IT NEWS

Google sponsored ads lead to rogue imitation sites

There’s a big push in rogue advert land at the moment, with multiple forms of bogus websites being used as bait to rob people of their logins and funds.

This story first came to light a few days ago, with news of a well-known cryptocurrency fan, “NFT God”, being caught out by a bogus video recording tool.

NFT God lost pretty much all of his digitally accrued wealth after the malicious executable grabbed his logins and switched out his digital wallet details. He arrived at this fake video editing tool thanks to a rogue sponsored ad sitting at the top of his Google search results.

Once the file was installed, it set about sending all pertinent login details back to base and the damage was done. The fallout continued as various logins were compromised and phishing attempts were sent to his 16,000 or so Substack followers.

Rogue ads: following a trend

Following up on this prominent tale of hijacking in cryptocurrency circles, Bleeping Computer did some investigation of its own and found a lot more bad ads vying for attention in Google. It’s not just imitation OBS files you have to watch out for. USB booting tools, PC maintenance tools, multiple unnamed programs, and a malicious Notepad++ found by security researcher Will Dormann are just a few of the highlights on display. In fact, several other researchers found their own bad-ad equivalents too, with one able to put together a list of no fewer than 70 rogue advert domains.

The sites being used for these scams typically rely on typosquatting: URLs which are similar, but not identical, to the real thing are used as the launchpad for the malicious downloads. These sites tend to copy pieces of the real site, if not the entire site, to look as convincing as possible. A related tactic is to make most of the clickable URLs on the fake portal point to the real thing, with the sole exception being the bogus download. Whatever it takes to appear as convincing as possible.

When the fake sites are out, but not down

Google told Bleeping Computer that the sites in question have since been removed from its ad program. This doesn’t necessarily mean that the sites have been taken offline, and they may well still be out there waiting to strike somewhere else. They could easily be sitting in regular results in another search engine, or be placed into a non-Google related search engine ad program.

This also doesn’t mean all rogue sites have been removed from the search results listings, and caution should always be exercised where ads are concerned.

How do you avoid bad ads?

It wasn’t so long ago that the FBI warned of rogue adverts popping up in search engine results. That warning also included a reference to blocking ads, which some folks may not have expected to see in an FBI release.

The advice for steering clear of rogue adverts likely includes some best practices you’re already aware of and make use of. In an ideal world we wouldn’t have to worry about such things, but despite whatever quality control and ad inventory checking is in place at major search engines this keeps happening anyway. With this in mind:

  • You probably have the URL you need. It’s somewhat unusual for many people to have zero idea of the genuine URL for a major brand, service, product, and so on. Your first interaction with said entity will almost certainly have their genuine URL printed on a banner, box, instruction manual, or anything else you care to mention. Navigate directly to the site in this instance, because you don’t need to go digging around in search engines.
  • Careful searching. If you do need to go looking, cross reference the URLs you see in search engines with a search of your own. If it’s legitimate, you should see a large number of people and businesses referencing it.
  • Report bad ads. If a sponsored ad is up to no good, there should be a way to report from the search engine in which you found it. You’re doing your part to help the next person who comes along stay safe!
  • The thorny blocking issue. If you choose to block ads, be aware that the way you block may break functionality of the site you’re on. Some sites will insist you turn off your ad blocker. Others may simply not work anymore if you use script blocking or turn off JavaScript. It’s not so much a case of “job done”, as it is “job just getting started”.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability

Users of multiple Zoho ManageEngine products are under urgent advice to install the patch issued October 27, 2022. The advice is urgent because on January 13, 2023 the Horizon3 Attack Team tweeted that Proof of Concept (PoC) code and a deep-dive blog will be released within a week.

Mitigation

A long list of vulnerable ManageEngine products and their fixed version can be found in the ManageEngine advisory. Clicking on the URLs under Fixed Version(s) behind the affected product takes you to the update instructions for that product.

The vulnerability

The vulnerability, listed under CVE-2022-47966, is described as an unauthenticated remote code execution vulnerability. The vulnerability is caused by the use of an outdated third-party dependency, Apache Santuario. Apache Santuario is used for XML syntax and processing. The vulnerability allows a successful attacker remote code execution with SYSTEM level access, meaning the entire system could be compromised.

Zoho used Security Assertion Markup Language (SAML) to simplify the authentication process. SAML is an open standard used for authentication and based upon the Extensible Markup Language (XML) format.

According to Horizon3:

The vulnerability is easy to exploit and a good candidate for attackers to “spray and pray” across the internet.

Exploit

An attacker would need to send a specially crafted SAML request to trigger the exploit.

Please note that, depending on the specific ManageEngine product, this vulnerability is exploitable if SAML single sign-on is enabled or has ever been enabled. So, even if you do not currently have SAML enabled, you are advised to install the patch as a priority.

A Shodan scan performed by the researchers showed 5255 exposed instances of ServiceDesk Plus of which 509 have SAML enabled, and 3105 exposed instances of Endpoint Central, of which 345 have SAML enabled. At the moment we have no knowledge of active attacks against this vulnerability, but that might change rapidly once the PoC code is available.

In September 2022, an RCE vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier) was found to be actively exploited after several PoCs and a Metasploit module for it were made public.

IOCs

IOCs for ServiceDesk Plus, Endpoint Central, and Other ManageEngine Products can be found in the blogpost by Horizon3 about this vulnerability.



CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA

Software development service company CircleCI has published its incident report on a breach that happened in December.

CircleCI revealed an engineer’s laptop was successfully infected with a yet-to-be-named information-stealing Trojan, which was used to steal an engineer’s session cookie. The company didn’t provide information on how the malware got onto the laptop.

From the report:

“This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.”

In this case, the session cookie was an authentication token, described in the report as a “2FA-backed SSO session” cookie. This is a kind of authentication cookie that is stored by a web browser after you successfully log in to a website. When the browser interacts with restricted content, it uses the cookie to prove that you have logged in, so you don’t need to reenter your password over and over again.

Stealing a user’s authentication cookie gives an attacker exactly the same access as they’d get if they stole the user’s password and logged in. In this case, the account wasn’t just protected by a password, it was also protected by some form of two-factor authentication (2FA). By stealing an authentication cookie, the attacker was able to perform an end run around the 2FA (and any other forms of authentication) protecting the account.

Thankfully, stealing authentication cookies isn’t easy, and in this case the attacker was only able to do it by installing malware on an engineer’s laptop, from where they could probably have stolen the victim’s passwords and 2FA tokens eventually anyway.
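The point above is that, once issued, the session cookie is the credential, and the 2FA check it stands for is not repeated. The added example below is not CircleCI’s code; it shows the kind of server-side policy that limits what a copied cookie can do: an absolute session lifetime, a client-binding check, and a fresh MFA prompt before actions such as generating tokens. The thresholds, field names and the sample sessions are assumptions constructed for illustration.

```python
"""Added example (not CircleCI's code): server-side checks that limit what a
stolen session cookie can do. Thresholds, field names and the sample sessions
below are assumptions constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Actions that should never ride on the session cookie alone: a fresh MFA
# check is required before they run (assumed policy values).
SENSITIVE_ACTIONS = {"create_token", "rotate_secret", "read_env_vars"}
MAX_SESSION_AGE = timedelta(hours=12)   # absolute lifetime of the SSO session
MFA_FRESHNESS = timedelta(minutes=15)   # how recent the last MFA check must be


@dataclass
class Session:
    user: str
    issued_at: datetime         # when the SSO login completed
    mfa_verified_at: datetime   # last time MFA was actually checked
    client_ip: str              # client the cookie was issued to
    user_agent: str


@dataclass
class Request:
    session: Session
    client_ip: str
    user_agent: str
    action: str
    at: datetime


def evaluate(req: Request) -> str:
    """Decide what to do with a request that presents a session cookie.

    Returns "allow", "step_up" (re-prompt MFA before continuing) or "deny"
    (treat the cookie as invalid and force a full login).
    """
    s = req.session
    # Sessions expire even when kept alive by activity, which bounds how long
    # a stolen cookie stays useful.
    if req.at - s.issued_at > MAX_SESSION_AGE:
        return "deny"
    # A cookie arriving from a different network location *and* a different
    # browser than it was issued to is the classic shape of a copied cookie.
    ip_changed = req.client_ip != s.client_ip
    ua_changed = req.user_agent != s.user_agent
    if ip_changed and ua_changed:
        return "deny"
    # Sensitive actions require a recent MFA check, and any change in the
    # client's network location triggers a fresh one.
    if req.action in SENSITIVE_ACTIONS:
        if ip_changed or req.at - s.mfa_verified_at > MFA_FRESHNESS:
            return "step_up"
    return "allow"


def demo() -> list:
    """Run constructed scenarios through evaluate(); times and hosts are made up."""
    t0 = datetime(2022, 12, 16, 9, 0, tzinfo=timezone.utc)
    sess = Session("engineer", t0, t0, "203.0.113.10", "Mozilla/5.0 (laptop)")
    cases = [
        Request(sess, "203.0.113.10", "Mozilla/5.0 (laptop)", "read_dashboard", t0 + timedelta(minutes=5)),
        Request(sess, "203.0.113.10", "Mozilla/5.0 (laptop)", "create_token", t0 + timedelta(minutes=40)),
        # the same cookie replayed from elsewhere with a different client
        Request(sess, "198.51.100.7", "curl/7.88", "create_token", t0 + timedelta(hours=1)),
        Request(sess, "203.0.113.10", "Mozilla/5.0 (laptop)", "read_dashboard", t0 + timedelta(hours=13)),
    ]
    return [evaluate(c) for c in cases]


if __name__ == "__main__":
    print(demo())  # ['allow', 'step_up', 'deny', 'deny']
```

None of these checks makes cookie theft impossible, but together they turn a stolen cookie into a short-lived, low-privilege credential instead of a full stand-in for the user’s password and 2FA.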

A customer alerted the company to “suspicious GitHub OAuth activity” on December 29, 2022, leading to the conclusion that this customer’s OAuth token had been compromised. As a result, CircleCI says it proactively began rotating all customer-associated tokens on their behalf. These include Project API, Personal API, and GitHub OAuth tokens.

CircleCI made an official announcement of its security breach on January 4 of this year, urging all its clients to rotate “any and all” their secrets—passwords or private keys—stored in CircleCI and review logs for unauthorized access occurring between December 21, 2022, and January 4, 2023.

Because the victim employee is an engineer who routinely generates access tokens, the attacker “access[ed] and exfiltrate[d] data from a subset of databases and stores, including customer environment variables, tokens, and keys.” The company also has reason to believe that reconnaissance activity took place first on December 19, before exfiltration activity was spotted on December 22, just days after.

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the report further says.

Since then, CircleCI says it has been improving its infrastructure by adding behavior detection to its antivirus and mobile device management (MDM) system. It’s also restricted access to its production environments and increased the security of its 2FA implementation.

This recent cybersecurity incident with CircleCI isn’t a first. In 2019, the company was breached following a supply chain attack against its analytics vendor. Its account with the vendor was compromised, giving attackers access to some user data, which includes usernames and email addresses associated with GitHub and Bitbucket.



University suffers leaks, shutdowns at the hands of Vice Society

The Vice Society ransomware gang is back and making some unfortunate waves in the education sector. According to Bleeping Computer, the Society has held its ransomware-laden hands up and admitted an attack on the University of Duisburg-Essen. Sadly this isn’t the University’s first encounter with ransomware attacks, though it has proven to perhaps be its worst, given reports of leaks and changes to its IT infrastructure.

Ransomware and a destroyed network

When word spread of the attack back in November, it essentially shuttered the university’s entire network and removed it from the internet. Essential functionality such as email and telephone were entirely non-functional. “Large parts” of the servers were encrypted, alongside the usual ransom demands.

At the time, there was no word as to who did it. This has all changed now, with the leaking of files onto the dark web. A statement from the University mentions that it refused to pay the ransom, not wanting to support criminal offences or contribute to ransomware authors doing it to someone else next time. The University will also be contacting people and institutions affected by the data leak.

The shattering impact of a ransomware outbreak

The data appeared on the Vice Society leak page, which comes complete with pages “for journalists”, “for victims”, and even a blog. A short biography of the University sits above a “View Documents” link. Bleeping Computer says it found “financial documents, research papers, student spreadsheets”, and also backup documents.

Though it’s not possible for anyone but the University itself to confirm the legitimacy of these claims and files, on the surface it doesn’t sound very good. Vice Society has been targeting education for some time now, with an ever growing number of schools and learning resources being massively impacted by the attacks.

The UDE attack alone broke the University’s IT in half at the end of November, bringing portions of the network back online in a way that was so unsatisfactory that the whole thing had to be rebuilt from the ground up a week or so into the start of January.

This is, of course, potentially devastating for educators who can no longer teach effectively, and students themselves who can no longer learn without additional hurdles to jump. Not all education sectors have the ability to teach remotely or even provide learning materials away from the classroom. If this disruption spills into test time or revision periods, things can quickly become a bit of a nightmare all round.

Keeping ransomware at bay

It’s not easy to fend off a determined ransomware attack, especially from an experienced group or someone making use of professional Ransomware as a Service (RaaS) tools. However, there are many ways to reduce the attacker’s window of opportunity.

  • Plan your emergency response. Who is responsible for what, and which data needs removing from the network as fast as possible?
  • Lock down your Remote Desktop Protocol. Weak passwords, no 2FA, and no limit on how many times someone can try to log in spell disaster.
  • Back up your data. Keep it away from the network, and test the backups on a regular basis.
  • Update your devices and your security tools, and run regular security scans across the network.

Stay safe out there!



Fighting technology’s gender gap with TracketPacer: Lock and Code S04E02

Last month, the TikTok user TracketPacer posted a video online called “Network Engineering Facts to Impress No One at Zero Parties.”  TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked in a network operations center, or NOC, and who’s earned her Cisco Certified Network Associate certificate, or CCNA. 

In the video, Cooper told listeners about the first spam email being sent over Arpanet, about how an IP address doesn’t reveal that much about you, and about how Ethernet isn’t really a cable—it’s a protocol. But amidst Cooper’s bite-sized factoids, a pair of comments she made about something else—the gender gap in the technology industry—set off a torrent of anger. 

As Cooper said in her video:   

“There are very few women in tech because there’s a pervasive cultural idea that men are more logical than women and therefore better at technical, ‘computery’ things.”

This, the Internet decided, would not stand. 

The IT industry is “not dominated by men, well actually, the women it self just few of them WANT to be engineer. So it’s not man fault,” said one commenter. 

“No one thinks it’s because women can’t be logical. They’re finally figuring out those liberal arts degrees are worthless,” said another. 

“The women not in computers fact is BS cuz the field was considered nerdy and uncool until shows like Big Bang Theory made it cool!” said yet another. 

The unfortunate reality facing many women in tech today is that, when they publicly address the gender gap in their field, they receive dozens of comments online that not only deny the reasons for the gender gap, but also, together, likely contribute to the gender gap. Nobody wants to work in a field where they aren’t taken seriously, but that’s what is happening. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cooper about the gender gap in technology, what she did with the negative comments she received, and what, if anything, could help make technology a more welcoming space for women. One easy lesson, she said:

“Guys… just don’t hit on people at work. Just don’t.” 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Web skimmer found on website of Liquor Control Board of Ontario

On January 12, 2023, the Liquor Control Board of Ontario (LCBO) published a news release about a cybersecurity incident, affecting online sales through LCBO.com. It is one of the largest retailers and wholesalers of beverage alcohol in the world.

Web skimmer

The cybersecurity incident was a web skimmer, which is designed to retrieve customer payment information. Or, in the words of the LCBO:

“an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process.”

LCBO has reset all LCBO.com account passwords.

Magecart

The web skimmer was identified by experts as a Magecart web skimmer. The malicious code injected was inside a Google Tag Manager (GTM) snippet encoded as Base64. The abuse of this legitimate Google service has been ongoing because it provides attackers free infrastructure upon which they can host their scripts, while also granting enhanced capability to avoid detection.

Malwarebytes’ Director of Threat Intelligence Jérôme Segura commented:

“The attack on LCBO’s online portal follows a trend we’ve seen before of injecting malicious code disguised as legitimate snippets such as Google Tag Manager. In this case, the threat actor added an extra level of stealth by loading the skimmer code via a websocket, instead of a more typical HTTP request. LCBO took quick action to take its site offline and publicly acknowledge and disclose the issue, which should be commended.”

The code only loads the skimmer if the current URL contains the string ‘checkou’ (note the missing ‘t’). It then opens a websocket for communication, which is more covert than a typical HTTP request. The Magecart domain is magento-cdn[.]net, which was registered less than a month ago.
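The indicators above (a Base64 blob inside a tag-manager snippet, a truncated ‘checkou’ trigger, and a websocket instead of an HTTP request) are all visible in the page source, so a site owner can check for them without executing anything. The example below is added here and is not code from the article or from LCBO: it extracts inline scripts from an HTML document, decodes any Base64 runs it finds in them, and reports which of the described indicators are present. The sample page, the placeholder websocket host and the indicator names are constructed; only magento-cdn.net comes from the article.

```python
"""Added example (not from the article or LCBO): a static check that pulls
<script> blocks out of a page, decodes any Base64 blobs inside them and looks
for the indicators the article describes. The sample page is constructed."""
import base64
import binascii
import re
from html.parser import HTMLParser

KNOWN_BAD_HOSTS = {"magento-cdn.net"}              # domain named in the article
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")  # candidate Base64 blobs
# 'checkou' not followed by 't': the truncated trigger string from the article
PARTIAL_CHECKOUT = re.compile(r"checkou(?!t)")


class _ScriptCollector(HTMLParser):
    """Collect the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inside = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._inside = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inside = False

    def handle_data(self, data):
        if self._inside:
            self.scripts[-1] += data


def decode_blobs(script: str) -> list:
    """Return the UTF-8 text of every Base64 run in the script that decodes."""
    decoded = []
    for m in B64_RUN.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded


def inspect_script(script: str) -> list:
    """Score one script (and whatever it decodes to) against the indicators."""
    findings = set()
    for text in [script] + decode_blobs(script):
        low = text.lower()
        if "eval(atob(" in re.sub(r"\s+", "", low):
            findings.add("eval-of-base64")
        if "new websocket(" in low or "wss://" in low:
            findings.add("websocket")
        if PARTIAL_CHECKOUT.search(low):
            findings.add("partial-checkout-trigger")
        for host in KNOWN_BAD_HOSTS:
            if host in low:
                findings.add("known-bad-host:" + host)
    return sorted(findings)


def scan_html(html: str) -> list:
    """Return (script_index, findings) for every inline script that hits."""
    p = _ScriptCollector()
    p.feed(html)
    return [(i, f) for i, s in enumerate(p.scripts) if (f := inspect_script(s))]


# Constructed sample: a normal GTM loader followed by a loader that hides its
# logic in Base64. The hidden part contains only the trigger check and the
# socket open that the article describes, and nothing else.
_HIDDEN = 'if(location.href.indexOf("checkou")!==-1){new WebSocket("wss://skimmer.example/ws");}'
SAMPLE_HTML = (
    "<html><head><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':"
    "new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],"
    "j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
    "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-EXAMPLE');"
    "</script><script>eval(atob(\"" + base64.b64encode(_HIDDEN.encode()).decode() + "\"))</script>"
    "</head><body>shop</body></html>"
)

if __name__ == "__main__":
    for idx, hits in scan_html(SAMPLE_HTML):
        print(f"script #{idx}: {', '.join(hits)}")
```

Run against a saved copy of your own checkout page, the genuine GTM loader produces no findings while the Base64-wrapped one is flagged on three counts. Skimmers loaded from an external URL rather than inline will not be caught by this check; those are the case for the integrity and policy controls discussed further down.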

Malwarebytes blocks magento-cdn.net

Stolen information

According to the press release, customers who provided personal information on check-out pages and proceeded to the payment page on LCBO.com between January 5, 2023, and January 10, 2023, may have had their information compromised.

The stolen information could include names, email and mailing addresses, Aeroplan numbers, LCBO.com account password, and credit card information.

LCBO is looking to contact those affected directly, but in the meantime all customers who initiated or completed payment for orders on LCBO.com during that time period should monitor their credit card statements and report any suspicious transactions to their credit card providers.

The vast majority of payment card records stolen by Magecart groups using the GTM container method were later offered for sale on Dark Web marketplaces.

Preventing web skimmers on your site

Operating an e-commerce website comes with certain responsibilities, especially if payment information is handled through it. It is usually a safer (and easier) practice to outsource the handling of financial transactions to larger, trusted parties. PCI compliance and risks associated with collecting data can be overwhelming, especially for site owners that would rather focus on the business side of things.

Third-party resource integrity checking is one security aspect that has been overlooked but can provide great benefits when loading external content. The reality is that a website usually cannot host all the content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.

This relationship does not necessarily mean having to weather the issues experienced by a third party. There are a number of threats that can be disseminated via third-party libraries. For this reason, implementing safeguards such as Content Security Policy (CSP) and Subresource Integrity (SRI) can help to mitigate many issues.
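Subresource Integrity pins a third-party script to the exact bytes you reviewed, so a modified copy served by the CDN is refused by the browser, and a Content Security Policy restricts where scripts may load from and where the page may open connections, including websockets. The example below is added here, not code from the article: it generates integrity values, checks a fetched resource against them the way a browser does (strongest listed algorithm wins), emits a pinned script tag, and builds a restrictive policy header. The CDN host and the sample script bytes are constructed.

```python
"""Added example (not the article's code): generating and checking Subresource
Integrity (SRI) values and a matching Content Security Policy header for
third-party scripts. The hosts and sample script bytes are constructed."""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the algorithms SRI allows, weakest first


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute (space-separated values allowed).

    Like a browser, only the strongest algorithm present is considered, and the
    resource passes if any value for that algorithm matches.
    """
    by_algo = {}
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGORITHMS:
            by_algo.setdefault(algo, []).append(token)
    if not by_algo:
        return False  # unknown algorithms only: nothing usable to verify against
    strongest = max(by_algo, key=SRI_ALGORITHMS.index)
    expected = sri_hash(data, strongest)
    return any(hmac.compare_digest(expected, tok) for tok in by_algo[strongest])


def script_tag(src: str, data: bytes) -> str:
    """Emit a <script> tag pinned to the exact bytes you reviewed."""
    return f'<script src="{src}" integrity="{sri_hash(data)}" crossorigin="anonymous"></script>'


def csp_header(script_hosts) -> str:
    """Build a CSP that allows scripts only from self and an explicit host list.

    connect-src 'self' also stops page scripts opening fetch/XHR/websocket
    connections to any other origin.
    """
    allowed = " ".join(["'self'"] + sorted(script_hosts))
    return (
        f"default-src 'self'; script-src {allowed}; "
        "connect-src 'self'; object-src 'none'; base-uri 'self'; "
        "form-action 'self'"
    )


if __name__ == "__main__":
    reviewed = b"window.checkoutHelper = function () { return 1; };"  # constructed
    print(script_tag("https://cdn.example/helper.js", reviewed))
    print(csp_header({"https://cdn.example"}))
    print(verify_sri(reviewed, sri_hash(reviewed)))                # True
    print(verify_sri(reviewed + b"//tamper", sri_hash(reviewed)))  # False
```

The trade-off is operational: every legitimate update to the pinned script needs a new integrity value, so SRI suits libraries you version deliberately rather than tag-manager snippets that change without notice. For those, the `script-src` and `connect-src` directives do the heavy lifting.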

Not falling victim

One thing to keep in mind as consumers is that we are largely placing our trust in the online stores where we are shopping. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones.

Using browser plugins such as NoScript can prevent JavaScript loading from untrusted sites and therefore reduces the attack surface. However, it has the same shortcomings when malicious code is embedded in already trusted resources.

Magecart and other web skimmers can be mitigated at the exfiltration layer, by blocking connections to known domains and IPs used by the attackers. It is not foolproof, though, considering how trivial it is to register new properties. But infrastructure reuse is something we still see quite often.



Timely patching is good, but sometimes it’s not enough

Ransomware gangs have shown that they can play a long game, so it shouldn’t come as a surprise to learn of one prepared to wait months to make use of a compromised system.

S-RM’s Incident Response team shared details of a campaign attributed to the Lorenz ransomware group that exploited a specific vulnerability to plant a backdoor that wasn’t used until months later.

Lorenz

The Lorenz ransomware group first appeared on the radar in 2021. They have targeted organizations all over the world and are known to specialize in VoIP vulnerabilities to access their victims’ environments. Like many ransomware groups, they steal their victims’ data before encrypting it, so they can add the threat of leaked data to the threat of encryption making it irrecoverable.

Vulnerability

The researchers found in a specific case that the Lorenz group was able to exploit a vulnerability listed as CVE-2022-29499 a week prior to it being patched. This vulnerability, which has a CVSS score of 9.8 out of 10, exists in the Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 and allows remote code execution because of incorrect data validation. Essentially the vulnerability allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution.

Exploited

After a vulnerability has been discovered and patched, it is not uncommon for organizations to wait for a convenient moment to apply the patch. But as soon as a patch is made available, threat actors have the opportunity to reverse engineer it, find the vulnerability, create an exploit, and then scan for vulnerable systems. It’s exactly this window of opportunity that the Lorenz ransomware group managed to exploit, in order to install a web shell on the vulnerable system. This web shell has a unique name and requires credentials to access the system.

The shell was placed some five months before the actual ransomware event, and sat dormant throughout that period. Whether the backdoor was created by an Initial Access Broker (IAB) and then sold on to the ransomware group, or whether the Lorenz group created it themselves, is unknown. But the result is the same.

Why wait?

The time between the compromise and the deployment of the ransomware can be explained by several theories.

  • The backdoor was planted by an IAB that waited for the right offer to sell off their access to the compromised system.
  • When an easy to exploit vulnerability is available, a group will first compromise as many systems as possible and later work their way through the list of victims.
  • With the initial breach the threat actor replaced several key artefacts on the perimeter CentOS system, effectively blocking the creation of any additional logging or audit data. After a while old logs will be deleted and no new ones are created, which improves the attacker’s chances of going in undetected.

Patching

Besides showing us how important it is to patch in a timely fashion, this vulnerability has shown us that patching alone is not always enough.

Victims were claimed using this vulnerability before a patch was available. The vulnerability was found by investigating a suspected ransomware intrusion attempt, so there was at least one group that was able to use the vulnerability while it was still a zero-day.

The exploit details were published in June and the victim patched in July, but was compromised a week prior to patching. So, the backdoor was planted during the time between the patch being released and it actually being installed, the so-called “patch gap”.

Monitoring

So, what else do we need to do when we patch a vulnerable system? A difficult question with no easy cure-all answer. But there are some pieces of advice we can give:

  • Keep the patch gap as small as possible. We know it’s not easy, but it helps a lot.
  • Check vulnerable devices before and after patching for indicators of compromise (IOCs). They may not always be available, but when it concerns a vulnerability that’s known to have been exploited you may be able to find the IOCs or figure out where to look.
  • Constant monitoring. If you didn’t find the backdoor, make sure you have the capabilities to find the tools threat actors use for lateral movement, and block the final payload (ransomware in this case).
  • Look for unauthorized access or atypical behavior originating from the recently patched device/system.
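Checking a device before and after patching, as the second point advises, is much easier when you have a baseline to compare against: a web shell dropped during the patch gap is a file that was not there before. The example below is added here and is not S-RM’s or the article’s tooling: it hashes every file under a directory into a manifest, compares two manifests, and orders the findings so that newly appeared server-side scripts are reviewed first. The directory layout, file names and script-extension list are constructed assumptions.

```python
"""Added example (not S-RM's or the article's tooling): a baseline-and-compare
integrity check for a directory such as a web root, so that files dropped
between a patch's release and its installation stand out. The paths and
sample files are constructed."""
import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report what appeared, disappeared or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Extensions the web server would execute; an assumed list, adjust per platform.
SCRIPT_SUFFIXES = (".php", ".jsp", ".aspx", ".cgi", ".py")


def triage(diff: dict) -> list:
    """Order findings so that new server-side scripts are reviewed first."""
    urgent = [p for p in diff["added"] if p.lower().endswith(SCRIPT_SUFFIXES)]
    rest = [p for p in diff["added"] if p not in urgent] + diff["modified"] + diff["removed"]
    return urgent + rest


def demo() -> dict:
    """Snapshot a constructed web root, 'patch' it, drop an extra file, compare."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "index.php"), "w") as f:
            f.write("<?php echo 'v1';")
        with open(os.path.join(app, "style.css"), "w") as f:
            f.write("body{}")
        baseline = build_manifest(root)          # taken before the patch window
        # The vendor patch legitimately rewrites index.php...
        with open(os.path.join(app, "index.php"), "w") as f:
            f.write("<?php echo 'v2';")
        # ...while an unexpected script also appears in the same window.
        with open(os.path.join(app, "cache_helper.php"), "w") as f:
            f.write("<?php // unexpected")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    diff = demo()
    print(diff)            # added: app/cache_helper.php, modified: app/index.php
    print(triage(diff))    # the new .php file is listed first
```

Expected modifications (the files the patch is documented to touch) can be subtracted from the result; anything left, above all an executable file that the patch does not account for, is where the investigation starts.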


Multiple schools hit by Vice Society ransomware attack

The real world impact of cybercrime rears its head once more, with word that 14 schools in the UK have been caught out by ransomware. The schools, attacked by the group known as Vice Society, have had multiple documents leaked online in the wake of the attack.

One of the primary schools highlighted, Pate’s Grammar School, was affected on or around September 28, 2022. The school eventually realised that data had been stolen around October 14, and notified parents. Law enforcement is investigating, but this timeline of not knowing data had been exfiltrated for a week or two is sadly common.

Schools: A recurring target

Vice Society is no stranger to school compromise, having most recently been in the news for threatening to leak data from the LA Unified School District. In that incident, the School District refused to pay up despite the threat of eventual data leakage should they not comply with the ransom demands.

Here, the same pattern of attack has been followed with data leaked after non-payment of the ransom. There’s going to be quite a bit of concern for parents and teachers alike, with sensitive data being thrown into the mix.

According to the BBC, the data includes:

  • Passport scans of both pupils and parents which date back to 2011
  • Contractual offers made to members of staff
  • Headmaster’s pay and student bursary fund recipients
  • Special Educational Needs (SEN) data 

Other, unnamed confidential documents were seen which belong to a variety of other schools from across all parts of the UK. The responses to the attacks from the schools are a mixed bag. Some reported the attack to teachers but did not notify them that data had been taken. Others notified their IT department but not parents and pupils. One school reports roughly 18,680 documents having been stolen.

The word from law enforcement

There’s no word if any of the schools affected paid the ransom and had their data leaked anyway, or if the ransomware gang stuck to its word and “only” leaked in cases of non-payment. As we’ve seen recently, cyber insurance is no guarantee of avoiding a ransomware pitfall either with refusal of payout being decided in a court of law.

Schools are a juicy target for ransomware affiliates. Schools often lack both funding and IT expertise, which can mean they’re an easier target than sectors where funding for cybersecurity is more available. The impact on students can be immediate, with no access to teaching resources, cancelled exams, or even a total school shutdown.

The FBI has already issued multiple alerts with regard to school attacks down the years, with a joint FBI / CISA alert dedicated to Vice Society back in September of last year:

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff…School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk.

The message is loud and clear: If you’re in education, you’re sadly a target for some of the most prolific ransomware groups around and geographical location is no restriction.

Avoiding the breach

If you’re compromised, there’s no guarantee the attackers will play nice should you pay up. They may leak the files they’ve stolen anyway, or the decryption tool you’re given to recover your files might not work properly. Our advice is to never pay. Here’s some things to think about in terms of warding off ransomware attacks:

Remote Desktop Protocol (RDP) compromise. While we don’t know how the attackers got into so many school networks, we can say that RDP is often used to gain entry to targets. Ensure your RDP points are locked down with a good password and multi-factor authentication. If you require a VPN to access it, ensure the VPN is locked down with MFA and other security measures appropriate to your network too. Rate limiting is a great way to fend off brute force attempts on your login.

Back up your data. Backups are the last line of defence against an attack that encrypts your data. This makes your backups a target for attackers, so they need to be offline and offsite so they are completely out of reach. They also need to be tested regularly to make sure they can be restored and aren’t missing anything vital. Backups are not a defence against attackers that steal and leak the data.

Make an emergency plan sooner, rather than later. Too many incidents happen and the first reaction is “What do we do now?” Take the initiative. Work out who is contacted first in the event of an emergency, which data is the most sensitive and valuable on your network, and what do you need to restore access to first after an attack. You may have a backup plan in place, but who is responsible for setting it in motion? Are you aware of your legal data breach notification responsibilities? These are all valuable components of a solid response strategy.

Keep your tools in good shape. Are your security tools and network endpoints updated and patched? Ensure that you’re running regular scans and looking for unusual activity on the network. On a related note, keep your security tool licences up to date. You don’t want to discover, mid-incident, that someone in accounting didn’t authorise a payment for another year’s worth of security detection and remediation.

Stay safe out there!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

3 ways Malwarebytes helps you browse securely and privately online

Malicious links. Third-party ad trackers. Information-gobbling data brokers.

Let’s face it, the Internet is kind of like the Wild West when it comes to threats to our privacy and security. And unfortunately, it takes a little more than a cowboy hat and a pistol to defend yourself out there.

That’s where Malwarebytes Premium + Privacy VPN comes in.

Whether it’s blocking unwanted trackers, securing your personal information, or booting malware off your devices, here are three ways Malwarebytes can help you become the sheriff of your own digital frontier.

1. Lets you browse anonymously

It’s no secret that some companies are big fans of your personal information.

Your name, your address, location data, and more, are all being collected, packaged up, and sold to advertisers at any given moment. Even menstrual cycle data is fair game.

But one of the most valuable pieces of information is your browsing history, because it says a lot about what you like and where you spend your time. When it comes to getting a good look at your browsing, your ISP has a window seat, and in the USA ISPs have been allowed to sell your browsing data since 2017.

The easiest and most effective way to put a stop to that? Using a Virtual Private Network, or VPN.

VPNs create a secure, encrypted “tunnel” between your device and the VPN server, through which all of your internet traffic is routed. If your ISP is collecting your data, all it can see is encrypted traffic to the VPN server, not the sites you visit.

But not all VPNs are equal.

Some VPN providers log your data and browsing history, which means they’re just another ISP that can potentially share your data with third parties. Other VPNs can slow down your Internet to a significant degree, using older encryption methods or having fewer options for servers located nearer to you.

Needless to say, choosing the wrong VPN vendor can feel like trading one poison for another. So if you’re tired of dealing with both data-hungry companies and lackluster VPNs, then look no further than Malwarebytes Privacy.

2. Crushes ads, third-party trackers, and blocks malicious websites

We ignore the many threats to web browsers at our own peril.

Legitimate sites follow us with third-party tracking code, while criminal hackers make friendly sites unfriendly by injecting credit card skimmers into them and try to steal our passwords with phishing sites. One way or another, wherever you go, your personal, sensitive data is being stolen or shared with somebody who will use it for financial gain.

And your browser? It lets this happen without complaint.

If you think your browser comes with native abilities to block tracking scripts and other threats like phishing websites, though, you’d be half right.

Chrome has the infamously useless ‘Do Not Track’ setting, and anti-phishing engines exist, like Chrome Safe Browsing or Microsoft Defender SmartScreen, but they work with variable levels of success and aren’t enough by themselves.

It stands to reason then that Malwarebytes Browser Guard is the ultimate browsing sidekick for quashing ads, phishing sites, and trackers.

  • You’re in charge. We prevent third-party ad trackers from collecting information about your browsing habits.
  • Shields up. We intercept (and block) malicious skimming scripts before your browser can execute them.
  • Clear the clutter. Browse up to 4x faster by blocking ads and other unwanted content.
  • Uses heuristics to sniff out and block unknown phishing sites.
  • Available on your preferred browser—for free!


Malwarebytes Browser Guard blocking a credit card skimming attack

3. Uses multiple protection layers to actively stop threats

A key part of browsing securely online is accepting the risk that no one technology can keep out 100 percent of the threats 100 percent of the time.

To that end, it’s essential to use a strong anti-malware product that catches any threats that do slip through the cracks and make it to your desktop.

But that’s not all. To quote everybody’s favorite ogre, security has “layers” just like onions, so your anti-malware should also have multiple layers of defense, not just one.

Because what’s better than one layer of protection? Two.

What’s better than two? Three.

Better than that?

(Okay, you get the point.)

The fact is you don’t want to rely on any one mechanism to keep the wolves at bay, you want several.

Enter Malwarebytes Premium, offering four different layers of malware protection.

  • Advanced web protection. Blocks outgoing or incoming communication so malware can’t receive instructions or steal your data.
  • Malware & PUP protection. Blocks malware, viruses, adware, potentially unwanted programs (PUPs), and other threats.
  • Ransomware protection. Proprietary ransomware attack prevention technology.
  • Exploit protection. Blocks malware which seeks to leverage bugs and vulnerabilities in your device.

Go beyond just antivirus. Level-up your security and privacy today.

Choosing between security and privacy shouldn’t feel like a Herculean task.

While no single method is ever 100 percent foolproof, there are some tried and true ways for keeping your data (and device) safe that, if put into practice, will guard you from most of the threats and prying eyes on the Internet.

Downloading Malwarebytes is one of those ways.

With the Malwarebytes Premium + Privacy VPN bundle, you get total protection with smart antivirus, faster, safer web browsing, and our next-gen VPN for your online privacy. Level-up your protection and upgrade to the bundle today.

Stay safe out there!


US Department of the Interior’s passwords “easily cracked”

It’s bad news for the US Department of the Interior: a government watchdog’s security audit has found that its passwords are simply not up to the job of warding off cracking attempts.

The audit’s wordy title was not kind:

P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk

The audit, which used a list of “more than 1.5 billion words” and a dedicated cracking rig costing only around $15,000, tested those words against the password hashes of the department’s Active Directory accounts. The list combined public password lists, pop culture and government terminology, and dictionaries in several languages.

How well did the 86,000 or so hashes hold up? The answer is, sadly, not hugely encouraging.

A poor show of security practices

According to the results:

  • 21 percent of the 85,944 hashes tested were cracked
  • Close to 300 of the cracked accounts had elevated privileges, as opposed to simply being “regular” accounts
  • 362 of the cracked accounts belonged to senior employees

Perhaps more worryingly, multi-factor authentication (MFA) is not being used as widely as it could be. This may not be a surprise to regular readers. We’ve often talked about low MFA adoption rates, and this is despite large organisations like Google doing everything possible to drive people toward such setups.

25 out of the department’s 29 so-called high value assets were not protected by MFA. According to the audit, a compromise of these systems could “severely impact agency operations”.

4.75 percent of all active user accounts were based on the word “password”, and the department’s complexity requirements meant that variations of “password” combined with “1234” met the rules despite being trivially easy to crack.

The report makes several recommendations for better security practices, but Ars Technica notes that at least one of these is itself perhaps not the best of advice. The audit takes the Department of the Interior to task for not sticking to password changes every 60 days. Many practitioners, and NIST’s current guidance in SP 800-63B, hold that forced periodic rotation just leads to weak password alterations, and that passwords should instead be changed when there is evidence of compromise. (If your staff think password1 is a decent password they’ll just change it to password2 after 60 days.)

Tackling your password problems

If you’re worried about your organisation’s password routine, there are steps you can take to make it a lot more secure.

  1. Multi-factor authentication (MFA). MFA renders a cracked password almost useless on its own, no matter how weak it is: the attacker may still recover the password, but can’t log in with it. The best form of MFA is a FIDO2 device, like a hardware key, because it can’t be phished, although almost any form of MFA is better than none.
  2. Strong passwords. Most humans are terrible at coming up with just one strong password, and most of us need about 100 of them. Password managers solve this problem by creating and remembering strong passwords. The key part here is to ensure that the master password is also strong, and that access to the password manager itself is gated behind an additional layer of login security.
  3. Password requirements. If your complexity requirements sound good on paper, but allow for passwords like “p@ssw0rd123”, then you need to set about revising them. Research suggests that forcing users to make a password that passes a formula doesn’t help much. It’s better to simply block common passwords (and their obvious variations) and have users focus on choosing long passwords rather than shorter, more complex ones. This is also what NIST SP 800-63B recommends: check new passwords against a blocklist of common and previously breached passwords, and favour length over composition rules.
  4. Rate limit login attempts. For as long as the login requires an online component of some kind, you can make life very difficult for attackers by only allowing 3 or 4 failed attempts before shutting them down for a period of time. Count failures per source address as well as per account, so that password spraying is caught too and an attacker can’t trivially lock your own staff out. Bear in mind that none of this helps once an attacker has stolen the hashes and is cracking them offline, which is exactly what the audit simulated; there, only the strength of the password and MFA on the account protect you.
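
As an added example (not the auditors’ tooling, which the page doesn’t describe, nor any product’s code), the following Python reproduces the audit’s approach at toy scale: an offline dictionary attack with a few cheap mangling rules against NT (NTLM) password hashes. NT hashes are what Active Directory stores and are assumed here because the page says only “cryptographic hashes”. The MD4 routine is pure Python because hashlib.new("md4") is missing on many OpenSSL 3 builds. The account names, passwords and wordlist are constructed for the example; the hash given for “password” is the well-known NT hash of that string. The same normalisation that turns “P@ssw0rd123” back into “password” then doubles as the blocklist check that item 3 above recommends in place of composition rules.

```python
import re
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Only here because hashlib lacks md4 on many
    OpenSSL 3 builds; it is not meant to be fast."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for i in range(48):                           # three rounds of 16 steps
            if i < 16:
                fn, k, s, c = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                j = i - 16
                fn, k, s, c = g, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                j = i - 32
                fn, k, s, c = h, r3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            u = (-i) % 4                              # update a, d, c, b in turn
            v[u] = _rotl((v[u] + fn(v[(u + 1) % 4], v[(u + 2) % 4], v[(u + 3) % 4]) + x[k] + c) & _MASK, s)
        state = [(a + b) & _MASK for a, b in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). Unsalted, so equal passwords share a hash."""
    return md4(password.encode("utf-16le")).hex()


_LEET = str.maketrans("aoei", "@031")
_UNLEET = str.maketrans("@031", "aoei")


def candidates(word):
    """Mangling rules of the kind that crack 'Password1234'-style passwords."""
    bases = {word, word.capitalize(), word.translate(_LEET), word.translate(_LEET).capitalize()}
    for base in sorted(bases):
        for suffix in ("", "!", "123", "1234", "2023"):
            yield base + suffix


def crack(hashes, wordlist):
    """Offline dictionary attack: hash every candidate once, match it against all accounts."""
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            for user in by_hash.get(nt_hash(cand), ()):
                found[user] = cand
    return found


def normalise(pw: str) -> str:
    """Reverse the mangling: lowercase, strip a trailing digit/symbol suffix, undo leetspeak."""
    return re.sub(r"[\W\d_]+$", "", pw.lower()).translate(_UNLEET)


def is_blocked(pw: str, common) -> bool:
    """Blocklist check for password-set time: rejects obvious variants of common words."""
    return normalise(pw) in common


def meets_legacy_complexity(pw: str) -> bool:
    """The sort of rule the audit criticises: 8+ characters and three of four classes."""
    classes = [re.search(p, pw) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")]
    return len(pw) >= 8 and sum(classes) >= 3


# Constructed sample dump (hypothetical accounts, not DOI data). jdoe and kpatel share a
# password and therefore a hash; mroe uses a long passphrase the wordlist will not reach.
SAMPLE_HASHES = {
    "jdoe": "8846f7eaee8fb117ad06bdd830b7586c",        # well-known NT hash of "password"
    "kpatel": "8846f7eaee8fb117ad06bdd830b7586c",
    "asmith": nt_hash("P@ssw0rd123"),
    "svc-backup": nt_hash("Interior1234"),
    "mroe": nt_hash("correct-horse-battery-staple"),
}
WORDLIST = ["password", "interior", "welcome", "summer"]
COMMON = set(WORDLIST)

if __name__ == "__main__":
    print(crack(SAMPLE_HASHES, WORDLIST))
```

Running it cracks four of the five accounts from a four-word list, and the two accounts sharing a hash fall together, which is the unsalted-hash property that makes a leaked NT hash dump so cheap to attack. Note that “P@ssw0rd123” passes the legacy complexity rule and fails the blocklist, while the long passphrase fails the legacy rule and survives the attack; a policy built on the blocklist gets both cases right.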
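
The rate limiting recommended in item 4 above (and in the RDP advice earlier on this page) is easy to get subtly wrong, so here is an added Python example, not code from the page or from any product it mentions, of a login gate that counts failures per account and per source address in a sliding window and applies a temporary lockout. The user store, passwords, addresses and attempt log are all constructed for the example, and PBKDF2 stands in for whatever the real verifier stores. The replayed scenario shows the two caveats worth remembering: a per-account lockout lets an attacker lock a legitimate user out, which is why the lockout expires rather than being permanent, and none of this helps against offline cracking of a stolen hash dump, which is what the audit did.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 as a stand-in verifier; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user store (hypothetical accounts): username -> (salt, hash)
USERS = {
    "jdoe": _make_user("correct-horse-battery-staple"),
    "asmith": _make_user("Tr0ub4dor&3"),
}
# Used for unknown usernames so a lookup miss costs the same time as a wrong password.
_DUMMY = _make_user("no-such-user")


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout. authenticate() keys it
    twice per attempt: once by account and once by source address."""

    def __init__(self, max_failures=4, window_s=300, lockout_s=900):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._fails = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}            # key -> time at which the lockout ends

    def is_locked(self, key, now) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]        # lockout expired: start with a clean slate
        self._fails.pop(key, None)
        return False

    def record_failure(self, key, now):
        q = self._fails[key]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                    # forget failures outside the window
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s

    def record_success(self, key):
        self._fails.pop(key, None)


def authenticate(throttle, username, source_ip, password, now):
    """Returns "ok", "bad_password" or "locked". The throttle is consulted before the
    password is verified, so a locked-out attacker learns nothing even with the right one."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"
    salt, stored = USERS.get(username, _DUMMY)
    if hmac.compare_digest(_derive(password, salt), stored) and username in USERS:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "bad_password"


def run_scenario():
    """Replays a constructed attempt log of (seconds, user, source IP, password)."""
    throttle = LoginThrottle(max_failures=4, window_s=300, lockout_s=900)
    attempts = [
        (0, "jdoe", "203.0.113.7", "password"),
        (1, "jdoe", "203.0.113.7", "password1"),
        (2, "jdoe", "203.0.113.7", "Password1234"),
        (3, "jdoe", "203.0.113.7", "p@ssw0rd"),                          # 4th failure: locks account and IP
        (4, "jdoe", "203.0.113.7", "correct-horse-battery-staple"),      # right password, still locked
        (5, "asmith", "203.0.113.7", "Tr0ub4dor&3"),                     # same IP, other account: locked (no spraying)
        (6, "jdoe", "198.51.100.9", "correct-horse-battery-staple"),     # real user elsewhere: locked out too
        (910, "jdoe", "198.51.100.9", "correct-horse-battery-staple"),   # lockout expired: ok
    ]
    return [authenticate(throttle, u, ip, pw, t) for t, u, ip, pw in attempts]


if __name__ == "__main__":
    print(run_scenario())
```

The seventh attempt is the trade-off in action: because the account itself is locked, the genuine user is turned away from a clean address until the lockout expires. In production you would pair a short account lockout like this with MFA, alert on the lockout event, and make the per-address limit the stricter of the two.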

Stay safe out there!
