
American Airlines suffers data breach after phishing incident

Major airline American Airlines has fallen victim to a data breach after a threat actor got access to the email accounts of several employees via a phishing attack.

According to a published notice of a security incident, the data breach was discovered in July 2022.

How it happened

American Airlines said the successful phishing attack led to the unauthorized access of a limited number of team member mailboxes. American Airlines discovered the breach on July 5, 2022 and immediately secured the impacted email accounts. It then hired a cybersecurity forensic firm to investigate the security incident. A forensic investigation can be a huge help to determine what happened and what the possible consequences of the incident are.

What the attackers had access to

In the notice, American Airlines wrote:

“The personal information involved in this incident may have included your name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information you provided.”

So far, American Airlines has not disclosed the exact number of breached email accounts or how many customers were affected.

Aftermath

American Airlines says it will implement additional technical safeguards to prevent a similar incident from happening in the future.

It offers affected customers a complimentary two-year membership of Experian’s IdentityWorksSM. While we would not recommend paying for such a service, getting it for free may not be a bad deal. Identity theft monitoring services sound great at first: they’re not really expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don’t, at present, protect against the worst impacts of identity theft—the theft itself.

American Airlines says it has no evidence that personal information has been abused, but recommends that you enroll in the free credit monitoring. In addition, customers should be extra vigilant, including by regularly reviewing account statements and monitoring free credit reports.

Phishing

We’d like to add that this type of incident often triggers yet another round of phishing attacks, only targeted at potentially affected customers. Typically these phishing mails will try to leverage some kind of urgency to try and trick you. For example, they might urge you to click some link to claim some sort of compensation for the incident. The sense of urgency is something almost all phishing mails have in common: They do not want you to think, just react.

Other signs that something’s phishy:

  • The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
  • The URL shown on the email and the URL that displays when you hover over the link are different from one another.
  • The “From” address is an imitation of a legitimate address, especially from a business.
  • The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
  • The content is badly written. Sure, there are plenty of bad writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English?
  • The email contains attachments from unknown sources that you were not expecting.
  • The website you are sent to is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)

And each of the above is reason enough to question the legitimacy of the email. Phishers have evolved far past the “Nigerian prince with a treasure” level. Above all else, trust your instincts—if it looks, smells, or feels phishy then it probably is.
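Two of the signs above (a link whose visible text names one site while its target is another, and a link that is not https) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post or from Malwarebytes: it parses the anchors out of an HTML email body and reports, per link, whether the domain shown in the text matches the domain the link actually goes to. The sample message, the airline.example and airline-example.invalid hostnames, and the two-label domain comparison are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not from any real message). The first
# link shows one address in its text but points somewhere else; the second
# is consistent.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, claim your compensation within 24 hours:</p>
<p><a href="http://login.airline-example.invalid/claim">https://www.airline.example/compensation</a></p>
<p>Or view your statement at <a href="https://www.airline.example/statements">airline.example</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Finds a hostname written into the link text, with or without a scheme.
URL_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def registrable(host):
    """Crude 'last two labels' comparison. A public-suffix list is the proper
    tool for this in production; this keeps the example offline."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return the list of phishing indicators found for one link."""
    findings = []
    parsed = urlparse(href)
    if parsed.scheme != "https":
        findings.append("link is not https")
    shown = URL_IN_TEXT.search(text)
    if shown:
        shown_domain = registrable(shown.group(1))
        actual_domain = registrable(parsed.hostname or "")
        if shown_domain != actual_domain:
            findings.append(f"text shows {shown_domain} but link goes to {actual_domain}")
    return findings


def scan_email(html):
    """Map each href in the message to its list of findings (empty = clean)."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", findings or "ok")
```

The same comparison is what a mail gateway or a browser extension does when it rewrites or flags links; the human version is hovering over the link and reading the status bar.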

Stay safe, everyone!

Kiwi Farms breached, user data potentially exposed

The operators of a site known to most observers for being in a recent state of flux have announced a forum breach. Kiwi Farms, which gained a reputation for sophisticated trolling and doxxing, was recently dropped by Cloudflare after a sustained campaign to have the DDoS mitigation and cloud hosting service abandon the forum.

The site has since returned, but with a major problem: a breach which potentially reveals a large amount of user data.

The breach revealed

The site creator had the following to say in relation to the compromise:

The forum was hacked. You should assume the following.

Assume your password for the Kiwi Farms has been stolen.

Assume your email has been leaked.

Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.

The attack made use of the synergy between the main forum site and a second site, XenForo. The latter is a commercial internet forum software package written in PHP. Attackers uploaded a webpage disguised as an audio file to XenForo, then loaded this page elsewhere in a manner which caused user authentication cookies to be sent off-site. The main admin account for the forum was apparently hijacked in this same fashion.
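The post does not spell out the exact upload and cookie mechanics, but the class of problem (a web page accepted as an audio file, later rendered by a browser with the victim’s cookies in play) has a standard set of server-side controls. The following is an added example, not XenForo code and not from Kiwi Farms: it validates an “audio” upload by its magic bytes rather than its name or declared type, emits the headers a site should use when serving user uploads, and builds a session cookie that scripts cannot read. The sample byte strings and the small set of audio signatures are constructed for the example.

```python
# Constructed sample uploads (not files from the incident).
MP3_WITH_ID3_TAG = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 32
HTML_NAMED_AS_MP3 = b"\n<!DOCTYPE html><html><body><script>/* constructed */</script></body></html>"

EXT_TO_MIME = {"mp3": "audio/mpeg", "ogg": "audio/ogg", "flac": "audio/flac", "wav": "audio/wav"}

# Leading bytes that identify each allowed audio container.
AUDIO_MAGIC = {
    "audio/mpeg": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "audio/ogg": (b"OggS",),
    "audio/flac": (b"fLaC",),
    "audio/wav": (b"RIFF",),  # RIFF container; also needs "WAVE" at offset 8
}
MARKUP_PREFIXES = (b"<!doctype", b"<html", b"<script", b"<svg", b"<?xml", b"<body", b"<iframe")


def looks_like_markup(data):
    """True if the file opens like HTML/XML, which a browser could render as a page."""
    head = data[:1024]
    if head.startswith(b"\xef\xbb\xbf"):  # UTF-8 BOM
        head = head[3:]
    return head.lstrip(b" \t\r\n").lower().startswith(MARKUP_PREFIXES)


def sniff_audio(data):
    """Return the audio MIME type identified by magic bytes, or None."""
    for mime, signatures in AUDIO_MAGIC.items():
        for sig in signatures:
            if data.startswith(sig):
                if mime == "audio/wav" and data[8:12] != b"WAVE":
                    continue
                return mime
    return None


def validate_upload(filename, declared_mime, data):
    """Return (accepted, reason). The declared MIME type and the extension are
    both chosen by the uploader, so the decision rests on the bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_TO_MIME:
        return False, "extension not allowed"
    if looks_like_markup(data):
        return False, "content is markup, not audio"
    sniffed = sniff_audio(data)
    if sniffed is None:
        return False, "no audio signature found"
    if EXT_TO_MIME[ext] != sniffed:
        return False, f"extension .{ext} does not match content type {sniffed}"
    if declared_mime != sniffed:
        return False, f"declared {declared_mime} but content is {sniffed}"
    return True, sniffed


def serving_headers(mime, filename):
    """Headers for serving an accepted upload: fixed type, no content sniffing,
    download rather than inline rendering."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }


def session_cookie_header(value):
    """Set-Cookie line for a session cookie that page scripts cannot read and
    that is only sent over HTTPS and, for cross-site navigations, only on top-level GETs."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(validate_upload("track.mp3", "audio/mpeg", HTML_NAMED_AS_MP3))
    print(validate_upload("track.mp3", "audio/mpeg", MP3_WITH_ID3_TAG))
    print(serving_headers("audio/mpeg", "track.mp3"))
```

Serving uploads from a separate origin (a dedicated media hostname with no cookies of its own) is the complementary control; the headers above limit what a browser will do with a file, the separate origin limits what a page loaded from it could reach even if it did render.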

The fallout from a forum compromise

We often warn about using forums without implementing the proper failsafes and protection, and a breach such as this hammers home the point. A lot of users on the site may now have a lot of information exposed that they’d really rather not. Similarly, curious observers or even unwary researchers or law enforcement may have registered and not considered the possibility of a data leak.

This data could end up anywhere, and there’s no surefire way to know what’s been taken. It could end up on other forums, data dumps, or in the hands of law enforcement agencies. No matter what site you’re registered on, you should consider:

  • Use different passwords for all sites. Once those data dumps go public, cybercriminals will try logging in to other accounts using the same email and username combinations.

  • Consider using a VPN, TOR, or some other method to obscure your IP address. Some forums insist on people using their real IP address when registering and posting to a forum, and may even ban or block VPNs, proxies, and other services.

  • Be careful what you reveal to other site users via direct messages. People tend to not delete these messages, and sites don’t always auto-prune older messages. It’s also possible sites may store data sent and received, and not even tell you.

It remains to be seen what happens to Kiwi Farms, and the site owner is looking to migrate away from aspects of the site which led to this compromise. For now, it’s a timely reminder to keep on top of potential system vulnerabilities and also consider what data you may be leaving on a site for others to collect at the worst possible moment.

EDR vs MDR vs XDR – What’s the Difference?

Cyberattacks are rapidly evolving, leaving businesses and their IT security teams to handle immense workloads.

Keeping up with today’s cyberthreats not only involves staying up to date in an ever-changing threat landscape, it also involves managing complex security infrastructure and technologies. Detection and response tools are designed to help security teams monitor, evaluate, and respond to potential threat actor activity.

EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources.

Although detection and response tools share similar purposes, they are not all equal. Every threat detection and response capability has its own advantages when it comes to addressing the needs of your business and catching threats that have thwarted traditional security layers.

Let’s dive into the basics of three common detection and response solutions.

Endpoint Detection and Response (EDR)

Endpoint detection and response (EDR) solutions cover all endpoint monitoring and activity through threat hunting, data analysis, and remediation to stop a range of cyberattacks. These attacks include malware, ransomware, brute force, and zero-day intrusions.

Managed Detection and Response (MDR)

Managed detection and response (MDR) is a service that offers a suite of outsourced capabilities to deliver round-the-clock, 24/7/365 monitoring and detection, proactive threat hunting, prioritization of alerts, correlated data analysis, managed threat investigation, and remediation. MDR is popularly thought of as an in-house Security Operations Center (SOC) alternative. It blends a human element of highly-skilled experts with threat intelligence technologies.

Extended Detection and Response (XDR)

Extended detection and response (XDR) is a proactive cybersecurity solution that provides improved, unified visibility over endpoints, networks, and the cloud through aggregating siloed data across an organization’s security stack.

What is the difference between EDR vs MDR vs XDR?

Today’s industry-leading detection and response technologies rely on threat intelligence data pulled from different sources. This threat intel data varies in readability and usefulness depending on the tool and its intended audience, your security team, decision-makers, or key stakeholders. Not all businesses have the cybersecurity resources to interpret copious amounts of data, investigate alerts, and act on threats.

Let’s compare threat detection and response tools and the challenges they address.

EDR vs MDR

The difference between EDR and MDR is scale.

The needs of your organization, the number of assets and endpoint devices to protect, available resources, bandwidth, and in-house cybersecurity skill level are all factors to consider when it comes to MDR vs EDR. Addressing your business’ security challenges is crucial to understanding how much visibility your company really needs; doing so will help determine the detection and response technology that best fits your business and enhances your cybersecurity stack.

EDR has several benefits and provides holistic visibility into the attack surface of all your endpoints and can detect threats that circumvent legacy endpoint protection platforms (EPP). Endpoint Detection and Response is a staple for establishing a comprehensive security strategy and lays the groundwork for scalable cybersecurity maturity. Although fundamental, it generates a lot of alerts and endpoint telemetry data, adding to its complexity. It requires skilled cybersecurity talent who can readily handle high alert volume, interpret EDR alerts, and respond proficiently. The key takeaway is that standalone EDR products help businesses wanting to enhance their endpoint security posture but require a level of resources and advanced cybersecurity personnel.

MDR security is a managed service which merges human expertise with threat intelligence, offering advanced threat hunting, threat identification, alert prioritization, and incident response. MDR helps businesses obtain outsourced, high-skilled cybersecurity experts at an affordable cost. Regardless of size and level of expertise, your current IT team can leverage a turnkey experience with Managed Detection and Response to close the skill gap in specialized security talent. Small businesses seeking to build security maturity, handle complex threats, and relieve in-house alert fatigue, have everything to gain from Managed Detection and Response.

MDR vs XDR

XDR works to consolidate alerts and unify previously siloed data from a range of cybersecurity tools. Businesses struggling with an influx of alerts across multiple existing security tools have the most to benefit from XDR solutions. Providing extended visibility, the tool is centered on aggregating and correlating telemetry from various security tools and enhancing defense across the security ecosystem.

Extended Detection and Response addresses the challenges of businesses with multilayered security architecture.

Tips for choosing a threat detection and response tool for your business

Choosing the right detection and response tool starts with addressing your business’ security needs at scale. Simply put, your organization should consider the following questions:

• What does my company need to protect? What assets are most vulnerable to being compromised?
• How much visibility does my organization need?
• Does my security team have the skillset, time, and bandwidth to handle large security workloads?
• What are the resource constraints of my organization?
• Who will be analyzing, investigating, and responding to detected threats, alerts, and data?


A week in security (September 12 – 18)

Last week on Malwarebytes Labs:

Stay safe!

Hookup site targeted by typo-squatters

Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains, many of which are spelling variations of the brand name Sniffies.

Sniffies identifies itself as a “modern, map-based, meetup app for gay, bi, and curious guys.”

Kody used an open source tool called DNSTwist to generate a list of lookalike domains for Sniffies.com. Out of the 3531 possibilities generated by the tool, 51 represented valid domains.

“I saw a good amount of domains registered with the same MX server set up, even though the domains were hosted on random platforms.”

A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. Domains hosted on unrelated platforms but sharing the same MX setup would imply that they were set up by the same threat actor.
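To show what a DNSTwist-style enumeration does, and why the shared MX record mattered, here is an added example (not DNSTwist itself and not Kody Kinzie’s work). It generates lookalike domains from common typing errors (omission, repetition, transposition, adjacent-key replacement and insertion) and then clusters whichever candidates resolve to the same mail server. The brand name brandsite.example, the QWERTY adjacency table and the MX “lookup results” are all constructed; a real run would resolve each candidate with DNS queries, which this offline example replaces with a dictionary.

```python
from collections import defaultdict

# Keys adjacent on a QWERTY keyboard, used for "fat finger" substitutions.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "wedxza",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_candidates(domain):
    """Generate lookalike domains from common typing errors. Returns a sorted
    list that excludes the original domain itself."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                        # omission:      brandsite -> randsite
        out.add(name[:i] + ch + name[i:])                       # repetition:    brandsite -> bbrandsite
        if i < len(name) - 1:
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition: brandsite -> rbandsite
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(name[:i] + near + name[i + 1:])             # replacement:   brandsite -> vrandsite
            out.add(name[:i] + near + name[i:])                 # insertion:     brandsite -> vbrandsite
    out.discard(name)
    return sorted(f"{n}.{tld}" for n in out if n and not n.startswith("-") and not n.endswith("-"))


def group_by_mx(candidates, mx_lookup):
    """Cluster registered candidates that share an MX host. mx_lookup maps a
    domain to its MX host (absent = unregistered or no MX). In practice the
    mapping comes from DNS; here it is a constructed dict."""
    groups = defaultdict(list)
    for d in candidates:
        mx = mx_lookup.get(d)
        if mx:
            groups[mx].append(d)
    return {mx: sorted(ds) for mx, ds in groups.items() if len(ds) > 1}


# Constructed "resolution results" for the constructed brand brandsite.example:
# three typos point at one mail host, a fourth at an unrelated one.
CONSTRUCTED_MX = {
    "brandsit.example": "mail.bulk-sender.invalid",
    "brandiste.example": "mail.bulk-sender.invalid",
    "vrandsite.example": "mail.bulk-sender.invalid",
    "brandsitee.example": "mx.unrelated-host.invalid",
}

if __name__ == "__main__":
    cands = typo_candidates("brandsite.example")
    print(len(cands), "candidates generated")
    for mx, doms in group_by_mx(cands, CONSTRUCTED_MX).items():
        print(mx, "->", doms)
```

For brand protection the same output feeds a watch list: candidates that are unregistered today can be checked again periodically, and a new registration that lands on an MX host already seen in an abusive cluster is worth a takedown request early.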

Typosquatting

Typosquatting is a term you may have seen when reading about Internet scams. In essence it relies on users making typing errors (typos) when entering a site or domain name. Sometimes it is also referred to as URL hijacking or domain mimicry, but IMHO the word typosquatting more accurately describes the matter. As you will understand, the success of a typosquat scammer depends on the number of victims that are likely to misspell the intended domain and land on the scammers’ pages.

One factor is the popularity of the domain. With an estimated number of 79,600 visitors per day, Sniffies certainly qualifies in that department.

Advertising

BleepingComputer’s test results were described as:

“Once accessed, the illicit ‘Sniffies’ copycat domains do one of the following things:

  • Push the user to install dubious Chrome extensions
  • Launch the ‘Music’ App on Apple devices right from the web browser
  • Lead the users to bogus technical ‘support’ scam sites
  • Lead the users to fake job posting sites”

Obviously, we did some testing of our own. We found some domains that had either been abandoned or parked for the future, but some did what they were set up for—redirect visitors based on some basic system properties and the location (based on IP address).

Most of the redirects we found at Malwarebytes went to advertising sites that were more or less legitimate. But certainly not what the user would be looking for. Many shared this look, offering the visitor a few choices.

[Image: advertisement choices]

In one instance (Dutch IP, Windows system) we were redirected to a fake Microsoft Defender warning site (including soundtrack and locked screen), parked in the domain ondigitalocean.app which has been on Malwarebytes’ radar for some time.

[Image: fake Microsoft Defender warning]

We also found one of the Chrome extensions that BleepingComputer described as dubious. Malwarebytes detects these extensions as PUP.Optional.AdMax.

[Image: Adblock Max extension]

Mitigation

While it’s certainly nice to read how these campaigns work and how the research was done, Sniffies is just an example of what is out there.

To avoid falling victim to typosquatters, there are a few basic measures you can take, which are in essence aimed at not typing the URL.

  • Bookmark your favorites
  • Use search results rather than typing the URL in the address bar
  • Leave some or all of the sites that you visit every day open in your browser tabs (most popular browsers offer the option to continue where you left off or to specify a set of sites to start with)
  • Never click links in unexpected emails or on unknown sites
  • Use an antivirus or anti-malware solution that offers web protection and preferably even an anti-exploit solution.

Stay safe, everyone!


3 ways MDR can drive business growth for MSPs

The managed service provider market is growing rapidly. As cyberattacks continue to increase worldwide, more and more small-and-medium-sized businesses (SMBs) are looking to MSPs to take the load off when it comes to securing their business. 

With more business, of course, comes more competition—and what better way to whet your competitive edge than to offer security services that SMBs desperately need?

It’s a no-brainer. By focusing on the specific security needs of their customers, MSPs can attract and retain the 91% of SMBs who would consider switching service providers if another one offered the “right” cybersecurity services.

Okay, but that begs the question: exactly what security services should MSPs be offering to their clients? Endpoint protection, EDR, and VPM services are high up there—but you may not know that Managed Detection and Response (MDR) is another must-have.

MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack. Gartner reports that, by 2025, 50% of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment capabilities.

The core service capabilities of MDR include:

  • 24×7 monitoring of an organization’s environment for threats.

  • Threat detection, alerting, and response from highly experienced security analysts.

  • Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.

  • Proactive cyber threat hunting based on past indicators of compromise (IOCs)

While it’s technically possible for MSPs to build out their own MDR program in-house, doing so takes the same time, expense, and effort as starting an entirely new IT security department. You’ll need to build out your own security operations center (SOC) facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on.

In short, the expertise and infrastructure required for MDR is why many MSPs opt to outsource their MDR to a service provider. 

Here are three ways MDR can drive business growth for MSPs.

1. Minimize dwell time

In the cybersecurity world, dwell time is the time that elapses between malware or an attacker infiltrating a system and the moment they are detected (and removed).

The longer the dwell time, the longer an attacker has to elevate their privileges and move deeper into a network in search of sensitive data and other high-value assets. We call this lateral movement—and MDR can nip it in the bud, preventing a potential data breach. It’s all made possible by threat hunting. 

Threat hunting typically includes two essential functions in the delivery of MDR services:

  • A research-based approach, where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services. 

  • An active hunting approach, where security analysts systematically review your organization’s environment to uncover any current suspicious activity or newly emerging indicators of compromise (IOCs) that are in progress.  

Because both research-based and active threat hunting can stop an attacker before they exfiltrate data or deploy ransomware, outsourcing your threat hunting can greatly help control infections for your MSP clients. And if you have a reputation for letting fewer threats through than your competitors, you’ll likely attract more business.

Read: Cyber threat hunting for SMBs: How MDR can help

2. Overcome alert fatigue

Let’s say your MSP business serves more than 60 customers, ranging from small businesses with a handful of employees to larger companies with about 150 users. 

Every day, your small team works to protect thousands of endpoints, and deals with an ever-growing number of alerts.

With constant alerts demanding attention, MSP security analysts end up being overworked and exhausted, reducing their ability to properly identify and triage alerts to prevent malware infections and the spread of damage. That can lead to missed threats getting through to clients—ultimately leading to data loss and downtime for their organizations.

By outsourcing your MDR, your environment is monitored 24x7x365 by a team of advanced cybersecurity analysts. Rather than scrambling to identify and understand critical threat alerts, your MSP team receives notifications from the MDR team with guidance to remediate critical threats.

Not only can this increase your team’s morale and job satisfaction, but it also opens your team’s resources to focus on net new billable projects.

3. Increase customer satisfaction and MRR

If you’re an MSP, you might find three ways to take your business to the next level:

  • Increasing your number of customers offers increased monthly recurring revenue (MRR) and diversifies your client base, but providing the services businesses are looking for could require extra staff.

  • Recruiting larger customers could increase MRR at a lower marginal cost than serving multiple small clients, but a larger client could require more resources to properly manage.

  • Upselling existing customers would allow your MSP to build upon your current customer base, but it will require a compelling value proposition to encourage satisfied customers to increase their monthly spend.

Finding an offering that provides 24x7x365 security is a great way to increase your number of customers, recruit larger customers, and upsell existing customers all at once—and MDR can make it happen. Specifically, other than 24×7 real-time threat detection and threat hunting, MDR offers a few other key features that businesses of all sizes are looking for:

  • Threat intelligence: Provides insights into who attackers are, where they can access the network, and specific actions that can be taken to strengthen defenses against a future attack. 

  • Effective threat response: An MDR service provider with top-tier security analysts will have the skills to tackle complex threats. This will reduce an organization’s mean time to respond (MTTR).

  • Reporting: MDR service providers give transparent and consistent communication, sharing details about their threat detection and giving expert guidance on responding to and remediating security threats.

By outsourcing your MDR, you can offer all of these in-demand activities for current and prospective clients without needing your own in-house MDR tools and staff.

Transform your MSP business with MDR

The threat hunting, threat intelligence, and threat response capabilities of MDR make it a must-have solution for any security-minded SMB. Likewise, with the demand for MDR services on the rise, MSPs would be wise to include it in their security portfolio. 

For many MSPs, however, delivering MDR services isn’t possible with their current staff and tools. 

Partnering with an MDR vendor provides several key advantages, giving you fast time-to-market to immediately address market demand and enabling you to offer a service that has top-tier professionals and uses the best security tools. 

Want to learn more about the tools MDR analysts use to detect and respond to threats? Check out our webinar: Malwarebytes for Business Demo.


Uber hacked

Uber informed the public on Thursday it was responding to a cybersecurity incident after somebody breached its network. From what we have been able to find out so far, the attacker managed to compromise an employee’s access to the chat app Slack. The intruder may also have gained access to the Amazon and Google-hosted cloud environments where Uber stores its source code and customer data, and to the company’s HackerOne account, which contains information about security flaws in its products.

There has been no indication that Uber’s fleet of vehicles or its operation was affected.

Security researchers that spoke with the hacker, who claims to be 18 years of age, are under the impression that the threat actor’s main motive seems to be to show off what he did. The person also said Uber drivers should receive higher pay.

A highly respected source revealed that the threat actor spammed an employee with MFA push requests, an established tactic that can defeat some kinds of multi-factor authentication by simply annoying a victim into submission. This type of MFA sends a notification to a user whenever their username and password are used. The user has to approve the login by pressing a button on a smartphone app. The idea is that a stolen username and password are useless to an attacker unless they also have physical access to the victim’s phone. It doesn’t always work like that though. Unfortunately, some criminals have learned that they can batter people into submission by repeatedly using the username and password until the victim approves the login just to make the notifications stop.

In this case the attacker reportedly contacted the employee on WhatsApp and told them they had to accept the requests to make them stop, at which point the victim did as instructed.
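The push-spam pattern described above leaves a recognisable trace in the identity provider’s logs: a burst of pushes for one user, several denied or ignored, then an approval. The following is an added example, not Uber’s tooling and not from any vendor: it runs two detections over a constructed set of push-MFA events, one that alerts on the burst before anyone gives in and one that flags an approval that followed repeated rejections. The log format, usernames, timestamps and addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA events, not logs from the incident.
# Fields: timestamp, user, result, source IP of the login attempt.
SAMPLE_EVENTS = """
2022-09-15T02:10:01Z alice push_sent 198.51.100.7
2022-09-15T02:10:05Z alice push_denied 198.51.100.7
2022-09-15T02:10:40Z alice push_sent 198.51.100.7
2022-09-15T02:10:44Z alice push_denied 198.51.100.7
2022-09-15T02:11:10Z alice push_sent 198.51.100.7
2022-09-15T02:11:30Z alice push_timeout 198.51.100.7
2022-09-15T02:12:02Z alice push_sent 198.51.100.7
2022-09-15T02:12:15Z alice push_approved 198.51.100.7
2022-09-15T09:00:00Z bob push_sent 203.0.113.5
2022-09-15T09:00:04Z bob push_approved 203.0.113.5
"""

REJECTIONS = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse the constructed log into (timestamp, user, result, ip) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return sorted(events)


def push_bursts(events, window=timedelta(minutes=10), min_pushes=3):
    """Early warning: users who received min_pushes or more pushes inside one
    window, regardless of outcome. Returns {user: largest burst size}."""
    times_by_user = defaultdict(list)
    for ts, user, result, _ in events:
        if result == "push_sent":
            times_by_user[user].append(ts)
    bursts = {}
    for user, times in times_by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_pushes:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=2):
    """Flag users who approved a push shortly after rejecting or ignoring
    several others: the signature of someone worn down into tapping 'approve'."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        for idx, (ts, _, result, ip) in enumerate(evs):
            if result != "push_approved":
                continue
            recent = [e for e in evs[:idx] if ts - e[0] <= window]
            rejected = sum(1 for e in recent if e[2] in REJECTIONS)
            if rejected >= min_rejections:
                findings[user] = {
                    "approved_at": ts.isoformat(),
                    "pushes_in_window": sum(1 for e in recent if e[2] == "push_sent"),
                    "rejected_in_window": rejected,
                    "source_ip": ip,
                }
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("bursts:", push_bursts(events))
    print("fatigue approvals:", detect_push_fatigue(events))
```

The burst detector is the one to wire to an automatic response (rate-limit further pushes for that user, or switch them to number matching, which defeats blind approval because the user must type a code shown on the login screen); the second detector is the one to page an analyst, since by the time it fires a session has already been granted and should be revoked.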

Slack

Slack is a messaging system that’s widely used by, and within, tech companies as an alternative to email. It allows direct messages between individuals, and conversations among groups of people take place in channels dedicated to specific topics or areas of concern. Channels contain a complete history of every conversation they have ever hosted, and may contain sensitive or valuable information. In other words, Slack can be a potential gold mine for an attacker looking to expand their access and impact.

The New York Times reports that Uber was forced to take several internal communications and engineering systems offline after the attacker used Slack to send a message to Uber employees.

The Slack message, including spelling errors, read:

“I announce I am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and two monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”

The message was received as a joke by Uber’s employees in the Slack channel at first, but people soon started realizing the claims were serious. To prove that the intruder really had access they posted a photo on an internal information page for employees, as well as screenshots of the Uber AWS instance, HackerOne administration panel, and more.

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses who want to know about security issues in their products with penetration testers and cybersecurity researchers looking to be rewarded for their bug-hunting efforts.

I suppose if there is one thing you don’t want a hacker to get their hands on, it’s the company’s HackerOne administration panel. Imagine someone having access to a list of unfixed security vulnerabilities affecting your organization, alongside proof-of-concept code that can exploit them.

We reached out to HackerOne to ask about the security measures that apply to a company account. We are awaiting their response.

No hush, hush this time

Uber famously covered up a 2016 data breach that affected its 57 million customers and drivers. The company hid the incident from the public and paid the hackers $100,000 to delete the data and keep quiet. That Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred. Uber settled the case with the DOJ (US Department of Justice) and paid $148M for civil litigation settlement.

School app Seesaw compromised to send shock NSFW image

On Wednesday, parents and teachers reported that student learning platform, Seesaw, had been hacked after some users received an infamous explicit photo known as “goatse” on private chats. Schools from districts in Colorado, Illinois, Kansas, Michigan, New York, Oklahoma, South Dakota, and Texas all experienced similar issues, and began to send out warnings like the one below:

[Image: example warning sent out by a school district]

San Francisco-based Seesaw, which prides itself on having more than 10 million users, declined to comment on how many were affected.

In a news release, Seesaw said it wasn’t hacked but was compromised via “a coordinated ‘credential stuffing’ attack” in which widely available compromised credentials—email address and password combinations—were used to illegally take over Seesaw accounts.

“We have no evidence that the attacker performed additional actions in Seesaw beyond logging in and sending a message from these compromised accounts,” the notification said.

In an update, Seesaw said it has removed the inappropriate link, which is a bit.ly shortened URL, and undertook other actions to make sure that no one can access the link anymore.

“However, in a few instances, if the message was already loaded in a web browser or one of our apps, the message may have been cached on your device,” it added. “To ensure that no one has access to the inappropriate message, we recommend all everyone *refresh their web browsers and refresh their mobile apps*. On mobile, you can update your device to the latest app version (version 8.1.2, released today) and re-launch Seesaw OR close and re-open the Seesaw app.”

Seesaw has adjusted its detection and blocking feature and is slowly bringing back the messaging feature of the app after it temporarily disabled it as part of sorting out the compromise.

Say ‘no’ to password reuse

The Seesaw incident is a timely example of why it’s important for people not to reuse passwords across different accounts. Often when a breach occurs the stolen credentials are sold on to more cybercriminals who then try these logins on other sites.
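Credential stuffing has a distinctive shape in an authentication log, and it is different from a brute-force attack on a single account: one source trying many different usernames, each once, with mostly failures and an occasional success. The following is an added example, not Seesaw’s detection logic: it runs that heuristic over a constructed login log and lists, for each flagged source, the accounts whose logins succeeded (the ones to force a reset on). The log lines, addresses and usernames are constructed; a production version would also bucket by time window and by the ASN or reputation of the source.

```python
from collections import defaultdict

# Constructed authentication log, not Seesaw's. Format: timestamp source_ip username result
SAMPLE_AUTH_LOG = """
2022-09-14T03:00:01Z 203.0.113.9 user1@school.example FAIL
2022-09-14T03:00:02Z 203.0.113.9 user2@school.example FAIL
2022-09-14T03:00:02Z 203.0.113.9 user3@school.example FAIL
2022-09-14T03:00:03Z 203.0.113.9 user4@school.example FAIL
2022-09-14T03:00:03Z 203.0.113.9 user5@school.example FAIL
2022-09-14T03:00:04Z 203.0.113.9 user6@school.example FAIL
2022-09-14T03:00:04Z 203.0.113.9 user7@school.example SUCCESS
2022-09-14T03:00:05Z 203.0.113.9 user8@school.example FAIL
2022-09-14T08:15:10Z 198.51.100.2 bob@school.example FAIL
2022-09-14T08:15:20Z 198.51.100.2 bob@school.example FAIL
2022-09-14T08:15:31Z 198.51.100.2 bob@school.example SUCCESS
"""


def parse_auth_log(text):
    """Parse the constructed log into (timestamp, ip, user, result) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        rows.append((ts, ip, user, result))
    return rows


def detect_credential_stuffing(rows, min_distinct_users=5, min_failure_ratio=0.6):
    """Per source IP: many *different* usernames with mostly failures is the
    stuffing signature. (A brute force on one account looks different: one
    user, many attempts.) Successful logins from a flagged IP are the accounts
    whose credentials were already known to the attacker."""
    by_ip = defaultdict(list)
    for _, ip, user, result in rows:
        by_ip[ip].append((user, result))
    findings = {}
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        failures = sum(1 for _, r in attempts if r == "FAIL")
        if len(users) >= min_distinct_users and failures / len(attempts) >= min_failure_ratio:
            findings[ip] = {
                "distinct_users": len(users),
                "attempts": len(attempts),
                "accounts_to_reset": sorted(u for u, r in attempts if r == "SUCCESS"),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

Note that bob, who mistyped his password twice and then got in, is not flagged: the distinct-user count is what separates a clumsy owner from a list being replayed. The accounts in `accounts_to_reset` are exactly the ones the “password reuse” advice above is about, because their credentials were valid somewhere else first.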

To eradicate password reuse forever, get yourself a password manager to create and remember unique, complex passwords. All you need is one very long and very complicated password for the password manager itself—you can combine random words or think of a ridiculous phrase that is unguessable. 

Seesaw endorsed a guideline for creating and managing passwords by CISA (Cybersecurity & Infrastructure Security Agency). Responsible parents, teachers, and guardians would also be wise to heed this.

Stay safe!

Malvertising on Microsoft Edge’s News Feed pushes tech support scams

While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.

We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.

In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months.

Overview

The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. We have identified several ads that are malicious and redirect unsuspecting users to tech support scams.

The redirection flow can be summarized in the diagram below:


Technical details

When a user clicks on one of the malicious ads, a request to the Taboola ad network is made via an API (api.taboola.com) to honor the click on the ad banner. The server will respond with the next URL to load, in the following format:

document.location.replace('https://[scammer domain]/{..}/?utm_source=taboola&utm_medium=referral

The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target.


An original version of this script can be found here, while a beautified version can be found here.

The goal of this script is to show the malicious redirection only to potential victims. Bots, VPN users and visitors from geolocations that are not of interest are instead shown a harmless page related to the advert.

This scheme is meant to trick unsuspecting users with fake browser locker pages, a well-known technique used by tech support scammers. What’s worth noting is the cloud infrastructure that is being leveraged here, which makes it very difficult to block.


These are subdomains on ondigitalocean.app which are constantly changing; in the span of 24 hours, we collected over 200 different hostnames.
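As an added illustration (not code from the article or from Malwarebytes), the following Python shows how a defender could spot this chain in proxy logs: a click honored through api.taboola.com, an intermediate hop tagged utm_source=taboola&utm_medium=referral, then a landing on a *.ondigitalocean.app subdomain, plus a count of how many distinct landing hostnames appear in a day. The log lines, client addresses and hostnames are constructed placeholders.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

AD_CLICK_HOST = "api.taboola.com"          # click-honoring API named in the article
LANDING_SUFFIX = ".ondigitalocean.app"     # cloud-hosted browser-locker subdomains

# Constructed proxy log lines (not from the article): "time client referrer url".
# Hostnames are placeholders shaped like the chain the article describes.
LOG_LINES = [
    "2022-09-19T10:00:01Z 10.0.0.5 https://www.msn.com/ https://api.taboola.com/1.2/json/click?id=1",
    "2022-09-19T10:00:02Z 10.0.0.5 https://api.taboola.com/ https://feed-a.test/x/?utm_source=taboola&utm_medium=referral",
    "2022-09-19T10:00:04Z 10.0.0.5 https://feed-a.test/x/ https://aa11-bb22.ondigitalocean.app/lock/",
    "2022-09-19T11:30:00Z 10.0.0.9 https://www.msn.com/ https://api.taboola.com/1.2/json/click?id=2",
    "2022-09-19T11:30:01Z 10.0.0.9 https://api.taboola.com/ https://feed-b.test/y/?utm_source=taboola&utm_medium=referral",
    "2022-09-19T11:30:03Z 10.0.0.9 https://feed-b.test/y/ https://cc33-dd44.ondigitalocean.app/lock/",
    "2022-09-19T12:00:00Z 10.0.0.7 https://intranet.test/ https://docs-site.ondigitalocean.app/",  # benign: no ad chain
]

def parse_line(line):
    ts, client, referrer, url = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, referrer, url

def is_taboola_referral(url):
    """True for the intermediate hop: utm_source=taboola together with utm_medium=referral."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("utm_source") == ["taboola"] and qs.get("utm_medium") == ["referral"]

def detect_chains(lines, window_seconds=30):
    """One record per client that completed click -> referral hop -> *.ondigitalocean.app
    landing within the window. State is kept per client so interleaved users do not mix."""
    state, hits = {}, []
    for line in lines:
        ts, client, _, url = parse_line(line)
        host = urlparse(url).hostname or ""
        st = state.get(client)
        if st and ts - st["t"] > timedelta(seconds=window_seconds):
            st = state[client] = None          # stale partial chain, discard it
        if host == AD_CLICK_HOST:
            state[client] = {"t": ts, "stage": 1}
        elif st and st["stage"] == 1 and is_taboola_referral(url):
            st.update(t=ts, stage=2, mid=host)
        elif st and st["stage"] == 2 and host.endswith(LANDING_SUFFIX):
            hits.append({"client": client, "intermediate": st["mid"], "landing": host, "time": ts})
            state[client] = None
    return hits

def distinct_landing_hosts(hits, hours=24):
    """Distinct landing hostnames within `hours` of the first hit. High churn is the signal the
    article describes (200+ hostnames in a day), so block on the chain pattern, not the name."""
    if not hits:
        return 0
    start = min(h["time"] for h in hits)
    return len({h["landing"] for h in hits if h["time"] - start <= timedelta(hours=hours)})
```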

Infrastructure

The advertisements displayed on the Edge News Feed are linked with the following domains (this list is not exhaustive):


One of the domains, tissatweb[.]us, which was also publicly reported for hosting a browser locker, has interesting whois data:

Registrant Email: sumitkalra1683@gmail[.]com

That email address is associated with the following additional domains:


The email address belongs to an individual named Sumit Kalra who is listed as a director for Mws Software Services Private Limited, a company located in Delhi whose principal business activity is “Computer and related activities”.

Protection

This particular campaign is currently one of the biggest we are seeing in terms of telemetry noise.


The fingerprinting to avoid detection is interesting and more sophisticated than usual. We will continue to expose and report abusive infrastructure used for scams.

Malwarebytes users were already protected against this tech support scam thanks to our Browser Guard extension.

Cyber threat hunting for SMBs: How MDR can help

When you hear the words “cyber threat hunting”, you just may picture an elite team of security professionals scouring your systems for malware. Sounds like something only huge businesses or nation states would need to do, right?

Not quite. Threat hunting is just as essential for small-and-medium-sized businesses as it is for larger organizations—for the simple reason that threat actors see SMBs as an easy way to make a quick buck.

Cybercriminals know that most SMBs don’t have the budget for robust cybersecurity technology or seasoned security professionals. And when hackers attack, it stings: In 2021, the average cost of a data breach for businesses with fewer than 500 employees was $2.98 million.

Threat hunting can weed out malware before anything bad like a data breach can happen. Unfortunately, cyber threat hunting is more difficult for SMBs to do than it is for large organizations due to the aforementioned resource constraints. That’s where Managed Detection and Response (MDR) can help. 

In this article, we’ll review what MDR and threat hunting are, and how exactly MDR can help SMBs with cyber threat hunting.

What is cyber threat hunting?

Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23% of intrusions lead to ransomware, 29% to data theft, and 30% to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.

Threat hunting is all about nipping these sorts of stealthy attackers in the bud. And not only dormant attackers, but dormant malware too.

Threat hunting arrived on the scene as an important security practice with the increased prevalence of unidentifiable or highly-obfuscated threats—those that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

The bad news for SMBs: Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC). That’s where MDR comes in.


What is MDR?

Managed Detection and Response, or MDR, is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack. Using a combination of Endpoint Detection and Response (EDR) technology and human-delivered security expertise, an MDR service provides advanced attack prevention, detection, and remediation, as well as targeted and risk-based threat hunting. 

The core service capabilities of MDR include:

  • 24×7 monitoring of an organization’s environment for threats.

  • Threat detection, alerting, and response from highly experienced security analysts.

  • Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.

  • Proactive cyber threat hunting based on past (and newly reported) indicators of compromise (IOCs).

So, as you can see, MDR is much, much more than just threat hunting.

While it’s technically possible for SMBs to build out their own MDR program in-house, doing so is a time, expense, and effort equivalent to starting an entirely new IT security department. You’ll need to build out your own SOC facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on. That’s why many SMBs opt to outsource their MDR to a service provider.

In short, MDR is a service designed to protect an organization’s data and assets, even if a threat eludes EDR security detection. Outsourcing your MDR alleviates the capital expenditures (CapEx) of purchasing a SIEM or other security tools and gives SMBs a fast time-to-market to immediately address their security needs.

Cyber threat hunting and MDR

Now, let’s bring this thing full circle: what does threat hunting for SMBs look like as a managed service? 

Threat hunting typically includes two essential functions in the delivery of MDR services. The first one is research-based threat hunting where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services.

“Let’s say we get our intelligence and it says listen, if you see these five files with this hash, it’s most likely this attack. Because we understand the tools, tactics, and motives of the adversary, we can say oh, look, we just found one of those five files,” says Bob Shaker, VP, Managed Services at Malwarebytes.

“We know they’re trying to steal certain types of data. I’m gonna go look and see if that data is being exfiltrated. And there it is. There’s a folder created and all the data is being copied into this folder. This is that attack.”

The second approach is active threat hunting, where security analysts systematically review your organization’s environment to uncover suspicious activity that is currently in progress, or newly emerging IOCs.

Shaker explains this second approach: “Here’s how it works: Intelligence and data comes into the MDR team. The team creates playbooks that execute against the customers’ environment, looking at the EDR data that’s been collected for one of those indicators of compromise.”

“When an IOC is found in the EDR data, the analyst takes the next step to investigate wherever it was found to determine if it’s an attack or not. If not, they mark it as a false positive. And if it is, they take whatever the appropriate steps are that the customer allows them to take. Then they notify the customer with potential remediation actions, such as deletion, quarantine, blocking, and the customer chooses.”

Shaker further notes that, if a threat slips through the cracks of your MDR provider and an attack is successful, then there’s nothing your MDR can do anymore. The point of MDR is to do everything it can to stop the threat at the point of attack: after that, your incident response company takes over.
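To make the two hunting modes Shaker describes concrete, here is an added Python example (not Malwarebytes’ playbook code) that runs a research-based IOC hash match over constructed EDR events and, only where a hash hits, checks for the staging behaviour he describes: a new folder created and many files copied into it shortly afterwards. Hashes, hostnames and paths are placeholders; the verdict is a lead for the analyst, who still confirms it or marks it a false positive.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Research-based hunt input: file hashes from a (constructed) intel report, the "five files
# with this hash" case Shaker mentions. Placeholder values, not real indicators.
IOC_HASHES = {"a" * 60 + f"{i:04d}" for i in range(5)}

def ev(t, host, kind, **detail):
    return datetime.fromisoformat(t), host, kind, detail

# Constructed EDR telemetry (not from the article); hosts and paths are placeholders.
EDR_EVENTS = [
    ev("2022-09-19T08:00:00", "ws-17", "file_write", sha256="a" * 60 + "0001", path="C:/Temp/svc.exe"),
    ev("2022-09-19T08:05:00", "ws-17", "dir_create", path="C:/ProgramData/stage"),
    ev("2022-09-19T09:00:00", "ws-22", "file_write", sha256="a" * 60 + "0003", path="C:/Temp/upd.exe"),
    ev("2022-09-19T09:30:00", "ws-30", "dir_create", path="D:/backup"),
]
# Five copies into the new folder on ws-17 minutes later; six copies on ws-30 with no IOC (a backup job).
EDR_EVENTS += [ev(f"2022-09-19T08:{6 + i:02d}:00", "ws-17", "file_copy", dst=f"C:/ProgramData/stage/doc{i}.pdf") for i in range(5)]
EDR_EVENTS += [ev(f"2022-09-19T09:{31 + i:02d}:00", "ws-30", "file_copy", dst=f"D:/backup/f{i}") for i in range(6)]

def hunt(events, ioc_hashes, window=timedelta(minutes=30), min_copies=5):
    """Playbook: (1) match IOC hashes across hosts; (2) on matching hosts only, look for a folder
    created after the IOC that then receives >= min_copies files within the window.
    Returns host -> finding. Hosts with no IOC hit are out of scope for this hunt."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e[0]):
        by_host[e[1]].append(e)
    findings = {}
    for host, evs in by_host.items():
        ioc = next((e for e in evs if e[2] == "file_write" and e[3].get("sha256") in ioc_hashes), None)
        if ioc is None:
            continue
        finding = {"ioc_path": ioc[3]["path"], "staging_dir": None, "copied": 0,
                   "verdict": "ioc_only: investigate"}
        for d in (e for e in evs if e[2] == "dir_create" and ioc[0] <= e[0] <= ioc[0] + window):
            prefix = d[3]["path"].rstrip("/") + "/"
            n = sum(1 for e in evs if e[2] == "file_copy" and e[3]["dst"].startswith(prefix)
                    and d[0] <= e[0] <= d[0] + window)
            if n >= min_copies:   # the "folder created and all the data copied into it" pattern
                finding.update(staging_dir=d[3]["path"], copied=n,
                               verdict="ioc+staging: suspected exfiltration prep")
        findings[host] = finding
    return findings
```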

SMBs need cyber threat hunting—and MDR can help them do it 

Threat hunting is essential for small-and-medium-sized businesses, as attackers can potentially remain undetected for over two weeks after compromising a network.

Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. In this article, we’ve outlined how outsourcing your threat hunting to an MDR service can help.

Want to learn more about MDR and threat hunting? Check out the resources below. 

Featured articles 

What is Threat Hunting?

What is Threat Intelligence?

What is MDR?

What is SIEM?

What is SOC?

Webinar: Malwarebytes EDR Product Demo