suit said.

Apple introduced the AirTag in April 2021, with executives and publicists actively portraying the AirTag as a “harmless—indeed ‘stalker-proof’—product”, the suit said. It’s been a controversial product since its release and has raised concerns among privacy advocates and law enforcement that it could be misused to track people. And, true enough, AirTags have been used in stalking incidents, even murder, and theft of luxury cars.

In a blog post in February, Apple said it would add more safeguards to AirTags to curb unwanted tracking. Apple said it has been working with law enforcement to update the device’s safety warnings, such as providing a privacy warning when using AirTags for the first time.

An Apple spokesperson also pointed to the February blog post about the company’s stance on unwanted tracking:

“AirTag was designed to help people locate their personal belongings, not to track people or another person’s property, and we condemn in the strongest possible terms any malicious use of our products. Unwanted tracking has long been a societal problem, and we took this concern seriously in the design of AirTag.”

The suit, however, alleges that Apple’s safeguards were “woefully inadequate, and do little, if anything, to promptly warn individuals if they are being tracked.”

Hughes and Doe are seeking a jury trial with no monetary damages.



5 SaaS security best practices

Just about anywhere you look, organizations are relying on Software-as-a-Service (SaaS) apps like Dropbox and Hubspot to help power their businesses. With more SaaS apps, however, comes increased security risks.

While SaaS is without a doubt the easiest and most accessible way for businesses to reap the benefits of the cloud, these services are delivered online—which can make it easier for data leaks to happen or for threat actors to get hold of sensitive data. In fact, 43 percent of organizations have dealt with one or more security incidents caused by a SaaS misconfiguration.

You might be asking yourself though: Doesn’t my cloud provider take care of security for me? Well, yes and no.

Your cloud provider will protect your cloud infrastructure in some areas, but under the shared responsibility model, your business is responsible for handling things such as identity and access management, endpoint security, data encryption, and so on. 

The good news is that there’s a set of SaaS security best practices to help keep your business from becoming another statistic. 

Whether your business uses Office 365, Salesforce, Google Drive, or another SaaS app, this blog will help guide your journey to SaaS security with five best practices.

1. Manage SaaS sprawl 

You might be surprised to find that our journey into SaaS security begins not with an answer, but with a question: are you suffering from SaaS sprawl? 

SaaS sprawl is a situation where a business is bloated with so many different (and even duplicate) SaaS apps that IT can no longer manage them effectively. 

Most departments now have 40 – 60 SaaS tools each, with 200+ apps at the company level—and for small businesses, only 32 percent of these apps are IT-approved. Not only does SaaS sprawl waste money, but it has security risks as well. 

For one, SaaS sprawl makes it harder for IT and security teams to ensure compliance or identify security risks that expose sensitive data. Admins just don’t have the time (or the visibility) to individually check and update potential issues for each app. 

Another issue is that SaaS sprawl and “shadow IT” (i.e. SaaS apps that have bypassed IT’s typical vetting procedures) are closely related—the more shadow IT, the worse the SaaS sprawl. As if trying to manage a ton of authorized SaaS apps wasn’t enough, IT teams don’t even know about the unauthorized ones—and they definitely can’t fix what they can’t see!

All of this is to say: tackling SaaS sprawl before anything else will make it easier for you to get into the more granular aspects of SaaS security. Some best practices to manage SaaS sprawl include:

  • Discover all apps: Regularly audit all SaaS apps being used across the business, IT-approved or not.

  • Create a vetting process: Have a consistent method to audit app requests for security, compliance, and other details.

  • Educate employees: IT should regularly caution employees about the risks of using unauthorized apps. 

  • Bridge the gap between IT and other departments: Put a process in place that allows team members to freely approach IT with new apps they wish to use.

2. Use Single Sign-On (SSO) paired with Multi-Factor Authentication (MFA)

SSO is a nonnegotiable security requirement for any company with more than five employees.

SSO solutions such as Okta, Duo, and Microsoft Azure Active Directory (AD) allow you to access all SaaS applications after entering your credentials just one time. Not only is SSO more convenient for end users, but it gives IT and Security teams the ability to effectively manage user accounts across dozens or hundreds of vendors.

SSO also makes it much easier to enforce Multi-Factor Authentication (MFA), a crucial extra level of SaaS security, across all of your accounts.  

After signing in using SSO, for example, a user is prompted with MFA to confirm the session using “something they have” (i.e. by receiving a push notification or text on their phone).

3. Manage identity and access to SaaS applications

Each user in a cloud environment has their own roles and permissions governing the access they get to certain parts of the cloud, and because SaaS workloads are accessed online, all hackers need are your credentials to get the “keys to the kingdom.”

This is why strong identity and access management (IAM) policies are so essential to cloud security.

Identity and access management is a means of controlling the permissions and access for users of cloud resources. You can think of IAM less as a single piece of software and more of a framework of processes, policies, and technology. Some IAM best practices include:

  • Removing dormant accounts

  • Only giving privileged access to those who truly need it

  • Enforcing strict password policies 

According to Palo Alto Networks, most known cloud data breaches start with misconfigured IAM policies or leaked credentials.

Specifically, researchers found that IAM misconfigurations cause 65 percent of detected cloud data breaches, with the runners up being weak password usage (53 percent) and allowing password reuse (44 percent).
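The SSO/MFA and IAM practices above (enforce MFA, remove dormant accounts, restrict privileged access, keep password policy) are the kind of thing an admin can check mechanically against an identity provider export. The script below is an added example, not code from Malwarebytes or from any identity vendor: it assumes a constructed JSON export with the fields shown (real Okta or Azure AD exports use their own schemas) and assumes thresholds of 90 days for dormancy and 180 days for password age, both of which are policy choices rather than anything the article specifies.

```python
"""Audit a SaaS identity export for common IAM hygiene gaps.

Added example. Assumes a constructed JSON export with the fields below;
the users, schema and thresholds are illustrative, not from any real IdP.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: fictional users, not a real identity-provider schema.
SAMPLE_EXPORT = json.dumps([
    {"user": "alice", "role": "admin", "mfa": True,
     "last_login": "2022-12-01T09:12:00Z", "password_changed": "2022-10-04T00:00:00Z"},
    {"user": "bob", "role": "user", "mfa": False,
     "last_login": "2022-11-28T16:40:00Z", "password_changed": "2022-01-15T00:00:00Z"},
    {"user": "carol", "role": "admin", "mfa": False,
     "last_login": "2022-07-02T08:00:00Z", "password_changed": "2022-06-30T00:00:00Z"},
    {"user": "svc-backup", "role": "admin", "mfa": True,
     "last_login": None, "password_changed": "2021-03-01T00:00:00Z"},
])

DORMANT_DAYS = 90        # assumption: no sign-in for 90 days counts as dormant
MAX_PASSWORD_AGE = 180   # assumption: policy requires rotation every 180 days
AUDIT_TIME = datetime(2022, 12, 6, tzinfo=timezone.utc)  # fixed "now" for the sample


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp from the export; None stays None (never logged in)."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(export_json, now):
    """Return {finding category: sorted usernames} for the three checks."""
    findings = {"dormant": [], "privileged_without_mfa": [], "stale_password": []}
    for acct in json.loads(export_json):
        last_login = _parse(acct["last_login"])
        changed = _parse(acct["password_changed"])
        # Dormant: never signed in, or no sign-in within the dormancy window.
        if last_login is None or now - last_login > timedelta(days=DORMANT_DAYS):
            findings["dormant"].append(acct["user"])
        # Privileged role must have MFA enforced.
        if acct["role"] == "admin" and not acct["mfa"]:
            findings["privileged_without_mfa"].append(acct["user"])
        # Password older than policy allows.
        if now - changed > timedelta(days=MAX_PASSWORD_AGE):
            findings["stale_password"].append(acct["user"])
    return {k: sorted(v) for k, v in findings.items()}


def audit_sample():
    """Run the audit over the constructed export at the fixed audit time."""
    return audit_accounts(SAMPLE_EXPORT, AUDIT_TIME)


if __name__ == "__main__":
    for category, users in audit_sample().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Note that a service account that has never logged in interactively (like the constructed `svc-backup`) lands in the dormant list; whether that is a finding or an expected state is a decision the audit has to make explicitly, which is why the script surfaces it rather than silently skipping accounts with no login record.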

4. Use a strong cloud malware scanner

Did you know that malware delivered through cloud storage apps such as Microsoft OneDrive, Google Drive, and Box accounted for 69 percent of cloud malware downloads in 2021?

It can be difficult to monitor and control all the activity in and out of SaaS cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. 

That’s where cloud storage scanning comes in.

Cloud storage scanning is exactly what it sounds like: it’s a way to scan for malware in cloud storage apps like Box, Google Drive, and OneDrive. And while most cloud storage apps have malware-scanning capabilities, it’s important to have a second-opinion scanner as well.

Reduce risk from cloud-based malware today

A second-opinion cloud storage scanner is a great second line of defense for cloud storage because it’s very possible that your main scanner will fail to detect a cloud-based malware infection that your second-opinion one catches. 

Look for a third-party cloud storage scanner that aggregates threats across different vendors’ repositories and uses multiple anti-malware engines when scanning files.

5. Define your Security Service Edge (SSE)

In 2021, Gartner introduced the concept of “Security Service Edge” (SSE),  which they defined as an evolving stack of different cloud-based security tools to secure access to the internet, SaaS and specific internal applications. A subset of Secure Access Service Edge (SASE), SSE can help you with SaaS security using tools such as: 

  • Zero Trust Network Access (ZTNA):  ZTNA is an IT solution that secures boundaries around SaaS applications. With ZTNA, your business can enforce “least privilege” access to specific apps and ensure no users are given network access, eliminating unauthorized lateral movement.

  • Cloud secure web gateway (SWG): SWGs filter unsafe content from web traffic and hence can help prevent your SaaS apps from being compromised through a phishing attack, for example. Features include URL Filtering, application control, Data Loss Prevention (DLP), and anti-malware detection and blocking.

  • Cloud access security broker (CASB): A CASB sits between you and your SaaS provider, enforcing security policies and practices including authentication, authorization, alerts and encryption. CASBs offer feature sets across four pillars: data security, compliance, threat protection, and visibility.

  • Firewall-as-a-service (FWaaS): FWaaS is a firewall delivered via the cloud, acting as a barrier to prevent unauthorized access to the network. FWaaS inspects all traffic coming into your network (including SaaS app traffic) to detect and address threats.

SaaS security doesn’t have to be scary

No doubt, SaaS is here to stay. At the same time that businesses are reaping enormous benefits from the cloud, however, SaaS security is top-of-mind. With everything from shadow IT, misconfigurations, access management, and cloud malware threatening the security of your SaaS environment at all times, it has never been more important to adhere to a few best practices.

But SaaS security doesn’t have to be scary.

For SMBs, the combination of processes, technologies, and outsourcing outlined here can vastly improve your SaaS security posture, helping to prevent a much-dreaded data breach.


Update now! Google patches Android vulnerability that allows remote code execution over Bluetooth

In the Android security bulletin of December 5, 2022 you can find an overview of the security vulnerabilities affecting Android devices that are fixed in patch level 2022-12-05 or later.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed.

Mitigation

If your Android phone is at patch level 2022-12-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.
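The security patch level shown in Settings is also exposed as the standard Android system property `ro.build.version.security_patch` (readable with `adb shell getprop ro.build.version.security_patch`), which makes it possible to check a fleet of managed devices against the 2022-12-05 level rather than tapping through each phone. The script below is an added example, not Google’s or Malwarebytes’ code; the device inventory in it is constructed, and the `adb` call at the bottom is optional and only runs if the tool is installed.

```python
"""Compare Android security patch levels against a required bulletin date.

Added example. Reads the standard ro.build.version.security_patch value
(YYYY-MM-DD). The inventory below is constructed; no real devices.
"""
from datetime import date

REQUIRED_PATCH_LEVEL = date(2022, 12, 5)  # patch level from the December 2022 bulletin

# Constructed inventory: device label -> getprop output. Not real devices.
SAMPLE_INVENTORY = {
    "pixel-finance-01": "2022-12-05",
    "galaxy-sales-07": "2022-11-01",
    "tablet-lobby": "2023-01-05",
    "loaner-03": "unknown",   # simulates a device that did not report a usable value
}


def parse_patch_level(value):
    """Return the patch level as a date, or None if the property is malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def is_patched(value, required=REQUIRED_PATCH_LEVEL):
    """True only when the reported level is a valid date at or after the bulletin."""
    level = parse_patch_level(value)
    return level is not None and level >= required


def classify_inventory(inventory, required=REQUIRED_PATCH_LEVEL):
    """Bucket devices as patched, unpatched, or unknown (unparseable value)."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for device, value in inventory.items():
        level = parse_patch_level(value)
        if level is None:
            result["unknown"].append(device)
        elif level >= required:
            result["patched"].append(device)
        else:
            result["unpatched"].append(device)
    return {k: sorted(v) for k, v in result.items()}


def classify_sample():
    """Classify the constructed inventory against the December 2022 level."""
    return classify_inventory(SAMPLE_INVENTORY)


def local_device_patch_level():
    """Query a USB-attached device via adb; returns None if adb is unavailable."""
    import subprocess
    try:
        out = subprocess.run(
            ["adb", "shell", "getprop", "ro.build.version.security_patch"],
            capture_output=True, text=True, timeout=10, check=False,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    for bucket, devices in classify_sample().items():
        print(f"{bucket}: {', '.join(devices) or 'none'}")
    attached = local_device_patch_level()
    if attached is not None:
        print(f"attached device: {attached} -> {'patched' if is_patched(attached) else 'NOT patched'}")
```

Devices that report an unparseable value go into a separate “unknown” bucket instead of being treated as patched, so a bad export or a vendor build that does not populate the property never hides an unpatched phone.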

Vulnerabilities

The total number of patched issues is 81, and four of them are security issues labelled as critical.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below are details for the four critical ones.

CVE-2022-20472: a critical remote code execution (RCE) vulnerability in the Framework component.

CVE-2022-20473: another critical RCE vulnerability in the Framework component.

The Android framework consists of a group of Java classes, interfaces, and other precompiled code upon which apps are built.

CVE-2022-20498: a critical information disclosure (ID) vulnerability in the System component.

CVE-2022-20411: a critical RCE vulnerability in the System component. Exploiting this vulnerability could allow an attacker to perform remote code execution over Bluetooth with no additional execution privileges needed.

Google didn’t provide any details about the vulnerabilities in order to protect the Android users that haven’t been able to patch yet.

Patch gap

Depending on the manufacturer of your Android device, the patch may not be available to you yet.

A patch gap exists when software patches have to wait for a second vendor to incorporate them into its software before they reach an end user.

This has always been a particularly acute problem on Android phones. If there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android and any fix has to be tested in that slightly different environment.

We know that Samsung has issued the patch including a fix for CVE-2022-20411 and the other critical vulnerabilities.

Stay safe, everyone!



Raccoon Stealer admin will be extradited to the US, charged for computer crimes

The US Department of Justice has indicted a Ukrainian national for his involvement in Raccoon Stealer, a noteworthy password-stealing Trojan leased in the underground for criminals to use as part of a malware-as-a-service (MaaS) business model.

According to court documents, Mark Sokolovsky, 26, is currently held in the Netherlands under an extradition request from the US government. Dutch authorities arrested Sokolovsky, known online as “raccoonstealer,” in March 2022. At the same time, the FBI (Federal Bureau of Investigation) partnered with Italian and Dutch law enforcement to dismantle Raccoon Stealer’s digital infrastructure, taking the existing version offline.

In a press release, Deputy Attorney General Lisa O. Monaco said:

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats. As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with four counts of computer crime: conspiracy to commit computer fraud, conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft.

On September 13, 2022, the Amsterdam District Court ordered Sokolovsky’s extradition to Texas, where many of his victims were located. He is currently appealing the extradition. If convicted, he faces a maximum of 20 years for wire fraud and money laundering, five years for computer fraud charges, and a mandatory two-year term for identity theft offenses.

About Raccoon Stealer

Raccoon Stealer was popular on the dark web from 2019 to early 2022 for its simplicity and customization. Its operations temporarily ceased sometime in March 2022 after an operator revealed that a key developer of the Trojan had died at the beginning of Russia’s invasion of Ukraine. In June 2022, Raccoon Stealer resumed operations with the release of V2.

Administrators of Raccoon Stealer rent out the malware for $200 per month, paid in cryptocurrency. Cybercriminals use the Trojan to steal data from victim computers. This data includes login credentials, financial and banking information, and personally identifiable information (PII). They trick users into downloading the malware via email phishing campaigns (among others). 

The FBI identified at least 50 million unique credentials stolen by Raccoon Stealer from victims worldwide. Because of this, the agency has created a dedicated website, raccoon.ic3.gov, where potential victims can check if their data has been stolen. All they need to do is to enter their email address. Note, however, that the website only contains data for US-based victims. 

The FBI also encourages potential victims to fill out a detailed complaint and share the harm the malware caused them at the FBI’s Crime Complaint Center (IC3).



Police warn of fake law enforcement arrest warrant calls

Brownsville Police Department is warning about scammers impersonating law enforcement in order to extract money from potential victims. The scam involves pressure from an immediate threat, several ways to extract yourself from this non-existent claim of wrongdoing, and multiple levels of officialdom to scare you into making a wrong move. 

How the fake warrant call works

Calls from individuals pretending to be energy suppliers offering discounts, or fake parcel delivery firms are all the rage at the moment. However, don’t discount fake law enforcement ploys! The way this scam works is as follows:

  1. You receive a call from someone claiming to be in law enforcement. This individual knows at least some of your personal information, though there’s no indication as to where they obtained it. Depending on your region, they may claim to be city, county, state, or federal law enforcement officers. This specific technique is aimed at residents of the US, though it can of course be tailored to work anywhere.

  2. The victim is informed that there is a warrant out for their immediate arrest. In fact it’s so immediate that the scammer claims they will visit your house and place you under arrest there and then. The only way to get out of this entirely fictitious predicament and avoid going to fake jail is to pay a fee or a fine via payment apps such as Zelle or Cash App, or gift cards.

Not this scam’s first rodeo

This isn’t the only time such a scam has been reported by Brownsville Police Department. Back in 2020, they alerted residents of the following scam attempt doing the rounds:

“…a group of scammers impersonating county judges and Brownsville Police Department Officers. These scammers are calling people via telephone telling them they have warrants for their arrests and that they have to pay a fine. The scammers are requesting credit card information and over the phone payment.”

Somewhere along the way, the judges apparently dropped out of the scam, leaving law enforcement to do the heavy lifting alone. Perhaps the scammers decided that judges making these calls was a little too unbelievable. You may be tempted to assume the same for police, but consider that these calls are built entirely around one pressure point: “Pay this fine, or we’re coming to arrest you immediately.” This is absolutely not something you want to hear down the phone out of the blue, and how many people would stop to question such a thing when put on the spot?

Ways to avoid this bogus warrant fakery

Brownsville PD has the following advice for anyone who may be on the receiving end of one of these calls:

1. Get the caller’s name, phone number, and agency.

2. Tell them you are going to contact the agency with the warrant, not the number they give you.

3. Call the agency that has the warrant, and verify the person by name. Get the agency’s phone number via the internet.

4. If the call was a scam, report it immediately to the proper authorities.

Law enforcement asking directly for payment on pain of immediate arrest is simply not a thing which is going to happen. Nobody wants to receive an unpleasant call like the ones mentioned above, but if you do receive something along these lines: don’t panic. Ask the caller for as much information as possible, and inform them that you’re going to ring a number you’ve verified is the real deal. If the person calling is genuine, there should be no problem with you doing this. If they hesitate, or insist that this is a case of “do it now or else,” you can almost guarantee that this is a fake out.

Stay safe out there!



Malware on the Google Play store leads to harmful phishing sites

A family of malicious apps from the developer Mobile apps Group is listed on Google Play, each infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads.

Older versions of these apps have been detected in the past as different variants of Android/Trojan.HiddenAds. Yet, the developer is still on Google Play dispensing its latest HiddenAds malware.

This follows on the heels of adware that was found on Google Play just a couple months ago from a rogue PDF reader.


Delayed ungratification

Our analysis of this malware starts with an app named Bluetooth Auto Connect (full app information at the bottom of this article). When a user first installs this malicious app, it takes a couple of days before it begins to display malicious behavior. Delaying malicious behavior is a common tactic used by malware developers to evade detection. It turns out that this app uses delays quite a bit, as you’ll discover in our analysis.

After the initial delay, the malicious app opens phishing sites in Chrome. The content of the phishing sites varies: some are harmless sites used simply to generate pay-per-click revenue, and others are more dangerous phishing sites that attempt to trick unsuspecting users. For example, one site includes adult content that leads to phishing pages telling the user they’ve been infected, or that they need to perform an update.

The Chrome tabs are opened in the background even while the mobile device is locked. When the user unlocks their device, Chrome opens with the latest site. A new tab with a new site is opened frequently, so unlocking your phone after several hours means closing multiple tabs. The user’s browser history will also be a long list of nasty phishing sites.


Deeper analysis using LogCat

As in my last blog post, I once again used an Android OS test phone and plugged it into my laptop running LogCat via good old Android Device Monitor. LogCat shows the log output of installed apps and of the Android OS itself, including the logs written by this malware. The first log entry from this malware came several hours after the initial installation.

10-20 05:11:07.504: D/sdfsdf(11987): {"adDelay":7200000,"flurryId":"YQBTHDXPVMFT3D7Z7Q92","chromeLink":"https://<phishing_URL>.com/?ts=1666264263370&id=344","showOuterAd":true,"firstAdDelay":259200000,"versionWithNoAd":"no"}

The first important datapoint of the log entry is what LogCat calls the Tag. This usually identifies the component writing the log, such as ActivityManager. In this case, the malware uses an obfuscated tag of sdfsdf, another sign of willful deception. Diving into the Text segment of the log, where the important data is stored, there are a couple of key datapoints: adDelay, chromeLink, and firstAdDelay.

First, the chromeLink is the URL of the phishing site to open in Chrome. Next, let’s look at the firstAdDelay datapoint with the value of 259200000. This value is the length of delay to displaying the first ad in milliseconds—seventy-two hours. Add the several hours to this delay before the log entry is created, and you have roughly four days from the time the malicious app is installed to when it displays the first ad in Chrome. 

Keep in mind that the delay length varies from one malware app to another. Additionally, after the first ad is displayed, there is an adDelay of 7200000 milliseconds, or two hours. It’s unclear whether that means waiting an additional two hours after the first ad delay, or displaying another ad two hours after the first ad. Regardless, it is another example of using delays to evade detection. These types of log entries are recorded every fifteen minutes, constantly scheduling new time-released ads.

After the delay has elapsed, the ad is triggered to display. At that point, additional log entries appear under the tag ActivityManager.

10-24 08:26:30.476: I/ActivityManager(765): START u0 {act=android.intent.action.VIEW dat=https://<phishing_URL>.com/... flg=0x14002000 pkg=com.android.chrome cmp=com.android.chrome/org.chromium.chrome.browser.ChromeTabbedActivity (has extras)} from uid 10062
10-24 08:26:31.026: W/ActivityManager(765): Activity pause timeout for ActivityRecord{736d893 u0 com.android.chrome/org.chromium.chrome.browser.ChromeTabbedActivity t11780}

These log entries show Chrome opening a new tab with a phishing site via the ChromeTabbedActivity activity; the “from uid” value at the end of the START record is the app that requested the launch. After that point, unlocking the mobile device will reveal the ad.
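As an added example (not code from the original article or from Malwarebytes), here is a small Python parser that runs over a constructed LogCat excerpt modelled on the entries above. It pulls the JSON ad configuration out of the app’s own log lines, converts the millisecond delays to hours, and picks out the ActivityManager START records that push a VIEW intent into Chrome together with the UID that requested them. The second sdfsdf line, the Settings launch, and the list of framework tags are assumptions made for the example; the <phishing_URL> placeholder is kept as it appears in the article.

```python
import json
import re

# Constructed LogCat excerpt modelled on the entries quoted in the article.
# The <phishing_URL> placeholder is kept; none of these lines is a real capture.
SAMPLE_LOGCAT = """\
10-20 05:11:07.504: D/sdfsdf(11987): {"adDelay":7200000,"flurryId":"YQBTHDXPVMFT3D7Z7Q92","chromeLink":"https://<phishing_URL>.com/?ts=1666264263370&id=344","showOuterAd":true,"firstAdDelay":259200000,"versionWithNoAd":"no"}
10-20 05:26:07.611: D/sdfsdf(11987): {"adDelay":7200000,"flurryId":"YQBTHDXPVMFT3D7Z7Q92","chromeLink":"https://<phishing_URL>.com/?ts=1666265163370&id=345","showOuterAd":true,"firstAdDelay":259200000,"versionWithNoAd":"no"}
10-20 05:30:00.000: I/ActivityManager(765): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.settings/.Settings} from uid 10010
10-24 08:26:30.476: I/ActivityManager(765): START u0 {act=android.intent.action.VIEW dat=https://<phishing_URL>.com/... flg=0x14002000 pkg=com.android.chrome cmp=com.android.chrome/org.chromium.chrome.browser.ChromeTabbedActivity (has extras)} from uid 10062
10-24 08:26:31.026: W/ActivityManager(765): Activity pause timeout for ActivityRecord{736d893 u0 com.android.chrome/org.chromium.chrome.browser.ChromeTabbedActivity t11780}
"""

# "MM-DD HH:MM:SS.mmm: LEVEL/TAG(PID): TEXT", the format of the lines above
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<level>[VDIWEF])/(?P<tag>[^(]+)\((?P<pid>\d+)\): (?P<text>.*)$"
)
# ActivityManager's START record: the intent in braces, then the requesting UID
START_RE = re.compile(r"START u\d+ \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)")
# key=value pairs inside the intent (anchored on whitespace so URL query
# parameters inside dat=... are not picked up as keys)
KV_RE = re.compile(r"(?:^|\s)(\w+)=(\S+)")

# Tags written by the framework itself (assumed list); any other tag carrying
# an ad configuration belongs to app code
FRAMEWORK_TAGS = {"ActivityManager", "WindowManager", "PackageManager"}


def parse_logcat(text):
    """Split raw LogCat output into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def extract_ad_configs(entries):
    """Return (tag, config) for every entry whose text is a JSON object
    carrying the delay and URL keys seen in the sample."""
    found = []
    for e in entries:
        text = e["text"].strip()
        if not text.startswith("{"):
            continue
        try:
            cfg = json.loads(text)
        except json.JSONDecodeError:
            continue
        if {"chromeLink", "adDelay", "firstAdDelay"}.issubset(cfg):
            found.append((e["tag"], cfg))
    return found


def ms_to_hours(ms):
    """Delay values in the config are milliseconds."""
    return ms / 3_600_000


def browser_view_launches(entries, browser_pkg="com.android.chrome"):
    """ActivityManager START records that push a VIEW intent into the browser.
    The 'from uid' value identifies the requesting app, which is how the
    launch is attributed back to an installed package on the device."""
    hits = []
    for e in entries:
        if e["tag"] != "ActivityManager":
            continue
        m = START_RE.search(e["text"])
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("intent")))
        if kv.get("act") == "android.intent.action.VIEW" and kv.get("pkg") == browser_pkg:
            hits.append({"ts": e["ts"], "uid": m.group("uid"), "url": kv.get("dat")})
    return hits


def summarize(text):
    """One-shot triage of a LogCat dump: who logs ad configs, with what
    delays and targets, and which launches pushed URLs into the browser."""
    entries = parse_logcat(text)
    configs = extract_ad_configs(entries)
    return {
        "config_tags": sorted({tag for tag, _ in configs} - FRAMEWORK_TAGS),
        "first_ad_delay_h": [ms_to_hours(c["firstAdDelay"]) for _, c in configs],
        "ad_delay_h": [ms_to_hours(c["adDelay"]) for _, c in configs],
        "chrome_links": [c["chromeLink"] for _, c in configs],
        "launches": browser_view_launches(entries),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGCAT), indent=2))
```

On a real dump, feed the script the output of adb logcat -d and look at the config_tags and launches fields: a non-framework tag emitting a JSON blob with delay and URL fields, and VIEW launches into the browser from a UID that is not the browser or the user, are the two signals to chase back into the code.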

Tracing it back to code

Now that we have LogCat entries, the next step in our analysis is to trace back to where in the code this malicious behavior is happening.  To do that, we first need to look in the app’s Manifest file.

The Manifest file is essentially a guide that the Android OS uses to run an app’s activities, services, and receivers. Each activity, service, and receiver contains code to be run. Every Android app has a Manifest file.

Often, the activities, services, and receivers used by a particular piece of malware are unique. However, at first glance at this malware it is hard to tell which activities, services, or receivers are running the malicious code. This is where the LogCat entries can assist. These logs are the smoking gun pointing at exactly which activities, services, or receivers are triggering malicious behavior. Ironically, the attempt to evade detection using a LogCat tag of sdfsdf made tracking down the culprit easy. A quick search for sdfsdf in the code traces it back to the service com.github.libpackage.service.PushService and the activity com.github.libpackage.view.NotificationActivity. The use of the popular GitHub name in the naming convention is yet another blatant attempt to avoid scrutiny. From there, we were able to verify further using the additional datapoints from the LogCat text.
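As an added example (not the article’s or Malwarebytes’ code), the following Python script does the cross-reference described above on a constructed, abbreviated manifest and a dictionary standing in for decompiled source files: it lists the declared components, expands relative class names against the package attribute, finds every class that logs with a given tag, and maps each one back to its manifest declaration. The manifest contents, the MainActivity and BootReceiver components, and the source snippets are all assumptions; only the two com.github.* component names and the sdfsdf tag come from the article.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, heavily abbreviated manifest. The two com.github.* component names
# are the ones the analysis traced the tag to; MainActivity and BootReceiver are
# assumed for the example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.bluetooth.autoconnect.anybtdevices">
  <application android:label="Bluetooth Auto Connect">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name="com.github.libpackage.view.NotificationActivity"/>
    <service android:name="com.github.libpackage.service.PushService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

# Constructed stand-ins for decompiled source, keyed by fully qualified class name.
# Real decompiler output would be read from disk; these bodies are invented.
SAMPLE_SOURCES = {
    "com.bluetooth.autoconnect.anybtdevices.MainActivity":
        'Log.d("BtConnect", "scanning for devices");',
    "com.github.libpackage.service.PushService":
        'Log.d("sdfsdf", config.toString());\n'
        'handler.postDelayed(showAd, config.getLong("firstAdDelay"));',
    "com.github.libpackage.view.NotificationActivity":
        'Log.d("sdfsdf", "open " + chromeLink);\n'
        'startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(chromeLink)));',
}

COMPONENT_TAGS = ("activity", "service", "receiver")


def list_components(manifest_xml):
    """Return (kind, fully qualified class) for every activity/service/receiver.
    Names starting with '.' are relative to the manifest's package attribute."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    comps = []
    for el in root.find("application"):
        if el.tag in COMPONENT_TAGS:
            name = el.get("{%s}name" % ANDROID_NS)
            if name.startswith("."):
                name = pkg + name
            comps.append((el.tag, name))
    return comps


def foreign_components(manifest_xml):
    """Components declared outside the app's own package namespace. Worth a
    second look, but bundled SDKs declare components this way legitimately."""
    pkg = ET.fromstring(manifest_xml).get("package")
    return [(k, n) for k, n in list_components(manifest_xml)
            if not n.startswith(pkg + ".")]


def find_tag_users(sources, log_tag):
    """Classes that call android.util.Log with log_tag as a string literal."""
    pat = re.compile(r'Log\.[vdiwe]\(\s*"%s"' % re.escape(log_tag))
    return sorted(cls for cls, src in sources.items() if pat.search(src))


def trace_log_tag(manifest_xml, sources, log_tag):
    """Map each class that logs with log_tag to the manifest component it is
    declared as, or flag it if it is not a declared component at all."""
    kinds = {name: kind for kind, name in list_components(manifest_xml)}
    return [(kinds.get(cls, "not a declared component"), cls)
            for cls in find_tag_users(sources, log_tag)]


if __name__ == "__main__":
    for kind, cls in trace_log_tag(SAMPLE_MANIFEST, SAMPLE_SOURCES, "sdfsdf"):
        print(f"{kind:9} {cls}")
```

The regex deliberately only matches the tag as a string literal; if the tag is built at runtime or stored in a field, search the decompiled output for the bare string and follow the field back by hand. The foreign_components helper is a heuristic only: an ad SDK or analytics library will also show up there, so treat it as a list of things to read, not a verdict.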

History of HiddenAds

Continuing to focus on Bluetooth Auto Connect, this app has had a long history of being infected with different variants of HiddenAds.  Note that other apps from Mobile apps Group have a similar history. 

  • Date of release 2020-12-??: Bluetooth Auto Connect v1.4 infected with Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-05: Bluetooth Auto Connect v1.8 infected with Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-11: Bluetooth Auto Connect v1.9 infected with Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-19: Bluetooth Auto Connect v2.2 infected with Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-22: Bluetooth Auto Connect v2.3 clean
  • Date of release 2021-02-09: Bluetooth Auto Connect v2.6 infected with Android/Trojan.HiddenAds.ATASHT
  • Date of release 2021-02-10: Bluetooth Auto Connect v2.7 infected with Android/Trojan.HiddenAds.ATASHT
  • Date of release 2021-02-12: Bluetooth Auto Connect v2.9 infected with Android/Trojan.HiddenAds.ATASHT
  • Date of release 2021-02-26: Bluetooth Auto Connect v3.0 clean
  • Date of release 2021-03-04: Bluetooth Auto Connect v3.1 clean
  • Date of release 2021-04-26: Bluetooth Auto Connect v3.8 clean
  • Date of release 2021-06-11: Bluetooth Auto Connect v4.0 clean
  • Date of release 2021-07-22: Bluetooth Auto Connect v4.1 clean
  • Date of release 2021-10-21: Bluetooth Auto Connect v4.5 clean
  • Date of release 2021-12-15: Bluetooth Auto Connect v4.6 infected with Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2021-10-21: Bluetooth Auto Connect v4.8 infected with Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2022-08-02: Bluetooth Auto Connect v5.4 infected with Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2022-08-17: Bluetooth Auto Connect v5.5 infected with Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2022-10-12: Bluetooth Auto Connect v5.7 infected with Android/Trojan.HiddenAds.BTGTHB (current version on Google Play)

It is disappointing that Mobile apps Group has persisted on the Google Play store after having shipped malicious apps in the past, twice! It’s unclear whether the malicious versions from before January 19, 2021 (versions 2.2 and earlier) were ever caught by Google Play. Since version 2.3 was clean, it seems likely that the developers were caught and uploaded a clean version.

What we do know is that DrWeb blogged about Bluetooth Auto Connect v2.5 carrying what it calls Adware.NewDich on February 24, 2021. We can only assume Google Play took action at that point by removing the most recent malicious version at the time, version 2.9. However, on February 26, just two days after the DrWeb blog, the developers released the clean version 3.0 onto Google Play. That meant Mobile apps Group remained on Google Play without even a probation period.

As a result of having two strikes from Google Play, the developers cleaned up their act from version 3.0 to 4.5, or February 26 to October 21, 2021. Then, on December 15, 2021, the developers shipped the code for the most current HiddenAds variant in version 4.6. Now on version 5.7, that malicious code remains to this date: a run of over ten months with malicious code on Google Play. Perhaps it’s time to say three strikes and you’re out to Mobile apps Group.

More than just adware

With all the evidence of malicious behavior, one can only conclude that this is more than just adware slipping past Google Play Protect detection. With a heavy dose of obfuscation and harmful phishing sites, this is clearly the malware we know as Trojan HiddenAds. Thanks to our Malwarebytes support team and our customers, we were able to track down this nasty malware. As always, you can remediate using our free scanner, Malwarebytes Mobile Security.

App information

Package name: com.bluetooth.autoconnect.anybtdevices

App name: Bluetooth Auto Connect

Developer: Mobile apps Group

MD5: C28A12CE5366960B34595DCE8BFB4D15

Google Play URL: https://play.google.com/store/apps/details?id=com.bluetooth.autoconnect.anybtdevices

Package name: com.driver.finder.bluetooth.wifi.usb

App Name: Driver: Bluetooth, Wi-Fi, USB

Developer: Mobile apps Group

MD5: 9BC55834B713B506E92B3787BE83F079

Google Play URL: https://play.google.com/store/apps/details?id=com.driver.finder.bluetooth.wifi.usb


Package name: com.bluetooth.share.app

App Name: Bluetooth App Sender

Developer: Mobile apps Group

MD5: F764F5A04859EC544685E30DE4BD3240

Google Play URL: https://play.google.com/store/apps/details?id=com.bluetooth.share.app


Package name: com.mobile.faster.transfer.smart.switch

App Name: Mobile transfer: smart switch

Developer: Mobile apps Group

MD5: AEA33292113A22F46579F5E953596491

Google Play URL: https://play.google.com/store/apps/details?id=com.mobile.faster.transfer.smart.switch



LinkedIn introduces new security features to combat fake accounts

LinkedIn knows it has a problem with bots and fake accounts, and has acknowledged this on more than one occasion. For years, it has been aware of spam, fake job offers, phishing, fraudulent investments, and (at times) malware, and has been trying to combat those issues.

In 2018, LinkedIn rolled out a way to automatically detect fake accounts. It also gave users an inside look into what’s going on behind the scenes: A dedicated team constantly analyzing abusive behavior, risk signals, and patterns of abuse; tools that are continuously improving; and the company investing in AI technologies aimed at detecting communities of fake accounts.

Now, LinkedIn is rolling out new security features to support its cause further. As Oscar Rodriguez said in his post on the LinkedIn blog:

“I am eager to share that as part of our ongoing commitment to keeping LinkedIn a trusted professional community, we are rolling out new features and systems to help you make more informed decisions about members that you are interacting with and enhancing our automated systems that keep inauthentic profiles and activity off our platform. Whether you are deciding to accept an invitation, learning more about a business opportunity, or exchanging contact information, we want you to be empowered to make decisions having more signals about the authenticity of accounts.”

What’s new?

The “About this profile” feature. This new section in a LinkedIn profile will contain information about when the profile was first created, when it was updated last, and indications of whether the account is associated with a verified phone number or work email address. This feature has already been rolled out.

(Screenshot of the “About this profile” section. Source: LinkedIn)

Tech that analyzes profile pictures. As AI-based synthetic image generation technology—often called deepfake—has grown in sophistication, tech has become indispensable in helping us filter genuine profile photos from AI creations. LinkedIn’s deep-learning tech looks for subtle image artifacts, which may be invisible to the naked eye, associated with images created using AI. Accounts with positive detections will be removed before they can be used to reach out to members.

Flags that alert users of suspicious behavior. One known tactic of those with ill intent is encouraging their potential victim to continue their conversation away from the social platform they first met in favor of another communication medium, usually via email or IM. Scammers and fraudsters have employed this same tactic on LinkedIn. The platform now warns potential targets when the person they’re talking to suggests they move elsewhere.

(Screenshot of the off-platform warning. Source: LinkedIn)

“This sender appears to be trying to move the conversation off LinkedIn. We recommend you review these safety tips before proceeding.” reads the warning. Clicking “View message anyway” displays the sender’s message, which LinkedIn initially blocks unless the receiver wants to view it.

Stronger together

While the tools that keep users safe and let them make confident decisions about their online safety keep growing, the community’s involvement remains a powerful and effective deterrent against cybercriminals. LinkedIn encourages its users to be wary and to report anything strange they see on the platform, such as:

  • People asking for money (in the form of cryptocurrency or gift cards) so you can claim a prize or other winnings
  • People expressing their romantic interest in you (this is generally frowned upon and is considered highly inappropriate on the platform)
  • A job posting that sounds too good to be true
  • A job posting that asks for an upfront fee for anything.

Keep in mind these red flags, too:

  • Profiles with abnormal profile images
  • Profiles with inconsistencies in their work history and education
  • Profiles with bad grammar. Question the credibility and legitimacy of such profiles
  • New profiles with no common connections, generic names, or few connections

Stay safe!

