IT NEWS

Phishers use verified status as bait for Instagram users

Another Instagram phish is doing the rounds, and will appeal to a wide variety of platform users. Bleeping Computer reports that verified status is once again being dangled as bait.

The “importance” of being verified

Being verified gives the impression of status, or importance, on social media platforms. Often, verification is simply confirmation that someone is who they claim to be. There are many verified accounts out there for people you’ll not have heard of, and that’s perfectly fine. At the other end of the scale, it is definitely an additional status symbol for people who care about such things. It’s also very handy for confirming that high-profile accounts are the real deal.

Scammers know this, and bank on it on a daily basis. Indeed, a whole sub-industry of fake verification services exists to part people from their money (and, potentially, accounts).

It’s not just the scams on the platform itself you have to be wary of. It’s the messages bouncing around off-platform too.

The phish in motion

No fewer than 1,000 phishing messages per day were sent in this particular campaign, peaking at the end of July and early August. The mails, branded to resemble official Instagram / Facebook missives, read as follows:

Your Instagram account has been reviewed by us and has been deemed eligible for a blue badge. To get your blue badge, please click the badge form button below and fill the form carefully. Make sure you fill out the form correctly and completely. Otherwise, your account will not be verified. If you ignore this message, the form will be permanently deleted within 48 hours.

An interesting scam combo, here. The usual splash of time-related pressure to get something done “or else”. Add to this the suggestion that the hard part, actually getting verified in the first place, is all but done. All you have to do is click a button and essentially say “yes please”.

Sounds great. Sounds too good to be true. (Because it is.)

You won’t get something for nothing

The bogus website, adorned with several Facebook-centric logos, asks for username, password, email, and phone number. Anyone filling out the form and hitting submit is going to be very disappointed. The only winner here is the scammer, who now has everything they need to steal the victim’s Instagram account.

As highlighted by Instagram, notability—”Your account must represent a well-known, highly searched for person, brand or entity”—is a seemingly non-negotiable part of the verification deal. You won’t grab verification, no matter how many promises those dubious verification services make. 

If you’ve fallen for this, go and change your login details while there’s still time. Consider enabling Instagram’s two-factor authentication. You may be able to gain verification on other social media platforms even without what is considered to be a “notable” profile. As far as Instagram is concerned though, you’re just going to have to ignore those tempting email invitations.

Microsoft will disable Basic authentication for Exchange Online in less than a month

Microsoft has posted a reminder on the Exchange Team blog that Basic authentication for Exchange Online will be disabled in less than a month, on October 1, 2022.

The change was first announced on September 20, 2019. With so much warning you might expect organizations to be ready, and many are. But there has been an entire pandemic since then, and no shortage of other things for Exchange admins to worry about. So, as always, some aren’t ready.

Goodbye “Basic”, hello “Modern”

For many years, client apps have used Basic authentication to connect to servers, services and endpoints. It is enabled by default on most servers and services and it’s easy to set up. Basic authentication sends the username and password with every request, merely base64-encoded rather than encrypted, and the scheme itself does not require TLS. Without TLS the credentials cross the wire in plain text and are trivial to intercept; even with TLS, a static password is handed over on every request, and anyone who obtains it can replay it. To make matters worse, according to Microsoft, using Basic authentication means “the enforcement of multifactor authentication (MFA) is not simple or in some cases, possible”—an absolute no-no for 2022.

Microsoft wants its customers to switch to Modern authentication (OAuth 2.0 token-based authorization). Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client, like a laptop or a phone, and a server. It enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.

The schedule

The change applies to MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. SMTP AUTH is not affected. For those using the Reporting Web Service REST endpoint to access Message Tracking Logs and more, Basic authentication will remain enabled until December 31, 2022.

To spread the workload, starting October 1 Microsoft will randomly select tenants and disable Basic authentication for the affected protocols. Each tenant will be notified seven days before its turn, and will receive a Service Health Dashboard notification on the day of the change.

To avoid the pitfall of thinking your organization is ready when it isn’t, there is a Basic authentication self-help diagnostic in the Microsoft 365 admin center. Click the small green “?” symbol in the lower right-hand corner of the screen and enter the phrase “Diag: Enable Basic Auth in EXO”. (Alternatively, the Microsoft blog article has a button that launches the diagnostic in the admin center for you.)
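Before trusting a green light from that diagnostic, it is worth looking at what your sign-in logs actually say. The script below is an added example, not Microsoft’s tooling and not from the Exchange Team post: it takes an export of Azure AD sign-in records and groups successful sign-ins by the protocol the client used, bucketed against the schedule above. The field names (`clientAppUsed`, `userPrincipalName`, `status.errorCode`) and the client-app labels follow Microsoft’s sign-in log schema as I know it and should be treated as assumptions to verify against your own tenant; the sample export is constructed.

```python
import json
from collections import defaultdict

# Labels Azure AD sign-in logs put in clientAppUsed when a client authenticated
# with a legacy (Basic) protocol, mapped to the protocol names in the schedule
# above. Assumption: these strings match Microsoft's documented schema; verify
# them against an export from your own tenant before relying on the numbers.
OCTOBER_1_PROTOCOLS = {
    "Exchange ActiveSync": "EAS",
    "Exchange Web Services": "EWS",
    "IMAP4": "IMAP",
    "MAPI Over HTTP": "MAPI",
    "Offline Address Book": "OAB",
    "Outlook Anywhere (RPC over HTTP)": "RPC",
    "POP3": "POP",
    "Exchange Online PowerShell": "Remote PowerShell",
}
OTHER_BASIC = {
    "Authenticated SMTP": "SMTP AUTH (not part of this change)",
    "Reporting Web Services": "Reporting Web Service (Basic allowed until 31 Dec 2022)",
}
MODERN = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export, shaped like the Graph API signIn objects you get
# from a sign-in log download. Not data from any real tenant.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2022-09-05T08:14:02Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-05T08:20:11Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-05T09:01:45Z", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-05T09:30:00Z", "userPrincipalName": "scanner@contoso.example",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-05T10:12:37Z", "userPrincipalName": "dave@contoso.example",
     "clientAppUsed": "Exchange Online PowerShell", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-05T10:45:19Z", "userPrincipalName": "erin@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-06T07:58:03Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-06T08:03:50Z", "userPrincipalName": "frank@contoso.example",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},   # failed: bad password
])


def legacy_auth_readiness(export_json):
    """Bucket successful sign-ins by how the client authenticated.

    Returns:
      october_1   {protocol: {user: count}}  Basic auth cut off from 1 Oct 2022
      other_basic {label: {user: count}}     Basic auth outside that cut-off
      modern      int                        already on Modern authentication
      review      {label: count}             anything else, to check by hand
    """
    report = {
        "october_1": defaultdict(lambda: defaultdict(int)),
        "other_basic": defaultdict(lambda: defaultdict(int)),
        "modern": 0,
        "review": defaultdict(int),
    }
    for rec in json.loads(export_json):
        # Only successful sign-ins tell you who will actually break on the day;
        # failed Basic attempts are a separate (password spraying) conversation.
        if rec.get("status", {}).get("errorCode") != 0:
            continue
        app = rec.get("clientAppUsed", "Unknown")
        user = rec.get("userPrincipalName", "<unknown user>")
        if app in OCTOBER_1_PROTOCOLS:
            report["october_1"][OCTOBER_1_PROTOCOLS[app]][user] += 1
        elif app in OTHER_BASIC:
            report["other_basic"][OTHER_BASIC[app]][user] += 1
        elif app in MODERN:
            report["modern"] += 1
        else:
            report["review"][app] += 1
    # Plain dicts are easier to compare, serialise and diff over time.
    return {
        "october_1": {p: dict(u) for p, u in report["october_1"].items()},
        "other_basic": {p: dict(u) for p, u in report["other_basic"].items()},
        "modern": report["modern"],
        "review": dict(report["review"]),
    }


def print_report(report):
    for proto, users in sorted(report["october_1"].items()):
        print(f"[cut off 1 Oct] {proto}: " + ", ".join(f"{u} x{n}" for u, n in sorted(users.items())))
    for label, users in sorted(report["other_basic"].items()):
        print(f"[still Basic]   {label}: " + ", ".join(f"{u} x{n}" for u, n in sorted(users.items())))
    print(f"[modern auth]   {report['modern']} sign-ins already fine")
    for label, n in sorted(report["review"].items()):
        print(f"[check by hand] {label}: {n}")


if __name__ == "__main__":
    print_report(legacy_auth_readiness(SAMPLE_EXPORT))
```

Run it against a real download of your sign-in logs from the Azure portal. Every user in the `october_1` bucket is someone (or some service account, like the scanner above) whose mail will stop working on the day your tenant is selected. The `other_basic` bucket is not off the hook either: by January 2023 it all goes.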

Escape and delay

If you are not ready for this change then Microsoft is offering customers the option to opt specific protocols out of the Basic authentication disablement temporarily. Be warned though, by January 2023 Basic authentication will be off for all protocols, no matter whether you opted out or not.

It is also worth considering that no matter how inconvenient this change might be, it is being done for very good security reasons, so we would advise you to switch to Modern authentication as soon as possible. We have reported on many phishing campaigns that are after your Microsoft login credentials, and many other schemes to steal them. Basic authentication is simply no longer safe enough for such an important part of your business.

Are you ready? Let us know in the comments if anything is holding you back or whether you’ve been ready for years.

Zero-day puts a dent in Chrome’s mojo

On Friday, Google announced a new version of its Chrome browser that includes a security fix for a zero-day tracked as CVE-2022-3075. As with previous announcements, technical details about the vulnerability won’t be released until most Chrome users have applied the patch.

Google is urging its Windows, Mac, and Linux users to update Chrome to version 105.0.5195.102.

CVE-2022-3075 is described as an “[i]nsufficient data validation in Mojo”. According to Chromium documentation, Mojo is “a collection of runtime libraries” that provides a platform-agnostic abstraction of the low-level interprocess communication (IPC) primitives used throughout Chrome’s code. Mojo is the layer through which Chrome’s sandboxed renderer processes talk to the more privileged browser process, so validation bugs in it are of particular interest to anyone trying to escape the sandbox.

An anonymous security researcher is credited for discovering and reporting the flaw.

CVE-2022-3075 is the sixth Chrome zero-day Google has had to patch this year. The previous ones were:

  • CVE-2022-0609, a Use-after-Free (UAF) vulnerability, which was patched in February
  • CVE-2022-1096, a “Type Confusion in V8” vulnerability, which was patched in March
  • CVE-2022-1364, a flaw in the V8 JavaScript engine, which was patched in April
  • CVE-2022-2294, a flaw in the Web Real-Time Communications (WebRTC), which was patched in July
  • CVE-2022-2856, an insufficient input validation flaw, which was patched in August

Google Chrome needs minimal oversight as it updates itself automatically. However, if you’re in the habit of never closing your browser, or have extensions that may stop Chrome from updating automatically, please check your browser every now and then.

Once Chrome notifies you of an available update, don’t hesitate to download it. The patch is applied once you relaunch the browser.


Stay safe!

Controversial Kids’ Code aims to keep children safe online

California has passed a bill designed to make the internet a safer place for children. The bill, commonly referred to as the “Kids’ Code”, has been passed by the State Senate. If signed by Gov. Gavin Newsom, it will spring into life.

What is it, and how is it designed to help children be safe online? Perhaps more importantly, why do some people feel the Code may not be all it’s cracked up to be?

From COPPA to Kids’ Code

The US has something called the Children’s Online Privacy Protection Act (COPPA for short). The act:

…imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

For some time now, the Act has been criticised for certain shortcomings. The primary issue for most folks is that COPPA leaves teens in a grey area. COPPA only covers sites and services directed at children under 13, or which know they are collecting data from under-13s; the moment a 13-to-17-year-old uses an app or service built for a general audience, the COPPA wheels come off and they are treated like any adult.

The Kids’ Code aims to fix that. From the text:

This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would, among other things, require a business that provides an online service, product, or feature likely to be accessed by children to comply with specified requirements, including a requirement to configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children, and to provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.

Extra safeguarding

Online services would need to begin adding additional safeguards for anyone under the age of 18. Although nothing would be in force until 2024, as noted above, requirements include:

  • Defaulting to the highest possible privacy settings.

  • Making it obvious if the child using a device is having their location monitored.

Advertising and profiling are a natural additional concern when children are involved. As a result, dark patterns would be prohibited. These are dubious design choices intended to steer unwary users toward choices they might otherwise have avoided. They can be quite manipulative, so they are a natural target for the bill.

Data Protection Impact Assessments (DPIAs) will also be required for any company which falls under the bill. DPIAs must take into consideration a variety of things, including, but not limited to:

…whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature,” and “whether the design of the online product, service, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the online product, service, or feature.

This will likely require a huge amount of work to pin down correctly, especially for organisations with multiple products potentially in use by young children and teenagers. Is it feasible to be able to do this in time for 2024?

Some reasonable concerns…

Not everyone is entirely on board with the bill’s content. There are fears of mandatory age identification, and the suggestion that children will simply stop making use of new services. This is due to the possible drag effect of having to prove your age and identity on every website.

There is also the question of how, exactly, you verify a child’s age. What valid identification do they have? Could their age be estimated by biometric/facial scanning? The face-scanning aspect of this, in particular, is not proving popular.

All this additional verified data naturally paints a target on its own back for data theft and fraud attempts. Can the companies collecting and storing this data guarantee it will be properly secured? What happens if or when it’s stolen or leaked?

These are pretty big questions, and at the moment, we don’t really have all of the answers. All we can do is wait and see what direction the bill heads in next.

Data broker sued for allegedly selling individuals’ sensitive location data

The Federal Trade Commission (FTC) has sued data broker Kochava for allegedly selling information that would allow for individuals’ whereabouts to be traced to sensitive locations. The information included location data from hundreds of millions of phones, including sensitive locations that could be tied to an individual.

And, while the name Kochava may not ring any bells, it actually has a sizeable footprint in the data collection industry. In its own words, Kochava is the industry leader for mobile app attribution and mobile app analytics, and its platform provides a comprehensive set of measurement and targeting tools for app marketers.

While we are all more or less aware that advertisers spend a lot of money to enhance their targeted advertising strategies, there are boundaries to what the FTC will allow.

Buy and sell

Kochava is a location data broker that provides precise geolocation data from consumers’ smartphones, and also purchases similar data sets from other brokers in order to resell them to clients. These data feeds are often used by clients who want to analyze things like foot traffic at local stores or other locations. Each record does not just give the exact location of a mobile device; it is also tied to a unique identifier, like a device ID, as well as other information, like an IP address, device type and more.

This means that an exact location can be traced back to a unique individual. Kochava even boasts that one of the possibilities of the datasets is to identify households, for example by tracking where the phones “stay at night”.

This is one of the FTC’s objections: the data is not anonymized and can be used to identify the mobile device’s user or owner. Re-identification is made easier by other data brokers that specifically sell services for matching Mobile Advertising IDs with offline information, like consumers’ names and physical addresses.

Sensitive locations

One of the areas the FTC takes a hard stance on is sensitive locations. As we can read in the complaint, the Federal Trade Commission filed the lawsuit against Kochava for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.

As examples of sensitive locations the FTC lists:

  • reproductive health clinics
  • places of worship
  • homeless and domestic violence shelters
  • addiction recovery facilities

Having such information revealed could expose people to threats of stigma, stalking, discrimination, job loss, and even physical violence, the FTC explained. In an earlier article, we explained why Google has promised to delete location data of trips to sensitive locations.
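To make concrete why a pseudonymous device ID plus precise fixes is not “anonymized”, here is an added example (mine, not code from the FTC complaint or from Kochava) that does exactly what the two paragraphs above describe on a constructed feed: it infers where each device “stays at night”, checks whether the same device ever came within a few tens of metres of a sensitive place, and then swaps the device ID for whatever a hypothetical offline-matching feed knows about it. The feed rows, place coordinates and the household label are all made up; treating timestamps as local time and the 0.001-degree grid are simplifying assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample feed: (Mobile Advertising ID, timestamp, latitude, longitude).
# Not real data; the pattern (night-time clusters, one daytime visit) is the point.
SAMPLE_FEED = [
    ("maid-a", "2022-08-01T02:10:00Z", 37.77492, -122.41935),
    ("maid-a", "2022-08-01T03:40:00Z", 37.77488, -122.41942),
    ("maid-a", "2022-08-02T01:15:00Z", 37.77495, -122.41938),
    ("maid-a", "2022-08-02T14:05:00Z", 37.78493, -122.40944),   # daytime, at the clinic
    ("maid-a", "2022-08-02T18:30:00Z", 37.79010, -122.40110),
    ("maid-b", "2022-08-01T02:30:00Z", 37.76212, -122.43108),
    ("maid-b", "2022-08-01T23:50:00Z", 37.76215, -122.43101),
    ("maid-b", "2022-08-02T12:00:00Z", 37.79012, -122.40105),
]

# Sensitive places of the kinds the FTC lists. Coordinates are invented.
SENSITIVE_PLACES = {
    "reproductive health clinic": (37.78490, -122.40940),
    "domestic violence shelter": (37.75320, -122.44870),
}

# Hypothetical output of the MAID-to-offline-identity matching the article says
# other brokers sell. The label is invented.
OFFLINE_MATCH = {"maid-a": "household at 12 Example Street"}


def grid_cell(lat, lon):
    """Snap a fix to a 0.001-degree cell (roughly 110 m by 90 m at this latitude)."""
    return (math.floor(lat * 1000), math.floor(lon * 1000))


def is_night(timestamp, start_hour=0, end_hour=5):
    """True for fixes between 00:00 and 05:00. Assumption: timestamps are treated
    as local time; a real analysis would convert per device time zone."""
    hour = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).hour
    return start_hour <= hour < end_hour


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def infer_home_cell(rows):
    """The cell a device most often 'stays at night' in; None without night fixes."""
    cells = Counter(grid_cell(lat, lon) for _, ts, lat, lon in rows if is_night(ts))
    return cells.most_common(1)[0][0] if cells else None


def sensitive_visits(rows, places, radius_m=50):
    """Names of sensitive places the device came within radius_m of."""
    return [
        name
        for name, (plat, plon) in places.items()
        if any(haversine_m(lat, lon, plat, plon) <= radius_m for _, _, lat, lon in rows)
    ]


def profile_devices(feed, places):
    """Per-MAID profile: inferred home cell plus sensitive-place visits."""
    by_device = defaultdict(list)
    for row in feed:
        by_device[row[0]].append(row)
    return {
        maid: {"home_cell": infer_home_cell(rows), "sensitive_visits": sensitive_visits(rows, places)}
        for maid, rows in by_device.items()
    }


def identify(profiles, offline_match):
    """Replace pseudonymous IDs with whatever an offline matching feed knows about them."""
    return {offline_match.get(maid, maid): p for maid, p in profiles.items()}


if __name__ == "__main__":
    named = identify(profile_devices(SAMPLE_FEED, SENSITIVE_PLACES), OFFLINE_MATCH)
    for who, p in named.items():
        print(f"{who}: home cell {p['home_cell']}, visited {p['sensitive_visits'] or 'nothing sensitive'}")
```

Nothing in this is clever: three night-time fixes and one daytime fix are enough to say “the household in that cell visited a clinic on Tuesday afternoon”, which is the whole of the FTC’s point about why a device ID is not an anonymizer.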

Ruling to follow

The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information. Earlier this month, the FTC announced that it is exploring rules to crack down on harmful commercial surveillance practices that collect, analyze, and profit from information about people. The FTC files a complaint when it has reason to believe that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest.

According to Kochava’s management:

“this lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

The case will be decided by the court. The complaint was filed in the U.S. District Court for the District of Idaho, where Kochava is based.

What is a keylogger?

A blog post published earlier this year posed the question “Is Grammarly a keylogger?” I have personally had people reference that post and ask me to add detection of Grammarly to Malwarebytes. The answer has always been, “no.” Whether or not you like what Grammarly does, Grammarly is not a keylogger, according to the way that term is used by the security industry.

That raises the question: exactly what is a keylogger, then?

A keylogger is anything that logs keystrokes, right?

Well, no. This is way too broad a definition, since there are countless programs installed on every computer on earth designed to capture and save your keystrokes. Any word processor, for example. For that matter, any productivity software, whether that be a word processor, a notepad, a spreadsheet, a slideshow app, etc. Even something as low-level as the shell in a Terminal window records everything you type in its command history.

Using a computer made in the last several decades is all about typing things on a keyboard, and some program doing something with all those button presses. There’s a tongue-in-cheek saying about a common piece of advice for avoiding phishing attacks: you can’t tell the user to stop clicking things on the thing-clicking machine. Similarly, if you’re going to blow the whistle at anything that captures your keystrokes, you’re fighting a losing battle.

Is it something that sends your keystrokes somewhere?

We’re getting closer, but still no. Think about the things you use every day. A web browser, for example. Every time you type a search in a browser, what you type is sent off to the search engine of your choosing (most likely Google). Plus, there are tons of websites that will save things you type on the server. Consider Google docs, for example. Everything you type in such a document in your browser gets sent off to Google.

The web browser isn’t the only guilty party, of course. Consider Apple’s Notes app. Depending on your settings, everything you type in the Notes app will be synced to iCloud. The same is true of Microsoft’s OneNote app. For that matter – again, depending on your settings – doing a Spotlight search on your Mac can send everything you type in the search bar to Apple.

This is clearly where Grammarly lies. It collects keystrokes and sends them off your device for the purpose of having their backend system check the grammar of what you typed. Would it be better if it could do all that on the device? Certainly, though I know nothing of the technical reasons why that decision was made. Would I personally use Grammarly? Not a chance. However, there are many people who need a grammar checker and like the features Grammarly offers.

Clearly, these things are all legitimate apps, offering legitimate functionality. This definition is still too broad to be useful.

Then what IS a keylogger?

A more useful definition would be:

A keylogger is a program that collects keystrokes and sends them to a third-party, solely for the benefit of that third-party.

The key differentiator between a keylogger and something more legitimate is that it’s not collecting your keystrokes for your benefit. Instead, someone else intends to use what you typed for some purpose of their own, nefarious or otherwise. However, within this definition, there are a few different types of keyloggers.

“Potentially unwanted” keyloggers

A keylogger may be identified as a “PUP” (which stands for “Potentially Unwanted Program”) if it’s software that is sold legally and openly. Such programs are often marketed as tools for monitoring your children or employees, and as such have a theoretical legitimate use. (I have some strongly negative opinions about the use of keylogging software for such purposes, but to each their own.)

However, such keyloggers are also very commonly misused. In reality, legitimate usage of such keyloggers is probably dwarfed by illegitimate usage. People with access to someone else’s device can install them without the owner’s knowledge for unsavory – even malicious – reasons. This is quite common with intimate partner abuse, stalking, workplace harassment, etc.

For this reason, most security software will detect these so-called “legitimate” keyloggers as PUPs. Malwarebytes, as a member of the Coalition Against Stalkerware, is certainly no exception.

Adware keyloggers

These keyloggers are things that collect keystrokes within certain contexts for the purposes of targeting you with ads, building a profile to better understand you as a target for ads, or as a means of better understanding the entire customer base. An example of the type of data that such a program might collect would be every search you enter in your browser and every site you visit (whether that’s by typing the address in the address bar or clicking a link). Such programs often go well beyond just logging keystrokes, and will collect things such as your browser history, browser of choice, software installed on your computer, your location, etc.

These programs generally trick the user into installing them, using a variety of lures. The old fake Adobe Flash Player installer trick is one of the most common, even now that Flash is long dead. Generally speaking, though, these are spread in the form of trojans, i.e., programs the user is tricked into downloading and running.

Such programs are either malware or just shy of malware, depending on your definition. Either way, they serve no legitimate purpose for anyone other than shady advertisers and deserve to be deleted with extreme prejudice. The only good news is that it is not the intent of these programs to harm you (though poor data handling practices by shady adware companies definitely could cause harm regardless of intent).

Malicious keyloggers

These are the most concerning category of keyloggers: the ones without any supposed “legitimate” purpose, intended for nothing but stealing your information. Such keyloggers are often used to collect sensitive information, such as account credentials, credit card numbers, social security numbers, and more.

Malicious keyloggers get onto your machine through a variety of means. They could be trojans, often using a lure more convincing than a fake Flash installer. They could infect your machine through a browser vulnerability that allows arbitrary code to execute. (This is less common on Macs than on Windows, but is nonetheless an increasing problem for Mac users.)

Such malware has also been installed manually, by attackers who have gained access to the machine somehow, whether physically or remotely. In a well-known case, the creator of the FruitFly malware used passwords obtained from data breaches to gain access to victims’ Macs. He used a technique called “credential stuffing,” in which a password obtained from one online account is used to attempt to log in to something else. Since so many people reuse passwords, this is unfortunately a fairly reliable strategy.

In the case of malicious keyloggers, the software is rarely limited to just capturing keystrokes. Most malicious spyware has keylogging capabilities as only a part of the complete package, also including – among other things – file collection, capture of the screen contents, capture of video and audio via the webcam and microphone, and even execution of arbitrary commands. Thus, most such malware is not referred to as a “keylogger,” but rather is called “spyware.”

How do I protect myself from keyloggers?

Obviously, one way to do so is to use some kind of antivirus software, such as Malwarebytes. If you think you might be being targeted by someone using a PUP keylogger, make sure that the software you use detects such software. Membership in the Coalition Against Stalkerware would be a good indication of that.

You can avoid some of the common means that attackers may use to install a keylogger on your device by making sure you use a strong login password on your computer. Make sure it’s one that nobody could guess, and don’t leave your computer logged in and unattended. If you need to share your computer with someone, don’t let them use your account on the computer. Instead, create a separate account for that person and do not give them admin privileges. (On a Mac, this can be done in System Preferences -> Users & Groups.)

When it comes to the more malicious stuff, be careful about what you download. If a website tells you that you need to install something to see its content, or tells you that you’re infected and that you need to install something to fix it, run away screaming. (If you’re in a public place, you may want to consider just closing the browser window, though; otherwise you may get strange looks.)

It’s also critically important to keep your system up-to-date. Doing so ensures that your system is protected against known vulnerabilities that could be used to infect your device. On a Mac, go to System Preferences -> Software Update and check the box reading Automatically keep my Mac up to date.

Doing these things is never a guarantee, but they will go a long way towards reducing the chances of ever being affected by a keylogger.

TikTok vulnerability could have allowed hijackers to take over accounts

Microsoft has released a detailed rundown of an issue, now fixed, which was potentially dangerous for users of TikTok. The problem, flagged as a “high-severity vulnerability” by Microsoft, required several steps chained together in order to function. Attackers making use of it could have compromised accounts with one click.

From there, the standard rules of engagement for compromised accounts apply. Sending messages, uploading content, checking out sensitive information or looking at private videos; all of this and more would have been possible. Worse, Microsoft determined that both versions of the TikTok app on Android were vulnerable to this issue. That’s around 1.5 billion installations in total, so it’s just as well TikTok received word of the vulnerability in February of this year and it’s now fixed.

Shall we take a look?

What is a deeplink?

To ward off any possible confusion, deeplinks are completely unrelated to deepfakes.

This issue is pinned around TikTok’s deeplink verification. These deeplinks can make URLs function in a variety of different ways. As Engadget explains, hitting a Twitter embed on Chrome mobile which opens the Twitter app is an example of this working in practice.

Where this goes wrong is when someone finds a way to bypass this deeplink verification, and make URLs behave in unexpected ways. As it happens, our old friend JavaScript is the first step in the chain to exploit success.

The perils of JavaScript interface injection

Exploitation depended on how the app implemented JavaScript interfaces, which are provided by WebView, the Android component apps use to load and display web pages. Loading untrusted content in a WebView that exposes such interfaces leaves the app open to JavaScript interface injection: the attacker’s page gets to call the app’s own native methods. This could lead to corrupted data, leakage, and even arbitrary code execution.

Microsoft found that several of these issues, chained together in the handling of a specific deeplink, could force the app’s WebView to load arbitrary URLs.

The fixed bug lives on as CVE-2022-28799:

The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.

Fixes and suggestions

Microsoft has the following advice for app developers who need to expose JavaScript interfaces:

  • Use the default browser to open URLs that don’t belong to the application’s approved list.

  • Keep the approved list up to date and track the expiration dates of the included domains. This can prevent attackers from hijacking WebView by claiming an expired domain on the approved list.

  • Avoid using partial string comparison methods to compare and verify a URL with the approved list of trusted domains.

  • Avoid adding stage or internal network domains to the approved list as these domains could be spoofed by an attacker to hijack WebView.
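The third item is where deeplink-to-WebView bugs of this shape usually live, so here is an added example of what “partial string comparison” looks like next to a check that actually parses the URL. This is my illustration, not TikTok’s code or Microsoft’s; the real app is Kotlin/Java, but the logic is the same in any language. The approved hosts, the `*.` wildcard convention and the `app://webview?url=<target>` deeplink format are hypothetical, and the probe URLs are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the app is willing to render in its own WebView (the "approved list").
# Entries and the "*." wildcard form are hypothetical.
APPROVED_HOSTS = {"www.tiktok.com", "*.tiktok.com"}

# Only plain DNS labels. Anything else (%, @, \, non-ASCII) is refused outright
# rather than hoping this parser and the WebView's agree on what it means.
HOST_CHARS = re.compile(r"^[a-z0-9.-]+$")


def is_approved_vulnerable(url):
    """The partial string comparison Microsoft warns against: any URL that
    merely *contains* the trusted name passes."""
    return "tiktok.com" in url


def is_approved(url, approved=APPROVED_HOSTS):
    """Parse the URL and compare the host component with the approved list."""
    parts = urlsplit(url)
    if parts.scheme != "https":                  # no http:, javascript:, intent:, file: ...
        return False
    if "@" in parts.netloc or "\\" in parts.netloc:
        return False                             # userinfo tricks, backslash parser differentials
    host = parts.hostname                        # lower-cased, port stripped
    if not host or not HOST_CHARS.match(host):
        return False
    for entry in approved:
        if entry.startswith("*."):
            suffix = entry[1:]                   # ".tiktok.com": the dot is the boundary
            if host.endswith(suffix) and host != suffix:
                return True
        elif host == entry:
            return True
    return False


def route_deeplink(deeplink):
    """Decide what to do with a hypothetical app://webview?url=<target> deeplink.
    Approved targets load in the WebView; anything else goes to the default
    browser, which is Microsoft's first recommendation above."""
    parts = urlsplit(deeplink)
    if parts.scheme != "app" or parts.netloc != "webview":
        return ("reject", deeplink)
    target = parse_qs(parts.query).get("url", [None])[0]
    if not target:
        return ("reject", deeplink)
    return ("webview", target) if is_approved(target) else ("browser", target)


# Constructed probes: the first two are legitimate, the rest are bypasses that
# a substring (or startswith/endswith) check lets through.
PROBES = [
    "https://www.tiktok.com/@someone",
    "HTTPS://M.TIKTOK.COM/video/1",
    "https://tiktok.com.evil.example/",                    # trusted name as a subdomain prefix
    "https://tiktok.com@evil.example/",                    # trusted name in the userinfo part
    "https://eviltiktok.com/",                             # suffix match without a dot boundary
    "https://evil.example/?next=https://www.tiktok.com",   # trusted name in the query string
    "http://www.tiktok.com/",                              # right host, wrong scheme
    "https://www.tiktok.com./",                            # trailing dot: not identical, not trusted
]

if __name__ == "__main__":
    for url in PROBES:
        print(f"{url:55} substring={is_approved_vulnerable(url)!s:5} parsed={is_approved(url)}")
    print(route_deeplink("app://webview?url=https%3A%2F%2Ftiktok.com.evil.example%2F"))
```

The deliberately strict parts (https only, exact host match, refusing anything that is not a plain DNS name) are what make the second and fourth bullets workable too: an approved list of a handful of exact hosts is easy to keep current, and a staging or internal name never gets on it by accident.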

It’s important to note that Microsoft has seen no evidence of this being exploited in the wild. There is no need for users to panic about this particular exploit. There are many threats out there for users of TikTok, like phishing and social engineering. This one, however, can be set aside as a highly technical “close, but no cigar”.

Apple releases security update for iPhones and iPads to address vulnerability

Apple has released iOS 12.5.6, a security update that patches a remotely exploitable WebKit vulnerability allowing attackers to execute arbitrary code on unpatched devices.

The WebKit zero-day, known as CVE-2022-32893, was fixed for iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 on August 17, and for Safari in macOS Big Sur and macOS Catalina on August 18. This update brings the fix to older devices running iOS 12.

Zero-day?

Technically this is no longer a zero-day: by definition a zero-day is a software vulnerability previously unknown to those who should be interested in fixing it, like the vendor of the target. This vulnerability has been known for weeks, although users of older Apple OS versions were unable to install a patch for it until now.

WebKit vulnerability

CVE-2022-32893 is an out-of-bounds write issue that was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. The vulnerability exists in Apple’s HTML rendering software, WebKit, which powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.

Apple has already said it’s aware of a report that the issue may have been actively exploited.

Not vulnerable

Apple mentions in the security update for CVE-2022-32893 that iOS 12 is not impacted by CVE-2022-32894. As we mentioned in our blog about the two actively exploited zero-days, it seems likely that these vulnerabilities were found in an active attack that chained the two together. The attack could, for example, be delivered through a watering hole or as part of an exploit kit: CVE-2022-32893 would provide initial code execution in the browser, and that code could then use CVE-2022-32894 to obtain kernel privileges. This does not mean the WebKit vulnerability can do no harm on devices that are not vulnerable to CVE-2022-32894, as it could be chained with another vulnerability to obtain higher privileges.

Mitigation

Other than confirming that the exploit has been used in the wild, Apple has not released any specifics about the vulnerability. Both vulnerabilities are on CISA's Known Exploited Vulnerabilities catalog, with a remediation deadline of September 8 for US federal agencies.

Owners of an iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, or iPod touch (6th generation) can install iOS 12.5.6 from Settings > General > Software Update on the device, or by connecting the device to a computer and updating through iTunes.

Stay safe, everyone!

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes Endpoint Protection continues to receive outstanding results in third-party testing. Our recent participation in two highly-regarded industry evaluations, namely MRG-Effitas and Info-Tech’s Data Quadrant Report, reflects our belief that continual testing and unbiased validation are crucial to our mission to deliver easy, effective, and efficient cyber protection for customers. 

Info-Tech’s Data Quadrant report: Malwarebytes ranks #2 overall and #1 across several key areas

Using data collected from real end users, Info-Tech’s Data Quadrant Reports provide a holistic, unbiased view of the product landscape to help you determine which product is right for your organization. Malwarebytes ranked #2 out of 14 organizations in the report, earning a composite satisfaction score of 8.8.


Malwarebytes also took the #1 spot for three different categories: 

  1. Usability And Intuitiveness (Shallow end user learning curve): 87% user satisfaction 

  2. Vendor Support (Offers quality support): 84% user satisfaction 

  3. Flexible Deployment Options (Supports on-premise, cloud and hybrid IT environments): 87% satisfaction

MRG Effitas 360° Assessment & Certification: Badges across the board

MRG Effitas, a world leader in independent IT research, published its antivirus efficacy assessment results in August 2022. We achieved the highest possible score (100%) for a fourth consecutive quarter and received certifications for Level 1 (the highest ranking awarded by MRG Effitas), Exploit, Online Banking, and Ransomware.

Tested and published in a separate report, our mobile product also achieved the MRG Android 360 degree certification. 


Malwarebytes Endpoint Protection blocked a wide range of ransomware, fileless attacks and other threats:

  • 100 percent of “in the wild” threats blocked: malware considered ‘zero-day’, delivered via URLs 

  • 100 percent of ransomware blocked: tested with ransomware samples built in-house, so no known signatures or community verdicts could help 

  • 100 percent of financial malware blocked: tested with the financial malware used in the Magecart credit card-skimming attacks 

  • 100 percent of fileless attacks blocked: tested how security products protect against a specific exploitation technique 

  • 100 percent of PUA/adware blocked: tested potentially unwanted applications (PUA), which are not malicious but are generally considered unsuitable for most home or business networks 

Malwarebytes Endpoint Protection also delivered the fourth best performance rating of all tested vendors, and did it with zero false positives, providing further evidence that the Malwarebytes EP delivers the right combination of powerful detection without affecting overall operating system performance.

Easy, effective, and efficient cyber protection validated by third-party testing

Malwarebytes is committed to regularly subjecting our solutions to third-party testing.

Third-party testing is critical to ensuring that your endpoint security solution performs well where it counts, whether that’s ease-of-use, rate of false positives, percentage of threats blocked, and so on. To read more about what customers have to say about Malwarebytes Endpoint Protection and EDR, check out our case studies page.

More resources

Why MRG-Effitas matters to SMBs

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Why MITRE matters to SMBs

Final Fantasy 14 players targeted by QR code phishing

Final Fantasy 14, the smash-hit online role playing game, is under fire from scammers. The attack is a devious way to try and compromise player accounts, making use of free item promises and bogus QR codes.

As the game is a constantly changing service, it’s almost impossible to keep up with new features, offers, and content. The developers announce these changes on their blog, The Lodestone. What’s being talked about at the moment is the QR code-centric phishing attack.

The developers write:

As we have mentioned in the past, we have confirmed that certain individuals are attempting to direct players to fake login websites which imitate the Square Enix Account Management System in an effort to steal (also known as “phishing”) information such as their Square Enix ID and password, as well as date of birth.

Please also be aware of the following methods used to direct players to fake pages:

・Using FFXIV in-game chat to direct players to fake pages imitating Square Enix websites, including the Support Center, the Lodestone, and the official FINAL FANTASY XIV Forums.

・Including a QR code in an image disguised as an official Twitter or forum post, and scanning the QR code displays fake pages.

・Disguising as a FFXIV game play video with a link to fake pages as part of the video or in the description.

Before opening any URLs, we urge you to confirm that they are legitimate and not a fraudulent imitation.

How the QR code phish attack works

Thanks to players grabbing screenshots, we can show you what these attacks typically look like.

Scammers send direct messages (tells) to other players. Many of the accounts sending these messages appear to have been hijacked themselves. The message contains a link that directs the victim away from the game to an image hosting service.

What waits for them is a screenshot of a faked Tweet from the official Final Fantasy 14 account.

It reads as follows:

We’ve decided to sneak another mount into the 6.2 release. Scan the QR code to automatically add the mount. This mount is only available until 4th September, after this date the mount will become tradeable and will be the only way to own this, so claim it now.

Mounts, pets, and other in-game items can be quite expensive. As a result, any promise of free items will no doubt catch some attention. Scanning the QR code takes the would-be item grabber to a fake login portal rather than to the game. Once an account is stolen, the scammers are free to use it to continue the phishing from a trusted-looking sender, which is how many of the hijacked accounts sending tells came to be involved. Gaming accounts with a lot of in-game funds or items attached are of course very valuable. Depending on the game and how trading works, the scammers may sell the account, sell its items, or trade other content. Final Fantasy 14 players are also at risk due to the perils of Real Money Trading, and phishing often feeds into that activity too.

Avoiding the scam

In terms of bogus websites, Square Enix has this advice:

The Square Enix Account Management System complies with EV SSL certification. Should a website ask for your Square Enix Account information, please make sure that the website is legitimate before entering any information. On certain web browsers, the address bar will display an icon indicating the website’s security certificate. On a legitimate Square Enix Account Management System login page, clicking this security icon will display references to “SQUARE ENIX CO., LTD.”

* On a legitimate website operated by SQUARE ENIX CO., LTD., no other pages apart from login pages will require password entry, nor will any of our staff ever ask you for your password.

Examples of characteristics used in phishing URLs:

* The “s” is missing from “https” in the URL of the login page. The fake website will display http:// in the URL.

* The hyphen symbol is missing from “square-enix.” The fake website will display variations of “squareenix” in the URL.

* The letter “i” is replaced with various characters like “l” or “j.” The fake website will display “square-enlx” or “square-enjx.”

* The “com” in “square-enix.com” is replaced by various domains.

In terms of additional account security, you can make use of a One Time Password to further bolster your defences. Square Enix offers this via an app (a software token) or a physical hardware token, and it means a stolen ID and password alone are not enough to log in.
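The four URL characteristics in Square Enix's list above are easy to turn into a mechanical check, which is useful when the URL comes out of a QR code rather than a clickable link: most phone camera apps show the decoded URL before opening it, and that string is what you want to examine. The following is an added example, not code from Square Enix or from the original post. It encodes the four heuristics (http instead of https, missing hyphen, "i" swapped for a look-alike letter, wrong top-level domain), adds a fifth check for the brand name buried under an unrelated domain, and treats square-enix.com, the only legitimate domain named on the page, as the allowed brand domain; the specific legitimate login hostnames are not given on the page, so that allow list is an assumption for illustration.

```python
"""Heuristic checks for Square Enix look-alike phishing URLs.

Added example, not code from Square Enix or the original post. The
legitimate brand domain (square-enix.com) is the one named in the advisory;
everything else about real Square Enix hostnames is an assumption.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "square-enix.com"      # brand domain named in the advisory
LEGIT_LABEL = "square-enix"           # its second-level label
LOOKALIKE_I = {"l", "j", "1"}         # characters the advisory says replace "i"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (sufficient for a .com brand domain)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a Square Enix phish.

    An empty list means no heuristic fired; it is not proof of legitimacy,
    so the EV certificate check and OTP remain the real safeguards.
    """
    reasons: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # urlsplit lower-cases the host
    if not host:
        return ["no hostname in URL"]

    # 1. The "s" is missing from "https".
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")

    domain = registrable_domain(host)
    sld, _, tld = domain.partition(".")

    if domain == LEGIT_DOMAIN:
        return reasons   # exact brand domain: only the scheme check applies

    # 2. The hyphen is missing: "squareenix" instead of "square-enix".
    if sld == LEGIT_LABEL.replace("-", ""):
        reasons.append("hyphen missing from 'square-enix'")

    # 3. The "i" is replaced with a look-alike: "square-enlx", "square-enjx".
    elif len(sld) == len(LEGIT_LABEL) and all(
        a == b or (b == "i" and a in LOOKALIKE_I)
        for a, b in zip(sld, LEGIT_LABEL)
    ):
        reasons.append(f"look-alike substitution for 'i': {sld!r}")

    # 4. The "com" in "square-enix.com" is replaced by another domain.
    if sld == LEGIT_LABEL and tld != "com":
        reasons.append(f"wrong TLD: .{tld} instead of .com")

    # 5. Brand name used as a subdomain of an unrelated registrable domain,
    #    e.g. square-enix.com.evil.example (added here; not in the advisory).
    if LEGIT_LABEL in host and not reasons:
        reasons.append(f"brand name used under unrelated domain {domain}")

    return reasons


if __name__ == "__main__":
    # Constructed sample URLs, one per heuristic; none are real phishing sites.
    samples = [
        "https://secure.square-enix.com/account/app/svc/Login",
        "http://square-enix.com/login",
        "https://squareenix.com/login",
        "https://square-enlx.com/login",
        "https://square-enjx.com/login",
        "https://square-enix.net/login",
        "https://square-enix.com.evil.example/login",
    ]
    for sample in samples:
        findings = assess_url(sample)
        verdict = "suspicious" if findings else "no heuristic fired"
        print(f"{sample}\n  {verdict}: {'; '.join(findings)}")
```

Run it as a script to see each constructed sample scored, or import assess_url and feed it the URL your QR scanner displays. Note what the check cannot do: a registered look-alike domain that passes every heuristic, or a legitimate-looking URL that redirects elsewhere, will come back clean, which is why the certificate owner and a One Time Password matter more than any URL pattern.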

QR code scams are very popular in Final Fantasy land, and you can bet they’ll come back around in another form in the near future.

Stay safe out there!