IT NEWS

URI spoofing flaw could phish WhatsApp, Signal, Instagram, and iMessage users

There’s a flaw in the way many of the world’s most popular messaging and email platforms—such as Facebook Messenger, Instagram, iMessage, Signal, and WhatsApp—render URIs (Uniform Resource Identifiers). That flaw makes it possible for phishing attempts to bypass filters and escape the trained eye, and results in apps incorrectly displaying URLs.

The flaw can be exploited when an attacker inserts an RTLO (right-to-left override, U+202E) Unicode control character into a string. RTLO is a formatting control intended for right-to-left scripts such as Arabic and Hebrew: once a browser or messaging application encounters it, every character that follows is rendered right to left, which on screen means in reverse order, until the override is terminated or the text ends. The underlying characters are unchanged; only their displayed order is.

Two security researchers, zadewg and sick.codes, demonstrated this rendering flaw in a GitHub post you can see here.

“When a message contains a valid URL, it is highlighted and marked as hyperlink. However, this is printed to screen before sanitizing Unicode Control Characters, which results in URI spoofing via specially crafted messages.”

A demo showcasing the URI rendering flaw on Instagram. (Source: zadewg’s GitHub page)

The two researchers used a Google URL in a test case involving Instagram. They took https://google.com/ and combined it with the shortened URL bit.ly/2Max1Kz#, inserting an RTLO character after the trailing “/” of the Google URL and before bit.ly. Once this is sent to someone, it is displayed like the URL you see in the GIF above:

https://google.com/#zK1xaM2/yl.tib

Notice that the bit.ly part of the URL is displayed reversed, right to left, so the recipient sees what looks like a google.com URL with a harmless-looking fragment.
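The following is an added example, not code from the article or from the researchers’ GitHub post. It builds the logical-order string an attacker would send for the Instagram demo above, approximates how a renderer that ignores sanitization displays it, and shows the check a messaging client should do first: find and strip Unicode bidi control characters before extracting and highlighting URLs. The `naive_display` function is a simplification of the Unicode bidirectional algorithm (it only handles RTLO and PDF, which is enough to reproduce the demo); `safe_linkify` and its regular expression are illustrative, not any app’s real linkifier. The same function also reproduces the older filename trick mentioned later, e.g. `invoice` + RTLO + `cod.exe` displays as `invoiceexe.doc`.

```python
# Added example (not from the original article): construct an RTLO-spoofed
# URL, approximate how it is displayed, and detect/strip bidi controls
# before linkifying, which is the order the affected apps get wrong.
import re
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING (terminates an embedding/override)

# Explicit bidi controls that can reorder or hide displayed text:
# LRM/RLM/ALM marks, LRE/RLE/PDF/LRO/RLO (U+202A..U+202E) and the
# isolates LRI/RLI/FSI/PDI (U+2066..U+2069).
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u061c"
    + "".join(chr(c) for c in range(0x202A, 0x202F))
    + "".join(chr(c) for c in range(0x2066, 0x206A))
)


def build_spoof(visible_prefix: str, hidden_suffix: str) -> str:
    """Logical-order string an attacker sends: prefix, RLO, suffix."""
    return visible_prefix + RLO + hidden_suffix


def naive_display(s: str) -> str:
    """Approximate on-screen rendering.

    Characters after an RLO are drawn right to left (i.e. reversed) until
    a PDF or the end of the string. Real renderers apply the full Unicode
    bidi algorithm; this simplification is enough for the demo above.
    """
    out = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == RLO:
            end = s.find(PDF, i + 1)
            if end == -1:
                end = len(s)
            out.append(s[i + 1:end][::-1])
            i = end + 1
        elif ch == PDF:
            i += 1  # stray terminator, nothing to show
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_bidi_controls(s: str):
    """Return (index, code point, Unicode name) for each bidi control found."""
    return [
        (i, f"U+{ord(c):04X}", unicodedata.name(c, "<unknown>"))
        for i, c in enumerate(s)
        if c in BIDI_CONTROLS
    ]


def strip_bidi_controls(s: str) -> str:
    """Remove all bidi control characters; the remaining text is unchanged."""
    return "".join(c for c in s if c not in BIDI_CONTROLS)


# Hypothetical, deliberately simple URL matcher for the demo (not an app's real one).
URL_RE = re.compile(r"https?://\S+")


def safe_linkify(message: str):
    """Extract URLs only after bidi controls are removed.

    Sanitizing first guarantees that what gets highlighted as a link is the
    same character sequence the user sees, which is the property the
    affected apps lack.
    """
    return URL_RE.findall(strip_bidi_controls(message))


if __name__ == "__main__":
    spoof = build_spoof("https://google.com/", "bit.ly/2Max1Kz#")
    print("logical order :", repr(spoof))
    print("displayed as  :", naive_display(spoof))
    print("bidi controls :", find_bidi_controls(spoof))
    print("linkified     :", safe_linkify("look: " + spoof + " wow"))
    print("filename trick:", naive_display("invoice" + RLO + "cod.exe"))
```

A defensive client can use `find_bidi_controls` to reject or visibly flag a message rather than silently stripping it; either choice is better than highlighting the URL before looking for these characters.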

It’s simple to do, but what are the implications of this trick?

For one thing, it’s a tactic that attackers can use to fool potential victims by making them think what they received is legitimate. Attackers can piggyback on legitimate domains as well, such as in this demo where the domain is legitimately Google.

Abusing the RTLO has been done many times in the past, but it usually involves filenames rather than URLs. Several malware authors, such as those behind Bredolab, Mahdi, and SpyEye, are known to abuse the RTLO to hide malicious file names by disguising executables as Word files or PDFs in spam attachments.

Malware Intelligence Researcher Pieter Arntz and Senior Security Researcher Jean Taggert have shown how the disguising could be done here and here, respectively. Sirefef, a Trojan known for its stealth, used RTLO when injecting malicious entries into the affected systems’ registry. And just last month, researchers from Vade Secure unearthed a phishing campaign that targeted Microsoft 365 users by disguising its spam attachment as a “voice message” when it was actually the phishing page in HTML format.

As there are a handful of applications affected by this flaw, each one has been assigned a CVE number to track:

  • CVE-2020-20093 – Facebook Messenger 227.0 or prior for iOS and 228.1.0.10.116 or prior on Android
  • CVE-2020-20094 – Instagram 106.0 or prior for iOS and 107.0.0.11 or prior on Android
  • CVE-2020-20095 – iMessage 14.3 or older for iOS
  • CVE-2020-20096 – WhatsApp 2.19.80 or prior for iOS and 2.19.222 or prior on Android

If you are wondering if the RTLO flaw works in emails, it doesn’t. BleepingComputer tested this on Gmail, Outlook.com, and Protonmail.

The URI spoofing flaw is still there with the current versions of Facebook Messenger, Instagram, iMessage, and WhatsApp. So, it’s best for users of these apps to exercise caution when clicking links until a patch or update is released for this flaw. Sick Codes has advised users the following:

“Turn off link previews in everything, especially mail apps and anything related to notifications. Don’t visit weird websites with popups. Don’t click random prize giveaways.

You already have a phone, so use your bookmarks and make sure to keep it up to date. Given the amount of zero-days flying around, especially those disclosed recently for iOS, it would be perilous to trust URLs in IMs.”

Stay safe!

The post URI spoofing flaw could phish WhatsApp, Signal, Instagram, and iMessage users appeared first on Malwarebytes Labs.

Tech support scam campaign targets Japanese visitors to PornHub

The Malwarebytes Threat Intelligence team has identified a malvertising campaign targeting Japanese users. The campaign uses a cloaking technique to lure visitors of the popular adult site PornHub to a decoy site at the domain mixhd[.]club.

Cloaking

Cloaking is a technique in which a web server serves different content to different visitors, so that search engines, researchers, and users outside the intended target group see something other than what the targeted users see. In this case, every visitor not geolocated in Japan was shown a decoy page with content stolen from a well-known Japanese adult site.

The web server in this case decides what the visitor gets to see based on the information provided by the visitor like the user-agent string, browser language, IP address, and cookies.

Japan

With a population of some 125 million and a high level of connectivity, Japan has the third highest number of Internet users after China and the US. However, we hardly ever hear about any tech support scams directed at this audience.

In fact, the first arrests for tech support scams in Japan only happened in January this year, when Tokyo police announced that they had arrested three people in connection with an alleged scam where the suspects claimed to be providing technical support for malware-infected computers.

The campaign

Visitors to PornHub were shown an advertisement for another site with adult content. Users that followed the advertisement and that were fingerprinted as being Japanese were confronted with this browser lock page.

Japanese browser lock page

Popups and an audio warning on the page urge the victim to call Microsoft support, but the telephone numbers shown do not belong to Microsoft.

The goal is to defraud the victims in a tech support scam. Typically, scammers will use remote control of the affected system to help the victim get rid of the browser lock and the pop-ups at a steep price. They will then try to convince the victims to sign expensive contracts. In the case where the arrests were made, for example, victims were charged around ¥30,000 (US$ 245) for half-year contracts.

While most tech support scams are operated out of India, in this case Japanese police arrested the alleged ringleader, a Filipino man. Based on additional evidence we collected, we believe there is a collaboration between criminal groups in India and the Philippines, with the former providing the traffic, pop-up alerts, and browser locker infrastructure. Nor is this limited to Japan: as we reported a few days ago, tech support fraud is still a growing market in the US.

Stay safe, everyone!

The post Tech support scam campaign targets Japanese visitors to PornHub appeared first on Malwarebytes Labs.

Phishers make a date with your calendar apps

Calendars are a rich source of bad behaviour for scammers and spammers. They’re one of the most prolific tools the workplace has for collaborative actions and general cross-purpose messaging. They’ve been misused by bad actors for many years now, most commonly spamming unwary potential victims and leading them to bad times ahead.

A brief history of calendar connivances

Scammers abuse pretty much any beneficial feature you can think of in order to get the job done. In 2016, Mac spammers made use of the ability to suggest events found in other apps. They also fired calendar invites to people’s iCloud addresses, meaning the spam would hit the calendar and the notification center.

In 2021, iPhone calendar spam was on the up with fake infection/pornographic spam giving device owners major headaches. Bogus CAPTCHA spam and redirects to device cleaning tools were less than appreciated.

Just this year, we had something resembling an update to the tried and tested calendar methods with comment spam in shared Google documents.

These tactics have been around for many years. Witness 419 scammers misusing Google calendar invites in 2011, or even using Yahoo! Calendar to spam in 2009. If there’s a calendar with any form of sharing functionality, you can bet someone will be along shortly to post invites you don’t need. What’s the latest in unwanted calendar spam messaging land?

Calendar app spam leads to phishing pages

Many tools use calendar apps/plugins for additional features and functionality. Calendly is one such app which provides Zoom integration, website embedding, and more. It’s free and easy to sign up which means scammers will try to abuse it however they can.

According to Bleeping Computer, it’s been abused to send phishing missives. The example given shows a supposed fax message which claims “You have received a new fax document”. It also lists page count, size, and a clickable link to preview the document in question.

The landing page for these links is a blurred document with a bogus Microsoft login popup box which claims “only recipient email can access shared files”. It also has potential victims enter details twice, presumably to make sure they’re definitely entering usable credentials.

The phish routine ends with that time honoured process of redirecting the phished individual to a real website afterwards. This is to make them think there’s nothing untoward going on, unaware that they’ve handed over login details to a faker.

Dodging bogus calendar invites

This is, of course, a very bad and sneaky thing to do. While some folks may be aware of more general spam and nonsense sent their way via Google Calendar, they might not suspect the same thing can happen via other platforms. As Bleeping Computer notes, a password manager with autofill will help here: because the phishing page’s URL does not match the domain the Microsoft credentials were saved for, the manager will not offer them, and the login details stay safely out of harm’s reach.

It’s also possible the slightly unnatural approach to “document” sending may work against the spammers here. Do people typically send you important documents by email, or by third party calendar app messaging? If it’s the former, and it likely is, then this should be enough to set alarm bells ringing.

As with all these attacks, the key is to remain calm. Don’t rush to open the document. Check who it claims to be from. Is it a stranger? Or someone you know? If it’s someone you know, it’s time to do some outreach and double check if the document is what it appears to be. Last but not least, make use of any available security/privacy features your calendar may possess. It could be the difference between a clutter free week ahead or days of skipping through rogue invitations.

The post Phishers make a date with your calendar apps appeared first on Malwarebytes Labs.

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Cybersecurity can be complex work, as security teams need to regularly decipher and prioritize alerts, protect against daily threats, and possibly implement product configuration changes, all while staying abreast of the latest intelligence on new and evolving threats. For organizations that lack fully staffed, internal security teams, or sometimes even one security hire, cybersecurity is then a function of simplicity and time: Any good cybersecurity product must be effective and intuitive out of the box.

With the results of this year’s MITRE ATT&CK® Evaluation, announced today, Malwarebytes’ standout performance proves that our Endpoint Detection and Response (EDR) solution is just that type of product.

In the two categories of Protection and No Delays or Configuration Changes, we achieved a 100 percent success rate, meaning that our business product stopped every tested cyberthreat before it reached a machine, and we did it “out of the box,” meaning that we did not have to change any configuration settings to achieve total protection. For the many businesses that lack a SOC, this simple, intuitive protection is vital to their daily operations, as it allows those businesses to focus on any threats that do manage to get through.

We also detected 83 out of 90 steps that were included in the MITRE ATT&CK Evaluation, and of the corresponding 83 alerts for those steps, 82 were of the highest quality, providing actionable insight that could help stop an attack as it happens. Combined with our 100 percent protection score and our user-friendly simplicity, Malwarebytes can give even small businesses everything they need to get back to doing what they do best—their jobs.


In this post, we will focus less on how Malwarebytes performed in the MITRE ATT&CK evaluation, and more on what the test means and how it can be best interpreted by businesses of all sizes.

Why MITRE ATT&CK matters to you 

Choosing a cybersecurity product can be just as difficult as understanding its advertising. Vendors constantly vie for customers, promising new capabilities baked into varying, three-letter acronyms coupled with the “latest,” “greatest,” “best-in-class” features. Adding to this complexity is the fact that, seemingly every day, a new cyberthreat emerges that can derail any business, small or large, and it’s difficult to know if any product under consideration will be effective against evolving attacker techniques.

Fortunately for customers, there are multiple third-party tests that can provide better insight into how cybersecurity products would perform under real-world testing. Interpreting those results, though, and actually applying them to the real world can be challenging. For the many businesses that still see cybersecurity as a solution that can hopefully be implemented directly “out of the box,” how do the various comparison graphs and tables of stats reveal which solution will deliver on that promise?

We’re going to help explain the 2022 MITRE Engenuity ATT&CK Evaluation results with the same approach we take to cybersecurity overall: We want to make it simple and actionable for you.

The MITRE ATT&CK Evaluation third-party test involves the work of cybersecurity researchers testing individual cybersecurity vendors’ products against documented attack methods. This year the testing was modeled after real-world threat actors Wizard Spider and Sandworm. MITRE Engenuity’s researchers record how a product performs across separate activities: Did a product catch every “substep” of an attack? Did it provide a quality alert that provided robust information to the end-user? During Protection evaluation, did it prevent an attack that could have distracted an end-user from the primary attack? And did a vendor go into the product and change any settings to improve results after missing a step?

To understand the results this year, we are going to explain three evaluation categories that provide the best judgment opportunity for businesses choosing a cybersecurity vendor. Those categories are Visibility, Analytic Coverage, and Protection. We will also explain the importance of configuration changes.

Visibility 

Cyberattacks do not happen in a vacuum. Instead, when attackers pull off something like a ransomware attack, they are often planning and implementing the attack over a period of weeks or days, leaving behind clues that they have breached a network and started to spread laterally before delivering a final payload. And while spending weeks on an attack may seem long to some, it’s important to remember that these very same attacks used to take months. Threat actors are working faster and more efficiently than ever before, often equipped with many automated technologies, which is why these types of third-party tests are so important: Organizations have to more quickly recognize warning signs and respond to them to avoid falling victim to an attack. As always, it is better to stop an attack at the start of its chain rather than trying to recover after it has struck, especially when an attack results in encrypted data, like the attack used in this year’s MITRE evaluation.

Without good visibility, your cybersecurity team is lost. With no prior warnings sent to your team, every cybersecurity event will be an emergency, noticed likely by an employee with seemingly isolated computer issues. In actuality, that one employee’s problems could be replicated across your business, indicative of an attack that began months ago and which you and your teammates are only seeing the results of today.

Strong cybersecurity products provide visibility into those attacks as they happen, warning users about suspicious activity along the way and helping provide information so that an attack can be stopped before it escalates. In fact, in this year’s MITRE ATT&CK testing, one of the attacks started in the simplest way—a user accidentally opening a malicious file.

Other steps in the attack included access using unsecured credentials, lateral movement through Remote Desktop Protocol, and multiple instances of Ingress Tool Transfer, which could point to threat actors bringing their own files or tools into your now-compromised network. The sequence of attacks recorded in the evaluation shows a clear concept of “attack flow,” from an attack’s earliest stages, including the execution of a malicious file, to its later progression through other tactics like credential access, discovery, defense evasion, and lateral movement, until, at the completion of the attack, a victim’s data is encrypted.

The MITRE ATT&CK Evaluation’s 90 steps show a clear intent of attack, and a good cybersecurity product will catch these types of activities and warn your security team about them when they happen. In the testing, the number of steps detected provided the product’s “Visibility” score, because the more steps a security team is warned about, the clearer a picture they have to stop an attack as it happens.

Malwarebytes detected 83 out of 90 steps, or 92 percent of all steps.

Alert quality 

As we explained above, visibility is a crucial component for any cybersecurity product, as a collection of warnings can provide some patterns for the human users on the other end to interpret. But warnings themselves are not always enough. Often, security teams need to know more about a specific warning to understand whether it is an issue or not, and how, specifically, they should respond, depending on what a warning tells them. After all, a non-informative warning can be as ineffective as a non-existent one.

This is where alert quality comes into play.

Not every alert is equal. Some provide far more detailed information that can be acted upon by security teams, while other alerts only notify a security team of a problem. In the MITRE ATT&CK evaluation results, alerts are given three tiers of specificity, from least to most specific—General, Tactic, and Technique.

Techniques are the types of alerts that empower security teams to solve problems faster. Going beyond a basic description of what happened, like whether a PowerShell script was executed on a machine, a Technique alert will explain the surrounding context. That can include what threat actors are trying to accomplish with the script—like persisting in an environment even after a system reboot—and how threat actors could achieve that—by changing a registry value to leverage a Winlogon key to execute arbitrary binaries upon logon or logoff.

These quality alerts will help not just small- to medium-sized businesses equipped with equally small IT teams; they will also help the Managed Service Providers who often support these businesses. For small IT teams, quality alerts will help prioritize which problems need to be addressed, while MSPs can gain better intelligence for their SOCs. In our MITRE results this year, Malwarebytes delivered 82 Technique alerts out of the 83 alerts delivered in total, meaning that nearly every piece of information we offered to security teams was of the highest quality.

Protection 

Nearly every important component of the MITRE ATT&CK Evaluation results fits into the broader umbrella of actionable intelligence. Quality alerts help all teams—from small to large to MDR to MSP—prioritize the cybersecurity issues that will affect them most, while raw telemetry across the landscape of the attack gives more evidence of what is happening and when.

But the value of both components could diminish under an onslaught of cyberevents that bog down any response. What helps in these situations is protection—preventing attacks before they happen. Without protection, even a wealth of high-quality alerts will only stretch your IT team to its limit, unable to meaningfully prioritize, forced to make every alert a priority.

Here, Malwarebytes stands particularly proud, having achieved a 100 percent success rate in the Protection category for Windows. We must note that for this latest MITRE ATT&CK round, we did not submit our solution for Linux testing, a process that, while entirely optional, still impacted vendors’ Visibility scores. Malwarebytes recognizes the importance of cybersecurity for every operating system within any organization, and our EDR solution for Linux will be available on April 5.

A note on configuration changes 

Designing a third-party cybersecurity test isn’t easy, as any meaningful evaluation must consider how a product is used by real organizations, from the smallest nonprofit to the largest enterprise. But what’s good for one subset of organizations isn’t necessarily good for the other.

One of the allowances MITRE Engenuity gives their participants is the ability to change configuration settings in a security product once an evaluation has already begun. This reflects the real-world application of larger enterprise companies that have security professionals who prefer a robust interface of settings and configurations that they, personally, can adapt to their own business environment.

There is a flip side to this, though, in that there are countless customers who do not have the time to configure their security product’s settings. There are just as many customers who do not have the internal or external resources for such a project. For these customers, endpoint security is still a product that needs to function as a “set it and forget it” tool. Importantly, these customers may actually lose some value if they try to implement the same types of configuration changes that MITRE Engenuity allows, as these changes will likely produce a greater quantity of alerts, leaving these customers to spend more time deciphering the importance of those alerts and how to respond. This adversely affects the visibility and alert quality components, as customers spend time sifting through a potentially significant number of additional, low-quality alerts in order to determine priority actions, a productivity loss no organization, big or small, is willing to accept. Malwarebytes completed the MITRE ATT&CK Evaluation entirely without delays or configuration changes, so our results reflect the out-of-box efficacy customers expect.

We consistently want to provide cybersecurity in a simple, accessible, and effective way, and that means developing a product that responds to cyberthreats even without any configuration changes. This isn’t easy, as every business environment is different, but it’s worth the trouble if it means our users are safer than they were without us.

Making use of MITRE 

Third-party tests should empower your team to choose the right cybersecurity product for their own business goals. No matter your organization’s size or complexity, though, a few criteria must be met: Your solution must catch the warning signs of an attack in progress, it must provide the highest-quality alerts possible, and it must prevent as many attacks as possible, so as to not overwhelm your security team and your employees.

The MITRE ATT&CK Evaluation thankfully evaluates many cybersecurity tools on these exact metrics. We hope that, with our breakdown on what matters when reading the results, you and your business are able to thrive, away from cyberthreats.

If you want to learn more about how Malwarebytes performed in the MITRE ATT&CK Evaluation, you can contact us here.

The post MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks appeared first on Malwarebytes Labs.

Ukraine shuts down disinformation bot farm

Given current world events, there’s an incredible amount of misinformation and disinformation around at the moment. Whether we’re talking 5G, the pandemic, vaccines, or invasions, there’s a lot out there.

One of the biggest problems where bad information placed online is concerned is bot farms. A huge army of automated accounts sowing seeds of doubt and nonsense isn’t helpful, and it can be tricky to do much about it. Occasionally, we hear tales of successful takedowns. This is one such story.

The difference between misinformation and disinformation

It’s important we know where both of these diverge, and how. Misinformation is when someone spreads incorrect information. There doesn’t need to be any malicious intent behind the spreading. They’re simply getting something wrong, and throwing it out there anyway. Someone may even be repeating a talking point to be helpful or give assistance. Unfortunately incorrect information being spread across social media and elsewhere can lead to all sorts of problems.

Disinformation is designed to be bad from the outset. It’s carefully crafted lies and subterfuge, manipulating the truth for dubious purposes. It can be done by anyone with a random account online, or deployed in more sweeping fashion by a Government. It’s a popular tool during wartime, and it’s being used daily throughout the invasion of Ukraine.

What is a click farm?

A common question asked is “What does a bot farm actually look like?”, with good reason. People imagine rows of servers, doing server type things. Someone once asked me if they “resembled robots”. There are different types of farm, which can make the confusion even worse.

Click farms are incredibly common, and are used to perform basic tasks on social media.

These farms may employ people to monitor dozens or hundreds of mobiles and interact in some way on content intended to go viral.

Click farms often descend into click fraud and other activities such as SIM smuggling, with law enforcement inevitably becoming involved.

What is a bot farm?

Bot farms, as the name suggests, attempt to go one better and automate a lot of these activities. It wasn’t so long ago that researchers uncovered an insecure bot farm and dug into how it operated. The intention of that farm was to perform political manipulation. Bots playing host to friends (also bots) across their networks pushed dubious and divisive content. They also joined specific Facebook groups to push the content further still. No doubt some of the material promoted was disinformation.

This is what’s currently happening in relation to the invasion of Ukraine.

When bot farms are dismantled

It’s been revealed that no fewer than five significantly sized bot farms have been shut down by the Security Service of Ukraine (SSU) since the invasion began.

According to the SSU, these bot farms are responsible for at least some of the many bomb threats called in from the start of the year onward.

The farm itself involved a wealth of equipment across two individual’s residential properties, with a third person fielding technical maintenance. 3,000 SIM cards, numerous laptops, and multiple GSM gateways were among the items seized.

Combating disinformation tactics

There’s never been a more urgent need for fact checking services. The Ukrainian Center for Countering Disinformation has set up its own Telegram bot, aimed at fact checking dubious claims within minutes. There are also several well-known fact-checking sites providing breakdowns of bogus claims and viral content in relation to the Russian invasion of Ukraine. These include Full Fact, Snopes, and AFP Fact Check.

Before retweeting or sharing content, it’s always worth checking the facts first. Even engaging with disinformation to counter or correct it can boost the disinformation’s viral nature, making it even harder to shut down. This is why, for example, people will often screenshot bogus claims to counter them instead of quoting them directly. In many cases, it may well be better to simply report the content instead of directly engaging with it.

The post Ukraine shuts down disinformation bot farm appeared first on Malwarebytes Labs.

Watch out for LinkedIn fakes who want to get connected

Despite continued warnings of deepfake chaos during major events, things haven’t worked out the way some thought. Video deepfakes are still bad. Quite simply, nobody is fooled, or at least nobody is fooled into a snap judgement that matters.

As much as we over dramatise their use in our heads, the video aspect of deepfaking has a long way to go to pull the proverbial wool over our eyes. But it’s a little bit harder to spot an AI-generated image, as you can see on sites such as This Person Does Not Exist, and some people are using these fake images on social media.

When LinkedIn connections go wrong

Two Stanford University researchers, Renée DiResta and Josh Goldstein, have found more than 1,000 fake LinkedIn profiles using AI-generated faces.

The story begins with someone sending a message to an individual on LinkedIn. Nothing odd there, except the recipient happens to know their way around AI generated images.

The avatar attached to the profile did indeed turn out to be entirely fictitious; “Keenan Ramsey” does not exist. From there, the pretend people were unearthed doing their thing on LinkedIn.

These “employees” were tagged under various businesses, except those businesses said they didn’t authorize the use of computer generated profile imagery. The researchers digging into this discovered companies selling LinkedIn marketing services. They also offered bot/avatar accounts, which is a no-no from LinkedIn’s perspective.

The long tail of deepfake marketing

It’s somewhat bizarre that people may be making money from selling web generated profile pictures to businesses that could just do it themselves given 10 seconds and a web browser. It’s also bizarre that nobody at any point in this daisy-chain of fake people’s profiles seems to know exactly where, or how, or why any of this has been happening. Who is responsible? What are these accounts doing besides perhaps bolstering employee count numbers?

A very good question.

For now, it may be worth paying close attention to random messages and/or connection requests on LinkedIn. Is the person at the other end who they claim to be, or a business-realm fakeout? It may be tricky to pin down a conclusive answer, but I’d definitely rather know just who is wanting to get inside my connections network…and why.

The post Watch out for LinkedIn fakes who want to get connected appeared first on Malwarebytes Labs.

“A little gift for you” SMS spam appears to come from your own phone number

If you’ve received a spam SMS message sent from your own phone number, don’t panic.

No, you weren’t hacked. And you’re not the only one who has received such a message, which looks a bit like this:

A colleague received this same spam SMS message that has been going around more frequently these past few days. (Source: Malwarebytes)

Free Msg: Your bill is paid for March. Thanks, here’s a little gift for you: {redacted link}

But why do they make it look like the text has come from your own number? It’s likely the scammers spoofed it in order to get past built-in filter features because they don’t block messages you send yourself.

The Verge writer Chris Welch said that clicking the link directed him to Channel One Russia, a Russian state media network. But this could have easily led to nefarious payloads, like malware, and some have already classed this as a smishing (or “SMS phishing”) attempt.

Interestingly, Welch said, the texts appear to be targeting users of Verizon Wireless, one of the biggest telecommunication companies in the US. 9to5Mac’s Allison McDaniel says she’s also seen customers of Visible, Verizon’s MVNO (mobile virtual network operator), complain about the spam SMS on Reddit, too.

Rich Young, Verizon’s spokesperson, said in an email to The Verge:

“Verizon is aware that bad actors are sending spam text messages to some customers which appear to come from the customers’ own number. Our team is actively working to block these messages, and we have engaged with US law enforcement to identify and stop the source of this fraudulent activity. Verizon continues to work on behalf of the customer to prevent spam texts and related activity.”

McDaniel has advised Verizon and Visible users to report receiving this spam SMS—and others like it—to the FCC by filing a complaint. Pay particular attention to the bit on “Your Number is Being Spoofed.” You can also forward the message to SPAM (7726).

Tell your friends and family about this smishing attack. If they received one, tell them to report it, delete it and move on.

The post “A little gift for you” SMS spam appears to come from your own phone number appeared first on Malwarebytes Labs.

Update now! Google launches Chrome version 100 and fixes 28 vulnerabilities

Google has launched Chrome version 100 which, among other things, fixes 28 vulnerabilities. Other new security features include Safety Check, Enhanced Safe Browsing, and the ability to control website access to your location and device.

Of the 28 vulnerabilities, none have been marked as critical but 9 have been marked as high severity. High severity usually means that any compromise would be limited to the browser, although vulnerabilities that allow an escape from the browser’s sandbox will often be classified as High as well. But these vulnerabilities could have more serious consequences when used in conjunction with others, so it warrants a quick update.

Version 100

We have talked about possible user-agent string problems with the introduction of version 100, for both Chrome and Firefox. With Google Chrome 100, the browser’s user-agent string now carries a three-digit version number instead of a two-digit one. After testing showed that some sites had issues with the new user-agent string, their developers quickly fixed them, so these sites now support the three-digit version. That is not to say that every site has been tested, so it may still cause problems for some.

Google has announced that Chrome 100 will be the last version of the browser with the full, unreduced user-agent string. The user-agent string—which is sent with each HTTP request—contains information about the user’s OS, the browser and its version number, the device model, the architecture, and more. With this combination of parameters and the large variety of potential values, it can be possible to identify individual internet users based on their user-agent strings.

To reduce this opportunity for fingerprinting, Google plans to cut the information in the user-agent string down to only the browser’s brand and significant (major) version, its desktop or mobile distinction, and the platform it’s running on.
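The two points above can be seen in a few lines of code. This is an added example, not code from the article or from Google: it shows the kind of two-digit version check that broke when Chrome reached 100, the robust form of that check, and a reduction of constructed sample user-agent strings to brand, major version, mobile/desktop and platform as the article describes it (an illustration of that description, not Chrome’s exact reduced format), counting how many distinct values survive.

```python
import re
from typing import Callable, Iterable, Optional

# Constructed sample user-agent strings (not taken from the article), in the
# shape Chrome sends on Windows desktop and on Android phones.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36",
    "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/100.0.4896.60 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 11; SM-G991B) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/100.0.4896.58 Mobile Safari/537.36",
]

# The kind of check that broke on version 100: written when every major
# version had two digits, it reads "10" out of "100" and a site then treats
# a current browser as an ancient, unsupported one.
NAIVE_MAJOR = re.compile(r"Chrome/(\d\d)")
# Correct form: take the whole run of digits before the first dot.
ROBUST_MAJOR = re.compile(r"Chrome/(\d+)\.")

# Order matters: Android user-agents also contain "Linux".
PLATFORM_KEYWORDS = ("Windows", "Android", "Macintosh", "CrOS", "Linux")


def naive_major_version(ua: str) -> Optional[int]:
    """Two-digit version parser; returns 10 for Chrome 100 (the bug)."""
    m = NAIVE_MAJOR.search(ua)
    return int(m.group(1)) if m else None


def robust_major_version(ua: str) -> Optional[int]:
    """Version parser that copes with any number of digits."""
    m = ROBUST_MAJOR.search(ua)
    return int(m.group(1)) if m else None


def reduce_user_agent(ua: str) -> str:
    """Keep only brand, major version, mobile/desktop and platform.

    Assumption: this follows the article's description of the planned
    reduction; the real reduced Chrome string is formatted differently.
    """
    major = robust_major_version(ua)
    platform = next((kw for kw in PLATFORM_KEYWORDS if kw in ua), "Unknown")
    form_factor = "Mobile" if " Mobile " in ua else "Desktop"
    return f"Chrome/{major} ({form_factor}; {platform})"


def distinct_values(uas: Iterable[str], view: Callable[[str], str]) -> int:
    """How many different strings a fingerprinter sees through `view`."""
    return len({view(ua) for ua in uas})


if __name__ == "__main__":
    print("naive parse of Chrome 100 UA:", naive_major_version(SAMPLE_UAS[1]))
    print("robust parse of Chrome 100 UA:", robust_major_version(SAMPLE_UAS[1]))
    print("distinct raw UAs:", distinct_values(SAMPLE_UAS, lambda ua: ua))
    print("distinct reduced UAs:", distinct_values(SAMPLE_UAS, reduce_user_agent))
```

The two Android phones, distinguishable by model and build number in the raw strings, collapse to one reduced value.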

Safety check

The new safety check allows users to quickly check a few security settings like available updates, the strength of their saved passwords, whether safe browsing is enabled, and more.

Go to your Settings and then select Security and Privacy. Here you can click the Check now button under Safety check.


Enhanced Safe Browsing

According to Google, Enhanced Safe Browsing protection adds a few extra layers to the standard protection:

  • Predicts and warns you about dangerous events before they happen
  • Keeps you safe on Chrome and may be used to improve your security in other Google apps when you are signed in
  • Improves security for you and everyone on the web
  • Warns you if passwords are exposed in a data breach
  • Sends URLs to Safe Browsing to check them. Also sends a small sample of pages, downloads, extension activity, and system information to help discover new threats. Temporarily links this data to your Google Account when you’re signed in, to protect you across Google apps.

It is up to you whether you would like to provide Google with this data, but you can enable Enhanced Safe Browsing by following the procedure outlined below.

Go to Settings and then select Security and Privacy. Click Security and select the Enhanced protection radio button.

Control website access to your location and device

Sometimes websites ask permission to use your location, microphone, and more. Chrome now has site safety controls that help you understand and change the permissions for the sites you visit.

You can check the current permissions by clicking the lock symbol in the address bar and selecting Site settings, which shows an overview of all the permissions. You will also see existing permissions, which you can simply clear with the Reset permissions button.


New developer APIs

With this release, Google has also added the Digital Goods API so that web applications can make in-app purchases through the Google Play Store. It arrives alongside the Multi-Screen Window Placement API, which extends the web platform’s single-screen paradigm to support multi-screen devices. As multi-screen devices and applications become a more common part of user experiences, Google considers it important to give web developers the information and tools to make use of that expanded visual environment.

How to update Chrome

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. My preferred method is to have Chrome open the page chrome://settings/help, which you can also reach by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it.


Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to date

After the update, the version should be 100.4896.60.

Stay safe, everyone!

The post Update now! Google launches Chrome version 100 and fixes 28 vulnerabilities appeared first on Malwarebytes Labs.

Looking over your shoulder: when small mistakes have big consequences

People up to no good get themselves caught in an endless number of ways. This has always been the case in the real world, and continues to be true online. No matter how talented, how daring the schemes, greed and the desire for fame often win out. This has disastrous consequences for those caught, and a little more illumination for those of us taking part or watching from the sidelines.

Anybody can be caught in the act. Even groups with near mythical levels of skillset-cred fall by the wayside. It is, in the words of one Agent Smith, inevitable.

Well, occasionally inevitable.

The ever-shifting sands of “I’ve made a terrible mistake”

A recent article over on ITPro highlights some of the ways would-be cybercriminals and those at the more professional end of data snatching get themselves caught. So-called script kiddies can take a couple of weeks; big name groups can take longer, but they can still fall foul of the smallest mistake.

Some of the most common mistakes listed in the article are combinations of technical misfire, greed, lack of skill, and unfamiliarity with social engineering. How can things go wrong for the unwary? Let’s take a look.

Technological mishaps

Something we see happening is tiny slices of technology causing major ripples in unexpected ways. A person may have a great plan, a plan B, and a bunch of other what-ifs and workarounds. It all comes undone in the most unexpected of ways. If the founder of the infamous Silk Road can run into problems with VPNs, so can anyone.

Even if the VPN doesn’t glitch out at the worst possible moment exposing an IP address, forgetting to switch it on in the first place can give the same end result. Many years ago, a fairly prolific defacer of websites I was tracking fell foul of this problem. They became addicted to the rush of posting their latest compromises to a hacking forum dishing out kudos points for cool hacks.

Their lack of skill beyond the basics, coupled with the fame rush, resulted in a forum hack from their college network with the VPN switched off. I’m still unsure whether the hack they used was somehow misused and resulted in their IP being posted to the defaced page, or whether this was revenge from the admins. Either way, enough pieces of the puzzle were available that this individual ran into trouble shortly after and ended their defacement activities.

Oh no, my trophy storage

People involved in compromise, defacement, and other actions simply cannot help themselves with a bit of showing off. It stands to reason that those with this inclination end up assembling a large trophy case marked “all the evidence goes here”. This trophy storage may take the form of a list of site defacements posted to a forum. It may be passwordless server storage running off their home network. It might even just be a collection of zip files in cloud storage somewhere.

Other times, it may be files grabbed by malware and uploaded to a server with no encryption or passwords applied. It’s left to sit around for the longest time. Once law enforcement comes knocking, it’s likely too late for the accused to do anything about it.

When makeovers go horribly wrong

Back in the Myspace days, we’d sometimes see someone take their first steps into the defacement scene with a revamp of their personal profile. Where once it contained their name, location, and home photographs, it now looked very much like someone had just watched Hackers and decided to HACK THE PLANET.

Unfortunately for them, they didn’t know about the existence of search engine caches, or services like the Internet Archive. They also failed to consider the dozens of messages in the comments section calling them by name. This is partly why smarter people in the Myspace hacking scene would keep their real friends outside of the top friends box and place random people there instead.

Even without technical mishaps or overflowing trophy cabinets, there are other ways to fall on your own sword composed of ones and zeroes. The social aspect of underground forums often leads to people letting their guard down. A bit too much information shared, a little too friendly in the direct messages, and it all adds up.

Revealing too much information about yourself on forums and in chat, posting in bragging threads where you display your best hacks, can lead to disaster. Other people caught by law enforcement can turn informer, and socially engineer details from individuals who feel they’re in a safe, relaxed environment.

Turning the tables

The forums themselves can suddenly switch from safe haven to massive bearpit of law enforcement pandemonium. Some underground forums have a very strict no-spam policy, and they enforce it in what may sound like very surprising ways. Some refuse to allow users to log in via proxies or VPNs. That’s right: they need to use their actual IP address. How do you think this pans out if the forum is taken over by the authorities? Or simply compromised by somebody for giggles, with the forum logs dumped into the wild?

The other suspicion is that any supposed underground forum demanding real world information could well be a sting operation. How does someone ever really know before they sign up?

It’s a dog eat dog world out there

If someone avoids spilling too many beans or posting incriminating information, it can still go wrong. As we’ve seen recently, little fish are tasty treats for more experienced hands. People regularly post hacking tools and phish kits to dedicated forum sections. Every so often, we see someone drop a booby-trap onto a site and gobble up all the data from compromised forum-goers.

This isn’t new, and neither are any of the other pitfalls and mishaps listed above. Even so, overenthusiastic forum-goers will keep walking into them and providing headlines for years to come. Is it really worth the worry?

The post Looking over your shoulder: when small mistakes have big consequences appeared first on Malwarebytes Labs.

Attacks on Ukraine communications are a major part of the war

Since the start of the Russian invasion of Ukraine, the war on the battlefield has been accompanied by cyber attacks. Those attacks against critical infrastructure have knocked out banking and defense platforms, mostly by targeting several communication systems.

In a timeline set up by NetBlocks, you can follow individual attacks on communication services, starting Thursday 24 February 2022, the same day the invasion of Ukraine started. The attack methods are very diverse, as are the consequences.

But that wasn’t the start of it: the denial of service attacks that were clear attempts to disrupt banking and defense services began earlier, and a huge drop in connectivity was noticed as early as February 15, 2022.

NetBlocks

NetBlocks is a global Internet monitor based in London. It uses “diffscans”, which map the IP address space of a country in real time, and show Internet connectivity levels and corresponding outages. Deliberate Internet outages will often show a distinct network pattern, and NetBlocks uses those patterns to determine and attribute the root cause of an outage.

The NetBlocks timeline shows disruptions of fixed-line service provider Triolan, the Viasat satellite internet network, backbone internet provider GigaTrans, network operator Kyivstar, the Vinasterisk network, as well as targeted attacks on certain areas that were often accompanied or followed by physical strikes.

Financial problems have also presented challenges for network operators. On Tuesday 15 March, internet provider LocalNet announced that it would have to lock down subscribers with debt on their account due to difficulty paying the company’s own bills.

On Monday 28 March 2022, Ukraine’s national provider Ukrtelecom experienced an extended, nation-scale network disruption, following a major cyberattack. It’s not yet known whether Ukrtelecom—a telephone, internet and mobile provider—was hit by a distributed denial of service (DDoS) attack or a deeper, more sophisticated intrusion. But NetBlocks stated that the gradual loss of connectivity was a giveaway that it wasn’t a power or cable cut.

Communications

As we have said in the past, communication systems are a vital infrastructure. Important decisions may be postponed when the person or body that is supposed to make that decision is unable to gather the information necessary. This is also why we see a lot of misinformation and disinformation on both sides of the conflict.

The ongoing conflict has also affected radiation monitoring, communications, and long-term maintenance and cleanup efforts at nuclear power plants across Ukraine, which is an extra worrying factor. The loss of communications was subsequently raised as a point of concern by the International Atomic Energy Agency.

Methods of disruption

When it comes to disrupting communications services the methods are as diverse as the means of communication. Communication lines and infrastructure include physical lines, satellites, and other wireless methods.

Physical lines can be cut off in physical attacks, but they are also vulnerable to the cyberattacks that can be used against wireless communications.

  • An unwanted wireless signal injected into the original signal may result in a temporary loss of wireless signals, poor receiver performance, or bad quality of output by the electronic equipment.
  • Channel interferences influencing the performance of wireless communication systems can be co-channel interferences or adjacent channel interferences.
  • Overload attacks, like DDoS attacks, are designed to overwhelm the available capacity of the infrastructure, or to absorb so much capacity that the negative effect on the service is noticeable.
  • Attacks on physical components like cables, switches, routers, and network centers.

As we discussed recently, even our networks of satellites and space systems are vulnerable to cyberattacks, which can create a backdoor into the physical and digital systems we rely upon on a daily basis.

DDoS

A tried and tested method to disrupt communications is to overload the network(s) with a Distributed Denial of Service (DDoS) attack. This type of attack involves sending large amounts of traffic from multiple sources to a service or website, intending to overwhelm it.

One DDoS method that was used against Ukrainian websites was via hundreds of compromised WordPress sites that use visitors’ browsers to perform DDoS attacks by means of an inserted malicious script. The DDoS attacks will occur in the background without the user knowing it’s happening, other than a slowdown of their browser. BleepingComputer discovered that the same script is being used by a pro-Ukrainian site to conduct attacks on Russian websites.

Incommunicado

The cyberattacks on communications are an understandable part of modern warfare. And one that nations and international organizations should prepare for. But, as always, these attacks have consequences for the inhabitants of the countries that are at war.

On both sides of the conflict, people have been cut off from communications. On the Russian side people have been denied access to most social media, which they have been trying to circumvent by using VPNs. But what is way worse from a human perspective is that worried Ukrainians are unable to reach their relatives in areas that are under attack.

The post Attacks on Ukraine communications are a major part of the war appeared first on Malwarebytes Labs.