5 facts about Vice Society, the ransomware group wreaking havoc on the education sector

Move over Lockbit, there’s a new ransomware-as-a-service (RaaS) player in town attacking the education sector—and its name is Vice Society.

Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. And their ideal prey? You guessed it: universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) has even released a joint Cybersecurity Advisory (CSA) after observing that Vice Society has disproportionately targeted the education sector. 

But with knowledge comes power. The more the education sector knows about Vice Society, the better prepared it is to defend against them.

In this article, we’ll arm you with five facts about Vice Society so you can get the upper hand against this persistent threat.

1. In 2022 they were far and away the biggest attackers on the education sector

If you’re a regular reader of our monthly ransomware review, you know that the education sector has gotten plenty of attention from ransomware gangs in the last year, to say the least.

It wasn’t until Vice Society, however, that we saw a gang taking their love for the sector to a whole new level. 

Like many other ransomware gangs, Vice Society is known to steal information from victims’ networks before encryption for the purposes of double extortion—threatening to publish the data on the dark web unless you pay up the ransom they demand.

A few of the institutions published on their leak site last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US.

Around 40% of the victims shared on the Vice Society leak site are educational institutions, a large proportion compared to other gangs.

2. And they have shown no signs of slowing down in 2023

As of January 2023, Vice Society has already published the data of six schools on their leak site. That’s more than any other RaaS gang so far this year.

The Vice Society leak site

3. They leverage living off the land techniques to sneak past detection

Living off the land (LOTL) attacks are when threat actors use legitimate tools for malicious purposes, which effectively allows them to hide in plain sight as they carry out their attack.

Vice Society actors leverage one such legitimate tool, Windows Management Instrumentation (WMI), as a means of living off the land to execute malicious commands. WMI allows administrators to manage and monitor various aspects of a computer, such as hardware and software, from a remote location.

See where we’re going with this?

Vice Society and other adversaries can use WMI to gain access to a system and then execute malicious code, install malware, or steal sensitive information.

That means you won’t be able to detect them using traditional signature-based detection mechanisms: hash values, IOCs and signatures do not detect living off the land attacks, because the tools being abused are legitimate binaries that are already on the system. Instead, you’ll need to turn to an Endpoint Protection Platform (EPP) that uses a combination of machine learning, behavioral analysis, and sandboxing.
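To make the signature-versus-behaviour point concrete, here is an added example (not code from the article or from any vendor) that runs a hash lookup and a parent/child behavioural rule over a handful of constructed process-creation events modelled loosely on Sysmon Event ID 1 fields. The host name, command lines and hash values are placeholders. The legitimate `cmd.exe` launched through WMI passes the hash check as "clean"; only the relationship (the WMI provider host `WmiPrvSE.exe` spawning a shell) gives it away.

```python
"""Behavioural (parent/child) detection of WMI-driven execution versus a
hash-based lookup, run over constructed process-creation events.

Added example: the events, host and hashes below are constructed for
illustration and are not telemetry from any real incident."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    sha256: str  # constructed placeholder digests, not real file hashes


# Hash allow-list a signature-based product might carry. The binaries an
# attacker "lives off" are the legitimate, signed Windows ones, so their
# hashes look clean. Values are constructed placeholders.
KNOWN_GOOD_HASHES = {
    "cmd.exe": "hash-of-legit-cmd",
    "powershell.exe": "hash-of-legit-powershell",
    "wmiprvse.exe": "hash-of-legit-wmiprvse",
    "notepad.exe": "hash-of-legit-notepad",
}

WMI_PROVIDER_HOST = "wmiprvse.exe"  # runs commands issued through WMI
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                      "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Normalise a Windows image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hash_verdict(ev: ProcessEvent) -> str:
    """What a pure hash/IOC lookup says about the launched binary."""
    known = KNOWN_GOOD_HASHES.get(basename(ev.image))
    return "clean" if known == ev.sha256 else "unknown"


def behavioral_verdict(ev: ProcessEvent) -> Optional[str]:
    """Flag the relationship, not the file: a shell spawned by the WMI
    provider host, or wmic being used to create a process."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent == WMI_PROVIDER_HOST and child in SHELLS_AND_LOLBINS:
        return "wmi-spawned-shell"
    if child == "wmic.exe" and "process call create" in ev.command_line.lower():
        return "wmic-process-create"
    return None


def triage(events):
    """Return (host, image, hash verdict, behavioural verdict) per event."""
    return [(ev.host, basename(ev.image), hash_verdict(ev), behavioral_verdict(ev))
            for ev in events]


def alerts(events):
    """Only the events the behavioural rules would raise."""
    return [row for row in triage(events) if row[3] is not None]


# Constructed sample events on a fictional workstation.
SAMPLE_EVENTS = [
    ProcessEvent("lab-ws01", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "WmiPrvSE.exe -secured -Embedding", "hash-of-legit-wmiprvse"),
    ProcessEvent("lab-ws01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 "hash-of-legit-cmd"),
    ProcessEvent("lab-ws01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                 "hash-of-legit-notepad"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Running the script prints one row per event; the second row reads `('lab-ws01', 'cmd.exe', 'clean', 'wmi-spawned-shell')`, which is exactly the case the paragraph describes: nothing about the file is suspicious, only who started it. In production such a rule would be tuned against the administrative WMI activity that is normal in your environment.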

4. We know how they get initial access to networks

So we know what Vice Society is doing once they’re in school networks and how to detect it. But how can we stop them from entering in the first place?

Using a combination of data from Unit 42 and the Cybersecurity Advisory (CSA) posted on CISA.org, we can paint a pretty good picture of how Vice Society is getting initial access to their targets.

Vice Society is not reinventing the wheel: these threat actors are using familiar techniques such as phishing, compromised credentials, and exploits to establish a foothold in victim networks.

Three ways Vice Society is known to get initial access (with MITRE IDs)

Our advice is as old as time, but always worth reiterating:

5. It seems like they’re open to negotiating their initial ransoms

First things first, the FBI recommends never paying the ransom to attackers.

There’s a good argument for not paying too: doing so encourages more attacks and there’s no guarantee you’ll get your data back either way. There is no honor among thieves, after all.

But sometimes not paying is easier said than done. Paying the ransom might be the only option left for some organizations for various reasons.

A Vice Society ransom note.

We know that Vice Society isn’t the most aggressive gang when it comes to their ransom demands. The difference between their initial demands and final demands could be as large as 60% after negotiations take place.

Getting the upper-hand against RaaS gangs

Vice Society is currently the most severe RaaS threat to the education sector. Still, to say that ransomware attacks on schools are purely a Vice Society problem is missing the forest for the trees.

We don’t want to say launching ransomware on K-12 schools, colleges, and universities is as easy as taking candy from a baby, but unfortunately that’s how many RaaS gangs see it. The reality is that the tight budgets of many educational institutions leave them struggling with outdated equipment and limited staff, making them an easy target for cybercriminals.

We recommend the education sector follow a few best practices to prevent (and recover from) ransomware attacks from every angle. That includes:

  • Make an emergency plan sooner rather than later.
  • Use endpoint protection that takes a layered approach, with multi-vector detection and prevention techniques to stop ransomware early on.
  • Use a ransomware rollback option that stores changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), so that changes caused by ransomware can be reverted.

In our Ransomware Emergency Kit, you’ll find more tips your educational organization needs to defend against RaaS gangs. 

WhatsApp hijackers take over your account while you sleep

Late last week, Twitter user Zuk (@ihackbanme) tweeted an issue about WhatsApp that has the potential to turn heads.

He explains that attackers can take advantage of two things: a user’s availability and how identity verification works on WhatsApp.

A user who is not available to respond to verification checks—whether they’re asleep, in-flight, or have simply set their smartphone to “do not disturb”—may be at risk of losing their WhatsApp account. All an attacker needs is their target’s phone number.

Here’s how it works. 

The attacker attempts to log in to a WhatsApp account. As part of the verification process, WhatsApp sends an SMS with a PIN to the phone number tied to the account.

The user is unavailable so doesn’t realise there is a suspicious login. The attacker then tells WhatsApp that the SMS didn’t arrive and asks for verification by phone call.

Since the account owner is still unavailable and cannot pick up the call, the call goes to the number’s voicemail. Knowing the target’s phone number, the attacker then attempts to access their voicemail by keying in the last four digits of the user’s mobile number, which is usually the default PIN code to access the user’s voicemail.

The attacker then has the WhatsApp verification code, and can use it to access the victim’s WhatsApp account. They can then set up their own 2FA (two-factor authentication) on it, leaving the actual owner locked out of their own account.

Once the account has been hijacked, the attacker could use it to hijack accounts of the user’s contacts, spread malware, or hold the account hostage until the owner pays up to get it back.

How to protect your own WhatsApp account

This isn’t a new tactic and has been around for a while, but there are two pretty simple things you can do to avoid it happening to you.

1. Change the default PIN of your voicemail.

2. Enable two-step verification on your WhatsApp account:

  • Open Settings.
  • Tap Account > Two-step verification > Enable.
  • Enter a six-digit PIN.
  • Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
  • Tap Next.
  • Confirm the details and tap Save or Done.

Stay safe!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Grand Theft Auto 5 exploit allows cheaters to tamper with your data

Yesterday I spent some time helping to fix a relative’s gaming PC. Their gaming data tied to Rockstar’s Grand Theft Auto 5 (GTAV) had somehow become corrupted and was no longer functional. I managed to repair the account and restore everything back to the way it was, but this isn’t the end of the story.

There’s a possibility that my relative has been impacted by a hack claimed to be doing the rounds in GTAV circles. It was said to allow cheaters to tamper with your account by corrupting your game data, altering your statistics, and even changing how much money you have in game. Someone doing this pretty much has free rein to do whatever they wish to helpless players.

Rockstar confirms the bug is real

The last few days have seen multiple unconfirmed reports of something very bad happening to GTAV accounts. Although initially Rockstar made no comment, this is now no longer the case. Rockstar Support has made the following brief statement:

We are aware of potential new exploits in GTA Online for PC, which we aim to resolve in an upcoming planned security-related Title Update.

For now, the only surefire way to not be caught by this is to not play the game, which isn’t optimal for a title very much dependent on multiplayer and online functionality. Rockstar says impacted players can contact customer support for assistance.

This fix may help

If you find yourself staring at a corrupted data message, don’t panic. There is a “temporary fix” available. The solution to corruption issues is to delete your Rockstar Games folder from PC Documents, and then load up the game which will refresh your profile. According to reports, this should solve things (and it appears to have worked for my relative with no complaints since I tried it).

If you don’t do this fix once impacted, reports indicate you may be stuck in a sort of limbo with no game ever loading.

One thing to note where corrupted data messages are concerned: if you’re a modder, and you see a corrupted profile message, it may not be a compromise. If you’ve recently made some mod alterations, or changed how the mods themselves work, this can sometimes trigger a message along these lines. In most cases, the solution there is to delete and reinstall the game from scratch. 

An uncertain timeline

There is no estimate for when Rockstar will be able to patch this, so if you’re on PC, you may wish to play something else for the time being. It could cause hours of aggravation for anyone snared by someone up to no good, so hopefully it’s a case of all hands on deck for the megastar game developers and we’ll see the back of this one sooner rather than later.

Consumer privacy and social media

Looking at the privacy-related stories of 2022, it’s not hard to see that much of the focus was on the social media giants. Banning TikTok is slowly becoming a trend among US states. Google and Facebook’s owner Meta were fined on several occasions for amounts that would have put other companies out of business, and Twitter fell victim to a power struggle that made victims left and right.

Social media

The problem for social media users is that there will always be voices telling them it’s their own fault. But is it really? Can you blame users for being unable to stop using apps whose algorithms are fine-tuned to a tee to keep them hooked? Social media platforms like TikTok are designed to serve you the content you have shown an interest in. The result? According to research, the average American teenager spends 7 hours and 22 minutes on their phone every day.

For many users, social media is a way to stay in touch with people to a degree that would be impossible if they had to rely on physical contact or even phone calls. For others, social media is a way of showing the fruits of their creativity. For some, it’s a way of keeping up with current events, some of which are fake news.

It’s easy to tell social media users that they are responsible for providing their personal data themselves. In a breach you can point at the company that was supposed to keep your data safe, but when it comes to social media you are expected to read hundreds of pages of legalese and understand that the platforms will share your data with third parties.

For companies, social media platforms have become invaluable tools in education, marketing and communication. Stop using them and you are giving the advantage to your competition, allowing them to take your place.

Cookies and advertising

Internet giants like Meta (Facebook, Instagram) and Alphabet (Google) depend on advertising. Advertising represented 98% of Facebook’s $86 billion revenue in 2020, and more than 80% of Alphabet’s revenue comes from Google ads, which generated $147 billion in 2020.

Now that awareness, regulation, and tools to control cookies have become mainstream, these advertising moguls have started looking at other ways to capitalize on their user numbers. Google has started experimenting with its FLoC alternative and others have looked at alternatives like TrustPID.

Harvesting data

Social networking companies harvest huge amounts of sensitive data about their users’ activities, interests, personal characteristics, political views, purchasing habits, and online behavior. Although in most cases the data is gathered solely to increase the effectiveness of advertising and make it more targeted, the data could be used for far more nefarious purposes if it fell into the wrong hands.

And, let’s face it, the personal data that social media platforms collect and retain is vulnerable to hacking, scraping, and data breaches.

Spying

Scraping data by and for advertisers is not the only concern about social media. The Chinese owned TikTok app has been under a lot of scrutiny, and a few US states have officially banned TikTok from state-owned or state-leased smartphones, laptops, and other internet-enabled devices.

FCC Commissioner Brendan Carr called for TikTok to be banned in America, months after deeming it an unacceptable security risk and calling for Apple and Google to completely remove the app from their app stores. FBI Director Christopher Wray expressed deep concerns about China’s influence on US citizens via TikTok.

Alternatives

Yes, there are alternatives for popular social media. With a change of management at Twitter, part of the infosec community migrated to Mastodon, a decentralized platform. But as the Twitter case has demonstrated, migrating to a different platform only appeals to users within certain communities and most companies are waiting to add these new platforms to their outreach potential, let alone migrate from the old and proven to the new and unknown.

Privacy policies

I fear that having easy-to-find and easy-to-understand privacy policies might not chase away existing users, but an often-heard complaint is that the privacy policy presented to a new user is hard to understand, full of loopholes and exceptions, and often not much more than a long-winded waiver which can be subject to one-sided change at any given moment.

Private information

When it comes to social media, there are three main methods of leaking information.

  • The information you post voluntarily. Everything from which restaurants you visited, to sharing how happy you are about soft drugs getting legalized, can come back to bite you later. More importantly, it provides people and advertisers with information about what kind of person you are.
  • The information your connections share about you. For example, remember how much fun we had together when we went to this event or that location? You can’t stop their sharing, so limit the number of connections to those that will understand if you ask them not to share that kind of information without checking first.
  • The information you provide to the company running the social media service. And not just your birthday, recovery email address, and phone number, but also about your online behavior, your shopping preferences, and which topics you are into.

What all this information has in common is that once it’s out there, it’s impossible to make it disappear. If you share, post, and click with that in the back of your mind, you’re a long way towards responsible use of social media.

Countermeasures

It is doubtful whether the countermeasures we have tried so far have made more than a little dent in the money-making machines that are social media companies. Legislation and fines are tackled by some of the best lawyers that money can buy. And as long as the optimized algorithms keep us hooked, users will keep going back and give up their privacy voluntarily.

All we can do is remind users of the dangers, and inform them about methods that are less harmful than giving all their data up for free. 

Video game playing FISH live streams credit card ‘theft’

A fish is in hot water (metaphorically speaking) after having performed some incredible antics on a video game live stream. The fish, known for playing popular video game titles to completion on live streams, decided to take that whole gamer lifestyle thing a little too far and went on a rip-roaring crime rampage which came to a grand total of about 4 dollars.

Shall we take a look? The answer, of course, is “Yes please, immediately”.

The wacky world of alternative video game controllers

Gamers have long made their streams more interesting than simply watching someone play a game. Some streamers make performance part of the act of playing the game, and use all manner of odd objects and accessories to play a title. For example, folks used ultrasonic sensors to play Trombone Champ with real and home-made trombones. Someone else beat one of the toughest bosses in Elden Ring while using a Dance Pad.

Elsewhere, people make use of sensors and have their pets “play” video games. The star of our fishy tale has already completed an earlier version of Pokemon by using a grid corresponding to button presses tracked by a camera sending commands to a circuit board. The fish completed the game in 3,000 hours, which to be fair is still a lot less than many people spend playing a massively multiplayer title.

The fish was due to thunder into action once more with the release of the newest Pokemon game. We’ve all heard the horror stories of unattended children spending vast fortunes on credit card purchases while the parents are out of the room. On this occasion, the child is fish shaped and the vast fortune is four dollars.

It still counts though.

A fishy heist

How did our intrepid phish manage to get its fins on the four dollars in question, I hear you ask? Well, the owner hadn’t accounted for two horrible possibilities.

One: that the game would crash.

Two: that the game would crash while they were off doing something entirely unrelated to a fish playing video games.

While the owner is away, the Pokemon loving fish will play. When the game crashed, the Switch exited to desktop but the fish was still in control. Lots of random button presses eventually resulted in our fishy friend managing to perform the following incredible and hilarious actions:

  • Opening up the Switch store (twice!)
  • Adding four dollars’ worth of funds to the owner’s account with stored card details.
  • Purchasing a new avatar.
  • Downloading an N64 emulator, because if the fish wanted to play Goldeneye it wouldn’t surprise me at this point.
  • Triggering a confirmation email.
  • Changing the account name to ROWAWAWAWA¥. Any resemblance to the words “row away” is both entirely fitting and absolutely intentional. This fish is going to be on an FBI ‘Wanted’ poster within the next six months.

Protecting your Nintendo account from aquatic threats

Nintendo’s store allows account holders to set various purchase restrictions for young children to prevent the kind of shenanigans highlighted up above. Purchases, content renewals, and even content visibility can all be set along with restrictions based on age. Your Nintendo-centric threat model may not have accounted for “gamer fish goes rogue” up until now, but here we are.

Please do not leave your Pokemon-conquering gamer fish alone with your console, and ensure the motion sensors are switched off when performing other tasks. You may return to find yourself, and your payment details, floundering.

Riot Games compromised, new releases and patches halted

Popular game developer Riot Games brings word of a system compromise which may cause issues for updates to well known titles, although for the time being it seems as though customer data isn’t affected.

A social engineering development

Riot made the notification via Twitter late last week, and we’re still waiting on the full story while an investigation takes place. For now, Riot, stewards of titles such as Valorant and League of Legends, has made the following statement in relation to the attack:

Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.

We may not be told the full details of what exactly took place here. Based on how these things usually tend to go, social engineering launched via an email sent directly to an employee could be a strong candidate.

Having said that, games publishers and developers make use of everything from social media to Discord for keeping in touch with players and fans. It could just as easily be that this began in a social media direct message and spiralled from there.

Slowdowns expected

Riot Games manages a number of incredibly popular online titles. This newly discovered compromise is going to cause some drag and delay in keeping those games updated with new content and other under-the-hood work.

Unfortunately, this has temporarily affected our ability to release content. While our teams are working hard on a fix, we expect this to impact our upcoming patch cadence across multiple games.

League of Legends, for example, has a regular patching cycle and some of those patches are very large indeed, as you’d expect for an online game. The League of Legends Twitter account has already warned of potential impact. Valorant operates in much the same way. We can expect similar across all titles as resources are used up to ensure the compromise has been fully contained and addressed.

The game developer jackpot

Games companies have been major targets for compromise for years, which is only to be expected considering the huge amount of data these organisations have access to. There are so many areas for exploitation, from game platform logins to publisher-centric accounts. You can target a PC running a game with remote code execution, go phishing for two-factor authentication codes, steal an account and sell digital items from its inventory…the list is endless.

The only good thing here is the low probability of customer data having been grabbed, with the attack instead focusing on the development environment for reasons known only to the attacker. There have been many incidents where attackers poking around behind the scenes have done so in an effort to upload or release rogue files via the game titles themselves.

This hasn’t happened here, thankfully, and with any luck Riot Games will release additional information as the week goes by.

Update, 9:03AM (GMT-8)

Riot Games updated its Twitter followers regarding the compromise. It confirmed attackers were able to steal code for some of its flagship games, League of Legends and Teamfight Tactics (TFT), and a legacy anticheat platform.

What privacy can get you

The fight for data privacy must be won in the middle.

No declaration, no call to arms, will sway the worst offenders. No public swell, no great big hack, has changed how money gets made.

Corporations will continue to reap our data, package it into ad-friendly profiles, and, for a price, deliver the right ads to the right users as determined by the right algorithms of the moment, because that is the formula for profit. And if a few privacy fiascos happen along the way? Well, pay the government-mandated fee, introduce a couple new controls, and, most importantly, march onwards.

This is where you, the people, come in.

Every single Data Privacy Day, companies, organizations, and privacy rights advocates make their best case for why everyday people should care about privacy. “It’s a human right,” we say, forgetting that one international charter does not hold sway on most of the human population. “It’s threatened every day,” we say, forgetting that the most common privacy threats happen away from plain sight, difficult to see and to understand. Even when we offer well-intentioned privacy tips, we forget that privacy today has become management. It’s fiddling with settings. It’s saying “No” on countless forms. It’s auditing and dumping old apps and clicking through the permissions on your current ones. It is, for many people today, inconvenient.

That’s why, for this year’s Data Privacy Day—which has been expanded into Data Privacy Week—we’re doing something different. We’re going to explain the most convenient advantages and benefits of privacy.

This isn’t about what you have to do to get some sense of privacy online. This is about what privacy gets you.

Fewer all-knowing ads

Today’s advertising landscape isn’t necessarily new, it’s simply hyper-charged beyond our wildest predictions. For decades, advertisers delivered their ads to the people they believed most likely to buy their products—investment managers advertising in the pages of The Wall Street Journal, joint pain medication companies airing daytime television commercials, when retirees are most likely to watch.

But in the early 2000s, the ability to grab user attention was revolutionized, as emerging tech companies began hoovering up entirely new types of user data that could be used to build “profiles” that advertisers could then select to buffet with ads. No longer did companies have to rely on a little bit of guesswork when sending their ads out based on zip codes or age ranges. Instead, companies like Facebook built new infrastructure for advertisers and marketers, selling access to users’ attention based on these newly collected data streams.

In 2021, the end-to-end encrypted messaging app Signal tried to reveal the invasive nature of Facebook’s advertising profiles by purchasing Instagram ads that would tell users exactly why they’d been selected, based on their characteristics, to receive the advertisement.

“You got this ad because you’re a newlywed pilates instructor and you’re cartoon crazy. This ad used your location to see you’re in La Jolla. You’re into parenting blogs and thinking about LGBTQ adoption,” read one of the ads, which, like all the others made by Signal, was banned by Facebook before ever being rolled out.

Several ads purchased by Signal that were banned

Sneaky as these privacy invasions may be, they are only half the picture. The other half is third-party ad-tracking cookies. Third-party ad-tracking cookies, which are going out of style, enable companies to track your web browsing activity across multiple sites. It’s why your search for luggage on one site could deliver a relevant luggage ad on a separate website.

And at least when it comes to stopping third-party ad trackers, we have several solutions.

Browser plugins like Malwarebytes Browser Guard block third-party ad trackers (and, separately, malicious websites), which means your activity across the internet won’t be so easily stitched together into a user profile that advertisers can target with what they think you want to buy most. Privacy-forward browsers like Safari, Firefox, and Brave all block third-party ad trackers by default.

This means fewer ads following you around and fewer ads that remember your every search. (It also probably means fewer moments where you think your phone is listening to you.) 

Now, it’s true that browser plugins and privacy-minded browsers won’t stop companies like Google and Facebook from collecting the information we seemingly volunteer—through our posts, our friend requests, our Google searches—but it’s important to remember that those same companies also relied on third-party ad trackers for years to grow their own advertising operations.
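The luggage example above, and the effect of blocking third-party cookies, can be shown in a few lines. The following is an added example (not code from the article, Malwarebytes or any browser vendor) that classifies each cookie as first- or third-party relative to the page that loaded it, then builds the cross-site link a tracker gets from seeing the same cookie on two unrelated sites. The `.test` hostnames, cookie names and values are constructed placeholders, and the site-identity helper is simplified to the last two DNS labels where a real browser would consult the Public Suffix List.

```python
"""First- versus third-party cookie classification, and the cross-site profile a
tracker assembles from its cookie, with and without third-party cookie blocking.

Added example with constructed sample traffic; hostnames, cookie names and
values are placeholders."""
from collections import defaultdict
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Site identity for the first/third-party decision. Simplified to the last
    two labels; browsers use the Public Suffix List so e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_of(url: str) -> str:
    return registrable_domain(urlsplit(url).hostname)


def is_third_party(page_url: str, request_url: str) -> bool:
    """A request is third-party when its site differs from the top-level page's."""
    return site_of(page_url) != site_of(request_url)


def parse_set_cookie(header: str):
    """Return (name, value) from a Set-Cookie header; attributes are ignored."""
    name, _, value = header.split(";", 1)[0].strip().partition("=")
    return name.strip(), value.strip()


# (top-level page, subresource request, Set-Cookie header returned): constructed.
# The same tracker pixel is embedded on a shop and on a news site and hands
# back the same identifier cookie both times.
SAMPLE_TRAFFIC = [
    ("https://shop.example-luggage.test/bags",
     "https://shop.example-luggage.test/api/cart",
     "cart=c91; Path=/; Secure"),
    ("https://shop.example-luggage.test/bags",
     "https://pixel.adtracker.test/collect?site=luggage",
     "uid=trk-7f3a; Domain=adtracker.test; SameSite=None; Secure"),
    ("https://news.example-paper.test/story",
     "https://pixel.adtracker.test/collect?site=news",
     "uid=trk-7f3a; Domain=adtracker.test; SameSite=None; Secure"),
]


def classify(traffic):
    """Label each cookie first- or third-party relative to the loading page."""
    rows = []
    for page, request, header in traffic:
        name, _ = parse_set_cookie(header)
        party = "third" if is_third_party(page, request) else "first"
        rows.append((site_of(page), site_of(request), name, party))
    return rows


def cross_site_profiles(traffic, block_third_party=False):
    """Group visits by (cookie site, name, value). A tracker whose cookie comes
    back from more than one site can stitch those visits into one profile.
    With block_third_party=True the third-party cookies are never stored, so
    nothing links the two sites."""
    seen = defaultdict(set)
    for page, request, header in traffic:
        if block_third_party and is_third_party(page, request):
            continue  # what an ad-tracker blocker or privacy browser does
        name, value = parse_set_cookie(header)
        seen[(site_of(request), name, value)].add(site_of(page))
    return {key: sites for key, sites in seen.items() if len(sites) > 1}


if __name__ == "__main__":
    for row in classify(SAMPLE_TRAFFIC):
        print(row)
    print("linked:", cross_site_profiles(SAMPLE_TRAFFIC))
    print("linked with blocking:",
          cross_site_profiles(SAMPLE_TRAFFIC, block_third_party=True))
```

Without blocking, `cross_site_profiles` returns one entry: the `uid=trk-7f3a` cookie from `adtracker.test` seen on both the luggage shop and the news site, which is all a tracker needs to show you luggage ads on the second site. With blocking the result is empty, while the shop’s own first-party `cart` cookie is untouched.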

Faster browsing

A half-hour TV show, without commercials, doesn’t last a half-hour. The same idea is true when browsing online. Webpages cluttered with ads take longer to load, and webpages without ads—all other things being equal—will take less time to load.

And if you’ve got privacy on your side, you’ve got fewer ads to worry about.

Browser plug-ins that block ad-tracking (like Malwarebytes’ Browser Guard) can result in faster loading times for websites. To illustrate this, the web browser Brave offers a regular infographic on how much time the browser has saved for its users because of its pro-privacy experience.

A regular look, provided by Brave, on time saved by the browser

We must remind you that advertisements are far from the only variable that affects loading times. Your personal connection speed, the website’s optimization, and the engine that drives the browser you’re using—which determines how a browser reads a website’s information and in what order that information will be loaded—all affect how long it takes for a website to load. 

Potentially fewer spam calls and robocalls

Your phone number is too easy to find. Want proof? Just look at the number of spam calls and robocalls that you likely encountered last year.

But spam callers don’t call you because they’re targeting you, specifically. They’re calling you because your phone number, which has been endlessly collected, shared, and sold, is just a few clicks away.

According to the call protection company First Orion, everyday actions, like applying for credit, donating to charity, or calling a 1-800 number, will likely result in your phone number being collected. Once that data is collected, separate, third-party companies work to tie that data to more information about the household behind the phone number, such as any addresses associated with it, any real names, and even info like estimated salaries. And those third-party companies have little problem selling these packages of data to whoever pays for it. Often, it’s their entire business model.

But what if the collection and sale of your data was only allowed with your explicit agreement? What if your privacy—not your data—was most valued?

We like to think that your phone number would be collected less often, which might mean it would be sold less often, which might create a few more obstacles for whatever scam group is pushing its latest robocall campaign.


It’s not about “nothing to hide”

The weakest excuse we hear from people who have yet to champion their own privacy is that they “have nothing to hide.” The stark, unavoidable truth today is that you have nothing to hide, yet.

On June 24, 2022, the US Supreme Court overturned earlier decisions made in Roe v. Wade and Planned Parenthood v. Casey, which had, for decades, ensured national access to abortions. With the Court’s new decision, the issue of abortion—and its legality—was pushed onto the states, which could individually criminalize abortion itself, criminalize providing abortion services, and criminalize the act of supporting anyone seeking abortion.

Immediately, questions of legality and data privacy rushed to the forefront. As we discussed in our podcast Lock and Code at the time:

“Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?”

The Supreme Court’s decision also sparked a flurry of activity from users of period-tracking apps, who now had to worry about how their previously benign data might be used as evidence against them in an investigation into now-allegedly criminal behavior. The companies that make these apps responded to their users’ concerns, promising to either anonymize their users’ data or encrypt it so that it would be useless if requested by law enforcement. At least one of those companies’ promises was over-inflated, one investigation found.

This unanswerable turmoil spat forth like a geyser, with little warning, upending everyday people’s lives for behaviors that were not illegal just 24 hours prior.

You deserve better.

So much of your data is collected every day that it’s more accurate to say that so much of you is collected every day. Your late-night WebMD visits about a new symptom. Your personal record on your regular jogging route near your home. Your first baby’s due date.

Privacy isn’t about having something to hide. It’s about not needing to hide yourself at all.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

VASTFLUX ad fraud massively affected millions of iOS devices, dismantled

Researchers have successfully dismantled a massive ad fraud campaign they stumbled upon by accident. 

The Satori Threat Intelligence and Research Team dubbed the campaign VASTFLUX, a portmanteau of “fast flux”—an evasion technique involving the constant changing of IP addresses behind a single domain—and “VAST” (Video Ad Serving Template), a framework to embed ads in videos. The researchers said they came across the VASTFLUX operation while investigating a different ad fraud scheme. While looking at the other scheme, they noticed an app creating an abnormally large number of requests using different app IDs.
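The anomaly that gave the campaign away, one device or app emitting requests under many different app IDs, is something an ad-tech or SOC team can look for in its own bid-request logs. The following is an added illustration, not code from HUMAN, Satori or Malwarebytes; the log format (timestamp, device ID, app bundle ID, publisher ID), the thresholds and the sample lines are all constructed assumptions. It flags devices that present more than a handful of distinct app IDs inside a sliding window, and app IDs that appear under more than one publisher ID, two signs of the spoofing the researchers describe.

```python
"""
Added example (not HUMAN/Satori's or Malwarebytes' code): flag devices whose ad
requests present an implausible number of distinct app IDs in a short window,
and app IDs that show up under more than one publisher ID. The log format and
thresholds below are assumptions for illustration, not a real ad exchange's.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample bid-request log: timestamp, device id, app bundle id, publisher id.
# dev-B "changes app" several times a second, which a real handset cannot do.
SAMPLE_LOG = """\
2022-06-01T10:00:00Z dev-A com.example.weather pub-101
2022-06-01T10:00:02Z dev-A com.example.weather pub-101
2022-06-01T10:00:03Z dev-B com.example.news pub-202
2022-06-01T10:00:03Z dev-B com.example.puzzles pub-203
2022-06-01T10:00:04Z dev-B com.example.radio pub-204
2022-06-01T10:00:04Z dev-B com.example.recipes pub-205
2022-06-01T10:00:05Z dev-B com.example.fitness pub-206
2022-06-01T10:00:06Z dev-B com.example.weather pub-999
2022-06-01T10:00:07Z dev-C com.example.weather pub-101
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, app, publisher = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device, "app": app, "publisher": publisher,
        })
    return records


def detect_app_id_churn(records, window=timedelta(seconds=60), max_distinct_apps=3):
    """Return {device: sorted app ids in the offending window} for every device that
    presents more than max_distinct_apps distinct app IDs inside a sliding window."""
    by_device = defaultdict(list)
    for rec in records:
        by_device[rec["device"]].append(rec)
    flagged = {}
    for device, recs in by_device.items():
        recs.sort(key=lambda r: r["ts"])
        in_window = deque()   # records currently inside the sliding window
        live = Counter()      # distinct app ids inside the window, with counts
        for rec in recs:
            in_window.append(rec)
            live[rec["app"]] += 1
            # Expire records that fell out of the window.
            while in_window[0]["ts"] < rec["ts"] - window:
                old = in_window.popleft()
                live[old["app"]] -= 1
                if live[old["app"]] == 0:
                    del live[old["app"]]
            if len(live) > max_distinct_apps:
                flagged[device] = sorted(live)
                break
    return flagged


def apps_with_multiple_publishers(records):
    """Return {app id: sorted publisher ids} for app IDs claimed by more than one publisher."""
    pubs = defaultdict(set)
    for rec in records:
        pubs[rec["app"]].add(rec["publisher"])
    return {app: sorted(p) for app, p in pubs.items() if len(p) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(detect_app_id_churn(recs))
    print(apps_with_multiple_publishers(recs))
```

In a real pipeline the window and threshold would be tuned against a baseline of how often a genuine device actually switches apps; the point is that a device identifier fanning out across dozens of bundle IDs per minute, or a bundle ID turning up under publishers that do not own it, is worth an alert.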

Since then, they have studied the campaign in depth, uncovering its inner workings, before taking everything down.

VASTFLUX, up close

Satori researchers defined VASTFLUX as “a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views”. Its sophistication only mirrors the intimate knowledge its operators have of the digital advertising ecosystem.

Apparently, this campaign was an adaptation of an earlier ad fraud scheme called Matryoshka that made headlines in 2020. Researchers said VASTFLUX exploited apps that run ads, particularly on iOS. “More than 1,700 apps and 120 publishers were spoofed in the course of the operation, reaching a peak volume of 12 billion ad requests a day and impacting nearly 11 million devices,” they further said.

VASTFLUX begins with JavaScript (JS) injections into a static ad the operators issue. These scripts decrypt the encrypted ad configurations, which include a static banner image for the ad slot, a video ad player behind the banner image, and parameters for stacked video players. A script then calls home to its command-and-control (C2) server for additional information on what to place behind the static banner.

The researchers say VASTFLUX spoofs legitimate publisher and app IDs, as well as ad sizes, in a way that is easy to miss on a cursory read of the code. The code also contained masked instructions on which apps to spoof, how to spoof them, and how to stack video players so that up to 25 ad streams play at once. These ads generate income, but the videos they play in are hidden behind a visible ad, so the video stack is invisible to users.

The stacked players render their ads simultaneously and also “keep loading new ads until the ad slot with the malicious code is closed”.

“The URL of the VAST players are encoded in base64,” the researchers said. “When decoded, they show that each player has its own ‘playlist’ of ads to cycle through, each with its own URL with tracking code attached. It’s in this capacity that VASTFLUX behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with.”

Decrypted code of the ad playlist, which plays in videos hidden from users. (Source: HUMAN)

VASTFLUX is also built to stay under the radar of fraud tracking. It does this by avoiding ad verification tags, the technology that lets marketers check whether real people have actually seen their ads. Since the real ads VASTFLUX runs are all out of sight, with no tags to track them, the campaign appears virtually nonexistent.
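Putting the pieces above together, the creative itself carries the tell-tale signs: many players in one slot, all hidden behind the banner, each with a base64-encoded playlist of ad URLs, and no verification tag. The following is an added example, not HUMAN’s or Satori’s code, of how an ad-quality scanner might audit a decrypted creative configuration for that pattern. The configuration schema (keys "banner", "players", "verification", "style") and the sample values are assumptions constructed for illustration, not the real VASTFLUX format.

```python
"""
Added example (not HUMAN/Satori's code): audit a decrypted ad-creative
configuration for the VASTFLUX pattern the article describes: many video players
stacked behind a static banner, each with a base64-encoded playlist of ad URLs,
and no ad verification tag. The config schema is an assumption for illustration.
"""
import base64
import json
from urllib.parse import urlsplit


def b64_url(url):
    """Base64-encode a URL the way the sample playlists store them (constructed helper)."""
    return base64.b64encode(url.encode()).decode()


# Constructed sample: 25 fully transparent players stacked behind a 320x50 banner,
# each cycling through three ad URLs with tracking parameters, and no verification tag.
SAMPLE_CONFIG = json.dumps({
    "banner": {"src": "https://cdn.example/banner.png", "width": 320, "height": 50, "z_index": 10},
    "players": [
        {
            "playlist": [b64_url(f"https://ads.example/vast?cid={i}&track={t}") for t in range(3)],
            "style": {"z_index": 0, "opacity": 0, "width": 320, "height": 50},
        }
        for i in range(25)
    ],
    "verification": [],
})

# Constructed benign creative: one visible player and a verification tag.
CLEAN_CONFIG = json.dumps({
    "banner": {"z_index": 1},
    "players": [{"playlist": [b64_url("https://ads.example/vast?cid=0")],
                 "style": {"z_index": 5, "opacity": 1, "width": 320, "height": 180}}],
    "verification": ["https://verify.example/tag.js"],
})


def decode_playlist(player):
    """Decode a player's base64 playlist, keeping only entries that decode to http(s) URLs."""
    urls = []
    for item in player.get("playlist", []):
        try:
            text = base64.b64decode(item, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 or not text: ignore
        parts = urlsplit(text)
        if parts.scheme in ("http", "https") and parts.netloc:
            urls.append(text)
    return urls


def is_hidden(player, banner):
    """A player the user cannot see: transparent, behind the banner, or zero-sized."""
    style = player.get("style", {})
    if style.get("opacity", 1) == 0:
        return True
    if style.get("z_index", 0) < banner.get("z_index", 0):
        return True
    return style.get("width", 1) == 0 or style.get("height", 1) == 0


def audit_creative(config_json, max_players=1):
    """Return a findings report for one decrypted creative configuration."""
    cfg = json.loads(config_json)
    banner = cfg.get("banner", {})
    players = cfg.get("players", [])
    hidden = [p for p in players if is_hidden(p, banner)]
    decoded = [u for p in players for u in decode_playlist(p)]
    has_verification = bool(cfg.get("verification"))
    findings = []
    if len(players) > max_players:
        findings.append(f"{len(players)} video players in one slot (expected at most {max_players})")
    if hidden:
        findings.append(f"{len(hidden)} players hidden from the user")
    if decoded and not has_verification:
        findings.append("players fire ad/tracking URLs but the creative carries no verification tag")
    return {
        "player_count": len(players),
        "hidden_players": len(hidden),
        "tracking_urls": len(decoded),
        "ad_hosts": sorted({urlsplit(u).netloc for u in decoded}),
        "has_verification_tag": has_verification,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    print(json.dumps(audit_creative(SAMPLE_CONFIG), indent=2))
    print(json.dumps(audit_creative(CLEAN_CONFIG), indent=2))
```

The decoding step matters because the base64 layer is what hides the playlist from a quick read of the config; once decoded, the host list and URL count give a publisher or exchange something concrete to compare against the single creative the slot was supposed to serve.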

The takedown

VASTFLUX’s takedown didn’t happen in one go. In fact, the Satori team carried out three waves of “distinct mitigation responses”, all between June and July 2022, before finally pulling the plug. The first resulted in a dramatic decrease in VASTFLUX’s traffic, but the operators adapted quickly. The second mitigation cut the billions of requests the campaign sent at the peak of its operations by 92 percent. The third and final mitigation further blocked VASTFLUX’s activity.

The Satori team identified the operators behind this ad fraud scheme, but they didn’t name them. Working closely with fraud abuse organizations, the team brought VASTFLUX to its inevitable end in December. “[B]id requests associated with VASTFLUX, which reached a peak of 12 billion requests per day, are now at zero,” the team proudly declared in their blog.

Because this ad fraud campaign particularly targets ad slots within apps, it is highly likely that legitimate apps would start showing VASTFLUX-related ads. As a result, any iOS user may experience the effects of multiple videos playing in the background while using an app, such as slower device performance, faster battery drain, and even overheating.

These are classic symptoms of adware infection, and if your device is experiencing one or more of them, be suspicious and try to identify which apps are responsible. Perhaps it’s time to start paying attention to how your device behaves. The researchers listed these additional red flags you should be looking out for:

  • The device’s screen seems to turn on at unexpected times and without prompting, like in the middle of the night.
  • An app suddenly slows down the performance of the device.
  • Data use jumps dramatically from one day to the next.
  • An app crashes frequently and without warning.

Stay safe!


Own an older iPhone? Check you’re on the latest version to avoid this bug

In December 2022, we warned our readers about an actively exploited vulnerability in Apple’s WebKit. Back then we wondered why Apple specifically stated that the issue may have been actively exploited against versions of iOS released before iOS 15.1.

At the time, our resident Apple expert Thomas Reed said that Apple has been known to release fixes for older systems when it is aware of active attacks taking place. And indeed, Apple has now released security content for iOS 12.5.7, which includes a patch for this vulnerability.

Affected devices

The patch is available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The update may already have reached your device during your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.

Here’s how to update your iPhone or iPad.

Since the vulnerability we’ll discuss below is already being exploited, it’s important that you install the update on your devices as soon as you can, if you haven’t already.

The vulnerability

The bug (CVE-2022-42856) was found in WebKit, which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. In essence, this means an attacker can try to lure victims to a malicious site to compromise their devices. But Apple has not disclosed any details about the circumstances under which the vulnerability was actively exploited.

Other updates

There is also new security content for iOS 15.7.2 and iPadOS 15.7.2 and security updates for a lot of other Apple software.

Key takeaways from Malwarebytes 2023 State of Mobile Cybersecurity

The results of our latest survey on mobile cybersecurity in K-12 and hospitals are in—and it’s not all peaches and roses.

When we talk about endpoint protection, it’s natural to think only about the most commonly compromised endpoints, like work laptops and servers—but your smartphone isn’t off the hook.

There are plenty of risks associated with mobile devices, and we ignore them at our peril. In 2020 alone, almost 50% of organizations had at least one employee download a malicious mobile application that threatened their organization’s network and data.

Certain industries, such as education and healthcare, face their own distinct set of challenges when it comes to mobile security, namely a diverse range of endpoints and lackluster budgets and infrastructure.

To better understand the mobile security landscape, we asked 250 schools and hospitals about their mobile security posture (including Chromebooks). The average organization surveyed was based in North America and had anywhere from 250 to over 5000 endpoints.

Here are some key takeaways.

45% of schools reported that at least one cybersecurity incident last year started with Chromebooks or other mobile devices

Almost 30% of schools and hospitals aren’t protecting mobile devices with their current endpoint protection solution

77% of organizations are confident in their ability to protect mobile devices, including Chromebooks, from cybersecurity threats

Chromebooks and employee devices rank top among schools’ riskiest attack surfaces

63% of organizations say cost is their biggest concern for their current mobile security tools

58% of organizations’ cybersecurity budgets are the same compared to 2022

Mobile security for resource-constrained organizations

Don’t let mobile and Chromebook threats catch you off guard in 2023.

Malwarebytes 2023 State of Mobile Cybersecurity showed that while most organizations may be confident in their mobile security posture, almost a third aren’t currently protecting their mobile endpoints and close to half have experienced a cybersecurity incident due to a mobile device or Chromebook in 2022.

Needless to say, today’s organizations and public sector institutions need to protect a growing number of mobile endpoints, including Chromebooks.

Enter Malwarebytes Mobile Security for Business, which extends our award-winning endpoint protection to mobile devices. Tailor-made for organizations with resource constraints, it lets IT teams manage protection across Chrome OS, Android and iOS devices from the same cloud-native console that monitors their servers, workstations, and laptops.

Learn more about mobile security and why it’s important, and check out our blog posts “Improving security for mobile devices: CISA issues guides” and “Do Chromebooks need antivirus protection?” for more tips on improving your organization’s mobile and Chromebook security posture.

Stay vigilant!